From e6de67d89645292039b25abae73976a567076d5e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 15 Apr 2020 14:17:35 +0200 Subject: [PATCH] 5.6-stable patches added patches: arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch asoc-cs4270-pull-reset-gpio-low-then-high.patch clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch clk-ingenic-tcu-fix-round_rate-returning-error.patch cpufreq-powernv-fix-use-after-free.patch crypto-caam-qi2-fix-chacha20-data-size-error.patch crypto-caam-update-xts-sector-size-for-large-input-length.patch crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch crypto-ccree-only-try-to-map-auth-tag-if-needed.patch crypto-ccree-protect-against-empty-or-null-scatterlists.patch dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch dm-clone-add-overflow-check-for-number-of-regions.patch dm-clone-fix-handling-of-partial-region-discards.patch dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch drm-amd-powerplay-implement-the-is_dpm_running.patch drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch drm-etnaviv-rework-perfmon-query-infrastructure.patch drm-i915-gem-flush-all-the-reloc_gpu-batch.patch drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch ext4-fix-a-data-race-at-inode-i_blocks.patch fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch input-i8042-add-acer-aspire-5738z-to-nomux-list.patch ipmi-fix-hung-processes-in-__get_guid.patch kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch nfs-fix-a-few-constant_table-array-definitions.patch nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch perf-tools-support-python-3.8-in-makefile.patch powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch s390-diag-fix-display-of-diagnose-call-statistics.patch scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch scsi-ufs-fix-auto-hibern8-error-detection.patch scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch selftests-powerpc-add-tlbie_test-in-.gitignore.patch selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch vfio-platform-switch-to-platform_get_irq_optional.patch xarray-fix-early-termination-of-xas_for_each_marked.patch xarray-fix-xas_pause-for-large-multi-index-entries.patch xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch --- ...e-lcd-spi-bus-on-universalc210-board.patch | 45 ++ ...fix-undef_hook-mask-for-thumb-setend.patch | 53 +++ ...-ti-k3-am65-add-clocks-to-dwc3-nodes.patch | 45 ++ ...cs4270-pull-reset-gpio-low-then-high.patch | 101 +++++ ...0-exit-with-error-if-cgu-init-failed.patch | 39 ++ ...c-tcu-fix-round_rate-returning-error.patch | 34 ++ .../cpufreq-powernv-fix-use-after-free.patch | 46 ++ ...aam-qi2-fix-chacha20-data-size-error.patch | 87 ++++ ...s-sector-size-for-large-input-length.patch | 62 +++ ...-dec-auth-tag-size-from-cryptlen-map.patch | 41 ++ ...e-only-try-to-map-auth-tag-if-needed.patch | 41 ++ ...t-against-empty-or-null-scatterlists.patch | 163 ++++++++ ...revent-overflows-and-data-corruption.patch | 63 +++ ...overflow-check-for-number-of-regions.patch | 58 +++ ...-handling-of-partial-region-discards.patch | 200 +++++++++ ...e-of-dm_clone_nr_of_hydrated_regions.patch | 69 +++ ...-crash-with-unusually-large-tag-size.patch | 41 ++ ...ec-fix-memory-leak-in-verity_fec_dtr.patch | 57 +++ ...-add-cond_resched-to-avoid-cpu-hangs.patch | 52 +++ ..._rnd_zones-increase-in-dmz_init_zone.patch | 37 ++ ...clk-voltage-when-parsing-clock-table.patch | 39 ++ ...werplay-implement-the-is_dpm_running.patch | 51 +++ ...g-the-fclk-dpm-table-to-set-the-mclk.patch | 66 +++ ...ify-fw_write_wait-for-new-gfx9-asics.patch | 37 ++ ...x78xx-fix-drm_dp_link-helper-removal.patch | 47 +++ ...-rework-perfmon-query-infrastructure.patch | 136 ++++++ ...15-gem-flush-all-the-reloc_gpu-batch.patch | 45 ++ ...reat-idling-as-a-rps-downclock-event.patch | 52 +++ ...io-power-on-a-typec-port-in-tbt-mode.patch | 47 +++ ...the-dma-addresses-from-a-scatterlist.patch | 86 ++++ ...rved-manipulation-from-drm_pci_alloc.patch | 92 ++++ ...conflicting_pci_framebuffers-call-v2.patch | 53 +++ ...t4-fix-a-data-race-at-inode-i_blocks.patch | 90 ++++ ...-reachable-warn_once-to-pr_warn_once.patch | 55 +++ ...he-maxactive-number-on-kprobe_events.patch | 38 ++ ...ystem-corruption-when-deleting-files.patch | 52 +++ ...-add-acer-aspire-5738z-to-nomux-list.patch | 52 +++ ...pmi-fix-hung-processes-in-__get_guid.patch | 68 +++ ...n-error-when-autoloading-is-disabled.patch | 108 +++++ ...over_pm-when-ata_dflag_detach-is-set.patch | 74 ++++ ...s-to-hold-2-refs-to-the-mount-record.patch | 63 +++ ...few-constant_table-array-definitions.patch | 58 +++ ...-in-nfs_destroy_unlinked_subrequests.patch | 31 ++ ...ree-issues-in-nfs_pageio_add_request.patch | 88 ++++ ...fsnotify-on-rmdir-under-nfsd-clients.patch | 31 ++ ...d-try-to-truncate-file-beyond-i_size.patch | 59 +++ ...tools-support-python-3.8-in-makefile.patch | 59 +++ ...ereference-when-drmem-is-unavailable.patch | 101 +++++ ...-display-of-diagnose-call-statistics.patch | 36 ++ ...en-credit-recovery-after-driver-load.patch | 146 +++++++ ...k-in-lpfc_get_scsi_buf_s4-error-path.patch | 40 ++ ...ufs-fix-auto-hibern8-error-detection.patch | 68 +++ ...-recovery-trigger-for-point-to-point.patch | 79 ++++ ...powerpc-add-tlbie_test-in-.gitignore.patch | 30 ++ ...run-when-source-tree-is-not-writable.patch | 57 +++ ...cies-on-page-flags-from-mlock2-tests.patch | 393 ++++++++++++++++++ ...ngth-used-for-testing-read-and-write.patch | 76 ++++ queue-5.6/series | 61 +++ ...-switch-to-platform_get_irq_optional.patch | 40 ++ ...y-termination-of-xas_for_each_marked.patch | 204 +++++++++ ..._pause-for-large-multi-index-entries.patch | 88 ++++ ...ion-flags-in-blkfront_setup_indirect.patch | 103 +++++ 62 files changed, 4533 insertions(+) create mode 100644 queue-5.6/arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch create mode 100644 queue-5.6/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch create mode 100644 queue-5.6/arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch create mode 100644 queue-5.6/asoc-cs4270-pull-reset-gpio-low-then-high.patch create mode 100644 queue-5.6/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch create mode 100644 queue-5.6/clk-ingenic-tcu-fix-round_rate-returning-error.patch create mode 100644 queue-5.6/cpufreq-powernv-fix-use-after-free.patch create mode 100644 queue-5.6/crypto-caam-qi2-fix-chacha20-data-size-error.patch create mode 100644 queue-5.6/crypto-caam-update-xts-sector-size-for-large-input-length.patch create mode 100644 queue-5.6/crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch create mode 100644 queue-5.6/crypto-ccree-only-try-to-map-auth-tag-if-needed.patch create mode 100644 queue-5.6/crypto-ccree-protect-against-empty-or-null-scatterlists.patch create mode 100644 queue-5.6/dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch create mode 100644 queue-5.6/dm-clone-add-overflow-check-for-number-of-regions.patch create mode 100644 queue-5.6/dm-clone-fix-handling-of-partial-region-discards.patch create mode 100644 queue-5.6/dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch create mode 100644 queue-5.6/dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch create mode 100644 queue-5.6/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch create mode 100644 queue-5.6/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch create mode 100644 queue-5.6/dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch create mode 100644 queue-5.6/drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch create mode 100644 queue-5.6/drm-amd-powerplay-implement-the-is_dpm_running.patch create mode 100644 queue-5.6/drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch create mode 100644 queue-5.6/drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch create mode 100644 queue-5.6/drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch create mode 100644 queue-5.6/drm-etnaviv-rework-perfmon-query-infrastructure.patch create mode 100644 queue-5.6/drm-i915-gem-flush-all-the-reloc_gpu-batch.patch create mode 100644 queue-5.6/drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch create mode 100644 queue-5.6/drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch create mode 100644 queue-5.6/drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch create mode 100644 queue-5.6/drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch create mode 100644 queue-5.6/drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch create mode 100644 queue-5.6/ext4-fix-a-data-race-at-inode-i_blocks.patch create mode 100644 queue-5.6/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch create mode 100644 queue-5.6/ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch create mode 100644 queue-5.6/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch create mode 100644 queue-5.6/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch create mode 100644 queue-5.6/ipmi-fix-hung-processes-in-__get_guid.patch create mode 100644 queue-5.6/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch create mode 100644 queue-5.6/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch create mode 100644 queue-5.6/nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch create mode 100644 queue-5.6/nfs-fix-a-few-constant_table-array-definitions.patch create mode 100644 queue-5.6/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch create mode 100644 queue-5.6/nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch create mode 100644 queue-5.6/nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch create mode 100644 queue-5.6/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch create mode 100644 queue-5.6/perf-tools-support-python-3.8-in-makefile.patch create mode 100644 queue-5.6/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch create mode 100644 queue-5.6/s390-diag-fix-display-of-diagnose-call-statistics.patch create mode 100644 queue-5.6/scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch create mode 100644 queue-5.6/scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch create mode 100644 queue-5.6/scsi-ufs-fix-auto-hibern8-error-detection.patch create mode 100644 queue-5.6/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch create mode 100644 queue-5.6/selftests-powerpc-add-tlbie_test-in-.gitignore.patch create mode 100644 queue-5.6/selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch create mode 100644 queue-5.6/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch create mode 100644 queue-5.6/selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch create mode 100644 queue-5.6/vfio-platform-switch-to-platform_get_irq_optional.patch create mode 100644 queue-5.6/xarray-fix-early-termination-of-xas_for_each_marked.patch create mode 100644 queue-5.6/xarray-fix-xas_pause-for-large-multi-index-entries.patch create mode 100644 queue-5.6/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch diff --git a/queue-5.6/arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch b/queue-5.6/arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch new file mode 100644 index 00000000000..8c6fd130461 --- /dev/null +++ b/queue-5.6/arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch @@ -0,0 +1,45 @@ +From 32a1671ff8e84f0dfff3a50d4b2091d25e91f5e2 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 4 Mar 2020 15:37:26 +0100 +Subject: ARM: dts: exynos: Fix polarity of the LCD SPI bus on UniversalC210 board + +From: Marek Szyprowski + +commit 32a1671ff8e84f0dfff3a50d4b2091d25e91f5e2 upstream. + +Recent changes in the SPI core and the SPI-GPIO driver revealed that the +GPIO lines for the LD9040 LCD controller on the UniversalC210 board are +defined incorrectly. Fix the polarity for those lines to match the old +behavior and hardware requirements to fix LCD panel operation with +recent kernels. + +Cc: # 5.0.x +Signed-off-by: Marek Szyprowski +Reviewed-by: Andrzej Hajda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos4210-universal_c210.dts | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/exynos4210-universal_c210.dts ++++ b/arch/arm/boot/dts/exynos4210-universal_c210.dts +@@ -115,7 +115,7 @@ + gpio-sck = <&gpy3 1 GPIO_ACTIVE_HIGH>; + gpio-mosi = <&gpy3 3 GPIO_ACTIVE_HIGH>; + num-chipselects = <1>; +- cs-gpios = <&gpy4 3 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&gpy4 3 GPIO_ACTIVE_LOW>; + + lcd@0 { + compatible = "samsung,ld9040"; +@@ -124,8 +124,6 @@ + vci-supply = <&ldo17_reg>; + reset-gpios = <&gpy4 5 GPIO_ACTIVE_HIGH>; + spi-max-frequency = <1200000>; +- spi-cpol; +- spi-cpha; + power-on-delay = <10>; + reset-delay = <10>; + panel-width-mm = <90>; diff --git a/queue-5.6/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch b/queue-5.6/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch new file mode 100644 index 00000000000..9dee5161dd8 --- /dev/null +++ b/queue-5.6/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch @@ -0,0 +1,53 @@ +From fc2266011accd5aeb8ebc335c381991f20e26e33 Mon Sep 17 00:00:00 2001 +From: Fredrik Strupe +Date: Wed, 8 Apr 2020 13:29:41 +0200 +Subject: arm64: armv8_deprecated: Fix undef_hook mask for thumb setend + +From: Fredrik Strupe + +commit fc2266011accd5aeb8ebc335c381991f20e26e33 upstream. + +For thumb instructions, call_undef_hook() in traps.c first reads a u16, +and if the u16 indicates a T32 instruction (u16 >= 0xe800), a second +u16 is read, which then makes up the the lower half-word of a T32 +instruction. For T16 instructions, the second u16 is not read, +which makes the resulting u32 opcode always have the upper half set to +0. + +However, having the upper half of instr_mask in the undef_hook set to 0 +masks out the upper half of all thumb instructions - both T16 and T32. +This results in trapped T32 instructions with the lower half-word equal +to the T16 encoding of setend (b650) being matched, even though the upper +half-word is not 0000 and thus indicates a T32 opcode. + +An example of such a T32 instruction is eaa0b650, which should raise a +SIGILL since T32 instructions with an eaa prefix are unallocated as per +Arm ARM, but instead works as a SETEND because the second half-word is set +to b650. + +This patch fixes the issue by extending instr_mask to include the +upper u32 half, which will still match T16 instructions where the upper +half is 0, but not T32 instructions. + +Fixes: 2d888f48e056 ("arm64: Emulate SETEND for AArch32 tasks") +Cc: # 4.0.x- +Reviewed-by: Suzuki K Poulose +Signed-off-by: Fredrik Strupe +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/armv8_deprecated.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -601,7 +601,7 @@ static struct undef_hook setend_hooks[] + }, + { + /* Thumb mode */ +- .instr_mask = 0x0000fff7, ++ .instr_mask = 0xfffffff7, + .instr_val = 0x0000b650, + .pstate_mask = (PSR_AA32_T_BIT | PSR_AA32_MODE_MASK), + .pstate_val = (PSR_AA32_T_BIT | PSR_AA32_MODE_USR), diff --git a/queue-5.6/arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch b/queue-5.6/arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch new file mode 100644 index 00000000000..b1220c16222 --- /dev/null +++ b/queue-5.6/arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch @@ -0,0 +1,45 @@ +From a81e5442d796ccfa2cc97d205a5477053264d978 Mon Sep 17 00:00:00 2001 +From: Dave Gerlach +Date: Wed, 11 Mar 2020 16:41:11 +0200 +Subject: arm64: dts: ti: k3-am65: Add clocks to dwc3 nodes + +From: Dave Gerlach + +commit a81e5442d796ccfa2cc97d205a5477053264d978 upstream. + +The TI sci-clk driver can scan the DT for all clocks provided by system +firmware and does this by checking the clocks property of all nodes, so +we must add this to the dwc3 nodes so USB clocks are available. + +Without this USB does not work with latest system firmware i.e. +[ 1.714662] clk: couldn't get parent clock 0 for /interconnect@100000/dwc3@4020000 + +Fixes: cc54a99464ccd ("arm64: dts: ti: k3-am6: add USB suppor") +Signed-off-by: Dave Gerlach +Signed-off-by: Roger Quadros +Cc: stable@kernel.org +Signed-off-by: Tero Kristo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi +@@ -296,6 +296,7 @@ + interrupts = ; + dma-coherent; + power-domains = <&k3_pds 151 TI_SCI_PD_EXCLUSIVE>; ++ clocks = <&k3_clks 151 2>, <&k3_clks 151 7>; + assigned-clocks = <&k3_clks 151 2>, <&k3_clks 151 7>; + assigned-clock-parents = <&k3_clks 151 4>, /* set REF_CLK to 20MHz i.e. PER0_PLL/48 */ + <&k3_clks 151 9>; /* set PIPE3_TXB_CLK to CLK_12M_RC/256 (for HS only) */ +@@ -335,6 +336,7 @@ + interrupts = ; + dma-coherent; + power-domains = <&k3_pds 152 TI_SCI_PD_EXCLUSIVE>; ++ clocks = <&k3_clks 152 2>; + assigned-clocks = <&k3_clks 152 2>; + assigned-clock-parents = <&k3_clks 152 4>; /* set REF_CLK to 20MHz i.e. PER0_PLL/48 */ + diff --git a/queue-5.6/asoc-cs4270-pull-reset-gpio-low-then-high.patch b/queue-5.6/asoc-cs4270-pull-reset-gpio-low-then-high.patch new file mode 100644 index 00000000000..817af8533d7 --- /dev/null +++ b/queue-5.6/asoc-cs4270-pull-reset-gpio-low-then-high.patch @@ -0,0 +1,101 @@ +From ccfc531695f3a4aada042f6bdb33ac6be24e1aec Mon Sep 17 00:00:00 2001 +From: Mike Willard +Date: Wed, 1 Apr 2020 20:54:54 +0000 +Subject: ASoC: cs4270: pull reset GPIO low then high + +From: Mike Willard + +commit ccfc531695f3a4aada042f6bdb33ac6be24e1aec upstream. + +Pull the RST line low then high when initializing the driver, +in order to force a reset of the chip. +Previously, the line was not pulled low, which could result in +the chip registers not resetting to their default values on boot. + +Signed-off-by: Mike Willard +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200401205454.79792-1-mwillard@izotope.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/cs4270.c | 40 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 35 insertions(+), 5 deletions(-) + +--- a/sound/soc/codecs/cs4270.c ++++ b/sound/soc/codecs/cs4270.c +@@ -137,6 +137,9 @@ struct cs4270_private { + + /* power domain regulators */ + struct regulator_bulk_data supplies[ARRAY_SIZE(supply_names)]; ++ ++ /* reset gpio */ ++ struct gpio_desc *reset_gpio; + }; + + static const struct snd_soc_dapm_widget cs4270_dapm_widgets[] = { +@@ -649,6 +652,22 @@ static const struct regmap_config cs4270 + }; + + /** ++ * cs4270_i2c_remove - deinitialize the I2C interface of the CS4270 ++ * @i2c_client: the I2C client object ++ * ++ * This function puts the chip into low power mode when the i2c device ++ * is removed. ++ */ ++static int cs4270_i2c_remove(struct i2c_client *i2c_client) ++{ ++ struct cs4270_private *cs4270 = i2c_get_clientdata(i2c_client); ++ ++ gpiod_set_value_cansleep(cs4270->reset_gpio, 0); ++ ++ return 0; ++} ++ ++/** + * cs4270_i2c_probe - initialize the I2C interface of the CS4270 + * @i2c_client: the I2C client object + * @id: the I2C device ID (ignored) +@@ -660,7 +679,6 @@ static int cs4270_i2c_probe(struct i2c_c + const struct i2c_device_id *id) + { + struct cs4270_private *cs4270; +- struct gpio_desc *reset_gpiod; + unsigned int val; + int ret, i; + +@@ -679,10 +697,21 @@ static int cs4270_i2c_probe(struct i2c_c + if (ret < 0) + return ret; + +- reset_gpiod = devm_gpiod_get_optional(&i2c_client->dev, "reset", +- GPIOD_OUT_HIGH); +- if (PTR_ERR(reset_gpiod) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ /* reset the device */ ++ cs4270->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev, "reset", ++ GPIOD_OUT_LOW); ++ if (IS_ERR(cs4270->reset_gpio)) { ++ dev_dbg(&i2c_client->dev, "Error getting CS4270 reset GPIO\n"); ++ return PTR_ERR(cs4270->reset_gpio); ++ } ++ ++ if (cs4270->reset_gpio) { ++ dev_dbg(&i2c_client->dev, "Found reset GPIO\n"); ++ gpiod_set_value_cansleep(cs4270->reset_gpio, 1); ++ } ++ ++ /* Sleep 500ns before i2c communications */ ++ ndelay(500); + + cs4270->regmap = devm_regmap_init_i2c(i2c_client, &cs4270_regmap); + if (IS_ERR(cs4270->regmap)) +@@ -735,6 +764,7 @@ static struct i2c_driver cs4270_i2c_driv + }, + .id_table = cs4270_id, + .probe = cs4270_i2c_probe, ++ .remove = cs4270_i2c_remove, + }; + + module_i2c_driver(cs4270_i2c_driver); diff --git a/queue-5.6/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch b/queue-5.6/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch new file mode 100644 index 00000000000..515d1f4b9b4 --- /dev/null +++ b/queue-5.6/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch @@ -0,0 +1,39 @@ +From c067b46d731a764fc46ecc466c2967088c97089e Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Thu, 13 Feb 2020 13:19:51 -0300 +Subject: clk: ingenic/jz4770: Exit with error if CGU init failed + +From: Paul Cercueil + +commit c067b46d731a764fc46ecc466c2967088c97089e upstream. + +Exit jz4770_cgu_init() if the 'cgu' pointer we get is NULL, since the +pointer is passed as argument to functions later on. + +Fixes: 7a01c19007ad ("clk: Add Ingenic jz4770 CGU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Paul Cercueil +Reported-by: kbuild test robot +Reported-by: Dan Carpenter +Link: https://lkml.kernel.org/r/20200213161952.37460-1-paul@crapouillou.net +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ingenic/jz4770-cgu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/clk/ingenic/jz4770-cgu.c ++++ b/drivers/clk/ingenic/jz4770-cgu.c +@@ -432,8 +432,10 @@ static void __init jz4770_cgu_init(struc + + cgu = ingenic_cgu_new(jz4770_cgu_clocks, + ARRAY_SIZE(jz4770_cgu_clocks), np); +- if (!cgu) ++ if (!cgu) { + pr_err("%s: failed to initialise CGU\n", __func__); ++ return; ++ } + + retval = ingenic_cgu_register_clocks(cgu); + if (retval) diff --git a/queue-5.6/clk-ingenic-tcu-fix-round_rate-returning-error.patch b/queue-5.6/clk-ingenic-tcu-fix-round_rate-returning-error.patch new file mode 100644 index 00000000000..6d7c68dbe14 --- /dev/null +++ b/queue-5.6/clk-ingenic-tcu-fix-round_rate-returning-error.patch @@ -0,0 +1,34 @@ +From edcc42945dee85e9dec3737f3dbf59d917ae5418 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Thu, 13 Feb 2020 13:19:52 -0300 +Subject: clk: ingenic/TCU: Fix round_rate returning error + +From: Paul Cercueil + +commit edcc42945dee85e9dec3737f3dbf59d917ae5418 upstream. + +When requesting a rate superior to the parent's rate, it would return +-EINVAL instead of simply returning the parent's rate like it should. + +Fixes: 4f89e4b8f121 ("clk: ingenic: Add driver for the TCU clocks") +Cc: stable@vger.kernel.org +Signed-off-by: Paul Cercueil +Link: https://lkml.kernel.org/r/20200213161952.37460-2-paul@crapouillou.net +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ingenic/tcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/ingenic/tcu.c ++++ b/drivers/clk/ingenic/tcu.c +@@ -189,7 +189,7 @@ static long ingenic_tcu_round_rate(struc + u8 prescale; + + if (req_rate > rate) +- return -EINVAL; ++ return rate; + + prescale = ingenic_tcu_get_prescale(rate, req_rate); + diff --git a/queue-5.6/cpufreq-powernv-fix-use-after-free.patch b/queue-5.6/cpufreq-powernv-fix-use-after-free.patch new file mode 100644 index 00000000000..8e19c135ef5 --- /dev/null +++ b/queue-5.6/cpufreq-powernv-fix-use-after-free.patch @@ -0,0 +1,46 @@ +From d0a72efac89d1c35ac55197895201b7b94c5e6ef Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 6 Feb 2020 17:26:21 +1100 +Subject: cpufreq: powernv: Fix use-after-free + +From: Oliver O'Halloran + +commit d0a72efac89d1c35ac55197895201b7b94c5e6ef upstream. + +The cpufreq driver has a use-after-free that we can hit if: + +a) There's an OCC message pending when the notifier is registered, and +b) The cpufreq driver fails to register with the core. + +When a) occurs the notifier schedules a workqueue item to handle the +message. The backing work_struct is located on chips[].throttle and +when b) happens we clean up by freeing the array. Once we get to +the (now free) queued item and the kernel crashes. + +Fixes: c5e29ea7ac14 ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Oliver O'Halloran +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200206062622.28235-1-oohall@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/powernv-cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -1080,6 +1080,12 @@ free_and_return: + + static inline void clean_chip_info(void) + { ++ int i; ++ ++ /* flush any pending work items */ ++ if (chips) ++ for (i = 0; i < nr_chips; i++) ++ cancel_work_sync(&chips[i].throttle); + kfree(chips); + } + diff --git a/queue-5.6/crypto-caam-qi2-fix-chacha20-data-size-error.patch b/queue-5.6/crypto-caam-qi2-fix-chacha20-data-size-error.patch new file mode 100644 index 00000000000..f9bfabef554 --- /dev/null +++ b/queue-5.6/crypto-caam-qi2-fix-chacha20-data-size-error.patch @@ -0,0 +1,87 @@ +From 3a5a9e1ef37b030b836d92df8264f840988f4a38 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Fri, 28 Feb 2020 08:51:23 +0200 +Subject: crypto: caam/qi2 - fix chacha20 data size error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 3a5a9e1ef37b030b836d92df8264f840988f4a38 upstream. + +HW generates a Data Size error for chacha20 requests that are not +a multiple of 64B, since algorithm state (AS) does not have +the FINAL bit set. + +Since updating req->iv (for chaining) is not required, +modify skcipher descriptors to set the FINAL bit for chacha20. + +[Note that for skcipher decryption we know that ctx1_iv_off is 0, +which allows for an optimization by not checking algorithm type, +since append_dec_op1() sets FINAL bit for all algorithms except AES.] + +Also drop the descriptor operations that save the IV. +However, in order to keep code logic simple, things like +S/G tables generation etc. are not touched. + +Cc: # v5.3+ +Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support") +Signed-off-by: Horia Geantă +Tested-by: Valentin Ciocoi Radulescu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/caam/caamalg_desc.c ++++ b/drivers/crypto/caam/caamalg_desc.c +@@ -1379,6 +1379,9 @@ void cnstr_shdsc_skcipher_encap(u32 * co + const u32 ctx1_iv_off) + { + u32 *key_jump_cmd; ++ u32 options = cdata->algtype | OP_ALG_AS_INIT | OP_ALG_ENCRYPT; ++ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) == ++ OP_ALG_ALGSEL_CHACHA20); + + init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); + /* Skip if already shared */ +@@ -1417,14 +1420,15 @@ void cnstr_shdsc_skcipher_encap(u32 * co + LDST_OFFSET_SHIFT)); + + /* Load operation */ +- append_operation(desc, cdata->algtype | OP_ALG_AS_INIT | +- OP_ALG_ENCRYPT); ++ if (is_chacha20) ++ options |= OP_ALG_AS_FINALIZE; ++ append_operation(desc, options); + + /* Perform operation */ + skcipher_append_src_dst(desc); + + /* Store IV */ +- if (ivsize) ++ if (!is_chacha20 && ivsize) + append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | + LDST_CLASS_1_CCB | (ctx1_iv_off << + LDST_OFFSET_SHIFT)); +@@ -1451,6 +1455,8 @@ void cnstr_shdsc_skcipher_decap(u32 * co + const u32 ctx1_iv_off) + { + u32 *key_jump_cmd; ++ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) == ++ OP_ALG_ALGSEL_CHACHA20); + + init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); + /* Skip if already shared */ +@@ -1499,7 +1505,7 @@ void cnstr_shdsc_skcipher_decap(u32 * co + skcipher_append_src_dst(desc); + + /* Store IV */ +- if (ivsize) ++ if (!is_chacha20 && ivsize) + append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | + LDST_CLASS_1_CCB | (ctx1_iv_off << + LDST_OFFSET_SHIFT)); diff --git a/queue-5.6/crypto-caam-update-xts-sector-size-for-large-input-length.patch b/queue-5.6/crypto-caam-update-xts-sector-size-for-large-input-length.patch new file mode 100644 index 00000000000..3ec03780743 --- /dev/null +++ b/queue-5.6/crypto-caam-update-xts-sector-size-for-large-input-length.patch @@ -0,0 +1,62 @@ +From 3f142b6a7b573bde6cff926f246da05652c61eb4 Mon Sep 17 00:00:00 2001 +From: Andrei Botila +Date: Fri, 28 Feb 2020 12:46:48 +0200 +Subject: crypto: caam - update xts sector size for large input length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Botila + +commit 3f142b6a7b573bde6cff926f246da05652c61eb4 upstream. + +Since in the software implementation of XTS-AES there is +no notion of sector every input length is processed the same way. +CAAM implementation has the notion of sector which causes different +results between the software implementation and the one in CAAM +for input lengths bigger than 512 bytes. +Increase sector size to maximum value on 16 bits. + +Fixes: c6415a6016bf ("crypto: caam - add support for acipher xts(aes)") +Cc: # v4.12+ +Signed-off-by: Andrei Botila +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg_desc.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/caam/caamalg_desc.c ++++ b/drivers/crypto/caam/caamalg_desc.c +@@ -1524,7 +1524,13 @@ EXPORT_SYMBOL(cnstr_shdsc_skcipher_decap + */ + void cnstr_shdsc_xts_skcipher_encap(u32 * const desc, struct alginfo *cdata) + { +- __be64 sector_size = cpu_to_be64(512); ++ /* ++ * Set sector size to a big value, practically disabling ++ * sector size segmentation in xts implementation. We cannot ++ * take full advantage of this HW feature with existing ++ * crypto API / dm-crypt SW architecture. ++ */ ++ __be64 sector_size = cpu_to_be64(BIT(15)); + u32 *key_jump_cmd; + + init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); +@@ -1577,7 +1583,13 @@ EXPORT_SYMBOL(cnstr_shdsc_xts_skcipher_e + */ + void cnstr_shdsc_xts_skcipher_decap(u32 * const desc, struct alginfo *cdata) + { +- __be64 sector_size = cpu_to_be64(512); ++ /* ++ * Set sector size to a big value, practically disabling ++ * sector size segmentation in xts implementation. We cannot ++ * take full advantage of this HW feature with existing ++ * crypto API / dm-crypt SW architecture. ++ */ ++ __be64 sector_size = cpu_to_be64(BIT(15)); + u32 *key_jump_cmd; + + init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); diff --git a/queue-5.6/crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch b/queue-5.6/crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch new file mode 100644 index 00000000000..ae93fa97bce --- /dev/null +++ b/queue-5.6/crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch @@ -0,0 +1,41 @@ +From 8962c6d2c2b8ca51b0f188109015b15fc5f4da44 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Sun, 2 Feb 2020 18:19:14 +0200 +Subject: crypto: ccree - dec auth tag size from cryptlen map + +From: Gilad Ben-Yossef + +commit 8962c6d2c2b8ca51b0f188109015b15fc5f4da44 upstream. + +Remove the auth tag size from cryptlen before mapping the destination +in out-of-place AEAD decryption thus resolving a crash with +extended testmgr tests. + +Signed-off-by: Gilad Ben-Yossef +Reported-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v4.19+ +Tested-by: Geert Uytterhoeven +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_buffer_mgr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/ccree/cc_buffer_mgr.c ++++ b/drivers/crypto/ccree/cc_buffer_mgr.c +@@ -894,8 +894,12 @@ static int cc_aead_chain_data(struct cc_ + + if (req->src != req->dst) { + size_for_map = areq_ctx->assoclen + req->cryptlen; +- size_for_map += (direct == DRV_CRYPTO_DIRECTION_ENCRYPT) ? +- authsize : 0; ++ ++ if (direct == DRV_CRYPTO_DIRECTION_ENCRYPT) ++ size_for_map += authsize; ++ else ++ size_for_map -= authsize; ++ + if (is_gcm4543) + size_for_map += crypto_aead_ivsize(tfm); + diff --git a/queue-5.6/crypto-ccree-only-try-to-map-auth-tag-if-needed.patch b/queue-5.6/crypto-ccree-only-try-to-map-auth-tag-if-needed.patch new file mode 100644 index 00000000000..2b20cdfb18a --- /dev/null +++ b/queue-5.6/crypto-ccree-only-try-to-map-auth-tag-if-needed.patch @@ -0,0 +1,41 @@ +From 504e84abec7a635b861afd8d7f92ecd13eaa2b09 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Wed, 29 Jan 2020 16:37:55 +0200 +Subject: crypto: ccree - only try to map auth tag if needed + +From: Gilad Ben-Yossef + +commit 504e84abec7a635b861afd8d7f92ecd13eaa2b09 upstream. + +Make sure to only add the size of the auth tag to the source mapping +for encryption if it is an in-place operation. Failing to do this +previously caused us to try and map auth size len bytes from a NULL +mapping and crashing if both the cryptlen and assoclen are zero. + +Reported-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Signed-off-by: Gilad Ben-Yossef +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_buffer_mgr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/ccree/cc_buffer_mgr.c ++++ b/drivers/crypto/ccree/cc_buffer_mgr.c +@@ -1109,9 +1109,11 @@ int cc_map_aead_request(struct cc_drvdat + } + + size_to_map = req->cryptlen + areq_ctx->assoclen; +- if (areq_ctx->gen_ctx.op_type == DRV_CRYPTO_DIRECTION_ENCRYPT) ++ /* If we do in-place encryption, we also need the auth tag */ ++ if ((areq_ctx->gen_ctx.op_type == DRV_CRYPTO_DIRECTION_ENCRYPT) && ++ (req->src == req->dst)) { + size_to_map += authsize; +- ++ } + if (is_gcm4543) + size_to_map += crypto_aead_ivsize(tfm); + rc = cc_map_sg(dev, req->src, size_to_map, DMA_BIDIRECTIONAL, diff --git a/queue-5.6/crypto-ccree-protect-against-empty-or-null-scatterlists.patch b/queue-5.6/crypto-ccree-protect-against-empty-or-null-scatterlists.patch new file mode 100644 index 00000000000..bce1c02ee5e --- /dev/null +++ b/queue-5.6/crypto-ccree-protect-against-empty-or-null-scatterlists.patch @@ -0,0 +1,163 @@ +From ce0fc6db38decf0d2919bfe783de6d6b76e421a9 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Wed, 29 Jan 2020 16:37:54 +0200 +Subject: crypto: ccree - protect against empty or NULL scatterlists + +From: Gilad Ben-Yossef + +commit ce0fc6db38decf0d2919bfe783de6d6b76e421a9 upstream. + +Deal gracefully with a NULL or empty scatterlist which can happen +if both cryptlen and assoclen are zero and we're doing in-place +AEAD encryption. + +This fixes a crash when this causes us to try and map a NULL page, +at least with some platforms / DMA mapping configs. + +Cc: stable@vger.kernel.org # v4.19+ +Reported-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_buffer_mgr.c | 62 +++++++++++++++-------------------- + drivers/crypto/ccree/cc_buffer_mgr.h | 1 + 2 files changed, 28 insertions(+), 35 deletions(-) + +--- a/drivers/crypto/ccree/cc_buffer_mgr.c ++++ b/drivers/crypto/ccree/cc_buffer_mgr.c +@@ -87,6 +87,8 @@ static unsigned int cc_get_sgl_nents(str + { + unsigned int nents = 0; + ++ *lbytes = 0; ++ + while (nbytes && sg_list) { + nents++; + /* get the number of bytes in the last entry */ +@@ -95,6 +97,7 @@ static unsigned int cc_get_sgl_nents(str + nbytes : sg_list->length; + sg_list = sg_next(sg_list); + } ++ + dev_dbg(dev, "nents %d last bytes %d\n", nents, *lbytes); + return nents; + } +@@ -290,37 +293,25 @@ static int cc_map_sg(struct device *dev, + unsigned int nbytes, int direction, u32 *nents, + u32 max_sg_nents, u32 *lbytes, u32 *mapped_nents) + { +- if (sg_is_last(sg)) { +- /* One entry only case -set to DLLI */ +- if (dma_map_sg(dev, sg, 1, direction) != 1) { +- dev_err(dev, "dma_map_sg() single buffer failed\n"); +- return -ENOMEM; +- } +- dev_dbg(dev, "Mapped sg: dma_address=%pad page=%p addr=%pK offset=%u length=%u\n", +- &sg_dma_address(sg), sg_page(sg), sg_virt(sg), +- sg->offset, sg->length); +- *lbytes = nbytes; +- *nents = 1; +- *mapped_nents = 1; +- } else { /*sg_is_last*/ +- *nents = cc_get_sgl_nents(dev, sg, nbytes, lbytes); +- if (*nents > max_sg_nents) { +- *nents = 0; +- dev_err(dev, "Too many fragments. current %d max %d\n", +- *nents, max_sg_nents); +- return -ENOMEM; +- } +- /* In case of mmu the number of mapped nents might +- * be changed from the original sgl nents +- */ +- *mapped_nents = dma_map_sg(dev, sg, *nents, direction); +- if (*mapped_nents == 0) { +- *nents = 0; +- dev_err(dev, "dma_map_sg() sg buffer failed\n"); +- return -ENOMEM; +- } ++ int ret = 0; ++ ++ *nents = cc_get_sgl_nents(dev, sg, nbytes, lbytes); ++ if (*nents > max_sg_nents) { ++ *nents = 0; ++ dev_err(dev, "Too many fragments. current %d max %d\n", ++ *nents, max_sg_nents); ++ return -ENOMEM; + } + ++ ret = dma_map_sg(dev, sg, *nents, direction); ++ if (dma_mapping_error(dev, ret)) { ++ *nents = 0; ++ dev_err(dev, "dma_map_sg() sg buffer failed %d\n", ret); ++ return -ENOMEM; ++ } ++ ++ *mapped_nents = ret; ++ + return 0; + } + +@@ -555,11 +546,12 @@ void cc_unmap_aead_request(struct device + sg_virt(req->src), areq_ctx->src.nents, areq_ctx->assoc.nents, + areq_ctx->assoclen, req->cryptlen); + +- dma_unmap_sg(dev, req->src, sg_nents(req->src), DMA_BIDIRECTIONAL); ++ dma_unmap_sg(dev, req->src, areq_ctx->src.mapped_nents, ++ DMA_BIDIRECTIONAL); + if (req->src != req->dst) { + dev_dbg(dev, "Unmapping dst sgl: req->dst=%pK\n", + sg_virt(req->dst)); +- dma_unmap_sg(dev, req->dst, sg_nents(req->dst), ++ dma_unmap_sg(dev, req->dst, areq_ctx->dst.mapped_nents, + DMA_BIDIRECTIONAL); + } + if (drvdata->coherent && +@@ -881,7 +873,7 @@ static int cc_aead_chain_data(struct cc_ + &src_last_bytes); + sg_index = areq_ctx->src_sgl->length; + //check where the data starts +- while (sg_index <= size_to_skip) { ++ while (src_mapped_nents && (sg_index <= size_to_skip)) { + src_mapped_nents--; + offset -= areq_ctx->src_sgl->length; + sgl = sg_next(areq_ctx->src_sgl); +@@ -908,7 +900,7 @@ static int cc_aead_chain_data(struct cc_ + size_for_map += crypto_aead_ivsize(tfm); + + rc = cc_map_sg(dev, req->dst, size_for_map, DMA_BIDIRECTIONAL, +- &areq_ctx->dst.nents, ++ &areq_ctx->dst.mapped_nents, + LLI_MAX_NUM_OF_DATA_ENTRIES, &dst_last_bytes, + &dst_mapped_nents); + if (rc) +@@ -921,7 +913,7 @@ static int cc_aead_chain_data(struct cc_ + offset = size_to_skip; + + //check where the data starts +- while (sg_index <= size_to_skip) { ++ while (dst_mapped_nents && sg_index <= size_to_skip) { + dst_mapped_nents--; + offset -= areq_ctx->dst_sgl->length; + sgl = sg_next(areq_ctx->dst_sgl); +@@ -1123,7 +1115,7 @@ int cc_map_aead_request(struct cc_drvdat + if (is_gcm4543) + size_to_map += crypto_aead_ivsize(tfm); + rc = cc_map_sg(dev, req->src, size_to_map, DMA_BIDIRECTIONAL, +- &areq_ctx->src.nents, ++ &areq_ctx->src.mapped_nents, + (LLI_MAX_NUM_OF_ASSOC_DATA_ENTRIES + + LLI_MAX_NUM_OF_DATA_ENTRIES), + &dummy, &mapped_nents); +--- a/drivers/crypto/ccree/cc_buffer_mgr.h ++++ b/drivers/crypto/ccree/cc_buffer_mgr.h +@@ -25,6 +25,7 @@ enum cc_sg_cpy_direct { + + struct cc_mlli { + cc_sram_addr_t sram_addr; ++ unsigned int mapped_nents; + unsigned int nents; //sg nents + unsigned int mlli_nents; //mlli nents might be different than the above + }; diff --git a/queue-5.6/dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch b/queue-5.6/dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch new file mode 100644 index 00000000000..5c3461f69f5 --- /dev/null +++ b/queue-5.6/dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch @@ -0,0 +1,63 @@ +From 9fc06ff56845cc5ccafec52f545fc2e08d22f849 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Fri, 27 Mar 2020 16:01:10 +0200 +Subject: dm clone: Add missing casts to prevent overflows and data corruption + +From: Nikos Tsironis + +commit 9fc06ff56845cc5ccafec52f545fc2e08d22f849 upstream. + +Add missing casts when converting from regions to sectors. + +In case BITS_PER_LONG == 32, the lack of the appropriate casts can lead +to overflows and miscalculation of the device sector. + +As a result, we could end up discarding and/or copying the wrong parts +of the device, thus corrupting the device's data. + +Fixes: 7431b7835f55 ("dm: add clone target") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-clone-target.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-clone-target.c ++++ b/drivers/md/dm-clone-target.c +@@ -282,7 +282,7 @@ static bool bio_triggers_commit(struct c + /* Get the address of the region in sectors */ + static inline sector_t region_to_sector(struct clone *clone, unsigned long region_nr) + { +- return (region_nr << clone->region_shift); ++ return ((sector_t)region_nr << clone->region_shift); + } + + /* Get the region number of the bio */ +@@ -471,7 +471,7 @@ static void complete_discard_bio(struct + if (test_bit(DM_CLONE_DISCARD_PASSDOWN, &clone->flags) && success) { + remap_to_dest(clone, bio); + bio_region_range(clone, bio, &rs, &nr_regions); +- trim_bio(bio, rs << clone->region_shift, ++ trim_bio(bio, region_to_sector(clone, rs), + nr_regions << clone->region_shift); + generic_make_request(bio); + } else +@@ -804,11 +804,14 @@ static void hydration_copy(struct dm_clo + struct dm_io_region from, to; + struct clone *clone = hd->clone; + ++ if (WARN_ON(!nr_regions)) ++ return; ++ + region_size = clone->region_size; + region_start = hd->region_nr; + region_end = region_start + nr_regions - 1; + +- total_size = (nr_regions - 1) << clone->region_shift; ++ total_size = region_to_sector(clone, nr_regions - 1); + + if (region_end == clone->nr_regions - 1) { + /* diff --git a/queue-5.6/dm-clone-add-overflow-check-for-number-of-regions.patch b/queue-5.6/dm-clone-add-overflow-check-for-number-of-regions.patch new file mode 100644 index 00000000000..cf0b615793c --- /dev/null +++ b/queue-5.6/dm-clone-add-overflow-check-for-number-of-regions.patch @@ -0,0 +1,58 @@ +From cd481c12269b4d276f1a52eda0ebd419079bfe3a Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Fri, 27 Mar 2020 16:01:09 +0200 +Subject: dm clone: Add overflow check for number of regions + +From: Nikos Tsironis + +commit cd481c12269b4d276f1a52eda0ebd419079bfe3a upstream. + +Add overflow check for clone->nr_regions variable, which holds the +number of regions of the target. + +The overflow can occur with sufficiently large devices, if BITS_PER_LONG +== 32. E.g., if the region size is 8 sectors (4K), the overflow would +occur for device sizes > 34359738360 sectors (~16TB). + +This could result in multiple device sectors wrongly mapping to the same +region number, due to the truncation from 64 bits to 32 bits, which +would lead to data corruption. + +Fixes: 7431b7835f55 ("dm: add clone target") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-clone-target.