Skip to content

Commit

Permalink
origin
Browse files Browse the repository at this point in the history
GIT 2226fb57a908330c7e2b83d363d450f2000de837

commit 6a7553e8d84d5322d883cb83bb9888c49a0f04e0
Author: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Date:   Fri Aug 9 15:46:40 2019 +0200

    MAINTAINERS: handle fbdev changes through drm-misc tree
    
    fbdev patches will now go to upstream through drm-misc tree (IOW
    starting with v5.4 merge window fbdev changes will be included in
    DRM pull request) for improved maintainership and better integration
    testing. Update MAINTAINERS file accordingly.
    
    Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

commit 20621fedb2a696e4dc60bc1c5de37cf21976abcb
Author: Coly Li <colyli@suse.de>
Date:   Fri Aug 9 14:14:05 2019 +0800

    bcache: Revert "bcache: use sysfs_match_string() instead of __sysfs_match_string()"
    
    This reverts commit 89e0341af082dbc170019f908846f4a424efc86b.
    
    In drivers/md/bcache/sysfs.c:bch_snprint_string_list(), NULL pointer at
    the end of list is necessary. Remove the NULL from last element of each
    lists will cause the following panic,
    
    [ 4340.455652] bcache: register_cache() registered cache device nvme0n1
    [ 4340.464603] bcache: register_bdev() registered backing device sdk
    [ 4421.587335] bcache: bch_cached_dev_run() cached dev sdk is running already
    [ 4421.587348] bcache: bch_cached_dev_attach() Caching sdk as bcache0 on set 354e1d46-d99f-4d8b-870b-078b80dc88a6
    [ 5139.247950] general protection fault: 0000 [#1] SMP NOPTI
    [ 5139.247970] CPU: 9 PID: 5896 Comm: cat Not tainted 4.12.14-95.29-default #1 SLE12-SP4
    [ 5139.247988] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 04/18/2019
    [ 5139.248006] task: ffff888fb25c0b00 task.stack: ffff9bbacc704000
    [ 5139.248021] RIP: 0010:string+0x21/0x70
    [ 5139.248030] RSP: 0018:ffff9bbacc707bf0 EFLAGS: 00010286
    [ 5139.248043] RAX: ffffffffa7e432e3 RBX: ffff8881c20da02a RCX: ffff0a00ffffff04
    [ 5139.248058] RDX: 3f00656863616362 RSI: ffff8881c20db000 RDI: ffffffffffffffff
    [ 5139.248075] RBP: ffff8881c20db000 R08: 0000000000000000 R09: ffff8881c20da02a
    [ 5139.248090] R10: 0000000000000004 R11: 0000000000000000 R12: ffff9bbacc707c48
    [ 5139.248104] R13: 0000000000000fd6 R14: ffffffffc0665855 R15: ffffffffc0665855
    [ 5139.248119] FS:  00007faf253b8700(0000) GS:ffff88903f840000(0000) knlGS:0000000000000000
    [ 5139.248137] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 5139.248149] CR2: 00007faf25395008 CR3: 0000000f72150006 CR4: 00000000007606e0
    [ 5139.248164] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 5139.248179] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 5139.248193] PKRU: 55555554
    [ 5139.248200] Call Trace:
    [ 5139.248210]  vsnprintf+0x1fb/0x510
    [ 5139.248221]  snprintf+0x39/0x40
    [ 5139.248238]  bch_snprint_string_list.constprop.15+0x5b/0x90 [bcache]
    [ 5139.248256]  __bch_cached_dev_show+0x44d/0x5f0 [bcache]
    [ 5139.248270]  ? __alloc_pages_nodemask+0xb2/0x210
    [ 5139.248284]  bch_cached_dev_show+0x2c/0x50 [bcache]
    [ 5139.248297]  sysfs_kf_seq_show+0xbb/0x190
    [ 5139.248308]  seq_read+0xfc/0x3c0
    [ 5139.248317]  __vfs_read+0x26/0x140
    [ 5139.248327]  vfs_read+0x87/0x130
    [ 5139.248336]  SyS_read+0x42/0x90
    [ 5139.248346]  do_syscall_64+0x74/0x160
    [ 5139.248358]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    [ 5139.248370] RIP: 0033:0x7faf24eea370
    [ 5139.248379] RSP: 002b:00007fff82d03f38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
    [ 5139.248395] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007faf24eea370
    [ 5139.248411] RDX: 0000000000020000 RSI: 00007faf25396000 RDI: 0000000000000003
    [ 5139.248426] RBP: 00007faf25396000 R08: 00000000ffffffff R09: 0000000000000000
    [ 5139.248441] R10: 000000007c9d4d41 R11: 0000000000000246 R12: 00007faf25396000
    [ 5139.248456] R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000fff
    [ 5139.248892] Code: ff ff ff 0f 1f 80 00 00 00 00 49 89 f9 48 89 cf 48 c7 c0 e3 32 e4 a7 48 c1 ff 30 48 81 fa ff 0f 00 00 48 0f 46 d0 48 85 ff 74 45 <44> 0f b6 02 48 8d 42 01 45 84 c0 74 38 48 01 fa 4c 89 cf eb 0e
    
    The simplest way to fix is to revert commit 89e0341af082 ("bcache: use
    sysfs_match_string() instead of __sysfs_match_string()").
    
    This bug was introduced in Linux v5.2, so this fix only applies to
    Linux v5.2 is enough for stable tree maintainer.
    
    Fixes: 89e0341af082 ("bcache: use sysfs_match_string() instead of __sysfs_match_string()")
    Cc: stable@vger.kernel.org
    Cc: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Reported-by: Peifeng Lin <pflin@suse.com>
    Acked-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
    Signed-off-by: Coly Li <colyli@suse.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 404861e15b5fa7edbab22400f9174c1a21fde731
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Wed Aug 7 14:31:59 2019 +0200

    s390/vdso: map vdso also for statically linked binaries
    
    s390 does not map the vdso for statically linked binaries, assuming
    that this doesn't make sense. See commit fc5243d98ac2 ("[S390]
    arch_setup_additional_pages arguments").
    
    However with glibc commit d665367f596d ("linux: Enable vDSO for static
    linking as default (BZ#19767)") and commit 5e855c895401 ("s390: Enable
    VDSO for static linking") the vdso is also used for statically linked
    binaries - if the kernel would make it available.
    
    Therefore map the vdso always, just like all other architectures.
    
    Reported-by: Stefan Liebler <stli@linux.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

commit 30e235389faadb9e3d918887b1f126155d7d761d
Author: Jia He <justin.he@arm.com>
Date:   Wed Aug 7 12:58:51 2019 +0800

    arm64: mm: add missing PTE_SPECIAL in pte_mkdevmap on arm64
    
    Without this patch, the MAP_SYNC test case will cause a print_bad_pte
    warning on arm64 as follows:
    
    [   25.542693] BUG: Bad page map in process mapdax333 pte:2e8000448800f53 pmd:41ff5f003
    [   25.546360] page:ffff7e0010220000 refcount:1 mapcount:-1 mapping:ffff8003e29c7440 index:0x0
    [   25.550281] ext4_dax_aops
    [   25.550282] name:"__aaabbbcccddd__"
    [   25.551553] flags: 0x3ffff0000001002(referenced|reserved)
    [   25.555802] raw: 03ffff0000001002 ffff8003dfffa908 0000000000000000 ffff8003e29c7440
    [   25.559446] raw: 0000000000000000 0000000000000000 00000001fffffffe 0000000000000000
    [   25.563075] page dumped because: bad pte
    [   25.564938] addr:0000ffffbe05b000 vm_flags:208000fb anon_vma:0000000000000000 mapping:ffff8003e29c7440 index:0
    [   25.574272] file:__aaabbbcccddd__ fault:ext4_dax_fault mmmmap:ext4_file_mmap readpage:0x0
    [   25.578799] CPU: 1 PID: 1180 Comm: mapdax333 Not tainted 5.2.0+ #21
    [   25.581702] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
    [   25.585624] Call trace:
    [   25.587008]  dump_backtrace+0x0/0x178
    [   25.588799]  show_stack+0x24/0x30
    [   25.590328]  dump_stack+0xa8/0xcc
    [   25.591901]  print_bad_pte+0x18c/0x218
    [   25.593628]  unmap_page_range+0x778/0xc00
    [   25.595506]  unmap_single_vma+0x94/0xe8
    [   25.597304]  unmap_vmas+0x90/0x108
    [   25.598901]  unmap_region+0xc0/0x128
    [   25.600566]  __do_munmap+0x284/0x3f0
    [   25.602245]  __vm_munmap+0x78/0xe0
    [   25.603820]  __arm64_sys_munmap+0x34/0x48
    [   25.605709]  el0_svc_common.constprop.0+0x78/0x168
    [   25.607956]  el0_svc_handler+0x34/0x90
    [   25.609698]  el0_svc+0x8/0xc
    [...]
    
    The root cause is in _vm_normal_page, without the PTE_SPECIAL bit,
    the return value will be incorrectly set to pfn_to_page(pfn) instead
    of NULL. Besides, this patch also rewrite the pmd_mkdevmap to avoid
    setting PTE_SPECIAL for pmd
    
    The MAP_SYNC test case is as follows(Provided by Yibo Cai)
    $#include <stdio.h>
    $#include <string.h>
    $#include <unistd.h>
    $#include <sys/file.h>
    $#include <sys/mman.h>
    
    $#ifndef MAP_SYNC
    $#define MAP_SYNC 0x80000
    $#endif
    
    /* mount -o dax /dev/pmem0 /mnt */
    $#define F "/mnt/__aaabbbcccddd__"
    
    int main(void)
    {
        int fd;
        char buf[4096];
        void *addr;
    
        if ((fd = open(F, O_CREAT|O_TRUNC|O_RDWR, 0644)) < 0) {
            perror("open1");
            return 1;
        }
    
        if (write(fd, buf, 4096) != 4096) {
            perror("lseek");
            return 1;
        }
    
        addr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_SYNC, fd, 0);
        if (addr == MAP_FAILED) {
            perror("mmap");
            printf("did you mount with '-o dax'?\n");
            return 1;
        }
    
        memset(addr, 0x55, 4096);
    
        if (munmap(addr, 4096) == -1) {
            perror("munmap");
            return 1;
        }
    
        close(fd);
    
        return 0;
    }
    
    Fixes: 73b20c84d42d ("arm64: mm: implement pte_devmap support")
    Reported-by: Yibo Cai <Yibo.Cai@arm.com>
    Acked-by: Will Deacon <will@kernel.org>
    Acked-by: Robin Murphy <Robin.Murphy@arm.com>
    Signed-off-by: Jia He <justin.he@arm.com>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

commit d0a255e795ab976481565f6ac178314b34fbf891
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Thu Aug 8 11:17:01 2019 -0400

    loop: set PF_MEMALLOC_NOIO for the worker thread
    
    A deadlock with this stacktrace was observed.
    
