From ecc06aa6b7e84e94274fcd44b36f6ef113f8a45c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 13 Apr 2020 19:47:01 -0400 Subject: [PATCH] Fixes for 4.4 
Signed-off-by: Sasha Levin --- ...move-a-bug_on-from-merge_reloc_roots.patch | 77 +++++++++ ...c-roots-based-on-their-commit-root-b.patch | 121 ++++++++++++++ ...turn-correct-data-when-mixing-16-bit.patch | 65 +++++++ ...e-a-glock-until-its-revokes-are-writ.patch | 46 +++++ ...missing-struct-parameter-description.patch | 35 ++++ ...le-fpga-handle-chained-irqs-properly.patch | 69 ++++++++ ...tra-scsi_host_put-in-ata_scsi_add_ho.patch | 158 ++++++++++++++++++ ...avoid-recursion-in-lockdep_count_-fo.patch | 80 +++++++++ ...net-vxge-fix-wrong-__va_args__-usage.patch | 98 +++++++++++ .../qlcnic-fix-bad-kzalloc-null-test.patch | 35 ++++ ...race_syscall_32-fix-no-vdso-segfault.patch | 42 +++++ queue-4.4/series | 12 ++ ...se-unsigned-comparison-for-addresses.patch | 71 ++++++++ 13 files changed, 909 insertions(+) create mode 100644 queue-4.4/btrfs-remove-a-bug_on-from-merge_reloc_roots.patch create mode 100644 queue-4.4/btrfs-track-reloc-roots-based-on-their-commit-root-b.patch create mode 100644 queue-4.4/bus-sunxi-rsb-return-correct-data-when-mixing-16-bit.patch create mode 100644 queue-4.4/gfs2-don-t-demote-a-glock-until-its-revokes-are-writ.patch create mode 100644 queue-4.4/i2c-st-fix-missing-struct-parameter-description.patch create mode 100644 queue-4.4/irqchip-versatile-fpga-handle-chained-irqs-properly.patch create mode 100644 queue-4.4/libata-remove-extra-scsi_host_put-in-ata_scsi_add_ho.patch create mode 100644 queue-4.4/locking-lockdep-avoid-recursion-in-lockdep_count_-fo.patch create mode 100644 queue-4.4/net-vxge-fix-wrong-__va_args__-usage.patch create mode 100644 queue-4.4/qlcnic-fix-bad-kzalloc-null-test.patch create mode 100644 queue-4.4/selftests-x86-ptrace_syscall_32-fix-no-vdso-segfault.patch create mode 100644 queue-4.4/series create mode 100644 queue-4.4/x86-boot-use-unsigned-comparison-for-addresses.patch 
diff --git a/queue-4.4/btrfs-remove-a-bug_on-from-merge_reloc_roots.patch b/queue-4.4/btrfs-remove-a-bug_on-from-merge_reloc_roots.patch
new file mode 100644
index 00000000000..6f88b0a4033
--- /dev/null
+++ b/queue-4.4/btrfs-remove-a-bug_on-from-merge_reloc_roots.patch
@@ -0,0 +1,77 @@
+From 78f40cc9d71396d3111fe2d789865ce29edcef1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Mar 2020 11:18:30 -0500
+Subject: btrfs: remove a BUG_ON() from merge_reloc_roots()
+
+From: Josef Bacik
+
+[ Upstream commit 7b7b74315b24dc064bc1c683659061c3d48f8668 ]
+
+This was pretty subtle, we default to reloc roots having 0 root refs, so
+if we crash in the middle of the relocation they can just be deleted.
+If we successfully complete the relocation operations we'll set our root
+refs to 1 in prepare_to_merge() and then go on to merge_reloc_roots().
+
+At prepare_to_merge() time if any of the reloc roots have a 0 reference
+still, we will remove that reloc root from our reloc root rb tree, and
+then clean it up later.
+
+However this only happens if we successfully start a transaction. If
+we've aborted previously we will skip this step completely, and only
+have reloc roots with a reference count of 0, but were never properly
+removed from the reloc control's rb tree.
+
+This isn't a problem per-se, our references are held by the list the
+reloc roots are on, and by the original root the reloc root belongs to.
+If we end up in this situation all the reloc roots will be added to the
+dirty_reloc_list, and then properly dropped at that point. The reloc
+control will be free'd and the rb tree is no longer used.
+
+There were two options when fixing this, one was to remove the BUG_ON(),
+the other was to make prepare_to_merge() handle the case where we
+couldn't start a trans handle.
+
+IMO this is the cleaner solution. I started with handling the error in
+prepare_to_merge(), but it turned out super ugly. And in the end this
+BUG_ON() simply doesn't matter, the cleanup was happening properly, we
+were just panicing because this BUG_ON() only matters in the success
+case. So I've opted to just remove it and add a comment where it was.
+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/relocation.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index f38bac9456fd3..246754b31619e 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2440,7 +2440,21 @@ out:
+ free_reloc_roots(&reloc_roots);
+ }
+
+- BUG_ON(!RB_EMPTY_ROOT(&rc->reloc_root_tree.rb_root));
++ /*
++ * We used to have
++ *
++ * BUG_ON(!RB_EMPTY_ROOT(&rc->reloc_root_tree.rb_root));
++ *
++ * here, but it's wrong. If we fail to start the transaction in
++ * prepare_to_merge() we will have only 0 ref reloc roots, none of which
++ * have actually been removed from the reloc_root_tree rb tree. This is
++ * fine because we're bailing here, and we hold a reference on the root
++ * for the list that holds it, so these roots will be cleaned up when we
++ * do the reloc_dirty_list afterwards. Meanwhile the root->reloc_root
++ * will be cleaned up on unmount.
++ *
++ * The remaining nodes will be cleaned up by free_reloc_control.
++ */
+ }
+
+ static void free_block_list(struct rb_root *blocks)
+--
+2.20.1
+
diff --git a/queue-4.4/btrfs-track-reloc-roots-based-on-their-commit-root-b.patch b/queue-4.4/btrfs-track-reloc-roots-based-on-their-commit-root-b.patch
new file mode 100644
index 00000000000..cba3934791d
--- /dev/null
+++ b/queue-4.4/btrfs-track-reloc-roots-based-on-their-commit-root-b.patch
@@ -0,0 +1,121 @@
+From f135b4a8dc1289a94820678a5811415231905dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 17:17:08 -0400
+Subject: btrfs: track reloc roots based on their commit root bytenr
+
+From: Josef Bacik
+
+[ Upstream commit ea287ab157c2816bf12aad4cece41372f9d146b4 ]
+
+We always search the commit root of the extent tree for looking up back
+references, however we track the reloc roots based on their current
+bytenr.
+
+This is wrong, if we commit the transaction between relocating tree
+blocks we could end up in this code in build_backref_tree
+
+ if (key.objectid == key.offset) {
+ /*
+ * Only root blocks of reloc trees use backref
+ * pointing to itself.
+ */
+ root = find_reloc_root(rc, cur->bytenr);
+ ASSERT(root);
+ cur->root = root;
+ break;
+ }
+
+find_reloc_root() is looking based on the bytenr we had in the commit
+root, but if we've COWed this reloc root we will not find that bytenr,
+and we will trip over the ASSERT(root).
+
+Fix this by using the commit_root->start bytenr for indexing the commit
+root. Then we change the __update_reloc_root() caller to be used when
+we switch the commit root for the reloc root during commit.
+
+This fixes the panic I was seeing when we started throttling relocation
+for delayed refs.
+
+Signed-off-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/relocation.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 246754b31619e..df04309390bba 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1289,7 +1289,7 @@ static int __must_check __add_reloc_root(struct btrfs_root *root)
+ if (!node)
+ return -ENOMEM;
+
+- node->bytenr = root->node->start;
++ node->bytenr = root->commit_root->start;
+ node->data = root;
+
+ spin_lock(&rc->reloc_root_tree.lock);
+@@ -1321,10 +1321,11 @@ static void __del_reloc_root(struct btrfs_root *root)
+ if (rc && root->node) {
+ spin_lock(&rc->reloc_root_tree.lock);
+ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+- root->node->start);
++ root->commit_root->start);
+ if (rb_node) {
+ node = rb_entry(rb_node, struct mapping_node, rb_node);
+ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ RB_CLEAR_NODE(&node->rb_node);
+ }
+ spin_unlock(&rc->reloc_root_tree.lock);
+ if (!node)
+@@ -1342,7 +1343,7 @@ static void __del_reloc_root(struct btrfs_root *root)
+ * helper to update the 'address of tree root -> reloc tree'
+ * mapping
+ */
+-static int __update_reloc_root(struct btrfs_root *root, u64 new_bytenr)
++static int __update_reloc_root(struct btrfs_root *root)
+ {
+ struct rb_node *rb_node;
+ struct mapping_node *node = NULL;
+@@ -1350,7 +1351,7 @@ static int __update_reloc_root(struct btrfs_root *root, u64 new_bytenr)
+
+ spin_lock(&rc->reloc_root_tree.lock);
+ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+- root->node->start);
++ root->commit_root->start);
+ if (rb_node) {
+ node = rb_entry(rb_node, struct mapping_node, rb_node);
+ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
+@@ -1362,7 +1363,7 @@ static int __update_reloc_root(struct btrfs_root *root, u64 new_bytenr)
+ BUG_ON((struct btrfs_root *)node->data != root);
+
+ spin_lock(&rc->reloc_root_tree.lock);
+- node->bytenr = new_bytenr;
++ node->bytenr = root->node->start;
+ rb_node = tree_insert(&rc->reloc_root_tree.rb_root,
+ node->bytenr, &node->rb_node);
+ spin_unlock(&rc->reloc_root_tree.lock);
+@@ -1503,6 +1504,7 @@ int btrfs_update_reloc_root(struct btrfs_trans_handle *trans,
+ }
+
+ if (reloc_root->commit_root != reloc_root->node) {
++ __update_reloc_root(reloc_root);
+ btrfs_set_root_node(root_item, reloc_root->node);
+ free_extent_buffer(reloc_root->commit_root);
+ reloc_root->commit_root = btrfs_root_node(reloc_root);
+@@ -4578,11 +4580,6 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans,
+ BUG_ON(rc->stage == UPDATE_DATA_PTRS &&
+ root->root_key.objectid == BTRFS_DATA_RELOC_TREE_OBJECTID);
+
+- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
+- if (buf == root->node)
+- __update_reloc_root(root, cow->start);
+- }
+-
+ level = btrfs_header_level(buf);
+ if (btrfs_header_generation(buf) <=
+ btrfs_root_last_snapshot(&root->root_item))
+--
+2.20.1
+
diff --git a/queue-4.4/bus-sunxi-rsb-return-correct-data-when-mixing-16-bit.patch b/queue-4.4/bus-sunxi-rsb-return-correct-data-when-mixing-16-bit.patch
new file mode 100644
index 00000000000..bdc4b17fc5a
--- /dev/null
+++ b/queue-4.4/bus-sunxi-rsb-return-correct-data-when-mixing-16-bit.patch
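Review bot: In `__del_reloc_root` the guard still reads `if (rc && root->node)` while the lookup key on the new side is `root->commit_root->start`, so the NULL check no longer covers the pointer that is dereferenced. If `commit_root` can be unset while `node` is set (nothing in these hunks shows either way), that is a NULL dereference taken under `reloc_root_tree.lock`; extending the guard to `if (rc && root->node && root->commit_root)` or adding a comment that states why the two are always set together would close the gap. Separately, the new call `__update_reloc_root(reloc_root);` in `btrfs_update_reloc_root` discards the function's `int` return value. Both functions start and end outside the hunks shown.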
@@ -0,0 +1,65 @@
+From f25fd35c1ec8463ac312453861930ac03b1afa26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Feb 2020 21:27:26 +0100
+Subject: bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit
+ reads
+
+From: Ondrej Jirman
+
+[ Upstream commit a43ab30dcd4a1abcdd0d2461bf1cf7c0817f6cd3 ]
+
+When doing a 16-bit read that returns data in the MSB byte, the
+RSB_DATA register will keep the MSB byte unchanged when doing
+the following 8-bit read. sunxi_rsb_read() will then return
+a result that contains high byte from 16-bit read mixed with
+the 8-bit result.
+
+The consequence is that after this happens the PMIC's regmap will
+look like this: (0x33 is the high byte from the 16-bit read)
+
+% cat /sys/kernel/debug/regmap/sunxi-rsb-3a3/registers
+00: 33
+01: 33
+02: 33
+03: 33
+04: 33
+05: 33
+06: 33
+07: 33
+08: 33
+09: 33
+0a: 33
+0b: 33
+0c: 33
+0d: 33
+0e: 33
+[snip]
+
+Fix this by masking the result of the read with the correct mask
+based on the size of the read. There are no 16-bit users in the
+mainline kernel, so this doesn't need to get into the stable tree.
+
+Signed-off-by: Ondrej Jirman
+Acked-by: Chen-Yu Tsai
+Signed-off-by: Maxime Ripard
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/sunxi-rsb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 0ffb247b42d65..d45f48de42a0c 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -345,7 +345,7 @@ static int sunxi_rsb_read(struct sunxi_rsb *rsb, u8 rtaddr, u8 addr,
+ if (ret)
+ goto unlock;
+
+- *buf = readl(rsb->regs + RSB_DATA);
++ *buf = readl(rsb->regs + RSB_DATA) & GENMASK(len * 8 - 1, 0);
+
+ unlock:
+ mutex_unlock(&rsb->lock);
+--
+2.20.1
+
diff --git a/queue-4.4/gfs2-don-t-demote-a-glock-until-its-revokes-are-writ.patch b/queue-4.4/gfs2-don-t-demote-a-glock-until-its-revokes-are-writ.patch
new file mode 100644
index 00000000000..8621f9a7238
--- /dev/null
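Review bot: `GENMASK(len * 8 - 1, 0)` is only well defined when `len` is between 1 and 4 bytes; a `len` of 0 would make the high bit index negative, and the result is then not a usable mask. Whether `len` is range-checked before this line cannot be seen here, because sunxi_rsb_read() starts above the hunk. A short comment on the masked read, for example `/* len was validated to 1, 2 or 4 above */`, would record the dependency, after confirming that the check exists in this tree.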
+++ b/queue-4.4/gfs2-don-t-demote-a-glock-until-its-revokes-are-writ.patch
@@ -0,0 +1,46 @@
+From 225aab281d3d9d21fc635ab6bd969f4f90b48ffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 14:08:45 -0600
+Subject: gfs2: Don't demote a glock until its revokes are written
+
+From: Bob Peterson
+
+[ Upstream commit df5db5f9ee112e76b5202fbc331f990a0fc316d6 ]
+
+Before this patch, run_queue would demote glocks based on whether
+there are any more holders. But if the glock has pending revokes that
+haven't been written to the media, giving up the glock might end in
+file system corruption if the revokes never get written due to
+io errors, node crashes and fences, etc. In that case, another node
+will replay the metadata blocks associated with the glock, but
+because the revoke was never written, it could replay that block
+even though the glock had since been granted to another node who
+might have made changes.
+
+This patch changes the logic in run_queue so that it never demotes
+a glock until its count of pending revokes reaches zero.
+
+Signed-off-by: Bob Peterson
+Reviewed-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/glock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 1eb737c466ddc..f80ffccb03160 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -541,6 +541,9 @@ __acquires(&gl->gl_lockref.lock)
+ goto out_unlock;
+ if (nonblock)
+ goto out_sched;
++ smp_mb();
++ if (atomic_read(&gl->gl_revokes) != 0)
++ goto out_sched;
+ set_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags);
+ GLOCK_BUG_ON(gl, gl->gl_demote_state == LM_ST_EXCLUSIVE);
+ gl->gl_target = gl->gl_demote_state;
+--
+2.20.1
+
diff --git a/queue-4.4/i2c-st-fix-missing-struct-parameter-description.patch b/queue-4.4/i2c-st-fix-missing-struct-parameter-description.patch
new file mode 100644
index 00000000000..2960c11d2f5
--- /dev/null
+++ b/queue-4.4/i2c-st-fix-missing-struct-parameter-description.patch
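Review bot: The added `smp_mb();` carries no comment saying which accesses it orders, and kernel coding style asks for one on every memory barrier. Without it a reader cannot tell which update of `gl_revokes` the following `atomic_read(&gl->gl_revokes)` is meant to observe, or where the pairing barrier on the writer side lives. I would add a comment directly above it, along the lines of `/* order the gl_revokes read after the preceding glock state checks; pairs with <writer-side barrier, to be named> */`, filled in by someone who knows the revoke accounting path. The enclosing function begins and ends outside the hunk.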
@@ -0,0 +1,35 @@
+From 6ccdd438c07fed558b222f4dfc51079044666a87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 26 Mar 2020 22:22:43 +0100
+Subject: i2c: st: fix missing struct parameter description
+
+From: Alain Volmat
+
+[ Upstream commit f491c6687332920e296d0209e366fe2ca7eab1c6 ]
+
+Fix a missing struct parameter description to allow
+warning free W=1 compilation.
+
+Signed-off-by: Alain Volmat
+Reviewed-by: Patrice Chotard
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-st.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/busses/i2c-st.c b/drivers/i2c/busses/i2c-st.c
+index 25020ec777c97..ee0a7d3dd0c65 100644
+--- a/drivers/i2c/busses/i2c-st.c
++++ b/drivers/i2c/busses/i2c-st.c
+@@ -399,6 +399,7 @@ static void st_i2c_wr_fill_tx_fifo(struct st_i2c_dev *i2c_dev)
+ /**
+ * st_i2c_rd_fill_tx_fifo() - Fill the Tx FIFO in read mode
+ * @i2c_dev: Controller's private data
++ * @max: Maximum amount of data to fill into the Tx FIFO
+ *
+ * This functions fills the Tx FIFO with fixed pattern when
+ * in read mode to trigger clock.
+--
+2.20.1
+
diff --git a/queue-4.4/irqchip-versatile-fpga-handle-chained-irqs-properly.patch b/queue-4.4/irqchip-versatile-fpga-handle-chained-irqs-properly.patch
new file mode 100644
index 00000000000..eccbd5ae3c6
--- /dev/null
+++ b/queue-4.4/irqchip-versatile-fpga-handle-chained-irqs-properly.patch
@@ -0,0 +1,69 @@
+From 8fdb67de9fdb46e1c96f698d38bd1475f13f03a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2020 11:34:48 +0900
+Subject: irqchip/versatile-fpga: Handle chained IRQs properly
+
+From: Sungbo Eo
+
+[ Upstream commit 486562da598c59e9f835b551d7cf19507de2d681 ]
+
+Enclose the chained handler with chained_irq_{enter,exit}(), so that the
+muxed interrupts get properly acked.
+
+This patch also fixes a reboot bug on OX820 SoC, where the jiffies timer
+interrupt is never acked. The kernel waits a clock tick forever in
+calibrate_delay_converge(), which leads to a boot hang.
+
+Fixes: c41b16f8c9d9 ("ARM: integrator/versatile: consolidate FPGA IRQ handling code")
+Signed-off-by: Sungbo Eo
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20200319023448.1479701-1-mans0n@gorani.run
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-versatile-fpga.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-versatile-fpga.c b/drivers/irqchip/irq-versatile-fpga.c
+index cadf104e30746..c18f6bdd03b12 100644
+--- a/drivers/irqchip/irq-versatile-fpga.c
++++ b/drivers/irqchip/irq-versatile-fpga.c
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -67,12 +68,16 @@ static void fpga_irq_unmask(struct irq_data *d)
+
+ static void fpga_irq_handle(struct irq_desc *desc)
+ {
++ struct irq_chip *chip = irq_desc_get_chip(desc);
+ struct fpga_irq_data *f = irq_desc_get_handler_data(desc);
+- u32 status = readl(f->base + IRQ_STATUS);
++ u32 status;
++
++ chained_irq_enter(chip, desc);
+
++ status = readl(f->base + IRQ_STATUS);
+ if (status == 0) {
+ do_bad_IRQ(desc);
+- return;
++ goto out;
+ }
+
+ do {
+@@ -81,6 +86,9 @@ static void fpga_irq_handle(struct irq_desc *desc)
+ status &= ~(1 << irq);
+ generic_handle_irq(irq_find_mapping(f->domain, irq));
+ } while (status);
++
++out:
++ chained_irq_exit(chip, desc);
+ }
+
+ /*
+--
+2.20.1
+
diff --git a/queue-4.4/libata-remove-extra-scsi_host_put-in-ata_scsi_add_ho.patch b/queue-4.4/libata-remove-extra-scsi_host_put-in-ata_scsi_add_ho.patch
new file mode 100644
index 00000000000..a22c80dad0b
--- /dev/null
+++ b/queue-4.4/libata-remove-extra-scsi_host_put-in-ata_scsi_add_ho.patch
@@ -0,0 +1,158 @@
+From b39a29536e306627478c4afc07c01a3db5443513 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Feb 2020 19:33:35 +0800
+Subject: libata: Remove extra scsi_host_put() in ata_scsi_add_hosts()
+
+From: John Garry
+
+[ Upstream commit 1d72f7aec3595249dbb83291ccac041a2d676c57 ]
+
+If the call to scsi_add_host_with_dma() in ata_scsi_add_hosts() fails,
+then we may get use-after-free KASAN warns:
+
+==================================================================
+BUG: KASAN: use-after-free in kobject_put+0x24/0x180
+Read of size 1 at addr ffff0026b8c80364 by task swapper/0/1
+CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 5.6.0-rc3-00004-g5a71b206ea82-dirty #1765
+Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V3.B160.01 02/24/2020
+Call trace:
+dump_backtrace+0x0/0x298
+show_stack+0x14/0x20
+dump_stack+0x118/0x190
+print_address_description.isra.9+0x6c/0x3b8
+__kasan_report+0x134/0x23c
+kasan_report+0xc/0x18
+__asan_load1+0x5c/0x68
+kobject_put+0x24/0x180
+put_device+0x10/0x20
+scsi_host_put+0x10/0x18
+ata_devres_release+0x74/0xb0
+release_nodes+0x2d0/0x470
+devres_release_all+0x50/0x78
+really_probe+0x2d4/0x560
+driver_probe_device+0x7c/0x148
+device_driver_attach+0x94/0xa0
+__driver_attach+0xa8/0x110
+bus_for_each_dev+0xe8/0x158
+driver_attach+0x30/0x40
+bus_add_driver+0x220/0x2e0
+driver_register+0xbc/0x1d0
+__pci_register_driver+0xbc/0xd0
+ahci_pci_driver_init+0x20/0x28
+do_one_initcall+0xf0/0x608
+kernel_init_freeable+0x31c/0x384
+kernel_init+0x10/0x118
+ret_from_fork+0x10/0x18
+
+Allocated by task 5:
+save_stack+0x28/0xc8
+__kasan_kmalloc.isra.8+0xbc/0xd8
+kasan_kmalloc+0xc/0x18
+__kmalloc+0x1a8/0x280
+scsi_host_alloc+0x44/0x678
+ata_scsi_add_hosts+0x74/0x268
+ata_host_register+0x228/0x488
+ahci_host_activate+0x1c4/0x2a8
+ahci_init_one+0xd18/0x1298
+local_pci_probe+0x74/0xf0
+work_for_cpu_fn+0x2c/0x48
+process_one_work+0x488/0xc08
+worker_thread+0x330/0x5d0
+kthread+0x1c8/0x1d0
+ret_from_fork+0x10/0x18
+
+Freed by task 5:
+save_stack+0x28/0xc8
+__kasan_slab_free+0x118/0x180
+kasan_slab_free+0x10/0x18
+slab_free_freelist_hook+0xa4/0x1a0
+kfree+0xd4/0x3a0
+scsi_host_dev_release+0x100/0x148
+device_release+0x7c/0xe0
+kobject_put+0xb0/0x180
+put_device+0x10/0x20
+scsi_host_put+0x10/0x18
+ata_scsi_add_hosts+0x210/0x268
+ata_host_register+0x228/0x488
+ahci_host_activate+0x1c4/0x2a8
+ahci_init_one+0xd18/0x1298
+local_pci_probe+0x74/0xf0
+work_for_cpu_fn+0x2c/0x48
+process_one_work+0x488/0xc08
+worker_thread+0x330/0x5d0
+kthread+0x1c8/0x1d0
+ret_from_fork+0x10/0x18
+
+There is also refcount issue, as well:
+WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x170
+
+The issue is that we make an erroneous extra call to scsi_host_put()
+for that host:
+
+So in ahci_init_one()->ata_host_alloc_pinfo()->ata_host_alloc(), we setup
+a device release method - ata_devres_release() - which intends to release
+the SCSI hosts:
+
+static void ata_devres_release(struct device *gendev, void *res)
+{
+ ...
+ for (i = 0; i < host->n_ports; i++) {
+ struct ata_port *ap = host->ports[i];
+
+ if (!ap)
+ continue;
+
+ if (ap->scsi_host)
+ scsi_host_put(ap->scsi_host);
+
+ }
+ ...
+}
+
+However in the ata_scsi_add_hosts() error path, we also call
+scsi_host_put() for the SCSI hosts.
+
+Fix by removing the the scsi_host_put() calls in ata_scsi_add_hosts() and
+leave this to ata_devres_release().
+
+Fixes: f31871951b38 ("libata: separate out ata_host_alloc() and ata_host_register()")
+Signed-off-by: John Garry
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-scsi.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index a44aeda571091..59dc033408be7 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3720,22 +3720,19 @@ int ata_scsi_add_hosts(struct ata_host *host, struct scsi_host_template *sht)
+ */
+ shost->max_host_blocked = 1;
+
+- rc = scsi_add_host_with_dma(ap->scsi_host,
+- &ap->tdev, ap->host->dev);
++ rc = scsi_add_host_with_dma(shost, &ap->tdev, ap->host->dev);
+ if (rc)
+- goto err_add;
++ goto err_alloc;
+ }
+
+ return 0;
+
+- err_add:
+- scsi_host_put(host->ports[i]->scsi_host);
+ err_alloc:
+ while (--i >= 0) {
+ struct Scsi_Host *shost = host->ports[i]->scsi_host;
+
++ /* scsi_host_put() is in ata_devres_release() */
+ scsi_remove_host(shost);
+- scsi_host_put(shost);
+ }
+ return rc;
+ }
+--
+2.20.1
+
diff --git a/queue-4.4/locking-lockdep-avoid-recursion-in-lockdep_count_-fo.patch b/queue-4.4/locking-lockdep-avoid-recursion-in-lockdep_count_-fo.patch
new file mode 100644
index 00000000000..8bc9ebdb3c8
--- /dev/null
+++ b/queue-4.4/locking-lockdep-avoid-recursion-in-lockdep_count_-fo.patch
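Review bot: The ownership rule this fix depends on is recorded only as a one-line comment inside the unwind loop, although `err_alloc` now also serves the `scsi_add_host_with_dma()` failure. According to the commit message the reference on each `Scsi_Host` is dropped once, by `ata_devres_release()`, so no error path in `ata_scsi_add_hosts()` may call `scsi_host_put()`. I would state that at the label instead, e.g. `/* unwind registration only; host references are dropped in ata_devres_release() */`, so a later edit to the error path does not bring back the double put and the use-after-free shown in the KASAN report. The function starts outside the hunk.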
@@ -0,0 +1,80 @@
+From 836f950f935635ecca30dc5864976a18d513adb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2020 23:12:55 +0800
+Subject: locking/lockdep: Avoid recursion in
+ lockdep_count_{for,back}ward_deps()
+
+From: Boqun Feng
+
+[ Upstream commit 25016bd7f4caf5fc983bbab7403d08e64cba3004 ]
+
+Qian Cai reported a bug when PROVE_RCU_LIST=y, and read on /proc/lockdep
+triggered a warning:
+
+ [ ] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
+ ...
+ [ ] Call Trace:
+ [ ] lock_is_held_type+0x5d/0x150
+ [ ] ? rcu_lockdep_current_cpu_online+0x64/0x80
+ [ ] rcu_read_lock_any_held+0xac/0x100
+ [ ] ? rcu_read_lock_held+0xc0/0xc0
+ [ ] ? __slab_free+0x421/0x540
+ [ ] ? kasan_kmalloc+0x9/0x10
+ [ ] ? __kmalloc_node+0x1d7/0x320
+ [ ] ? kvmalloc_node+0x6f/0x80
+ [ ] __bfs+0x28a/0x3c0
+ [ ] ? class_equal+0x30/0x30
+ [ ] lockdep_count_forward_deps+0x11a/0x1a0
+
+The warning got triggered because lockdep_count_forward_deps() call
+__bfs() without current->lockdep_recursion being set, as a result
+a lockdep internal function (__bfs()) is checked by lockdep, which is
+unexpected, and the inconsistency between the irq-off state and the
+state traced by lockdep caused the warning.
+
+Apart from this warning, lockdep internal functions like __bfs() should
+always be protected by current->lockdep_recursion to avoid potential
+deadlocks and data inconsistency, therefore add the
+current->lockdep_recursion on-and-off section to protect __bfs() in both
+lockdep_count_forward_deps() and lockdep_count_backward_deps()
+
+Reported-by: Qian Cai
+Signed-off-by: Boqun Feng
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/20200312151258.128036-1-boqun.feng@gmail.com
+Signed-off-by: Sasha Levin
+---
+ kernel/locking/lockdep.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index a419696709a1a..0a00720d3cccb 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -1265,9 +1265,11 @@ unsigned long lockdep_count_forward_deps(struct lock_class *class)
+ this.class = class;
+
+ raw_local_irq_save(flags);
++ current->lockdep_recursion = 1;
+ arch_spin_lock(&lockdep_lock);
+ ret = __lockdep_count_forward_deps(&this);
+ arch_spin_unlock(&lockdep_lock);
++ current->lockdep_recursion = 0;
+ raw_local_irq_restore(flags);
+
+ return ret;
+@@ -1292,9 +1294,11 @@ unsigned long lockdep_count_backward_deps(struct lock_class *class)
+ this.class = class;
+
+ raw_local_irq_save(flags);
++ current->lockdep_recursion = 1;
+ arch_spin_lock(&lockdep_lock);
+ ret = __lockdep_count_backward_deps(&this);
+ arch_spin_unlock(&lockdep_lock);
++ current->lockdep_recursion = 0;
+ raw_local_irq_restore(flags);
+
+ return ret;
+--
+2.20.1
+
diff --git a/queue-4.4/net-vxge-fix-wrong-__va_args__-usage.patch b/queue-4.4/net-vxge-fix-wrong-__va_args__-usage.patch
new file mode 100644
index 00000000000..77426065a83
--- /dev/null
+++ b/queue-4.4/net-vxge-fix-wrong-__va_args__-usage.patch
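Review bot: `current->lockdep_recursion = 1;` and the closing `current->lockdep_recursion = 0;` overwrite the field instead of preserving what it held, so if either counting function were ever entered with `lockdep_recursion` already non-zero, the closing assignment would clear the outer section's guard early. Nothing in these hunks shows whether that can happen. A balanced pair, `current->lockdep_recursion++;` before `arch_spin_lock()` and `current->lockdep_recursion--;` after `arch_spin_unlock()`, or a one-line comment stating that callers never hold it, would make the assumption explicit. This applies to both lockdep_count_forward_deps() and lockdep_count_backward_deps(), whose bodies start outside the hunks.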
@@ -0,0 +1,98 @@
+From 46d4ae608a56193a0cc2889ee2dcc64a797cfac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2020 22:23:47 +0800
+Subject: net: vxge: fix wrong __VA_ARGS__ usage
+
+From: Zheng Wei
+
+[ Upstream commit b317538c47943f9903860d83cc0060409e12d2ff ]
+
+printk in macro vxge_debug_ll uses __VA_ARGS__ without "##" prefix,
+it causes a build error when there is no variable
+arguments(e.g. only fmt is specified.).
+
+Signed-off-by: Zheng Wei
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/neterion/vxge/vxge-config.h | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-main.h | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.h b/drivers/net/ethernet/neterion/vxge/vxge-config.h
+index 6ce4412fcc1ad..380e841fdd957 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-config.h
++++ b/drivers/net/ethernet/neterion/vxge/vxge-config.h
+@@ -2065,7 +2065,7 @@ vxge_hw_vpath_strip_fcs_check(struct __vxge_hw_device *hldev, u64 vpath_mask);
+ if ((level >= VXGE_ERR && VXGE_COMPONENT_LL & VXGE_DEBUG_ERR_MASK) || \
+ (level >= VXGE_TRACE && VXGE_COMPONENT_LL & VXGE_DEBUG_TRACE_MASK))\
+ if ((mask & VXGE_DEBUG_MASK) == mask) \
+- printk(fmt "\n", __VA_ARGS__); \
++ printk(fmt "\n", ##__VA_ARGS__); \
+ } while (0)
+ #else
+ #define vxge_debug_ll(level, mask, fmt, ...)
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.h b/drivers/net/ethernet/neterion/vxge/vxge-main.h
+index 3a79d93b84453..5b535aa10d23e 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.h
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.h
+@@ -454,49 +454,49 @@ int vxge_fw_upgrade(struct vxgedev *vdev, char *fw_name, int override);
+
+ #if (VXGE_DEBUG_LL_CONFIG & VXGE_DEBUG_MASK)
+ #define vxge_debug_ll_config(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_LL_CONFIG, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_LL_CONFIG, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_ll_config(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_INIT & VXGE_DEBUG_MASK)
+ #define vxge_debug_init(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_INIT, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_INIT, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_init(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_TX & VXGE_DEBUG_MASK)
+ #define vxge_debug_tx(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_TX, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_TX, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_tx(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_RX & VXGE_DEBUG_MASK)
+ #define vxge_debug_rx(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_RX, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_RX, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_rx(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_MEM & VXGE_DEBUG_MASK)
+ #define vxge_debug_mem(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_MEM, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_MEM, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_mem(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_ENTRYEXIT & VXGE_DEBUG_MASK)
+ #define vxge_debug_entryexit(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_ENTRYEXIT, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_ENTRYEXIT, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_entryexit(level, fmt, ...)
+ #endif
+
+ #if (VXGE_DEBUG_INTR & VXGE_DEBUG_MASK)
+ #define vxge_debug_intr(level, fmt, ...) \
+- vxge_debug_ll(level, VXGE_DEBUG_INTR, fmt, __VA_ARGS__)
++ vxge_debug_ll(level, VXGE_DEBUG_INTR, fmt, ##__VA_ARGS__)
+ #else
+ #define vxge_debug_intr(level, fmt, ...)
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.4/qlcnic-fix-bad-kzalloc-null-test.patch b/queue-4.4/qlcnic-fix-bad-kzalloc-null-test.patch
new file mode 100644
index 00000000000..b3136d849a1
--- /dev/null
+++ b/queue-4.4/qlcnic-fix-bad-kzalloc-null-test.patch
@@ -0,0 +1,35 @@
+From 2481b1353d7f4cd54e27f5ee716abf92911c802b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 26 Mar 2020 18:14:29 +0800
+Subject: qlcnic: Fix bad kzalloc null test
+
+From: Xu Wang
+
+[ Upstream commit bcaeb886ade124331a6f3a5cef34a3f1484c0a03 ]
+
+In qlcnic_83xx_get_reset_instruction_template, the variable
+of null test is bad, so correct it.
+
+Signed-off-by: Xu Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+index 26263a192a77e..083aeca77c758 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+@@ -1724,7 +1724,7 @@ static int qlcnic_83xx_get_reset_instruction_template(struct qlcnic_adapter *p_d
+
+ ahw->reset.seq_error = 0;
+ ahw->reset.buff = kzalloc(QLC_83XX_RESTART_TEMPLATE_SIZE, GFP_KERNEL);
+- if (p_dev->ahw->reset.buff == NULL)
++ if (ahw->reset.buff == NULL)
+ return -ENOMEM;
+
+ p_buff = p_dev->ahw->reset.buff;
+--
+2.20.1
+
diff --git a/queue-4.4/selftests-x86-ptrace_syscall_32-fix-no-vdso-segfault.patch b/queue-4.4/selftests-x86-ptrace_syscall_32-fix-no-vdso-segfault.patch
new file mode 100644
index 00000000000..934f3f8fe9f
--- /dev/null
+++ b/queue-4.4/selftests-x86-ptrace_syscall_32-fix-no-vdso-segfault.patch
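Review bot: The allocation and the corrected NULL test now both go through the local `ahw`, but the unchanged line right after the test still reads the buffer as `p_dev->ahw->reset.buff`. Assuming `ahw` is the local alias of `p_dev->ahw` declared above the hunk, using it there as well, `p_buff = ahw->reset.buff;`, would keep the three accesses visibly on the same object and avoid a repeat of the mismatch this patch corrects. The function begins and ends outside the hunk.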
@@ -0,0 +1,42 @@
+From f91a9ae18958006402a080692a17df53aa530b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2020 15:35:51 -0700
+Subject: selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault
+
+From: Andy Lutomirski
+
+[ Upstream commit 630b99ab60aa972052a4202a1ff96c7e45eb0054 ]
+
+If AT_SYSINFO is not present, don't try to call a NULL pointer.
+
+Reported-by: kbuild test robot
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Borislav Petkov
+Link: https://lkml.kernel.org/r/faaf688265a7e1a5b944d6f8bc0f6368158306d3.1584052409.git.luto@kernel.org
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/x86/ptrace_syscall.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/x86/ptrace_syscall.c b/tools/testing/selftests/x86/ptrace_syscall.c
+index 5105b49cd8aa5..8b3c1236f04dc 100644
+--- a/tools/testing/selftests/x86/ptrace_syscall.c
++++ b/tools/testing/selftests/x86/ptrace_syscall.c
+@@ -284,8 +284,12 @@ int main()
+
+ #if defined(__i386__) && (!defined(__GLIBC__) || __GLIBC__ > 2 || __GLIBC_MINOR__ >= 16)
+ vsyscall32 = (void *)getauxval(AT_SYSINFO);
+- printf("[RUN]\tCheck AT_SYSINFO return regs\n");
+- test_sys32_regs(do_full_vsyscall32);
++ if (vsyscall32) {
++ printf("[RUN]\tCheck AT_SYSINFO return regs\n");
++ test_sys32_regs(do_full_vsyscall32);
++ } else {
++ printf("[SKIP]\tAT_SYSINFO is not available\n");
++ }
+ #endif
+
+ test_ptrace_syscall_restart();
+--
+2.20.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..903bb963a93
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,12 @@
+bus-sunxi-rsb-return-correct-data-when-mixing-16-bit.patch
+net-vxge-fix-wrong-__va_args__-usage.patch
+qlcnic-fix-bad-kzalloc-null-test.patch
+i2c-st-fix-missing-struct-parameter-description.patch
+irqchip-versatile-fpga-handle-chained-irqs-properly.patch
+selftests-x86-ptrace_syscall_32-fix-no-vdso-segfault.patch
+libata-remove-extra-scsi_host_put-in-ata_scsi_add_ho.patch
+gfs2-don-t-demote-a-glock-until-its-revokes-are-writ.patch
+x86-boot-use-unsigned-comparison-for-addresses.patch
+locking-lockdep-avoid-recursion-in-lockdep_count_-fo.patch
+btrfs-remove-a-bug_on-from-merge_reloc_roots.patch
+btrfs-track-reloc-roots-based-on-their-commit-root-b.patch
diff --git a/queue-4.4/x86-boot-use-unsigned-comparison-for-addresses.patch b/queue-4.4/x86-boot-use-unsigned-comparison-for-addresses.patch
new file mode 100644
index 00000000000..02c2f86b947
--- /dev/null
+++ b/queue-4.4/x86-boot-use-unsigned-comparison-for-addresses.patch
@@ -0,0 +1,71 @@
+From 8d5a656af732e200de0a2803f8c5ceec1dda16f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Mar 2020 09:08:44 +0100
+Subject: x86/boot: Use unsigned comparison for addresses
+
+From: Arvind Sankar
+
+[ Upstream commit 81a34892c2c7c809f9c4e22c5ac936ae673fb9a2 ]
+
+The load address is compared with LOAD_PHYSICAL_ADDR using a signed
+comparison currently (using jge instruction).
+
+When loading a 64-bit kernel using the new efi32_pe_entry() point added by:
+
+ 97aa276579b2 ("efi/x86: Add true mixed mode entry point into .compat section")
+
+using Qemu with -m 3072, the firmware actually loads us above 2Gb,
+resulting in a very early crash.
+
+Use the JAE instruction to perform a unsigned comparison instead, as physical
+addresses should be considered unsigned.
+
+Signed-off-by: Arvind Sankar
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20200301230436.2246909-6-nivedita@alum.mit.edu
+Link: https://lore.kernel.org/r/20200308080859.21568-14-ardb@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/boot/compressed/head_32.S | 2 +-
+ arch/x86/boot/compressed/head_64.S | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index 0256064da8da3..0eca7f2087b1f 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -170,7 +170,7 @@ preferred_addr:
+ notl %eax
+ andl %eax, %ebx
+ cmpl $LOAD_PHYSICAL_ADDR, %ebx
+- jge 1f
++ jae 1f
+ #endif
+ movl $LOAD_PHYSICAL_ADDR, %ebx
+ 1:
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index b831e24f7168b..ca8151ef3bfa0 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -104,7 +104,7 @@ ENTRY(startup_32)
+ notl %eax
+ andl %eax, %ebx
+ cmpl $LOAD_PHYSICAL_ADDR, %ebx
+- jge 1f
++ jae 1f
+ #endif
+ movl $LOAD_PHYSICAL_ADDR, %ebx
+ 1:
+@@ -337,7 +337,7 @@ preferred_addr:
+ notq %rax
+ andq %rax, %rbp
+ cmpq $LOAD_PHYSICAL_ADDR, %rbp
+- jge 1f
++ jae 1f
+ #endif
+ movq $LOAD_PHYSICAL_ADDR, %rbp
+ 1:
+--
+2.20.1
+
-- 2.47.3