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-clone-target.c ++++ b/drivers/md/dm-clone-target.c +@@ -1790,6 +1790,7 @@ error: + static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv) + { + int r; ++ sector_t nr_regions; + struct clone *clone; + struct dm_arg_set as; + +@@ -1831,7 +1832,16 @@ static int clone_ctr(struct dm_target *t + goto out_with_source_dev; + + clone->region_shift = __ffs(clone->region_size); +- clone->nr_regions = dm_sector_div_up(ti->len, clone->region_size); ++ nr_regions = dm_sector_div_up(ti->len, clone->region_size); ++ ++ /* Check for overflow */ ++ if (nr_regions != (unsigned long)nr_regions) { ++ ti->error = "Too many regions. Consider increasing the region size"; ++ r = -EOVERFLOW; ++ goto out_with_source_dev; ++ } ++ ++ clone->nr_regions = nr_regions; + + r = validate_nr_regions(clone->nr_regions, &ti->error); + if (r) diff --git a/queue-5.6/dm-clone-fix-handling-of-partial-region-discards.patch b/queue-5.6/dm-clone-fix-handling-of-partial-region-discards.patch new file mode 100644 index 00000000000..158ae71e4ad --- /dev/null +++ b/queue-5.6/dm-clone-fix-handling-of-partial-region-discards.patch @@ -0,0 +1,200 @@ +From 4b5142905d4ff58a4b93f7c8eaa7ba829c0a53c9 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Fri, 27 Mar 2020 16:01:08 +0200 +Subject: dm clone: Fix handling of partial region discards + +From: Nikos Tsironis + +commit 4b5142905d4ff58a4b93f7c8eaa7ba829c0a53c9 upstream. + +There is a bug in the way dm-clone handles discards, which can lead to +discarding the wrong blocks or trying to discard blocks beyond the end +of the device. + +This could lead to data corruption, if the destination device indeed +discards the underlying blocks, i.e., if the discard operation results +in the original contents of a block to be lost. + +The root of the problem is the code that calculates the range of regions +covered by a discard request and decides which regions to discard. + +Since dm-clone handles the device in units of regions, we don't discard +parts of a region, only whole regions. + +The range is calculated as: + + rs = dm_sector_div_up(bio->bi_iter.bi_sector, clone->region_size); + re = bio_end_sector(bio) >> clone->region_shift; + +, where 'rs' is the first region to discard and (re - rs) is the number +of regions to discard. + +The bug manifests when we try to discard part of a single region, i.e., +when we try to discard a block with size < region_size, and the discard +request both starts at an offset with respect to the beginning of that +region and ends before the end of the region. + +The root cause is the following comparison: + + if (rs == re) + // skip discard and complete original bio immediately + +, which doesn't take into account that 'rs' might be greater than 're'. + +Thus, we then issue a discard request for the wrong blocks, instead of +skipping the discard all together. + +Fix the check to also take into account the above case, so we don't end +up discarding the wrong blocks. + +Also, add some range checks to dm_clone_set_region_hydrated() and +dm_clone_cond_set_range(), which update dm-clone's region bitmap. + +Note that the aforementioned bug doesn't cause invalid memory accesses, +because dm_clone_is_range_hydrated() returns True for this case, so the +checks are just precautionary. + +Fixes: 7431b7835f55 ("dm: add clone target") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-clone-metadata.c | 13 ++++++++++++ + drivers/md/dm-clone-target.c | 43 +++++++++++++++++++++++++++-------------- + 2 files changed, 42 insertions(+), 14 deletions(-) + +--- a/drivers/md/dm-clone-metadata.c ++++ b/drivers/md/dm-clone-metadata.c +@@ -850,6 +850,12 @@ int dm_clone_set_region_hydrated(struct + struct dirty_map *dmap; + unsigned long word, flags; + ++ if (unlikely(region_nr >= cmd->nr_regions)) { ++ DMERR("Region %lu out of range (total number of regions %lu)", ++ region_nr, cmd->nr_regions); ++ return -ERANGE; ++ } ++ + word = region_nr / BITS_PER_LONG; + + spin_lock_irqsave(&cmd->bitmap_lock, flags); +@@ -879,6 +885,13 @@ int dm_clone_cond_set_range(struct dm_cl + struct dirty_map *dmap; + unsigned long word, region_nr; + ++ if (unlikely(start >= cmd->nr_regions || (start + nr_regions) < start || ++ (start + nr_regions) > cmd->nr_regions)) { ++ DMERR("Invalid region range: start %lu, nr_regions %lu (total number of regions %lu)", ++ start, nr_regions, cmd->nr_regions); ++ return -ERANGE; ++ } ++ + spin_lock_irq(&cmd->bitmap_lock); + + if (cmd->read_only) { +--- a/drivers/md/dm-clone-target.c ++++ b/drivers/md/dm-clone-target.c +@@ -293,10 +293,17 @@ static inline unsigned long bio_to_regio + + /* Get the region range covered by the bio */ + static void bio_region_range(struct clone *clone, struct bio *bio, +- unsigned long *rs, unsigned long *re) ++ unsigned long *rs, unsigned long *nr_regions) + { ++ unsigned long end; ++ + *rs = dm_sector_div_up(bio->bi_iter.bi_sector, clone->region_size); +- *re = bio_end_sector(bio) >> clone->region_shift; ++ end = bio_end_sector(bio) >> clone->region_shift; ++ ++ if (*rs >= end) ++ *nr_regions = 0; ++ else ++ *nr_regions = end - *rs; + } + + /* Check whether a bio overwrites a region */ +@@ -454,7 +461,7 @@ static void trim_bio(struct bio *bio, se + + static void complete_discard_bio(struct clone *clone, struct bio *bio, bool success) + { +- unsigned long rs, re; ++ unsigned long rs, nr_regions; + + /* + * If the destination device supports discards, remap and trim the +@@ -463,9 +470,9 @@ static void complete_discard_bio(struct + */ + if (test_bit(DM_CLONE_DISCARD_PASSDOWN, &clone->flags) && success) { + remap_to_dest(clone, bio); +- bio_region_range(clone, bio, &rs, &re); ++ bio_region_range(clone, bio, &rs, &nr_regions); + trim_bio(bio, rs << clone->region_shift, +- (re - rs) << clone->region_shift); ++ nr_regions << clone->region_shift); + generic_make_request(bio); + } else + bio_endio(bio); +@@ -473,12 +480,21 @@ static void complete_discard_bio(struct + + static void process_discard_bio(struct clone *clone, struct bio *bio) + { +- unsigned long rs, re; ++ unsigned long rs, nr_regions; + +- bio_region_range(clone, bio, &rs, &re); +- BUG_ON(re > clone->nr_regions); ++ bio_region_range(clone, bio, &rs, &nr_regions); ++ if (!nr_regions) { ++ bio_endio(bio); ++ return; ++ } + +- if (unlikely(rs == re)) { ++ if (WARN_ON(rs >= clone->nr_regions || (rs + nr_regions) < rs || ++ (rs + nr_regions) > clone->nr_regions)) { ++ DMERR("%s: Invalid range (%lu + %lu, total regions %lu) for discard (%llu + %u)", ++ clone_device_name(clone), rs, nr_regions, ++ clone->nr_regions, ++ (unsigned long long)bio->bi_iter.bi_sector, ++ bio_sectors(bio)); + bio_endio(bio); + return; + } +@@ -487,7 +503,7 @@ static void process_discard_bio(struct c + * The covered regions are already hydrated so we just need to pass + * down the discard. + */ +- if (dm_clone_is_range_hydrated(clone->cmd, rs, re - rs)) { ++ if (dm_clone_is_range_hydrated(clone->cmd, rs, nr_regions)) { + complete_discard_bio(clone, bio, true); + return; + } +@@ -1169,7 +1185,7 @@ static void process_deferred_discards(st + int r = -EPERM; + struct bio *bio; + struct blk_plug plug; +- unsigned long rs, re; ++ unsigned long rs, nr_regions; + struct bio_list discards = BIO_EMPTY_LIST; + + spin_lock_irq(&clone->lock); +@@ -1185,14 +1201,13 @@ static void process_deferred_discards(st + + /* Update the metadata */ + bio_list_for_each(bio, &discards) { +- bio_region_range(clone, bio, &rs, &re); ++ bio_region_range(clone, bio, &rs, &nr_regions); + /* + * A discard request might cover regions that have been already + * hydrated. There is no need to update the metadata for these + * regions. + */ +- r = dm_clone_cond_set_range(clone->cmd, rs, re - rs); +- ++ r = dm_clone_cond_set_range(clone->cmd, rs, nr_regions); + if (unlikely(r)) + break; + } diff --git a/queue-5.6/dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch b/queue-5.6/dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch new file mode 100644 index 00000000000..3dd673e0b7c --- /dev/null +++ b/queue-5.6/dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch @@ -0,0 +1,69 @@ +From 81d5553d1288c2ec0390f02f84d71ca0f0f9f137 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Fri, 27 Mar 2020 16:01:11 +0200 +Subject: dm clone metadata: Fix return type of dm_clone_nr_of_hydrated_regions() + +From: Nikos Tsironis + +commit 81d5553d1288c2ec0390f02f84d71ca0f0f9f137 upstream. + +dm_clone_nr_of_hydrated_regions() returns the number of regions that +have been hydrated so far. In order to do so it employs bitmap_weight(). + +Until now, the return type of dm_clone_nr_of_hydrated_regions() was +unsigned long. + +Because bitmap_weight() returns an int, in case BITS_PER_LONG == 64 and +the return value of bitmap_weight() is 2^31 (the maximum allowed number +of regions for a device), the result is sign extended from 32 bits to 64 +bits and an incorrect value is displayed, in the status output of +dm-clone, as the number of hydrated regions. + +Fix this by having dm_clone_nr_of_hydrated_regions() return an unsigned +int. + +Fixes: 7431b7835f55 ("dm: add clone target") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Nikos Tsironis +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-clone-metadata.c | 2 +- + drivers/md/dm-clone-metadata.h | 2 +- + drivers/md/dm-clone-target.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-clone-metadata.c ++++ b/drivers/md/dm-clone-metadata.c +@@ -656,7 +656,7 @@ bool dm_clone_is_range_hydrated(struct d + return (bit >= (start + nr_regions)); + } + +-unsigned long dm_clone_nr_of_hydrated_regions(struct dm_clone_metadata *cmd) ++unsigned int dm_clone_nr_of_hydrated_regions(struct dm_clone_metadata *cmd) + { + return bitmap_weight(cmd->region_map, cmd->nr_regions); + } +--- a/drivers/md/dm-clone-metadata.h ++++ b/drivers/md/dm-clone-metadata.h +@@ -156,7 +156,7 @@ bool dm_clone_is_range_hydrated(struct d + /* + * Returns the number of hydrated regions. + */ +-unsigned long dm_clone_nr_of_hydrated_regions(struct dm_clone_metadata *cmd); ++unsigned int dm_clone_nr_of_hydrated_regions(struct dm_clone_metadata *cmd); + + /* + * Returns the first unhydrated region with region_nr >= @start +--- a/drivers/md/dm-clone-target.c ++++ b/drivers/md/dm-clone-target.c +@@ -1473,7 +1473,7 @@ static void clone_status(struct dm_targe + goto error; + } + +- DMEMIT("%u %llu/%llu %llu %lu/%lu %u ", ++ DMEMIT("%u %llu/%llu %llu %u/%lu %u ", + DM_CLONE_METADATA_BLOCK_SIZE, + (unsigned long long)(nr_metadata_blocks - nr_free_metadata_blocks), + (unsigned long long)nr_metadata_blocks, diff --git a/queue-5.6/dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch b/queue-5.6/dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch new file mode 100644 index 00000000000..37174e948d7 --- /dev/null +++ b/queue-5.6/dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch @@ -0,0 +1,41 @@ +From b93b6643e9b5a7f260b931e97f56ffa3fa65e26d Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Mar 2020 20:42:21 +0100 +Subject: dm integrity: fix a crash with unusually large tag size + +From: Mikulas Patocka + +commit b93b6643e9b5a7f260b931e97f56ffa3fa65e26d upstream. + +If the user specifies tag size larger than HASH_MAX_DIGESTSIZE, +there's a crash in integrity_metadata(). + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -1519,7 +1519,7 @@ static void integrity_metadata(struct wo + struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io)); + char *checksums; + unsigned extra_space = unlikely(digest_size > ic->tag_size) ? digest_size - ic->tag_size : 0; +- char checksums_onstack[HASH_MAX_DIGESTSIZE]; ++ char checksums_onstack[max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; + unsigned sectors_to_process = dio->range.n_sectors; + sector_t sector = dio->range.logical_sector; + +@@ -1748,7 +1748,7 @@ retry_kmap: + } while (++s < ic->sectors_per_block); + #ifdef INTERNAL_VERIFY + if (ic->internal_hash) { +- char checksums_onstack[max(HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; ++ char checksums_onstack[max((size_t)HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; + + integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack); + if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { diff --git a/queue-5.6/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch b/queue-5.6/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch new file mode 100644 index 00000000000..dbcf89ed1b5 --- /dev/null +++ b/queue-5.6/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch @@ -0,0 +1,57 @@ +From 75fa601934fda23d2f15bf44b09c2401942d8e15 Mon Sep 17 00:00:00 2001 +From: "Shetty, Harshini X (EXT-Sony Mobile)" +Date: Tue, 17 Mar 2020 09:15:45 +0000 +Subject: dm verity fec: fix memory leak in verity_fec_dtr + +From: Shetty, Harshini X (EXT-Sony Mobile) + +commit 75fa601934fda23d2f15bf44b09c2401942d8e15 upstream. + +Fix below kmemleak detected in verity_fec_ctr. output_pool is +allocated for each dm-verity-fec device. But it is not freed when +dm-table for the verity target is removed. Hence free the output +mempool in destructor function verity_fec_dtr. + +unreferenced object 0xffffffffa574d000 (size 4096): + comm "init", pid 1667, jiffies 4294894890 (age 307.168s) + hex dump (first 32 bytes): + 8e 36 00 98 66 a8 0b 9b 00 00 00 00 00 00 00 00 .6..f........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000060e82407>] __kmalloc+0x2b4/0x340 + [<00000000dd99488f>] mempool_kmalloc+0x18/0x20 + [<000000002560172b>] mempool_init_node+0x98/0x118 + [<000000006c3574d2>] mempool_init+0x14/0x20 + [<0000000008cb266e>] verity_fec_ctr+0x388/0x3b0 + [<000000000887261b>] verity_ctr+0x87c/0x8d0 + [<000000002b1e1c62>] dm_table_add_target+0x174/0x348 + [<000000002ad89eda>] table_load+0xe4/0x328 + [<000000001f06f5e9>] dm_ctl_ioctl+0x3b4/0x5a0 + [<00000000bee5fbb7>] do_vfs_ioctl+0x5dc/0x928 + [<00000000b475b8f5>] __arm64_sys_ioctl+0x70/0x98 + [<000000005361e2e8>] el0_svc_common+0xa0/0x158 + [<000000001374818f>] el0_svc_handler+0x6c/0x88 + [<000000003364e9f4>] el0_svc+0x8/0xc + [<000000009d84cec9>] 0xffffffffffffffff + +Fixes: a739ff3f543af ("dm verity: add support for forward error correction") +Depends-on: 6f1c819c219f7 ("dm: convert to bioset_init()/mempool_init()") +Cc: stable@vger.kernel.org +Signed-off-by: Harshini Shetty +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity-fec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -551,6 +551,7 @@ void verity_fec_dtr(struct dm_verity *v) + mempool_exit(&f->rs_pool); + mempool_exit(&f->prealloc_pool); + mempool_exit(&f->extra_pool); ++ mempool_exit(&f->output_pool); + kmem_cache_destroy(f->cache); + + if (f->data_bufio) diff --git a/queue-5.6/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch b/queue-5.6/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch new file mode 100644 index 00000000000..c16119a05c4 --- /dev/null +++ b/queue-5.6/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch @@ -0,0 +1,52 @@ +From 1edaa447d958bec24c6a79685a5790d98976fd16 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 27 Mar 2020 07:22:36 -0400 +Subject: dm writecache: add cond_resched to avoid CPU hangs + +From: Mikulas Patocka + +commit 1edaa447d958bec24c6a79685a5790d98976fd16 upstream. + +Initializing a dm-writecache device can take a long time when the +persistent memory device is large. Add cond_resched() to a few loops +to avoid warnings that the CPU is stuck. + +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -876,6 +876,7 @@ static int writecache_alloc_entries(stru + struct wc_entry *e = &wc->entries[b]; + e->index = b; + e->write_in_progress = false; ++ cond_resched(); + } + + return 0; +@@ -930,6 +931,7 @@ static void writecache_resume(struct dm_ + e->original_sector = le64_to_cpu(wme.original_sector); + e->seq_count = le64_to_cpu(wme.seq_count); + } ++ cond_resched(); + } + #endif + for (b = 0; b < wc->n_blocks; b++) { +@@ -1791,8 +1793,10 @@ static int init_memory(struct dm_writeca + pmem_assign(sb(wc)->n_blocks, cpu_to_le64(wc->n_blocks)); + pmem_assign(sb(wc)->seq_count, cpu_to_le64(0)); + +- for (b = 0; b < wc->n_blocks; b++) ++ for (b = 0; b < wc->n_blocks; b++) { + write_original_sector_seq_count(wc, &wc->entries[b], -1, -1); ++ cond_resched(); ++ } + + writecache_flush_all_metadata(wc); + writecache_commit_flushed(wc, false); diff --git a/queue-5.6/dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch b/queue-5.6/dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch new file mode 100644 index 00000000000..778d56153e4 --- /dev/null +++ b/queue-5.6/dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch @@ -0,0 +1,37 @@ +From b8fdd090376a7a46d17db316638fe54b965c2fb0 Mon Sep 17 00:00:00 2001 +From: Bob Liu +Date: Tue, 24 Mar 2020 21:22:45 +0800 +Subject: dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() + +From: Bob Liu + +commit b8fdd090376a7a46d17db316638fe54b965c2fb0 upstream. + +zmd->nr_rnd_zones was increased twice by mistake. The other place it +is increased in dmz_init_zone() is the only one needed: + +1131 zmd->nr_useable_zones++; +1132 if (dmz_is_rnd(zone)) { +1133 zmd->nr_rnd_zones++; + ^^^ +Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") +Cc: stable@vger.kernel.org +Signed-off-by: Bob Liu +Reviewed-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-zoned-metadata.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/md/dm-zoned-metadata.c ++++ b/drivers/md/dm-zoned-metadata.c +@@ -1109,7 +1109,6 @@ static int dmz_init_zone(struct blk_zone + switch (blkz->type) { + case BLK_ZONE_TYPE_CONVENTIONAL: + set_bit(DMZ_RND, &zone->flags); +- zmd->nr_rnd_zones++; + break; + case BLK_ZONE_TYPE_SEQWRITE_REQ: + case BLK_ZONE_TYPE_SEQWRITE_PREF: diff --git a/queue-5.6/drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch b/queue-5.6/drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch new file mode 100644 index 00000000000..dcc52379974 --- /dev/null +++ b/queue-5.6/drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch @@ -0,0 +1,39 @@ +From 72f5b5a308c744573fdbc6c78202c52196d2c162 Mon Sep 17 00:00:00 2001 +From: Michael Strauss +Date: Sun, 5 Apr 2020 16:41:12 -0400 +Subject: drm/amd/display: Check for null fclk voltage when parsing clock table + +From: Michael Strauss + +commit 72f5b5a308c744573fdbc6c78202c52196d2c162 upstream. + +[WHY] +In cases where a clock table is malformed such that fclk entries have +frequencies but not voltages listed, we don't catch the error and set +clocks to 0 instead of using hardcoded values as we should. + +[HOW] +Add check for clock tables fclk entry's voltage as well + +Signed-off-by: Michael Strauss +Reviewed-by: Eric Yang +Acked-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c +@@ -643,7 +643,7 @@ static void rn_clk_mgr_helper_populate_b + /* Find lowest DPM, FCLK is filled in reverse order*/ + + for (i = PP_SMU_NUM_FCLK_DPM_LEVELS - 1; i >= 0; i--) { +- if (clock_table->FClocks[i].Freq != 0) { ++ if (clock_table->FClocks[i].Freq != 0 && clock_table->FClocks[i].Vol != 0) { + j = i; + break; + } diff --git a/queue-5.6/drm-amd-powerplay-implement-the-is_dpm_running.patch b/queue-5.6/drm-amd-powerplay-implement-the-is_dpm_running.patch new file mode 100644 index 00000000000..6f6b543a40d --- /dev/null +++ b/queue-5.6/drm-amd-powerplay-implement-the-is_dpm_running.patch @@ -0,0 +1,51 @@ +From 4ee2bb22ddb53a2eafc675690d0d67452029ca37 Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Fri, 3 Apr 2020 12:26:15 +0800 +Subject: drm/amd/powerplay: implement the is_dpm_running() + +From: Prike Liang + +commit 4ee2bb22ddb53a2eafc675690d0d67452029ca37 upstream. + +As the pmfw hasn't exported the interface of SMU feature +mask to APU SKU so just force on all the features to driver +inquired interface at early initial stage. + +Signed-off-by: Prike Liang +Reviewed-by: Huang Rui +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/renoir_ppt.