    The loop thread does a GFP_KERNEL allocation, it calls into dm-bufio
    shrinker and the shrinker depends on I/O completion in the dm-bufio
    subsystem.
    
    In order to fix the deadlock (and other similar ones), we set the flag
    PF_MEMALLOC_NOIO at loop thread entry.
    
    PID: 474    TASK: ffff8813e11f4600  CPU: 10  COMMAND: "kswapd0"
       #0 [ffff8813dedfb938] __schedule at ffffffff8173f405
       #1 [ffff8813dedfb990] schedule at ffffffff8173fa27
       #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec
       #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186
       #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f
       #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8
       #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81
       #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio]
       #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio]
       #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio]
      #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce
      #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778
      #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f
      #13 [ffff8813dedfbec0] kthread at ffffffff810a8428
      #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242
    
      PID: 14127  TASK: ffff881455749c00  CPU: 11  COMMAND: "loop1"
       #0 [ffff88272f5af228] __schedule at ffffffff8173f405
       #1 [ffff88272f5af280] schedule at ffffffff8173fa27
       #2 [ffff88272f5af2a0] schedule_preempt_disabled at ffffffff8173fd5e
       #3 [ffff88272f5af2b0] __mutex_lock_slowpath at ffffffff81741fb5
       #4 [ffff88272f5af330] mutex_lock at ffffffff81742133
       #5 [ffff88272f5af350] dm_bufio_shrink_count at ffffffffa03865f9 [dm_bufio]
       #6 [ffff88272f5af380] shrink_slab at ffffffff811a86bd
       #7 [ffff88272f5af470] shrink_zone at ffffffff811ad778
       #8 [ffff88272f5af500] do_try_to_free_pages at ffffffff811adb34
       #9 [ffff88272f5af590] try_to_free_pages at ffffffff811adef8
      #10 [ffff88272f5af610] __alloc_pages_nodemask at ffffffff811a09c3
      #11 [ffff88272f5af710] alloc_pages_current at ffffffff811e8b71
      #12 [ffff88272f5af760] new_slab at ffffffff811f4523
      #13 [ffff88272f5af7b0] __slab_alloc at ffffffff8173a1b5
      #14 [ffff88272f5af880] kmem_cache_alloc at ffffffff811f484b
      #15 [ffff88272f5af8d0] do_blockdev_direct_IO at ffffffff812535b3
      #16 [ffff88272f5afb00] __blockdev_direct_IO at ffffffff81255dc3
      #17 [ffff88272f5afb30] xfs_vm_direct_IO at ffffffffa01fe3fc [xfs]
      #18 [ffff88272f5afb90] generic_file_read_iter at ffffffff81198994
      #19 [ffff88272f5afc50] __dta_xfs_file_read_iter_2398 at ffffffffa020c970 [xfs]
      #20 [ffff88272f5afcc0] lo_rw_aio at ffffffffa0377042 [loop]
      #21 [ffff88272f5afd70] loop_queue_work at ffffffffa0377c3b [loop]
      #22 [ffff88272f5afe60] kthread_worker_fn at ffffffff810a8a0c
      #23 [ffff88272f5afec0] kthread at ffffffff810a8428
      #24 [ffff88272f5aff50] ret_from_fork at ffffffff81745242
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit e91455bad5cff40a8c232f2204a5104127e3fec2
Author: Jan Kara <jack@suse.cz>
Date:   Wed Aug 7 11:36:47 2019 +0200

    bdev: Fixup error handling in blkdev_get()
    
    Commit 89e524c04fa9 ("loop: Fix mount(2) failure due to race with
    LOOP_SET_FD") converted blkdev_get() to use the new helpers for
    finishing claiming of a block device. However the conversion botched the
    error handling in blkdev_get() and thus the bdev has been marked as held
    even in case __blkdev_get() returned error. This led to occasional
    warnings with block/001 test from blktests like:
    
    kernel: WARNING: CPU: 5 PID: 907 at fs/block_dev.c:1899 __blkdev_put+0x396/0x3a0
    
    Correct the error handling.
    
    CC: stable@vger.kernel.org
    Fixes: 89e524c04fa9 ("loop: Fix mount(2) failure due to race with LOOP_SET_FD")
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit fd03177c33b287c6541f4048f1d67b7b45a1abc9
Author: Paolo Valente <paolo.valente@linaro.org>
Date:   Wed Aug 7 19:21:11 2019 +0200

    block, bfq: handle NULL return value by bfq_init_rq()
    
    As reported in [1], the call bfq_init_rq(rq) may return NULL in case
    of OOM (in particular, if rq->elv.icq is NULL because memory
    allocation failed in failed in ioc_create_icq()).
    
    This commit handles this circumstance.
    
    [1] https://lkml.org/lkml/2019/7/22/824
    
    Cc: Hsin-Yi Wang <hsinyi@google.com>
    Cc: Nicolas Boichat <drinkcat@chromium.org>
    Cc: Doug Anderson <dianders@chromium.org>
    Reported-by: Guenter Roeck <linux@roeck-us.net>
    Reported-by: Hsin-Yi Wang <hsinyi@google.com>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 3f758e844aa9800eb660d60ee10226fa802594d4
Author: Paolo Valente <paolo.valente@linaro.org>
Date:   Wed Aug 7 16:17:54 2019 +0200

    block, bfq: move update of waker and woken list to queue freeing
    
    Since commit 13a857a4c4e8 ("block, bfq: detect wakers and
    unconditionally inject their I/O"), every bfq_queue has a pointer to a
    waker bfq_queue and a list of the bfq_queues it may wake. In this
    respect, when a bfq_queue, say Q, remains with no I/O source attached
    to it, Q cannot be woken by any other bfq_queue, and cannot wake any
    other bfq_queue. Then Q must be removed from the woken list of its
    possible waker bfq_queue, and all bfq_queues in the woken list of Q
    must stop having a waker bfq_queue.
    
    Q remains with no I/O source in two cases: when the last process
    associated with Q exits or when such a process gets associated with a
    different bfq_queue. Unfortunately, commit 13a857a4c4e8 ("block, bfq:
    detect wakers and unconditionally inject their I/O") performed the
    above updates only in the first case.
    
    This commit fixes this bug by moving these updates to when Q gets
    freed. This is a simple and safe way to handle all cases, as both the
    above events, process exit and re-association, lead to Q being freed
    soon, and because dangling references would come out only after Q gets
    freed (if no update were performed).
    
    Fixes: 13a857a4c4e8 ("block, bfq: detect wakers and unconditionally inject their I/O")
    Reported-by: Douglas Anderson <dianders@chromium.org>
    Tested-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 08d383a74948b43eb6e96c86153e63cbf276f1fa
Author: Paolo Valente <paolo.valente@linaro.org>
Date:   Wed Aug 7 16:17:53 2019 +0200

    block, bfq: reset last_completed_rq_bfqq if the pointed queue is freed
    
    Since commit 13a857a4c4e8 ("block, bfq: detect wakers and
    unconditionally inject their I/O"), BFQ stores, in a per-device
    pointer last_completed_rq_bfqq, the last bfq_queue that had an I/O
    request completed. If some bfq_queue receives new I/O right after the
    last request of last_completed_rq_bfqq has been completed, then
    last_completed_rq_bfqq may be a waker bfq_queue.
    
    But if the bfq_queue last_completed_rq_bfqq points to is freed, then
    last_completed_rq_bfqq becomes a dangling reference. This commit
    resets last_completed_rq_bfqq if the pointed bfq_queue is freed.
    
    Fixes: 13a857a4c4e8 ("block, bfq: detect wakers and unconditionally inject their I/O")
    Reported-by: Douglas Anderson <dianders@chromium.org>
    Tested-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 430380b4637aec646996b4aef67ad417593923b2
Author: He Zhe <zhe.he@windriver.com>
Date:   Thu Aug 8 11:09:54 2019 +0800

    block: aoe: Fix kernel crash due to atomic sleep when exiting
    
    Since commit 3582dd291788 ("aoe: convert aoeblk to blk-mq"), aoedev_downdev
    has had the possibility of sleeping and causing the following crash.
    
    BUG: scheduling while atomic: rmmod/2242/0x00000003
    Modules linked in: aoe
    Preemption disabled at:
    [<ffffffffc01d95e5>] flush+0x95/0x4a0 [aoe]
    CPU: 7 PID: 2242 Comm: rmmod Tainted: G          I       5.2.3 #1
    Hardware name: Intel Corporation S5520HC/S5520HC, BIOS S5500.86B.01.10.0025.030220091519 03/02/2009
    Call Trace:
     dump_stack+0x4f/0x6a
     ? flush+0x95/0x4a0 [aoe]
     __schedule_bug.cold+0x44/0x54
     __schedule+0x44f/0x680
     schedule+0x44/0xd0
     blk_mq_freeze_queue_wait+0x46/0xb0
     ? wait_woken+0x80/0x80
     blk_mq_freeze_queue+0x1b/0x20
     aoedev_downdev+0x111/0x160 [aoe]
     flush+0xff/0x4a0 [aoe]
     aoedev_exit+0x23/0x30 [aoe]
     aoe_exit+0x35/0x948 [aoe]
     __se_sys_delete_module+0x183/0x210
     __x64_sys_delete_module+0x16/0x20
     do_syscall_64+0x4d/0x130
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x7f24e0043b07
    Code: 73 01 c3 48 8b 0d 89 73 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f
    1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff
    ff 73 01 c3 48 8b 0d 59 73 0b 00 f7 d8 64 89 01 48
    RSP: 002b:00007ffe18f7f1e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f24e0043b07
    RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000555c3ecf87c8
    RBP: 00007ffe18f7f1f0 R08: 0000000000000000 R09: 0000000000000000
    R10: 00007f24e00b4ac0 R11: 0000000000000206 R12: 00007ffe18f7f238
    R13: 00007ffe18f7f410 R14: 00007ffe18f80e73 R15: 0000555c3ecf8760
    
    This patch, handling in the same way of pass two, unlocks the locks and
    restart pass one after aoedev_downdev is done.
    