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/gpu/drm/amd/powerplay/renoir_ppt.c ++++ b/drivers/gpu/drm/amd/powerplay/renoir_ppt.c +@@ -887,6 +887,17 @@ static int renoir_read_sensor(struct smu + return ret; + } + ++static bool renoir_is_dpm_running(struct smu_context *smu) ++{ ++ /* ++ * Util now, the pmfw hasn't exported the interface of SMU ++ * feature mask to APU SKU so just force on all the feature ++ * at early initial stage. ++ */ ++ return true; ++ ++} ++ + static const struct pptable_funcs renoir_ppt_funcs = { + .get_smu_msg_index = renoir_get_smu_msg_index, + .get_smu_clk_index = renoir_get_smu_clk_index, +@@ -928,6 +939,7 @@ static const struct pptable_funcs renoir + .mode2_reset = smu_v12_0_mode2_reset, + .set_soft_freq_limited_range = smu_v12_0_set_soft_freq_limited_range, + .set_driver_table_location = smu_v12_0_set_driver_table_location, ++ .is_dpm_running = renoir_is_dpm_running, + }; + + void renoir_set_ppt_funcs(struct smu_context *smu) diff --git a/queue-5.6/drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch b/queue-5.6/drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch new file mode 100644 index 00000000000..5dd390b160b --- /dev/null +++ b/queue-5.6/drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch @@ -0,0 +1,66 @@ +From 022ac4c9c55be35a2d1f71019a931324c51b0dab Mon Sep 17 00:00:00 2001 +From: Yuxian Dai +Date: Wed, 1 Apr 2020 19:26:26 +0800 +Subject: drm/amdgpu/powerplay: using the FCLK DPM table to set the MCLK + +From: Yuxian Dai + +commit 022ac4c9c55be35a2d1f71019a931324c51b0dab upstream. + +1.Using the FCLK DPM table to set the MCLK for DPM states consist of +three entities: + FCLK + UCLK + MEMCLK +All these three clk change together, MEMCLK from FCLK, so use the fclk +frequency. +2.we should show the current working clock freqency from clock table metric + +Signed-off-by: Yuxian Dai +Reviewed-by: Alex Deucher +Reviewed-by: Huang Rui +Reviewed-by: Kevin Wang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/renoir_ppt.c | 6 ++++++ + drivers/gpu/drm/amd/powerplay/renoir_ppt.h | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/powerplay/renoir_ppt.c ++++ b/drivers/gpu/drm/amd/powerplay/renoir_ppt.c +@@ -240,6 +240,7 @@ static int renoir_print_clk_levels(struc + uint32_t cur_value = 0, value = 0, count = 0, min = 0, max = 0; + DpmClocks_t *clk_table = smu->smu_table.clocks_table; + SmuMetrics_t metrics; ++ bool cur_value_match_level = false; + + if (!clk_table || clk_type >= SMU_CLK_COUNT) + return -EINVAL; +@@ -298,8 +299,13 @@ static int renoir_print_clk_levels(struc + GET_DPM_CUR_FREQ(clk_table, clk_type, i, value); + size += sprintf(buf + size, "%d: %uMhz %s\n", i, value, + cur_value == value ? "*" : ""); ++ if (cur_value == value) ++ cur_value_match_level = true; + } + ++ if (!cur_value_match_level) ++ size += sprintf(buf + size, " %uMhz *\n", cur_value); ++ + return size; + } + +--- a/drivers/gpu/drm/amd/powerplay/renoir_ppt.h ++++ b/drivers/gpu/drm/amd/powerplay/renoir_ppt.h +@@ -37,7 +37,7 @@ extern void renoir_set_ppt_funcs(struct + freq = table->SocClocks[dpm_level].Freq; \ + break; \ + case SMU_MCLK: \ +- freq = table->MemClocks[dpm_level].Freq; \ ++ freq = table->FClocks[dpm_level].Freq; \ + break; \ + case SMU_DCEFCLK: \ + freq = table->DcfClocks[dpm_level].Freq; \ diff --git a/queue-5.6/drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch b/queue-5.6/drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch new file mode 100644 index 00000000000..5ab6bad04f1 --- /dev/null +++ b/queue-5.6/drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch @@ -0,0 +1,37 @@ +From 2960758cce2310774de60bbbd8d6841d436c54d9 Mon Sep 17 00:00:00 2001 +From: Aaron Liu +Date: Tue, 7 Apr 2020 17:46:04 +0800 +Subject: drm/amdgpu: unify fw_write_wait for new gfx9 asics + +From: Aaron Liu + +commit 2960758cce2310774de60bbbd8d6841d436c54d9 upstream. + +Make the fw_write_wait default case true since presumably all new +gfx9 asics will have updated firmware. That is using unique WAIT_REG_MEM +packet with opration=1. + +Signed-off-by: Aaron Liu +Tested-by: Aaron Liu +Tested-by: Yuxian Dai +Acked-by: Alex Deucher +Acked-by: Huang Rui +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1158,6 +1158,8 @@ static void gfx_v9_0_check_fw_write_wait + adev->gfx.mec_fw_write_wait = true; + break; + default: ++ adev->gfx.me_fw_write_wait = true; ++ adev->gfx.mec_fw_write_wait = true; + break; + } + } diff --git a/queue-5.6/drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch b/queue-5.6/drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch new file mode 100644 index 00000000000..298e45f1955 --- /dev/null +++ b/queue-5.6/drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch @@ -0,0 +1,47 @@ +From 3e138a63d6674a4567a018a31e467567c40b14d5 Mon Sep 17 00:00:00 2001 +From: Torsten Duwe +Date: Tue, 18 Feb 2020 16:57:44 +0100 +Subject: drm/bridge: analogix-anx78xx: Fix drm_dp_link helper removal + +From: Torsten Duwe + +commit 3e138a63d6674a4567a018a31e467567c40b14d5 upstream. + +drm_dp_link_rate_to_bw_code and ...bw_code_to_link_rate simply divide by +and multiply with 27000, respectively. Avoid an overflow in the u8 dpcd[0] +and the multiply+divide alltogether. + +Signed-off-by: Torsten Duwe +Fixes: ff1e8fb68ea0 ("drm/bridge: analogix-anx78xx: Avoid drm_dp_link helpers") +Cc: Thierry Reding +Cc: Daniel Vetter +Cc: Andrzej Hajda +Cc: Neil Armstrong +Cc: Laurent Pinchart +Cc: Jonas Karlman +Cc: Jernej Skrabec +Cc: # v5.5+ +Reviewed-by: Thierry Reding +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20200218155744.9675368BE1@verein.lst.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/bridge/analogix/analogix-anx78xx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/bridge/analogix/analogix-anx78xx.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix-anx78xx.c +@@ -722,10 +722,9 @@ static int anx78xx_dp_link_training(stru + if (err) + return err; + +- dpcd[0] = drm_dp_max_link_rate(anx78xx->dpcd); +- dpcd[0] = drm_dp_link_rate_to_bw_code(dpcd[0]); + err = regmap_write(anx78xx->map[I2C_IDX_TX_P0], +- SP_DP_MAIN_LINK_BW_SET_REG, dpcd[0]); ++ SP_DP_MAIN_LINK_BW_SET_REG, ++ anx78xx->dpcd[DP_MAX_LINK_RATE]); + if (err) + return err; + diff --git a/queue-5.6/drm-etnaviv-rework-perfmon-query-infrastructure.patch b/queue-5.6/drm-etnaviv-rework-perfmon-query-infrastructure.patch new file mode 100644 index 00000000000..ba749c5d8a3 --- /dev/null +++ b/queue-5.6/drm-etnaviv-rework-perfmon-query-infrastructure.patch @@ -0,0 +1,136 @@ +From ed1dd899baa32d47d9a93d98336472da50564346 Mon Sep 17 00:00:00 2001 +From: Christian Gmeiner +Date: Fri, 28 Feb 2020 11:37:49 +0100 +Subject: drm/etnaviv: rework perfmon query infrastructure + +From: Christian Gmeiner + +commit ed1dd899baa32d47d9a93d98336472da50564346 upstream. + +Report the correct perfmon domains and signals depending +on the supported feature flags. + +Reported-by: Dan Carpenter +Fixes: 9e2c2e273012 ("drm/etnaviv: add infrastructure to query perf counter") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Gmeiner +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_perfmon.c | 59 ++++++++++++++++++++++++++---- + 1 file changed, 52 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c +@@ -32,6 +32,7 @@ struct etnaviv_pm_domain { + }; + + struct etnaviv_pm_domain_meta { ++ unsigned int feature; + const struct etnaviv_pm_domain *domains; + u32 nr_domains; + }; +@@ -410,36 +411,78 @@ static const struct etnaviv_pm_domain do + + static const struct etnaviv_pm_domain_meta doms_meta[] = { + { ++ .feature = chipFeatures_PIPE_3D, + .nr_domains = ARRAY_SIZE(doms_3d), + .domains = &doms_3d[0] + }, + { ++ .feature = chipFeatures_PIPE_2D, + .nr_domains = ARRAY_SIZE(doms_2d), + .domains = &doms_2d[0] + }, + { ++ .feature = chipFeatures_PIPE_VG, + .nr_domains = ARRAY_SIZE(doms_vg), + .domains = &doms_vg[0] + } + }; + ++static unsigned int num_pm_domains(const struct etnaviv_gpu *gpu) ++{ ++ unsigned int num = 0, i; ++ ++ for (i = 0; i < ARRAY_SIZE(doms_meta); i++) { ++ const struct etnaviv_pm_domain_meta *meta = &doms_meta[i]; ++ ++ if (gpu->identity.features & meta->feature) ++ num += meta->nr_domains; ++ } ++ ++ return num; ++} ++ ++static const struct etnaviv_pm_domain *pm_domain(const struct etnaviv_gpu *gpu, ++ unsigned int index) ++{ ++ const struct etnaviv_pm_domain *domain = NULL; ++ unsigned int offset = 0, i; ++ ++ for (i = 0; i < ARRAY_SIZE(doms_meta); i++) { ++ const struct etnaviv_pm_domain_meta *meta = &doms_meta[i]; ++ ++ if (!(gpu->identity.features & meta->feature)) ++ continue; ++ ++ if (meta->nr_domains < (index - offset)) { ++ offset += meta->nr_domains; ++ continue; ++ } ++ ++ domain = meta->domains + (index - offset); ++ } ++ ++ return domain; ++} ++ + int etnaviv_pm_query_dom(struct etnaviv_gpu *gpu, + struct drm_etnaviv_pm_domain *domain) + { +- const struct etnaviv_pm_domain_meta *meta = &doms_meta[domain->pipe]; ++ const unsigned int nr_domains = num_pm_domains(gpu); + const struct etnaviv_pm_domain *dom; + +- if (domain->iter >= meta->nr_domains) ++ if (domain->iter >= nr_domains) + return -EINVAL; + +- dom = meta->domains + domain->iter; ++ dom = pm_domain(gpu, domain->iter); ++ if (!dom) ++ return -EINVAL; + + domain->id = domain->iter; + domain->nr_signals = dom->nr_signals; + strncpy(domain->name, dom->name, sizeof(domain->name)); + + domain->iter++; +- if (domain->iter == meta->nr_domains) ++ if (domain->iter == nr_domains) + domain->iter = 0xff; + + return 0; +@@ -448,14 +491,16 @@ int etnaviv_pm_query_dom(struct etnaviv_ + int etnaviv_pm_query_sig(struct etnaviv_gpu *gpu, + struct drm_etnaviv_pm_signal *signal) + { +- const struct etnaviv_pm_domain_meta *meta = &doms_meta[signal->pipe]; ++ const unsigned int nr_domains = num_pm_domains(gpu); + const struct etnaviv_pm_domain *dom; + const struct etnaviv_pm_signal *sig; + +- if (signal->domain >= meta->nr_domains) ++ if (signal->domain >= nr_domains) + return -EINVAL; + +- dom = meta->domains + signal->domain; ++ dom = pm_domain(gpu, signal->domain); ++ if (!dom) ++ return -EINVAL; + + if (signal->iter >= dom->nr_signals) + return -EINVAL; diff --git a/queue-5.6/drm-i915-gem-flush-all-the-reloc_gpu-batch.patch b/queue-5.6/drm-i915-gem-flush-all-the-reloc_gpu-batch.patch new file mode 100644 index 00000000000..89380145176 --- /dev/null +++ b/queue-5.6/drm-i915-gem-flush-all-the-reloc_gpu-batch.patch @@ -0,0 +1,45 @@ +From 1aaea8476d9f014667d2cb24819f9bcaf3ebb7a4 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 6 Apr 2020 12:48:21 +0100 +Subject: drm/i915/gem: Flush all the reloc_gpu batch + +From: Chris Wilson + +commit 1aaea8476d9f014667d2cb24819f9bcaf3ebb7a4 upstream. + +__i915_gem_object_flush_map() takes a byte range, so feed it the written +bytes and do not mistake the u32 index as bytes! + +Fixes: a679f58d0510 ("drm/i915: Flush pages on acquisition") +Signed-off-by: Chris Wilson +Cc: Matthew Auld +Cc: # v5.2+ +Reviewed-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20200406114821.10949-1-chris@chris-wilson.co.uk +(cherry picked from commit 30c88a47f1abd5744908d3681f54dcf823fe2a12) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +@@ -914,11 +914,13 @@ static inline struct i915_ggtt *cache_to + + static void reloc_gpu_flush(struct reloc_cache *cache) + { +- GEM_BUG_ON(cache->rq_size >= cache->rq->batch->obj->base.size / sizeof(u32)); ++ struct drm_i915_gem_object *obj = cache->rq->batch->obj; ++ ++ GEM_BUG_ON(cache->rq_size >= obj->base.size / sizeof(u32)); + cache->rq_cmd[cache->rq_size] = MI_BATCH_BUFFER_END; + +- __i915_gem_object_flush_map(cache->rq->batch->obj, 0, cache->rq_size); +- i915_gem_object_unpin_map(cache->rq->batch->obj); ++ __i915_gem_object_flush_map(obj, 0, sizeof(u32) * (cache->rq_size + 1)); ++ i915_gem_object_unpin_map(obj); + + intel_gt_chipset_flush(cache->rq->engine->gt); + diff --git a/queue-5.6/drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch b/queue-5.6/drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch new file mode 100644 index 00000000000..1e29cccf659 --- /dev/null +++ b/queue-5.6/drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch @@ -0,0 +1,52 @@ +From 98479ada421a8fd2123b98efd398a6f1379307ab Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sun, 22 Mar 2020 16:32:24 +0000 +Subject: drm/i915/gt: Treat idling as a RPS downclock event + +From: Chris Wilson + +commit 98479ada421a8fd2123b98efd398a6f1379307ab upstream. + +If we park/unpark faster than we can respond to RPS events, we never +will process a downclock event after expiring a waitboost, and thus we +will forever restart the GPU at max clocks even if the workload switches +and doesn't justify full power. + +Closes: https://gitlab.freedesktop.org/drm/intel/issues/1500 +Fixes: 3e7abf814193 ("drm/i915: Extract GT render power state management") +Signed-off-by: Chris Wilson +Cc: Andi Shyti +Cc: Lyude Paul +Reviewed-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20200322163225.28791-1-chris@chris-wilson.co.uk +Cc: # v5.5+ +(cherry picked from commit 21abf0bf168dffff1192e0f072af1dc74ae1ff0e) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gt/intel_rps.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/gpu/drm/i915/gt/intel_rps.c ++++ b/drivers/gpu/drm/i915/gt/intel_rps.c +@@ -763,6 +763,19 @@ void intel_rps_park(struct intel_rps *rp + intel_uncore_forcewake_get(rps_to_uncore(rps), FORCEWAKE_MEDIA); + rps_set(rps, rps->idle_freq, false); + intel_uncore_forcewake_put(rps_to_uncore(rps), FORCEWAKE_MEDIA); ++ ++ /* ++ * Since we will try and restart from the previously requested ++ * frequency on unparking, treat this idle point as a downclock ++ * interrupt and reduce the frequency for resume. If we park/unpark ++ * more frequently than the rps worker can run, we will not respond ++ * to any EI and never see a change in frequency. ++ * ++ * (Note we accommodate Cherryview's limitation of only using an ++ * even bin by applying it to all.) ++ */ ++ rps->cur_freq = ++ max_t(int, round_down(rps->cur_freq - 1, 2), rps->min_freq); + } + + void intel_rps_boost(struct i915_request *rq) diff --git a/queue-5.6/drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch b/queue-5.6/drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch new file mode 100644 index 00000000000..f6d845fd472 --- /dev/null +++ b/queue-5.6/drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch @@ -0,0 +1,47 @@ +From 6e8a36c13382b7165d23928caee8d91c1b301142 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 30 Mar 2020 18:22:44 +0300 +Subject: drm/i915/icl+: Don't enable DDI IO power on a TypeC port in TBT mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit 6e8a36c13382b7165d23928caee8d91c1b301142 upstream. + +The DDI IO power well must not be enabled for a TypeC port in TBT mode, +ensure this during driver loading/system resume. + +This gets rid of error messages like +[drm] *ERROR* power well DDI E TC2 IO state mismatch (refcount 1/enabled 0) + +and avoids leaking the power ref when disabling the output. + +Cc: # v5.4+ +Signed-off-by: Imre Deak +Reviewed-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20200330152244.11316-1-imre.deak@intel.com +(cherry picked from commit f77a2db27f26c3ccba0681f7e89fef083718f07f) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_ddi.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_ddi.c ++++ b/drivers/gpu/drm/i915/display/intel_ddi.c +@@ -2225,7 +2225,11 @@ static void intel_ddi_get_power_domains( + return; + + dig_port = enc_to_dig_port(encoder); +- intel_display_power_get(dev_priv, dig_port->ddi_io_power_domain); ++ ++ if (!intel_phy_is_tc(dev_priv, phy) || ++ dig_port->tc_mode != TC_PORT_TBT_ALT) ++ intel_display_power_get(dev_priv, ++ dig_port->ddi_io_power_domain); + + /* + * AUX power is only needed for (e)DP mode, and for HDMI mode on TC diff --git a/queue-5.6/drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch b/queue-5.6/drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch new file mode 100644 index 00000000000..695553e6499 --- /dev/null +++ b/queue-5.6/drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch @@ -0,0 +1,86 @@ +From c0f83d164fb8f3a2b7bc379a6c1e27d1123a9eab Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Fri, 27 Mar 2020 17:21:26 +0100 +Subject: drm/prime: fix extracting of the DMA addresses from a scatterlist + +From: Marek Szyprowski + +commit c0f83d164fb8f3a2b7bc379a6c1e27d1123a9eab upstream. + +Scatterlist elements contains both pages and DMA addresses, but one +should not assume 1:1 relation between them. The sg->length is the size +of the physical memory chunk described by the sg->page, while +sg_dma_len(sg) is the size of the DMA (IO virtual) chunk described by +the sg_dma_address(sg). + +The proper way of extracting both: pages and DMA addresses of the whole +buffer described by a scatterlist it to iterate independently over the +sg->pages/sg->length and sg_dma_address(sg)/sg_dma_len(sg) entries. + +Fixes: 42e67b479eab ("drm/prime: use dma length macro when mapping sg") +Signed-off-by: Marek Szyprowski +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20200327162126.29705-1-m.szyprowski@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_prime.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/drm_prime.c ++++ b/drivers/gpu/drm/drm_prime.c +@@ -962,27 +962,40 @@ int drm_prime_sg_to_page_addr_arrays(str + unsigned count; + struct scatterlist *sg; + struct page *page; +- u32 len, index; ++ u32 page_len, page_index; + dma_addr_t addr; ++ u32 dma_len, dma_index; + +- index = 0; ++ /* ++ * Scatterlist elements contains both pages and DMA addresses, but ++ * one shoud not assume 1:1 relation between them. The sg->length is ++ * the size of the physical memory chunk described by the sg->page, ++ * while sg_dma_len(sg) is the size of the DMA (IO virtual) chunk ++ * described by the sg_dma_address(sg). ++ */ ++ page_index = 0; ++ dma_index = 0; + for_each_sg(sgt->sgl, sg, sgt->nents, count) { +- len = sg_dma_len(sg); ++ page_len = sg->length; + page = sg_page(sg); ++ dma_len = sg_dma_len(sg); + addr = sg_dma_address(sg); + +- while (len > 0) { +- if (WARN_ON(index >= max_entries)) ++ while (pages && page_len > 0) { ++ if (WARN_ON(page_index >= max_entries)) + return -1; +- if (pages) +- pages[index] = page; +- if (addrs) +- addrs[index] = addr; +- ++ pages[page_index] = page; + page++; ++ page_len -= PAGE_SIZE; ++ page_index++; ++ } ++ while (addrs && dma_len > 0) { ++ if (WARN_ON(dma_index >= max_entries)) ++ return -1; ++ addrs[dma_index] = addr; + addr += PAGE_SIZE; +- len -= PAGE_SIZE; +- index++; ++ dma_len -= PAGE_SIZE; ++ dma_index++; + } + } + return 0; diff --git a/queue-5.6/drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch b/queue-5.6/drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch new file mode 100644 index 00000000000..4a097fd8cc1 --- /dev/null +++ b/queue-5.6/drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch @@ -0,0 +1,92 @@ +From ea36ec8623f56791c6ff6738d0509b7920f85220 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sun, 2 Feb 2020 17:16:31 +0000 +Subject: drm: Remove PageReserved manipulation from drm_pci_alloc + +From: Chris Wilson + +commit ea36ec8623f56791c6ff6738d0509b7920f85220 upstream. + +drm_pci_alloc/drm_pci_free are very thin wrappers around the core dma +facilities, and we have no special reason within the drm layer to behave +differently. In particular, since + +commit de09d31dd38a50fdce106c15abd68432eebbd014 +Author: Kirill A. Shutemov +Date: Fri Jan 15 16:51:42 2016 -0800 + + page-flags: define PG_reserved behavior on compound pages + + As far as I can see there's no users of PG_reserved on compound pages. + Let's use PF_NO_COMPOUND here. + +it has been illegal to combine GFP_COMP with SetPageReserved, so lets +stop doing both and leave the dma layer to its own devices. + +Reported-by: Taketo Kabe +Bug: https://gitlab.freedesktop.org/drm/intel/issues/1027 +Fixes: de09d31dd38a ("page-flags: define PG_reserved behavior on compound pages") +Signed-off-by: Chris Wilson +Cc: # v4.5+ +Reviewed-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20200202171635.4039044-1-chris@chris-wilson.co.uk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_pci.c | 23 ++--------------------- + 1 file changed, 2 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/drm_pci.c ++++ b/drivers/gpu/drm/drm_pci.c +@@ -51,8 +51,6 @@ + drm_dma_handle_t *drm_pci_alloc(struct drm_device * dev, size_t size, size_t align) + { + drm_dma_handle_t *dmah; +- unsigned long addr; +- size_t sz; + + /* pci_alloc_consistent only guarantees alignment to the smallest + * PAGE_SIZE order which is greater than or equal to the requested size. +@@ -68,20 +66,13 @@ drm_dma_handle_t *drm_pci_alloc(struct d + dmah->size = size; + dmah->vaddr = dma_alloc_coherent(&dev->pdev->dev, size, + &dmah->busaddr, +- GFP_KERNEL | __GFP_COMP); ++ GFP_KERNEL); + + if (dmah->vaddr == NULL) { + kfree(dmah); + return NULL; + } + +- /* XXX - Is virt_to_page() legal for consistent mem? */ +- /* Reserve */ +- for (addr = (unsigned long)dmah->vaddr, sz = size; +- sz > 0; addr += PAGE_SIZE, sz -= PAGE_SIZE) { +- SetPageReserved(virt_to_page((void *)addr)); +- } +- + return dmah; + } + +@@ -94,19 +85,9 @@ EXPORT_SYMBOL(drm_pci_alloc); + */ + void __drm_legacy_pci_free(struct drm_device * dev, drm_dma_handle_t * dmah) + { +- unsigned long addr; +- size_t sz; +- +- if (dmah->vaddr) { +- /* XXX - Is virt_to_page() legal for consistent mem? */ +- /* Unreserve */ +- for (addr = (unsigned long)dmah->vaddr, sz = dmah->size; +- sz > 0; addr += PAGE_SIZE, sz -= PAGE_SIZE) { +- ClearPageReserved(virt_to_page((void *)addr)); +- } ++ if (dmah->vaddr) + dma_free_coherent(&dev->pdev->dev, dmah->size, dmah->vaddr, + dmah->busaddr); +- } + } + + /** diff --git a/queue-5.6/drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch b/queue-5.6/drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch new file mode 100644 index 00000000000..5aa13605d78 --- /dev/null +++ b/queue-5.6/drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch @@ -0,0 +1,53 @@ +From a65a97b48694d34248195eb89bf3687403261056 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 25 Mar 2020 15:43:10 +0100 +Subject: drm/vboxvideo: Add missing remove_conflicting_pci_framebuffers call, v2 + +From: Hans de Goede + +commit a65a97b48694d34248195eb89bf3687403261056 upstream. + +The vboxvideo driver is missing a call to remove conflicting framebuffers. + +Surprisingly, when using legacy BIOS booting this does not really cause +any issues. But when using UEFI to boot the VM then plymouth will draw +on both the efifb /dev/fb0 and /dev/drm/card0 (which has registered +/dev/fb1 as fbdev emulation). + +VirtualBox will actual display the output of both devices (I guess it is +showing whatever was drawn last), this causes weird artifacts because of +pitch issues in the efifb when the VM window is not sized at 1024x768 +(the window will resize to its last size once the vboxvideo driver loads, +changing the pitch). + +Adding the missing drm_fb_helper_remove_conflicting_pci_framebuffers() +call fixes this. + +Changes in v2: +-Make the drm_fb_helper_remove_conflicting_pci_framebuffers() call one of + the first things we do in our probe() method + +Cc: stable@vger.kernel.org +Fixes: 2695eae1f6d3 ("drm/vboxvideo: Switch to generic fbdev emulation") +Signed-off-by: Hans de Goede +Reviewed-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200325144310.36779-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vboxvideo/vbox_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/vboxvideo/vbox_drv.c ++++ b/drivers/gpu/drm/vboxvideo/vbox_drv.c +@@ -41,6 +41,10 @@ static int vbox_pci_probe(struct pci_dev + if (!vbox_check_supported(VBE_DISPI_ID_HGSMI)) + return -ENODEV; + ++ ret = drm_fb_helper_remove_conflicting_pci_framebuffers(pdev, "vboxvideodrmfb"); ++ if (ret) ++ return ret; ++ + vbox = kzalloc(sizeof(*vbox), GFP_KERNEL); + if (!vbox) + return -ENOMEM; diff --git a/queue-5.6/ext4-fix-a-data-race-at-inode-i_blocks.patch b/queue-5.6/ext4-fix-a-data-race-at-inode-i_blocks.patch new file mode 100644 index 00000000000..dbfaf70bd99 --- /dev/null +++ b/queue-5.6/ext4-fix-a-data-race-at-inode-i_blocks.patch @@ -0,0 +1,90 @@ +From 28936b62e71e41600bab319f262ea9f9b1027629 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 21 Feb 2020 23:32:58 -0500 +Subject: ext4: fix a data race at inode->i_blocks + +From: Qian Cai + +commit 28936b62e71e41600bab319f262ea9f9b1027629 upstream. + +inode->i_blocks could be accessed concurrently as noticed by KCSAN, + + BUG: KCSAN: data-race in ext4_do_update_inode [ext4] / inode_add_bytes + + write to 0xffff9a00d4b982d0 of 8 bytes by task 22100 on cpu 118: + inode_add_bytes+0x65/0xf0 + __inode_add_bytes at fs/stat.c:689 + (inlined by) inode_add_bytes at fs/stat.c:702 + ext4_mb_new_blocks+0x418/0xca0 [ext4] + ext4_ext_map_blocks+0x1a6b/0x27b0 [ext4] + ext4_map_blocks+0x1a9/0x950 [ext4] + _ext4_get_block+0xfc/0x270 [ext4] + ext4_get_block_unwritten+0x33/0x50 [ext4] + __block_write_begin_int+0x22e/0xae0 + __block_write_begin+0x39/0x50 + ext4_write_begin+0x388/0xb50 [ext4] + ext4_da_write_begin+0x35f/0x8f0 [ext4] + generic_perform_write+0x15d/0x290 + ext4_buffered_write_iter+0x11f/0x210 [ext4] + ext4_file_write_iter+0xce/0x9e0 [ext4] + new_sync_write+0x29c/0x3b0 + __vfs_write+0x92/0xa0 + vfs_write+0x103/0x260 + ksys_write+0x9d/0x130 + __x64_sys_write+0x4c/0x60 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffff9a00d4b982d0 of 8 bytes by task 8 on cpu 65: + ext4_do_update_inode+0x4a0/0xf60 [ext4] + ext4_inode_blocks_set at fs/ext4/inode.c:4815 + ext4_mark_iloc_dirty+0xaf/0x160 [ext4] + ext4_mark_inode_dirty+0x129/0x3e0 [ext4] + ext4_convert_unwritten_extents+0x253/0x2d0 [ext4] + ext4_convert_unwritten_io_end_vec+0xc5/0x150 [ext4] + ext4_end_io_rsv_work+0x22c/0x350 [ext4] + process_one_work+0x54f/0xb90 + worker_thread+0x80/0x5f0 + kthread+0x1cd/0x1f0 + ret_from_fork+0x27/0x50 + + 4 locks held by kworker/u256:0/8: + #0: ffff9a025abc4328 ((wq_completion)ext4-rsv-conversion){+.+.}, at: process_one_work+0x443/0xb90 + #1: ffffab5a862dbe20 ((work_completion)(&ei->i_rsv_conversion_work)){+.+.}, at: process_one_work+0x443/0xb90 + #2: ffff9a025a9d0f58 (jbd2_handle){++++}, at: start_this_handle+0x1c1/0x9d0 [jbd2] + #3: ffff9a00d4b985d8 (&(&ei->i_raw_lock)->rlock){+.+.}, at: ext4_do_update_inode+0xaa/0xf60 [ext4] + irq event stamp: 3009267 + hardirqs last enabled at (3009267): [] __find_get_block+0x107/0x790 + hardirqs last disabled at (3009266): [] __find_get_block+0x49/0x790 + softirqs last enabled at (3009230): [] __do_softirq+0x34c/0x57c + softirqs last disabled at (3009223): [] irq_exit+0xa2/0xc0 + + Reported by Kernel Concurrency Sanitizer on: + CPU: 65 PID: 8 Comm: kworker/u256:0 Tainted: G L 5.6.0-rc2-next-20200221+ #7 + Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019 + Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work [ext4] + +The plain read is outside of inode->i_lock critical section which +results in a data race. Fix it by adding READ_ONCE() there. + +Link: https://lore.kernel.org/r/20200222043258.2279-1-cai@lca.pw +Signed-off-by: Qian Cai +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4812,7 +4812,7 @@ static int ext4_inode_blocks_set(handle_ + struct ext4_inode_info *ei) + { + struct inode *inode = &(ei->vfs_inode); +- u64 i_blocks = inode->i_blocks; ++ u64 i_blocks = READ_ONCE(inode->i_blocks); + struct super_block *sb = inode->i_sb; + + if (i_blocks <= ~0U) { diff --git a/queue-5.6/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch b/queue-5.6/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch new file mode 100644 index 00000000000..a7cc028077f --- /dev/null +++ b/queue-5.6/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch @@ -0,0 +1,55 @@ +From 26c5d78c976ca298e59a56f6101a97b618ba3539 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 10 Apr 2020 14:33:47 -0700 +Subject: fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once() + +From: Eric Biggers + +commit 26c5d78c976ca298e59a56f6101a97b618ba3539 upstream. + +After request_module(), nothing is stopping the module from being +unloaded until someone takes a reference to it via try_get_module(). + +The WARN_ONCE() in get_fs_type() is thus user-reachable, via userspace +running 'rmmod' concurrently. + +Since WARN_ONCE() is for kernel bugs only, not for user-reachable +situations, downgrade this warning to pr_warn_once(). + +Keep it printed once only, since the intent of this warning is to detect +a bug in modprobe at boot time. Printing the warning more than once +wouldn't really provide any useful extra information. + +Fixes: 41124db869b7 ("fs: warn in case userspace lied about modprobe return") +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Reviewed-by: Jessica Yu +Cc: Alexei Starovoitov +Cc: Greg Kroah-Hartman +Cc: Jeff Vander Stoep +Cc: Jessica Yu +Cc: Kees Cook +Cc: Luis Chamberlain +Cc: NeilBrown +Cc: [4.13+] +Link: http://lkml.kernel.org/r/20200312202552.241885-3-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/filesystems.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/filesystems.c ++++ b/fs/filesystems.c +@@ -272,7 +272,9 @@ struct file_system_type *get_fs_type(con + fs = __get_fs_type(name, len); + if (!fs && (request_module("fs-%.*s", len, name) == 0)) { + fs = __get_fs_type(name, len); +- WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name); ++ if (!fs) ++ pr_warn_once("request_module fs-%.*s succeeded, but still no fs?\n", ++ len, name); + } + + if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { diff --git a/queue-5.6/ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch b/queue-5.6/ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch new file mode 100644 index 00000000000..6978cf0cb26 --- /dev/null +++ b/queue-5.6/ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch @@ -0,0 +1,38 @@ +From 6a13a0d7b4d1171ef9b80ad69abc37e1daa941b3 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Tue, 24 Mar 2020 16:34:48 +0900 +Subject: ftrace/kprobe: Show the maxactive number on kprobe_events + +From: Masami Hiramatsu + +commit 6a13a0d7b4d1171ef9b80ad69abc37e1daa941b3 upstream. + +Show maxactive parameter on kprobe_events. +This allows user to save the current configuration and +restore it without losing maxactive parameter. + +Link: http://lkml.kernel.org/r/4762764a-6df7-bc93-ed60-e336146dce1f@gmail.com +Link: http://lkml.kernel.org/r/158503528846.22706.5549974121212526020.stgit@devnote2 + +Cc: stable@vger.kernel.org +Fixes: 696ced4fb1d76 ("tracing/kprobes: expose maxactive for kretprobe in kprobe_events") +Reported-by: Taeung Song +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_kprobe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1078,6 +1078,8 @@ static int trace_kprobe_show(struct seq_ + int i; + + seq_putc(m, trace_kprobe_is_return(tk) ? 'r' : 'p'); ++ if (trace_kprobe_is_return(tk) && tk->rp.maxactive) ++ seq_printf(m, "%d", tk->rp.maxactive); + seq_printf(m, ":%s/%s", trace_probe_group_name(&tk->tp), + trace_probe_name(&tk->tp)); + diff --git a/queue-5.6/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch b/queue-5.6/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch new file mode 100644 index 00000000000..822fc5300d2 --- /dev/null +++ b/queue-5.6/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch @@ -0,0 +1,52 @@ +From 25efb2ffdf991177e740b2f63e92b4ec7d310a92 Mon Sep 17 00:00:00 2001 +From: Simon Gander +Date: Fri, 10 Apr 2020 14:32:16 -0700 +Subject: hfsplus: fix crash and filesystem corruption when deleting files + +From: Simon Gander + +commit 25efb2ffdf991177e740b2f63e92b4ec7d310a92 upstream. + +When removing files containing extended attributes, the hfsplus driver may +remove the wrong entries from the attributes b-tree, causing major +filesystem damage and in some cases even kernel crashes. + +To remove a file, all its extended attributes have to be removed as well. +The driver does this by looking up all keys in the attributes b-tree with +the cnid of the file. Each of these entries then gets deleted using the +key used for searching, which doesn't contain the attribute's name when it +should. Since the key doesn't contain the name, the deletion routine will +not find the correct entry and instead remove the one in front of it. If +parent nodes have to be modified, these become corrupt as well. This +causes invalid links and unsorted entries that not even macOS's fsck_hfs +is able to fix. + +To fix this, modify the search key before an entry is deleted from the +attributes b-tree by copying the found entry's key into the search key, +therefore ensuring that the correct entry gets removed from the tree. + +Signed-off-by: Simon Gander +Signed-off-by: Andrew Morton +Reviewed-by: Anton Altaparmakov +Cc: +Link: http://lkml.kernel.org/r/20200327155541.1521-1-simon@tuxera.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfsplus/attributes.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/hfsplus/attributes.c ++++ b/fs/hfsplus/attributes.c +@@ -292,6 +292,10 @@ static int __hfsplus_delete_attr(struct + return -ENOENT; + } + ++ /* Avoid btree corruption */ ++ hfs_bnode_read(fd->bnode, fd->search_key, ++ fd->keyoffset, fd->keylength); ++ + err = hfs_brec_remove(fd); + if (err) + return err; diff --git a/queue-5.6/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch b/queue-5.6/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch new file mode 100644 index 00000000000..6027ad0f688 --- /dev/null +++ b/queue-5.6/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch @@ -0,0 +1,52 @@ +From ebc68cedec4aead47d8d11623d013cca9bf8e825 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 1 Apr 2020 13:23:06 -0700 +Subject: Input: i8042 - add Acer Aspire 5738z to nomux list + +From: Hans de Goede + +commit ebc68cedec4aead47d8d11623d013cca9bf8e825 upstream. + +The Acer Aspire 5738z has a button to disable (and re-enable) the +touchpad next to the touchpad. + +When this button is pressed a LED underneath indicates that the touchpad +is disabled (and an event is send to userspace and GNOME shows its +touchpad enabled / disable OSD thingie). + +So far so good, but after re-enabling the touchpad it no longer works. + +The laptop does not have an external ps2 port, so mux mode is not needed +and disabling mux mode fixes the touchpad no longer working after toggling +it off and back on again, so lets add this laptop model to the nomux list. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200331123947.318908-1-hdegoede@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -530,6 +530,17 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), + }, + }, ++ { ++ /* ++ * Acer Aspire 5738z ++ * Touchpad stops working in mux mode when dis- + re-enabled ++ * with the touchpad enable/disable toggle hotkey ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738"), ++ }, ++ }, + { } + }; + diff --git a/queue-5.6/ipmi-fix-hung-processes-in-__get_guid.patch b/queue-5.6/ipmi-fix-hung-processes-in-__get_guid.patch new file mode 100644 index 00000000000..82fafcec529 --- /dev/null +++ b/queue-5.6/ipmi-fix-hung-processes-in-__get_guid.patch @@ -0,0 +1,68 @@ +From 32830a0534700f86366f371b150b17f0f0d140d7 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 3 Apr 2020 17:04:08 +0800 +Subject: ipmi: fix hung processes in __get_guid() + +From: Wen Yang + +commit 32830a0534700f86366f371b150b17f0f0d140d7 upstream. + +The wait_event() function is used to detect command completion. +When send_guid_cmd() returns an error, smi_send() has not been +called to send data. Therefore, wait_event() should not be used +on the error path, otherwise it will cause the following warning: + +[ 1361.588808] systemd-udevd D 0 1501 1436 0x00000004 +[ 1361.588813] ffff883f4b1298c0 0000000000000000 ffff883f4b188000 ffff887f7e3d9f40 +[ 1361.677952] ffff887f64bd4280 ffffc90037297a68 ffffffff8173ca3b ffffc90000000010 +[ 1361.767077] 00ffc90037297ad0 ffff887f7e3d9f40 0000000000000286 ffff883f4b188000 +[ 1361.856199] Call Trace: +[ 1361.885578] [] ? __schedule+0x23b/0x780 +[ 1361.951406] [] schedule+0x36/0x80 +[ 1362.010979] [] get_guid+0x118/0x150 [ipmi_msghandler] +[ 1362.091281] [] ? prepare_to_wait_event+0x100/0x100 +[ 1362.168533] [] ipmi_register_smi+0x405/0x940 [ipmi_msghandler] +[ 1362.258337] [] try_smi_init+0x529/0x950 [ipmi_si] +[ 1362.334521] [] ? std_irq_setup+0xd0/0xd0 [ipmi_si] +[ 1362.411701] [] init_ipmi_si+0x492/0x9e0 [ipmi_si] +[ 1362.487917] [] ? ipmi_pci_probe+0x280/0x280 [ipmi_si] +[ 1362.568219] [] do_one_initcall+0x50/0x180 +[ 1362.636109] [] ? kmem_cache_alloc_trace+0x142/0x190 +[ 1362.714330] [] do_init_module+0x5f/0x200 +[ 1362.781208] [] load_module+0x1898/0x1de0 +[ 1362.848069] [] ? __symbol_put+0x60/0x60 +[ 1362.913886] [] ? security_kernel_post_read_file+0x6b/0x80 +[ 1362.998514] [] SYSC_finit_module+0xe5/0x120 +[ 1363.068463] [] ? SYSC_finit_module+0xe5/0x120 +[ 1363.140513] [] SyS_finit_module+0xe/0x10 +[ 1363.207364] [] do_syscall_64+0x74/0x180 + +Fixes: 50c812b2b951 ("[PATCH] ipmi: add full sysfs support") +Signed-off-by: Wen Yang +Cc: Corey Minyard +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: openipmi-developer@lists.sourceforge.net +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 2.6.17- +Message-Id: <20200403090408.58745-1-wenyang@linux.alibaba.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_msghandler.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -3188,8 +3188,8 @@ static void __get_guid(struct ipmi_smi * + if (rv) + /* Send failed, no GUID available. */ + bmc->dyn_guid_set = 0; +- +- wait_event(intf->waitq, bmc->dyn_guid_set != 2); ++ else ++ wait_event(intf->waitq, bmc->dyn_guid_set != 2); + + /* dyn_guid_set makes the guid data available. */ + smp_rmb(); diff --git a/queue-5.6/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch b/queue-5.6/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch new file mode 100644 index 00000000000..9533e0571bd --- /dev/null +++ b/queue-5.6/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch @@ -0,0 +1,108 @@ +From d7d27cfc5cf0766a26a8f56868c5ad5434735126 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 10 Apr 2020 14:33:43 -0700 +Subject: kmod: make request_module() return an error when autoloading is disabled + +From: Eric Biggers + +commit d7d27cfc5cf0766a26a8f56868c5ad5434735126 upstream. + +Patch series "module autoloading fixes and cleanups", v5. + +This series fixes a bug where request_module() was reporting success to +kernel code when module autoloading had been completely disabled via +'echo > /proc/sys/kernel/modprobe'. + +It also addresses the issues raised on the original thread +(https://lkml.kernel.org/lkml/20200310223731.126894-1-ebiggers@kernel.org/T/#u) +bydocumenting the modprobe sysctl, adding a self-test for the empty path +case, and downgrading a user-reachable WARN_ONCE(). + +This patch (of 4): + +It's long been possible to disable kernel module autoloading completely +(while still allowing manual module insertion) by setting +/proc/sys/kernel/modprobe to the empty string. + +This can be preferable to setting it to a nonexistent file since it +avoids the overhead of an attempted execve(), avoids potential +deadlocks, and avoids the call to security_kernel_module_request() and +thus on SELinux-based systems eliminates the need to write SELinux rules +to dontaudit module_request. + +However, when module autoloading is disabled in this way, +request_module() returns 0. This is broken because callers expect 0 to +mean that the module was successfully loaded. + +Apparently this was never noticed because this method of disabling +module autoloading isn't used much, and also most callers don't use the +return value of request_module() since it's always necessary to check +whether the module registered its functionality or not anyway. + +But improperly returning 0 can indeed confuse a few callers, for example +get_fs_type() in fs/filesystems.c where it causes a WARNING to be hit: + + if (!fs && (request_module("fs-%.*s", len, name) == 0)) { + fs = __get_fs_type(name, len); + WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name); + } + +This is easily reproduced with: + + echo > /proc/sys/kernel/modprobe + mount -t NONEXISTENT none / + +It causes: + + request_module fs-NONEXISTENT succeeded, but still no fs? + WARNING: CPU: 1 PID: 1106 at fs/filesystems.c:275 get_fs_type+0xd6/0xf0 + [...] + +This should actually use pr_warn_once() rather than WARN_ONCE(), since +it's also user-reachable if userspace immediately unloads the module. +Regardless, request_module() should correctly return an error when it +fails. So let's make it return -ENOENT, which matches the error when +the modprobe binary doesn't exist. + +I've also sent patches to document and test this case. + +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Reviewed-by: Kees Cook +Reviewed-by: Jessica Yu +Acked-by: Luis Chamberlain +Cc: Alexei Starovoitov +Cc: Greg Kroah-Hartman +Cc: Jeff Vander Stoep +Cc: Ben Hutchings +Cc: Josh Triplett +Cc: +Link: http://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org +Link: http://lkml.kernel.org/r/20200312202552.241885-1-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kmod.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/kmod.c ++++ b/kernel/kmod.c +@@ -120,7 +120,7 @@ out: + * invoke it. + * + * If module auto-loading support is disabled then this function +- * becomes a no-operation. ++ * simply returns -ENOENT. + */ + int __request_module(bool wait, const char *fmt, ...) + { +@@ -137,7 +137,7 @@ int __request_module(bool wait, const ch + WARN_ON_ONCE(wait && current_is_async()); + + if (!modprobe_path[0]) +- return 0; ++ return -ENOENT; + + va_start(args, fmt); + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); diff --git a/queue-5.6/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch b/queue-5.6/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch new file mode 100644 index 00000000000..a22782bb3c7 --- /dev/null +++ b/queue-5.6/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch @@ -0,0 +1,74 @@ +From 8305f72f952cff21ce8109dc1ea4b321c8efc5af Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 27 Mar 2019 17:02:54 +0800 +Subject: libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set + +From: Kai-Heng Feng + +commit 8305f72f952cff21ce8109dc1ea4b321c8efc5af upstream. + +During system resume from suspend, this can be observed on ASM1062 PMP +controller: + +ata10.01: SATA link down (SStatus 0 SControl 330) +ata10.02: hard resetting link +ata10.02: SATA link down (SStatus 0 SControl 330) +ata10.00: configured for UDMA/133 +Kernel panic - not syncing: stack-protector: Kernel + in: sata_pmp_eh_recover+0xa2b/0xa40 + +CPU: 2 PID: 230 Comm: scsi_eh_9 Tainted: P OE +#49-Ubuntu +Hardware name: System manufacturer System Product + 1001 12/10/2017 +Call Trace: +dump_stack+0x63/0x8b +panic+0xe4/0x244 +? sata_pmp_eh_recover+0xa2b/0xa40 +__stack_chk_fail+0x19/0x20 +sata_pmp_eh_recover+0xa2b/0xa40 +? ahci_do_softreset+0x260/0x260 [libahci] +? ahci_do_hardreset+0x140/0x140 [libahci] +? ata_phys_link_offline+0x60/0x60 +? ahci_stop_engine+0xc0/0xc0 [libahci] +sata_pmp_error_handler+0x22/0x30 +ahci_error_handler+0x45/0x80 [libahci] +ata_scsi_port_error_handler+0x29b/0x770 +? ata_scsi_cmd_error_handler+0x101/0x140 +ata_scsi_error+0x95/0xd0 +? scsi_try_target_reset+0x90/0x90 +scsi_error_handler+0xd0/0x5b0 +kthread+0x121/0x140 +? scsi_eh_get_sense+0x200/0x200 +? kthread_create_worker_on_cpu+0x70/0x70 +ret_from_fork+0x22/0x40 +Kernel Offset: 0xcc00000 from 0xffffffff81000000 +(relocation range: 0xffffffff80000000-0xffffffffbfffffff) + +Since sata_pmp_eh_recover_pmp() doens't set rc when ATA_DFLAG_DETACH is +set, sata_pmp_eh_recover() continues to run. During retry it triggers +the stack protector. + +Set correct rc in sata_pmp_eh_recover_pmp() to let sata_pmp_eh_recover() +jump to pmp_fail directly. + +BugLink: https://bugs.launchpad.net/bugs/1821434 +Cc: stable@vger.kernel.org +Signed-off-by: Kai-Heng Feng +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-pmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/libata-pmp.c ++++ b/drivers/ata/libata-pmp.c +@@ -763,6 +763,7 @@ static int sata_pmp_eh_recover_pmp(struc + + if (dev->flags & ATA_DFLAG_DETACH) { + detach = 1; ++ rc = -ENODEV; + goto fail; + } + diff --git a/queue-5.6/nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch b/queue-5.6/nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch new file mode 100644 index 00000000000..ad77a36edcc --- /dev/null +++ b/queue-5.6/nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch @@ -0,0 +1,63 @@ +From 75da98586af75eb80664714a67a9895bf0a5517e Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 2 Apr 2020 10:34:36 -0400 +Subject: NFS: finish_automount() requires us to hold 2 refs to the mount record + +From: Trond Myklebust + +commit 75da98586af75eb80664714a67a9895bf0a5517e upstream. + +We must not return from nfs_d_automount() without holding 2 references +to the mount record. Doing so, will trigger the BUG() in finish_automount(). +Also ensure that we don't try to reschedule the automount timer with +a negative or zero timeout value. + +Fixes: 22a1ae9a93fb ("NFS: If nfs_mountpoint_expiry_timeout < 0, do not expire submounts") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/namespace.