    Fixes: 3582dd291788 ("aoe: convert aoeblk to blk-mq")
    Signed-off-by: He Zhe <zhe.he@windriver.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 739bacbf7aa2c44bb25d9ad5f7d5b256082c5e66
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Mon Jan 21 13:54:53 2019 +0100

    s390/build: use size command to perform empty .bss check
    
    Currently empty .bss checks performed do not pay attention to "common
    objects" in object files which end up in .bss section eventually.
    
    The "size" tool is a part of binutils and since version 2.18 provides
    "--common" command line option, which allows to account "common objects"
    sizes in .bss section size. Utilize "size --common" to perform accurate
    check that .bss section is unused. Besides that the size tool handles
    object files without .bss section gracefully and doesn't require
    additional objdump run.
    
    The linux kernel requires binutils 2.20 since 4.13.
    
    Kbuild exports OBJSIZE to reference the right size tool.
    
    Link: http://lkml.kernel.org/r/patch-2.thread-2257a1.git-2257a1c53d4a.your-ad-here.call-01565088755-ext-5120@work.hours
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

commit 7bac98707f65b93bf994ef4e99b1eb9e7dbb9c32
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Mon Jan 21 13:54:39 2019 +0100

    kbuild: add OBJSIZE variable for the size tool
    
    Define and export OBJSIZE variable for "size" tool from binutils to be
    used in architecture specific Makefiles (naming the variable just "SIZE"
    would be too risky). In particular this tool is useful to perform checks
    that early boot code is not using bss section (which might have not been
    zeroed yet or intersects with initrd or other files boot loader might
    have put right after the linux kernel).
    
    Link: http://lkml.kernel.org/r/patch-1.thread-2257a1.git-188f5a3d81d5.your-ad-here.call-01565088755-ext-5120@work.hours
    Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

commit 6cf9481b440da6d6d86bd8e4c99a8b553b9d1271
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Tue Jul 30 17:48:48 2019 +0200

    pwm: Fallback to the static lookup-list when acpi_pwm_get fails
    
    Commit 4a6ef8e37c4d ("pwm: Add support referencing PWMs from ACPI")
    made pwm_get unconditionally return the acpi_pwm_get return value if
    the device passed to pwm_get has an ACPI fwnode.
    
    But even if the passed in device has an ACPI fwnode, it does not
    necessarily have the necessary ACPI package defining its pwm bindings,
    especially since the binding / API of this ACPI package has only been
    introduced very recently.
    
    Up until now X86/ACPI devices which use a separate pwm controller for
    controlling their LCD screen's backlight brightness have been relying
    on the static lookup-list to get their pwm.
    
    pwm_get unconditionally returning the acpi_pwm_get return value breaks
    this, breaking backlight control on these devices.
    
    This commit fixes this by making pwm_get fall back to the static
    lookup-list if acpi_pwm_get returns -ENOENT.
    
    BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=96571
    Reported-by: youling257@gmail.com
    Fixes: 4a6ef8e37c4d ("pwm: Add support referencing PWMs from ACPI")
    Cc: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Acked-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>

commit 6b7c3b86f0b63134b2ab56508921a0853ffa687a
Author: Colin Ian King <colin.king@canonical.com>
Date:   Mon Jun 24 09:39:59 2019 -0700

    drm/vmwgfx: fix memory leak when too many retries have occurred
    
    Currently when too many retries have occurred there is a memory
    leak on the allocation for reply on the error return path. Fix
    this by kfree'ing reply before returning.
    
    Addresses-Coverity: ("Resource leak")
    Fixes: a9cd9c044aa9 ("drm/vmwgfx: Add a check to handle host message failure")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Reviewed-by: Deepak Rawat <drawat@vmware.com>
    Signed-off-by: Deepak Rawat <drawat@vmware.com>
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>

commit 1be3c1fae6c1e1f5bb982b255d2034034454527a
Author: Wenwen Wang <wenwen@cs.uga.edu>
Date:   Thu Aug 8 00:50:58 2019 -0500

    ALSA: firewire: fix a memory leak bug
    
    In iso_packets_buffer_init(), 'b->packets' is allocated through
    kmalloc_array(). Then, the aligned packet size is checked. If it is
    larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
    However, the allocated 'b->packets' is not deallocated on this path,
    leading to a memory leak.
    
    To fix the above issue, free 'b->packets' before returning the error code.
    
    Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
    Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
    Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Cc: <stable@vger.kernel.org> # v2.6.39+
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

commit c7cd7c748a3250ca33509f9235efab9c803aca09
Author: Wenwen Wang <wenwen@cs.uga.edu>
Date:   Thu Aug 8 00:15:21 2019 -0500

    sound: fix a memory leak bug
    
    In sound_insert_unit(), the controlling structure 's' is allocated through
    kmalloc(). Then it is added to the sound driver list by invoking
    __sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
    removed from the list through __sound_remove_unit(). If 'index' is not less
    than 0, -EBUSY is returned to indicate the error. However, 's' is not
    deallocated on this execution path, leading to a memory leak bug.
    
    To fix the above issue, free 's' before -EBUSY is returned.
    
    Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

commit a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2
Author: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
Date:   Thu Aug 1 08:53:24 2019 +0100

    hwmon: (lm75) Fixup tmp75b clr_mask
    
    The configuration register of the tmp75b sensor is 16bit long, however
    the first byte is reserved, so there is not no need to take care of it.
    
    Because the order of the bytes is little endian and it is only necessary
    to write one byte, the desired bits must be shifted into a 8 bit range.
    
    Fixes: 39abe9d88b30 ("hwmon: (lm75) Add support for TMP75B")
    Cc: stable@vger.kernel.org
    Signed-off-by: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
    Link: https://lore.kernel.org/r/20190801075324.4638-1-iker.perez@codethink.co.uk
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>

commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Jul 26 08:00:49 2019 -0700

    hwmon: (nct7802) Fix wrong detection of in4 presence
    
    The code to detect if in4 is present is wrong; if in4 is not present,
    the in4_input sysfs attribute is still present.
    
    In detail:
    
    - Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
    - If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
      file under /sys and the "sensors" command displays in4_input.
      But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.
    
    Fix is_visible function to detect and report in4_input visibility
    as expected.
    
    Reported-by: Gilles Buloz <Gilles.Buloz@kontron.com>
    Cc: Gilles Buloz <Gilles.Buloz@kontron.com>
    Cc: stable@vger.kernel.org
    Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>

commit 752ead44491e8c91e14d7079625c5916b30921c5
Author: Jens Axboe <axboe@kernel.dk>
Date:   Wed Aug 7 12:23:57 2019 -0600

    libata: add SG safety checks in SFF pio transfers
    
    Abort processing of a command if we run out of mapped data in the
    SG list. This should never happen, but a previous bug caused it to
    be possible. Play it safe and attempt to abort nicely if we don't
    have more SG segments left.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 2d7271501720038381d45fb3dcbe4831228fc8cc
Author: Jens Axboe <axboe@kernel.dk>
Date:   Wed Aug 7 12:20:52 2019 -0600

    libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    
    For passthrough requests, libata-scsi takes what the user passes in
    as gospel. This can be problematic if the user fills in the CDB
    incorrectly. One example of that is in request sizes. For read/write
    commands, the CDB contains fields describing the transfer length of
    the request. These should match with the SG_IO header fields, but
    libata-scsi currently does no validation of that.
    
    Check that the number of blocks in the CDB for passthrough requests
    matches what was mapped into the request. If the CDB asks for more
    data then the validated SG_IO header fields, error it.
    
    Reported-by: Krishna Ram Prakash R <krp@gtux.in>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit e15c2ffa1091c4f72370f01af4de8f9dddeb17a6
Author: Jens Axboe <axboe@kernel.dk>
Date:   Tue Aug 6 13:34:31 2019 -0600

    block: fix O_DIRECT error handling for bio fragments
    
    0eb6ddfb865c tried to fix this up, but introduced a use-after-free
    of dio. Additionally, we still had an issue with error handling,
    as reported by Darrick:
    
    "I noticed a regression in xfs/747 (an unreleased xfstest for the
    xfs_scrub media scanning feature) on 5.3-rc3.  I'll condense that down
    to a simpler reproducer:
    
    error-test: 0 209 linear 8:48 0
    error-test: 209 1 error
    error-test: 210 6446894 linear 8:48 210
    
    Basically we have a ~3G /dev/sdd and we set up device mapper to fail IO
    for sector 209 and to pass the io to the scsi device everywhere else.
    
    On 5.3-rc3, performing a directio pread of this range with a < 1M buffer
    (in other words, a request for fewer than MAX_BIO_PAGES bytes) yields
    EIO like you'd expect:
    
    pread64(3, 0x7f880e1c7000, 1048576, 0)  = -1 EIO (Input/output error)
    pread: Input/output error
    +++ exited with 0 +++
    
    But doing it with a larger buffer succeeds(!):
    
    pread64(3, "XFSB\0\0\20\0\0\0\0\0\0\fL\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1146880, 0) = 1146880
    read 1146880/1146880 bytes at offset 0
    1 MiB, 1 ops; 0.0009 sec (1.124 GiB/sec and 1052.6316 ops/sec)
    +++ exited with 0 +++
    
    (Note that the part of the buffer corresponding to the dm-error area is
    uninitialized)
    
    On 5.3-rc2, both commands would fail with EIO like you'd expect.  The
    only change between rc2 and rc3 is commit 0eb6ddfb865c ("block: Fix
    __blkdev_direct_IO() for bio fragments").
    
    AFAICT we end up in __blkdev_direct_IO with a 1120K buffer, which gets
    split into two bios: one for the first BIO_MAX_PAGES worth of data (1MB)
    and a second one for the 96k after that."
    
    Fix this by noting that it's always safe to dereference dio if we get
    BLK_QC_T_EAGAIN returned, as end_io hasn't been run for that case. So
    we can safely increment the dio size before calling submit_bio(), and
    then decrement it on failure (not that it really matters, as the bio
    and dio are going away).
    