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -145,6 +145,7 @@ struct vfsmount *nfs_d_automount(struct + struct vfsmount *mnt = ERR_PTR(-ENOMEM); + struct nfs_server *server = NFS_SERVER(d_inode(path->dentry)); + struct nfs_client *client = server->nfs_client; ++ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + int ret; + + if (IS_ROOT(path->dentry)) +@@ -190,12 +191,12 @@ struct vfsmount *nfs_d_automount(struct + if (IS_ERR(mnt)) + goto out_fc; + +- if (nfs_mountpoint_expiry_timeout < 0) ++ mntget(mnt); /* prevent immediate expiration */ ++ if (timeout <= 0) + goto out_fc; + +- mntget(mnt); /* prevent immediate expiration */ + mnt_set_expiry(mnt, &nfs_automount_list); +- schedule_delayed_work(&nfs_automount_task, nfs_mountpoint_expiry_timeout); ++ schedule_delayed_work(&nfs_automount_task, timeout); + + out_fc: + put_fs_context(fc); +@@ -233,10 +234,11 @@ const struct inode_operations nfs_referr + static void nfs_expire_automounts(struct work_struct *work) + { + struct list_head *list = &nfs_automount_list; ++ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + + mark_mounts_for_expiry(list); +- if (!list_empty(list)) +- schedule_delayed_work(&nfs_automount_task, nfs_mountpoint_expiry_timeout); ++ if (!list_empty(list) && timeout > 0) ++ schedule_delayed_work(&nfs_automount_task, timeout); + } + + void nfs_release_automount_timer(void) diff --git a/queue-5.6/nfs-fix-a-few-constant_table-array-definitions.patch b/queue-5.6/nfs-fix-a-few-constant_table-array-definitions.patch new file mode 100644 index 00000000000..bda15dcc343 --- /dev/null +++ b/queue-5.6/nfs-fix-a-few-constant_table-array-definitions.patch @@ -0,0 +1,58 @@ +From 529af90576cfa44aa107e9876e2ebaa053983986 Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Thu, 2 Apr 2020 17:20:44 -0400 +Subject: NFS: Fix a few constant_table array definitions + +From: Scott Mayhew + +commit 529af90576cfa44aa107e9876e2ebaa053983986 upstream. + +nfs_vers_tokens, nfs_xprt_protocol_tokens, and nfs_secflavor_tokens were +all missing an empty item at the end of the array, allowing +lookup_constant() to potentially walk off the end and trigger and oops. + +Reported-by: Olga Kornievskaia +Signed-off-by: Scott Mayhew +Fixes: e38bb238ed8c ("NFS: Convert mount option parsing to use functionality from fs_parser.h") +Cc: stable@vger.kernel.org # v5.6 +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/fs_context.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/nfs/fs_context.c ++++ b/fs/nfs/fs_context.c +@@ -190,6 +190,7 @@ static const struct constant_table nfs_v + { "4.0", Opt_vers_4_0 }, + { "4.1", Opt_vers_4_1 }, + { "4.2", Opt_vers_4_2 }, ++ {} + }; + + enum { +@@ -202,13 +203,14 @@ enum { + nr__Opt_xprt + }; + +-static const struct constant_table nfs_xprt_protocol_tokens[nr__Opt_xprt] = { ++static const struct constant_table nfs_xprt_protocol_tokens[] = { + { "rdma", Opt_xprt_rdma }, + { "rdma6", Opt_xprt_rdma6 }, + { "tcp", Opt_xprt_tcp }, + { "tcp6", Opt_xprt_tcp6 }, + { "udp", Opt_xprt_udp }, + { "udp6", Opt_xprt_udp6 }, ++ {} + }; + + enum { +@@ -239,6 +241,7 @@ static const struct constant_table nfs_s + { "spkm3i", Opt_sec_spkmi }, + { "spkm3p", Opt_sec_spkmp }, + { "sys", Opt_sec_sys }, ++ {} + }; + + /* diff --git a/queue-5.6/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch b/queue-5.6/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch new file mode 100644 index 00000000000..e2de084bc3a --- /dev/null +++ b/queue-5.6/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch @@ -0,0 +1,31 @@ +From add42de31721fa29ed77a7ce388674d69f9d31a4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 1 Apr 2020 10:07:16 -0400 +Subject: NFS: Fix a page leak in nfs_destroy_unlinked_subrequests() + +From: Trond Myklebust + +commit add42de31721fa29ed77a7ce388674d69f9d31a4 upstream. + +When we detach a subrequest from the list, we must also release the +reference it holds to the parent. + +Fixes: 5b2b5187fa85 ("NFS: Fix nfs_page_group_destroy() and nfs_lock_and_join_requests() race cases") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -444,6 +444,7 @@ nfs_destroy_unlinked_subrequests(struct + } + + subreq->wb_head = subreq; ++ nfs_release_request(old_head); + + if (test_and_clear_bit(PG_INODE_REF, &subreq->wb_flags)) { + nfs_release_request(subreq); diff --git a/queue-5.6/nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch b/queue-5.6/nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch new file mode 100644 index 00000000000..bd84480b926 --- /dev/null +++ b/queue-5.6/nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch @@ -0,0 +1,88 @@ +From dc9dc2febb17f72e9878eb540ad3996f7984239a Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 29 Mar 2020 19:55:05 -0400 +Subject: NFS: Fix use-after-free issues in nfs_pageio_add_request() + +From: Trond Myklebust + +commit dc9dc2febb17f72e9878eb540ad3996f7984239a upstream. + +We need to ensure that we create the mirror requests before calling +nfs_pageio_add_request_mirror() on the request we are adding. +Otherwise, we can end up with a use-after-free if the call to +nfs_pageio_add_request_mirror() triggers I/O. + +Fixes: c917cfaf9bbe ("NFS: Fix up NFS I/O subrequest creation") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pagelist.c | 48 ++++++++++++++++++++++++------------------------ + 1 file changed, 24 insertions(+), 24 deletions(-) + +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -1177,38 +1177,38 @@ int nfs_pageio_add_request(struct nfs_pa + if (desc->pg_error < 0) + goto out_failed; + +- for (midx = 0; midx < desc->pg_mirror_count; midx++) { +- if (midx) { +- nfs_page_group_lock(req); +- +- /* find the last request */ +- for (lastreq = req->wb_head; +- lastreq->wb_this_page != req->wb_head; +- lastreq = lastreq->wb_this_page) +- ; +- +- dupreq = nfs_create_subreq(req, lastreq, +- pgbase, offset, bytes); +- +- nfs_page_group_unlock(req); +- if (IS_ERR(dupreq)) { +- desc->pg_error = PTR_ERR(dupreq); +- goto out_failed; +- } +- } else +- dupreq = req; ++ /* Create the mirror instances first, and fire them off */ ++ for (midx = 1; midx < desc->pg_mirror_count; midx++) { ++ nfs_page_group_lock(req); ++ ++ /* find the last request */ ++ for (lastreq = req->wb_head; ++ lastreq->wb_this_page != req->wb_head; ++ lastreq = lastreq->wb_this_page) ++ ; ++ ++ dupreq = nfs_create_subreq(req, lastreq, ++ pgbase, offset, bytes); ++ ++ nfs_page_group_unlock(req); ++ if (IS_ERR(dupreq)) { ++ desc->pg_error = PTR_ERR(dupreq); ++ goto out_failed; ++ } + +- if (nfs_pgio_has_mirroring(desc)) +- desc->pg_mirror_idx = midx; ++ desc->pg_mirror_idx = midx; + if (!nfs_pageio_add_request_mirror(desc, dupreq)) + goto out_cleanup_subreq; + } + ++ desc->pg_mirror_idx = 0; ++ if (!nfs_pageio_add_request_mirror(desc, req)) ++ goto out_failed; ++ + return 1; + + out_cleanup_subreq: +- if (req != dupreq) +- nfs_pageio_cleanup_request(desc, dupreq); ++ nfs_pageio_cleanup_request(desc, dupreq); + out_failed: + nfs_pageio_error_cleanup(desc); + return 0; diff --git a/queue-5.6/nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch b/queue-5.6/nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch new file mode 100644 index 00000000000..c6d95c5f866 --- /dev/null +++ b/queue-5.6/nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch @@ -0,0 +1,31 @@ +From 69afd267982e733a555fede4e85fe30329ed0588 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 19 Mar 2020 11:30:38 -0400 +Subject: nfsd: fsnotify on rmdir under nfsd/clients/ + +From: J. Bruce Fields + +commit 69afd267982e733a555fede4e85fe30329ed0588 upstream. + +Userspace should be able to monitor nfsd/clients/ to see when clients +come and go, but we're failing to send fsnotify events. + +Cc: stable@kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfsctl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1333,6 +1333,7 @@ void nfsd_client_rmdir(struct dentry *de + dget(dentry); + ret = simple_rmdir(dir, dentry); + WARN_ON_ONCE(ret); ++ fsnotify_rmdir(dir, dentry); + d_delete(dentry); + inode_unlock(dir); + } diff --git a/queue-5.6/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch b/queue-5.6/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch new file mode 100644 index 00000000000..99aeb34ef8f --- /dev/null +++ b/queue-5.6/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch @@ -0,0 +1,59 @@ +From 783fda856e1034dee90a873f7654c418212d12d7 Mon Sep 17 00:00:00 2001 +From: Changwei Ge +Date: Fri, 10 Apr 2020 14:32:38 -0700 +Subject: ocfs2: no need try to truncate file beyond i_size + +From: Changwei Ge + +commit 783fda856e1034dee90a873f7654c418212d12d7 upstream. + +Linux fallocate(2) with FALLOC_FL_PUNCH_HOLE mode set, its offset can +exceed the inode size. Ocfs2 now doesn't allow that offset beyond inode +size. This restriction is not necessary and violates fallocate(2) +semantics. + +If fallocate(2) offset is beyond inode size, just return success and do +nothing further. + +Otherwise, ocfs2 will crash the kernel. + + kernel BUG at fs/ocfs2//alloc.c:7264! + ocfs2_truncate_inline+0x20f/0x360 [ocfs2] + ocfs2_remove_inode_range+0x23c/0xcb0 [ocfs2] + __ocfs2_change_file_space+0x4a5/0x650 [ocfs2] + ocfs2_fallocate+0x83/0xa0 [ocfs2] + vfs_fallocate+0x148/0x230 + SyS_fallocate+0x48/0x80 + do_syscall_64+0x79/0x170 + +Signed-off-by: Changwei Ge +Signed-off-by: Andrew Morton +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Link: http://lkml.kernel.org/r/20200407082754.17565-1-chge@linux.alibaba.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/alloc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -7403,6 +7403,10 @@ int ocfs2_truncate_inline(struct inode * + struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; + struct ocfs2_inline_data *idata = &di->id2.i_data; + ++ /* No need to punch hole beyond i_size. */ ++ if (start >= i_size_read(inode)) ++ return 0; ++ + if (end > i_size_read(inode)) + end = i_size_read(inode); + diff --git a/queue-5.6/perf-tools-support-python-3.8-in-makefile.patch b/queue-5.6/perf-tools-support-python-3.8-in-makefile.patch new file mode 100644 index 00000000000..dca0903cacf --- /dev/null +++ b/queue-5.6/perf-tools-support-python-3.8-in-makefile.patch @@ -0,0 +1,59 @@ +From b9c9ce4e598e012ca7c1813fae2f4d02395807de Mon Sep 17 00:00:00 2001 +From: Sam Lunt +Date: Fri, 31 Jan 2020 12:11:23 -0600 +Subject: perf tools: Support Python 3.8+ in Makefile + +From: Sam Lunt + +commit b9c9ce4e598e012ca7c1813fae2f4d02395807de upstream. + +Python 3.8 changed the output of 'python-config --ldflags' to no longer +include the '-lpythonX.Y' flag (this apparently fixed an issue loading +modules with a statically linked Python executable). The libpython +feature check in linux/build/feature fails if the Python library is not +included in FEATURE_CHECK_LDFLAGS-libpython variable. + +This adds a check in the Makefile to determine if PYTHON_CONFIG accepts +the '--embed' flag and passes that flag alongside '--ldflags' if so. + +tools/perf is the only place the libpython feature check is used. + +Signed-off-by: Sam Lunt +Tested-by: He Zhe +Link: http://lore.kernel.org/lkml/c56be2e1-8111-9dfe-8298-f7d0f9ab7431@windriver.com +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: trivial@kernel.org +Cc: stable@kernel.org +Link: http://lore.kernel.org/lkml/20200131181123.tmamivhq4b7uqasr@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/Makefile.config | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -228,8 +228,17 @@ strip-libs = $(filter-out -l%,$(1)) + + PYTHON_CONFIG_SQ := $(call shell-sq,$(PYTHON_CONFIG)) + ++# Python 3.8 changed the output of `python-config --ldflags` to not include the ++# '-lpythonX.Y' flag unless '--embed' is also passed. The feature check for ++# libpython fails if that flag is not included in LDFLAGS ++ifeq ($(shell $(PYTHON_CONFIG_SQ) --ldflags --embed 2>&1 1>/dev/null; echo $$?), 0) ++ PYTHON_CONFIG_LDFLAGS := --ldflags --embed ++else ++ PYTHON_CONFIG_LDFLAGS := --ldflags ++endif ++ + ifdef PYTHON_CONFIG +- PYTHON_EMBED_LDOPTS := $(shell $(PYTHON_CONFIG_SQ) --ldflags 2>/dev/null) ++ PYTHON_EMBED_LDOPTS := $(shell $(PYTHON_CONFIG_SQ) $(PYTHON_CONFIG_LDFLAGS) 2>/dev/null) + PYTHON_EMBED_LDFLAGS := $(call strip-libs,$(PYTHON_EMBED_LDOPTS)) + PYTHON_EMBED_LIBADD := $(call grep-libs,$(PYTHON_EMBED_LDOPTS)) -lutil + PYTHON_EMBED_CCOPTS := $(shell $(PYTHON_CONFIG_SQ) --includes 2>/dev/null) diff --git a/queue-5.6/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch b/queue-5.6/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch new file mode 100644 index 00000000000..476d5154212 --- /dev/null +++ b/queue-5.6/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch @@ -0,0 +1,101 @@ +From a83836dbc53e96f13fec248ecc201d18e1e3111d Mon Sep 17 00:00:00 2001 +From: Libor Pechacek +Date: Fri, 31 Jan 2020 14:28:29 +0100 +Subject: powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable + +From: Libor Pechacek + +commit a83836dbc53e96f13fec248ecc201d18e1e3111d upstream. + +In guests without hotplugagble memory drmem structure is only zero +initialized. Trying to manipulate DLPAR parameters results in a crash. + + $ echo "memory add count 1" > /sys/kernel/dlpar + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + ... + NIP: c0000000000ff294 LR: c0000000000ff248 CTR: 0000000000000000 + REGS: c0000000fb9d3880 TRAP: 0300 Tainted: G E (5.5.0-rc6-2-default) + MSR: 8000000000009033 CR: 28242428 XER: 20000000 + CFAR: c0000000009a6c10 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 + ... + NIP dlpar_memory+0x6e4/0xd00 + LR dlpar_memory+0x698/0xd00 + Call Trace: + dlpar_memory+0x698/0xd00 (unreliable) + handle_dlpar_errorlog+0xc0/0x190 + dlpar_store+0x198/0x4a0 + kobj_attr_store+0x30/0x50 + sysfs_kf_write+0x64/0x90 + kernfs_fop_write+0x1b0/0x290 + __vfs_write+0x3c/0x70 + vfs_write+0xd0/0x260 + ksys_write+0xdc/0x130 + system_call+0x5c/0x68 + +Taking closer look at the code, I can see that for_each_drmem_lmb is a +macro expanding into `for (lmb = &drmem_info->lmbs[0]; lmb <= +&drmem_info->lmbs[drmem_info->n_lmbs - 1]; lmb++)`. When drmem_info->lmbs +is NULL, the loop would iterate through the whole address range if it +weren't stopped by the NULL pointer dereference on the next line. + +This patch aligns for_each_drmem_lmb and for_each_drmem_lmb_in_range +macro behavior with the common C semantics, where the end marker does +not belong to the scanned range, and alters get_lmb_range() semantics. +As a side effect, the wraparound observed in the crash is prevented. + +Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Libor Pechacek +Signed-off-by: Michal Suchanek +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200131132829.10281-1-msuchanek@suse.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/drmem.h | 4 ++-- + arch/powerpc/platforms/pseries/hotplug-memory.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -27,12 +27,12 @@ struct drmem_lmb_info { + extern struct drmem_lmb_info *drmem_info; + + #define for_each_drmem_lmb_in_range(lmb, start, end) \ +- for ((lmb) = (start); (lmb) <= (end); (lmb)++) ++ for ((lmb) = (start); (lmb) < (end); (lmb)++) + + #define for_each_drmem_lmb(lmb) \ + for_each_drmem_lmb_in_range((lmb), \ + &drmem_info->lmbs[0], \ +- &drmem_info->lmbs[drmem_info->n_lmbs - 1]) ++ &drmem_info->lmbs[drmem_info->n_lmbs]) + + /* + * The of_drconf_cell_v1 struct defines the layout of the LMB data +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -223,7 +223,7 @@ static int get_lmb_range(u32 drc_index, + struct drmem_lmb **end_lmb) + { + struct drmem_lmb *lmb, *start, *end; +- struct drmem_lmb *last_lmb; ++ struct drmem_lmb *limit; + + start = NULL; + for_each_drmem_lmb(lmb) { +@@ -236,10 +236,10 @@ static int get_lmb_range(u32 drc_index, + if (!start) + return -EINVAL; + +- end = &start[n_lmbs - 1]; ++ end = &start[n_lmbs]; + +- last_lmb = &drmem_info->lmbs[drmem_info->n_lmbs - 1]; +- if (end > last_lmb) ++ limit = &drmem_info->lmbs[drmem_info->n_lmbs]; ++ if (end > limit) + return -EINVAL; + + *start_lmb = start; diff --git a/queue-5.6/s390-diag-fix-display-of-diagnose-call-statistics.patch b/queue-5.6/s390-diag-fix-display-of-diagnose-call-statistics.patch new file mode 100644 index 00000000000..83bd7536c6b --- /dev/null +++ b/queue-5.6/s390-diag-fix-display-of-diagnose-call-statistics.patch @@ -0,0 +1,36 @@ +From 6c7c851f1b666a8a455678a0b480b9162de86052 Mon Sep 17 00:00:00 2001 +From: Michael Mueller +Date: Tue, 3 Mar 2020 16:42:01 +0100 +Subject: s390/diag: fix display of diagnose call statistics + +From: Michael Mueller + +commit 6c7c851f1b666a8a455678a0b480b9162de86052 upstream. + +Show the full diag statistic table and not just parts of it. + +The issue surfaced in a KVM guest with a number of vcpus +defined smaller than NR_DIAG_STAT. + +Fixes: 1ec2772e0c3c ("s390/diag: add a statistic for diagnose calls") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Mueller +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/diag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/diag.c ++++ b/arch/s390/kernel/diag.c +@@ -84,7 +84,7 @@ static int show_diag_stat(struct seq_fil + + static void *show_diag_stat_start(struct seq_file *m, loff_t *pos) + { +- return *pos <= nr_cpu_ids ? (void *)((unsigned long) *pos + 1) : NULL; ++ return *pos <= NR_DIAG_STAT ? (void *)((unsigned long) *pos + 1) : NULL; + } + + static void *show_diag_stat_next(struct seq_file *m, void *v, loff_t *pos) diff --git a/queue-5.6/scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch b/queue-5.6/scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch new file mode 100644 index 00000000000..447c7f64d87 --- /dev/null +++ b/queue-5.6/scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch @@ -0,0 +1,146 @@ +From 835214f5d5f516a38069bc077c879c7da00d6108 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Mon, 27 Jan 2020 16:23:03 -0800 +Subject: scsi: lpfc: Fix broken Credit Recovery after driver load + +From: James Smart + +commit 835214f5d5f516a38069bc077c879c7da00d6108 upstream. + +When driver is set to enable bb credit recovery, the switch displayed the +setting as inactive. If the link bounces, it switches to Active. + +During link up processing, the driver currently does a MBX_READ_SPARAM +followed by a MBX_CONFIG_LINK. These mbox commands are queued to be +executed, one at a time and the completion is processed by the worker +thread. Since the MBX_READ_SPARAM is done BEFORE the MBX_CONFIG_LINK, the +BB_SC_N bit is never set the the returned values. BB Credit recovery status +only gets set after the driver requests the feature in CONFIG_LINK, which +is done after the link up. Thus the ordering of READ_SPARAM needs to follow +the CONFIG_LINK. + +Fix by reordering so that READ_SPARAM is done after CONFIG_LINK. Added a +HBA_DEFER_FLOGI flag so that any FLOGI handling waits until after the +READ_SPARAM is done so that the proper BB credit value is set in the FLOGI +payload. + +Fixes: 6bfb16208298 ("scsi: lpfc: Fix configuration of BB credit recovery in service parameters") +Cc: # v5.4+ +Link: https://lore.kernel.org/r/20200128002312.16346-4-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc.h | 1 + drivers/scsi/lpfc/lpfc_hbadisc.c | 59 +++++++++++++++++++++++++-------------- + 2 files changed, 40 insertions(+), 20 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -749,6 +749,7 @@ struct lpfc_hba { + * capability + */ + #define HBA_FLOGI_ISSUED 0x100000 /* FLOGI was issued */ ++#define HBA_DEFER_FLOGI 0x800000 /* Defer FLOGI till read_sparm cmpl */ + + uint32_t fcp_ring_in_use; /* When polling test if intr-hndlr active*/ + struct lpfc_dmabuf slim2p; +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -1163,13 +1163,16 @@ lpfc_mbx_cmpl_local_config_link(struct l + } + + /* Start discovery by sending a FLOGI. port_state is identically +- * LPFC_FLOGI while waiting for FLOGI cmpl ++ * LPFC_FLOGI while waiting for FLOGI cmpl. Check if sending ++ * the FLOGI is being deferred till after MBX_READ_SPARAM completes. + */ +- if (vport->port_state != LPFC_FLOGI) +- lpfc_initial_flogi(vport); +- else if (vport->fc_flag & FC_PT2PT) +- lpfc_disc_start(vport); +- ++ if (vport->port_state != LPFC_FLOGI) { ++ if (!(phba->hba_flag & HBA_DEFER_FLOGI)) ++ lpfc_initial_flogi(vport); ++ } else { ++ if (vport->fc_flag & FC_PT2PT) ++ lpfc_disc_start(vport); ++ } + return; + + out: +@@ -3094,6 +3097,14 @@ lpfc_mbx_cmpl_read_sparam(struct lpfc_hb + lpfc_mbuf_free(phba, mp->virt, mp->phys); + kfree(mp); + mempool_free(pmb, phba->mbox_mem_pool); ++ ++ /* Check if sending the FLOGI is being deferred to after we get ++ * up to date CSPs from MBX_READ_SPARAM. ++ */ ++ if (phba->hba_flag & HBA_DEFER_FLOGI) { ++ lpfc_initial_flogi(vport); ++ phba->hba_flag &= ~HBA_DEFER_FLOGI; ++ } + return; + + out: +@@ -3224,6 +3235,23 @@ lpfc_mbx_process_link_up(struct lpfc_hba + } + + lpfc_linkup(phba); ++ sparam_mbox = NULL; ++ ++ if (!(phba->hba_flag & HBA_FCOE_MODE)) { ++ cfglink_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); ++ if (!cfglink_mbox) ++ goto out; ++ vport->port_state = LPFC_LOCAL_CFG_LINK; ++ lpfc_config_link(phba, cfglink_mbox); ++ cfglink_mbox->vport = vport; ++ cfglink_mbox->mbox_cmpl = lpfc_mbx_cmpl_local_config_link; ++ rc = lpfc_sli_issue_mbox(phba, cfglink_mbox, MBX_NOWAIT); ++ if (rc == MBX_NOT_FINISHED) { ++ mempool_free(cfglink_mbox, phba->mbox_mem_pool); ++ goto out; ++ } ++ } ++ + sparam_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!sparam_mbox) + goto out; +@@ -3244,20 +3272,7 @@ lpfc_mbx_process_link_up(struct lpfc_hba + goto out; + } + +- if (!(phba->hba_flag & HBA_FCOE_MODE)) { +- cfglink_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +- if (!cfglink_mbox) +- goto out; +- vport->port_state = LPFC_LOCAL_CFG_LINK; +- lpfc_config_link(phba, cfglink_mbox); +- cfglink_mbox->vport = vport; +- cfglink_mbox->mbox_cmpl = lpfc_mbx_cmpl_local_config_link; +- rc = lpfc_sli_issue_mbox(phba, cfglink_mbox, MBX_NOWAIT); +- if (rc == MBX_NOT_FINISHED) { +- mempool_free(cfglink_mbox, phba->mbox_mem_pool); +- goto out; +- } +- } else { ++ if (phba->hba_flag & HBA_FCOE_MODE) { + vport->port_state = LPFC_VPORT_UNKNOWN; + /* + * Add the driver's default FCF record at FCF index 0 now. This +@@ -3314,6 +3329,10 @@ lpfc_mbx_process_link_up(struct lpfc_hba + } + /* Reset FCF roundrobin bmask for new discovery */ + lpfc_sli4_clear_fcf_rr_bmask(phba); ++ } else { ++ if (phba->bbcredit_support && phba->cfg_enable_bbcr && ++ !(phba->link_flag & LS_LOOPBACK_MODE)) ++ phba->hba_flag |= HBA_DEFER_FLOGI; + } + + /* Prepare for LINK up registrations */ diff --git a/queue-5.6/scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch b/queue-5.6/scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch new file mode 100644 index 00000000000..cffd3bf7171 --- /dev/null +++ b/queue-5.6/scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch @@ -0,0 +1,40 @@ +From 0ab384a49c548baf132ccef249f78d9c6c506380 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Mon, 27 Jan 2020 16:23:02 -0800 +Subject: scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path + +From: James Smart + +commit 0ab384a49c548baf132ccef249f78d9c6c506380 upstream. + +If a call to lpfc_get_cmd_rsp_buf_per_hdwq returns NULL (memory allocation +failure), a previously allocated lpfc_io_buf resource is leaked. + +Fix by releasing the lpfc_io_buf resource in the failure path. + +Fixes: d79c9e9d4b3d ("scsi: lpfc: Support dynamic unbounded SGL lists on G7 hardware.") +Cc: # v5.4+ +Link: https://lore.kernel.org/r/20200128002312.16346-3-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_scsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -671,8 +671,10 @@ lpfc_get_scsi_buf_s4(struct lpfc_hba *ph + lpfc_cmd->prot_data_type = 0; + #endif + tmp = lpfc_get_cmd_rsp_buf_per_hdwq(phba, lpfc_cmd); +- if (!tmp) ++ if (!tmp) { ++ lpfc_release_io_buf(phba, lpfc_cmd, lpfc_cmd->hdwq); + return NULL; ++ } + + lpfc_cmd->fcp_cmnd = tmp->fcp_cmnd; + lpfc_cmd->fcp_rsp = tmp->fcp_rsp; diff --git a/queue-5.6/scsi-ufs-fix-auto-hibern8-error-detection.patch b/queue-5.6/scsi-ufs-fix-auto-hibern8-error-detection.patch new file mode 100644 index 00000000000..38ababe33a8 --- /dev/null +++ b/queue-5.6/scsi-ufs-fix-auto-hibern8-error-detection.patch @@ -0,0 +1,68 @@ +From 5a244e0ea67b293abb1d26c825db2ddde5f2862f Mon Sep 17 00:00:00 2001 +From: Stanley Chu +Date: Wed, 29 Jan 2020 18:52:50 +0800 +Subject: scsi: ufs: fix Auto-Hibern8 error detection + +From: Stanley Chu + +commit 5a244e0ea67b293abb1d26c825db2ddde5f2862f upstream. + +Auto-Hibern8 may be disabled by some vendors or sysfs in runtime even if +Auto-Hibern8 capability is supported by host. If Auto-Hibern8 capability is +supported by host but not actually enabled, Auto-Hibern8 error shall not +happen. + +To fix this, provide a way to detect if Auto-Hibern8 is actually enabled +first, and bypass Auto-Hibern8 disabling case in +ufshcd_is_auto_hibern8_error(). + +Fixes: 821744403913 ("scsi: ufs: Add error-handling of Auto-Hibernate") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200129105251.12466-4-stanley.chu@mediatek.com +Reviewed-by: Bean Huo +Reviewed-by: Alim Akhtar +Reviewed-by: Asutosh Das +Reviewed-by: Can Guo +Signed-off-by: Stanley Chu +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ufs/ufshcd.c | 3 ++- + drivers/scsi/ufs/ufshcd.h | 6 ++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -5486,7 +5486,8 @@ static irqreturn_t ufshcd_update_uic_err + static bool ufshcd_is_auto_hibern8_error(struct ufs_hba *hba, + u32 intr_mask) + { +- if (!ufshcd_is_auto_hibern8_supported(hba)) ++ if (!ufshcd_is_auto_hibern8_supported(hba) || ++ !ufshcd_is_auto_hibern8_enabled(hba)) + return false; + + if (!(intr_mask & UFSHCD_UIC_HIBERN8_MASK)) +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -55,6 +55,7 @@ + #include + #include + #include ++#include + #include "unipro.h" + + #include +@@ -773,6 +774,11 @@ static inline bool ufshcd_is_auto_hibern + return (hba->capabilities & MASK_AUTO_HIBERN8_SUPPORT); + } + ++static inline bool ufshcd_is_auto_hibern8_enabled(struct ufs_hba *hba) ++{ ++ return FIELD_GET(UFSHCI_AHIBERN8_TIMER_MASK, hba->ahit) ? true : false; ++} ++ + #define ufshcd_writel(hba, val, reg) \ + writel((val), (hba)->mmio_base + (reg)) + #define ufshcd_readl(hba, reg) \ diff --git a/queue-5.6/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch b/queue-5.6/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch new file mode 100644 index 00000000000..f213e3d3125 --- /dev/null +++ b/queue-5.6/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch @@ -0,0 +1,79 @@ +From 819732be9fea728623e1ed84eba28def7384ad1f Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Thu, 12 Mar 2020 18:44:56 +0100 +Subject: scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point + +From: Steffen Maier + +commit 819732be9fea728623e1ed84eba28def7384ad1f upstream. + +v2.6.27 commit cc8c282963bd ("[SCSI] zfcp: Automatically attach remote +ports") introduced zfcp automatic port scan. + +Before that, the user had to use the sysfs attribute "port_add" of an FCP +device (adapter) to add and open remote (target) ports, even for the remote +peer port in point-to-point topology. That code path did a proper port open +recovery trigger taking the erp_lock. + +Since above commit, a new helper function zfcp_erp_open_ptp_port() +performed an UNlocked port open recovery trigger. This can race with other +parallel recovery triggers. In zfcp_erp_action_enqueue() this could corrupt +e.g. adapter->erp_total_count or adapter->erp_ready_head. + +As already found for fabric topology in v4.17 commit fa89adba1941 ("scsi: +zfcp: fix infinite iteration on ERP ready list"), there was an endless loop +during tracing of rport (un)block. A subsequent v4.18 commit 9e156c54ace3 +("scsi: zfcp: assert that the ERP lock is held when tracing a recovery +trigger") introduced a lockdep assertion for that case. + +As a side effect, that lockdep assertion now uncovered the unlocked code +path for PtP. It is from within an adapter ERP action: + +zfcp_erp_strategy[1479] intentionally DROPs erp lock around + zfcp_erp_strategy_do_action() +zfcp_erp_strategy_do_action[1441] NO erp lock +zfcp_erp_adapter_strategy[876] NO erp lock +zfcp_erp_adapter_strategy_open[855] NO erp lock +zfcp_erp_adapter_strategy_open_fsf[806]NO erp lock +zfcp_erp_adapter_strat_fsf_xconf[772] erp lock only around + zfcp_erp_action_to_running(), + BUT *_not_* around + zfcp_erp_enqueue_ptp_port() +zfcp_erp_enqueue_ptp_port[728] BUG: *_not_* taking erp lock +_zfcp_erp_port_reopen[432] assumes to be called with erp lock +zfcp_erp_action_enqueue[314] assumes to be called with erp lock +zfcp_dbf_rec_trig[288] _checks_ to be called with erp lock: + lockdep_assert_held(&adapter->erp_lock); + +It causes the following lockdep warning: + +WARNING: CPU: 2 PID: 775 at drivers/s390/scsi/zfcp_dbf.c:288 + zfcp_dbf_rec_trig+0x16a/0x188 +no locks held by zfcperp0.0.17c0/775. + +Fix this by using the proper locked recovery trigger helper function. + +Link: https://lore.kernel.org/r/20200312174505.51294-2-maier@linux.ibm.com +Fixes: cc8c282963bd ("[SCSI] zfcp: Automatically attach remote ports") +Cc: #v2.6.27+ +Reviewed-by: Jens Remus +Reviewed-by: Benjamin Block +Signed-off-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_erp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -725,7 +725,7 @@ static void zfcp_erp_enqueue_ptp_port(st + adapter->peer_d_id); + if (IS_ERR(port)) /* error or port already attached */ + return; +- _zfcp_erp_port_reopen(port, 0, "ereptp1"); ++ zfcp_erp_port_reopen(port, 0, "ereptp1"); + } + + static enum zfcp_erp_act_result zfcp_erp_adapter_strat_fsf_xconf( diff --git a/queue-5.6/selftests-powerpc-add-tlbie_test-in-.gitignore.patch b/queue-5.6/selftests-powerpc-add-tlbie_test-in-.gitignore.patch new file mode 100644 index 00000000000..189c321e397 --- /dev/null +++ b/queue-5.6/selftests-powerpc-add-tlbie_test-in-.gitignore.patch @@ -0,0 +1,30 @@ +From 47bf235f324c696395c30541fe4fcf99fcd24188 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 28 Feb 2020 00:00:09 +0000 +Subject: selftests/powerpc: Add tlbie_test in .gitignore + +From: Christophe Leroy + +commit 47bf235f324c696395c30541fe4fcf99fcd24188 upstream. + +The commit identified below added tlbie_test but forgot to add it in +.gitignore. + +Fixes: 93cad5f78995 ("selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue") +Cc: stable@vger.kernel.org # v5.4+ +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/259f9c06ed4563c4fa4fa8ffa652347278d769e7.1582847784.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/powerpc/mm/.gitignore | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/powerpc/mm/.gitignore ++++ b/tools/testing/selftests/powerpc/mm/.gitignore +@@ -6,3 +6,4 @@ segv_errors + wild_bctr + large_vm_fork_separation + bad_accesses ++tlbie_test diff --git a/queue-5.6/selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch b/queue-5.6/selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch new file mode 100644 index 00000000000..42b9097c875 --- /dev/null +++ b/queue-5.6/selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch @@ -0,0 +1,57 @@ +From 9686813f6e9d5568bc045de0be853411e44958c8 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 27 Mar 2020 20:53:19 +1100 +Subject: selftests/powerpc: Fix try-run when source tree is not writable + +From: Michael Ellerman + +commit 9686813f6e9d5568bc045de0be853411e44958c8 upstream. + +We added a usage of try-run to pmu/ebb/Makefile to detect if the +toolchain supported the -no-pie option. + +This fails if we build out-of-tree and the source tree is not +writable, as try-run tries to write its temporary files to the current +directory. That leads to the -no-pie option being silently dropped, +which leads to broken executables with some toolchains. + +If we remove the redirect to /dev/null in try-run, we see the error: + + make[3]: Entering directory '/linux/tools/testing/selftests/powerpc/pmu/ebb' + /usr/bin/ld: cannot open output file .54.tmp: Read-only file system + collect2: error: ld returned 1 exit status + make[3]: Nothing to be done for 'all'. + +And looking with strace we see it's trying to use a file that's in the +source tree: + + lstat("/linux/tools/testing/selftests/powerpc/pmu/ebb/.54.tmp", 0x7ffffc0f83c8) + +We can fix it by setting TMPOUT to point to the $(OUTPUT) directory, +and we can verify with strace it's now trying to write to the output +directory: + + lstat("/output/kselftest/powerpc/pmu/ebb/.54.tmp", 0x7fffd1bf6bf8) + +And also see that the -no-pie option is now correctly detected. + +Fixes: 0695f8bca93e ("selftests/powerpc: Handle Makefile for unrecognized option") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200327095319.2347641-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/powerpc/pmu/ebb/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/powerpc/pmu/ebb/Makefile ++++ b/tools/testing/selftests/powerpc/pmu/ebb/Makefile +@@ -7,6 +7,7 @@ noarg: + # The EBB handler is 64-bit code and everything links against it + CFLAGS += -m64 + ++TMPOUT = $(OUTPUT)/ + # Toolchains may build PIE by default which breaks the assembly + no-pie-option := $(call try-run, echo 'int main() { return 0; }' | \ + $(CC) -Werror $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -no-pie -x c - -o "$$TMP", -no-pie) diff --git a/queue-5.6/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch b/queue-5.6/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch new file mode 100644 index 00000000000..c7f04908ad9 --- /dev/null +++ b/queue-5.6/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch @@ -0,0 +1,393 @@ +From eea274d64e6ea8aff2224d33d0851133a84cc7b5 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Wed, 1 Apr 2020 21:10:25 -0700 +Subject: selftests: vm: drop dependencies on page flags from mlock2 tests + +From: Michal Hocko + +commit eea274d64e6ea8aff2224d33d0851133a84cc7b5 upstream. + +It was noticed that mlock2 tests are failing after 9c4e6b1a7027f ("mm, +mlock, vmscan: no more skipping pagevecs") because the patch has changed +the timing on when the page is added to the unevictable LRU list and thus +gains the unevictable page flag. + +The test was just too dependent on the implementation details which were +true at the time when it was introduced. Page flags and the timing when +they are set is something no userspace should ever depend on. The test +should be testing only for the user observable contract of the tested +syscalls. Those are defined pretty well for the mlock and there are other +means for testing them. In fact this is already done and testing for page +flags can be safely dropped to achieve the aimed purpose. Present bits +can be checked by /proc//smaps RSS field and the locking state by +VmFlags although I would argue that Locked: field would be more +appropriate. + +Drop all the page flag machinery and considerably simplify the test. This +should be more robust for future kernel changes while checking the +promised contract is still valid. + +Fixes: 9c4e6b1a7027f ("mm, mlock, vmscan: no more skipping pagevecs") +Reported-by: Rafael Aquini +Signed-off-by: Michal Hocko +Signed-off-by: Andrew Morton +Acked-by: Rafael Aquini +Cc: Shakeel Butt +Cc: Eric B Munson +Cc: Shuah Khan +Cc: +Link: http://lkml.kernel.org/r/20200324154218.GS19542@dhcp22.suse.cz +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/vm/mlock2-tests.c | 233 ++++-------------------------- + 1 file changed, 37 insertions(+), 196 deletions(-) + +--- a/tools/testing/selftests/vm/mlock2-tests.c ++++ b/tools/testing/selftests/vm/mlock2-tests.c +@@ -67,59 +67,6 @@ out: + return ret; + } + +-static uint64_t get_pageflags(unsigned long addr) +-{ +- FILE *file; +- uint64_t pfn; +- unsigned long offset; +- +- file = fopen("/proc/self/pagemap", "r"); +- if (!file) { +- perror("fopen pagemap"); +- _exit(1); +- } +- +- offset = addr / getpagesize() * sizeof(pfn); +- +- if (fseek(file, offset, SEEK_SET)) { +- perror("fseek pagemap"); +- _exit(1); +- } +- +- if (fread(&pfn, sizeof(pfn), 1, file) != 1) { +- perror("fread pagemap"); +- _exit(1); +- } +- +- fclose(file); +- return pfn; +-} +- +-static uint64_t get_kpageflags(unsigned long pfn) +-{ +- uint64_t flags; +- FILE *file; +- +- file = fopen("/proc/kpageflags", "r"); +- if (!file) { +- perror("fopen kpageflags"); +- _exit(1); +- } +- +- if (fseek(file, pfn * sizeof(flags), SEEK_SET)) { +- perror("fseek kpageflags"); +- _exit(1); +- } +- +- if (fread(&flags, sizeof(flags), 1, file) != 1) { +- perror("fread kpageflags"); +- _exit(1); +- } +- +- fclose(file); +- return flags; +-} +- + #define VMFLAGS "VmFlags:" + + static bool is_vmflag_set(unsigned long addr, const char *vmflag) +@@ -159,19 +106,13 @@ out: + #define RSS "Rss:" + #define LOCKED "lo" + +-static bool is_vma_lock_on_fault(unsigned long addr) ++static unsigned long get_value_for_name(unsigned long addr, const char *name) + { +- bool ret = false; +- bool locked; +- FILE *smaps = NULL; +- unsigned long vma_size, vma_rss; + char *line = NULL; +- char *value; + size_t size = 0; +- +- locked = is_vmflag_set(addr, LOCKED); +- if (!locked) +- goto out; ++ char *value_ptr; ++ FILE *smaps = NULL; ++ unsigned long value = -1UL; + + smaps = seek_to_smaps_entry(addr); + if (!smaps) { +@@ -180,112 +121,70 @@ static bool is_vma_lock_on_fault(unsigne + } + + while (getline(&line, &size, smaps) > 0) { +- if (!strstr(line, SIZE)) { ++ if (!strstr(line, name)) { + free(line); + line = NULL; + size = 0; + continue; + } + +- value = line + strlen(SIZE); +- if (sscanf(value, "%lu kB", &vma_size) < 1) { ++ value_ptr = line + strlen(name); ++ if (sscanf(value_ptr, "%lu kB", &value) < 1) { + printf("Unable to parse smaps entry for Size\n"); + goto out; + } + break; + } + +- while (getline(&line, &size, smaps) > 0) { +- if (!strstr(line, RSS)) { +- free(line); +- line = NULL; +- size = 0; +- continue; +- } +- +- value = line + strlen(RSS); +- if (sscanf(value, "%lu kB", &vma_rss) < 1) { +- printf("Unable to parse smaps entry for Rss\n"); +- goto out; +- } +- break; +- } +- +- ret = locked && (vma_rss < vma_size); + out: +- free(line); + if (smaps) + fclose(smaps); +- return ret; ++ free(line); ++ return value; + } + +-#define PRESENT_BIT 0x8000000000000000ULL +-#define PFN_MASK 0x007FFFFFFFFFFFFFULL +-#define UNEVICTABLE_BIT (1UL << 18) +- +-static int lock_check(char *map) ++static bool is_vma_lock_on_fault(unsigned long addr) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; ++ bool locked; ++ unsigned long vma_size, vma_rss; ++ ++ locked = is_vmflag_set(addr, LOCKED); ++ if (!locked) ++ return false; + +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); ++ vma_size = get_value_for_name(addr, SIZE); ++ vma_rss = get_value_for_name(addr, RSS); + +- /* Both pages should be present */ +- if (((page1_flags & PRESENT_BIT) == 0) || +- ((page2_flags & PRESENT_BIT) == 0)) { +- printf("Failed to make both pages present\n"); +- return 1; +- } ++ /* only one page is faulted in */ ++ return (vma_rss < vma_size); ++} + +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); ++#define PRESENT_BIT 0x8000000000000000ULL ++#define PFN_MASK 0x007FFFFFFFFFFFFFULL ++#define UNEVICTABLE_BIT (1UL << 18) + +- /* Both pages should be unevictable */ +- if (((page1_flags & UNEVICTABLE_BIT) == 0) || +- ((page2_flags & UNEVICTABLE_BIT) == 0)) { +- printf("Failed to make both pages unevictable\n"); +- return 1; +- } ++static int lock_check(unsigned long addr) ++{ ++ bool locked; ++ unsigned long vma_size, vma_rss; + +- if (!is_vmflag_set((unsigned long)map, LOCKED)) { +- printf("VMA flag %s is missing on page 1\n", LOCKED); +- return 1; +- } ++ locked = is_vmflag_set(addr, LOCKED); ++ if (!locked) ++ return false; + +- if (!is_vmflag_set((unsigned long)map + page_size, LOCKED)) { +- printf("VMA flag %s is missing on page 2\n", LOCKED); +- return 1; +- } ++ vma_size = get_value_for_name(addr, SIZE); ++ vma_rss = get_value_for_name(addr, RSS); + +- return 0; ++ return (vma_rss == vma_size); + } + + static int unlock_lock_check(char *map) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); +- +- if ((page1_flags & UNEVICTABLE_BIT) || (page2_flags & UNEVICTABLE_BIT)) { +- printf("A page is still marked unevictable after unlock\n"); +- return 1; +- } +- + if (is_vmflag_set((unsigned long)map, LOCKED)) { + printf("VMA flag %s is present on page 1 after unlock\n", LOCKED); + return 1; + } + +- if (is_vmflag_set((unsigned long)map + page_size, LOCKED)) { +- printf("VMA flag %s is present on page 2 after unlock\n", LOCKED); +- return 1; +- } +- + return 0; + } + +@@ -311,7 +210,7 @@ static int test_mlock_lock() + goto unmap; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + /* Now unlock and recheck attributes */ +@@ -330,64 +229,18 @@ out: + + static int onfault_check(char *map) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- +- /* Neither page should be present */ +- if ((page1_flags & PRESENT_BIT) || (page2_flags & PRESENT_BIT)) { +- printf("Pages were made present by MLOCK_ONFAULT\n"); +- return 1; +- } +- + *map = 'a'; +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- +- /* Only page 1 should be present */ +- if ((page1_flags & PRESENT_BIT) == 0) { +- printf("Page 1 is not present after fault\n"); +- return 1; +- } else if (page2_flags & PRESENT_BIT) { +- printf("Page 2 was made present\n"); +- return 1; +- } +- +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- +- /* Page 1 should be unevictable */ +- if ((page1_flags & UNEVICTABLE_BIT) == 0) { +- printf("Failed to make faulted page unevictable\n"); +- return 1; +- } +- + if (!is_vma_lock_on_fault((unsigned long)map)) { + printf("VMA is not marked for lock on fault\n"); + return 1; + } + +- if (!is_vma_lock_on_fault((unsigned long)map + page_size)) { +- printf("VMA is not marked for lock on fault\n"); +- return 1; +- } +- + return 0; + } + + static int unlock_onfault_check(char *map) + { + unsigned long page_size = getpagesize(); +- uint64_t page1_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- +- if (page1_flags & UNEVICTABLE_BIT) { +- printf("Page 1 is still marked unevictable after unlock\n"); +- return 1; +- } + + if (is_vma_lock_on_fault((unsigned long)map) || + is_vma_lock_on_fault((unsigned long)map + page_size)) { +@@ -445,7 +298,6 @@ static int test_lock_onfault_of_present( + char *map; + int ret = 1; + unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; + + map = mmap(NULL, 2 * page_size, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); +@@ -465,17 +317,6 @@ static int test_lock_onfault_of_present( + goto unmap; + } + +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); +- +- /* Page 1 should be unevictable */ +- if ((page1_flags & UNEVICTABLE_BIT) == 0) { +- printf("Failed to make present page unevictable\n"); +- goto unmap; +- } +- + if (!is_vma_lock_on_fault((unsigned long)map) || + !is_vma_lock_on_fault((unsigned long)map + page_size)) { + printf("VMA with present pages is not marked lock on fault\n"); +@@ -507,7 +348,7 @@ static int test_munlockall() + goto out; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + if (munlockall()) { +@@ -549,7 +390,7 @@ static int test_munlockall() + goto out; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + if (munlockall()) { diff --git a/queue-5.6/selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch b/queue-5.6/selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch new file mode 100644 index 00000000000..393f554fb0d --- /dev/null +++ b/queue-5.6/selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch @@ -0,0 +1,76 @@ +From cabc30da10e677c67ab9a136b1478175734715c5 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 1 Apr 2020 21:11:51 -0700 +Subject: selftests/vm: fix map_hugetlb length used for testing read and write + +From: Christophe Leroy + +commit cabc30da10e677c67ab9a136b1478175734715c5 upstream. + +Commit fa7b9a805c79 ("tools/selftest/vm: allow choosing mem size and page +size in map_hugetlb") added the possibility to change the size of memory +mapped for the test, but left the read and write test using the default +value. This is unnoticed when mapping a length greater than the default +one, but segfaults otherwise. + +Fix read_bytes() and write_bytes() by giving them the real length. + +Also fix the call to munmap(). + +Fixes: fa7b9a805c79 ("tools/selftest/vm: allow choosing mem size and page size in map_hugetlb") +Signed-off-by: Christophe Leroy +Signed-off-by: Andrew Morton +Reviewed-by: Leonardo Bras +Cc: Michael Ellerman +Cc: Shuah Khan +Cc: +Link: http://lkml.kernel.org/r/9a404a13c871c4bd0ba9ede68f69a1225180dd7e.1580978385.git.christophe.leroy@c-s.fr +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/vm/map_hugetlb.