    For error handling, return to the original method of just using 'ret'
    for tracking the error, and the size tracking in dio->size.
    
    Fixes: 0eb6ddfb865c ("block: Fix __blkdev_direct_IO() for bio fragments")
    Fixes: 6a43074e2f46 ("block: properly handle IOCB_NOWAIT for async O_DIRECT IO")
    Reported-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 67e7b52d44e3d539dfbfcd866c3d3d69da23a909
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Wed Aug 7 07:31:27 2019 -0400

    NFSv4: Ensure state recovery handles ETIMEDOUT correctly
    
    Ensure that the state recovery code handles ETIMEDOUT correctly,
    and also that we set RPC_TASK_TIMEOUT when recovering open state.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 4b3e30ed3ec7864e798403a63ff2e96bd0c19ab0
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Aug 7 00:23:07 2019 -0500

    Revert "drm/amdkfd: New IOCTL to allocate queue GWS"
    
    This reverts commit 1a058c3376765ee31d65e28cbbb9d4ff15120056.
    
    This interface is still in too much flux.  Revert until
    it's sorted out.
    
    Acked-by: Oak Zeng <Oak.Zeng@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Aug 6 17:31:48 2019 +0200

    ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)
    
    A long-time problem on the recent AMD chip (X370, X470, B450, etc with
    PCI ID 1022:1457) with Realtek codecs is the crackled or distorted
    sound for capture streams, as well as occasional playback hiccups.
    After lengthy debugging sessions, the workarounds we've found are like
    the following:
    
    - Set up the proper driver caps for this controller, similar as the
      other AMD controller.
    
    - Correct the DMA position reporting with the fixed FIFO size, which
      is similar like as workaround used for VIA chip set.
    
    - Even after the position correction, PulseAudio still shows
      mysterious stalls of playback streams when a capture is triggered in
      timer-scheduled mode.  Since we have no clear way to eliminate the
      stall, pass the BATCH PCM flag for PA to suppress the tsched mode as
      a temporary workaround.
    
    This patch implements the workarounds.  For the driver caps, it
    defines a new preset, AXZ_DCAPS_PRESET_AMD_SB.  It enables the FIFO-
    corrected position reporting (corresponding to the new position_fix=6)
    and enforces the SNDRV_PCM_INFO_BATCH flag.
    
    Note that the current implementation is merely a workaround.
    Hopefully we'll find a better alternative in future, especially about
    removing the BATCH flag hack again.
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

commit 0617bdede5114a0002298b12cd0ca2b0cfd0395d
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Wed Aug 7 13:57:18 2019 +0300

    Revert "PCI: Add missing link delays required by the PCIe spec"
    
    Commit c2bf1fc212f7 ("PCI: Add missing link delays required by the PCIe
    spec") turned out causing issues with some systems either by making them
    unresponsive or slowing down runtime and system wide resume of PCIe
    devices. While root cause for the unresponsiveness is still under
    investigation given the amount of issues reported better to revert it
    for now.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204413
    Link: https://lore.kernel.org/linux-pci/SL2P216MB01878BBCD75F21D882AEEA2880C60@SL2P216MB0187.KORP216.PROD.OUTLOOK.COM/
    Link: https://lore.kernel.org/linux-pci/2857501d-c167-547d-c57d-d5d24ea1f1dc@molgen.mpg.de/
    Reported-by: Matthias Andree <matthias.andree@gmx.de>
    Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Reported-by: Nicholas Johnson <nicholas.johnson-opensource@outlook.com.au>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723
Author: Wenwen Wang <wenwen@cs.uga.edu>
Date:   Wed Aug 7 04:08:51 2019 -0500

    ALSA: hiface: fix multiple memory leak bugs
    
    In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
    on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
    hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
    kzalloc().  However, if hiface_pcm_init_urb() fails, both 'rt' and
    'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
    Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
    
    To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
    
    Fixes: a91c3fb2f842 ("Add M2Tech hiFace USB-SPDIF driver")
    Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

commit d9dfe768b3f30faa8340cbf34196668714780c3c
Author: Marek Olšák <marek.olsak@amd.com>
Date:   Fri Aug 2 17:44:06 2019 -0400

    Revert "drm/amdgpu: fix transform feedback GDS hang on gfx10 (v2)"
    
    This reverts commit 9ed2c993d723129f85101e51b2ccc36ef5400a67.
    
    SET_CONFIG_REG writes to memory if register shadowing is enabled,
    causing a VM fault.
    
    NGG streamout is unstable anyway, so all UMDs should use legacy
    streamout. I think Mesa is the only driver using NGG streamout.
    
    Signed-off-by: Marek Olšák <marek.olsak@amd.com>
    Reviewed-by: Le Ma <Le.Ma@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

commit 93fa8587b25356382a39f1ca3a81d6c1b42ac731
Author: Vladimir Oltean <olteanv@gmail.com>
Date:   Mon Aug 5 01:38:48 2019 +0300

    net: dsa: sja1105: Fix memory leak on meta state machine error path
    
    When RX timestamping is enabled and two link-local (non-meta) frames are
    received in a row, this constitutes an error.
    
    The tagger is always caching the last link-local frame, in an attempt to
    merge it with the meta follow-up frame when that arrives. To recover
    from the above error condition, the initial cached link-local frame is
    dropped and the second frame in a row is cached (in expectance of the
    second meta frame).
    
    However, when dropping the initial link-local frame, its backing memory
    was being leaked.
    
    Fixes: f3097be21bf1 ("net: dsa: sja1105: Add a state machine for RX timestamping")
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit f163fed2764e66511fb5c489bf87e532ad7606fb
Author: Vladimir Oltean <olteanv@gmail.com>
Date:   Mon Aug 5 01:38:47 2019 +0300

    net: dsa: sja1105: Fix memory leak on meta state machine normal path
    
    After a meta frame is received, it is associated with the cached
    sp->data->stampable_skb from the DSA tagger private structure.
    
    Cached means its refcount is incremented with skb_get() in order for
    dsa_switch_rcv() to not free it when the tagger .rcv returns NULL.
    
    The mistake is that skb_unref() is not the correct function to use. It
    will correctly decrement the refcount (which will go back to zero) but
    the skb memory will not be freed.  That is the job of kfree_skb(), which
    also calls skb_unref().
    
    But it turns out that freeing the cached stampable_skb is in fact not
    necessary.  It is still a perfectly valid skb, and now it is even
    annotated with the partial RX timestamp.  So remove the skb_copy()
    altogether and simply pass the stampable_skb with a refcount of 1
    (incremented by us, decremented by dsa_switch_rcv) up the stack.
    
    Fixes: f3097be21bf1 ("net: dsa: sja1105: Add a state machine for RX timestamping")
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 6cb0abbdf90c180e1310976c47399f57477e0e53
Author: Vladimir Oltean <olteanv@gmail.com>
Date:   Mon Aug 5 01:38:46 2019 +0300

    net: dsa: sja1105: Really fix panic on unregistering PTP clock
    
    The IS_ERR_OR_NULL(priv->clock) check inside
    sja1105_ptp_clock_unregister() is preventing cancel_delayed_work_sync
    from actually being run.
    
    Additionally, sja1105_ptp_clock_unregister() does not actually get run,
    when placed in sja1105_remove(). The DSA switch gets torn down, but the
    sja1105 module does not get unregistered. So sja1105_ptp_clock_unregister
    needs to be moved to sja1105_teardown, to be symmetrical with
    sja1105_ptp_clock_register which is called from the DSA sja1105_setup.
    
    It is strange to fix a "fixes" patch, but the probe failure can only be
    seen when the attached PHY does not respond to MDIO (issue which I can't
    pinpoint the reason to) and it goes away after I power-cycle the board.
    This time the patch was validated on a failing board, and the kernel
    panic from the fixed commit's message can no longer be seen.
    
    Fixes: 29dd908d355f ("net: dsa: sja1105: Cancel PTP delayed work on unregister")
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 4b7da3d808f91cdad3e34059cd68ba3dfe4c3695
Author: Vladimir Oltean <olteanv@gmail.com>
Date:   Mon Aug 5 01:38:45 2019 +0300

    net: dsa: sja1105: Use the LOCKEDS bit for SJA1105 E/T as well
    
    It looks like the FDB dump taken from first-generation switches also
    contains information on whether entries are static or not. So use that
    instead of searching through the driver's tables.
    
    Fixes: d763778224ea ("net: dsa: sja1105: Implement is_static for FDB entries on E/T")
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 6d7c7d948a2e9f87b4e7726dee94c59300e1786b
Author: Vladimir Oltean <olteanv@gmail.com>
Date:   Mon Aug 5 01:38:44 2019 +0300

    net: dsa: sja1105: Fix broken learning with vlan_filtering disabled
    
    When put under a bridge with vlan_filtering 0, the SJA1105 ports will
    flood all traffic as if learning was broken. This is because learning
    interferes with the rx_vid's configured by dsa_8021q as unique pvid's.
    
    So learning technically still *does* work, it's just that the learnt
    entries never get matched due to their unique VLAN ID.
    
    The setting that saves the day is Shared VLAN Learning, which on this
    switch family works exactly as desired: VLAN tagging still works
    (untagged traffic gets the correct pvid) and FDB entries are still
    populated with the correct contents including VID. Also, a frame cannot
    violate the forwarding domain restrictions enforced by its classified
    VLAN. It is just that the VID is ignored when looking up the FDB for
    taking a forwarding decision (selecting the egress port).
    
    This patch activates SVL, and the result is that frames with a learnt
    DMAC are no longer flooded in the scenario described above.
    
    Now exactly *because* SVL works as desired, we have to revisit some
    earlier patches:
    
    - It is no longer necessary to manipulate the VID of the 'bridge fdb
      {add,del}' command when vlan_filtering is off. This is because now,
      SVL is enabled for that case, so the actual VID does not matter*.
    
    - It is still desirable to hide dsa_8021q VID's in the FDB dump
      callback. But right now the dump callback should no longer hide
      duplicates (one per each front panel port's pvid, plus one for the
      VLAN that the CPU port is going to tag a TX frame with), because there
      shouldn't be any (the switch will match a single FDB entry no matter
      its VID anyway).
    