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/vm/map_hugetlb.c ++++ b/tools/testing/selftests/vm/map_hugetlb.c +@@ -45,20 +45,20 @@ static void check_bytes(char *addr) + printf("First hex is %x\n", *((unsigned int *)addr)); + } + +-static void write_bytes(char *addr) ++static void write_bytes(char *addr, size_t length) + { + unsigned long i; + +- for (i = 0; i < LENGTH; i++) ++ for (i = 0; i < length; i++) + *(addr + i) = (char)i; + } + +-static int read_bytes(char *addr) ++static int read_bytes(char *addr, size_t length) + { + unsigned long i; + + check_bytes(addr); +- for (i = 0; i < LENGTH; i++) ++ for (i = 0; i < length; i++) + if (*(addr + i) != (char)i) { + printf("Mismatch at %lu\n", i); + return 1; +@@ -96,11 +96,11 @@ int main(int argc, char **argv) + + printf("Returned address is %p\n", addr); + check_bytes(addr); +- write_bytes(addr); +- ret = read_bytes(addr); ++ write_bytes(addr, length); ++ ret = read_bytes(addr, length); + + /* munmap() length of MAP_HUGETLB memory must be hugepage aligned */ +- if (munmap(addr, LENGTH)) { ++ if (munmap(addr, length)) { + perror("munmap"); + exit(1); + } diff --git a/queue-5.6/series b/queue-5.6/series index 5e96687522d..b80c40f39c3 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -171,3 +171,64 @@ arm64-dts-allwinner-h6-fix-pmu-compatible.patch sched-core-remove-duplicate-assignment-in-sched_tick_remote.patch arm64-dts-allwinner-h5-fix-pmu-compatible.patch mm-memcg-do-not-high-throttle-allocators-based-on-wraparound.patch +dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch +dm-integrity-fix-a-crash-with-unusually-large-tag-size.patch +dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch +dm-zoned-remove-duplicate-nr_rnd_zones-increase-in-dmz_init_zone.patch +dm-clone-fix-handling-of-partial-region-discards.patch +dm-clone-add-overflow-check-for-number-of-regions.patch +dm-clone-add-missing-casts-to-prevent-overflows-and-data-corruption.patch +dm-clone-metadata-fix-return-type-of-dm_clone_nr_of_hydrated_regions.patch +xarray-fix-xas_pause-for-large-multi-index-entries.patch +xarray-fix-early-termination-of-xas_for_each_marked.patch +crypto-caam-qi2-fix-chacha20-data-size-error.patch +crypto-caam-update-xts-sector-size-for-large-input-length.patch +crypto-ccree-protect-against-empty-or-null-scatterlists.patch +crypto-ccree-only-try-to-map-auth-tag-if-needed.patch +crypto-ccree-dec-auth-tag-size-from-cryptlen-map.patch +scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch +scsi-ufs-fix-auto-hibern8-error-detection.patch +scsi-lpfc-fix-lpfc_io_buf-resource-leak-in-lpfc_get_scsi_buf_s4-error-path.patch +scsi-lpfc-fix-broken-credit-recovery-after-driver-load.patch +arm-dts-exynos-fix-polarity-of-the-lcd-spi-bus-on-universalc210-board.patch +arm64-dts-ti-k3-am65-add-clocks-to-dwc3-nodes.patch +arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch +selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch +selftests-vm-fix-map_hugetlb-length-used-for-testing-read-and-write.patch +selftests-powerpc-add-tlbie_test-in-.gitignore.patch +selftests-powerpc-fix-try-run-when-source-tree-is-not-writable.patch +vfio-platform-switch-to-platform_get_irq_optional.patch +drm-i915-gem-flush-all-the-reloc_gpu-batch.patch +drm-bridge-analogix-anx78xx-fix-drm_dp_link-helper-removal.patch +drm-etnaviv-rework-perfmon-query-infrastructure.patch +drm-remove-pagereserved-manipulation-from-drm_pci_alloc.patch +drm-amdgpu-powerplay-using-the-fclk-dpm-table-to-set-the-mclk.patch +drm-amd-powerplay-implement-the-is_dpm_running.patch +drm-amdgpu-unify-fw_write_wait-for-new-gfx9-asics.patch +drm-amd-display-check-for-null-fclk-voltage-when-parsing-clock-table.patch +drm-prime-fix-extracting-of-the-dma-addresses-from-a-scatterlist.patch +drm-i915-icl-don-t-enable-ddi-io-power-on-a-typec-port-in-tbt-mode.patch +powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch +drm-vboxvideo-add-missing-remove_conflicting_pci_framebuffers-call-v2.patch +nfsd-fsnotify-on-rmdir-under-nfsd-clients.patch +nfs-fix-use-after-free-issues-in-nfs_pageio_add_request.patch +nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch +nfs-finish_automount-requires-us-to-hold-2-refs-to-the-mount-record.patch +nfs-fix-a-few-constant_table-array-definitions.patch +ext4-fix-a-data-race-at-inode-i_blocks.patch +drm-i915-gt-treat-idling-as-a-rps-downclock-event.patch +asoc-cs4270-pull-reset-gpio-low-then-high.patch +fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch +ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch +perf-tools-support-python-3.8-in-makefile.patch +s390-diag-fix-display-of-diagnose-call-statistics.patch +input-i8042-add-acer-aspire-5738z-to-nomux-list.patch +ftrace-kprobe-show-the-maxactive-number-on-kprobe_events.patch +clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch +clk-ingenic-tcu-fix-round_rate-returning-error.patch +kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch +cpufreq-powernv-fix-use-after-free.patch +hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch +libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch +ipmi-fix-hung-processes-in-__get_guid.patch +xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch diff --git a/queue-5.6/vfio-platform-switch-to-platform_get_irq_optional.patch b/queue-5.6/vfio-platform-switch-to-platform_get_irq_optional.patch new file mode 100644 index 00000000000..8369fc3788d --- /dev/null +++ b/queue-5.6/vfio-platform-switch-to-platform_get_irq_optional.patch @@ -0,0 +1,40 @@ +From 723fe298ad85ad1278bd2312469ad14738953cc6 Mon Sep 17 00:00:00 2001 +From: Eric Auger +Date: Tue, 24 Mar 2020 09:26:30 -0600 +Subject: vfio: platform: Switch to platform_get_irq_optional() + +From: Eric Auger + +commit 723fe298ad85ad1278bd2312469ad14738953cc6 upstream. + +Since commit 7723f4c5ecdb ("driver core: platform: Add an error +message to platform_get_irq*()"), platform_get_irq() calls dev_err() +on an error. As we enumerate all interrupts until platform_get_irq() +fails, we now systematically get a message such as: +"vfio-platform fff51000.ethernet: IRQ index 3 not found" which is +a false positive. + +Let's use platform_get_irq_optional() instead. + +Signed-off-by: Eric Auger +Cc: stable@vger.kernel.org # v5.3+ +Reviewed-by: Andre Przywara +Tested-by: Andre Przywara +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/platform/vfio_platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/platform/vfio_platform.c ++++ b/drivers/vfio/platform/vfio_platform.c +@@ -44,7 +44,7 @@ static int get_platform_irq(struct vfio_ + { + struct platform_device *pdev = (struct platform_device *) vdev->opaque; + +- return platform_get_irq(pdev, i); ++ return platform_get_irq_optional(pdev, i); + } + + static int vfio_platform_probe(struct platform_device *pdev) diff --git a/queue-5.6/xarray-fix-early-termination-of-xas_for_each_marked.patch b/queue-5.6/xarray-fix-early-termination-of-xas_for_each_marked.patch new file mode 100644 index 00000000000..db4e4c8a5b3 --- /dev/null +++ b/queue-5.6/xarray-fix-early-termination-of-xas_for_each_marked.patch @@ -0,0 +1,204 @@ +From 7e934cf5ace1dceeb804f7493fa28bb697ed3c52 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Thu, 12 Mar 2020 17:29:11 -0400 +Subject: xarray: Fix early termination of xas_for_each_marked + +From: Matthew Wilcox (Oracle) + +commit 7e934cf5ace1dceeb804f7493fa28bb697ed3c52 upstream. + +xas_for_each_marked() is using entry == NULL as a termination condition +of the iteration. When xas_for_each_marked() is used protected only by +RCU, this can however race with xas_store(xas, NULL) in the following +way: + +TASK1 TASK2 +page_cache_delete() find_get_pages_range_tag() + xas_for_each_marked() + xas_find_marked() + off = xas_find_chunk() + + xas_store(&xas, NULL) + xas_init_marks(&xas); + ... + rcu_assign_pointer(*slot, NULL); + entry = xa_entry(off); + +And thus xas_for_each_marked() terminates prematurely possibly leading +to missed entries in the iteration (translating to missing writeback of +some pages or a similar problem). + +If we find a NULL entry that has been marked, skip it (unless we're trying +to allocate an entry). + +Reported-by: Jan Kara +CC: stable@vger.kernel.org +Fixes: ef8e5717db01 ("page cache: Convert delete_batch to XArray") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/xarray.h | 6 + + lib/xarray.c | 2 + tools/testing/radix-tree/Makefile | 4 - + tools/testing/radix-tree/iteration_check_2.c | 87 +++++++++++++++++++++++++++ + tools/testing/radix-tree/main.c | 1 + tools/testing/radix-tree/test.h | 1 + 6 files changed, 98 insertions(+), 3 deletions(-) + +--- a/include/linux/xarray.h ++++ b/include/linux/xarray.h +@@ -1648,6 +1648,7 @@ static inline void *xas_next_marked(stru + xa_mark_t mark) + { + struct xa_node *node = xas->xa_node; ++ void *entry; + unsigned int offset; + + if (unlikely(xas_not_node(node) || node->shift)) +@@ -1659,7 +1660,10 @@ static inline void *xas_next_marked(stru + return NULL; + if (offset == XA_CHUNK_SIZE) + return xas_find_marked(xas, max, mark); +- return xa_entry(xas->xa, node, offset); ++ entry = xa_entry(xas->xa, node, offset); ++ if (!entry) ++ return xas_find_marked(xas, max, mark); ++ return entry; + } + + /* +--- a/lib/xarray.c ++++ b/lib/xarray.c +@@ -1208,6 +1208,8 @@ void *xas_find_marked(struct xa_state *x + } + + entry = xa_entry(xas->xa, xas->xa_node, xas->xa_offset); ++ if (!entry && !(xa_track_free(xas->xa) && mark == XA_FREE_MARK)) ++ continue; + if (!xa_is_node(entry)) + return entry; + xas->xa_node = xa_to_node(entry); +--- a/tools/testing/radix-tree/Makefile ++++ b/tools/testing/radix-tree/Makefile +@@ -7,8 +7,8 @@ LDLIBS+= -lpthread -lurcu + TARGETS = main idr-test multiorder xarray + CORE_OFILES := xarray.o radix-tree.o idr.o linux.o test.o find_bit.o bitmap.o + OFILES = main.o $(CORE_OFILES) regression1.o regression2.o regression3.o \ +- regression4.o \ +- tag_check.o multiorder.o idr-test.o iteration_check.o benchmark.o ++ regression4.o tag_check.o multiorder.o idr-test.o iteration_check.o \ ++ iteration_check_2.o benchmark.o + + ifndef SHIFT + SHIFT=3 +--- /dev/null ++++ b/tools/testing/radix-tree/iteration_check_2.c +@@ -0,0 +1,87 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++/* ++ * iteration_check_2.c: Check that deleting a tagged entry doesn't cause ++ * an RCU walker to finish early. ++ * Copyright (c) 2020 Oracle ++ * Author: Matthew Wilcox ++ */ ++#include ++#include "test.h" ++ ++static volatile bool test_complete; ++ ++static void *iterator(void *arg) ++{ ++ XA_STATE(xas, arg, 0); ++ void *entry; ++ ++ rcu_register_thread(); ++ ++ while (!test_complete) { ++ xas_set(&xas, 0); ++ rcu_read_lock(); ++ xas_for_each_marked(&xas, entry, ULONG_MAX, XA_MARK_0) ++ ; ++ rcu_read_unlock(); ++ assert(xas.xa_index >= 100); ++ } ++ ++ rcu_unregister_thread(); ++ return NULL; ++} ++ ++static void *throbber(void *arg) ++{ ++ struct xarray *xa = arg; ++ ++ rcu_register_thread(); ++ ++ while (!test_complete) { ++ int i; ++ ++ for (i = 0; i < 100; i++) { ++ xa_store(xa, i, xa_mk_value(i), GFP_KERNEL); ++ xa_set_mark(xa, i, XA_MARK_0); ++ } ++ for (i = 0; i < 100; i++) ++ xa_erase(xa, i); ++ } ++ ++ rcu_unregister_thread(); ++ return NULL; ++} ++ ++void iteration_test2(unsigned test_duration) ++{ ++ pthread_t threads[2]; ++ DEFINE_XARRAY(array); ++ int i; ++ ++ printv(1, "Running iteration test 2 for %d seconds\n", test_duration); ++ ++ test_complete = false; ++ ++ xa_store(&array, 100, xa_mk_value(100), GFP_KERNEL); ++ xa_set_mark(&array, 100, XA_MARK_0); ++ ++ if (pthread_create(&threads[0], NULL, iterator, &array)) { ++ perror("create iterator thread"); ++ exit(1); ++ } ++ if (pthread_create(&threads[1], NULL, throbber, &array)) { ++ perror("create throbber thread"); ++ exit(1); ++ } ++ ++ sleep(test_duration); ++ test_complete = true; ++ ++ for (i = 0; i < 2; i++) { ++ if (pthread_join(threads[i], NULL)) { ++ perror("pthread_join"); ++ exit(1); ++ } ++ } ++ ++ xa_destroy(&array); ++} +--- a/tools/testing/radix-tree/main.c ++++ b/tools/testing/radix-tree/main.c +@@ -311,6 +311,7 @@ int main(int argc, char **argv) + regression4_test(); + iteration_test(0, 10 + 90 * long_run); + iteration_test(7, 10 + 90 * long_run); ++ iteration_test2(10 + 90 * long_run); + single_thread_tests(long_run); + + /* Free any remaining preallocated nodes */ +--- a/tools/testing/radix-tree/test.h ++++ b/tools/testing/radix-tree/test.h +@@ -34,6 +34,7 @@ void xarray_tests(void); + void tag_check(void); + void multiorder_checks(void); + void iteration_test(unsigned order, unsigned duration); ++void iteration_test2(unsigned duration); + void benchmark(void); + void idr_checks(void); + void ida_tests(void); diff --git a/queue-5.6/xarray-fix-xas_pause-for-large-multi-index-entries.patch b/queue-5.6/xarray-fix-xas_pause-for-large-multi-index-entries.patch new file mode 100644 index 00000000000..ab7cb8e1c17 --- /dev/null +++ b/queue-5.6/xarray-fix-xas_pause-for-large-multi-index-entries.patch @@ -0,0 +1,88 @@ +From c36d451ad386b34f452fc3c8621ff14b9eaa31a6 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Fri, 31 Jan 2020 06:17:09 -0500 +Subject: XArray: Fix xas_pause for large multi-index entries + +From: Matthew Wilcox (Oracle) + +commit c36d451ad386b34f452fc3c8621ff14b9eaa31a6 upstream. + +Inspired by the recent Coverity report, I looked for other places where +the offset wasn't being converted to an unsigned long before being +shifted, and I found one in xas_pause() when the entry being paused is +of order >32. + +Fixes: b803b42823d0 ("xarray: Add XArray iterators") +Signed-off-by: Matthew Wilcox (Oracle) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_xarray.c | 37 +++++++++++++++++++++++++++++++++++++ + lib/xarray.c | 2 +- + 2 files changed, 38 insertions(+), 1 deletion(-) + +--- a/lib/test_xarray.c ++++ b/lib/test_xarray.c +@@ -1156,6 +1156,42 @@ static noinline void check_find_entry(st + XA_BUG_ON(xa, !xa_empty(xa)); + } + ++static noinline void check_pause(struct xarray *xa) ++{ ++ XA_STATE(xas, xa, 0); ++ void *entry; ++ unsigned int order; ++ unsigned long index = 1; ++ unsigned int count = 0; ++ ++ for (order = 0; order < order_limit; order++) { ++ XA_BUG_ON(xa, xa_store_order(xa, index, order, ++ xa_mk_index(index), GFP_KERNEL)); ++ index += 1UL << order; ++ } ++ ++ rcu_read_lock(); ++ xas_for_each(&xas, entry, ULONG_MAX) { ++ XA_BUG_ON(xa, entry != xa_mk_index(1UL << count)); ++ count++; ++ } ++ rcu_read_unlock(); ++ XA_BUG_ON(xa, count != order_limit); ++ ++ count = 0; ++ xas_set(&xas, 0); ++ rcu_read_lock(); ++ xas_for_each(&xas, entry, ULONG_MAX) { ++ XA_BUG_ON(xa, entry != xa_mk_index(1UL << count)); ++ count++; ++ xas_pause(&xas); ++ } ++ rcu_read_unlock(); ++ XA_BUG_ON(xa, count != order_limit); ++ ++ xa_destroy(xa); ++} ++ + static noinline void check_move_tiny(struct xarray *xa) + { + XA_STATE(xas, xa, 0); +@@ -1664,6 +1700,7 @@ static int xarray_checks(void) + check_xa_alloc(); + check_find(&array); + check_find_entry(&array); ++ check_pause(&array); + check_account(&array); + check_destroy(&array); + check_move(&array); +--- a/lib/xarray.c ++++ b/lib/xarray.c +@@ -970,7 +970,7 @@ void xas_pause(struct xa_state *xas) + + xas->xa_node = XAS_RESTART; + if (node) { +- unsigned int offset = xas->xa_offset; ++ unsigned long offset = xas->xa_offset; + while (++offset < XA_CHUNK_SIZE) { + if (!xa_is_sibling(xa_entry(xas->xa, node, offset))) + break; diff --git a/queue-5.6/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch b/queue-5.6/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch new file mode 100644 index 00000000000..c1361259c4d --- /dev/null +++ b/queue-5.6/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch @@ -0,0 +1,103 @@ +From 3a169c0be75b59dd85d159493634870cdec6d3c4 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 3 Apr 2020 11:00:34 +0200 +Subject: xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +commit 3a169c0be75b59dd85d159493634870cdec6d3c4 upstream. + +Commit 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for +large array allocation") didn't fix the issue it was meant to, as the +flags for allocating the memory are GFP_NOIO, which will lead the +memory allocation falling back to kmalloc(). + +So instead of GFP_NOIO use GFP_KERNEL and do all the memory allocation +in blkfront_setup_indirect() in a memalloc_noio_{save,restore} section. + +Fixes: 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for large array allocation") +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Acked-by: Roger Pau Monné +Link: https://lore.kernel.org/r/20200403090034.8753-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkfront.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -47,6 +47,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2189,10 +2190,12 @@ static void blkfront_setup_discard(struc + + static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo) + { +- unsigned int psegs, grants; ++ unsigned int psegs, grants, memflags; + int err, i; + struct blkfront_info *info = rinfo->dev_info; + ++ memflags = memalloc_noio_save(); ++ + if (info->max_indirect_segments == 0) { + if (!HAS_EXTRA_REQ) + grants = BLKIF_MAX_SEGMENTS_PER_REQUEST; +@@ -2224,7 +2227,7 @@ static int blkfront_setup_indirect(struc + + BUG_ON(!list_empty(&rinfo->indirect_pages)); + for (i = 0; i < num; i++) { +- struct page *indirect_page = alloc_page(GFP_NOIO); ++ struct page *indirect_page = alloc_page(GFP_KERNEL); + if (!indirect_page) + goto out_of_memory; + list_add(&indirect_page->lru, &rinfo->indirect_pages); +@@ -2235,15 +2238,15 @@ static int blkfront_setup_indirect(struc + rinfo->shadow[i].grants_used = + kvcalloc(grants, + sizeof(rinfo->shadow[i].grants_used[0]), +- GFP_NOIO); ++ GFP_KERNEL); + rinfo->shadow[i].sg = kvcalloc(psegs, + sizeof(rinfo->shadow[i].sg[0]), +- GFP_NOIO); ++ GFP_KERNEL); + if (info->max_indirect_segments) + rinfo->shadow[i].indirect_grants = + kvcalloc(INDIRECT_GREFS(grants), + sizeof(rinfo->shadow[i].indirect_grants[0]), +- GFP_NOIO); ++ GFP_KERNEL); + if ((rinfo->shadow[i].grants_used == NULL) || + (rinfo->shadow[i].sg == NULL) || + (info->max_indirect_segments && +@@ -2252,6 +2255,7 @@ static int blkfront_setup_indirect(struc + sg_init_table(rinfo->shadow[i].sg, psegs); + } + ++ memalloc_noio_restore(memflags); + + return 0; + +@@ -2271,6 +2275,9 @@ out_of_memory: + __free_page(indirect_page); + } + } ++ ++ memalloc_noio_restore(memflags); ++ + return -ENOMEM; + } + -- 2.47.3