    * Not really... It's no longer necessary to transform a 'bridge fdb add'
      into 5 fdb add operations, but the user might still add a fdb entry with
      any vid, and all of them would appear as duplicates in 'bridge fdb
      show'. So force a 'bridge fdb add' to insert the VID of 0**, so that we
      can prune the duplicates at insertion time.
    
    ** The VID of 0 is better than 1 because it is always guaranteed to be
       in the ports' hardware filter. DSA also avoids putting the VID inside
       the netlink response message towards the bridge driver when we return
       this particular VID, which makes it suitable for FDB entries learnt
       with vlan_filtering off.
    
    Fixes: 227d07a07ef1 ("net: dsa: sja1105: Add support for traffic through standalone ports")
    Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
    Signed-off-by: Georg Waibel <georg.waibel@sensor-technik.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit f26e0cca14c9494c863d8fa6825b10bd12dc9eaa
Author: Nishka Dasgupta <nishkadg.linux@gmail.com>
Date:   Sun Aug 4 21:00:18 2019 +0530

    net: dsa: qca8k: Add of_node_put() in qca8k_setup_mdio_bus()
    
    Each iteration of for_each_available_child_of_node() puts the previous
    node, but in the case of a return from the middle of the loop, there
    is no put, thus causing a memory leak. Hence add an of_node_put() before
    the return.
    Additionally, the local variable ports in the function
    qca8k_setup_mdio_bus() takes the return value of of_get_child_by_name(),
    which gets a node but does not put it. If the function returns without
    putting ports, it may cause a memory leak. Hence put ports before the
    mid-loop return statement, and also outside the loop after its last usage
    in this function.
    Issues found with Coccinelle.
    
    Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 67cbf7dedd03a63ca2fbd9df2049eabba7a37edf
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Sat Aug 3 16:36:19 2019 +0300

    net: sched: sample: allow accessing psample_group with rtnl
    
    Recently implemented support for sample action in flow_offload infra leads
    to following rcu usage warning:
    
    [ 1938.234856] =============================
    [ 1938.234858] WARNING: suspicious RCU usage
    [ 1938.234863] 5.3.0-rc1+ #574 Not tainted
    [ 1938.234866] -----------------------------
    [ 1938.234869] include/net/tc_act/tc_sample.h:47 suspicious rcu_dereference_check() usage!
    [ 1938.234872]
                   other info that might help us debug this:
    
    [ 1938.234875]
                   rcu_scheduler_active = 2, debug_locks = 1
    [ 1938.234879] 1 lock held by tc/19540:
    [ 1938.234881]  #0: 00000000b03cb918 (rtnl_mutex){+.+.}, at: tc_new_tfilter+0x47c/0x970
    [ 1938.234900]
                   stack backtrace:
    [ 1938.234905] CPU: 2 PID: 19540 Comm: tc Not tainted 5.3.0-rc1+ #574
    [ 1938.234908] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
    [ 1938.234911] Call Trace:
    [ 1938.234922]  dump_stack+0x85/0xc0
    [ 1938.234930]  tc_setup_flow_action+0xed5/0x2040
    [ 1938.234944]  fl_hw_replace_filter+0x11f/0x2e0 [cls_flower]
    [ 1938.234965]  fl_change+0xd24/0x1b30 [cls_flower]
    [ 1938.234990]  tc_new_tfilter+0x3e0/0x970
    [ 1938.235021]  ? tc_del_tfilter+0x720/0x720
    [ 1938.235028]  rtnetlink_rcv_msg+0x389/0x4b0
    [ 1938.235038]  ? netlink_deliver_tap+0x95/0x400
    [ 1938.235044]  ? rtnl_dellink+0x2d0/0x2d0
    [ 1938.235053]  netlink_rcv_skb+0x49/0x110
    [ 1938.235063]  netlink_unicast+0x171/0x200
    [ 1938.235073]  netlink_sendmsg+0x224/0x3f0
    [ 1938.235091]  sock_sendmsg+0x5e/0x60
    [ 1938.235097]  ___sys_sendmsg+0x2ae/0x330
    [ 1938.235111]  ? __handle_mm_fault+0x12cd/0x19e0
    [ 1938.235125]  ? __handle_mm_fault+0x12cd/0x19e0
    [ 1938.235138]  ? find_held_lock+0x2b/0x80
    [ 1938.235147]  ? do_user_addr_fault+0x22d/0x490
    [ 1938.235160]  __sys_sendmsg+0x59/0xa0
    [ 1938.235178]  do_syscall_64+0x5c/0xb0
    [ 1938.235187]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [ 1938.235192] RIP: 0033:0x7ff9a4d597b8
    [ 1938.235197] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83
     ec 28 89 54
    [ 1938.235200] RSP: 002b:00007ffcfe381c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [ 1938.235205] RAX: ffffffffffffffda RBX: 000000005d4497f9 RCX: 00007ff9a4d597b8
    [ 1938.235208] RDX: 0000000000000000 RSI: 00007ffcfe381cb0 RDI: 0000000000000003
    [ 1938.235211] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000006
    [ 1938.235214] R10: 0000000000404ec2 R11: 0000000000000246 R12: 0000000000000001
    [ 1938.235217] R13: 0000000000480640 R14: 0000000000000012 R15: 0000000000000001
    
    Change tcf_sample_psample_group() helper to allow using it from both rtnl
    and rcu protected contexts.
    
    Fixes: a7a7be6087b0 ("net/sched: add sample action to the hardware intermediate representation")
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Reviewed-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit c4bd48699beb92d6bb99d6139d1e9737cca73480
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Sat Aug 3 16:36:18 2019 +0300

    net: sched: police: allow accessing police->params with rtnl
    
    Recently implemented support for police action in flow_offload infra leads
    to following rcu usage warning:
    
    [ 1925.881092] =============================
    [ 1925.881094] WARNING: suspicious RCU usage
    [ 1925.881098] 5.3.0-rc1+ #574 Not tainted
    [ 1925.881100] -----------------------------
    [ 1925.881104] include/net/tc_act/tc_police.h:57 suspicious rcu_dereference_check() usage!
    [ 1925.881106]
                   other info that might help us debug this:
    
    [ 1925.881109]
                   rcu_scheduler_active = 2, debug_locks = 1
    [ 1925.881112] 1 lock held by tc/18591:
    [ 1925.881115]  #0: 00000000b03cb918 (rtnl_mutex){+.+.}, at: tc_new_tfilter+0x47c/0x970
    [ 1925.881124]
                   stack backtrace:
    [ 1925.881127] CPU: 2 PID: 18591 Comm: tc Not tainted 5.3.0-rc1+ #574
    [ 1925.881130] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
    [ 1925.881132] Call Trace:
    [ 1925.881138]  dump_stack+0x85/0xc0
    [ 1925.881145]  tc_setup_flow_action+0x1771/0x2040
    [ 1925.881155]  fl_hw_replace_filter+0x11f/0x2e0 [cls_flower]
    [ 1925.881175]  fl_change+0xd24/0x1b30 [cls_flower]
    [ 1925.881200]  tc_new_tfilter+0x3e0/0x970
    [ 1925.881231]  ? tc_del_tfilter+0x720/0x720
    [ 1925.881243]  rtnetlink_rcv_msg+0x389/0x4b0
    [ 1925.881250]  ? netlink_deliver_tap+0x95/0x400
    [ 1925.881257]  ? rtnl_dellink+0x2d0/0x2d0
    [ 1925.881264]  netlink_rcv_skb+0x49/0x110
    [ 1925.881275]  netlink_unicast+0x171/0x200
    [ 1925.881284]  netlink_sendmsg+0x224/0x3f0
    [ 1925.881299]  sock_sendmsg+0x5e/0x60
    [ 1925.881305]  ___sys_sendmsg+0x2ae/0x330
    [ 1925.881309]  ? task_work_add+0x43/0x50
    [ 1925.881314]  ? fput_many+0x45/0x80
    [ 1925.881329]  ? __lock_acquire+0x248/0x1930
    [ 1925.881342]  ? find_held_lock+0x2b/0x80
    [ 1925.881347]  ? task_work_run+0x7b/0xd0
    [ 1925.881359]  __sys_sendmsg+0x59/0xa0
    [ 1925.881375]  do_syscall_64+0x5c/0xb0
    [ 1925.881381]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [ 1925.881384] RIP: 0033:0x7feb245047b8
    [ 1925.881388] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83
     ec 28 89 54
    [ 1925.881391] RSP: 002b:00007ffc2d2a5788 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [ 1925.881395] RAX: ffffffffffffffda RBX: 000000005d4497ed RCX: 00007feb245047b8
    [ 1925.881398] RDX: 0000000000000000 RSI: 00007ffc2d2a57f0 RDI: 0000000000000003
    [ 1925.881400] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000006
    [ 1925.881403] R10: 0000000000404ec2 R11: 0000000000000246 R12: 0000000000000001
    [ 1925.881406] R13: 0000000000480640 R14: 0000000000000012 R15: 0000000000000001
    
    Change tcf_police_rate_bytes_ps() and tcf_police_tcfp_burst() helpers to
    allow using them from both rtnl and rcu protected contexts.
    
    Fixes: 8c8cfc6ed274 ("net/sched: add police action to the hardware intermediate representation")
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Reviewed-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3
Author: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Date:   Sat Aug 3 20:31:41 2019 +0800

    net: hisilicon: Fix dma_map_single failed on arm64
    
    On the arm64 platform, executing "ifconfig eth0 up" will fail,
    returning "ifconfig: SIOCSIFFLAGS: Input/output error."
    
    ndev->dev is not initialized, dma_map_single->get_dma_ops->
    dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE
    directly, so when we use dma_map_single, the first parameter
    is to use the device of platform_device.
    
    Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit f2243b82785942be519016067ee6c55a063bbfe2
Author: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Date:   Sat Aug 3 20:31:40 2019 +0800

    net: hisilicon: fix hip04-xmit never return TX_BUSY
    
    TX_DESC_NUM is 256, in tx_count, the maximum value of
    mod(TX_DESC_NUM - 1) is 254, the variable "count" in
    the hip04_mac_start_xmit function is never equal to
    (TX_DESC_NUM - 1), so hip04_mac_start_xmit never
    return NETDEV_TX_BUSY.
    
    tx_count is modified to mod(TX_DESC_NUM) so that
    the maximum value of tx_count can reach
    (TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn
    NETDEV_TX_BUSY.
    
    Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 1a2c070ae805910a853b4a14818481ed2e17c727
Author: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Date:   Sat Aug 3 20:31:39 2019 +0800

    net: hisilicon: make hip04_tx_reclaim non-reentrant
    
    If hip04_tx_reclaim is interrupted while it is running
    and then __napi_schedule continues to execute
    hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs
    and oops is generated. So you need to mask the interrupt
    during the hip04_tx_reclaim run.
    
    The kernel oops exception stack is as follows:
    
    Unable to handle kernel NULL pointer dereference
    at virtual address 00000050
    pgd = c0003000
    [00000050] *pgd=80000000a04003, *pmd=00000000
    Internal error: Oops: 206 [#1] SMP ARM
    Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd
    ohci_platform ehci_platform ohci_hcd ehci_hcd
    vfat fat sd_mod usb_storage scsi_mod usbcore usb_common
    CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.4.185 #1
    Hardware name: Hisilicon A15
    task: c0a250e0 task.stack: c0a00000
    PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth]
    LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth]
    pc : [<bf30c3a4>]    lr : [<bf30c2f4>]    psr: 600e0313
    sp : c0a01d88  ip : 00000000  fp : c0601f9c
    r10: 00000000  r9 : c3482380  r8 : 00000001
    r7 : 00000000  r6 : 000000e1  r5 : c3482000  r4 : 0000000c
    r3 : f2209800  r2 : 00000000  r1 : 00000000  r0 : 00000000
    Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 32c5387d  Table: 03d28c80  DAC: 55555555
    Process swapper/0 (pid: 0, stack limit = 0xc0a00190)
    Stack: (0xc0a01d88 to 0xc0a02000)
    [<bf30c3a4>] (hip04_tx_reclaim [hip04_eth]) from [<bf30d2e0>]
                                                    (hip04_rx_poll+0x88/0x368 [hip04_eth])
    [<bf30d2e0>] (hip04_rx_poll [hip04_eth]) from [<c04c2d9c>] (net_rx_action+0x114/0x34c)
    [<c04c2d9c>] (net_rx_action) from [<c021eed8>] (__do_softirq+0x218/0x318)
    [<c021eed8>] (__do_softirq) from [<c021f284>] (irq_exit+0x88/0xac)
    [<c021f284>] (irq_exit) from [<c0240090>] (msa_irq_exit+0x11c/0x1d4)
    [<c0240090>] (msa_irq_exit) from [<c02677e0>] (__handle_domain_irq+0x110/0x148)
    [<c02677e0>] (__handle_domain_irq) from [<c0201588>] (gic_handle_irq+0xd4/0x118)
    [<c0201588>] (gic_handle_irq) from [<c0551700>] (__irq_svc+0x40/0x58)
    Exception stack(0xc0a01f30 to 0xc0a01f78)
    1f20:                                     c0ae8b40 00000000 00000000 00000000
    1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38
    1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff
    [<c0551700>] (__irq_svc) from [<c0203718>] (arch_cpu_idle+0x20/0x3c)
    [<c0203718>] (arch_cpu_idle) from [<c025bfd8>] (cpu_startup_entry+0x244/0x29c)
    [<c025bfd8>] (cpu_startup_entry) from [<c054b0d8>] (rest_init+0xc8/0x10c)
    [<c054b0d8>] (rest_init) from [<c0800c58>] (start_kernel+0x468/0x514)
    Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5)
    ---[ end trace 1db21d6d09c49d74 ]---
    Kernel panic - not syncing: Fatal exception in interrupt
    CPU3: stopping
    CPU: 3 PID: 0 Comm: swapper/3 Tainted: G      D    O    4.4.185 #1
    
    Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8571deb013812f35260b2b7152a522eacfa9ccf9
Author: Roman Mashak <mrv@mojatatu.com>
Date:   Fri Aug 2 15:16:47 2019 -0400

    tc-testing: updated vlan action tests with batch create/delete
    
    Update TDC tests with cases varifying ability of TC to install or delete
    batches of vlan actions.
    
    Signed-off-by: Roman Mashak <mrv@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit b35475c5491a14c8ce7a5046ef7bcda8a860581a
Author: Roman Mashak <mrv@mojatatu.com>
Date:   Fri Aug 2 15:16:46 2019 -0400

    net sched: update vlan action for batched events operations
    
    Add get_fill_size() routine used to calculate the action size
    when building a batch of events.
    
    Fixes: c7e2b9689 ("sched: introduce vlan action")
    Signed-off-by: Roman Mashak <mrv@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 72cda9bb5e219aea0f2f62f56ae05198c59022a7
Author: Likun Gao <Likun.Gao@amd.com>
Date:   Fri Aug 2 15:18:57 2019 +0800

    drm/amdgpu: pin the csb buffer on hw init for gfx v8
    
    Without this pin, the csb buffer will be filled with inconsistent
    data after S3 resume. And that will causes gfx hang on gfxoff
    exit since this csb will be executed then.
    
    Signed-off-by: Likun Gao <Likun.Gao@amd.com>
    Tested-by: Paul Gover <pmw.gover@yahoo.co.uk>
    Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
    Reviewed-by: Xiaojie Yuan <xiaojie.yuan@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

commit 4a6a1385a4db5f42258a40fcd497cbfd22075968
Author: Jose Abreu <Jose.Abreu@synopsys.com>
Date:   Tue Aug 6 15:16:18 2019 +0200

    net: stmmac: tc: Do not return a fragment entry
    
    Do not try to return a fragment entry from TC list. Otherwise we may not
    clean properly allocated entries.
    
    Signed-off-by: Jose Abreu <joabreu@synopsys.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e8df7e8c233a18d2704e37ecff47583b494789d3
Author: Jose Abreu <Jose.Abreu@synopsys.com>
Date:   Tue Aug 6 15:16:17 2019 +0200

    net: stmmac: Fix issues when number of Queues >= 4
    
    When queues >= 4 we use different registers but we were not subtracting
    the offset of 4. Fix this.
    
    Found out by Coverity.
    
    Signed-off-by: Jose Abreu <joabreu@synopsys.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 0efedbf11f07adee555e0c4ba9c6eb58760aa94f
Author: Jose Abreu <Jose.Abreu@synopsys.com>
Date:   Tue Aug 6 15:16:16 2019 +0200

    net: stmmac: xgmac: Fix XGMAC selftests
    
    Fixup the XGMAC selftests by correctly finishing the implementation of
    set_filter callback.
    
    Result:
    $ ethtool -t enp4s0
    The test result is PASS
    The test extra info:
     1. MAC Loopback                 0
     2. PHY Loopback                 -95
     3. MMC Counters                 -95
     4. EEE                          -95
     5. Hash Filter MC               0
     6. Perfect Filter UC            0
     7. MC Filter                    0
     8. UC Filter                    0
     9. Flow Control                 0
    
    Signed-off-by: Jose Abreu <joabreu@synopsys.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit d0d006a43e9a7a796f6f178839c92fcc222c564d
Author: Denis Kirjanov <kda@linux-powerpc.org>
Date:   Tue Aug 6 12:51:11 2019 +0200

    be2net: disable bh with spin_lock in be_process_mcc
    
    be_process_mcc() is invoked in 3 different places and
    always with BHs disabled except the be_poll function
    but since it's invoked from softirq with BHs
    disabled it won't hurt.
    
    v1->v2: added explanation to the patch
    v2->v3: add a missing call from be_cmds.c
    
    Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit debea2cd3193ac868289e8893c3a719c265b0612
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Tue Aug 6 10:55:12 2019 +0200

    net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    
    A call to 'kfree_skb()' is missing in the error handling path of
    'init_one()'.
    This is already present in 'remove_one()' but is missing here.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 5c4e2e1af345426f63410a50e2a678673574aa02
Author: Chen-Yu Tsai <wens@csie.org>
Date:   Tue Aug 6 15:35:39 2019 +0800

    net: ethernet: sun4i-emac: Support phy-handle property for finding PHYs
    
    The sun4i-emac uses the "phy" property to find the PHY it's supposed to
    use. This property was deprecated in favor of "phy-handle" in commit
    8c5b09447625 ("dt-bindings: net: sun4i-emac: Convert the binding to a
    schemas").
    
    Add support for this new property name, and fall back to the old one in
    case the device tree hasn't been updated.
    
    Signed-off-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit b803974a86039913d5280add083d730b2b9ed8ec
Author: Kevin Hao <haokexin@gmail.com>
Date:   Fri Jul 26 10:30:49 2019 +0800

    mmc: cavium: Add the missing dma unmap when the dma has finished.
    
    This fixes the below calltrace when the CONFIG_DMA_API_DEBUG is enabled.
      DMA-API: thunderx_mmc 0000:01:01.4: cpu touching an active dma mapped cacheline [cln=0x000000002fdf9800]
      WARNING: CPU: 21 PID: 1 at kernel/dma/debug.c:596 debug_dma_assert_idle+0x1f8/0x270
      Modules linked in:
      CPU: 21 PID: 1 Comm: init Not tainted 5.3.0-rc1-next-20190725-yocto-standard+ #64
      Hardware name: Marvell OcteonTX CN96XX board (DT)
      pstate: 80400009 (Nzcv daif +PAN -UAO)
      pc : debug_dma_assert_idle+0x1f8/0x270
      lr : debug_dma_assert_idle+0x1f8/0x270
      sp : ffff0000113cfc10
      x29: ffff0000113cfc10 x28: 0000ffff8c880000
      x27: ffff800bc72a0000 x26: ffff000010ff8000
      x25: ffff000010ff8940 x24: ffff000010ff8968
      x23: 0000000000000000 x22: ffff000010e83700
      x21: ffff000010ea2000 x20: ffff000010e835c8
      x19: ffff800bc2c73300 x18: ffffffffffffffff
      x17: 0000000000000000 x16: 0000000000000000
      x15: ffff000010e835c8 x14: 6d20616d64206576
      x13: 69746361206e6120 x12: 676e696863756f74
      x11: 20757063203a342e x10: 31303a31303a3030
      x9 : 303020636d6d5f78 x8 : 3230303030303030
      x7 : 00000000000002fd x6 : ffff000010fd57d0
      x5 : 0000000000000000 x4 : ffff0000106c5210
      x3 : 00000000ffffffff x2 : 0000800bee9c0000
      x1 : 57d5843f4aa62800 x0 : 0000000000000000
      Call trace:
       debug_dma_assert_idle+0x1f8/0x270
       wp_page_copy+0xb0/0x688
       do_wp_page+0xa8/0x5b8
       __handle_mm_fault+0x600/0xd00
       handle_mm_fault+0x118/0x1e8
       do_page_fault+0x200/0x500
       do_mem_abort+0x50/0xb0
       el0_da+0x20/0x24
      ---[ end trace a005534bd23e109f ]---
      DMA-API: Mapped at:
       debug_dma_map_sg+0x94/0x350
       cvm_mmc_request+0x3c4/0x988
       __mmc_start_request+0x9c/0x1f8
       mmc_start_request+0x7c/0xb0
       mmc_blk_mq_issue_rq+0x5c4/0x7b8
    
    Signed-off-by: Kevin Hao <haokexin@gmail.com>
    Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

commit fa25eba6993b3750f417baabba169afaba076178
Author: Kevin Hao <haokexin@gmail.com>
Date:   Fri Jul 26 10:30:48 2019 +0800

    mmc: cavium: Set the correct dma max segment size for mmc_host
    
    We have set the mmc_host.max_seg_size to 8M, but the dma max segment
    size of PCI device is set to 64K by default in function pci_device_add().
    The mmc_host.max_seg_size is used to set the max segment size of
    the blk queue. Then this mismatch will trigger a calltrace like below
    when a bigger than 64K segment request arrives at mmc dev. So we should
    consider the limitation of the cvm_mmc_host when setting the
    mmc_host.max_seg_size.
      DMA-API: thunderx_mmc 0000:01:01.4: mapping sg segment longer than device claims to support [len=131072] [max=65536]
      WARNING: CPU: 6 PID: 238 at kernel/dma/debug.c:1221 debug_dma_map_sg+0x2b8/0x350
      Modules linked in:
      CPU: 6 PID: 238 Comm: kworker/6:1H Not tainted 5.3.0-rc1-next-20190724-yocto-standard+ #62
      Hardware name: Marvell OcteonTX CN96XX board (DT)
      Workqueue: kblockd blk_mq_run_work_fn
      pstate: 80c00009 (Nzcv daif +PAN +UAO)
      pc : debug_dma_map_sg+0x2b8/0x350
     …
  • Loading branch information
akpm00 authored and hnaz committed Aug 9, 2019
1 parent e21a712 commit c88a53c
Show file tree
Hide file tree
Showing 373 changed files with 3,797 additions and 1,933 deletions.
88 changes: 80 additions & 8 deletions Documentation/admin-guide/hw-vuln/spectre.rst
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,11 @@ Related CVEs

The following CVE entries describe Spectre variants:

============= ======================= =================
============= ======================= ==========================
CVE-2017-5753 Bounds check bypass Spectre variant 1
CVE-2017-5715 Branch target injection Spectre variant 2
============= ======================= =================
CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
============= ======================= ==========================

Problem
-------
Expand Down Expand Up @@ -78,6 +79,13 @@ There are some extensions of Spectre variant 1 attacks for reading data
over the network, see :ref:`[12] <spec_ref12>`. However such attacks
are difficult, low bandwidth, fragile, and are considered low risk.

Note that, despite "Bounds Check Bypass" name, Spectre variant 1 is not
only about user-controlled array bounds checks. It can affect any
conditional checks. The kernel entry code interrupt, exception, and NMI
handlers all have conditional swapgs checks. Those may be problematic
in the context of Spectre v1, as kernel code can speculatively run with
a user GS.

Spectre variant 2 (Branch Target Injection)
-------------------------------------------

Expand Down Expand Up @@ -132,6 +140,9 @@ not cover all possible attack vectors.
1. A user process attacking the kernel
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Spectre variant 1
~~~~~~~~~~~~~~~~~

The attacker passes a parameter to the kernel via a register or
via a known address in memory during a syscall. Such parameter may
be used later by the kernel as an index to an array or to derive
Expand All @@ -144,7 +155,40 @@ not cover all possible attack vectors.
potentially be influenced for Spectre attacks, new "nospec" accessor
macros are used to prevent speculative loading of data.

Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
Spectre variant 1 (swapgs)
~~~~~~~~~~~~~~~~~~~~~~~~~~

An attacker can train the branch predictor to speculatively skip the
swapgs path for an interrupt or exception. If they initialize
the GS register to a user-space value, if the swapgs is speculatively
skipped, subsequent GS-related percpu accesses in the speculation
window will be done with the attacker-controlled GS value. This
could cause privileged memory to be accessed and leaked.

For example:

::

if (coming from user space)
swapgs
mov %gs:<percpu_offset>, %reg
mov (%reg), %reg1

When coming from user space, the CPU can speculatively skip the
swapgs, and then do a speculative percpu load using the user GS
value. So the user can speculatively force a read of any kernel
value. If a gadget exists which uses the percpu value as an address
in another load/store, then the contents of the kernel value may
become visible via an L1 side channel attack.

A similar attack exists when coming from kernel space. The CPU can
speculatively do the swapgs, causing the user GS to get used for the
rest of the speculative window.

Spectre variant 2
~~~~~~~~~~~~~~~~~

A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
target buffer (BTB) before issuing syscall to launch an attack.
After entering the kernel, the kernel could use the poisoned branch
target buffer on indirect jump and jump to gadget code in speculative
Expand Down Expand Up @@ -280,11 +324,18 @@ The sysfs file showing Spectre variant 1 mitigation status is:

The possible values in this file are:

======================================= =================================
'Mitigation: __user pointer sanitation' Protection in kernel on a case by
case base with explicit pointer
sanitation.
======================================= =================================
.. list-table::

* - 'Not affected'
- The processor is not vulnerable.
* - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
- The swapgs protections are disabled; otherwise it has
protection in the kernel on a case by case base with explicit
pointer sanitation and usercopy LFENCE barriers.
* - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
- Protection in the kernel on a case by case base with explicit
pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE
barriers.

However, the protections are put in place on a case by case basis,
and there is no guarantee that all possible attack vectors for Spectre
Expand Down Expand Up @@ -366,12 +417,27 @@ Turning on mitigation for Spectre variant 1 and Spectre variant 2
1. Kernel mitigation
^^^^^^^^^^^^^^^^^^^^

Spectre variant 1
~~~~~~~~~~~~~~~~~

For the Spectre variant 1, vulnerable kernel code (as determined
by code audit or scanning tools) is annotated on a case by case
basis to use nospec accessor macros for bounds clipping :ref:`[2]
<spec_ref2>` to avoid any usable disclosure gadgets. However, it may
not cover all attack vectors for Spectre variant 1.

Copy-from-user code has an LFENCE barrier to prevent the access_ok()
check from being mis-speculated. The barrier is done by the
barrier_nospec() macro.

For the swapgs variant of Spectre variant 1, LFENCE barriers are
added to interrupt, exception and NMI entry where needed. These
barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and
FENCE_SWAPGS_USER_ENTRY macros.

Spectre variant 2
~~~~~~~~~~~~~~~~~

For Spectre variant 2 mitigation, the compiler turns indirect calls or
jumps in the kernel into equivalent return trampolines (retpolines)
:ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` to go to the target
Expand Down Expand Up @@ -473,6 +539,12 @@ Mitigation control on the kernel command line
Spectre variant 2 mitigation can be disabled or force enabled at the
kernel command line.

nospectre_v1

[X86,PPC] Disable mitigations for Spectre Variant 1
(bounds check bypass). With this option data leaks are
possible in the system.

nospectre_v2

[X86] Disable all mitigations for the Spectre variant 2
Expand Down
8 changes: 4 additions & 4 deletions Documentation/admin-guide/kernel-parameters.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2604,7 +2604,7 @@
expose users to several CPU vulnerabilities.
Equivalent to: nopti [X86,PPC]
kpti=0 [ARM64]
nospectre_v1 [PPC]
nospectre_v1 [X86,PPC]
nobp=0 [S390]
nospectre_v2 [X86,PPC,S390,ARM64]
spectre_v2_user=off [X86]
Expand Down Expand Up @@ -2965,9 +2965,9 @@
nosmt=force: Force disable SMT, cannot be undone
via the sysfs control file.

nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds
check bypass). With this option data leaks are possible
in the system.
nospectre_v1 [X86,PPC] Disable mitigations for Spectre Variant 1
(bounds check bypass). With this option data leaks are
possible in the system.

nospectre_v2 [X86,PPC_FSL_BOOK3E,ARM64] Disable all mitigations for
the Spectre variant 2 (indirect branch prediction)
Expand Down
1 change: 0 additions & 1 deletion Documentation/devicetree/bindings/spi/spi-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,6 @@ patternProperties:
Compatible of the SPI device.

reg:
maxItems: 1
minimum: 0
maximum: 256
description:
Expand Down
26 changes: 16 additions & 10 deletions Documentation/filesystems/cifs/TODO
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,22 @@ a) SMB3 (and SMB3.1.1) missing optional features:
- T10 copy offload ie "ODX" (copy chunk, and "Duplicate Extents" ioctl
currently the only two server side copy mechanisms supported)

b) improved sparse file support
b) improved sparse file support (fiemap and SEEK_HOLE are implemented
but additional features would be supportable by the protocol).

c) Directory entry caching relies on a 1 second timer, rather than
using Directory Leases, currently only the root file handle is cached longer

d) quota support (needs minor kernel change since quota calls
to make it to network filesystems or deviceless filesystems)

e) Additional use cases where we use "compoounding" (e.g. open/query/close
and open/setinfo/close) to reduce the number of roundtrips, and also
open to reduce redundant opens (using deferred close and reference counts more).
e) Additional use cases can be optimized to use "compounding"
(e.g. open/query/close and open/setinfo/close) to reduce the number
of roundtrips to the server and improve performance. Various cases
(stat, statfs, create, unlink, mkdir) already have been improved by
using compounding but more can be done. In addition we could significantly
reduce redundant opens by using deferred close (with handle caching leases)
and better using reference counters on file handles.

f) Finish inotify support so kde and gnome file list windows
will autorefresh (partially complete by Asser). Needs minor kernel
Expand All @@ -43,18 +48,17 @@ mount or a per server basis to client UIDs or nobody if no mapping
exists. Also better integration with winbind for resolving SID owners

k) Add tools to take advantage of more smb3 specific ioctls and features
(passthrough ioctl/fsctl for sending various SMB3 fsctls to the server
is in progress, and a passthrough query_info call is already implemented
in cifs.ko to allow smb3 info levels queries to be sent from userspace)
(passthrough ioctl/fsctl is now implemented in cifs.ko to allow sending
various SMB3 fsctls and query info and set info calls directly from user space)
Add tools to make setting various non-POSIX metadata attributes easier
from tools (e.g. extending what was done in smb-info tool).

l) encrypted file support

m) improved stats gathering tools (perhaps integration with nfsometer?)
to extend and make easier to use what is currently in /proc/fs/cifs/Stats

n) allow setting more NTFS/SMB3 file attributes remotely (currently limited to compressed
file attribute via chflags) and improve user space tools for managing and
viewing them.
n) Add support for claims based ACLs ("DAC")

o) mount helper GUI (to simplify the various configuration options on mount)

Expand Down Expand Up @@ -82,6 +86,8 @@ so far).
w) Add support for additional strong encryption types, and additional spnego
authentication mechanisms (see MS-SMB2)

x) Finish support for SMB3.1.1 compression

KNOWN BUGS
====================================
See http://bugzilla.samba.org - search on product "CifsVFS" for
Expand Down
23 changes: 17 additions & 6 deletions Documentation/networking/tls-offload.rst
Original file line number Diff line number Diff line change
Expand Up @@ -424,13 +424,24 @@ Statistics
Following minimum set of TLS-related statistics should be reported
by the driver:

* ``rx_tls_decrypted`` - number of successfully decrypted TLS segments
* ``tx_tls_encrypted`` - number of in-order TLS segments passed to device
for encryption
* ``rx_tls_decrypted_packets`` - number of successfully decrypted RX packets
which were part of a TLS stream.
* ``rx_tls_decrypted_bytes`` - number of TLS payload bytes in RX packets
which were successfully decrypted.
* ``tx_tls_encrypted_packets`` - number of TX packets passed to the device
for encryption of their TLS payload.
* ``tx_tls_encrypted_bytes`` - number of TLS payload bytes in TX packets
passed to the device for encryption.
* ``tx_tls_ctx`` - number of TLS TX HW offload contexts added to device for
encryption.
* ``tx_tls_ooo`` - number of TX packets which were part of a TLS stream
but did not arrive in the expected order
* ``tx_tls_drop_no_sync_data`` - number of TX packets dropped because
they arrived out of order and associated record could not be found
but did not arrive in the expected order.
* ``tx_tls_drop_no_sync_data`` - number of TX packets which were part of
a TLS stream dropped, because they arrived out of order and associated
record could not be found.
* ``tx_tls_drop_bypass_req`` - number of TX packets which were part of a TLS
stream dropped, because they contain both data that has been encrypted by
software and data that expects hardware crypto offload.

Notable corner cases, exceptions and additional requirements
============================================================
Expand Down
15 changes: 5 additions & 10 deletions MAINTAINERS
Original file line number Diff line number Diff line change
Expand Up @@ -6377,7 +6377,7 @@ FRAMEBUFFER LAYER
M: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
L: dri-devel@lists.freedesktop.org
L: linux-fbdev@vger.kernel.org
T: git git://github.com/bzolnier/linux.git
T: git git://anongit.freedesktop.org/drm/drm-misc
Q: http://patchwork.kernel.org/project/linux-fbdev/list/
S: Maintained
F: Documentation/fb/
Expand Down Expand Up @@ -6827,13 +6827,6 @@ F: Documentation/filesystems/gfs2*.txt
F: fs/gfs2/
F: include/uapi/linux/gfs2_ondisk.h

GIGASET ISDN DRIVERS
M: Paul Bolle <pebolle@tiscali.nl>
L: gigaset307x-common@lists.sourceforge.net
W: http://gigaset307x.sourceforge.net/
S: Odd Fixes
F: drivers/staging/isdn/gigaset/

GNSS SUBSYSTEM
M: Johan Hovold <johan@kernel.org>
T: git git://git.kernel.org/pub/scm/linux/kernel/git/johan/gnss.git
Expand Down Expand Up @@ -8049,6 +8042,7 @@ S: Maintained
F: drivers/video/fbdev/i810/

INTEL ASoC DRIVERS
M: Cezary Rojewski <cezary.rojewski@intel.com>
M: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
M: Liam Girdwood <liam.r.girdwood@linux.intel.com>
M: Jie Yang <yang.jie@linux.intel.com>
Expand Down Expand Up @@ -11149,6 +11143,7 @@ L: netdev@vger.kernel.org
S: Maintained
W: https://fedorahosted.org/dropwatch/
F: net/core/drop_monitor.c
F: include/uapi/linux/net_dropmon.h

NETWORKING DRIVERS
M: "David S. Miller" <davem@davemloft.net>
Expand Down Expand Up @@ -11287,6 +11282,7 @@ M: Aviad Yehezkel <aviadye@mellanox.com>
M: Dave Watson <davejwatson@fb.com>
M: John Fastabend <john.fastabend@gmail.com>
M: Daniel Borkmann <daniel@iogearbox.net>
M: Jakub Kicinski <jakub.kicinski@netronome.com>
L: netdev@vger.kernel.org
S: Maintained
F: net/tls/*
Expand Down Expand Up @@ -16089,7 +16085,7 @@ S: Maintained
F: drivers/net/ethernet/ti/netcp*

TI PCM3060 ASoC CODEC DRIVER
M: Kirill Marinushkin <kmarinushkin@birdec.tech>
M: Kirill Marinushkin <kmarinushkin@birdec.com>
L: alsa-devel@alsa-project.org (moderated for non-subscribers)
S: Maintained
F: Documentation/devicetree/bindings/sound/pcm3060.txt
Expand Down Expand Up @@ -17565,7 +17561,6 @@ M: Jakub Kicinski <jakub.kicinski@netronome.com>
M: Jesper Dangaard Brouer <hawk@kernel.org>
M: John Fastabend <john.fastabend@gmail.com>
L: netdev@vger.kernel.org
L: xdp-newbies@vger.kernel.org
L: bpf@vger.kernel.org
S: Supported
F: net/core/xdp.c
Expand Down
7 changes: 4 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -419,6 +419,7 @@ NM = $(CROSS_COMPILE)nm
STRIP = $(CROSS_COMPILE)strip
OBJCOPY = $(CROSS_COMPILE)objcopy
OBJDUMP = $(CROSS_COMPILE)objdump
OBJSIZE = $(CROSS_COMPILE)size
PAHOLE = pahole
LEX = flex
YACC = bison
Expand Down Expand Up @@ -475,9 +476,9 @@ GCC_PLUGINS_CFLAGS :=
CLANG_FLAGS :=

export ARCH SRCARCH CONFIG_SHELL HOSTCC KBUILD_HOSTCFLAGS CROSS_COMPILE AS LD CC
export CPP AR NM STRIP OBJCOPY OBJDUMP PAHOLE KBUILD_HOSTLDFLAGS KBUILD_HOSTLDLIBS
export MAKE LEX YACC AWK INSTALLKERNEL PERL PYTHON PYTHON2 PYTHON3 UTS_MACHINE
export HOSTCXX KBUILD_HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
export CPP AR NM STRIP OBJCOPY OBJDUMP OBJSIZE PAHOLE LEX YACC AWK INSTALLKERNEL
export PERL PYTHON PYTHON2 PYTHON3 CHECK CHECKFLAGS MAKE UTS_MACHINE HOSTCXX
export KBUILD_HOSTCXXFLAGS KBUILD_HOSTLDFLAGS KBUILD_HOSTLDLIBS LDFLAGS_MODULE

export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS
export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
Expand Down
7 changes: 5 additions & 2 deletions arch/arm64/include/asm/pgtable.h
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ static inline pmd_t pmd_mkcont(pmd_t pmd)

static inline pte_t pte_mkdevmap(pte_t pte)
{
return set_pte_bit(pte, __pgprot(PTE_DEVMAP));
return set_pte_bit(pte, __pgprot(PTE_DEVMAP | PTE_SPECIAL));
}

static inline void set_pte(pte_t *ptep, pte_t pte)
Expand Down Expand Up @@ -396,7 +396,10 @@ static inline int pmd_protnone(pmd_t pmd)
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
#define pmd_devmap(pmd) pte_devmap(pmd_pte(pmd))
#endif
#define pmd_mkdevmap(pmd) pte_pmd(pte_mkdevmap(pmd_pte(pmd)))
static inline pmd_t pmd_mkdevmap(pmd_t pmd)
{
return pte_pmd(set_pte_bit(pmd_pte(pmd), __pgprot(PTE_DEVMAP)));
}

#define __pmd_to_phys(pmd) __pte_to_phys(pmd_pte(pmd))
#define __phys_to_pmd_val(phys) __phys_to_pte_val(phys)
Expand Down
1 change: 1 addition & 0 deletions arch/mips/cavium-octeon/octeon-usb.c
Original file line number Diff line number Diff line change
Expand Up @@ -398,6 +398,7 @@ static int dwc3_octeon_clocks_start(struct device *dev, u64 base)
default:
dev_err(dev, "Invalid ref_clk %u, using 100000000 instead\n",
clock_rate);
/* fall through */
case 100000000:
mpll_mul = 0x19;
if (ref_clk_sel < 2)
Expand Down
2 changes: 2 additions & 0 deletions arch/mips/kernel/cacheinfo.c
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ static int __populate_cache_leaves(unsigned int cpu)
if (c->tcache.waysize)
populate_cache(tcache, this_leaf, 3, CACHE_TYPE_UNIFIED);

this_cpu_ci->cpu_map_populated = true;

return 0;
}

Expand Down
3 changes: 2 additions & 1 deletion arch/mips/kernel/i8253.c
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,8 @@ void __init setup_pit_timer(void)

static int __init init_pit_clocksource(void)
{
if (num_possible_cpus() > 1) /* PIT does not scale! */
if (num_possible_cpus() > 1 || /* PIT does not scale! */
!clockevent_state_periodic(&i8253_clockevent))
return 0;

return clocksource_i8253_init();
Expand Down
Loading

0 comments on commit c88a53c

Please sign in to comment.