author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-20 09:53:40 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-07-20 09:53:40 -0400 |
commit | 7f12b7532553fc698a1ff2bc0756e63b96910ca0 (patch) | |
tree | 432eee118b9b2e76595cb20277ee012c6292b6a3 | |
parent | fc51e4dc13f0a459350c6d1d4eb30713a4a912b5 (diff) | |
download | longterm-queue-4.12-7f12b7532553fc698a1ff2bc0756e63b96910ca0.tar.gz |
raw import of new content
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
177 files changed, 10061 insertions, 0 deletions
diff --git a/queue/ARM64-dts-meson-gxbb-odroidc2-fix-usb1-power-supply.patch b/queue/ARM64-dts-meson-gxbb-odroidc2-fix-usb1-power-supply.patch
new file mode 100644
index 0000000..3dab528
--- /dev/null
+++ b/queue/ARM64-dts-meson-gxbb-odroidc2-fix-usb1-power-supply.patch
@@ -0,0 +1,30 @@
+From e841ec956e539f4002f5e9fe9f9e904dcca12d5d Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Thu, 19 Oct 2017 12:31:09 +0200
+Subject: [PATCH] ARM64: dts: meson-gxbb-odroidc2: fix usb1 power supply
+
+commit e841ec956e539f4002f5e9fe9f9e904dcca12d5d upstream.
+
+Looking at the schematics, the USB Power Supply is shared between the
+two USB interfaces,
+If the usb0 fails to initialize, the second one won't have power.
+
+Fixes: 5a0803bd5ae2 ("ARM64: dts: meson-gxbb-odroidc2: Enable USB Nodes")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
+index 1deaa53c9fb5..2e5ed59e697e 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts
+@@ -301,6 +301,7 @@
+
+ &usb1_phy {
+ status = "okay";
++ phy-supply = <&usb_otg_pwr>;
+ };
+
+ &usb0 {
+--
+2.15.0
+
diff --git a/queue/ASoC-Intel-Skylake-Fix-uuid_module-memory-leak-in-fa.patch b/queue/ASoC-Intel-Skylake-Fix-uuid_module-memory-leak-in-fa.patch
new file mode 100644
index 0000000..593523b
--- /dev/null
+++ b/queue/ASoC-Intel-Skylake-Fix-uuid_module-memory-leak-in-fa.patch
@@ -0,0 +1,67 @@
+From f8e066521192c7debe59127d90abbe2773577e25 Mon Sep 17 00:00:00 2001
+From: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
+Date: Tue, 7 Nov 2017 16:16:19 +0530
+Subject: [PATCH] ASoC: Intel: Skylake: Fix uuid_module memory leak in failure
+ case
+
+commit f8e066521192c7debe59127d90abbe2773577e25 upstream.
+
+In the loop that adds the uuid_module to the uuid_list list, allocated
+memory is not properly freed in the error path free uuid_list whenever
+any of the memory allocation in the loop fails to avoid memory leak.
+
+Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
+Signed-off-by: Guneshwor Singh <guneshwor.o.singh@intel.com>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+
+diff --git a/sound/soc/intel/skylake/skl-sst-utils.c b/sound/soc/intel/skylake/skl-sst-utils.c
+index 369ef7ce981c..8ff89280d9fd 100644
+--- a/sound/soc/intel/skylake/skl-sst-utils.c
++++ b/sound/soc/intel/skylake/skl-sst-utils.c
+@@ -251,6 +251,7 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw,
+ struct uuid_module *module;
+ struct firmware stripped_fw;
+ unsigned int safe_file;
++ int ret = 0;
+
+ /* Get the FW pointer to derive ADSP header */
+ stripped_fw.data = fw->data;
+@@ -299,8 +300,10 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw,
+
+ for (i = 0; i < num_entry; i++, mod_entry++) {
+ module = kzalloc(sizeof(*module), GFP_KERNEL);
+- if (!module)
+- return -ENOMEM;
++ if (!module) {
++ ret = -ENOMEM;
++ goto free_uuid_list;
++ }
+
+ uuid_bin = (uuid_le *)mod_entry->uuid.id;
+ memcpy(&module->uuid, uuid_bin, sizeof(module->uuid));
+@@ -311,8 +314,8 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw,
+ size = sizeof(int) * mod_entry->instance_max_count;
+ module->instance_id = devm_kzalloc(ctx->dev, size, GFP_KERNEL);
+ if (!module->instance_id) {
+- kfree(module);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto free_uuid_list;
+ }
+
+ list_add_tail(&module->list, &skl->uuid_list);
+@@ -323,6 +326,10 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw,
+ }
+
+ return 0;
++
++free_uuid_list:
++ skl_freeup_uuid_list(skl);
++ return ret;
+ }
+
+ void skl_freeup_uuid_list(struct skl_sst *ctx)
+--
+2.15.0
+
diff --git a/queue/ASoC-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent.patch b/queue/ASoC-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent.patch
new file mode 100644
index 0000000..5dc59b5
--- /dev/null
+++ b/queue/ASoC-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent.patch
@@ -0,0 +1,40 @@
+From 21781e87881f9c420871b1d1f3f29d4cd7bffb10 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Wed, 1 Nov 2017 07:16:58 +0000
+Subject: [PATCH] ASoC: rsnd: rsnd_ssi_run_mods() needs to care ssi_parent_mod
+
+commit 21781e87881f9c420871b1d1f3f29d4cd7bffb10 upstream.
+
+SSI parent mod might be NULL. ssi_parent_mod() needs to care
+about it. Otherwise, it uses negative shift.
+This patch fixes it.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 58e3420a1f05..43c31d153ea6 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -195,10 +195,15 @@ static u32 rsnd_ssi_run_mods(struct rsnd_dai_stream *io)
+ {
+ struct rsnd_mod *ssi_mod = rsnd_io_to_mod_ssi(io);
+ struct rsnd_mod *ssi_parent_mod = rsnd_io_to_mod_ssip(io);
++ u32 mods;
+
+- return rsnd_ssi_multi_slaves_runtime(io) |
+- 1 << rsnd_mod_id(ssi_mod) |
+- 1 << rsnd_mod_id(ssi_parent_mod);
++ mods = rsnd_ssi_multi_slaves_runtime(io) |
++ 1 << rsnd_mod_id(ssi_mod);
++
++ if (ssi_parent_mod)
++ mods |= 1 << rsnd_mod_id(ssi_parent_mod);
++
++ return mods;
+ }
+
+ u32 rsnd_ssi_multi_slaves_runtime(struct rsnd_dai_stream *io)
+--
+2.15.0
+
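Review bot: In queue/ASoC-Intel-Skylake-Fix-uuid_module-memory-leak-in-fa.patch, the inner hunk at `@@ -311,8 +314,8 @@` drops `kfree(module);` from the `!module->instance_id` branch, but `list_add_tail(&module->list, &skl->uuid_list)` only runs after that branch, so the module allocated in the failing iteration is not yet on the list when `goto free_uuid_list` is taken. Unless skl_freeup_uuid_list() (its body is not shown here) releases something other than list members, that one kzalloc'd object leaks on this error path. Keeping `kfree(module);` ahead of `ret = -ENOMEM;` in that branch would close it. snd_skl_parse_uuids() starts and ends outside the quoted hunks.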
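Review bot: In queue/ASoC-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent.patch, `1 << rsnd_mod_id(ssi_mod)` is still evaluated without a NULL check and as a signed `int` shift, while only ssi_parent_mod gets the new guard. Whether rsnd_io_to_mod_ssi() can return NULL on this path is not visible here, so this is a question rather than a confirmed defect; if it can, the same guard is needed for ssi_mod. Independently, writing both shifts as `BIT(rsnd_mod_id(...))` would keep the arithmetic unsigned, matching the `u32 mods` accumulator.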
diff --git a/queue/Bluetooth-btusb-Add-new-NFA344A-entry.patch b/queue/Bluetooth-btusb-Add-new-NFA344A-entry.patch
new file mode 100644
index 0000000..9ffe6af
--- /dev/null
+++ b/queue/Bluetooth-btusb-Add-new-NFA344A-entry.patch
@@ -0,0 +1,55 @@
+From 858ff38af77fc660092e82474ecc6ac135ed29fe Mon Sep 17 00:00:00 2001
+From: Bartosz Chronowski <ext.bartosz.chronowski@tieto.com>
+Date: Thu, 26 Oct 2017 10:22:43 +0200
+Subject: [PATCH] Bluetooth: btusb: Add new NFA344A entry.
+
+commit 858ff38af77fc660092e82474ecc6ac135ed29fe upstream.
+
+This change allows proper low power mode entry in suspend.
+
+/sys/kernel/debug/usb/devices entry:
+T: Bus=01 Lev=01 Prnt=01 Port=05 Cnt=03 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e09f Rev= 0.01
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Bartosz Chronowski <ext.bartosz.chronowski@tieto.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index c054d7bce490..b8eb39436ef2 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -267,6 +267,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0cf3, 0xe301), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x0489, 0xe092), .driver_info = BTUSB_QCA_ROME },
++ { USB_DEVICE(0x0489, 0xe09f), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x0489, 0xe0a2), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x3011), .driver_info = BTUSB_QCA_ROME },
+ { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME },
+--
+2.15.0
+
diff --git a/queue/Bluetooth-hci_ldisc-Fix-another-race-when-closing-th.patch b/queue/Bluetooth-hci_ldisc-Fix-another-race-when-closing-th.patch
new file mode 100644
index 0000000..5442407
--- /dev/null
+++ b/queue/Bluetooth-hci_ldisc-Fix-another-race-when-closing-th.patch
@@ -0,0 +1,55 @@
+From 0338b1b393ec7910898e8f7b25b3bf31a7282e16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ronald=20Tschal=C3=A4r?= <ronald@innovation.ch>
+Date: Wed, 25 Oct 2017 22:15:19 -0700
+Subject: [PATCH] Bluetooth: hci_ldisc: Fix another race when closing the tty.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 0338b1b393ec7910898e8f7b25b3bf31a7282e16 upstream.
+
+The following race condition still existed:
+
+ P1 P2
+ cancel_work_sync()
+ hci_uart_tx_wakeup()
+ hci_uart_write_work()
+ hci_uart_dequeue()
+ clear_bit(HCI_UART_PROTO_READY)
+ hci_unregister_dev(hdev)
+ hci_free_dev(hdev)
+ hu->proto->close(hu)
+ kfree(hu)
+ access to hdev and hu
+
+Cancelling the work after clearing the HCI_UART_PROTO_READY bit avoids
+this as any hci_uart_tx_wakeup() issued after the flag is cleared will
+detect that and not schedule further work.
+
+Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 31def781a562..c823914b3a80 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -523,13 +523,13 @@ static void hci_uart_tty_close(struct tty_struct *tty)
+ if (hdev)
+ hci_uart_close(hdev);
+
+- cancel_work_sync(&hu->write_work);
+-
+ if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
+ percpu_down_write(&hu->proto_lock);
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
+
++ cancel_work_sync(&hu->write_work);
++
+ if (hdev) {
+ if (test_bit(HCI_UART_REGISTERED, &hu->flags))
+ hci_unregister_dev(hdev);
+--
+2.15.0
+
diff --git a/queue/GFS2-Take-inode-off-order_write-list-when-setting-jd.patch b/queue/GFS2-Take-inode-off-order_write-list-when-setting-jd.patch
new file mode 100644
index 0000000..2897eff
--- /dev/null
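Review bot: In queue/Bluetooth-hci_ldisc-Fix-another-race-when-closing-th.patch, the position of `cancel_work_sync(&hu->write_work)` after `clear_bit(HCI_UART_PROTO_READY, &hu->flags)` is what closes the use-after-free window described in the commit message, yet nothing in hci_uart_tty_close() says the order matters. A comment above the call, e.g. `/* Must follow clearing PROTO_READY: hci_uart_tx_wakeup() may re-queue write_work while the flag is set */`, would protect it from being reordered later. The call also moved inside the `test_bit(HCI_UART_PROTO_READY, ...)` branch, so it is skipped when the flag was never set; the hunk does not show whether write_work can be pending in that state. The function continues past the end of the hunk.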
+++ b/queue/GFS2-Take-inode-off-order_write-list-when-setting-jd.patch 
@@ -0,0 +1,67 @@
+From cc555b09d8c3817aeebda43a14ab67049a5653f7 Mon Sep 17 00:00:00 2001
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Wed, 20 Sep 2017 08:30:04 -0500
+Subject: [PATCH] GFS2: Take inode off order_write list when setting jdata flag
+
+commit cc555b09d8c3817aeebda43a14ab67049a5653f7 upstream.
+
+This patch fixes a deadlock caused when the jdata flag is set for
+inodes that are already on the ordered write list. Since it is
+on the ordered write list, log_flush calls gfs2_ordered_write which
+calls filemap_fdatawrite. But since the inode had the jdata flag
+set, that calls gfs2_jdata_writepages, which tries to start a new
+transaction. A new transaction cannot be started because it tries
+to acquire the log_flush rwsem which is already locked by the log
+flush operation.
+
+The bottom line is: We cannot switch an inode from ordered to jdata
+until we eliminate any ordered data pages (via log flush) or any
+log_flush operation afterward will create the circular dependency
+above. So we need to flush the log before setting the diskflags to
+switch the file mode, then we need to remove the inode from the
+ordered writes list.
+
+Before this patch, the log flush was done for jdata->ordered, but
+that's wrong. If we're going from jdata to ordered, we don't need
+to call gfs2_log_flush because the call to filemap_fdatawrite will
+do it for us:
+
+ filemap_fdatawrite() -> __filemap_fdatawrite_range()
+ __filemap_fdatawrite_range() -> do_writepages()
+ do_writepages() -> gfs2_jdata_writepages()
+ gfs2_jdata_writepages() -> gfs2_log_flush()
+
+This patch modifies function do_gfs2_set_flags so that if a file
+has its jdata flag set, and it's already on the ordered write list,
+the log will be flushed and it will be removed from the list
+before setting the flag.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Acked-by: Abhijith Das <adas@redhat.com>
+
+diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
+index 8fefb80fe830..c7aea96144b4 100644
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -267,7 +267,7 @@ static int do_gfs2_set_flags(struct file *filp, u32 reqflags, u32 mask)
+ goto out;
+ }
+ if ((flags ^ new_flags) & GFS2_DIF_JDATA) {
+- if (flags & GFS2_DIF_JDATA)
++ if (new_flags & GFS2_DIF_JDATA)
+ gfs2_log_flush(sdp, ip->i_gl, NORMAL_FLUSH);
+ error = filemap_fdatawrite(inode->i_mapping);
+ if (error)
+@@ -275,6 +275,8 @@ static int do_gfs2_set_flags(struct file *filp, u32 reqflags, u32 mask)
+ error = filemap_fdatawait(inode->i_mapping);
+ if (error)
+ goto out;
++ if (new_flags & GFS2_DIF_JDATA)
++ gfs2_ordered_del_inode(ip);
+ }
+ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+ if (error)
+--
+2.15.0
+
diff --git a/queue/HID-cp2112-fix-broken-gpio_direction_input-callback.patch b/queue/HID-cp2112-fix-broken-gpio_direction_input-callback.patch
new file mode 100644
index 0000000..06796f5
--- /dev/null
+++ b/queue/HID-cp2112-fix-broken-gpio_direction_input-callback.patch
@@ -0,0 +1,56 @@
+From 7da85fbf1c87d4f73621e0e7666a3387497075a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+ <sebastien.szymanski@armadeus.com>
+Date: Fri, 10 Nov 2017 10:01:43 +0100
+Subject: [PATCH] HID: cp2112: fix broken gpio_direction_input callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 7da85fbf1c87d4f73621e0e7666a3387497075a9 upstream.
+
+When everything goes smoothly, ret is set to 0 which makes the function
+to return EIO error.
+
+Fixes: 8e9faa15469e ("HID: cp2112: fix gpio-callback error handling")
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+
+diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
+index 28e3c18a4689..68cdc962265b 100644
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -196,6 +196,8 @@ static int cp2112_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
+ HID_REQ_GET_REPORT);
+ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error requesting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -205,8 +207,10 @@ static int cp2112_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
+ ret = hid_hw_raw_request(hdev, CP2112_GPIO_CONFIG, buf,
+ CP2112_GPIO_CONFIG_LENGTH, HID_FEATURE_REPORT,
+ HID_REQ_SET_REPORT);
+- if (ret < 0) {
++ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error setting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -214,7 +218,7 @@ static int cp2112_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
+
+ exit:
+ mutex_unlock(&dev->lock);
+- return ret < 0 ? ret : -EIO;
++ return ret;
+ }
+
+ static void cp2112_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+--
+2.15.0
+
diff --git a/queue/IB-core-Bound-check-alternate-path-port-number.patch b/queue/IB-core-Bound-check-alternate-path-port-number.patch
new file mode 100644
index 0000000..7114309
--- /dev/null
+++ b/queue/IB-core-Bound-check-alternate-path-port-number.patch
@@ -0,0 +1,37 @@
+From 4cae8ff136782d77b108cb3a5ba53e60597ba3a6 Mon Sep 17 00:00:00 2001
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Tue, 5 Dec 2017 22:30:01 +0200
+Subject: [PATCH] IB/core: Bound check alternate path port number
+
+commit 4cae8ff136782d77b108cb3a5ba53e60597ba3a6 upstream.
+
+The alternate port number is used as an array index in the IB
+security implementation, invalid values can result in a kernel panic.
+
+Cc: <stable@vger.kernel.org> # v4.12
+Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 16d55710b116..d0202bb176a4 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1971,6 +1971,12 @@ static int modify_qp(struct ib_uverbs_file *file,
+ goto release_qp;
+ }
+
++ if ((cmd->base.attr_mask & IB_QP_ALT_PATH) &&
++ !rdma_is_port_valid(qp->device, cmd->base.alt_port_num)) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++
+ attr->qp_state = cmd->base.qp_state;
+ attr->cur_qp_state = cmd->base.cur_qp_state;
+ attr->path_mtu = cmd->base.path_mtu;
+--
+2.15.0
+
diff --git a/queue/IB-core-Don-t-enforce-PKey-security-on-SMI-MADs.patch b/queue/IB-core-Don-t-enforce-PKey-security-on-SMI-MADs.patch
new file mode 100644
index 0000000..956ac9b
--- /dev/null
+++ b/queue/IB-core-Don-t-enforce-PKey-security-on-SMI-MADs.patch
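Review bot: In queue/IB-core-Bound-check-alternate-path-port-number.patch, the new guard in modify_qp() validates `cmd->base.alt_port_num` only, and only when `IB_QP_ALT_PATH` is set in the user-supplied attr_mask. The alternate address vector carries its own port field (`cmd->base.alt_dest.port_num` in the uverbs ABI), and nothing visible in this hunk range-checks it or ties it to alt_port_num, so it is worth confirming that no later consumer indexes per-port state with that second value. A one-line comment such as `/* alt_port_num indexes per-port security state; reject out-of-range values from userspace */` above the check would also record why it sits here. modify_qp() begins and ends outside the hunk.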
@@ -0,0 +1,44 @@
+From 0fbe8f575b15585eec3326e43708fbbc024e8486 Mon Sep 17 00:00:00 2001
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Tue, 5 Dec 2017 22:30:02 +0200
+Subject: [PATCH] IB/core: Don't enforce PKey security on SMI MADs
+
+commit 0fbe8f575b15585eec3326e43708fbbc024e8486 upstream.
+
+Per the infiniband spec an SMI MAD can have any PKey. Checking the pkey
+on SMI MADs is not necessary, and it seems that some older adapters
+using the mthca driver don't follow the convention of using the default
+PKey, resulting in false denials, or errors querying the PKey cache.
+
+SMI MAD security is still enforced, only agents allowed to manage the
+subnet are able to receive or send SMI MADs.
+
+Reported-by: Chris Blake <chrisrblake93@gmail.com>
+Cc: <stable@vger.kernel.org> # v4.12
+Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams")
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
+index a337386652b0..feafdb961c48 100644
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -739,8 +739,11 @@ int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
+ if (!rdma_protocol_ib(map->agent.device, map->agent.port_num))
+ return 0;
+
+- if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
+- return -EACCES;
++ if (map->agent.qp->qp_type == IB_QPT_SMI) {
++ if (!map->agent.smp_allowed)
++ return -EACCES;
++ return 0;
++ }
+
+ return ib_security_pkey_access(map->agent.device,
+ map->agent.port_num,
+--
+2.15.0
+
diff --git a/queue/IB-core-Fix-calculation-of-maximum-RoCE-MTU.patch b/queue/IB-core-Fix-calculation-of-maximum-RoCE-MTU.patch
new file mode 100644
index 0000000..e958b09
--- /dev/null
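Review bot: In queue/IB-core-Don-t-enforce-PKey-security-on-SMI-MADs.patch, the new `return 0;` makes `smp_allowed` the only access decision for SMI agents in ib_mad_enforce_security(), since ib_security_pkey_access() is no longer reached for them. That matches the stated intent, but the code itself carries no hint of it. A comment on the branch such as `/* SMI MADs may carry any PKey: gate on smp_allowed only, skip the PKey check */` would stop a later cleanup from folding the two conditions back together. The function's closing lines are outside the hunk.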
+++ b/queue/IB-core-Fix-calculation-of-maximum-RoCE-MTU.patch 
@@ -0,0 +1,74 @@
+From 99260132fde7bddc6e0132ce53da94d1c9ccabcb Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Mon, 16 Oct 2017 08:45:16 +0300
+Subject: [PATCH] IB/core: Fix calculation of maximum RoCE MTU
+
+commit 99260132fde7bddc6e0132ce53da94d1c9ccabcb upstream.
+
+The original code only took into consideration the largest header
+possible after the IB_BTH_BYTES. This was incorrect, as the largest
+possible header size is the largest possible combination of headers we
+might run into. The new code accounts for all possible headers in the
+largest possible combination and subtracts that from the MTU to make
+sure that all packets will fit on the wire.
+
+Link: https://www.spinics.net/lists/linux-rdma/msg54558.html
+Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Reported-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h
+index ec5008cf5d51..8815989301ab 100644
+--- a/include/rdma/ib_addr.h
++++ b/include/rdma/ib_addr.h
+@@ -245,10 +245,11 @@ static inline void rdma_addr_set_dgid(struct rdma_dev_addr *dev_addr, union ib_g
+ static inline enum ib_mtu iboe_get_mtu(int mtu)
+ {
+ /*
+- * reduce IB headers from effective IBoE MTU. 28 stands for
+- * atomic header which is the biggest possible header after BTH
++ * Reduce IB headers from effective IBoE MTU.
+ */
+- mtu = mtu - IB_GRH_BYTES - IB_BTH_BYTES - 28;
++ mtu = mtu - (IB_GRH_BYTES + IB_UDP_BYTES + IB_BTH_BYTES +
++ IB_EXT_XRC_BYTES + IB_EXT_ATOMICETH_BYTES +
++ IB_ICRC_BYTES);
+
+ if (mtu >= ib_mtu_enum_to_int(IB_MTU_4096))
+ return IB_MTU_4096;
+diff --git a/include/rdma/ib_pack.h b/include/rdma/ib_pack.h
+index 36655899ee02..7ea1382ad0e5 100644
+--- a/include/rdma/ib_pack.h
++++ b/include/rdma/ib_pack.h
+@@ -37,14 +37,17 @@
+ #include <uapi/linux/if_ether.h>
+
+ enum {
+- IB_LRH_BYTES = 8,
+- IB_ETH_BYTES = 14,
+- IB_VLAN_BYTES = 4,
+- IB_GRH_BYTES = 40,
+- IB_IP4_BYTES = 20,
+- IB_UDP_BYTES = 8,
+- IB_BTH_BYTES = 12,
+- IB_DETH_BYTES = 8
++ IB_LRH_BYTES = 8,
++ IB_ETH_BYTES = 14,
++ IB_VLAN_BYTES = 4,
++ IB_GRH_BYTES = 40,
++ IB_IP4_BYTES = 20,
++ IB_UDP_BYTES = 8,
++ IB_BTH_BYTES = 12,
++ IB_DETH_BYTES = 8,
++ IB_EXT_ATOMICETH_BYTES = 28,
++ IB_EXT_XRC_BYTES = 4,
++ IB_ICRC_BYTES = 4
+ };
+
+ struct ib_field {
+--
+2.15.0
+
diff --git a/queue/IB-core-Fix-endianness-annotation-in-rdma_is_multica.patch b/queue/IB-core-Fix-endianness-annotation-in-rdma_is_multica.patch
new file mode 100644
index 0000000..b5c9d4a
--- /dev/null
+++ b/queue/IB-core-Fix-endianness-annotation-in-rdma_is_multica.patch
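Review bot: In queue/IB-core-Fix-calculation-of-maximum-RoCE-MTU.patch, the rewritten comment in iboe_get_mtu() no longer says what the subtracted sum represents, and the old text explaining the 28-byte atomic header is gone. Something like `/* Subtract the worst-case RoCE header stack (GRH, UDP, BTH, XRC ETH, AtomicETH, ICRC) from the Ethernet MTU. */` would keep the rationale next to the arithmetic. Note also that `mtu` is a plain `int` and the sum is 96 bytes by the enum values in the ib_pack.h hunk, so a small input goes negative; the visible `>=` comparison would simply not match, but what the function returns in that case is outside the hunk.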
@@ -0,0 +1,37 @@
+From 1c3aea2bc8f0b2e5b57375ead40457ff75a3a2ec Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 11 Oct 2017 10:48:43 -0700
+Subject: [PATCH] IB/core: Fix endianness annotation in
+ rdma_is_multicast_addr()
+
+commit 1c3aea2bc8f0b2e5b57375ead40457ff75a3a2ec upstream.
+
+Since ipv4_addr is a big endian 32-bit number, annotate it as such.
+
+Fixes: commit be1d325a3358 ("IB/core: Set RoCEv2 MGID according to spec")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h
+index ec5008cf5d51..cfa82d16573d 100644
+--- a/include/rdma/ib_addr.h
++++ b/include/rdma/ib_addr.h
+@@ -305,12 +305,12 @@ static inline void rdma_get_ll_mac(struct in6_addr *addr, u8 *mac)
+
+ static inline int rdma_is_multicast_addr(struct in6_addr *addr)
+ {
+- u32 ipv4_addr;
++ __be32 ipv4_addr;
+
+ if (addr->s6_addr[0] == 0xff)
+ return 1;
+
+- memcpy(&ipv4_addr, addr->s6_addr + 12, 4);
++ ipv4_addr = addr->s6_addr32[3];
+ return (ipv6_addr_v4mapped(addr) && ipv4_is_multicast(ipv4_addr));
+ }
+
+--
+2.15.0
+
diff --git a/queue/IB-core-Fix-use-workqueue-without-WQ_MEM_RECLAIM.patch b/queue/IB-core-Fix-use-workqueue-without-WQ_MEM_RECLAIM.patch
new file mode 100644
index 0000000..d211739
--- /dev/null
+++ b/queue/IB-core-Fix-use-workqueue-without-WQ_MEM_RECLAIM.patch
@@ -0,0 +1,53 @@
+From 39baf10310e6669564a485b55267fae70a4e44ae Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Mon, 16 Oct 2017 08:45:15 +0300
+Subject: [PATCH] IB/core: Fix use workqueue without WQ_MEM_RECLAIM
+
+commit 39baf10310e6669564a485b55267fae70a4e44ae upstream.
+
+The IB/core provides address resolution service and invokes callback
+handler when address resolve request completes of requester in worker
+thread context.
+
+Such caller might allocate or free memory in callback handler
+depending on the completion status to make further progress or to
+terminate a connection. Most ULPs resolve route which involves
+allocating route entry and path record elements in callback event handler.
+
+It has been noticed that WQ_MEM_RECLAIM flag should not be used for
+workers that tend to allocate memory in this [1] thread discussion.
+
+In order to mitigate this situation, WQ_MEM_RECLAIM flag was dropped for
+other such WQs in this [2] patch.
+
+Similar problem might arise with address resolution path, though its not
+yet noticed. The ib_addr workqueue is not memory reclaim path due to its
+nature of invoking callback that might allocate memory or don't free any
+memory under memory pressure.
+
+[1] https://www.spinics.net/lists/linux-rdma/msg53239.html
+[2] https://www.spinics.net/lists/linux-rdma/msg53416.html
+
+Fixes: f54816261c2b ("IB/addr: Remove deprecated create_singlethread_workqueue")
+Fixes: 5fff41e1f89d ("IB/core: Fix race condition in resolving IP to MAC")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index 12523f630b61..d2f74721b3ba 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -852,7 +852,7 @@ static struct notifier_block nb = {
+
+ int addr_init(void)
+ {
+- addr_wq = alloc_ordered_workqueue("ib_addr", WQ_MEM_RECLAIM);
++ addr_wq = alloc_ordered_workqueue("ib_addr", 0);
+ if (!addr_wq)
+ return -ENOMEM;
+
+--
+2.15.0
+
diff --git a/queue/IB-hfi1-Mask-out-A-bit-from-psn-trace.patch b/queue/IB-hfi1-Mask-out-A-bit-from-psn-trace.patch
new file mode 100644
index 0000000..1747d09
--- /dev/null
+++ b/queue/IB-hfi1-Mask-out-A-bit-from-psn-trace.patch
@@ -0,0 +1,45 @@
+From d0a2f454713a42447ee4007582c0e43c47bcf230 Mon Sep 17 00:00:00 2001
+From: Don Hiatt <don.hiatt@intel.com>
+Date: Mon, 9 Oct 2017 12:38:12 -0700
+Subject: [PATCH] IB/hfi1: Mask out A bit from psn trace
+
+commit d0a2f454713a42447ee4007582c0e43c47bcf230 upstream.
+
+The trace logic prior to the fixes below used to mask the
+A bit from the psn. It now mistakenly displays the A bit,
+which is already displayed separately.
+
+Fix by adding the appropriate mask to the psn tracing.
+
+Fixes: 228d2af1b723 ("IB/hfi1: Separate input/output header tracing")
+Fixes: 863cf89d472f ("IB/hfi1: Add 16B trace support")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Don Hiatt <don.hiatt@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/hw/hfi1/trace.c b/drivers/infiniband/hw/hfi1/trace.c
+index 9938bb983ce6..9749ec9dd9f2 100644
+--- a/drivers/infiniband/hw/hfi1/trace.c
++++ b/drivers/infiniband/hw/hfi1/trace.c
+@@ -154,7 +154,7 @@ void hfi1_trace_parse_9b_bth(struct ib_other_headers *ohdr,
+ *opcode = ib_bth_get_opcode(ohdr);
+ *tver = ib_bth_get_tver(ohdr);
+ *pkey = ib_bth_get_pkey(ohdr);
+- *psn = ib_bth_get_psn(ohdr);
++ *psn = mask_psn(ib_bth_get_psn(ohdr));
+ *qpn = ib_bth_get_qpn(ohdr);
+ }
+
+@@ -169,7 +169,7 @@ void hfi1_trace_parse_16b_bth(struct ib_other_headers *ohdr,
+ *pad = ib_bth_get_pad(ohdr);
+ *se = ib_bth_get_se(ohdr);
+ *tver = ib_bth_get_tver(ohdr);
+- *psn = ib_bth_get_psn(ohdr);
++ *psn = mask_psn(ib_bth_get_psn(ohdr));
+ *qpn = ib_bth_get_qpn(ohdr);
+ }
+
+--
+2.15.0
+
diff --git a/queue/IB-ipoib-Grab-rtnl-lock-on-heavy-flush-when-calling-.patch b/queue/IB-ipoib-Grab-rtnl-lock-on-heavy-flush-when-calling-.patch
new file mode 100644
index 0000000..65a4e91
--- /dev/null
+++ b/queue/IB-ipoib-Grab-rtnl-lock-on-heavy-flush-when-calling-.patch
@@ -0,0 +1,39 @@
+From b4b678b06f6eef18bff44a338c01870234db0bc9 Mon Sep 17 00:00:00 2001
+From: Alex Vesker <valex@mellanox.com>
+Date: Tue, 10 Oct 2017 10:36:41 +0300
+Subject: [PATCH] IB/ipoib: Grab rtnl lock on heavy flush when calling
+ ndo_open/stop
+
+commit b4b678b06f6eef18bff44a338c01870234db0bc9 upstream.
+
+When ndo_open and ndo_stop are called RTNL lock should be held.
+In this specific case ipoib_ib_dev_open calls the offloaded ndo_open
+which re-sets the number of TX queue assuming RTNL lock is held.
+Since RTNL lock is not held, RTNL assert will fail.
+
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+index 6cd61638b441..c97384c914a4 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1203,10 +1203,15 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv,
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
++ rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+- if (ipoib_ib_dev_open(dev) != 0)
++
++ result = ipoib_ib_dev_open(dev);
++ rtnl_unlock();
++ if (result)
+ return;
++
+ if (netif_queue_stopped(dev))
+ netif_start_queue(dev);
+ }
+--
+2.15.0
+
diff --git a/queue/IB-mlx4-Fix-RSS-s-QPC-attributes-assignments.patch b/queue/IB-mlx4-Fix-RSS-s-QPC-attributes-assignments.patch
new file mode 100644
index 0000000..7be6c68
--- /dev/null
+++ b/queue/IB-mlx4-Fix-RSS-s-QPC-attributes-assignments.patch
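Review bot: In queue/IB-ipoib-Grab-rtnl-lock-on-heavy-flush-when-calling-.patch, `rtnl_lock()` is now taken unconditionally on the IPOIB_FLUSH_HEAVY path, so any caller that reaches __ipoib_ib_dev_flush() at that level while already holding RTNL would block on itself; the callers are outside this hunk, so that needs checking against them. The hunk also assigns `result` without showing its declaration, which presumably sits earlier in the function. A short comment above the lock, e.g. `/* ndo_open/ndo_stop require RTNL; heavy flush must not be entered with it held */`, would document the constraint.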
@@ -0,0 +1,83 @@
+From 108809a0571cd1e1b317c5c083a371e163e1f8f9 Mon Sep 17 00:00:00 2001
+From: Guy Levi <guyle@mellanox.com>
+Date: Wed, 25 Oct 2017 22:39:35 +0300
+Subject: [PATCH] IB/mlx4: Fix RSS's QPC attributes assignments
+
+commit 108809a0571cd1e1b317c5c083a371e163e1f8f9 upstream.
+
+In the modify QP handler the base_qpn_udp field in the RSS QPC is
+overwrite later by irrelevant value assignment. Hence, ingress packets
+which gets to the RSS QP will be steered then to a garbage QPN.
+
+The patch fixes this by skipping the above assignment when a RSS QP is
+modified, also, the RSS context's attributes assignments are relocated
+just before the context is posted to avoid future issues like this.
+
+Additionally, this patch takes the opportunity to change the code to be
+disciplined to the device's manual and assigns the RSS QP context just at
+RESET to INIT transition.
+
+Fixes:3078f5f1bd8b ("IB/mlx4: Add support for RSS QP")
+Signed-off-by: Guy Levi <guyle@mellanox.com>
+Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index b6b33d99b0b4..26f3345948e2 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2182,11 +2182,6 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type,
+ context->flags = cpu_to_be32((to_mlx4_state(new_state) << 28) |
+ (to_mlx4_st(dev, qp->mlx4_ib_qp_type) << 16));
+
+- if (rwq_ind_tbl) {
+- fill_qp_rss_context(context, qp);
+- context->flags |= cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET);
+- }
+-
+ if (!(attr_mask & IB_QP_PATH_MIG_STATE))
+ context->flags |= cpu_to_be32(MLX4_QP_PM_MIGRATED << 11);
+ else {
+@@ -2387,6 +2382,7 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type,
+ context->pd = cpu_to_be32(pd->pdn);
+
+ if (!rwq_ind_tbl) {
++ context->params1 = cpu_to_be32(MLX4_IB_ACK_REQ_FREQ << 28);
+ get_cqs(qp, src_type, &send_cq, &recv_cq);
+ } else { /* Set dummy CQs to be compatible with HV and PRM */
+ send_cq = to_mcq(rwq_ind_tbl->ind_tbl[0]->cq);
+@@ -2394,7 +2390,6 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type,
+ }
+ context->cqn_send = cpu_to_be32(send_cq->mcq.cqn);
+ context->cqn_recv = cpu_to_be32(recv_cq->mcq.cqn);
+- context->params1 = cpu_to_be32(MLX4_IB_ACK_REQ_FREQ << 28);
+
+ /* Set "fast registration enabled" for all kernel QPs */
+ if (!ibuobject)
+@@ -2513,7 +2508,7 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type,
+ MLX4_IB_LINK_TYPE_ETH;
+ if (dev->dev->caps.tunnel_offload_mode == MLX4_TUNNEL_OFFLOAD_MODE_VXLAN) {
+ /* set QP to receive both tunneled & non-tunneled packets */
+- if (!(context->flags & cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET)))
++ if (!rwq_ind_tbl)
+ context->srqn = cpu_to_be32(7 << 28);
+ }
+ }
+@@ -2562,6 +2557,13 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type,
+ }
+ }
+
++ if (rwq_ind_tbl &&
++ cur_state == IB_QPS_RESET &&
++ new_state == IB_QPS_INIT) {
++ fill_qp_rss_context(context, qp);
++ context->flags |= cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET);
++ }
++
+ err = mlx4_qp_modify(dev->dev, &qp->mtt, to_mlx4_state(cur_state),
+ to_mlx4_state(new_state), context, optpar,
+ sqd_event, &qp->mqp);
+--
+2.15.0
+
diff --git a/queue/Ib-hfi1-Return-actual-operational-VLs-in-port-info-q.patch b/queue/Ib-hfi1-Return-actual-operational-VLs-in-port-info-q.patch
new file mode 100644
index 0000000..4e045c8
--- /dev/null
+++ b/queue/Ib-hfi1-Return-actual-operational-VLs-in-port-info-q.patch
@@ -0,0 +1,42 @@
+From 00f9203119dd2774564407c7a67b17d81916298b Mon Sep 17 00:00:00 2001
+From: Patel Jay P <jay.p.patel@intel.com>
+Date: Mon, 23 Oct 2017 06:05:53 -0700
+Subject: [PATCH] Ib/hfi1: Return actual operational VLs in port info query
+
+commit 00f9203119dd2774564407c7a67b17d81916298b upstream.
+
+__subn_get_opa_portinfo stores value returned by hfi1_get_ib_cfg() as
+operational vls. hfi1_get_ib_cfg() returns vls_operational field in
+hfi1_pportdata. The problem with this is that the value is always equal
+to vls_supported field in hfi1_pportdata.
+
+The logic to calculate operational_vls is to set value passed by FM
+(in __subn_set_opa_portinfo routine). If no value is passed then
+default value is stored in operational_vls.
+
+Field actual_vls_operational is calculated on the basis of buffer
+control table. Hence, modifying hfi1_get_ib_cfg() to return
+actual_operational_vls when used with HFI1_IB_CFG_OP_VLS parameter
+
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Patel Jay P <jay.p.patel@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
+index 8dd0a4ded67b..b69b85e7a244 100644
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -9966,7 +9966,7 @@ int hfi1_get_ib_cfg(struct hfi1_pportdata *ppd, int which)
+ goto unimplemented;
+
+ case HFI1_IB_CFG_OP_VLS:
+- val = ppd->vls_operational;
++ val = ppd->actual_vls_operational;
+ break;
+ case HFI1_IB_CFG_VL_HIGH_CAP: /* VL arb high priority table size */
+ val = VL_ARB_HIGH_PRIO_TABLE_SIZE;
+--
+2.15.0
+
diff --git a/queue/KVM-nVMX-Fix-EPT-switching-advertising.patch b/queue/KVM-nVMX-Fix-EPT-switching-advertising.patch
new file mode 100644
index 0000000..54ab168
--- /dev/null
+++ b/queue/KVM-nVMX-Fix-EPT-switching-advertising.patch
@@ -0,0 +1,43 @@
+From 575b3a2cb439b03fd603ea77c73c76f3ed237596 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 19 Oct 2017 07:00:34 +0800
+Subject: [PATCH] KVM: nVMX: Fix EPT switching advertising
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 575b3a2cb439b03fd603ea77c73c76f3ed237596 upstream.
+
+I can use vmxcap tool to observe "EPTP Switching yes" even if EPT is not
+exposed to L1.
+
+EPT switching is advertised unconditionally since it is emulated, however,
+it can be treated as an extended feature for EPT and it should not be
+advertised if EPT itself is not exposed. This patch fixes it.
+
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Jim Mattson <jmattson@google.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 69d45734091f..dba0f6ad4e57 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2842,8 +2842,9 @@ static void nested_vmx_setup_ctls_msrs(struct vcpu_vmx *vmx)
+ * Advertise EPTP switching unconditionally
+ * since we emulate it
+ */
+- vmx->nested.nested_vmx_vmfunc_controls =
+- VMX_VMFUNC_EPTP_SWITCHING;
++ if (enable_ept)
++ vmx->nested.nested_vmx_vmfunc_controls =
++ VMX_VMFUNC_EPTP_SWITCHING;
+ }
+
+ /*
+--
+2.15.0
+
diff --git a/queue/PCI-Detach-driver-before-procfs-sysfs-teardown-on-de.patch b/queue/PCI-Detach-driver-before-procfs-sysfs-teardown-on-de.patch
new file mode 100644
index 0000000..f852836
--- /dev/null
+++ b/queue/PCI-Detach-driver-before-procfs-sysfs-teardown-on-de.patch
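Review bot: The block comment kept as context directly above the new `if (enable_ept)` in nested_vmx_setup_ctls_msrs() still says EPTP switching is advertised "unconditionally since we emulate it", which is no longer true and will mislead whoever next audits what the nested guest is told about the host. It should be reworded, for example `/* Advertise EPTP switching only when EPT is exposed to L1; we emulate it */`. With `enable_ept` clear the field is no longer written on this path, so the result depends on `nested_vmx_vmfunc_controls` already being zero; that initialisation is outside the hunk and worth confirming.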
@@ -0,0 +1,48 @@
+From 16b6c8bb687cc3bec914de09061fcb8411951fda Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 11 Oct 2017 15:35:56 -0600
+Subject: [PATCH] PCI: Detach driver before procfs & sysfs teardown on device
+ remove
+
+commit 16b6c8bb687cc3bec914de09061fcb8411951fda upstream.
+
+When removing a device, for example a VF being removed due to SR-IOV
+teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual
+hot-unplug, we first remove the procfs and sysfs attributes for the device
+before attempting to release the device from any driver bound to it.
+Unbinding the driver from the device can take time. The device might need
+to write out data or it might be actively in use. If it's in use by
+userspace through a vfio driver, the unbind might block until the user
+releases the device. This leads to a potentially non-trivial amount of
+time where the device exists, but we've torn down the interfaces that
+userspace uses to examine devices, for instance lspci might generate this
+sort of error:
+
+ pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config
+ lspci: Unable to read the standard configuration space header of device 0000:01:0a.3
+
+We don't seem to have any dependence on this teardown ordering in the
+kernel, so let's unbind the driver first, which is also more symmetric with
+the instantiation of the device in pci_bus_add_device().
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
+index 73a03d382590..2fa0dbde36b7 100644
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -19,9 +19,9 @@ static void pci_stop_dev(struct pci_dev *dev)
+ pci_pme_active(dev, false);
+
+ if (dev->is_added) {
++ device_release_driver(&dev->dev);
+ pci_proc_detach_device(dev);
+ pci_remove_sysfs_dev_files(dev);
+- device_release_driver(&dev->dev);
+ dev->is_added = 0;
+ }
+
+--
+2.15.0
+
diff --git a/queue/PCI-Do-not-allocate-more-buses-than-available-in-par.patch b/queue/PCI-Do-not-allocate-more-buses-than-available-in-par.patch
new file mode 100644
index 0000000..734f2dc
--- /dev/null
+++ b/queue/PCI-Do-not-allocate-more-buses-than-available-in-par.patch
@@ -0,0 +1,64 @@
+From a20c7f36bd3d20d245616ae223bb9d05dfb6f050 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Fri, 13 Oct 2017 21:35:43 +0300
+Subject: [PATCH] PCI: Do not allocate more buses than available in parent
+
+commit a20c7f36bd3d20d245616ae223bb9d05dfb6f050 upstream.
+
+One can ask more buses to be reserved for hotplug bridges by passing
+pci=hpbussize=N in the kernel command line. If the parent bus does not
+have enough bus space available we incorrectly create child bus with the
+requested number of subordinate buses.
+
+In the example below hpbussize is set to one more than we have available
+buses in the root port:
+
+ pci 0000:07:00.0: [8086:1578] type 01 class 0x060400
+ pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 0
+ pci 0000:07:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
+ pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 1
+ pci_bus 0000:08: busn_res: can not insert [bus 08-ff] under [bus 07-3f] (conflicts with (null) [bus 07-3f])
+ pci_bus 0000:08: scanning bus
+ ...
+ pci_bus 0000:0a: bus scan returning with max=40
+ pci_bus 0000:0a: busn_res: [bus 0a-ff] end is updated to 40
+ pci_bus 0000:0a: [bus 0a-40] partially hidden behind bridge 0000:07 [bus 07-3f]
+ pci_bus 0000:08: bus scan returning with max=40
+ pci_bus 0000:08: busn_res: [bus 08-ff] end is updated to 40
+
+Instead of allowing this, limit the subordinate number to be less than or
+equal the maximum subordinate number allocated for the parent bus (if it
+has any).
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+[bhelgaas: remove irrelevant dmesg messages]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 61813938d186..1f82f49c0bb3 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1076,7 +1076,8 @@ int pci_scan_bridge(struct pci_bus *bus, struct pci_dev *dev, int max, int pass)
+ child = pci_add_new_bus(bus, dev, max+1);
+ if (!child)
+ goto out;
+- pci_bus_insert_busn_res(child, max+1, 0xff);
++ pci_bus_insert_busn_res(child, max+1,
++ bus->busn_res.end);
+ }
+ max++;
+ buses = (buses & 0xff000000)
+@@ -2439,6 +2440,10 @@ unsigned int pci_scan_child_bus(struct pci_bus *bus)
+ if (bus->self && bus->self->is_hotplug_bridge && pci_hotplug_bus_size) {
+ if (max - bus->busn_res.start < pci_hotplug_bus_size - 1)
+ max = bus->busn_res.start + pci_hotplug_bus_size - 1;
++
++ /* Do not allocate more buses than we have room left */
++ if (max > bus->busn_res.end)
++ max = bus->busn_res.end;
+ }
+
+ /*
+--
+2.15.0
+
diff --git a/queue/PCI-PME-Handle-invalid-data-when-reading-Root-Status.patch b/queue/PCI-PME-Handle-invalid-data-when-reading-Root-Status.patch
new file mode 100644
index 0000000..3ac7312
--- /dev/null
+++ b/queue/PCI-PME-Handle-invalid-data-when-reading-Root-Status.patch
@@ -0,0 +1,56 @@
+From 3ad3f8ce50914288731a3018b27ee44ab803e170 Mon Sep 17 00:00:00 2001
+From: Qiang <zhengqiang10@huawei.com>
+Date: Thu, 28 Sep 2017 11:54:34 +0800
+Subject: [PATCH] PCI/PME: Handle invalid data when reading Root Status
+
+commit 3ad3f8ce50914288731a3018b27ee44ab803e170 upstream.
+
+PCIe PME and native hotplug share the same interrupt number, so hotplug
+interrupts are also processed by PME. In some cases, e.g., a Link Down
+interrupt, a device may be present but unreachable, so when we try to
+read its Root Status register, the read fails and we get all ones data
+(0xffffffff).
+
+Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e.,
+"some device has asserted PME," so we scheduled pcie_pme_work_fn(). This
+caused an infinite loop because pcie_pme_work_fn() tried to handle PME
+requests until PCI_EXP_RTSTA_PME is cleared, but with the link down,
+PCI_EXP_RTSTA_PME can't be cleared.
+
+Check for the invalid 0xffffffff data everywhere we read the Root Status
+register.
+
+1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from
+non-existent devices") added similar checks in the hotplug driver.
+
+Signed-off-by: Qiang Zheng <zhengqiang10@huawei.com>
+[bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow
+other similar checks]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c
+index fafdb165dd2e..df290aa58dce 100644
+--- a/drivers/pci/pcie/pme.c
++++ b/drivers/pci/pcie/pme.c
+@@ -226,6 +226,9 @@ static void pcie_pme_work_fn(struct work_struct *work)
+ break;
+
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
++ if (rtsta == (u32) ~0)
++ break;
++
+ if (rtsta & PCI_EXP_RTSTA_PME) {
+ /*
+ * Clear PME status of the port. If there are other
+@@ -273,7 +276,7 @@ static irqreturn_t pcie_pme_irq(int irq, void *context)
+ spin_lock_irqsave(&data->lock, flags);
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
+
+- if (!(rtsta & PCI_EXP_RTSTA_PME)) {
++ if (rtsta == (u32) ~0 || !(rtsta & PCI_EXP_RTSTA_PME)) {
+ spin_unlock_irqrestore(&data->lock, flags);
+ return IRQ_NONE;
+ }
+--
+2.15.0
+
diff --git a/queue/PM-s2idle-Clear-the-events_check_enabled-flag.patch b/queue/PM-s2idle-Clear-the-events_check_enabled-flag.patch
new file mode 100644
index 0000000..e987f84
--- /dev/null
+++ b/queue/PM-s2idle-Clear-the-events_check_enabled-flag.patch
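Review bot: The all-ones test `rtsta == (u32) ~0` is open-coded in both pcie_pme_work_fn() and pcie_pme_irq() with no comment saying why that value is rejected, so a later reader can easily drop or miss it when a third read of Root Status is added. A one-line comment at each site would document the invariant, for example `/* All ones: config read failed, port unreachable (e.g. link down) */`. In pcie_pme_work_fn() the new `break` leaves the loop while the code after the loop still runs; that code is outside the hunk, and if it re-enables the PME interrupt it is worth confirming that a port which keeps returning all ones cannot cause repeated rescheduling.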
@@ -0,0 +1,62 @@
+From 95b982b45122c57da2ee0b46cce70775e1d987af Mon Sep 17 00:00:00 2001
+From: Rajat Jain <rajatja@google.com>
+Date: Tue, 31 Oct 2017 14:44:24 -0700
+Subject: [PATCH] PM / s2idle: Clear the events_check_enabled flag
+
+commit 95b982b45122c57da2ee0b46cce70775e1d987af upstream.
+
+Problem: This flag does not get cleared currently in the suspend or
+resume path in the following cases:
+
+ * In case some driver's suspend routine returns an error.
+ * Successful s2idle case
+ * etc?
+
+Why is this a problem: What happens is that the next suspend attempt
+could fail even though the user did not enable the flag by writing to
+/sys/power/wakeup_count. This is 1 use case how the issue can be seen
+(but similar use case with driver suspend failure can be thought of):
+
+ 1. Read /sys/power/wakeup_count
+ 2. echo count > /sys/power/wakeup_count
+ 3. echo freeze > /sys/power/wakeup_count
+ 4. Let the system suspend, and wakeup the system using some wake source
+ that calls pm_wakeup_event() e.g. power button or something.
+ 5. Note that the combined wakeup count would be incremented due
+ to the pm_wakeup_event() in the resume path.
+ 6. After resuming the events_check_enabled flag is still set.
+
+At this point if the user attempts to freeze again (without writing to
+/sys/power/wakeup_count), the suspend would fail even though there has
+been no wake event since the past resume.
+
+Address that by clearing the flag just before a resume is completed,
+so that it is always cleared for the corner cases mentioned above.
+
+Signed-off-by: Rajat Jain <rajatja@google.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+diff --git a/kernel/power/suspend.c b/kernel/power/suspend.c
+index ccd2d20e6b06..0685c4499431 100644
+--- a/kernel/power/suspend.c
++++ b/kernel/power/suspend.c
+@@ -437,7 +437,6 @@ static int suspend_enter(suspend_state_t state, bool *wakeup)
+ error = suspend_ops->enter(state);
+ trace_suspend_resume(TPS("machine_suspend"),
+ state, false);
+- events_check_enabled = false;
+ } else if (*wakeup) {
+ error = -EBUSY;
+ }
+@@ -582,6 +581,7 @@ static int enter_state(suspend_state_t state)
+ pm_restore_gfp_mask();
+
+ Finish:
++ events_check_enabled = false;
+ pm_pr_dbg("Finishing wakeup.\n");
+ suspend_finish();
+ Unlock:
+--
+2.15.0
+
diff --git a/queue/RDMA-cma-Avoid-triggering-undefined-behavior.patch b/queue/RDMA-cma-Avoid-triggering-undefined-behavior.patch
new file mode 100644
index 0000000..d5a1ced
--- /dev/null
+++ b/queue/RDMA-cma-Avoid-triggering-undefined-behavior.patch
@@ -0,0 +1,76 @@
+From c0b64f58e8d49570aa9ee55d880f92c20ff0166b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 11 Oct 2017 10:48:45 -0700
+Subject: [PATCH] RDMA/cma: Avoid triggering undefined behavior
+
+commit c0b64f58e8d49570aa9ee55d880f92c20ff0166b upstream.
+
+According to the C standard the behavior of computations with
+integer operands is as follows:
+* A computation involving unsigned operands can never overflow,
+ because a result that cannot be represented by the resulting
+ unsigned integer type is reduced modulo the number that is one
+ greater than the largest value that can be represented by the
+ resulting type.
+* The behavior for signed integer underflow and overflow is
+ undefined.
+
+Hence only use unsigned integers when checking for integer
+overflow.
+
+This patch is what I came up with after having analyzed the
+following smatch warnings:
+
+drivers/infiniband/core/cma.c:3448: cma_resolve_ib_udp() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+drivers/infiniband/core/cma.c:3505: cma_connect_ib() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Acked-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 852c8fec8088..fa79c7076ccd 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1540,7 +1540,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id,
+ return id_priv;
+ }
+
+-static inline int cma_user_data_offset(struct rdma_id_private *id_priv)
++static inline u8 cma_user_data_offset(struct rdma_id_private *id_priv)
+ {
+ return cma_family(id_priv) == AF_IB ? 0 : sizeof(struct cma_hdr);
+ }
+@@ -1942,7 +1942,8 @@ static int cma_req_handler(struct ib_cm_id *cm_id, struct ib_cm_event *ib_event)
+ struct rdma_id_private *listen_id, *conn_id = NULL;
+ struct rdma_cm_event event;
+ struct net_device *net_dev;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ listen_id = cma_id_from_event(cm_id, ib_event, &net_dev);
+ if (IS_ERR(listen_id))
+@@ -3440,7 +3441,8 @@ static int cma_resolve_ib_udp(struct rdma_id_private *id_priv,
+ struct ib_cm_sidr_req_param req;
+ struct ib_cm_id *id;
+ void *private_data;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
+@@ -3497,7 +3499,8 @@ static int cma_connect_ib(struct rdma_id_private *id_priv,
+ struct rdma_route *route;
+ void *private_data;
+ struct ib_cm_id *id;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
+--
+2.15.0
+
diff --git a/queue/RDMA-cxgb4-Declare-stag-as-__be32.patch b/queue/RDMA-cxgb4-Declare-stag-as-__be32.patch
new file mode 100644
index 0000000..c5b87fc
--- /dev/null
+++ b/queue/RDMA-cxgb4-Declare-stag-as-__be32.patch
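Review bot: Narrowing `cma_user_data_offset()` to `u8` silently truncates `sizeof(struct cma_hdr)` if that struct ever grows past 255 bytes, and the offset feeds private-data length arithmetic in cma_resolve_ib_udp() and cma_connect_ib(). A compile-time guard next to the helper would pin the assumption, for example `BUILD_BUG_ON(sizeof(struct cma_hdr) > U8_MAX);`. The overflow tests quoted in the commit message (`offset + conn_param->private_data_len < conn_param->private_data_len`) are outside these hunks. If `private_data_len` is also a narrow unsigned type, both operands are promoted to `int` and that comparison can never be true, so the effective bound on the private-data copy would have to come from a separate size check; this is worth confirming in the surrounding code.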
@@ -0,0 +1,32 @@
+From 35fb2a88ed4b77356fa679a8525c869a3594e287 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 25 Oct 2017 07:41:11 +0300
+Subject: [PATCH] RDMA/cxgb4: Declare stag as __be32
+
+commit 35fb2a88ed4b77356fa679a8525c869a3594e287 upstream.
+
+The scqe.stag is actually __b32, fix it.
+
+ drivers/infiniband/hw/cxgb4/cq.c:754:52: warning: cast to restricted __be32
+
+Cc: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+diff --git a/drivers/infiniband/hw/cxgb4/t4.h b/drivers/infiniband/hw/cxgb4/t4.h
+index 2b44fa850bbb..427aaf20d77c 100644
+--- a/drivers/infiniband/hw/cxgb4/t4.h
++++ b/drivers/infiniband/hw/cxgb4/t4.h
+@@ -171,7 +171,7 @@ struct t4_cqe {
+ __be32 msn;
+ } rcqe;
+ struct {
+- u32 stag;
++ __be32 stag;
+ u16 nada2;
+ u16 cidx;
+ } scqe;
+--
+2.15.0
+
diff --git a/queue/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch b/queue/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
new file mode 100644
index 0000000..85cdaec
--- /dev/null
+++ b/queue/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
@@ -0,0 +1,47 @@
+From 779f4e1c6c7c661db40dfebd6dd6bda7b5f88aa3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 12 Dec 2017 11:28:38 -0800
+Subject: [PATCH] Revert "exec: avoid RLIMIT_STACK races with prlimit()"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 779f4e1c6c7c661db40dfebd6dd6bda7b5f88aa3 upstream.
+
+This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375.
+
+SELinux runs with secureexec for all non-"noatsecure" domain transitions,
+which means lots of processes end up hitting the stack hard-limit change
+that was introduced in order to fix a race with prlimit(). That race fix
+will need to be redesigned.
+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Reported-by: Tomáš Trnka <trnka@scm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 156f56acfe8e..5688b5e1b937 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1339,15 +1339,10 @@ void setup_new_exec(struct linux_binprm * bprm)
+ * avoid bad behavior from the prior rlimits. This has to
+ * happen before arch_pick_mmap_layout(), which examines
+ * RLIMIT_STACK, but after the point of no return to avoid
+- * races from other threads changing the limits. This also
+- * must be protected from races with prlimit() calls.
++ * needing to clean up the change on failure.
+ */
+- task_lock(current->group_leader);
+ if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
+ current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
+- if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
+- current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
+- task_unlock(current->group_leader);
+ }
+
+ arch_pick_mmap_layout(current->mm);
+--
+2.15.0
+
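Review bot: After this revert the `rlim_cur` clamp in setup_new_exec() is again an unlocked read-modify-write of `current->signal->rlim[RLIMIT_STACK]`, so the prlimit() race that 04e35f4495dd addressed is open again, and the restored comment no longer mentions it. Until the redesign promised in the commit message lands, the comment should record the known gap, for example by adding ` * NOTE: not serialized against prlimit(); see reverted 04e35f4495dd.` before the closing `*/`. The hard limit is also no longer lowered here, so the new image keeps an inherited `rlim_max` above `_STK_LIM`. The condition that guards this block is outside the hunk.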
diff --git a/queue/SUNRPC-Fix-a-race-in-the-receive-code-path.patch b/queue/SUNRPC-Fix-a-race-in-the-receive-code-path.patch
new file mode 100644
index 0000000..3c518eb
--- /dev/null
+++ b/queue/SUNRPC-Fix-a-race-in-the-receive-code-path.patch
@@ -0,0 +1,79 @@
+From 90d91b0cd371193d9dbfa9beacab8ab9a4cb75e0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 14 Dec 2017 21:24:08 -0500
+Subject: [PATCH] SUNRPC: Fix a race in the receive code path
+
+commit 90d91b0cd371193d9dbfa9beacab8ab9a4cb75e0 upstream.
+
+We must ensure that the call to rpc_sleep_on() in xprt_transmit() cannot
+race with the call to xprt_complete_rqst().
+
+Reported-by: Chuck Lever <chuck.lever@oracle.com>
+Link: https://bugzilla.linux-nfs.org/show_bug.cgi?id=317
+Fixes: ce7c252a8c74 ("SUNRPC: Add a separate spinlock to protect..")
+Cc: stable@vger.kernel.org # 4.14+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 02a9bacb239b..5b06f6906a27 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -1001,6 +1001,7 @@ void xprt_transmit(struct rpc_task *task)
+ {
+ struct rpc_rqst *req = task->tk_rqstp;
+ struct rpc_xprt *xprt = req->rq_xprt;
++ unsigned int connect_cookie;
+ int status, numreqs;
+
+ dprintk("RPC: %5u xprt_transmit(%u)\n", task->tk_pid, req->rq_slen);
+@@ -1024,6 +1025,7 @@ void xprt_transmit(struct rpc_task *task)
+ } else if (!req->rq_bytes_sent)
+ return;
+
++ connect_cookie = xprt->connect_cookie;
+ req->rq_xtime = ktime_get();
+ status = xprt->ops->send_request(task);
+ trace_xprt_transmit(xprt, req->rq_xid, status);
+@@ -1047,20 +1049,28 @@ void xprt_transmit(struct rpc_task *task)
+ xprt->stat.bklog_u += xprt->backlog.qlen;
+ xprt->stat.sending_u += xprt->sending.qlen;
+ xprt->stat.pending_u += xprt->pending.qlen;
++ spin_unlock_bh(&xprt->transport_lock);
+
+- /* Don't race with disconnect */
+- if (!xprt_connected(xprt))
+- task->tk_status = -ENOTCONN;
+- else {
++ req->rq_connect_cookie = connect_cookie;
++ if (rpc_reply_expected(task) && !READ_ONCE(req->rq_reply_bytes_recvd)) {
+ /*
+- * Sleep on the pending queue since
+- * we're expecting a reply.
++ * Sleep on the pending queue if we're expecting a reply.
++ * The spinlock ensures atomicity between the test of
++ * req->rq_reply_bytes_recvd, and the call to rpc_sleep_on().
+ */
+- if (!req->rq_reply_bytes_recvd && rpc_reply_expected(task))
++ spin_lock(&xprt->recv_lock);
++ if (!req->rq_reply_bytes_recvd) {
+ rpc_sleep_on(&xprt->pending, task, xprt_timer);
+- req->rq_connect_cookie = xprt->connect_cookie;
++ /*
++ * Send an extra queue wakeup call if the
++ * connection was dropped in case the call to
++ * rpc_sleep_on() raced.
++ */
++ if (!xprt_connected(xprt))
++ xprt_wake_pending_tasks(xprt, -ENOTCONN);
++ }
++ spin_unlock(&xprt->recv_lock);
+ }
+- spin_unlock_bh(&xprt->transport_lock);
+ }
+
+ static void xprt_add_backlog(struct rpc_xprt *xprt, struct rpc_task *task)
+--
+2.15.0
+
diff --git a/queue/USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/queue/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
new file mode 100644
index 0000000..707b2d6
--- /dev/null
+++ b/queue/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
@@ -0,0 +1,47 @@
+From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
+
+commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 55b198ba629b..78e92d29f8d9 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
+--
+2.15.0
+
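Review bot: The `// Adjusted later` comment on the zeroing in usb_parse_configuration() understates what is the security invariant of this fix: the stored count must stay 0 on every early return so later code never iterates over a device-supplied interface count that was not validated. The comment should say so, in the block-comment style used elsewhere in the hunk, for example `/* Keep 0 until parsing succeeds so error returns never expose the device-supplied count */`. The `memcpy()` of `USB_DT_CONFIG_SIZE` bytes and the new read of `bNumInterfaces` both run before the `bLength > size` validation, which is safe only if the caller guarantees `size >= USB_DT_CONFIG_SIZE`. That guarantee is outside the hunk and worth confirming.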
diff --git a/queue/USB-uas-and-storage-Add-US_FL_BROKEN_FUA-for-another.patch b/queue/USB-uas-and-storage-Add-US_FL_BROKEN_FUA-for-another.patch
new file mode 100644
index 0000000..2b2652a
--- /dev/null
+++ b/queue/USB-uas-and-storage-Add-US_FL_BROKEN_FUA-for-another.patch
@@ -0,0 +1,67 @@ +From 62354454625741f0569c2cbe45b2d192f8fd258e Mon Sep 17 00:00:00 2001 +From: David Kozub <zub@linux.fjfi.cvut.cz> +Date: Tue, 5 Dec 2017 22:40:04 +0100 +Subject: [PATCH] USB: uas and storage: Add US_FL_BROKEN_FUA for another + JMicron JMS567 ID + +commit 62354454625741f0569c2cbe45b2d192f8fd258e upstream. + +There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails +with the following error: + +[sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE +[sda] tag#0 Sense Key : Illegal Request [current] +[sda] tag#0 Add. Sense: Invalid field in cdb + +The issue occurs both with UAS (occasionally) and mass storage +(immediately after mounting a FS on a disk in the enclosure). + +Enabling US_FL_BROKEN_FUA quirk solves this issue. + +This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure +for both UAS and mass storage. + +Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 2968046e7c05..f72d045ee9ef 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2100,6 +2100,13 @@ UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA ), + ++/* Reported by David Kozub <zub@linux.fjfi.cvut.cz> */ ++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, ++ "JMicron", ++ "JMS567", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA), ++ + /* + * Reported by Alexandre Oliva <oliva@lsd.ic.unicamp.br> + * JMicron responds to USN and several other SCSI ioctls with a +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h +index d520374a824e..e6127fb21c12 100644 +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -129,6 +129,13 @@ 
UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), + ++/* Reported-by: David Kozub <zub@linux.fjfi.cvut.cz> */ ++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, ++ "JMicron", ++ "JMS567", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA), ++ + /* Reported-by: Hans de Goede <hdegoede@redhat.com> */ + UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, + "VIA", +-- +2.15.0 + diff --git a/queue/arm-ccn-perf-Prevent-module-unload-while-PMU-is-in-u.patch b/queue/arm-ccn-perf-Prevent-module-unload-while-PMU-is-in-u.patch new file mode 100644 index 0000000..655d9ca --- /dev/null +++ b/queue/arm-ccn-perf-Prevent-module-unload-while-PMU-is-in-u.patch @@ -0,0 +1,34 @@ +From c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose <suzuki.poulose@arm.com> +Date: Fri, 3 Nov 2017 11:45:18 +0000 +Subject: [PATCH] arm-ccn: perf: Prevent module unload while PMU is in use + +commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 upstream. + +When the PMU driver is built as a module, the perf expects the +pmu->module to be valid, so that the driver is prevented from +being unloaded while it is in use. Fix the CCN pmu driver to +fill in this field. + +Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver") +Cc: Pawel Moll <pawel.moll@arm.com> +Cc: Will Deacon <will.deacon@arm.com> +Acked-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c +index e8c6946fed9d..3063f5312397 100644 +--- a/drivers/bus/arm-ccn.c ++++ b/drivers/bus/arm-ccn.c +@@ -1276,6 +1276,7 @@ static int arm_ccn_pmu_init(struct arm_ccn *ccn) + + /* Perf driver registration */ + ccn->dt.pmu = (struct pmu) { ++ .module = THIS_MODULE, + .attr_groups = arm_ccn_pmu_attr_groups, + .task_ctx_nr = perf_invalid_context, + .event_init = arm_ccn_pmu_event_init, +-- +2.15.0 + 
diff --git a/queue/arm64-Initialise-high_memory-global-variable-earlier.patch b/queue/arm64-Initialise-high_memory-global-variable-earlier.patch new file mode 100644 index 0000000..2d39215 --- /dev/null +++ b/queue/arm64-Initialise-high_memory-global-variable-earlier.patch @@ -0,0 +1,47 @@ +From f24e5834a2c3f6c5f814a417f858226f0a010ade Mon Sep 17 00:00:00 2001 +From: Steve Capper <steve.capper@arm.com> +Date: Mon, 4 Dec 2017 14:13:05 +0000 +Subject: [PATCH] arm64: Initialise high_memory global variable earlier + +commit f24e5834a2c3f6c5f814a417f858226f0a010ade upstream. + +The high_memory global variable is used by +cma_declare_contiguous(.) before it is defined. + +We don't notice this as we compute __pa(high_memory - 1), and it looks +like we're processing a VA from the direct linear map. + +This problem becomes apparent when we flip the kernel virtual address +space and the linear map is moved to the bottom of the kernel VA space. + +This patch moves the initialisation of high_memory before it used. + +Cc: <stable@vger.kernel.org> +Fixes: f7426b983a6a ("mm: cma: adjust address limit to avoid hitting low/high memory boundary") +Signed-off-by: Steve Capper <steve.capper@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c +index 5960bef0170d..00e7b900ca41 100644 +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -476,6 +476,8 @@ void __init arm64_memblock_init(void) + + reserve_elfcorehdr(); + ++ high_memory = __va(memblock_end_of_DRAM() - 1) + 1; ++ + dma_contiguous_reserve(arm64_dma_phys_limit); + + memblock_allow_resize(); +@@ -502,7 +504,6 @@ void __init bootmem_init(void) + sparse_init(); + zone_sizes_init(min, max); + +- high_memory = __va((max << PAGE_SHIFT) - 1) + 1; + memblock_dump_all(); + } + +-- +2.15.0 + diff --git a/queue/arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch b/queue/arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch new file mode 100644 index 0000000..57d65ff 
--- /dev/null +++ b/queue/arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch @@ -0,0 +1,40 @@ +From 1d08a044cf12aee37dfd54837558e3295287b343 Mon Sep 17 00:00:00 2001 +From: Mark Rutland <mark.rutland@arm.com> +Date: Wed, 13 Dec 2017 11:45:42 +0000 +Subject: [PATCH] arm64: fix CONFIG_DEBUG_WX address reporting + +commit 1d08a044cf12aee37dfd54837558e3295287b343 upstream. + +In ptdump_check_wx(), we pass walk_pgd() a start address of 0 (rather +than VA_START) for the init_mm. This means that any reported W&X +addresses are offset by VA_START, which is clearly wrong and can make +them appear like userspace addresses. + +Fix this by telling the ptdump code that we're walking init_mm starting +at VA_START. We don't need to update the addr_markers, since these are +still valid bounds regardless. + +Cc: <stable@vger.kernel.org> +Fixes: 1404d6f13e47 ("arm64: dump: Add checking for writable and exectuable pages") +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Cc: Kees Cook <keescook@chromium.org> +Cc: Laura Abbott <labbott@redhat.com> +Reported-by: Timur Tabi <timur@codeaurora.org> +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/arch/arm64/mm/dump.c b/arch/arm64/mm/dump.c +index ca74a2aace42..7b60d62ac593 100644 +--- a/arch/arm64/mm/dump.c ++++ b/arch/arm64/mm/dump.c +@@ -389,7 +389,7 @@ void ptdump_check_wx(void) + .check_wx = true, + }; + +- walk_pgd(&st, &init_mm, 0); ++ walk_pgd(&st, &init_mm, VA_START); + note_page(&st, 0, 0, 0); + if (st.wx_pages || st.uxn_pages) + pr_warn("Checked W+X mappings: FAILED, %lu W+X pages found, %lu non-UXN pages found\n", +-- +2.15.0 + diff --git a/queue/arm64-mm-Fix-pte_mkclean-pte_mkdirty-semantics.patch b/queue/arm64-mm-Fix-pte_mkclean-pte_mkdirty-semantics.patch new file mode 100644 index 0000000..dbb7fa9 --- /dev/null +++ b/queue/arm64-mm-Fix-pte_mkclean-pte_mkdirty-semantics.patch 
@@ -0,0 +1,107 @@ +From 8781bcbc5e69d7da69e84c7044ca0284848d5d01 Mon Sep 17 00:00:00 2001 +From: Steve Capper <steve.capper@arm.com> +Date: Fri, 1 Dec 2017 17:22:14 +0000 +Subject: [PATCH] arm64: mm: Fix pte_mkclean, pte_mkdirty semantics + +commit 8781bcbc5e69d7da69e84c7044ca0284848d5d01 upstream. + +On systems with hardware dirty bit management, the ltp madvise09 unit +test fails due to dirty bit information being lost and pages being +incorrectly freed. + +This was bisected to: + arm64: Ignore hardware dirty bit updates in ptep_set_wrprotect() + +Reverting this commit leads to a separate problem, that the unit test +retains pages that should have been dropped due to the function +madvise_free_pte_range(.) not cleaning pte's properly. + +Currently pte_mkclean only clears the software dirty bit, thus the +following code sequence can appear: + + pte = pte_mkclean(pte); + if (pte_dirty(pte)) + // this condition can return true with HW DBM! + +This patch also adjusts pte_mkclean to set PTE_RDONLY thus effectively +clearing both the SW and HW dirty information. + +In order for this to function on systems without HW DBM, we need to +also adjust pte_mkdirty to remove the read only bit from writable pte's +to avoid infinite fault loops. 
+ +Cc: <stable@vger.kernel.org> +Fixes: 64c26841b349 ("arm64: Ignore hardware dirty bit updates in ptep_set_wrprotect()") +Reported-by: Bhupinder Thakur <bhupinder.thakur@linaro.org> +Tested-by: Bhupinder Thakur <bhupinder.thakur@linaro.org> +Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> +Signed-off-by: Steve Capper <steve.capper@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 149d05fb9421..3ff03a755c32 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -149,12 +149,20 @@ static inline pte_t pte_mkwrite(pte_t pte) + + static inline pte_t pte_mkclean(pte_t pte) + { +- return clear_pte_bit(pte, __pgprot(PTE_DIRTY)); ++ pte = clear_pte_bit(pte, __pgprot(PTE_DIRTY)); ++ pte = set_pte_bit(pte, __pgprot(PTE_RDONLY)); ++ ++ return pte; + } + + static inline pte_t pte_mkdirty(pte_t pte) + { +- return set_pte_bit(pte, __pgprot(PTE_DIRTY)); ++ pte = set_pte_bit(pte, __pgprot(PTE_DIRTY)); ++ ++ if (pte_write(pte)) ++ pte = clear_pte_bit(pte, __pgprot(PTE_RDONLY)); ++ ++ return pte; + } + + static inline pte_t pte_mkold(pte_t pte) +@@ -641,28 +649,23 @@ static inline pmd_t pmdp_huge_get_and_clear(struct mm_struct *mm, + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + + /* +- * ptep_set_wrprotect - mark read-only while preserving the hardware update of +- * the Access Flag. ++ * ptep_set_wrprotect - mark read-only while trasferring potential hardware ++ * dirty status (PTE_DBM && !PTE_RDONLY) to the software PTE_DIRTY bit. 
+ */ + #define __HAVE_ARCH_PTEP_SET_WRPROTECT + static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long address, pte_t *ptep) + { + pte_t old_pte, pte; + +- /* +- * ptep_set_wrprotect() is only called on CoW mappings which are +- * private (!VM_SHARED) with the pte either read-only (!PTE_WRITE && +- * PTE_RDONLY) or writable and software-dirty (PTE_WRITE && +- * !PTE_RDONLY && PTE_DIRTY); see is_cow_mapping() and +- * protection_map[]. There is no race with the hardware update of the +- * dirty state: clearing of PTE_RDONLY when PTE_WRITE (a.k.a. PTE_DBM) +- * is set. +- */ +- VM_WARN_ONCE(pte_write(*ptep) && !pte_dirty(*ptep), +- "%s: potential race with hardware DBM", __func__); + pte = READ_ONCE(*ptep); + do { + old_pte = pte; ++ /* ++ * If hardware-dirty (PTE_WRITE/DBM bit set and PTE_RDONLY ++ * clear), set the PTE_DIRTY bit. ++ */ ++ if (pte_hw_dirty(pte)) ++ pte = pte_mkdirty(pte); + pte = pte_wrprotect(pte); + pte_val(pte) = cmpxchg_relaxed(&pte_val(*ptep), + pte_val(old_pte), pte_val(pte)); +-- +2.15.0 + diff --git a/queue/arm64-prevent-regressions-in-compressed-kernel-image.patch b/queue/arm64-prevent-regressions-in-compressed-kernel-image.patch new file mode 100644 index 0000000..6862dbd --- /dev/null +++ b/queue/arm64-prevent-regressions-in-compressed-kernel-image.patch 
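Review bot: In pte_mkclean() the added `pte = set_pte_bit(pte, __pgprot(PTE_RDONLY));` carries no comment, although it changes the access permission as a side effect of clearing dirty state. A line such as `/* Also set PTE_RDONLY so the hardware-managed dirty state is cleared, not just PTE_DIRTY */` above it, and a matching note on the `pte_write()` branch in pte_mkdirty(), would stop these being "simplified" away later. The rewritten header comment for ptep_set_wrprotect() also has a typo, `trasferring` for `transferring`. The cmpxchg loop in ptep_set_wrprotect() runs past the end of the hunk, so its exit condition is not visible here.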
@@ -0,0 +1,123 @@ +From fd9dde6abcb9bfe6c6bee48834e157999f113971 Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers <ndesaulniers@google.com> +Date: Fri, 27 Oct 2017 09:33:41 -0700 +Subject: [PATCH] arm64: prevent regressions in compressed kernel image size + when upgrading to binutils 2.27 + +commit fd9dde6abcb9bfe6c6bee48834e157999f113971 upstream. + +Upon upgrading to binutils 2.27, we found that our lz4 and gzip +compressed kernel images were significantly larger, resulting is 10ms +boot time regressions. + +As noted by Rahul: +"aarch64 binaries uses RELA relocations, where each relocation entry +includes an addend value. This is similar to x86_64. On x86_64, the +addend values are also stored at the relocation offset for relative +relocations. This is an optimization: in the case where code does not +need to be relocated, the loader can simply skip processing relative +relocations. In binutils-2.25, both bfd and gold linkers did this for +x86_64, but only the gold linker did this for aarch64. The kernel build +here is using the bfd linker, which stored zeroes at the relocation +offsets for relative relocations. Since a set of zeroes compresses +better than a set of non-zero addend values, this behavior was resulting +in much better lz4 compression. + +The bfd linker in binutils-2.27 is now storing the actual addend values +at the relocation offsets. The behavior is now consistent with what it +does for x86_64 and what gold linker does for both architectures. The +change happened in this upstream commit: +https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=1f56df9d0d5ad89806c24e71f296576d82344613 +Since a bunch of zeroes got replaced by non-zero addend values, we see +the side effect of lz4 compressed image being a bit bigger. + +To get the old behavior from the bfd linker, "--no-apply-dynamic-relocs" +flag can be used: +$ LDFLAGS="--no-apply-dynamic-relocs" make +With this flag, the compressed image size is back to what it was with +binutils-2.25. 
+ +If the kernel is using ASLR, there aren't additional runtime costs to +--no-apply-dynamic-relocs, as the relocations will need to be applied +again anyway after the kernel is relocated to a random address. + +If the kernel is not using ASLR, then presumably the current default +behavior of the linker is better. Since the static linker performed the +dynamic relocs, and the kernel is not moved to a different address at +load time, it can skip applying the relocations all over again." + +Some measurements: + +$ ld -v +GNU ld (binutils-2.25-f3d35cf6) 2.25.51.20141117 + ^ +$ ls -l vmlinux +-rwxr-x--- 1 ndesaulniers eng 300652760 Oct 26 11:57 vmlinux +$ ls -l Image.lz4-dtb +-rw-r----- 1 ndesaulniers eng 16932627 Oct 26 11:57 Image.lz4-dtb + +$ ld -v +GNU ld (binutils-2.27-53dd00a1) 2.27.0.20170315 + ^ +pre patch: +$ ls -l vmlinux +-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 11:43 vmlinux +$ ls -l Image.lz4-dtb +-rw-r----- 1 ndesaulniers eng 18159474 Oct 26 11:43 Image.lz4-dtb + +post patch: +$ ls -l vmlinux +-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 12:06 vmlinux +$ ls -l Image.lz4-dtb +-rw-r----- 1 ndesaulniers eng 16932466 Oct 26 12:06 Image.lz4-dtb + +By Siqi's measurement w/ gzip: +binutils 2.27 with this patch (with --no-apply-dynamic-relocs): +Image 41535488 +Image.gz 13404067 + +binutils 2.27 without this patch (without --no-apply-dynamic-relocs): +Image 41535488 +Image.gz 14125516 + +Any compression scheme should be able to get better results from the +longer runs of zeros, not just GZIP and LZ4. + +10ms boot time savings isn't anything to get excited about, but users of +arm64+compression+bfd-2.27 should not have to pay a penalty for no +runtime improvement. 
+ +Reported-by: Gopinath Elanchezhian <gelanchezhian@google.com> +Reported-by: Sindhuri Pentyala <spentyala@google.com> +Reported-by: Wei Wang <wvw@google.com> +Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Suggested-by: Rahul Chaudhry <rahulchaudhry@google.com> +Suggested-by: Siqi Lin <siqilin@google.com> +Suggested-by: Stephen Hines <srhines@google.com> +Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> +Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +[will: added comment to Makefile] +Signed-off-by: Will Deacon <will.deacon@arm.com> + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index 939b310913cf..953e43dd0417 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -14,8 +14,12 @@ LDFLAGS_vmlinux :=-p --no-undefined -X + CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET) + GZFLAGS :=-9 + +-ifneq ($(CONFIG_RELOCATABLE),) +-LDFLAGS_vmlinux += -pie -shared -Bsymbolic ++ifeq ($(CONFIG_RELOCATABLE), y) ++# Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour ++# for relative relocs, since this leads to better Image compression ++# with the relocation offsets always being zero. ++LDFLAGS_vmlinux += -pie -shared -Bsymbolic \ ++ $(call ld-option, --no-apply-dynamic-relocs) + endif + + ifeq ($(CONFIG_ARM64_ERRATUM_843419),y) +-- +2.15.0 + diff --git a/queue/ath10k-fix-build-errors-with-CONFIG_PM.patch b/queue/ath10k-fix-build-errors-with-CONFIG_PM.patch new file mode 100644 index 0000000..6207c7a --- /dev/null +++ b/queue/ath10k-fix-build-errors-with-CONFIG_PM.patch 
@@ -0,0 +1,79 @@ +From 20665a9076d48e9abd9a2db13d307f58f7ef6647 Mon Sep 17 00:00:00 2001 +From: Brian Norris <briannorris@chromium.org> +Date: Thu, 19 Oct 2017 11:45:19 -0700 +Subject: [PATCH] ath10k: fix build errors with !CONFIG_PM + +commit 20665a9076d48e9abd9a2db13d307f58f7ef6647 upstream. + +Build errors have been reported with CONFIG_PM=n: + +drivers/net/wireless/ath/ath10k/pci.c:3416:8: error: implicit +declaration of function 'ath10k_pci_suspend' +[-Werror=implicit-function-declaration] + +drivers/net/wireless/ath/ath10k/pci.c:3428:8: error: implicit +declaration of function 'ath10k_pci_resume' +[-Werror=implicit-function-declaration] + +These are caused by the combination of the following two commits: + +6af1de2e4ec4 ("ath10k: mark PM functions as __maybe_unused") +96378bd2c6cd ("ath10k: fix core PCI suspend when WoWLAN is supported but +disabled") + +Both build fine on their own. + +But now that ath10k_pci_pm_{suspend,resume}() is compiled +unconditionally, we should also compile ath10k_pci_{suspend,resume}() +unconditionally. + +And drop the #ifdef around ath10k_pci_hif_{suspend,resume}() too; they +are trivial (empty), so we're not saving much space by compiling them +out. And the alternatives would be to sprinkle more __maybe_unused, or +spread the #ifdef's further. 
+ +Build tested with the following combinations: +CONFIG_PM=y && CONFIG_PM_SLEEP=y +CONFIG_PM=y && CONFIG_PM_SLEEP=n +CONFIG_PM=n + +Fixes: 96378bd2c6cd ("ath10k: fix core PCI suspend when WoWLAN is supported but disabled") +Fixes: 096ad2a15fd8 ("Merge branch 'ath-next'") +Signed-off-by: Brian Norris <briannorris@chromium.org> +Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index b18a9b690df4..d790ea20b95d 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -2577,8 +2577,6 @@ void ath10k_pci_hif_power_down(struct ath10k *ar) + */ + } + +-#ifdef CONFIG_PM +- + static int ath10k_pci_hif_suspend(struct ath10k *ar) + { + /* Nothing to do; the important stuff is in the driver suspend. */ +@@ -2627,7 +2625,6 @@ static int ath10k_pci_resume(struct ath10k *ar) + + return ret; + } +-#endif + + static bool ath10k_pci_validate_cal(void *data, size_t size) + { +@@ -2782,10 +2779,8 @@ static const struct ath10k_hif_ops ath10k_pci_hif_ops = { + .power_down = ath10k_pci_hif_power_down, + .read32 = ath10k_pci_read32, + .write32 = ath10k_pci_write32, +-#ifdef CONFIG_PM + .suspend = ath10k_pci_hif_suspend, + .resume = ath10k_pci_hif_resume, +-#endif + .fetch_cal_eeprom = ath10k_pci_hif_fetch_cal_eeprom, + }; + +-- +2.15.0 + diff --git a/queue/ath10k-fix-core-PCI-suspend-when-WoWLAN-is-supported.patch b/queue/ath10k-fix-core-PCI-suspend-when-WoWLAN-is-supported.patch new file mode 100644 index 0000000..4eca9d9 --- /dev/null +++ b/queue/ath10k-fix-core-PCI-suspend-when-WoWLAN-is-supported.patch 
@@ -0,0 +1,95 @@ +From 96378bd2c6cda5f04d0f6da2cd35d4670a982c38 Mon Sep 17 00:00:00 2001 +From: Brian Norris <briannorris@chromium.org> +Date: Wed, 4 Oct 2017 12:22:55 +0300 +Subject: [PATCH] ath10k: fix core PCI suspend when WoWLAN is supported but + disabled + +commit 96378bd2c6cda5f04d0f6da2cd35d4670a982c38 upstream. + +For devices where the FW supports WoWLAN but user-space has not +configured it, we don't do any PCI-specific suspend/resume operations, +because mac80211 doesn't call drv_suspend() when !wowlan. This has +particularly bad effects for some platforms, because we don't stop the +power-save timer, and if this timer goes off after the PCI controller +has suspended the link, Bad Things will happen. + +Commit 32faa3f0ee50 ("ath10k: add the PCI PM core suspend/resume ops") +got some of this right, in that it understood there was a problem on +non-WoWLAN firmware. But it forgot the $subject case. + +Fix this by moving all the PCI driver suspend/resume logic exclusively +into the driver PM hooks. This shouldn't affect WoWLAN support much +(this just gets executed later on). + +I would just as well kill the entirety of ath10k_hif_suspend(), as it's +not even implemented on the USB or SDIO drivers. I expect that we don't +need the callback, except to return "supported" (i.e., 0) or "not +supported" (i.e., -EOPNOTSUPP). 
+ +Fixes: 32faa3f0ee50 ("ath10k: add the PCI PM core suspend/resume ops") +Fixes: 77258d409ce4 ("ath10k: enable pci soc powersaving") +Signed-off-by: Brian Norris <briannorris@chromium.org> +Cc: Ryan Hsu <ryanhsu@qti.qualcomm.com> +Cc: Kalle Valo <kvalo@qca.qualcomm.com> +Cc: Michal Kazior <michal.kazior@tieto.com> +Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index bc1633945a56..4655c944e3fd 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -2580,6 +2580,12 @@ void ath10k_pci_hif_power_down(struct ath10k *ar) + #ifdef CONFIG_PM + + static int ath10k_pci_hif_suspend(struct ath10k *ar) ++{ ++ /* Nothing to do; the important stuff is in the driver suspend. */ ++ return 0; ++} ++ ++static int ath10k_pci_suspend(struct ath10k *ar) + { + /* The grace timer can still be counting down and ar->ps_awake be true. + * It is known that the device may be asleep after resuming regardless +@@ -2592,6 +2598,12 @@ static int ath10k_pci_hif_suspend(struct ath10k *ar) + } + + static int ath10k_pci_hif_resume(struct ath10k *ar) ++{ ++ /* Nothing to do; the important stuff is in the driver resume. 
*/ ++ return 0; ++} ++ ++static int ath10k_pci_resume(struct ath10k *ar) + { + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); + struct pci_dev *pdev = ar_pci->pdev; +@@ -3403,11 +3415,7 @@ static int ath10k_pci_pm_suspend(struct device *dev) + struct ath10k *ar = dev_get_drvdata(dev); + int ret; + +- if (test_bit(ATH10K_FW_FEATURE_WOWLAN_SUPPORT, +- ar->running_fw->fw_file.fw_features)) +- return 0; +- +- ret = ath10k_hif_suspend(ar); ++ ret = ath10k_pci_suspend(ar); + if (ret) + ath10k_warn(ar, "failed to suspend hif: %d\n", ret); + +@@ -3419,11 +3427,7 @@ static int ath10k_pci_pm_resume(struct device *dev) + struct ath10k *ar = dev_get_drvdata(dev); + int ret; + +- if (test_bit(ATH10K_FW_FEATURE_WOWLAN_SUPPORT, +- ar->running_fw->fw_file.fw_features)) +- return 0; +- +- ret = ath10k_hif_resume(ar); ++ ret = ath10k_pci_resume(ar); + if (ret) + ath10k_warn(ar, "failed to resume hif: %d\n", ret); + +-- +2.15.0 + diff --git a/queue/ath9k-fix-tx99-potential-info-leak.patch b/queue/ath9k-fix-tx99-potential-info-leak.patch new file mode 100644 index 0000000..43141e1 --- /dev/null +++ b/queue/ath9k-fix-tx99-potential-info-leak.patch 
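Review bot: In ath10k_pci_pm_suspend() and ath10k_pci_pm_resume() the warnings still read `"failed to suspend hif: %d\n"` and `"failed to resume hif: %d\n"`, but the calls are now `ath10k_pci_suspend(ar)` and `ath10k_pci_resume(ar)`. The hif callbacks have become stubs that always return 0, so the messages name the wrong layer for anyone triaging a suspend failure from logs. Consider `"failed to suspend pci: %d\n"` and `"failed to resume pci: %d\n"`, or a comment noting the wording is kept for log compatibility.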
@@ -0,0 +1,46 @@
+From ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Wed, 27 Sep 2017 09:13:34 +0800
+Subject: [PATCH] ath9k: fix tx99 potential info leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 upstream.
+
+When the user sets count to zero the string buffer would remain
+completely uninitialized which causes the kernel to parse its
+own stack data, potentially leading to an info leak. In addition
+to that, the string might be not terminated properly when the
+user data does not contain a 0-terminator.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+
+diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c
+index 49ed1afb913c..fe3a8263b224 100644
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -179,6 +179,9 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
+ ssize_t len;
+ int r;
+
++ if (count < 1)
++ return -EINVAL;
++
+ if (sc->cur_chan->nvifs > 1)
+ return -EOPNOTSUPP;
+
+@@ -186,6 +189,8 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
++ buf[len] = '\0';
++
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
+--
+2.15.0
+
diff --git a/queue/autofs-fix-careless-error-in-recent-commit.patch b/queue/autofs-fix-careless-error-in-recent-commit.patch
new file mode 100644
index 0000000..d7f1dfe
--- /dev/null
+++ b/queue/autofs-fix-careless-error-in-recent-commit.patch
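Review bot: The added `buf[len] = '\0';` in write_file_tx99() is only in bounds if `len` is strictly smaller than the size of `buf`, and the statement that assigns `len` falls between the two inner hunks, so it is not visible here. Presumably it clamps `count` to `sizeof(buf) - 1`; that should be confirmed against the full function before this backport is queued. A comment next to the store, e.g. `/* len <= sizeof(buf) - 1, so the terminator fits */`, would tie the two lines together for later edits. The function body starts before and continues after both hunks.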
@@ -0,0 +1,35 @@ +From 302ec300ef8a545a7fc7f667e5fd743b091c2eeb Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.com> +Date: Thu, 14 Dec 2017 15:32:38 -0800 +Subject: [PATCH] autofs: fix careless error in recent commit + +commit 302ec300ef8a545a7fc7f667e5fd743b091c2eeb upstream. + +Commit ecc0c469f277 ("autofs: don't fail mount for transient error") was +meant to replace an 'if' with a 'switch', but instead added the 'switch' +leaving the case in place. + +Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name +Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error") +Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk> +Signed-off-by: NeilBrown <neilb@suse.com> +Cc: Ian Kent <raven@themaw.net> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c +index 8fc41705c7cd..961a12dc6dc8 100644 +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -170,7 +170,6 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi, + + mutex_unlock(&sbi->wq_mutex); + +- if (autofs4_write(sbi, pipe, &pkt, pktsz)) + switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { + case 0: + break; +-- +2.15.0 + diff --git a/queue/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch b/queue/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch new file mode 100644 index 0000000..7ad5e9b --- /dev/null +++ b/queue/badblocks-fix-wrong-return-value-in-badblocks_set-if.patch 
@@ -0,0 +1,36 @@ +From 39b4954c0a1556f8f7f1fdcf59a227117fcd8a0b Mon Sep 17 00:00:00 2001 +From: Liu Bo <bo.li.liu@oracle.com> +Date: Fri, 3 Nov 2017 11:24:44 -0600 +Subject: [PATCH] badblocks: fix wrong return value in badblocks_set if + badblocks are disabled + +commit 39b4954c0a1556f8f7f1fdcf59a227117fcd8a0b upstream. + +MD's rdev_set_badblocks() expects that badblocks_set() returns 1 if +badblocks are disabled, otherwise, rdev_set_badblocks() will record +superblock changes and return success in that case and md will fail to +report an IO error which it should. + +This bug has existed since badblocks were introduced in commit +9e0e252a048b ("badblocks: Add core badblock management code"). + +Signed-off-by: Liu Bo <bo.li.liu@oracle.com> +Acked-by: Guoqing Jiang <gqjiang@suse.com> +Signed-off-by: Shaohua Li <shli@fb.com> + +diff --git a/block/badblocks.c b/block/badblocks.c +index 43c71166e1e2..91f7bcf979d3 100644 +--- a/block/badblocks.c ++++ b/block/badblocks.c +@@ -178,7 +178,7 @@ int badblocks_set(struct badblocks *bb, sector_t s, int sectors, + + if (bb->shift < 0) + /* badblocks are disabled */ +- return 0; ++ return 1; + + if (bb->shift) { + /* round the start down, and the end up */ +-- +2.15.0 + diff --git a/queue/bcache-explicitly-destroy-mutex-while-exiting.patch b/queue/bcache-explicitly-destroy-mutex-while-exiting.patch new file mode 100644 index 0000000..7879711 --- /dev/null +++ b/queue/bcache-explicitly-destroy-mutex-while-exiting.patch 
@@ -0,0 +1,56 @@ +From 330a4db89d39a6b43f36da16824eaa7a7509d34d Mon Sep 17 00:00:00 2001 +From: Liang Chen <liangchen.linux@gmail.com> +Date: Mon, 30 Oct 2017 14:46:35 -0700 +Subject: [PATCH] bcache: explicitly destroy mutex while exiting + +commit 330a4db89d39a6b43f36da16824eaa7a7509d34d upstream. + +mutex_destroy does nothing most of time, but it's better to call +it to make the code future proof and it also has some meaning +for like mutex debug. + +As Coly pointed out in a previous review, bcache_exit() may not be +able to handle all the references properly if userspace registers +cache and backing devices right before bch_debug_init runs and +bch_debug_init failes later. So not exposing userspace interface +until everything is ready to avoid that issue. + +Signed-off-by: Liang Chen <liangchen.linux@gmail.com> +Reviewed-by: Michael Lyle <mlyle@lyle.org> +Reviewed-by: Coly Li <colyli@suse.de> +Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 46134c45c6f6..b4d28928dec5 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -2095,6 +2095,7 @@ static void bcache_exit(void) + if (bcache_major) + unregister_blkdev(bcache_major, "bcache"); + unregister_reboot_notifier(&reboot); ++ mutex_destroy(&bch_register_lock); + } + + static int __init bcache_init(void) +@@ -2113,14 +2114,15 @@ static int __init bcache_init(void) + bcache_major = register_blkdev(0, "bcache"); + if (bcache_major < 0) { + unregister_reboot_notifier(&reboot); ++ mutex_destroy(&bch_register_lock); + return bcache_major; + } + + if (!(bcache_wq = alloc_workqueue("bcache", WQ_MEM_RECLAIM, 0)) || + !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) || +- sysfs_create_files(bcache_kobj, files) || + bch_request_init() || +- bch_debug_init(bcache_kobj)) ++ bch_debug_init(bcache_kobj) || ++ sysfs_create_files(bcache_kobj, files)) + goto err; + + return 
0; +-- +2.15.0 + diff --git a/queue/bcache-fix-wrong-cache_misses-statistics.patch b/queue/bcache-fix-wrong-cache_misses-statistics.patch new file mode 100644 index 0000000..a791146 --- /dev/null +++ b/queue/bcache-fix-wrong-cache_misses-statistics.patch 
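Review bot: In bcache_init() the fix depends on `sysfs_create_files(bcache_kobj, files)` being the last term of the `||` chain, but nothing in the code says the order matters. The commit message explains that the userspace register interface must not appear until `bch_request_init()` and `bch_debug_init()` have succeeded. I would add `/* Keep sysfs_create_files() last: it exposes the register interface to userspace */` above the condition. The `err:` label that this chain jumps to is outside the hunk, so it cannot be confirmed from here that the failure path also reaches the new `mutex_destroy(&bch_register_lock)`.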
@@ -0,0 +1,62 @@
+From c157313791a999646901b3e3c6888514ebc36d62 Mon Sep 17 00:00:00 2001
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Mon, 30 Oct 2017 14:46:34 -0700
+Subject: [PATCH] bcache: fix wrong cache_misses statistics
+
+commit c157313791a999646901b3e3c6888514ebc36d62 upstream.
+
+Currently, Cache missed IOs are identified by s->cache_miss, but actually,
+there are many situations that missed IOs are not assigned a value for
+s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO
+(s->iop.bypass = 1), or the cache_bio allocate failed. In these situations,
+it will go to out_put or out_submit, and s->cache_miss is null, which leads
+bch_mark_cache_accounting() to treat this IO as a hit IO.
+
+[ML: applied by 3-way merge]
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
+index 886e4b6643f1..597dd1e87bea 100644
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -470,6 +470,7 @@ struct search {
+ unsigned recoverable:1;
+ unsigned write:1;
+ unsigned read_dirty_data:1;
++ unsigned cache_missed:1;
+
+ unsigned long start_time;
+
+@@ -656,6 +657,7 @@ static inline struct search *search_alloc(struct bio *bio,
+
+ s->orig_bio = bio;
+ s->cache_miss = NULL;
++ s->cache_missed = 0;
+ s->d = d;
+ s->recoverable = 1;
+ s->write = op_is_write(bio_op(bio));
+@@ -775,7 +777,7 @@ static void cached_dev_read_done_bh(struct closure *cl)
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+ bch_mark_cache_accounting(s->iop.c, s->d,
+- !s->cache_miss, s->iop.bypass);
++ !s->cache_missed, s->iop.bypass);
+ trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass);
+
+ if (s->iop.status)
+@@ -794,6 +796,8 @@ static int cached_dev_cache_miss(struct btree *b, struct search *s,
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+ struct bio *miss, *cache_bio;
+
++ s->cache_missed = 1;
++
+ if (s->cache_miss || s->iop.bypass) {
+ miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split);
+ ret = miss == bio ? MAP_DONE : MAP_CONTINUE;
+--
+2.15.0
+
diff --git a/queue/blk-mq-sched-dispatch-from-scheduler-IFF-progress-is.patch b/queue/blk-mq-sched-dispatch-from-scheduler-IFF-progress-is.patch
new file mode 100644
index 0000000..55ef133
--- /dev/null
+++ b/queue/blk-mq-sched-dispatch-from-scheduler-IFF-progress-is.patch
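Review bot: In cached_dev_read_done_bh() (bcache cache_misses patch) the accounting call now keys off `s->cache_missed`, but the `trace_bcache_read()` call on the next line still passes `!s->cache_miss`, so for a bypassed IO or a failed cache_bio allocation the tracepoint would report a hit while the statistics count a miss. If the two are meant to agree, the trace line would become `trace_bcache_read(s->orig_bio, !s->cache_missed, s->iop.bypass);`. The new bitfield in struct search also deserves a one-line comment, e.g. `/* set when cached_dev_cache_miss() ran, even if no cache_miss bio was set */`. The function bodies touched here start and end outside the hunks.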
@@ -0,0 +1,61 @@
+From 5e3d02bbafad38975099b5848f5ebadedcf7bb7e Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 14 Oct 2017 17:22:25 +0800
+Subject: [PATCH] blk-mq-sched: dispatch from scheduler IFF progress is made in
+ ->dispatch
+
+commit 5e3d02bbafad38975099b5848f5ebadedcf7bb7e upstream.
+
+When the hw queue is busy, we shouldn't take requests from the scheduler
+queue any more, otherwise it is difficult to do IO merge.
+
+This patch fixes the awful IO performance on some SCSI devices(lpfc,
+qla2xxx, ...) when mq-deadline/kyber is used by not taking requests if
+hw queue is busy.
+
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c
+index 4ab69435708c..eca011fdfa0e 100644
+--- a/block/blk-mq-sched.c
++++ b/block/blk-mq-sched.c
+@@ -94,7 +94,7 @@ void blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx)
+ struct request_queue *q = hctx->queue;
+ struct elevator_queue *e = q->elevator;
+ const bool has_sched_dispatch = e && e->type->ops.mq.dispatch_request;
+- bool did_work = false;
++ bool do_sched_dispatch = true;
+ LIST_HEAD(rq_list);
+
+ /* RCU or SRCU read lock is needed before checking quiesced flag */
+@@ -125,18 +125,18 @@ void blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx)
+ */
+ if (!list_empty(&rq_list)) {
+ blk_mq_sched_mark_restart_hctx(hctx);
+- did_work = blk_mq_dispatch_rq_list(q, &rq_list);
++ do_sched_dispatch = blk_mq_dispatch_rq_list(q, &rq_list);
+ } else if (!has_sched_dispatch) {
+ blk_mq_flush_busy_ctxs(hctx, &rq_list);
+ blk_mq_dispatch_rq_list(q, &rq_list);
+ }
+
+ /*
+- * We want to dispatch from the scheduler if we had no work left
+- * on the dispatch list, OR if we did have work but weren't able
+- * to make progress.
++ * We want to dispatch from the scheduler if there was nothing
++ * on the dispatch list or we were able to dispatch from the
++ * dispatch list.
+ */
+- if (!did_work && has_sched_dispatch) {
++ if (do_sched_dispatch && has_sched_dispatch) {
+ do {
+ struct request *rq;
+
+--
+2.15.0
+
diff --git a/queue/btrfs-Explicitly-handle-btrfs_update_root-failure.patch b/queue/btrfs-Explicitly-handle-btrfs_update_root-failure.patch
new file mode 100644
index 0000000..faa4734
--- /dev/null
+++ b/queue/btrfs-Explicitly-handle-btrfs_update_root-failure.patch
@@ -0,0 +1,44 @@
+From 9417ebc8a676487c6ec8825f92fb28f7dbeb5f4b Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Thu, 28 Sep 2017 10:53:17 +0300
+Subject: [PATCH] btrfs: Explicitly handle btrfs_update_root failure
+
+commit 9417ebc8a676487c6ec8825f92fb28f7dbeb5f4b upstream.
+
+btrfs_udpate_root can fail and it aborts the transaction, the correct
+way to handle an aborted transaction is to explicitly end with
+btrfs_end_transaction. Even now the code is correct since
+btrfs_commit_transaction would handle an aborted transaction but this is
+more of an implementation detail. So let's be explicit in handling
+failure in btrfs_update_root.
+
+Furthermore btrfs_commit_transaction can also fail and by ignoring it's
+return value we could have left the in-memory copy of the root item in
+an inconsistent state. So capture the error value which allows us to
+correctly revert the RO/RW flags in case of commit failure.
+
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index feab6f61cb97..86728e06e263 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1827,8 +1827,13 @@ static noinline int btrfs_ioctl_subvol_setflags(struct file *file,
+
+ ret = btrfs_update_root(trans, fs_info->tree_root,
+ &root->root_key, &root->root_item);
++ if (ret < 0) {
++ btrfs_end_transaction(trans);
++ goto out_reset;
++ }
++
++ ret = btrfs_commit_transaction(trans);
+
+- btrfs_commit_transaction(trans);
+ out_reset:
+ if (ret)
+ btrfs_set_root_flags(&root->root_item, root_flags);
+--
+2.15.0
+
diff --git a/queue/btrfs-avoid-null-pointer-dereference-on-fs_info-when.patch b/queue/btrfs-avoid-null-pointer-dereference-on-fs_info-when.patch
new file mode 100644
index 0000000..bdd8abe
--- /dev/null
+++ b/queue/btrfs-avoid-null-pointer-dereference-on-fs_info-when.patch
@@ -0,0 +1,45 @@
+From 3993b112dac968612b0b213ed59cb30f50b0015b Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 11 Sep 2017 16:15:28 +0100
+Subject: [PATCH] btrfs: avoid null pointer dereference on fs_info when calling
+ btrfs_crit
+
+commit 3993b112dac968612b0b213ed59cb30f50b0015b upstream.
+
+There are checks on fs_info in __btrfs_panic to avoid dereferencing a
+null fs_info, however, there is a call to btrfs_crit that may also
+dereference a null fs_info. Fix this by adding a check to see if fs_info
+is null and only print the s_id if fs_info is non-null.
+
+Detected by CoverityScan CID#401973 ("Dereference after null check")
+
+Fixes: efe120a067c8 ("Btrfs: convert printk to btrfs_ and fix BTRFS prefix")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index 161694b66038..e8f5e24325f3 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -202,7 +202,6 @@ static struct ratelimit_state printk_limits[] = {
+
+ void btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
+ {
+- struct super_block *sb = fs_info->sb;
+ char lvl[PRINTK_MAX_SINGLE_HEADER_LEN + 1] = "\0";
+ struct va_format vaf;
+ va_list args;
+@@ -228,7 +227,8 @@ void btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
+ vaf.va = &args;
+
+ if (__ratelimit(ratelimit))
+- printk("%sBTRFS %s (device %s): %pV\n", lvl, type, sb->s_id, &vaf);
++ printk("%sBTRFS %s (device %s): %pV\n", lvl, type,
++ fs_info ? fs_info->sb->s_id : "<unknown>", &vaf);
+
+ va_end(args);
+ }
+--
+2.15.0
+
diff --git a/queue/btrfs-fix-false-EIO-for-missing-device.patch b/queue/btrfs-fix-false-EIO-for-missing-device.patch
new file mode 100644
index 0000000..9606de4
--- /dev/null
+++ b/queue/btrfs-fix-false-EIO-for-missing-device.patch
@@ -0,0 +1,56 @@
+From 102ed2c5ff932439bbbe74c7bd63e6d5baa9f732 Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Sat, 14 Oct 2017 08:34:02 +0800
+Subject: [PATCH] btrfs: fix false EIO for missing device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 102ed2c5ff932439bbbe74c7bd63e6d5baa9f732 upstream.
+
+When one of the device is missing, bbio_error() takes care of setting
+the error status. And if its only IO that is pending in that stripe, it
+fails to check the status of the other IO at %bbio_error before setting
+the error %bi_status for the %orig_bio. Fix this by checking if
+%bbio->error has exceeded the %bbio->max_errors.
+
+Reproducer as below fdatasync error is seen intermittently.
+
+ mount -o degraded /dev/sdc /btrfs
+ dd status=none if=/dev/zero of=$(mktemp /btrfs/XXX) bs=4096 count=1 conv=fdatasync
+
+ dd: fdatasync failed for ‘/btrfs/LSe’: Input/output error
+
+ The reason for the intermittences of the problem is because
+ the following conditions have to be met, which depends on timing:
+ In btrfs_map_bio()
+ - the RAID1 the missing device has to be at %dev_nr = 1
+ In bbio_error()
+ . before bbio_error() is called the bio of the not-missing
+ device at %dev_nr = 0 must be completed so that the below
+ condition is true
+ if (atomic_dec_and_test(&bbio->stripes_pending)) {
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 6df39b5fda89..11d7707a3fb3 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6129,7 +6129,10 @@ static void bbio_error(struct btrfs_bio *bbio, struct bio *bio, u64 logical)
+
+ btrfs_io_bio(bio)->mirror_num = bbio->mirror_num;
+ bio->bi_iter.bi_sector = logical >> 9;
+- bio->bi_status = BLK_STS_IOERR;
++ if (atomic_read(&bbio->error) > bbio->max_errors)
++ bio->bi_status = BLK_STS_IOERR;
++ else
++ bio->bi_status = BLK_STS_OK;
+ btrfs_end_bbio(bbio, bio);
+ }
+ }
+--
+2.15.0
+
diff --git a/queue/btrfs-tests-Fix-a-memory-leak-in-error-handling-path.patch b/queue/btrfs-tests-Fix-a-memory-leak-in-error-handling-path.patch
new file mode 100644
index 0000000..fb4926b
--- /dev/null
+++ b/queue/btrfs-tests-Fix-a-memory-leak-in-error-handling-path.patch
@@ -0,0 +1,32 @@
+From 9ca2e97fa3c3216200afe35a3b111ec51cc796d2 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 10 Sep 2017 13:19:38 +0200
+Subject: [PATCH] btrfs: tests: Fix a memory leak in error handling path in
+ 'run_test()'
+
+commit 9ca2e97fa3c3216200afe35a3b111ec51cc796d2 upstream.
+
+If 'btrfs_alloc_path()' fails, we must free the resources already
+allocated, as done in the other error handling paths in this function.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+diff --git a/fs/btrfs/tests/free-space-tree-tests.c b/fs/btrfs/tests/free-space-tree-tests.c
+index 1458bb0ea124..8444a018cca2 100644
+--- a/fs/btrfs/tests/free-space-tree-tests.c
++++ b/fs/btrfs/tests/free-space-tree-tests.c
+@@ -500,7 +500,8 @@ static int run_test(test_func_t test_func, int bitmaps, u32 sectorsize,
+ path = btrfs_alloc_path();
+ if (!path) {
+ test_msg("Couldn't allocate path\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto out;
+ }
+
+ ret = add_block_group_free_space(&trans, root->fs_info, cache);
+--
+2.15.0
+
diff --git a/queue/btrfs-undo-writable-superblocke-when-sprouting-fails.patch b/queue/btrfs-undo-writable-superblocke-when-sprouting-fails.patch
new file mode 100644
index 0000000..8858ee2
--- /dev/null
+++ b/queue/btrfs-undo-writable-superblocke-when-sprouting-fails.patch
@@ -0,0 +1,31 @@
+From 0af2c4bf5a012a40a2f9230458087d7f068339d0 Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Thu, 28 Sep 2017 14:51:09 +0800
+Subject: [PATCH] btrfs: undo writable superblocke when sprouting fails
+
+commit 0af2c4bf5a012a40a2f9230458087d7f068339d0 upstream.
+
+When new device is being added to seed FS, seed FS is marked writable,
+but when we fail to bring in the new device, we missed to undo the
+writable part. This patch fixes it.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index ac1e8686ba78..0be58b5a320c 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2496,6 +2496,8 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
+ return ret;
+
+ error_trans:
++ if (seeding_dev)
++ sb->s_flags |= MS_RDONLY;
+ btrfs_end_transaction(trans);
+ rcu_string_free(device->name);
+ btrfs_sysfs_rm_device_link(fs_info->fs_devices, device);
+--
+2.15.0
+
diff --git a/queue/ceph-drop-negative-child-dentries-before-try-pruning.patch b/queue/ceph-drop-negative-child-dentries-before-try-pruning.patch
new file mode 100644
index 0000000..3202431
--- /dev/null
+++ b/queue/ceph-drop-negative-child-dentries-before-try-pruning.patch
@@ -0,0 +1,85 @@
+From 040d786032bf59002d374b86d75b04d97624005c Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 30 Nov 2017 11:59:22 +0800
+Subject: [PATCH] ceph: drop negative child dentries before try pruning inode's
+ alias
+
+commit 040d786032bf59002d374b86d75b04d97624005c upstream.
+
+Negative child dentry holds reference on inode's alias, it makes
+d_prune_aliases() do nothing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index ab69dcb70e8a..1b468250e947 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -1440,6 +1440,29 @@ static int __close_session(struct ceph_mds_client *mdsc,
+ return request_close_session(mdsc, session);
+ }
+
++static bool drop_negative_children(struct dentry *dentry)
++{
++ struct dentry *child;
++ bool all_negative = true;
++
++ if (!d_is_dir(dentry))
++ goto out;
++
++ spin_lock(&dentry->d_lock);
++ list_for_each_entry(child, &dentry->d_subdirs, d_child) {
++ if (d_really_is_positive(child)) {
++ all_negative = false;
++ break;
++ }
++ }
++ spin_unlock(&dentry->d_lock);
++
++ if (all_negative)
++ shrink_dcache_parent(dentry);
++out:
++ return all_negative;
++}
++
+ /*
+ * Trim old(er) caps.
+ *
+@@ -1490,16 +1513,27 @@ static int trim_caps_cb(struct inode *inode, struct ceph_cap *cap, void *arg)
+ if ((used | wanted) & ~oissued & mine)
+ goto out; /* we need these caps */
+
+- session->s_trim_caps--;
+ if (oissued) {
+ /* we aren't the only cap.. just remove us */
+ __ceph_remove_cap(cap, true);
++ session->s_trim_caps--;
+ } else {
++ struct dentry *dentry;
+ /* try dropping referring dentries */
+ spin_unlock(&ci->i_ceph_lock);
+- d_prune_aliases(inode);
+- dout("trim_caps_cb %p cap %p pruned, count now %d\n",
+- inode, cap, atomic_read(&inode->i_count));
++ dentry = d_find_any_alias(inode);
++ if (dentry && drop_negative_children(dentry)) {
++ int count;
++ dput(dentry);
++ d_prune_aliases(inode);
++ count = atomic_read(&inode->i_count);
++ if (count == 1)
++ session->s_trim_caps--;
++ dout("trim_caps_cb %p cap %p pruned, count now %d\n",
++ inode, cap, count);
++ } else {
++ dput(dentry);
++ }
+ return 0;
+ }
+
+--
+2.15.0
+
diff --git a/queue/cifs-fix-NULL-deref-in-SMB2_read.patch b/queue/cifs-fix-NULL-deref-in-SMB2_read.patch
new file mode 100644
index 0000000..fbccd26
--- /dev/null
+++ b/queue/cifs-fix-NULL-deref-in-SMB2_read.patch
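Review bot: drop_negative_children() in the ceph patch has no comment, and its return value is easy to misread: for a dentry that is not a directory it returns true without taking d_lock, and for a directory the scan and the shrink are not atomic, because d_lock is released before shrink_dcache_parent() runs. A header comment would state both, e.g. `/* Returns true if no positive child was seen (always true for non-directories); best effort, children may change once d_lock is dropped. */`. In trim_caps_cb() the new `else` branch also runs `dput(dentry)` when d_find_any_alias() returned NULL, which depends on dput() accepting a NULL pointer; a short comment there, `/* dentry may be NULL here */`, would make that intentional. trim_caps_cb() starts and ends outside the hunk.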
@@ -0,0 +1,62 @@
+From a821df3f1af72aa6a0d573eea94a7dd2613e9f4e Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 21 Nov 2017 09:36:33 +1100
+Subject: [PATCH] cifs: fix NULL deref in SMB2_read
+
+commit a821df3f1af72aa6a0d573eea94a7dd2613e9f4e upstream.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 5331631386a2..01346b8b6edb 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2678,27 +2678,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
+ cifs_small_buf_release(req);
+
+ rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
+- shdr = get_sync_hdr(rsp);
+
+- if (shdr->Status == STATUS_END_OF_FILE) {
++ if (rc) {
++ if (rc != -ENODATA) {
++ cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
++ cifs_dbg(VFS, "Send error in read = %d\n", rc);
++ }
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+- return 0;
++ return rc == -ENODATA ? 0 : rc;
+ }
+
+- if (rc) {
+- cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
+- cifs_dbg(VFS, "Send error in read = %d\n", rc);
+- } else {
+- *nbytes = le32_to_cpu(rsp->DataLength);
+- if ((*nbytes > CIFS_MAX_MSGSIZE) ||
+- (*nbytes > io_parms->length)) {
+- cifs_dbg(FYI, "bad length %d for count %d\n",
+- *nbytes, io_parms->length);
+- rc = -EIO;
+- *nbytes = 0;
+- }
++ *nbytes = le32_to_cpu(rsp->DataLength);
++ if ((*nbytes > CIFS_MAX_MSGSIZE) ||
++ (*nbytes > io_parms->length)) {
++ cifs_dbg(FYI, "bad length %d for count %d\n",
++ *nbytes, io_parms->length);
++ rc = -EIO;
++ *nbytes = 0;
+ }
+
++ shdr = get_sync_hdr(rsp);
++
+ if (*buf) {
+ memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+--
+2.15.0
+
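Review bot: The `memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes)` kept as context in SMB2_read() is still not bounded by the size of the received response: the hunk checks `*nbytes` against CIFS_MAX_MSGSIZE and `io_parms->length`, but nothing visible here checks that `rsp->DataOffset` plus `*nbytes` lies inside the buffer behind `rsp_iov`. Both fields come from the server, so a malformed reply could make the copy read past the end of the response. A guard placed before `shdr = get_sync_hdr(rsp);`, along the lines of `if (rsp->DataOffset + *nbytes > RESPONSE_LEN) { rc = -EIO; *nbytes = 0; }`, would close that; RESPONSE_LEN is a placeholder for the received length, presumably derived from `rsp_iov.iov_len` once the header offset is accounted for. SMB2_read() continues outside the hunk, so a check elsewhere cannot be ruled out from here.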
diff --git a/queue/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch b/queue/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
new file mode 100644
index 0000000..513128d
--- /dev/null
+++ b/queue/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
@@ -0,0 +1,35 @@
+From d2a3671ebe6479483a12f94fcca63c058d95ad64 Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Fri, 1 Sep 2017 08:47:14 +0800
+Subject: [PATCH] clk: hi6220: mark clock cs_atb_syspll as critical
+
+commit d2a3671ebe6479483a12f94fcca63c058d95ad64 upstream.
+
+Clock cs_atb_syspll is pll used for coresight trace bus; when clock
+cs_atb_syspll is disabled and operates its child clock node cs_atb
+results in system hang. So mark clock cs_atb_syspll as critical to
+keep it enabled.
+
+Cc: Guodong Xu <guodong.xu@linaro.org>
+Cc: Zhangfei Gao <zhangfei.gao@linaro.org>
+Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Michael Turquette <mturquette@baylibre.com>
+Link: lkml.kernel.org/r/1504226835-2115-2-git-send-email-leo.yan@linaro.org
+
+diff --git a/drivers/clk/hisilicon/clk-hi6220.c b/drivers/clk/hisilicon/clk-hi6220.c
+index e786d717f75d..a87809d4bd52 100644
+--- a/drivers/clk/hisilicon/clk-hi6220.c
++++ b/drivers/clk/hisilicon/clk-hi6220.c
+@@ -145,7 +145,7 @@ static struct hisi_gate_clock hi6220_separated_gate_clks_sys[] __initdata = {
+ { HI6220_BBPPLL_SEL, "bbppll_sel", "pll0_bbp_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 9, 0, },
+ { HI6220_MEDIA_PLL_SRC, "media_pll_src", "pll_media_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 10, 0, },
+ { HI6220_MMC2_SEL, "mmc2_sel", "mmc2_mux1", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 11, 0, },
+- { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 12, 0, },
++ { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IS_CRITICAL, 0x270, 12, 0, },
+ };
+
+ static struct hisi_mux_clock hi6220_mux_clks_sys[] __initdata = {
+--
+2.15.0
+
diff --git a/queue/clk-imx-imx7d-Fix-parent-clock-for-OCRAM_CLK.patch b/queue/clk-imx-imx7d-Fix-parent-clock-for-OCRAM_CLK.patch
new file mode 100644
index 0000000..4c512c7
--- /dev/null
+++ b/queue/clk-imx-imx7d-Fix-parent-clock-for-OCRAM_CLK.patch
@@ -0,0 +1,51 @@
+From edc5a8e754aba9c6eaeddd18cb1e72462f99b16c Mon Sep 17 00:00:00 2001
+From: Adriana Reus <adriana.reus@nxp.com>
+Date: Mon, 2 Oct 2017 13:32:10 +0300
+Subject: [PATCH] clk: imx: imx7d: Fix parent clock for OCRAM_CLK
+
+commit edc5a8e754aba9c6eaeddd18cb1e72462f99b16c upstream.
+
+The parent of OCRAM_CLK should be axi_main_root_clk
+and not axi_post_div.
+
+before:
+
+ axi_src 1 1 332307692 0 0
+ axi_cg 1 1 332307692 0 0
+ axi_pre_div 1 1 332307692 0 0
+ axi_post_div 1 1 332307692 0 0
+ ocram_clk 0 0 332307692 0 0
+ main_axi_root_clk 1 1 332307692 0 0
+
+after:
+
+ axi_src 1 1 332307692 0 0
+ axi_cg 1 1 332307692 0 0
+ axi_pre_div 1 1 332307692 0 0
+ axi_post_div 1 1 332307692 0 0
+ main_axi_root_clk 1 1 332307692 0 0
+ ocram_clk 0 0 332307692 0 0
+
+Reference Doc: i.MX 7D Reference Manual - Chap 5, p 516
+(https://www.nxp.com/docs/en/reference-manual/IMX7DRM.pdf)
+
+Fixes: 8f6d8094b215 ("ARM: imx: add imx7d clk tree support")
+Signed-off-by: Adriana Reus <adriana.reus@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+
+diff --git a/drivers/clk/imx/clk-imx7d.c b/drivers/clk/imx/clk-imx7d.c
+index 2305699db467..0ac9b30c8b90 100644
+--- a/drivers/clk/imx/clk-imx7d.c
++++ b/drivers/clk/imx/clk-imx7d.c
+@@ -797,7 +797,7 @@ static void __init imx7d_clocks_init(struct device_node *ccm_node)
+ clks[IMX7D_MAIN_AXI_ROOT_CLK] = imx_clk_gate4("main_axi_root_clk", "axi_post_div", base + 0x4040, 0);
+ clks[IMX7D_DISP_AXI_ROOT_CLK] = imx_clk_gate4("disp_axi_root_clk", "disp_axi_post_div", base + 0x4050, 0);
+ clks[IMX7D_ENET_AXI_ROOT_CLK] = imx_clk_gate4("enet_axi_root_clk", "enet_axi_post_div", base + 0x4060, 0);
+- clks[IMX7D_OCRAM_CLK] = imx_clk_gate4("ocram_clk", "axi_post_div", base + 0x4110, 0);
++ clks[IMX7D_OCRAM_CLK] = imx_clk_gate4("ocram_clk", "main_axi_root_clk", base + 0x4110, 0);
+ clks[IMX7D_OCRAM_S_CLK] = imx_clk_gate4("ocram_s_clk", "ahb_root_clk", base + 0x4120, 0);
+ clks[IMX7D_DRAM_ROOT_CLK] = imx_clk_gate4("dram_root_clk", "dram_post_div", base + 0x4130, 0);
+ clks[IMX7D_DRAM_PHYM_ROOT_CLK] = imx_clk_gate4("dram_phym_root_clk", "dram_phym_cg", base + 0x4130, 0);
+--
+2.15.0
+
diff --git a/queue/clk-imx6-refine-hdmi_isfr-s-parent-to-make-HDMI-work.patch b/queue/clk-imx6-refine-hdmi_isfr-s-parent-to-make-HDMI-work.patch
new file mode 100644
index 0000000..97b3c01
--- /dev/null
+++ b/queue/clk-imx6-refine-hdmi_isfr-s-parent-to-make-HDMI-work.patch
@@ -0,0 +1,54 @@
+From c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+ <sebastien.szymanski@armadeus.com>
+Date: Tue, 1 Aug 2017 12:40:07 +0200
+Subject: [PATCH] clk: imx6: refine hdmi_isfr's parent to make HDMI work on
+ i.MX6 SoCs w/o VPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 upstream.
+
+On i.MX6 SoCs without VPU (in my case MCIMX6D4AVT10AC), the hdmi driver
+fails to probe:
+
+[ 2.540030] dwhdmi-imx 120000.hdmi: Unsupported HDMI controller
+(0000:00:00)
+[ 2.548199] imx-drm display-subsystem: failed to bind 120000.hdmi
+(ops dw_hdmi_imx_ops): -19
+[ 2.557403] imx-drm display-subsystem: master bind failed: -19
+
+That's because hdmi_isfr's parent, video_27m, is not correctly ungated.
+As explained in commit 5ccc248cc537 ("ARM: imx6q: clk: Add support for
+mipi_core_cfg clock as a shared clock gate"), video_27m is gated by
+CCM_CCGR3[CG8].
+
+On i.MX6 SoCs with VPU, the hdmi is working thanks to the
+CCM_CMEOR[mod_en_ov_vpu] bit which makes the video_27m ungated whatever
+is in CCM_CCGR3[CG8]. The issue can be reproduced by setting
+CCMEOR[mod_en_ov_vpu] to 0.
+
+Make the HDMI work in every case by setting hdmi_isfr's parent to
+mipi_core_cfg.
+
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+
+diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
+index c07df719b8a3..8d518ad5dc13 100644
+--- a/drivers/clk/imx/clk-imx6q.c
++++ b/drivers/clk/imx/clk-imx6q.c
+@@ -761,7 +761,7 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node)
+ clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24);
+ clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26);
+ clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0);
+- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4);
++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4);
+ clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6);
+ clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8);
+ clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10);
+--
+2.15.0
+
diff --git a/queue/clk-mediatek-add-the-option-for-determining-PLL-sour.patch b/queue/clk-mediatek-add-the-option-for-determining-PLL-sour.patch
new file mode 100644
index 0000000..db84266
--- /dev/null
+++ b/queue/clk-mediatek-add-the-option-for-determining-PLL-sour.patch
@@ -0,0 +1,48 @@
+From c955bf3998efa3355790a4d8c82874582f1bc727 Mon Sep 17 00:00:00 2001
+From: Chen Zhong <chen.zhong@mediatek.com>
+Date: Thu, 5 Oct 2017 11:50:23 +0800
+Subject: [PATCH] clk: mediatek: add the option for determining PLL source
+ clock
+
+commit c955bf3998efa3355790a4d8c82874582f1bc727 upstream.
+
+Since the previous setup always sets the PLL using crystal 26MHz, this
+doesn't always happen in every MediaTek platform. So the patch added
+flexibility for assigning extra member for determining the PLL source
+clock.
+
+Signed-off-by: Chen Zhong <chen.zhong@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+
+diff --git a/drivers/clk/mediatek/clk-mtk.h b/drivers/clk/mediatek/clk-mtk.h
+index f48df75cc901..f10250dcece4 100644
+--- a/drivers/clk/mediatek/clk-mtk.h
++++ b/drivers/clk/mediatek/clk-mtk.h
+@@ -218,6 +218,7 @@ struct mtk_pll_data {
+ uint32_t pcw_reg;
+ int pcw_shift;
+ const struct mtk_pll_div_table *div_table;
++ const char *parent_name;
+ };
+
+ void mtk_clk_register_plls(struct device_node *node,
+diff --git a/drivers/clk/mediatek/clk-pll.c b/drivers/clk/mediatek/clk-pll.c
+index 3c546bae6955..f54e4015b0b1 100644
+--- a/drivers/clk/mediatek/clk-pll.c
++++ b/drivers/clk/mediatek/clk-pll.c
+@@ -312,7 +312,10 @@ static struct clk *mtk_clk_register_pll(const struct mtk_pll_data *data,
+ init.name = data->name;
+ init.flags = (data->flags & PLL_AO) ? CLK_IS_CRITICAL : 0;
+ init.ops = &mtk_pll_ops;
+- init.parent_names = &parent_name;
++ if (data->parent_name)
++ init.parent_names = &data->parent_name;
++ else
++ init.parent_names = &parent_name;
+ init.num_parents = 1;
+
+ clk = clk_register(NULL, &pll->hw);
+--
+2.15.0
+
diff --git a/queue/clk-tegra-Fix-cclk_lp-divisor-register.patch b/queue/clk-tegra-Fix-cclk_lp-divisor-register.patch
new file mode 100644
index 0000000..ba469d2
--- /dev/null
+++ b/queue/clk-tegra-Fix-cclk_lp-divisor-register.patch
@@ -0,0 +1,34 @@
+From 54eff2264d3e9fd7e3987de1d7eba1d3581c631e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Tue, 19 Sep 2017 04:48:10 +0200
+Subject: [PATCH] clk: tegra: Fix cclk_lp divisor register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e upstream.
+
+According to comments in code and common sense, cclk_lp uses its
+own divisor, not cclk_g's.
+
+Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+
+diff --git a/drivers/clk/tegra/clk-tegra30.c b/drivers/clk/tegra/clk-tegra30.c
+index 40ffab0f94e1..bee84c554932 100644
+--- a/drivers/clk/tegra/clk-tegra30.c
++++ b/drivers/clk/tegra/clk-tegra30.c
+@@ -965,7 +965,7 @@ static void __init tegra30_super_clk_init(void)
+ * U71 divider of cclk_lp.
+ */
+ clk = tegra_clk_register_divider("pll_p_out3_cclklp", "pll_p_out3",
+- clk_base + SUPER_CCLKG_DIVIDER, 0,
++ clk_base + SUPER_CCLKLP_DIVIDER, 0,
+ TEGRA_DIVIDER_INT, 16, 8, 1, NULL);
+ clk_register_clkdev(clk, "pll_p_out3_cclklp", NULL);
+
+--
+2.15.0
+
diff --git a/queue/clk-tegra-Use-readl_relaxed_poll_timeout_atomic-in-t.patch b/queue/clk-tegra-Use-readl_relaxed_poll_timeout_atomic-in-t.patch
new file mode 100644
index 0000000..9de8e31
--- /dev/null
+++ b/queue/clk-tegra-Use-readl_relaxed_poll_timeout_atomic-in-t.patch
@@ -0,0 +1,45 @@
+From 22ef01a203d27fee8b7694020b7e722db7efd2a7 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Fri, 15 Sep 2017 12:10:13 -0700
+Subject: [PATCH] clk: tegra: Use readl_relaxed_poll_timeout_atomic() in
+ tegra210_clock_init()
+
+commit 22ef01a203d27fee8b7694020b7e722db7efd2a7 upstream.
+
+Below is the call trace of tegra210_init_pllu() function:
+ start_kernel()
+ -> time_init()
+ --> of_clk_init()
+ ---> tegra210_clock_init()
+ ----> tegra210_pll_init()
+ -----> tegra210_init_pllu()
+
+Because the preemption is disabled in the start_kernel before calling
+time_init, tegra210_init_pllu is actually in an atomic context while
+it includes a readl_relaxed_poll_timeout that might sleep.
+
+So this patch just changes this readl_relaxed_poll_timeout() to its
+atomic version.
+
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index be7b736371f6..9e6260869eb9 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -2568,8 +2568,8 @@ static int tegra210_enable_pllu(void)
+ reg |= PLL_ENABLE;
+ writel(reg, clk_base + PLLU_BASE);
+
+- readl_relaxed_poll_timeout(clk_base + PLLU_BASE, reg,
+- reg & PLL_BASE_LOCK, 2, 1000);
++ readl_relaxed_poll_timeout_atomic(clk_base + PLLU_BASE, reg,
++ reg & PLL_BASE_LOCK, 2, 1000);
+ if (!(reg & PLL_BASE_LOCK)) {
+ pr_err("Timed out waiting for PLL_U to lock\n");
+ return -ETIMEDOUT;
+--
+2.15.0
+
diff --git a/queue/crypto-af_alg-fix-NULL-pointer-dereference-in.patch b/queue/crypto-af_alg-fix-NULL-pointer-dereference-in.patch
new file mode 100644
index 0000000..e9589db
--- /dev/null
+++ b/queue/crypto-af_alg-fix-NULL-pointer-dereference-in.patch
@@ -0,0 +1,54 @@
+From 887207ed9e5812ed9239b6d07185a2d35dda91db Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 28 Nov 2017 00:46:24 -0800
+Subject: [PATCH] crypto: af_alg - fix NULL pointer dereference in
+
+commit 887207ed9e5812ed9239b6d07185a2d35dda91db upstream.
+
+ af_alg_free_areq_sgls()
+
+If allocating the ->tsgl member of 'struct af_alg_async_req' failed,
+during cleanup we dereferenced the NULL ->tsgl pointer in
+af_alg_free_areq_sgls(), because ->tsgl_entries was nonzero.
+
+Fix it by only freeing the ->tsgl list if it is non-NULL.
+
+This affected both algif_skcipher and algif_aead.
+
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 85cea9de324a..1e5353f62067 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -672,14 +672,15 @@ void af_alg_free_areq_sgls(struct af_alg_async_req *areq)
+ }
+
+ tsgl = areq->tsgl;
+- for_each_sg(tsgl, sg, areq->tsgl_entries, i) {
+- if (!sg_page(sg))
+- continue;
+- put_page(sg_page(sg));
+- }
++ if (tsgl) {
++ for_each_sg(tsgl, sg, areq->tsgl_entries, i) {
++ if (!sg_page(sg))
++ continue;
++ put_page(sg_page(sg));
++ }
+
+- if (areq->tsgl && areq->tsgl_entries)
+ sock_kfree_s(sk, tsgl, areq->tsgl_entries * sizeof(*tsgl));
++ }
+ }
+ EXPORT_SYMBOL_GPL(af_alg_free_areq_sgls);
+
+--
+2.15.0
+
diff --git a/queue/crypto-algif_aead-fix-reference-counting-of-null-skc.patch b/queue/crypto-algif_aead-fix-reference-counting-of-null-skc.patch
new file mode 100644
index 0000000..e975302
--- /dev/null
+++ b/queue/crypto-algif_aead-fix-reference-counting-of-null-skc.patch
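Review bot: The af_alg patch header carries `Cc: <stable@vger.kernel.org> # v4.14+` and two `Fixes:` tags for the algif_skcipher/algif_aead memory-management overhaul, which suggests af_alg_free_areq_sgls() may not exist in the 4.12 base this queue is named for; the algif_aead patch that follows carries the same `# v4.14+` tag. Both should be checked against the target tree before they stay in the queue, and dropped if the code they fix is absent. In the code itself, `sock_kfree_s()` is now reached whenever `tsgl` is non-NULL, where the removed line also required `areq->tsgl_entries` to be non-zero; if that is intended, a comment such as `/* tsgl_entries is non-zero whenever tsgl was allocated */` would record the assumption, which cannot be confirmed from this hunk.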
@@ -0,0 +1,45 @@
+From b32a7dc8aef1882fbf983eb354837488cc9d54dc Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 27 Nov 2017 23:23:05 -0800
+Subject: [PATCH] crypto: algif_aead - fix reference counting of null skcipher
+
+commit b32a7dc8aef1882fbf983eb354837488cc9d54dc upstream.
+
+In the AEAD interface for AF_ALG, the reference to the "null skcipher"
+held by each tfm was being dropped in the wrong place -- when each
+af_alg_ctx was freed instead of when the aead_tfm was freed. As
+discovered by syzkaller, a specially crafted program could use this to
+cause the null skcipher to be freed while it is still in use.
+
+Fix it by dropping the reference in the right place.
+
+Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
+index aacae0837aff..9d73be28cf01 100644
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -487,6 +487,7 @@ static void aead_release(void *private)
+ struct aead_tfm *tfm = private;
+
+ crypto_free_aead(tfm->aead);
++ crypto_put_default_null_skcipher2();
+ kfree(tfm);
+ }
+
+@@ -519,7 +520,6 @@ static void aead_sock_destruct(struct sock *sk)
+ unsigned int ivlen = crypto_aead_ivsize(tfm);
+
+ af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
+- crypto_put_default_null_skcipher2();
+ sock_kzfree_s(sk, ctx->iv, ivlen);
+ sock_kfree_s(sk, ctx, ctx->len);
+ af_alg_release_parent(sk);
+--
+2.15.0
+
diff --git a/queue/crypto-hmac-require-that-the-underlying-hash-algorit.patch b/queue/crypto-hmac-require-that-the-underlying-hash-algorit.patch
new file mode 100644
index 0000000..1238fcf
--- /dev/null
+++ b/queue/crypto-hmac-require-that-the-underlying-hash-algorit.patch
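Review bot: The `crypto_put_default_null_skcipher2()` call added to aead_release() has no visible counterpart in this hunk, so the pairing the fix depends on is left implicit. A one-line comment such as `/* drops the null skcipher reference held by this tfm */` would record that the reference belongs to the `aead_tfm` and not to each socket context, which is the mistake the commit message describes. Where the reference is taken, and whether the failure paths after that point release it, lies outside the hunk and should be checked against the same rule.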
@@ -0,0 +1,148 @@
+From af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 28 Nov 2017 18:01:38 -0800
+Subject: [PATCH] crypto: hmac - require that the underlying hash algorithm is
+ unkeyed
+
+commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.
+
+Because the HMAC template didn't check that its underlying hash
+algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
+through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
+being used without having been keyed, resulting in sha3_update() being
+called without sha3_init(), causing a stack buffer overflow.
+
+This is a very old bug, but it seems to have only started causing real
+problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
+because the innermost hash's state is ->import()ed from a zeroed buffer,
+and it just so happens that other hash algorithms are fine with that,
+but SHA-3 is not. However, there could be arch or hardware-dependent
+hash algorithms also affected; I couldn't test everything.
+
+Fix the bug by introducing a function crypto_shash_alg_has_setkey()
+which tests whether a shash algorithm is keyed. Then update the HMAC
+template to require that its underlying hash algorithm is unkeyed.
+
+Here is a reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+
+ int main()
+ {
+ int algfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "hash",
+ .salg_name = "hmac(hmac(sha3-512-generic))",
+ };
+ char key[4096] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ }
+
+Here was the KASAN report from syzbot:
+
+ BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
+ BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
+
+ CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x25b/0x340 mm/kasan/report.c:409
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ memcpy include/linux/string.h:341 [inline]
+ sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ crypto_shash_update+0xcb/0x220 crypto/shash.c:109
+ shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ hmac_finup+0x182/0x330 crypto/hmac.c:152
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
+ crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
+ hmac_setkey+0x36a/0x690 crypto/hmac.c:66
+ crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
+ shash_async_setkey+0x47/0x60 crypto/shash.c:207
+ crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
+ hash_setkey+0x40/0x90 crypto/algif_hash.c:446
+ alg_setkey crypto/af_alg.c:221 [inline]
+ alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
+ SYSC_setsockopt net/socket.c:1851 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1830
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index 92871dc2a63e..e74730224f0a 100644
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -195,11 +195,15 @@ static int hmac_create(struct crypto_template *tmpl, struct rtattr **tb)
+ salg = shash_attr_alg(tb[1], 0, 0);
+ if (IS_ERR(salg))
+ return PTR_ERR(salg);
++ alg = &salg->base;
+
++ /* The underlying hash algorithm must be unkeyed */
+ err = -EINVAL;
++ if (crypto_shash_alg_has_setkey(salg))
++ goto out_put_alg;
++
+ ds = salg->digestsize;
+ ss = salg->statesize;
+- alg = &salg->base;
+ if (ds > alg->cra_blocksize ||
+ ss < alg->cra_blocksize)
+ goto out_put_alg;
+diff --git a/crypto/shash.c b/crypto/shash.c
+index 325a14da5827..e849d3ee2e27 100644
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -25,11 +25,12 @@
+
+ static const struct crypto_type crypto_shash_type;
+
+-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen)
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen)
+ {
+ return -ENOSYS;
+ }
++EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index f0b44c16e88f..c2bae8da642c 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -82,6 +82,14 @@ int ahash_register_instance(struct crypto_template *tmpl,
+ struct ahash_instance *inst);
+ void ahash_free_instance(struct crypto_instance *inst);
+
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen);
++
++static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
++{
++ return alg->setkey != shash_no_setkey;
++}
++
+ int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
+ struct hash_alg_common *alg,
+ struct crypto_instance *inst);
+--
+2.15.0
+
diff --git a/queue/crypto-rsa-fix-buffer-overread-when-stripping-leadin.patch b/queue/crypto-rsa-fix-buffer-overread-when-stripping-leadin.patch
new file mode 100644
index 0000000..52d43dd
--- /dev/null
+++ b/queue/crypto-rsa-fix-buffer-overread-when-stripping-leadin.patch
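Review bot: `crypto_shash_alg_has_setkey()` in include/crypto/internal/hash.h is added without a comment, and its result rests on a convention the hunks do not show: that an algorithm with no key has `setkey` equal to `shash_no_setkey`. I would put a short comment above it, `/* true if the algorithm has its own ->setkey(), i.e. it is keyed */`, and take the argument as `const struct shash_alg *alg` since it is only read. Where `setkey` is defaulted to `shash_no_setkey` is outside these hunks, so that assumption should be confirmed at the registration code. Other templates that wrap a shash and assume it is unkeyed are not touched by this patch and may deserve the same check.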
@@ -0,0 +1,76 @@
+From d2890c3778b164fde587bc16583f3a1c87233ec5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 26 Nov 2017 23:16:49 -0800
+Subject: [PATCH] crypto: rsa - fix buffer overread when stripping leading
+ zeroes
+
+commit d2890c3778b164fde587bc16583f3a1c87233ec5 upstream.
+
+In rsa_get_n(), if the buffer contained all 0's and "FIPS mode" is
+enabled, we would read one byte past the end of the buffer while
+scanning the leading zeroes. Fix it by checking 'n_sz' before '!*ptr'.
+
+This bug was reachable by adding a specially crafted key of type
+"asymmetric" (requires CONFIG_RSA and CONFIG_X509_CERTIFICATE_PARSER).
+
+KASAN report:
+
+ BUG: KASAN: slab-out-of-bounds in rsa_get_n+0x19e/0x1d0 crypto/rsa_helper.c:33
+ Read of size 1 at addr ffff88003501a708 by task keyctl/196
+
+ CPU: 1 PID: 196 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ Call Trace:
+ rsa_get_n+0x19e/0x1d0 crypto/rsa_helper.c:33
+ asn1_ber_decoder+0x82a/0x1fd0 lib/asn1_decoder.c:328
+ rsa_set_pub_key+0xd3/0x320 crypto/rsa.c:278
+ crypto_akcipher_set_pub_key ./include/crypto/akcipher.h:364 [inline]
+ pkcs1pad_set_pub_key+0xae/0x200 crypto/rsa-pkcs1pad.c:117
+ crypto_akcipher_set_pub_key ./include/crypto/akcipher.h:364 [inline]
+ public_key_verify_signature+0x270/0x9d0 crypto/asymmetric_keys/public_key.c:106
+ x509_check_for_self_signed+0x2ea/0x480 crypto/asymmetric_keys/x509_public_key.c:141
+ x509_cert_parse+0x46a/0x620 crypto/asymmetric_keys/x509_cert_parser.c:129
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+ Allocated by task 196:
+ __do_kmalloc mm/slab.c:3711 [inline]
+ __kmalloc_track_caller+0x118/0x2e0 mm/slab.c:3726
+ kmemdup+0x17/0x40 mm/util.c:118
+ kmemdup ./include/linux/string.h:414 [inline]
+ x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 5a7de97309f5 ("crypto: rsa - return raw integers for the ASN.1 parser")
+Cc: <stable@vger.kernel.org> # v4.8+
+Cc: Tudor Ambarus <tudor-dan.ambarus@nxp.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/rsa_helper.c b/crypto/rsa_helper.c
+index 0b66dc824606..cad395d70d78 100644
+--- a/crypto/rsa_helper.c
++++ b/crypto/rsa_helper.c
+@@ -30,7 +30,7 @@ int rsa_get_n(void *context, size_t hdrlen, unsigned char tag,
+ return -EINVAL;
+
+ if (fips_enabled) {
+- while (!*ptr && n_sz) {
++ while (n_sz && !*ptr) {
+ ptr++;
+ n_sz--;
+ }
+--
+2.15.0
+
diff --git a/queue/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/queue/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
new file mode 100644
index 0000000..80a9c85
--- /dev/null
+++ b/queue/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
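Review bot: The corrected condition `while (n_sz && !*ptr)` in rsa_get_n() is only safe because of operand order, and nothing in the code marks that. I would add `/* test n_sz first: *ptr must not be read once the buffer is exhausted */` above the loop so a later tidy-up does not swap the operands back. The hunk ends inside the `if (fips_enabled)` block, so how an all-zero modulus (`n_sz == 0` after the loop) is rejected is not visible here and should be confirmed.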
@@ -0,0 +1,88 @@
+From ecaaab5649781c5a0effdaf298a925063020500e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 28 Nov 2017 20:56:59 -0800
+Subject: [PATCH] crypto: salsa20 - fix blkcipher_walk API usage
+
+commit ecaaab5649781c5a0effdaf298a925063020500e upstream.
+
+When asked to encrypt or decrypt 0 bytes, both the generic and x86
+implementations of Salsa20 crash in blkcipher_walk_done(), either when
+doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
+because walk->buffer and walk->page have not been initialized.
+
+The bug is that Salsa20 is calling blkcipher_walk_done() even when
+nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
+be called when a nonzero number of bytes have been provided.
+
+The broken code is part of an optimization that tries to make only one
+call to salsa20_encrypt_bytes() to process inputs that are not evenly
+divisible by 64 bytes. To fix the bug, just remove this "optimization"
+and use the blkcipher_walk API the same way all the other users do.
+
+Reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int algfd, reqfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "skcipher",
+ .salg_name = "salsa20",
+ };
+ char key[16] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (void *)&addr, sizeof(addr));
+ reqfd = accept(algfd, 0, 0);
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ read(reqfd, key, sizeof(key));
+ }
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
+Cc: <stable@vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
+index 399a29d067d6..cb91a64a99e7 100644
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+- walk.dst.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+ walk.dst.virt.addr,
+diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
+index f550b5d94630..d7da0eea5622 100644
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+- walk.src.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+ walk.src.virt.addr,
+--
+2.15.0
+
diff --git a/queue/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch b/queue/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch
new file mode 100644
index 0000000..0977053
--- /dev/null
+++ b/queue/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch
@@ -0,0 +1,42 @@
+From 7aacbfcb331ceff3ac43096d563a1f93ed46e35e Mon Sep 17 00:00:00 2001
+From: Robert Baronescu <robert.baronescu@nxp.com>
+Date: Tue, 10 Oct 2017 13:22:00 +0300
+Subject: [PATCH] crypto: tcrypt - fix buffer lengths in test_aead_speed()
+
+commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e upstream.
+
+Fix the way the length of the buffers used for
+encryption / decryption are computed.
+For e.g. in case of encryption, input buffer does not contain
+an authentication tag.
+
+Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
+index 28bffa6f0292..65d191b27ecc 100644
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -340,7 +340,7 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs,
+ }
+
+ sg_init_aead(sg, xbuf,
+- *b_size + (enc ? authsize : 0));
++ *b_size + (enc ? 0 : authsize));
+
+ sg_init_aead(sgout, xoutbuf,
+ *b_size + (enc ? authsize : 0));
+@@ -348,7 +348,9 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs,
+ sg_set_buf(&sg[0], assoc, aad_size);
+ sg_set_buf(&sgout[0], assoc, aad_size);
+
+- aead_request_set_crypt(req, sg, sgout, *b_size, iv);
++ aead_request_set_crypt(req, sg, sgout,
++ *b_size + (enc ? 0 : authsize),
++ iv);
+ aead_request_set_ad(req, aad_size);
+
+ if (secs)
+--
+2.15.0
+
diff --git a/queue/dev-dax-fix-uninitialized-variable-build-warning.patch b/queue/dev-dax-fix-uninitialized-variable-build-warning.patch
new file mode 100644
index 0000000..e904891
--- /dev/null
+++ b/queue/dev-dax-fix-uninitialized-variable-build-warning.patch
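Review bot: The input length `*b_size + (enc ? 0 : authsize)` is now written twice in test_aead_speed(), once for `sg_init_aead(sg, xbuf, ...)` and once for `aead_request_set_crypt()`, and the two must stay equal. I would compute it once, `unsigned int in_len = *b_size + (enc ? 0 : authsize);`, and pass `in_len` to both calls. On the decrypt path the input is now `authsize` bytes longer than before; whether `xbuf` and the size check earlier in the function allow for that is outside the hunk and should be confirmed.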
@@ -0,0 +1,37 @@
+From 0a3ff78699d1817e711441715d22665475466036 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Wed, 18 Oct 2017 12:21:55 -0600
+Subject: [PATCH] dev/dax: fix uninitialized variable build warning
+
+commit 0a3ff78699d1817e711441715d22665475466036 upstream.
+
+Fix this build warning:
+
+warning: 'phys' may be used uninitialized in this function
+[-Wuninitialized]
+
+As reported here:
+
+https://lkml.org/lkml/2017/10/16/152
+http://kisskb.ellerman.id.au/kisskb/buildresult/13181373/log/
+
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+
+diff --git a/drivers/dax/device.c b/drivers/dax/device.c
+index e9f3b3e4bbf4..6833ada237ab 100644
+--- a/drivers/dax/device.c
++++ b/drivers/dax/device.c
+@@ -222,7 +222,8 @@ __weak phys_addr_t dax_pgoff_to_phys(struct dev_dax *dev_dax, pgoff_t pgoff,
+ unsigned long size)
+ {
+ struct resource *res;
+- phys_addr_t phys;
++ /* gcc-4.6.3-nolibc for i386 complains that this is uninitialized */
++ phys_addr_t uninitialized_var(phys);
+ int i;
+
+ for (i = 0; i < dev_dax->num_resources; i++) {
+--
+2.15.0
+
diff --git a/queue/dm-fix-various-targets-to-dm_register_target-after-m.patch b/queue/dm-fix-various-targets-to-dm_register_target-after-m.patch
new file mode 100644
index 0000000..78bdacf
--- /dev/null
+++ b/queue/dm-fix-various-targets-to-dm_register_target-after-m.patch
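Review bot: `uninitialized_var(phys)` in dax_pgoff_to_phys() silences the warning without giving `phys` a defined value, so a later change that really reads it before the loop assigns it would compile without complaint. An explicit initializer is just as quiet and keeps the compiler's check useful, for example `phys_addr_t phys = 0;`, with the comment reworded to say the value is never used unless the loop ran. The loop body and the return path are outside the hunk, so confirm that no path depends on the initial value.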
@@ -0,0 +1,253 @@
+From 7e6358d244e4706fe612a77b9c36519a33600ac0 Mon Sep 17 00:00:00 2001
+From: "monty_pavel@sina.com" <monty_pavel@sina.com>
+Date: Sat, 25 Nov 2017 01:43:50 +0800
+Subject: [PATCH] dm: fix various targets to dm_register_target after module
+ __init resources created
+
+commit 7e6358d244e4706fe612a77b9c36519a33600ac0 upstream.
+
+A NULL pointer is seen if two concurrent "vgchange -ay -K <vg name>"
+processes race to load the dm-thin-pool module:
+
+ PID: 25992 TASK: ffff883cd7d23500 CPU: 4 COMMAND: "vgchange"
+ #0 [ffff883cd743d600] machine_kexec at ffffffff81038fa9
+ 0000001 [ffff883cd743d660] crash_kexec at ffffffff810c5992
+ 0000002 [ffff883cd743d730] oops_end at ffffffff81515c90
+ 0000003 [ffff883cd743d760] no_context at ffffffff81049f1b
+ 0000004 [ffff883cd743d7b0] __bad_area_nosemaphore at ffffffff8104a1a5
+ 0000005 [ffff883cd743d800] bad_area at ffffffff8104a2ce
+ 0000006 [ffff883cd743d830] __do_page_fault at ffffffff8104aa6f
+ 0000007 [ffff883cd743d950] do_page_fault at ffffffff81517bae
+ 0000008 [ffff883cd743d980] page_fault at ffffffff81514f95
+ [exception RIP: kmem_cache_alloc+108]
+ RIP: ffffffff8116ef3c RSP: ffff883cd743da38 RFLAGS: 00010046
+ RAX: 0000000000000004 RBX: ffffffff81121b90 RCX: ffff881bf1e78cc0
+ RDX: 0000000000000000 RSI: 00000000000000d0 RDI: 0000000000000000
+ RBP: ffff883cd743da68 R8: ffff881bf1a4eb00 R9: 0000000080042000
+ R10: 0000000000002000 R11: 0000000000000000 R12: 00000000000000d0
+ R13: 0000000000000000 R14: 00000000000000d0 R15: 0000000000000246
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ 0000009 [ffff883cd743da70] mempool_alloc_slab at ffffffff81121ba5
+ 0000010 [ffff883cd743da80] mempool_create_node at ffffffff81122083
+ 0000011 [ffff883cd743dad0] mempool_create at ffffffff811220f4
+ 0000012 [ffff883cd743dae0] pool_ctr at ffffffffa08de049 [dm_thin_pool]
+ 0000013 [ffff883cd743dbd0] dm_table_add_target at ffffffffa0005f2f [dm_mod]
+ 0000014 [ffff883cd743dc30] table_load at ffffffffa0008ba9 [dm_mod]
+ 0000015 [ffff883cd743dc90] ctl_ioctl at ffffffffa0009dc4 [dm_mod]
+
+The race results in a NULL pointer because:
+
+Process A (vgchange -ay -K):
+ a. send DM_LIST_VERSIONS_CMD ioctl;
+ b. pool_target not registered;
+ c. modprobe dm_thin_pool and wait until end.
+
+Process B (vgchange -ay -K):
+ a. send DM_LIST_VERSIONS_CMD ioctl;
+ b. pool_target registered;
+ c. table_load->dm_table_add_target->pool_ctr;
+ d. _new_mapping_cache is NULL and panic.
+Note:
+ 1. process A and process B are two concurrent processes.
+ 2. pool_target can be detected by process B but
+ _new_mapping_cache initialization has not ended.
+
+To fix dm-thin-pool, and other targets (cache, multipath, and snapshot)
+with the same problem, simply dm_register_target() after all resources
+created during module init (as labelled with __init) are finished.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: monty <monty_pavel@sina.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+
+diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
+index cf23a14f9c6a..47407e43b96a 100644
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -3472,18 +3472,18 @@ static int __init dm_cache_init(void)
+ {
+ int r;
+
+- r = dm_register_target(&cache_target);
+- if (r) {
+- DMERR("cache target registration failed: %d", r);
+- return r;
+- }
+-
+ migration_cache = KMEM_CACHE(dm_cache_migration, 0);
+ if (!migration_cache) {
+ dm_unregister_target(&cache_target);
+ return -ENOMEM;
+ }
+
++ r = dm_register_target(&cache_target);
++ if (r) {
++ DMERR("cache target registration failed: %d", r);
++ return r;
++ }
++
+ return 0;
+ }
+
+diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
+index c8faa2b85842..35a2a2fa477f 100644
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1957,13 +1957,6 @@ static int __init dm_multipath_init(void)
+ {
+ int r;
+
+- r = dm_register_target(&multipath_target);
+- if (r < 0) {
+- DMERR("request-based register failed %d", r);
+- r = -EINVAL;
+- goto bad_register_target;
+- }
+-
+ kmultipathd = alloc_workqueue("kmpathd", WQ_MEM_RECLAIM, 0);
+ if (!kmultipathd) {
+ DMERR("failed to create workqueue kmpathd");
+@@ -1985,13 +1978,20 @@ static int __init dm_multipath_init(void)
+ goto bad_alloc_kmpath_handlerd;
+ }
+
++ r = dm_register_target(&multipath_target);
++ if (r < 0) {
++ DMERR("request-based register failed %d", r);
++ r = -EINVAL;
++ goto bad_register_target;
++ }
++
+ return 0;
+
++bad_register_target:
++ destroy_workqueue(kmpath_handlerd);
+ bad_alloc_kmpath_handlerd:
+ destroy_workqueue(kmultipathd);
+ bad_alloc_kmultipathd:
+- dm_unregister_target(&multipath_target);
+-bad_register_target:
+ return r;
+ }
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index 1113b42e1eda..a0613bd8ed00 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -2411,24 +2411,6 @@ static int __init dm_snapshot_init(void)
+ return r;
+ }
+
+- r = dm_register_target(&snapshot_target);
+- if (r < 0) {
+- DMERR("snapshot target register failed %d", r);
+- goto bad_register_snapshot_target;
+- }
+-
+- r = dm_register_target(&origin_target);
+- if (r < 0) {
+- DMERR("Origin target register failed %d", r);
+- goto bad_register_origin_target;
+- }
+-
+- r = dm_register_target(&merge_target);
+- if (r < 0) {
+- DMERR("Merge target register failed %d", r);
+- goto bad_register_merge_target;
+- }
+-
+ r = init_origin_hash();
+ if (r) {
+ DMERR("init_origin_hash failed.");
+@@ -2449,19 +2431,37 @@ static int __init dm_snapshot_init(void)
+ goto bad_pending_cache;
+ }
+
++ r = dm_register_target(&snapshot_target);
++ if (r < 0) {
++ DMERR("snapshot target register failed %d", r);
++ goto bad_register_snapshot_target;
++ }
++
++ r = dm_register_target(&origin_target);
++ if (r < 0) {
++ DMERR("Origin target register failed %d", r);
++ goto bad_register_origin_target;
++ }
++
++ r = dm_register_target(&merge_target);
++ if (r < 0) {
++ DMERR("Merge target register failed %d", r);
++ goto bad_register_merge_target;
++ }
++
+ return 0;
+
+-bad_pending_cache:
+- kmem_cache_destroy(exception_cache);
+-bad_exception_cache:
+- exit_origin_hash();
+-bad_origin_hash:
+- dm_unregister_target(&merge_target);
+ bad_register_merge_target:
+ dm_unregister_target(&origin_target);
+ bad_register_origin_target:
+ dm_unregister_target(&snapshot_target);
+ bad_register_snapshot_target:
++ kmem_cache_destroy(pending_cache);
++bad_pending_cache:
++ kmem_cache_destroy(exception_cache);
++bad_exception_cache:
++ exit_origin_hash();
++bad_origin_hash:
+ dm_exception_store_exit();
+
+ return r;
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index 89e5dff9b4cf..f91d771fff4b 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -4355,30 +4355,28 @@ static struct target_type thin_target = {
+
+ static int __init dm_thin_init(void)
+ {
+- int r;
++ int r = -ENOMEM;
+
+ pool_table_init();
+
++ _new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);
++ if (!_new_mapping_cache)
++ return r;
++
+ r = dm_register_target(&thin_target);
+ if (r)
+- return r;
++ goto bad_new_mapping_cache;
+
+ r = dm_register_target(&pool_target);
+ if (r)
+- goto bad_pool_target;
+-
+- r = -ENOMEM;
+-
+- _new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);
+- if (!_new_mapping_cache)
+- goto bad_new_mapping_cache;
++ goto bad_thin_target;
+
+ return 0;
+
+-bad_new_mapping_cache:
+- dm_unregister_target(&pool_target);
+-bad_pool_target:
++bad_thin_target:
+ dm_unregister_target(&thin_target);
++bad_new_mapping_cache:
++ kmem_cache_destroy(_new_mapping_cache);
+
+ return r;
+ }
+--
+2.15.0
+
diff --git a/queue/dmaengine-dmatest-move-callback-wait-queue-to-thread.patch b/queue/dmaengine-dmatest-move-callback-wait-queue-to-thread.patch
new file mode 100644
index 0000000..8f16c10
--- /dev/null
+++ b/queue/dmaengine-dmatest-move-callback-wait-queue-to-thread.patch
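Review bot: In dm_cache_init() the error paths no longer match what has been set up after the reordering. The `!migration_cache` branch still calls `dm_unregister_target(&cache_target)` although registration now happens afterwards, and the new `if (r)` branch after `dm_register_target()` returns without freeing `migration_cache`. Drop the unregister call so the first branch is just `return -ENOMEM;`, and add `kmem_cache_destroy(migration_cache);` before `return r;` in the second. The dm-mpath, dm-snap and dm-thin sections of the same patch unwind in the reverse order of setup, so only the dm-cache section needs this.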
@@ -0,0 +1,159 @@
+From 6f6a23a213be51728502b88741ba6a10cda2441d Mon Sep 17 00:00:00 2001
+From: Adam Wallis <awallis@codeaurora.org>
+Date: Mon, 27 Nov 2017 10:45:01 -0500
+Subject: [PATCH] dmaengine: dmatest: move callback wait queue to thread
+ context
+
+commit 6f6a23a213be51728502b88741ba6a10cda2441d upstream.
+
+Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
+introduced a bug (that is in fact documented by the patch commit text)
+that leaves behind a dangling pointer. Since the done_wait structure is
+allocated on the stack, future invocations to the DMATEST can produce
+undesirable results (e.g., corrupted spinlocks).
+
+Commit a9df21e34b42 ("dmaengine: dmatest: warn user when dma test times
+out") attempted to WARN the user that the stack was likely corrupted but
+did not fix the actual issue.
+
+This patch fixes the issue by pushing the wait queue and callback
+structs into the the thread structure. If a failure occurs due to time,
+dmaengine_terminate_all will force the callback to safely call
+wake_up_all() without possibility of using a freed pointer.
+
+Cc: stable@vger.kernel.org
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
+Fixes: adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
+Reviewed-by: Sinan Kaya <okaya@codeaurora.org>
+Suggested-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
+Signed-off-by: Adam Wallis <awallis@codeaurora.org>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index 47edc7fbf91f..ec5f9d2bc820 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -155,6 +155,12 @@ MODULE_PARM_DESC(run, "Run the test (default: false)");
+ #define PATTERN_COUNT_MASK 0x1f
+ #define PATTERN_MEMSET_IDX 0x01
+
++/* poor man's completion - we want to use wait_event_freezable() on it */
++struct dmatest_done {
++ bool done;
++ wait_queue_head_t *wait;
++};
++
+ struct dmatest_thread {
+ struct list_head node;
+ struct dmatest_info *info;
+@@ -165,6 +171,8 @@ struct dmatest_thread {
+ u8 **dsts;
+ u8 **udsts;
+ enum dma_transaction_type type;
++ wait_queue_head_t done_wait;
++ struct dmatest_done test_done;
+ bool done;
+ };
+
+@@ -342,18 +350,25 @@ static unsigned int dmatest_verify(u8 **bufs, unsigned int start,
+ return error_count;
+ }
+
+-/* poor man's completion - we want to use wait_event_freezable() on it */
+-struct dmatest_done {
+- bool done;
+- wait_queue_head_t *wait;
+-};
+
+ static void dmatest_callback(void *arg)
+ {
+ struct dmatest_done *done = arg;
+-
+- done->done = true;
+- wake_up_all(done->wait);
++ struct dmatest_thread *thread =
++ container_of(arg, struct dmatest_thread, done_wait);
++ if (!thread->done) {
++ done->done = true;
++ wake_up_all(done->wait);
++ } else {
++ /*
++ * If thread->done, it means that this callback occurred
++ * after the parent thread has cleaned up. This can
++ * happen in the case that driver doesn't implement
++ * the terminate_all() functionality and a dma operation
++ * did not occur within the timeout period
++ */
++ WARN(1, "dmatest: Kernel memory may be corrupted!!\n");
++ }
+ }
+
+ static unsigned int min_odd(unsigned int x, unsigned int y)
+@@ -424,9 +439,8 @@ static unsigned long long dmatest_KBs(s64 runtime, unsigned long long len)
+ */
+ static int dmatest_func(void *data)
+ {
+- DECLARE_WAIT_QUEUE_HEAD_ONSTACK(done_wait);
+ struct dmatest_thread *thread = data;
+- struct dmatest_done done = { .wait = &done_wait };
++ struct dmatest_done *done = &thread->test_done;
+ struct dmatest_info *info;
+ struct dmatest_params *params;
+ struct dma_chan *chan;
+@@ -673,9 +687,9 @@ static int dmatest_func(void *data)
+ continue;
+ }
+
+- done.done = false;
++ done->done = false;
+ tx->callback = dmatest_callback;
+- tx->callback_param = &done;
++ tx->callback_param = done;
+ cookie = tx->tx_submit(tx);
+
+ if (dma_submit_error(cookie)) {
+@@ -688,21 +702,12 @@ static int dmatest_func(void *data)
+ }
+ dma_async_issue_pending(chan);
+
+- wait_event_freezable_timeout(done_wait, done.done,
++ wait_event_freezable_timeout(thread->done_wait, done->done,
+ msecs_to_jiffies(params->timeout));
+
+ status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);
+
+- if (!done.done) {
+- /*
+- * We're leaving the timed out dma operation with
+- * dangling pointer to done_wait. To make this
+- * correct, we'll need to allocate wait_done for
+- * each test iteration and perform "who's gonna
+- * free it this time?" dancing. For now, just
+- * leave it dangling.
+- */
+- WARN(1, "dmatest: Kernel stack may be corrupted!!\n");
++ if (!done->done) {
+ dmaengine_unmap_put(um);
+ result("test timed out", total_tests, src_off, dst_off,
+ len, 0);
+@@ -789,7 +794,7 @@ static int dmatest_func(void *data)
+ dmatest_KBs(runtime, total_len), ret);
+
+ /* terminate all transfers on specified channels */
+- if (ret)
++ if (ret || failed_tests)
+ dmaengine_terminate_all(chan);
+
+ thread->done = true;
+@@ -849,6 +854,8 @@ static int dmatest_add_threads(struct dmatest_info *info,
+ thread->info = info;
+ thread->chan = dtc->chan;
+ thread->type = type;
++ thread->test_done.wait = &thread->done_wait;
++ init_waitqueue_head(&thread->done_wait);
+ smp_wmb();
+ thread->task = kthread_create(dmatest_func, thread, "%s-%s%u",
+ dma_chan_name(chan), op, i);
+--
+2.15.0
+
diff --git a/queue/dmaengine-ti-dma-crossbar-Correct-am335x-am43xx-mux-.patch b/queue/dmaengine-ti-dma-crossbar-Correct-am335x-am43xx-mux-.patch
new file mode 100644
index 0000000..030c0dd
--- /dev/null
+++ b/queue/dmaengine-ti-dma-crossbar-Correct-am335x-am43xx-mux-.patch
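Review bot: In dmatest_callback() the new `container_of(arg, struct dmatest_thread, done_wait)` names the wrong member. `arg` is the `struct dmatest_done *` stored in `tx->callback_param`, which dmatest_func() sets to `&thread->test_done`, so the computed `thread` pointer is off by the distance between `done_wait` and `test_done`, and `thread->done` is then read from the wrong address. It should be `container_of(done, struct dmatest_thread, test_done);`. Separately, `thread->done` is read in the callback and written in dmatest_func() with no ordering visible in these hunks, so the late-callback check looks best-effort.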
@@ -0,0 +1,51 @@
+From 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 8 Nov 2017 12:02:25 +0200
+Subject: [PATCH] dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value
+ type
+
+commit 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 upstream.
+
+The used 0x1f mask is only valid for am335x family of SoC, different family
+using this type of crossbar might have different number of electable
+events. In case of am43xx family 0x3f mask should have been used for
+example.
+Instead of trying to handle each family's mask, just use u8 type to store
+the mux value since the event offsets are aligned to byte offset.
+
+Fixes: 42dbdcc6bf965 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c
+index 2f65a8fde21d..10ef9d5d5a66 100644
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -49,12 +49,12 @@ struct ti_am335x_xbar_data {
+
+ struct ti_am335x_xbar_map {
+ u16 dma_line;
+- u16 mux_val;
++ u8 mux_val;
+ };
+
+-static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u16 val)
++static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
+ {
+- writeb_relaxed(val & 0x1f, iomem + event);
++ writeb_relaxed(val, iomem + event);
+ }
+
+ static void ti_am335x_xbar_free(struct device *dev, void *route_data)
+@@ -105,7 +105,7 @@ static void *ti_am335x_xbar_route_allocate(struct of_phandle_args *dma_spec,
+ }
+
+ map->dma_line = (u16)dma_spec->args[0];
+- map->mux_val = (u16)dma_spec->args[2];
++ map->mux_val = (u8)dma_spec->args[2];
+
+ dma_spec->args[2] = 0;
+ dma_spec->args_count = 2;
+--
+2.15.0
+
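Review bot: With the `& 0x1f` mask gone from ti_am335x_xbar_write(), the cast `(u8)dma_spec->args[2]` in ti_am335x_xbar_route_allocate() is the only thing bounding the mux value, and it silently truncates anything above 255 to a different event number. Whatever range check exists sits earlier in that function, outside this hunk; it should reject values that do not fit the register rather than rely on the cast. A short comment on the field, `u8 mux_val; /* crossbar event, written with a single writeb */`, would also record why the width changed.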
diff --git a/queue/drm-amdgpu-bypass-lru-touch-for-KIQ-ring-submission.patch b/queue/drm-amdgpu-bypass-lru-touch-for-KIQ-ring-submission.patch
new file mode 100644
index 0000000..9b53cb9
--- /dev/null
+++ b/queue/drm-amdgpu-bypass-lru-touch-for-KIQ-ring-submission.patch
@@ -0,0 +1,38 @@
+From dce1e131dd4dc68099ff1b70aa03cd2d0acf8639 Mon Sep 17 00:00:00 2001
+From: Pixel Ding <Pixel.Ding@amd.com>
+Date: Wed, 8 Nov 2017 10:20:01 +0800
+Subject: [PATCH] drm/amdgpu: bypass lru touch for KIQ ring submission
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit dce1e131dd4dc68099ff1b70aa03cd2d0acf8639 upstream.
+
+KIQ ring submission is used for register accessing on SRIOV
+VF that could happen both in irq enabled and irq disabled cases.
+Inversion lock could happen on adev->ring_lru_list_lock, while
+this operation is useless and just adds overhead in this use
+case.
+
+Signed-off-by: Pixel Ding <Pixel.Ding@amd.com>
+Reviewed-by: Monk Liu <Monk.Liu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+index e5ece1fae149..a98fbbb4739f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -136,7 +136,8 @@ void amdgpu_ring_commit(struct amdgpu_ring *ring)
+ if (ring->funcs->end_use)
+ ring->funcs->end_use(ring);
+
+- amdgpu_ring_lru_touch(ring->adev, ring);
++ if (ring->funcs->type != AMDGPU_RING_TYPE_KIQ)
++ amdgpu_ring_lru_touch(ring->adev, ring);
+ }
+
+ /**
+--
+2.15.0
+
diff --git a/queue/eeprom-at24-change-nvmem-stride-to-1.patch b/queue/eeprom-at24-change-nvmem-stride-to-1.patch
new file mode 100644
index 0000000..908592a
--- /dev/null
+++ b/queue/eeprom-at24-change-nvmem-stride-to-1.patch
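Review bot: The new `if (ring->funcs->type != AMDGPU_RING_TYPE_KIQ)` in amdgpu_ring_commit() carries no comment, so the locking reason for the exemption lives only in the commit message and the check looks like a removable optimisation. A comment above it would keep that visible, for example `/* KIQ submission may run with IRQs disabled; skip the LRU update so ring_lru_list_lock is never taken on that path */`. The start of amdgpu_ring_commit() is outside the hunk.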
@@ -0,0 +1,33 @@
+From 7f6d2ecd3d7acaf205ea7b3e96f9ffc55b92298b Mon Sep 17 00:00:00 2001
+From: David Lechner <david@lechnology.com>
+Date: Sun, 3 Dec 2017 19:54:41 -0600
+Subject: [PATCH] eeprom: at24: change nvmem stride to 1
+
+commit 7f6d2ecd3d7acaf205ea7b3e96f9ffc55b92298b upstream.
+
+Trying to read the MAC address from an eeprom that has an offset that
+is not a multiple of 4 causes an error currently.
+
+Fix it by changing the nvmem stride to 1.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: David Lechner <david@lechnology.com>
+[Bartosz: tweaked the commit message]
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+
+diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
+index 20b4f26d30d7..4d63ac8a82e0 100644
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -876,7 +876,7 @@ static int at24_probe(struct i2c_client *client, const struct i2c_device_id *id)
+ at24->nvmem_config.reg_read = at24_read;
+ at24->nvmem_config.reg_write = at24_write;
+ at24->nvmem_config.priv = at24;
+- at24->nvmem_config.stride = 4;
++ at24->nvmem_config.stride = 1;
+ at24->nvmem_config.word_size = 1;
+ at24->nvmem_config.size = chip.byte_len;
+
+--
+2.15.0
+
diff --git a/queue/ext4-add-missing-error-check-in-__ext4_new_inode.patch b/queue/ext4-add-missing-error-check-in-__ext4_new_inode.patch
new file mode 100644
index 0000000..26f3498
--- /dev/null
+++ b/queue/ext4-add-missing-error-check-in-__ext4_new_inode.patch
@@ -0,0 +1,33 @@
+From 996fc4477a0ea28226b30d175f053fb6f9a4fa36 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 10 Dec 2017 23:44:11 -0500
+Subject: [PATCH] ext4: add missing error check in __ext4_new_inode()
+
+commit 996fc4477a0ea28226b30d175f053fb6f9a4fa36 upstream.
+
+It's possible for ext4_get_acl() to return an ERR_PTR. So we need to
+add a check for this case in __ext4_new_inode(). Otherwise on an
+error we can end up oops the kernel.
+
+This was getting triggered by xfstests generic/388, which is a test
+which exercises the shutdown code path.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index b4267d72f249..b32cf263750d 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -816,6 +816,8 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir,
+ #ifdef CONFIG_EXT4_FS_POSIX_ACL
+ struct posix_acl *p = get_acl(dir, ACL_TYPE_DEFAULT);
+
++ if (IS_ERR(p))
++ return ERR_CAST(p);
+ if (p) {
+ int acl_size = p->a_count * sizeof(ext4_acl_entry);
+
+--
+2.15.0
+
diff --git a/queue/ext4-fix-crash-when-a-directory-s-i_size-is-too-smal.patch b/queue/ext4-fix-crash-when-a-directory-s-i_size-is-too-smal.patch
new file mode 100644
index 0000000..f645d1b
--- /dev/null
+++ b/queue/ext4-fix-crash-when-a-directory-s-i_size-is-too-smal.patch
@@ -0,0 +1,56 @@
+From 9d5afec6b8bd46d6ed821aa1579634437f58ef1f Mon Sep 17 00:00:00 2001
+From: Chandan Rajendra <chandan@linux.vnet.ibm.com>
+Date: Mon, 11 Dec 2017 15:00:57 -0500
+Subject: [PATCH] ext4: fix crash when a directory's i_size is too small
+
+commit 9d5afec6b8bd46d6ed821aa1579634437f58ef1f upstream.
+
+On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
+fsfuzzer) the following call trace is seen,
+
+VFS: brelse: Trying to free free buffer
+WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40
+.__brelse.part.6+0x20/0x40 (unreliable)
+.ext4_find_entry+0x384/0x4f0
+.ext4_lookup+0x84/0x250
+.lookup_slow+0xdc/0x230
+.walk_component+0x268/0x400
+.path_lookupat+0xec/0x2d0
+.filename_lookup+0x9c/0x1d0
+.vfs_statx+0x98/0x140
+.SyS_newfstatat+0x48/0x80
+system_call+0x58/0x6c
+
+This happens because the directory that ext4_find_entry() looks up has
+inode->i_size that is less than the block size of the filesystem. This
+causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
+reading any of the directory file's blocks. This renders the entries in
+bh_use[] array to continue to have garbage data. buffer_uptodate() on
+bh_use[0] can then return a zero value upon which brelse() function is
+invoked.
+
+This commit fixes the bug by returning -ENOENT when the directory file
+has no associated blocks.
+
+Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
+Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
+Cc: stable@vger.kernel.org
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 798b3ac680db..e750d68fbcb5 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1399,6 +1399,10 @@ static struct buffer_head * ext4_find_entry (struct inode *dir,
+ "falling back\n"));
+ }
+ nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
++ if (!nblocks) {
++ ret = NULL;
++ goto cleanup_and_exit;
++ }
+ start = EXT4_I(dir)->i_dir_start_lookup;
+ if (start >= nblocks)
+ start = 0;
+--
+2.15.0
+
diff --git a/queue/ext4-fix-fdatasync-2-after-fallocate-2-operation.patch b/queue/ext4-fix-fdatasync-2-after-fallocate-2-operation.patch
new file mode 100644
index 0000000..0645106
--- /dev/null
+++ b/queue/ext4-fix-fdatasync-2-after-fallocate-2-operation.patch
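Review bot: The description says the fix returns -ENOENT, but the added branch in ext4_find_entry() sets `ret = NULL` and jumps to `cleanup_and_exit`, so callers get the ordinary not-found result and the undersized directory itself is never reported. Because the trigger is a corrupted or fuzzed image, the branch deserves a comment stating that, for example `/* i_size is below one block: there are no directory blocks to search */`. Either the code or the description should be aligned on what is returned. The `cleanup_and_exit` label and the rest of the function are outside this hunk.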
@@ -0,0 +1,42 @@
+From c894aa97577e47d3066b27b32499ecf899bfa8b0 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <eguan@redhat.com>
+Date: Sun, 3 Dec 2017 22:52:51 -0500
+Subject: [PATCH] ext4: fix fdatasync(2) after fallocate(2) operation
+
+commit c894aa97577e47d3066b27b32499ecf899bfa8b0 upstream.
+
+Currently, fallocate(2) with KEEP_SIZE followed by a fdatasync(2)
+then crash, we'll see wrong allocated block number (stat -c %b), the
+blocks allocated beyond EOF are all lost. fstests generic/468
+exposes this bug.
+
+Commit 67a7d5f561f4 ("ext4: fix fdatasync(2) after extent
+manipulation operations") fixed all the other extent manipulation
+operation paths such as hole punch, zero range, collapse range etc.,
+but forgot the fallocate case.
+
+So similarly, fix it by recording the correct journal tid in ext4
+inode in fallocate(2) path, so that ext4_sync_file() will wait for
+the right tid to be committed on fdatasync(2).
+
+This addresses the test failure in xfstests test generic/468.
+
+Signed-off-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 07bca11749d4..c941251ac0c0 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4722,6 +4722,7 @@ static int ext4_alloc_file_blocks(struct file *file, ext4_lblk_t offset,
+ EXT4_INODE_EOFBLOCKS);
+ }
+ ext4_mark_inode_dirty(handle, inode);
++ ext4_update_inode_fsync_trans(handle, inode, 1);
+ ret2 = ext4_journal_stop(handle);
+ if (ret2)
+ break;
+--
+2.15.0
+
diff --git a/queue/ext4-support-fast-symlinks-from-ext3-file-systems.patch b/queue/ext4-support-fast-symlinks-from-ext3-file-systems.patch
new file mode 100644
index 0000000..5753b8f
--- /dev/null
+++ b/queue/ext4-support-fast-symlinks-from-ext3-file-systems.patch
@@ -0,0 +1,51 @@
+From fc82228a5e3860502dbf3bfa4a9570cb7093cf7f Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Sun, 3 Dec 2017 20:38:01 -0500
+Subject: [PATCH] ext4: support fast symlinks from ext3 file systems
+
+commit fc82228a5e3860502dbf3bfa4a9570cb7093cf7f upstream.
+
+407cd7fb83c0 (ext4: change fast symlink test to not rely on i_blocks)
+broke ~10 years old ext3 file systems created by 2.6.17. Any ELF
+executable fails because the /lib/ld-linux.so.2 fast symlink
+cannot be read anymore.
+
+The patch assumed fast symlinks were created in a specific way,
+but that's not true on these really old file systems.
+
+The new behavior is apparently needed only with the large EA inode
+feature.
+
+Revert to the old behavior if the large EA inode feature is not set.
+
+This makes my old VM boot again.
+
+Fixes: 407cd7fb83c0 (ext4: change fast symlink test to not rely on i_blocks)
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@vger.kernel.org
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 7df2c5644e59..534a9130f625 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -149,6 +149,15 @@ static int ext4_meta_trans_blocks(struct inode *inode, int lblocks,
+ */
+ int ext4_inode_is_fast_symlink(struct inode *inode)
+ {
++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
++ int ea_blocks = EXT4_I(inode)->i_file_acl ?
++ EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
++
++ if (ext4_has_inline_data(inode))
++ return 0;
++
++ return (S_ISLNK(inode->i_mode) && inode->i_blocks - ea_blocks == 0);
++ }
+ return S_ISLNK(inode->i_mode) && inode->i_size &&
+ (inode->i_size < EXT4_N_BLOCKS * 4);
+ }
+--
+2.15.0
+
diff --git a/queue/fbdev-controlfb-Add-missing-modes-to-fix-out-of-boun.patch b/queue/fbdev-controlfb-Add-missing-modes-to-fix-out-of-boun.patch
new file mode 100644
index 0000000..97b3ca6
--- /dev/null
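Review bot: ext4_inode_is_fast_symlink() now applies two different tests with no comment saying which inodes take which, and `>> 9` is an unexplained conversion whose unit the reader has to guess. A comment at the top of the new branch would cover the first point, for example `/* Without the EA-inode flag use the i_blocks test: a fast symlink owns no blocks except an optional xattr block */`. The shift could be given its own short note that the cluster size is being converted to the unit of i_blocks. The function's existing header comment ends just above the hunk and is not visible, so it may need the same update.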
+++ b/queue/fbdev-controlfb-Add-missing-modes-to-fix-out-of-boun.patch
@@ -0,0 +1,45 @@
+From ac831a379d34109451b3c41a44a20ee10ecb615f Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 9 Nov 2017 18:09:33 +0100
+Subject: [PATCH] fbdev: controlfb: Add missing modes to fix out of bounds
+ access
+
+commit ac831a379d34109451b3c41a44a20ee10ecb615f upstream.
+
+Dan's static analysis says:
+
+ drivers/video/fbdev/controlfb.c:560 control_setup()
+ error: buffer overflow 'control_mac_modes' 20 <= 21
+
+Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
+which may lead to an out of bounds read when parsing vmode commandline
+options.
+
+The bug was introduced in v2.4.5.6, when 2 new modes were added to
+macmodes.h, but control_mac_modes[] wasn't updated:
+
+https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
+
+Augment control_mac_modes[] with the two new video modes to fix this.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+
+diff --git a/drivers/video/fbdev/controlfb.h b/drivers/video/fbdev/controlfb.h
+index 6026c60fc100..261522fabdac 100644
+--- a/drivers/video/fbdev/controlfb.h
++++ b/drivers/video/fbdev/controlfb.h
+@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_modes[] = {
+ {{ 1, 2}}, /* 1152x870, 75Hz */
+ {{ 0, 1}}, /* 1280x960, 75Hz */
+ {{ 0, 1}}, /* 1280x1024, 75Hz */
++ {{ 1, 2}}, /* 1152x768, 60Hz */
++ {{ 0, 1}}, /* 1600x1024, 60Hz */
+ };
+
+--
+2.15.0
+
diff --git a/queue/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch b/queue/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch
new file mode 100644
index 0000000..a915638
--- /dev/null
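Review bot: Nothing in controlfb.h ties the length of `control_mac_modes[]` to VMODE_MAX, so the out-of-bounds read described in the commit message comes back the next time a mode is added to macmodes.h without a matching row here. A compile-time check where the table is indexed (control_setup(), outside this hunk), for example `BUILD_BUG_ON(ARRAY_SIZE(control_mac_modes) < VMODE_MAX);`, would turn that drift into a build failure. The exact bound depends on how the vmode is mapped to an index, which the hunk does not show.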
+++ b/queue/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch 
@@ -0,0 +1,98 @@
+From 258bbb1b0e594ad5f5652cb526b3c63e6a7fad3d Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 12 Oct 2017 16:12:37 +0200
+Subject: [PATCH] icmp: don't fail on fragment reassembly time exceeded
+
+commit 258bbb1b0e594ad5f5652cb526b3c63e6a7fad3d upstream.
+
+The ICMP implementation currently replies to an ICMP time exceeded message
+(type 11) with an ICMP host unreachable message (type 3, code 1).
+
+However, time exceeded messages can either represent "time to live exceeded
+in transit" (code 0) or "fragment reassembly time exceeded" (code 1).
+
+Unconditionally replying to "fragment reassembly time exceeded" with
+host unreachable messages might cause unjustified connection resets
+which are now easily triggered as UFO has been removed, because, in turn,
+sending large buffers triggers IP fragmentation.
+
+The issue can be easily reproduced by running a lot of UDP streams
+which is likely to trigger IP fragmentation:
+
+ # start netserver in the test namespace
+ ip netns add test
+ ip netns exec test netserver
+
+ # create a VETH pair
+ ip link add name veth0 type veth peer name veth0 netns test
+ ip link set veth0 up
+ ip -n test link set veth0 up
+
+ for i in $(seq 20 29); do
+ # assign addresses to both ends
+ ip addr add dev veth0 192.168.$i.1/24
+ ip -n test addr add dev veth0 192.168.$i.2/24
+
+ # start the traffic
+ netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 &
+ done
+
+ # wait
+ send_data: data send error: No route to host (errno 113)
+ netperf: send_omni: send_data failed: No route to host
+
+We need to differentiate instead: if fragment reassembly time exceeded
+is reported, we need to silently drop the packet,
+if time to live exceeded is reported, maintain the current behaviour.
+In both cases increment the related error count "icmpInTimeExcds".
+
+While at it, fix a typo in a comment, and convert the if statement
+into a switch to mate it more readable.
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 681e33998e03..3c1570d3e22f 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -782,7 +782,7 @@ static bool icmp_tag_validation(int proto)
+ }
+
+ /*
+- * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEED, ICMP_QUENCH, and
++ * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_QUENCH, and
+ * ICMP_PARAMETERPROB.
+ */
+
+@@ -810,7 +810,8 @@ static bool icmp_unreach(struct sk_buff *skb)
+ if (iph->ihl < 5) /* Mangled header, drop. */
+ goto out_err;
+
+- if (icmph->type == ICMP_DEST_UNREACH) {
++ switch (icmph->type) {
++ case ICMP_DEST_UNREACH:
+ switch (icmph->code & 15) {
+ case ICMP_NET_UNREACH:
+ case ICMP_HOST_UNREACH:
+@@ -846,8 +847,16 @@ static bool icmp_unreach(struct sk_buff *skb)
+ }
+ if (icmph->code > NR_ICMP_UNREACH)
+ goto out;
+- } else if (icmph->type == ICMP_PARAMETERPROB)
++ break;
++ case ICMP_PARAMETERPROB:
+ info = ntohl(icmph->un.gateway) >> 24;
++ break;
++ case ICMP_TIME_EXCEEDED:
++ __ICMP_INC_STATS(net, ICMP_MIB_INTIMEEXCDS);
++ if (icmph->code == ICMP_EXC_FRAGTIME)
++ goto out;
++ break;
++ }
+
+ /*
+ * Throw it at our lower layers
+--
+2.15.0
+
diff --git a/queue/iommu-amd-Limit-the-IOVA-page-range-to-the-specified.patch b/queue/iommu-amd-Limit-the-IOVA-page-range-to-the-specified.patch
new file mode 100644
index 0000000..289c663
--- /dev/null
+++ b/queue/iommu-amd-Limit-the-IOVA-page-range-to-the-specified.patch
@@ -0,0 +1,32 @@
+From b92b4fb5c14257c0e7eae291ecc1f7b1962e1699 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Fri, 3 Nov 2017 10:50:34 -0600
+Subject: [PATCH] iommu/amd: Limit the IOVA page range to the specified
+ addresses
+
+commit b92b4fb5c14257c0e7eae291ecc1f7b1962e1699 upstream.
+
+The extent of pages specified when applying a reserved region should
+include up to the last page of the range, but not the page following
+the range.
+
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Fixes: 8d54d6c8b8f3 ('iommu/amd: Implement apply_dm_region call-back')
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 797e6454afd5..a8c111e96cc3 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3151,7 +3151,7 @@ static void amd_iommu_apply_resv_region(struct device *dev,
+ unsigned long start, end;
+
+ start = IOVA_PFN(region->start);
+- end = IOVA_PFN(region->start + region->length);
++ end = IOVA_PFN(region->start + region->length - 1);
+
+ WARN_ON_ONCE(reserve_iova(&dma_dom->iovad, start, end) == NULL);
+ }
+--
+2.15.0
+
diff --git a/queue/iommu-mediatek-Fix-driver-name.patch b/queue/iommu-mediatek-Fix-driver-name.patch
new file mode 100644
index 0000000..2b870cc
--- /dev/null
+++ b/queue/iommu-mediatek-Fix-driver-name.patch
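Review bot: `region->start + region->length - 1` in amd_iommu_apply_resv_region() goes one byte below `start` when `region->length` is 0, so `end` can land on the page before `start` in the reserve_iova() call. Whether a zero-length reserved region can reach this function is not visible in the hunk. If it can, an early `if (!region->length) return;` before `end` is computed keeps the reserved range well formed. The top of the function is outside the hunk.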
@@ -0,0 +1,36 @@
+From 395df08d2e1de238a9c8c33fdcd0e2160efd63a9 Mon Sep 17 00:00:00 2001
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Mon, 30 Oct 2017 12:37:55 +0100
+Subject: [PATCH] iommu/mediatek: Fix driver name
+
+commit 395df08d2e1de238a9c8c33fdcd0e2160efd63a9 upstream.
+
+There exist two Mediatek iommu drivers for the two different
+generations of the device. But both drivers have the same name
+"mtk-iommu". This breaks the registration of the second driver:
+
+Error: Driver 'mtk-iommu' is already registered, aborting...
+
+Fix this by changing the name for first generation to
+"mtk-iommu-v1".
+
+Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c
+index bc1efbfb9ddf..542930cd183d 100644
+--- a/drivers/iommu/mtk_iommu_v1.c
++++ b/drivers/iommu/mtk_iommu_v1.c
+@@ -708,7 +708,7 @@ static struct platform_driver mtk_iommu_driver = {
+ .probe = mtk_iommu_probe,
+ .remove = mtk_iommu_remove,
+ .driver = {
+- .name = "mtk-iommu",
++ .name = "mtk-iommu-v1",
+ .of_match_table = mtk_iommu_of_ids,
+ .pm = &mtk_iommu_pm_ops,
+ }
+--
+2.15.0
+
diff --git a/queue/ipmi_si-fix-memory-leak-on-new_smi.patch b/queue/ipmi_si-fix-memory-leak-on-new_smi.patch
new file mode 100644
index 0000000..a86d1a6
--- /dev/null
+++ b/queue/ipmi_si-fix-memory-leak-on-new_smi.patch
@@ -0,0 +1,31 @@
+From c0a32fe13cd323ca9420500b16fd69589c9ba91e Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 17 Oct 2017 16:54:52 +0100
+Subject: [PATCH] ipmi_si: fix memory leak on new_smi
+
+commit c0a32fe13cd323ca9420500b16fd69589c9ba91e upstream.
+
+The error exit path omits kfree'ing the allocated new_smi, causing a memory
+leak. Fix this by kfree'ing new_smi.
+
+Detected by CoverityScan, CID#14582571 ("Resource Leak")
+
+Fixes: 7e030d6dff71 ("ipmi: Prefer ACPI system interfaces over SMBIOS ones")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+
+diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
+index 55e0c42bee4d..4c16af64f73a 100644
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2004,6 +2004,7 @@ int ipmi_si_add_smi(struct si_sm_io *io)
+ ipmi_addr_src_to_str(new_smi->io.addr_source),
+ si_to_str[new_smi->io.si_type]);
+ rv = -EBUSY;
++ kfree(new_smi);
+ goto out_err;
+ }
+ }
+--
+2.15.0
+
diff --git a/queue/ipv4-ipv4_default_advmss-should-use-route-mtu.patch b/queue/ipv4-ipv4_default_advmss-should-use-route-mtu.patch
new file mode 100644
index 0000000..6780f45
--- /dev/null
+++ b/queue/ipv4-ipv4_default_advmss-should-use-route-mtu.patch
@@ -0,0 +1,30 @@
+From 164a5e7ad531e181334a3d3f03d0d5ad20d6faea Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 18 Oct 2017 17:02:03 -0700
+Subject: [PATCH] ipv4: ipv4_default_advmss() should use route mtu
+
+commit 164a5e7ad531e181334a3d3f03d0d5ad20d6faea upstream.
+
+ipv4_default_advmss() incorrectly uses the device MTU instead
+of the route provided one. IPv6 has the proper behavior,
+lets harmonize the two protocols.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 4306db827374..bc40bd411196 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1250,7 +1250,7 @@ static void set_class_tag(struct rtable *rt, u32 tag)
+ static unsigned int ipv4_default_advmss(const struct dst_entry *dst)
+ {
+ unsigned int header_size = sizeof(struct tcphdr) + sizeof(struct iphdr);
+- unsigned int advmss = max_t(unsigned int, dst->dev->mtu - header_size,
++ unsigned int advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size,
+ ip_rt_min_advmss);
+
+ return min(advmss, IPV4_MAX_PMTU - header_size);
+--
+2.15.0
+
diff --git a/queue/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addt.patch b/queue/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addt.patch
new file mode 100644
index 0000000..9cc7e75
--- /dev/null
+++ b/queue/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addt.patch
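Review bot: `ipv4_mtu(dst) - header_size` in ipv4_default_advmss() is an unsigned subtraction, so an MTU below `header_size` wraps to a very large value that `max_t()` then prefers over `ip_rt_min_advmss`, and the function returns the upper clamp instead of the minimum. The removed line had the same form, but the route MTU is a separate input with its own limits. If it can be smaller than `header_size`, compare before subtracting, for example by reading the MTU into a local and passing `mtu > header_size ? mtu - header_size : 0` to `max_t()`. Whether ipv4_mtu() already enforces such a floor is not visible in this hunk.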
@@ -0,0 +1,36 @@
+From 12d5a43b2dffb6cd28062b4e19024f7982393288 Mon Sep 17 00:00:00 2001
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Fri, 15 Sep 2017 16:03:13 +0800
+Subject: [PATCH] iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
+
+commit 12d5a43b2dffb6cd28062b4e19024f7982393288 upstream.
+
+tpg must free when call core_tpg_register() return fail
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
+index 0dd4c45f7575..0ebc4818e132 100644
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1123,7 +1123,7 @@ static struct se_portal_group *lio_target_tiqn_addtpg(
+
+ ret = core_tpg_register(wwn, &tpg->tpg_se_tpg, SCSI_PROTOCOL_ISCSI);
+ if (ret < 0)
+- return NULL;
++ goto free_out;
+
+ ret = iscsit_tpg_add_portal_group(tiqn, tpg);
+ if (ret != 0)
+@@ -1135,6 +1135,7 @@ static struct se_portal_group *lio_target_tiqn_addtpg(
+ return &tpg->tpg_se_tpg;
+ out:
+ core_tpg_deregister(&tpg->tpg_se_tpg);
++free_out:
+ kfree(tpg);
+ return NULL;
+ }
+--
+2.15.0
+
diff --git a/queue/iw_cxgb4-only-insert-drain-cqes-if-wq-is-flushed.patch b/queue/iw_cxgb4-only-insert-drain-cqes-if-wq-is-flushed.patch
new file mode 100644
index 0000000..e4d5e87
--- /dev/null
+++ b/queue/iw_cxgb4-only-insert-drain-cqes-if-wq-is-flushed.patch
@@ -0,0 +1,75 @@ +From c058ecf6e455fac7346d46197a02398ead90851f Mon Sep 17 00:00:00 2001 +From: Steve Wise <swise@opengridcomputing.com> +Date: Mon, 27 Nov 2017 13:16:32 -0800 +Subject: [PATCH] iw_cxgb4: only insert drain cqes if wq is flushed + +commit c058ecf6e455fac7346d46197a02398ead90851f upstream. + +Only insert our special drain CQEs to support ib_drain_sq/rq() after +the wq is flushed. Otherwise, existing but not yet polled CQEs can be +returned out of order to the user application. This can happen when the +QP has exited RTS but not yet flushed the QP, which can happen during +a normal close (vs abortive close). + +In addition never count the drain CQEs when determining how many CQEs +need to be synthesized during the flush operation. This latter issue +should never happen if the QP is properly flushed before inserting the +drain CQE, but I wanted to avoid corrupting the CQ state. So we handle +it and log a warning once. + +Fixes: 4fe7c2962e11 ("iw_cxgb4: refactor sq/rq drain logic") +Signed-off-by: Steve Wise <swise@opengridcomputing.com> +Cc: stable@vger.kernel.org +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c +index ea55e95cd2c5..b7bfc536e00f 100644 +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -395,6 +395,11 @@ void c4iw_flush_hw_cq(struct c4iw_cq *chp) + + static int cqe_completes_wr(struct t4_cqe *cqe, struct t4_wq *wq) + { ++ if (CQE_OPCODE(cqe) == C4IW_DRAIN_OPCODE) { ++ WARN_ONCE(1, "Unexpected DRAIN CQE qp id %u!\n", wq->sq.qid); ++ return 0; ++ } ++ + if (CQE_OPCODE(cqe) == FW_RI_TERMINATE) + return 0; + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 355e288ec969..38bddd02a943 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -868,7 +868,12 @@ int c4iw_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr, + + qhp = to_c4iw_qp(ibqp); + 
spin_lock_irqsave(&qhp->lock, flag); +- if (t4_wq_in_error(&qhp->wq)) { ++ ++ /* ++ * If the qp has been flushed, then just insert a special ++ * drain cqe. ++ */ ++ if (qhp->wq.flushed) { + spin_unlock_irqrestore(&qhp->lock, flag); + complete_sq_drain_wr(qhp, wr); + return err; +@@ -1011,7 +1016,12 @@ int c4iw_post_receive(struct ib_qp *ibqp, struct ib_recv_wr *wr, + + qhp = to_c4iw_qp(ibqp); + spin_lock_irqsave(&qhp->lock, flag); +- if (t4_wq_in_error(&qhp->wq)) { ++ ++ /* ++ * If the qp has been flushed, then just insert a special ++ * drain cqe. ++ */ ++ if (qhp->wq.flushed) { + spin_unlock_irqrestore(&qhp->lock, flag); + complete_rq_drain_wr(qhp, wr); + return err; +-- +2.15.0 + diff --git a/queue/kernel-make-groups_sort-calling-a-responsibility-gro.patch b/queue/kernel-make-groups_sort-calling-a-responsibility-gro.patch new file mode 100644 index 0000000..0a49795 --- /dev/null +++ b/queue/kernel-make-groups_sort-calling-a-responsibility-gro.patch 
@@ -0,0 +1,160 @@ +From bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758 Mon Sep 17 00:00:00 2001 +From: Thiago Rafael Becker <thiago.becker@gmail.com> +Date: Thu, 14 Dec 2017 15:33:12 -0800 +Subject: [PATCH] kernel: make groups_sort calling a responsibility group_info + allocators + +commit bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758 upstream. + +In testing, we found that nfsd threads may call set_groups in parallel +for the same entry cached in auth.unix.gid, racing in the call of +groups_sort, corrupting the groups for that entry and leading to +permission denials for the client. + +This patch: + - Make groups_sort globally visible. + - Move the call to groups_sort to the modifiers of group_info + - Remove the call to groups_sort from set_groups + +Link: http://lkml.kernel.org/r/20171211151420.18655-1-thiago.becker@gmail.com +Signed-off-by: Thiago Rafael Becker <thiago.becker@gmail.com> +Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com> +Reviewed-by: NeilBrown <neilb@suse.com> +Acked-by: "J. 
Bruce Fields" <bfields@fieldses.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c +index f04db3779b34..59eea9c65d3e 100644 +--- a/arch/s390/kernel/compat_linux.c ++++ b/arch/s390/kernel/compat_linux.c +@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, int, gidsetsize, u16 __user *, grouplis + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c +index 697f8ae7792d..f650e475d8f0 100644 +--- a/fs/nfsd/auth.c ++++ b/fs/nfsd/auth.c +@@ -60,6 +60,9 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) + gi->gid[i] = exp->ex_anon_gid; + else + gi->gid[i] = rqgi->gid[i]; ++ ++ /* Each thread allocates its own gi, no race */ ++ groups_sort(gi); + } + } else { + gi = get_group_info(rqgi); +diff --git a/include/linux/cred.h b/include/linux/cred.h +index 099058e1178b..631286535d0f 100644 +--- a/include/linux/cred.h ++++ b/include/linux/cred.h +@@ -83,6 +83,7 @@ extern int set_current_groups(struct group_info *); + extern void set_groups(struct cred *, struct group_info *); + extern int groups_search(const struct group_info *, kgid_t); + extern bool may_setgroups(void); ++extern void groups_sort(struct group_info *); + + /* + * The security context of a task +diff --git a/kernel/groups.c b/kernel/groups.c +index e357bc800111..daae2f2dc6d4 100644 +--- a/kernel/groups.c ++++ b/kernel/groups.c +@@ -86,11 +86,12 @@ static int gid_cmp(const void *_a, const void *_b) + return gid_gt(a, b) - gid_lt(a, b); + } + +-static void groups_sort(struct group_info *group_info) ++void groups_sort(struct group_info *group_info) + { + sort(group_info->gid, group_info->ngroups, 
sizeof(*group_info->gid), + gid_cmp, NULL); + } ++EXPORT_SYMBOL(groups_sort); + + /* a simple bsearch */ + int groups_search(const struct group_info *group_info, kgid_t grp) +@@ -122,7 +123,6 @@ int groups_search(const struct group_info *group_info, kgid_t grp) + void set_groups(struct cred *new, struct group_info *group_info) + { + put_group_info(new->group_info); +- groups_sort(group_info); + get_group_info(group_info); + new->group_info = group_info; + } +@@ -206,6 +206,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/kernel/uid16.c b/kernel/uid16.c +index ce74a4901d2b..ef1da2a5f9bd 100644 +--- a/kernel/uid16.c ++++ b/kernel/uid16.c +@@ -192,6 +192,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist) + return retval; + } + ++ groups_sort(group_info); + retval = set_current_groups(group_info); + put_group_info(group_info); + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index c4778cae58ef..444380f968f1 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + goto out_free_groups; + creds->cr_group_info->gid[i] = kgid; + } ++ groups_sort(creds->cr_group_info); + + return 0; + out_free_groups: +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 5dd4e6c9fef2..26531193fce4 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd, + goto out; + rsci.cred.cr_group_info->gid[i] = kgid; + } ++ groups_sort(rsci.cred.cr_group_info); + + /* mech name */ + len = qword_get(&mesg, buf, mlen); +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c +index 740b67d5a733..af7f28fb8102 100644 
+--- a/net/sunrpc/svcauth_unix.c ++++ b/net/sunrpc/svcauth_unix.c +@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd, + ug.gi->gid[i] = kgid; + } + ++ groups_sort(ug.gi); + ugp = unix_gid_lookup(cd, uid); + if (ugp) { + struct cache_head *ch; +@@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp) + kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv)); + cred->cr_group_info->gid[i] = kgid; + } ++ groups_sort(cred->cr_group_info); + if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { + *authp = rpc_autherr_badverf; + return SVC_DENIED; +-- +2.15.0 + diff --git a/queue/l2tp-cleanup-l2tp_tunnel_delete-calls.patch b/queue/l2tp-cleanup-l2tp_tunnel_delete-calls.patch new file mode 100644 index 0000000..decd017 --- /dev/null +++ b/queue/l2tp-cleanup-l2tp_tunnel_delete-calls.patch 
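Review bot: In the fs/nfsd/auth.c hunk, `groups_sort(gi);` appears to sit inside the copy loop of nfsd_setuser(): two closing braces follow it before `} else {`, so the first would close the loop rather than the enclosing `if`. Sorting a partly filled array on every iteration can move entries while later iterations still assign `gi->gid[i]` by index, which would leave the squashed group list with wrong or duplicated gids and make groups_search() give wrong membership answers. The loop header is outside the hunk, so confirm against the full file; if that is the layout, the call belongs after the loop's closing brace, once every entry is written. The other call sites added by this patch all sort after their fill loops. Separately, set_groups() now relies on callers having sorted the list, and a one-line comment on it saying so would keep new callers from missing the requirement.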
@@ -0,0 +1,51 @@ +From 4dc12ffeaeac939097a3f55c881d3dc3523dff0c Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <jslaby@suse.cz> +Date: Wed, 25 Oct 2017 15:57:55 +0200 +Subject: [PATCH] l2tp: cleanup l2tp_tunnel_delete calls + +commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c upstream. + +l2tp_tunnel_delete does not return anything since commit 62b982eeb458 +("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of +l2tp_tunnel_delete still do casts to void to avoid unused return value +warnings. + +Kill these now useless casts. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Cc: Sabrina Dubroca <sd@queasysnail.net> +Cc: Guillaume Nault <g.nault@alphalink.fr> +Cc: David S. Miller <davem@davemloft.net> +Cc: netdev@vger.kernel.org +Acked-by: Guillaume Nault <g.nault@alphalink.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 02d61101b108..af22aa8ae35b 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1891,7 +1891,7 @@ static __net_exit void l2tp_exit_net(struct net *net) + + rcu_read_lock_bh(); + list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- (void)l2tp_tunnel_delete(tunnel); ++ l2tp_tunnel_delete(tunnel); + } + rcu_read_unlock_bh(); + +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index f5179424eaf1..f04fb347d251 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -282,7 +282,7 @@ static int l2tp_nl_cmd_tunnel_delete(struct sk_buff *skb, struct genl_info *info + l2tp_tunnel_notify(&l2tp_nl_family, info, + tunnel, L2TP_CMD_TUNNEL_DELETE); + +- (void) l2tp_tunnel_delete(tunnel); ++ l2tp_tunnel_delete(tunnel); + + l2tp_tunnel_dec_refcount(tunnel); + +-- +2.15.0 + diff --git a/queue/lightnvm-pblk-fix-changing-GC-group-list-for-a-line.patch b/queue/lightnvm-pblk-fix-changing-GC-group-list-for-a-line.patch new file mode 100644 index 0000000..8f7eeb9 --- /dev/null 
+++ b/queue/lightnvm-pblk-fix-changing-GC-group-list-for-a-line.patch @@ -0,0 +1,39 @@ +From 27b978725d895e704aab44b99242a0514485d798 Mon Sep 17 00:00:00 2001 +From: Rakesh Pandit <rakesh@tuxera.com> +Date: Fri, 13 Oct 2017 14:46:28 +0200 +Subject: [PATCH] lightnvm: pblk: fix changing GC group list for a line +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 27b978725d895e704aab44b99242a0514485d798 upstream. + +pblk_line_gc_list seems to had a bug since the introduction of pblk in +getting GC list for a line. In b20ba1bc7 while redesigning the GC +algorithm, the naming for the GC thresholds was altered, but the +values for high_thrs and mid_thrs were not. The result is that when +moving to the GC lists, the mid threshold is never evaluated. + +Fixes: a4bd217b4("lightnvm: physical block device (pblk) target") +Signed-off-by: Rakesh Pandit <rakesh@tuxera.com> +Signed-off-by: Matias Bjørling <m@bjorling.me> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/lightnvm/pblk-init.c b/drivers/lightnvm/pblk-init.c +index c7239c41ba40..56ece7dfac0e 100644 +--- a/drivers/lightnvm/pblk-init.c ++++ b/drivers/lightnvm/pblk-init.c +@@ -678,8 +678,8 @@ static int pblk_lines_init(struct pblk *pblk) + lm->blk_bitmap_len = BITS_TO_LONGS(geo->nr_luns) * sizeof(long); + lm->sec_bitmap_len = BITS_TO_LONGS(lm->sec_per_line) * sizeof(long); + lm->lun_bitmap_len = BITS_TO_LONGS(geo->nr_luns) * sizeof(long); +- lm->high_thrs = lm->sec_per_line / 2; +- lm->mid_thrs = lm->sec_per_line / 4; ++ lm->mid_thrs = lm->sec_per_line / 2; ++ lm->high_thrs = lm->sec_per_line / 4; + lm->meta_distance = (geo->nr_luns / 2) * pblk->min_write_pgs; + + /* Calculate necessary pages for smeta. See comment over struct +-- +2.15.0 + diff --git a/queue/lightnvm-pblk-fix-min-size-for-page-mempool.patch b/queue/lightnvm-pblk-fix-min-size-for-page-mempool.patch new file mode 100644 index 0000000..96b26ad --- /dev/null 
+++ b/queue/lightnvm-pblk-fix-min-size-for-page-mempool.patch 
@@ -0,0 +1,139 @@ +From bd432417681a224d9fa4a9d43be7d4edc82135b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Javier=20Gonz=C3=A1lez?= <javier@cnexlabs.com> +Date: Fri, 13 Oct 2017 14:46:06 +0200 +Subject: [PATCH] lightnvm: pblk: fix min size for page mempool +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit bd432417681a224d9fa4a9d43be7d4edc82135b2 upstream. + +pblk uses an internal page mempool for allocating pages on internal +bios. The main two users of this memory pool are partial reads (reads +with some sectors in cache and some on media) and padded writes, which +need to add dummy pages to an existing bio already containing valid +data (and with a large enough bioset allocated). In both cases, the +maximum number of pages per bio is defined by the maximum number of +physical sectors supported by the underlying device. + +This patch fixes a bad mempool allocation, where the min_nr of elements +on the pool was fixed (to 16), which is lower than the maximum number +of sectors supported by NVMe (as of the time for this patch). Instead, +use the maximum number of allowed sectors reported by the device. 
+ +Reported-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Javier González <javier@cnexlabs.com> +Signed-off-by: Matias Bjørling <m@bjorling.me> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/lightnvm/pblk-core.c b/drivers/lightnvm/pblk-core.c +index 9299a5a75a18..f5fbb9a46784 100644 +--- a/drivers/lightnvm/pblk-core.c ++++ b/drivers/lightnvm/pblk-core.c +@@ -192,7 +192,7 @@ void pblk_bio_free_pages(struct pblk *pblk, struct bio *bio, int off, + + for (i = off; i < nr_pages + off; i++) { + bv = bio->bi_io_vec[i]; +- mempool_free(bv.bv_page, pblk->page_pool); ++ mempool_free(bv.bv_page, pblk->page_bio_pool); + } + } + +@@ -204,14 +204,14 @@ int pblk_bio_add_pages(struct pblk *pblk, struct bio *bio, gfp_t flags, + int i, ret; + + for (i = 0; i < nr_pages; i++) { +- page = mempool_alloc(pblk->page_pool, flags); ++ page = mempool_alloc(pblk->page_bio_pool, flags); + if (!page) + goto err; + + ret = bio_add_pc_page(q, bio, page, PBLK_EXPOSED_PAGE_SIZE, 0); + if (ret != PBLK_EXPOSED_PAGE_SIZE) { + pr_err("pblk: could not add page to bio\n"); +- mempool_free(page, pblk->page_pool); ++ mempool_free(page, pblk->page_bio_pool); + goto err; + } + } +diff --git a/drivers/lightnvm/pblk-init.c b/drivers/lightnvm/pblk-init.c +index eee4eeb47d07..7b1f29c71338 100644 +--- a/drivers/lightnvm/pblk-init.c ++++ b/drivers/lightnvm/pblk-init.c +@@ -132,7 +132,6 @@ static int pblk_rwb_init(struct pblk *pblk) + } + + /* Minimum pages needed within a lun */ +-#define PAGE_POOL_SIZE 16 + #define ADDR_POOL_SIZE 64 + + static int pblk_set_ppaf(struct pblk *pblk) +@@ -247,14 +246,16 @@ static int pblk_core_init(struct pblk *pblk) + if (pblk_init_global_caches(pblk)) + return -ENOMEM; + +- pblk->page_pool = mempool_create_page_pool(PAGE_POOL_SIZE, 0); +- if (!pblk->page_pool) ++ /* internal bios can be at most the sectors signaled by the device. 
*/ ++ pblk->page_bio_pool = mempool_create_page_pool(nvm_max_phys_sects(dev), ++ 0); ++ if (!pblk->page_bio_pool) + return -ENOMEM; + + pblk->line_ws_pool = mempool_create_slab_pool(PBLK_WS_POOL_SIZE, + pblk_blk_ws_cache); + if (!pblk->line_ws_pool) +- goto free_page_pool; ++ goto free_page_bio_pool; + + pblk->rec_pool = mempool_create_slab_pool(geo->nr_luns, pblk_rec_cache); + if (!pblk->rec_pool) +@@ -309,8 +310,8 @@ static int pblk_core_init(struct pblk *pblk) + mempool_destroy(pblk->rec_pool); + free_blk_ws_pool: + mempool_destroy(pblk->line_ws_pool); +-free_page_pool: +- mempool_destroy(pblk->page_pool); ++free_page_bio_pool: ++ mempool_destroy(pblk->page_bio_pool); + return -ENOMEM; + } + +@@ -322,7 +323,7 @@ static void pblk_core_free(struct pblk *pblk) + if (pblk->bb_wq) + destroy_workqueue(pblk->bb_wq); + +- mempool_destroy(pblk->page_pool); ++ mempool_destroy(pblk->page_bio_pool); + mempool_destroy(pblk->line_ws_pool); + mempool_destroy(pblk->rec_pool); + mempool_destroy(pblk->g_rq_pool); +diff --git a/drivers/lightnvm/pblk-read.c b/drivers/lightnvm/pblk-read.c +index ee8efb55b330..402c732f0970 100644 +--- a/drivers/lightnvm/pblk-read.c ++++ b/drivers/lightnvm/pblk-read.c +@@ -238,7 +238,7 @@ static int pblk_fill_partial_read_bio(struct pblk *pblk, struct nvm_rq *rqd, + kunmap_atomic(src_p); + kunmap_atomic(dst_p); + +- mempool_free(src_bv.bv_page, pblk->page_pool); ++ mempool_free(src_bv.bv_page, pblk->page_bio_pool); + + hole = find_next_zero_bit(read_bitmap, nr_secs, hole + 1); + } while (hole < nr_secs); +diff --git a/drivers/lightnvm/pblk.h b/drivers/lightnvm/pblk.h +index b592e5194b0f..229f6020ad8a 100644 +--- a/drivers/lightnvm/pblk.h ++++ b/drivers/lightnvm/pblk.h +@@ -620,7 +620,7 @@ struct pblk { + + struct list_head compl_list; + +- mempool_t *page_pool; ++ mempool_t *page_bio_pool; + mempool_t *line_ws_pool; + mempool_t *rec_pool; + mempool_t *g_rq_pool; +-- +2.15.0 + 
diff --git a/queue/lightnvm-pblk-initialize-debug-stat-counter.patch b/queue/lightnvm-pblk-initialize-debug-stat-counter.patch
new file mode 100644
index 0000000..a9a11d6
--- /dev/null
+++ b/queue/lightnvm-pblk-initialize-debug-stat-counter.patch
@@ -0,0 +1,32 @@
+From a1121176ff757e3c073490a69608ea0b18a00ec1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Javier=20Gonz=C3=A1lez?= <javier@cnexlabs.com>
+Date: Fri, 13 Oct 2017 14:46:01 +0200
+Subject: [PATCH] lightnvm: pblk: initialize debug stat counter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit a1121176ff757e3c073490a69608ea0b18a00ec1 upstream.
+
+Initialize the stat counter for garbage collected reads.
+
+Fixes: a4bd217b43268 ("lightnvm: physical block device (pblk) target")
+Signed-off-by: Javier González <javier@cnexlabs.com>
+Signed-off-by: Matias Bjørling <m@bjorling.me>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/drivers/lightnvm/pblk-init.c b/drivers/lightnvm/pblk-init.c
+index 8c85779e9635..83445115a922 100644
+--- a/drivers/lightnvm/pblk-init.c
++++ b/drivers/lightnvm/pblk-init.c
+@@ -947,6 +947,7 @@ static void *pblk_init(struct nvm_tgt_dev *dev, struct gendisk *tdisk,
+ atomic_long_set(&pblk->recov_writes, 0);
+ atomic_long_set(&pblk->recov_writes, 0);
+ atomic_long_set(&pblk->recov_gc_writes, 0);
++ atomic_long_set(&pblk->recov_gc_reads, 0);
+ #endif
+
+ atomic_long_set(&pblk->read_failed, 0);
+--
+2.15.0
+
diff --git a/queue/lightnvm-pblk-prevent-gc-kicks-when-gc-is-not-operat.patch b/queue/lightnvm-pblk-prevent-gc-kicks-when-gc-is-not-operat.patch
new file mode 100644
index 0000000..6b62cbf
--- /dev/null
+++ b/queue/lightnvm-pblk-prevent-gc-kicks-when-gc-is-not-operat.patch
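Review bot: The two context lines directly above the added `atomic_long_set(&pblk->recov_gc_reads, 0);` both reset `pblk->recov_writes`, so one of them is either redundant or was meant for a different counter that is still never set explicitly. It would be worth comparing this block against the full list of debug counters in `struct pblk` in one pass instead of fixing them one at a time. The initialisation block starts above the hunk, so the counters set earlier are not visible here.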
@@ -0,0 +1,64 @@
+From 3e3a5b8ebd5d3b1d68facc58b0674a2564653222 Mon Sep 17 00:00:00 2001
+From: Hans Holmberg <hans.holmberg@cnexlabs.com>
+Date: Fri, 13 Oct 2017 14:46:34 +0200
+Subject: [PATCH] lightnvm: pblk: prevent gc kicks when gc is not operational
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 3e3a5b8ebd5d3b1d68facc58b0674a2564653222 upstream.
+
+GC can be kicked after it has been shut down when closing the last
+line during exit, resulting in accesses to freed structures.
+
+Make sure that GC is not triggered while it is not operational.
+Also make sure that GC won't be re-activated during exit when
+running on another processor by using timer_del_sync.
+
+Signed-off-by: Hans Holmberg <hans.holmberg@cnexlabs.com>
+Signed-off-by: Matias Bjørling <m@bjorling.me>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/drivers/lightnvm/pblk-gc.c b/drivers/lightnvm/pblk-gc.c
+index 7b103bce58bf..81efac18ff57 100644
+--- a/drivers/lightnvm/pblk-gc.c
++++ b/drivers/lightnvm/pblk-gc.c
+@@ -478,10 +478,10 @@ void pblk_gc_should_start(struct pblk *pblk)
+ {
+ struct pblk_gc *gc = &pblk->gc;
+
+- if (gc->gc_enabled && !gc->gc_active)
++ if (gc->gc_enabled && !gc->gc_active) {
+ pblk_gc_start(pblk);
+-
+- pblk_gc_kick(pblk);
++ pblk_gc_kick(pblk);
++ }
+ }
+
+ /*
+@@ -620,7 +620,8 @@ void pblk_gc_exit(struct pblk *pblk)
+ flush_workqueue(gc->gc_reader_wq);
+ flush_workqueue(gc->gc_line_reader_wq);
+
+- del_timer(&gc->gc_timer);
++ gc->gc_enabled = 0;
++ del_timer_sync(&gc->gc_timer);
+ pblk_gc_stop(pblk, 1);
+
+ if (gc->gc_ts)
+diff --git a/drivers/lightnvm/pblk-init.c b/drivers/lightnvm/pblk-init.c
+index 2e599738372d..27eb430958ff 100644
+--- a/drivers/lightnvm/pblk-init.c
++++ b/drivers/lightnvm/pblk-init.c
+@@ -931,6 +931,7 @@ static void *pblk_init(struct nvm_tgt_dev *dev, struct gendisk *tdisk,
+ pblk->dev = dev;
+ pblk->disk = tdisk;
+ pblk->state = PBLK_STATE_RUNNING;
++ pblk->gc.gc_enabled = 0;
+
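Review bot: In the `pblk_gc_exit()` hunk, `gc->gc_enabled = 0;` is a plain store placed after both `flush_workqueue()` calls, and `pblk_gc_should_start()` reads `gc_enabled` and `gc_active` with no lock or barrier visible in its hunk. A caller on another CPU that has already passed the `if` can still reach `pblk_gc_start()` and `pblk_gc_kick()` while exit proceeds, which is the access-to-freed-structures case the description names. Clearing the flag before the first `flush_workqueue()` call, with `WRITE_ONCE(gc->gc_enabled, 0);` on the store and `READ_ONCE()` on the read, would narrow that window. Whether callers already serialise on a lock cannot be seen here, because `pblk_gc_exit()` starts outside the hunk.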
spin_lock_init(&pblk->trans_lock);
+ spin_lock_init(&pblk->lock);
+--
+2.15.0
+
diff --git a/queue/lightnvm-pblk-protect-line-bitmap-while-submitting-m.patch b/queue/lightnvm-pblk-protect-line-bitmap-while-submitting-m.patch
new file mode 100644
index 0000000..7aa772c
--- /dev/null
+++ b/queue/lightnvm-pblk-protect-line-bitmap-while-submitting-m.patch
@@ -0,0 +1,41 @@
+From e57903fd972a398b7140d0bc055714e13a0e58c5 Mon Sep 17 00:00:00 2001
+From: Rakesh Pandit <rakesh@tuxera.com>
+Date: Fri, 13 Oct 2017 14:45:56 +0200
+Subject: [PATCH] lightnvm: pblk: protect line bitmap while submitting meta io
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit e57903fd972a398b7140d0bc055714e13a0e58c5 upstream.
+
+It seems pblk_dealloc_page would race against pblk_alloc_pages for
+line bitmap for sector allocation.The chances are very low but might
+as well protect the bitmap properly.
+
+Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
+Reviewed-by: Javier González <javier@cnexlabs.com>
+Signed-off-by: Matias Bjørling <m@bjorling.me>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/drivers/lightnvm/pblk-core.c b/drivers/lightnvm/pblk-core.c
+index 81501644fb15..b53bb00a9918 100644
+--- a/drivers/lightnvm/pblk-core.c
++++ b/drivers/lightnvm/pblk-core.c
+@@ -486,12 +486,14 @@ void pblk_dealloc_page(struct pblk *pblk, struct pblk_line *line, int nr_secs)
+ u64 addr;
+ int i;
+
++ spin_lock(&line->lock);
+ addr = find_next_zero_bit(line->map_bitmap,
+ pblk->lm.sec_per_line, line->cur_sec);
+ line->cur_sec = addr - nr_secs;
+
+ for (i = 0; i < nr_secs; i++, line->cur_sec--)
+ WARN_ON(!test_and_clear_bit(line->cur_sec, line->map_bitmap));
++ spin_unlock(&line->lock);
+ }
+
+ u64 __pblk_alloc_page(struct pblk *pblk, struct pblk_line *line, int nr_secs)
+--
+2.15.0
+
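Review bot: The added `spin_lock(&line->lock);` in `pblk_dealloc_page()` assumes that no caller already holds `line->lock` and that the lock is never taken from interrupt context; neither is visible in this hunk. A comment above the function such as `/* Takes line->lock; must not be called with it held. */` would record the contract, and `__pblk_alloc_page()` directly below could carry `lockdep_assert_held(&line->lock);` if its callers are expected to hold the lock. Separately, `line->cur_sec = addr - nr_secs;` is still unchecked, so an `nr_secs` larger than `addr` would apparently hand an out-of-range index to `test_and_clear_bit()`.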
diff --git a/queue/lightnvm-pblk-use-right-flag-for-GC-allocation.patch b/queue/lightnvm-pblk-use-right-flag-for-GC-allocation.patch new file mode 100644 index 0000000..a38bde0 --- /dev/null +++ b/queue/lightnvm-pblk-use-right-flag-for-GC-allocation.patch 
@@ -0,0 +1,59 @@ +From 7d327a9ed6c4dca341ebf99012e0a6b80a3050e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Javier=20Gonz=C3=A1lez?= <javier@cnexlabs.com> +Date: Fri, 13 Oct 2017 14:46:02 +0200 +Subject: [PATCH] lightnvm: pblk: use right flag for GC allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 7d327a9ed6c4dca341ebf99012e0a6b80a3050e6 upstream. + +The data buffer for the GC path allocates virtual memory through +vmalloc. When this change was introduced, a flag signaling kmalloc'ed +memory was wrongly introduced. Use the right flag when creating a bio +from this buffer. + +Fixes: de54e703a422 ("lightnvm: pblk: use vmalloc for GC data buffer") +Signed-off-by: Javier González <javier@cnexlabs.com> +Signed-off-by: Matias Bjørling <m@bjorling.me> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/drivers/lightnvm/pblk-read.c b/drivers/lightnvm/pblk-read.c +index d682e89e6493..ee8efb55b330 100644 +--- a/drivers/lightnvm/pblk-read.c ++++ b/drivers/lightnvm/pblk-read.c +@@ -499,7 +499,7 @@ int pblk_submit_read_gc(struct pblk *pblk, u64 *lba_list, void *data, + + data_len = (*secs_to_gc) * geo->sec_size; + bio = pblk_bio_map_addr(pblk, data, *secs_to_gc, data_len, +- PBLK_KMALLOC_META, GFP_KERNEL); ++ PBLK_VMALLOC_META, GFP_KERNEL); + if (IS_ERR(bio)) { + pr_err("pblk: could not allocate GC bio (%lu)\n", PTR_ERR(bio)); + goto err_free_dma; +@@ -519,7 +519,7 @@ int pblk_submit_read_gc(struct pblk *pblk, u64 *lba_list, void *data, + if (ret) { + bio_endio(bio); + pr_err("pblk: GC read request failed\n"); +- goto err_free_dma; ++ goto err_free_bio; + } + + if (!wait_for_completion_io_timeout(&wait, +@@ -541,10 +541,13 @@ int pblk_submit_read_gc(struct pblk *pblk, u64 *lba_list, void *data, + atomic_long_sub(*secs_to_gc, &pblk->inflight_reads); + #endif + ++ bio_put(bio); + out: + nvm_dev_dma_free(dev->parent, rqd.meta_list, rqd.dma_meta_list); + return NVM_IO_OK; + ++err_free_bio: ++ bio_put(bio); + 
err_free_dma: + nvm_dev_dma_free(dev->parent, rqd.meta_list, rqd.dma_meta_list); + return NVM_IO_ERR; +-- +2.15.0 + diff --git a/queue/liquidio-fix-kernel-panic-in-VF-driver.patch b/queue/liquidio-fix-kernel-panic-in-VF-driver.patch new file mode 100644 index 0000000..0b19dc1 --- /dev/null +++ b/queue/liquidio-fix-kernel-panic-in-VF-driver.patch 
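Review bot: The new `bio_put(bio);` before `out:` is also reached after the `wait_for_completion_io_timeout()` branch that ends the second hunk. If that branch only logs and falls through (its body is cut off by the hunk), the bio reference is dropped while the request may still be outstanding, and a late completion would touch a freed bio. The timeout path should either wait for the request to finish or skip the put. In the failed-submit path, `bio_endio(bio);` is now followed by `bio_put(bio);` at `err_free_bio:`, which is balanced only if the end_io handler does not drop the reference itself; that handler is not visible here.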
@@ -0,0 +1,83 @@ +From aa28667cfbe4ff6f14454dda210b1f2e485f99b5 Mon Sep 17 00:00:00 2001 +From: Felix Manlunas <felix.manlunas@cavium.com> +Date: Thu, 26 Oct 2017 16:46:36 -0700 +Subject: [PATCH] liquidio: fix kernel panic in VF driver + +commit aa28667cfbe4ff6f14454dda210b1f2e485f99b5 upstream. + +Doing ifconfig down on VF driver in the middle of receiving line rate +traffic causes a kernel panic: + + LiquidIO_VF 0000:02:00.3: should not come here should not get rx when poll mode = 0 for vf + BUG: unable to handle kernel NULL pointer dereference at (null) + . + . + . + Call Trace: + <IRQ> + ? tasklet_action+0x102/0x120 + __do_softirq+0x91/0x292 + irq_exit+0xb6/0xc0 + do_IRQ+0x4f/0xd0 + common_interrupt+0x93/0x93 + </IRQ> + RIP: 0010:cpuidle_enter_state+0x142/0x2f0 + RSP: 0018:ffffffffa6403e20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff59 + RAX: 0000000000000000 RBX: 0000000000000003 RCX: 000000000000001f + RDX: 0000000000000000 RSI: 000000002ab7519f RDI: 0000000000000000 + RBP: ffffffffa6403e58 R08: 0000000000000084 R09: 0000000000000018 + R10: ffffffffa6403df0 R11: 00000000000003c7 R12: 0000000000000003 + R13: ffffd27ebd806800 R14: ffffffffa64d40d8 R15: 0000007be072823f + cpuidle_enter+0x17/0x20 + call_cpuidle+0x23/0x40 + do_idle+0x18c/0x1f0 + cpu_startup_entry+0x64/0x70 + rest_init+0xa5/0xb0 + start_kernel+0x45e/0x46b + x86_64_start_reservations+0x24/0x26 + x86_64_start_kernel+0x6f/0x72 + secondary_startup_64+0xa5/0xa5 + Code: Bad RIP value. + RIP: (null) RSP: ffff9246ed003f28 + CR2: 0000000000000000 + ---[ end trace 92731e80f31b7d7d ]--- + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: 0x24000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception in interrupt + +Reason is: in the function assigned to net_device_ops->ndo_stop, the steps +for bringing down the interface are done in the wrong order. 
The step that +notifies the NIC firmware to stop forwarding packets to host is done too +late. Fix it by moving that step to the beginning. + +Signed-off-by: Felix Manlunas <felix.manlunas@cavium.com> +Signed-off-by: Raghu Vatsavayi <raghu.vatsavayi@cavium.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 00c19306ecee..fd70a4844e2d 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -1288,6 +1288,9 @@ static int liquidio_stop(struct net_device *netdev) + struct octeon_device *oct = lio->oct_dev; + struct napi_struct *napi, *n; + ++ /* tell Octeon to stop forwarding packets to host */ ++ send_rx_ctrl_cmd(lio, 0); ++ + if (oct->props[lio->ifidx].napi_enabled) { + list_for_each_entry_safe(napi, n, &netdev->napi_list, dev_list) + napi_disable(napi); +@@ -1305,9 +1308,6 @@ static int liquidio_stop(struct net_device *netdev) + netif_carrier_off(netdev); + lio->link_changes++; + +- /* tell Octeon to stop forwarding packets to host */ +- send_rx_ctrl_cmd(lio, 0); +- + ifstate_reset(lio, LIO_IFSTATE_RUNNING); + + txqs_stop(netdev); +-- +2.15.0 + diff --git a/queue/macvlan-Only-deliver-one-copy-of-the-frame-to-the-ma.patch b/queue/macvlan-Only-deliver-one-copy-of-the-frame-to-the-ma.patch new file mode 100644 index 0000000..edcfd1c --- /dev/null +++ b/queue/macvlan-Only-deliver-one-copy-of-the-frame-to-the-ma.patch 
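Review bot: The moved comment in `liquidio_stop()` still reads `/* tell Octeon to stop forwarding packets to host */` and does not say that its position is the fix. The next person to tidy this function can move the call back down and reintroduce the panic. A wording such as `/* tell Octeon to stop forwarding packets to host; must run before napi_disable() */` would pin the ordering. The return value of `send_rx_ctrl_cmd(lio, 0)` is not used in the hunk, so if the command can fail or complete asynchronously, NAPI teardown may still start while the firmware is forwarding; that depends on the helper, which is outside the hunk.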
@@ -0,0 +1,38 @@ +From dd6b9c2c332b40f142740d1b11fb77c653ff98ea Mon Sep 17 00:00:00 2001 +From: Alexander Duyck <alexander.h.duyck@intel.com> +Date: Fri, 13 Oct 2017 13:40:24 -0700 +Subject: [PATCH] macvlan: Only deliver one copy of the frame to the macvlan + interface + +commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea upstream. + +This patch intoduces a slight adjustment for macvlan to address the fact +that in source mode I was seeing two copies of any packet addressed to the +macvlan interface being delivered where there should have been only one. + +The issue appears to be that one copy was delivered based on the source MAC +address and then the second copy was being delivered based on the +destination MAC address. To fix it I am just treating a unicast address +match as though it is not a match since source based macvlan isn't supposed +to be matching based on the destination MAC anyway. + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 858bd66511a2..a4ae8cd0f660 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -480,7 +480,7 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb) + struct macvlan_dev, list); + else + vlan = macvlan_hash_lookup(port, eth->h_dest); +- if (vlan == NULL) ++ if (!vlan || vlan->mode == MACVLAN_MODE_SOURCE) + return RX_HANDLER_PASS; + + dev = vlan->dev; +-- +2.15.0 + diff --git a/queue/md-cluster-fix-wrong-condition-check-in-raid1_write_.patch b/queue/md-cluster-fix-wrong-condition-check-in-raid1_write_.patch new file mode 100644 index 0000000..727f3a2 --- /dev/null +++ b/queue/md-cluster-fix-wrong-condition-check-in-raid1_write_.patch 
@@ -0,0 +1,40 @@ +From 385f4d7f946b08f36f68b0a28e95a319925b6b62 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang <gqjiang@suse.com> +Date: Fri, 29 Sep 2017 09:16:43 +0800 +Subject: [PATCH] md-cluster: fix wrong condition check in raid1_write_request + +commit 385f4d7f946b08f36f68b0a28e95a319925b6b62 upstream. + +The check used here is to avoid conflict between write and +resync, however we used the wrong logic, it should be the +inverse of the checking inside "if". + +Fixes: 589a1c4 ("Suspend writes in RAID1 if within range") +Signed-off-by: Guoqing Jiang <gqjiang@suse.com> +Signed-off-by: Shaohua Li <shli@fb.com> + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index f3f3e40dc9d8..35264ad0ec70 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1325,12 +1325,12 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + sigset_t full, old; + prepare_to_wait(&conf->wait_barrier, + &w, TASK_INTERRUPTIBLE); +- if (bio_end_sector(bio) <= mddev->suspend_lo || +- bio->bi_iter.bi_sector >= mddev->suspend_hi || +- (mddev_is_clustered(mddev) && ++ if ((bio_end_sector(bio) <= mddev->suspend_lo || ++ bio->bi_iter.bi_sector >= mddev->suspend_hi) && ++ (!mddev_is_clustered(mddev) || + !md_cluster_ops->area_resyncing(mddev, WRITE, +- bio->bi_iter.bi_sector, +- bio_end_sector(bio)))) ++ bio->bi_iter.bi_sector, ++ bio_end_sector(bio)))) + break; + sigfillset(&full); + sigprocmask(SIG_BLOCK, &full, &old); +-- +2.15.0 + diff --git a/queue/media-camss-vfe-always-initialize-reg-at-vfe_set_xba.patch b/queue/media-camss-vfe-always-initialize-reg-at-vfe_set_xba.patch new file mode 100644 index 0000000..4120f40 --- /dev/null +++ b/queue/media-camss-vfe-always-initialize-reg-at-vfe_set_xba.patch 
@@ -0,0 +1,35 @@ +From 9917fbcfa20ab987d6381fd0365665e5c1402d75 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@s-opensource.com> +Date: Wed, 1 Nov 2017 08:09:59 -0400 +Subject: [PATCH] media: camss-vfe: always initialize reg at vfe_set_xbar_cfg() + +commit 9917fbcfa20ab987d6381fd0365665e5c1402d75 upstream. + +if output->wm_num is bigger than 2, the value for reg is +not initialized, as warned by smatch: + drivers/media/platform/qcom/camss-8x16/camss-vfe.c:633 vfe_set_xbar_cfg() error: uninitialized symbol 'reg'. + drivers/media/platform/qcom/camss-8x16/camss-vfe.c:637 vfe_set_xbar_cfg() error: uninitialized symbol 'reg'. + +That shouldn't happen in practice, so add a logic that will +break the loop if i > 1, fixing the warnings. + +Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> +Acked-by: Todor Tomov <todor.tomov@linaro.org> + +diff --git a/drivers/media/platform/qcom/camss-8x16/camss-vfe.c b/drivers/media/platform/qcom/camss-8x16/camss-vfe.c +index b22d2dfcd3c2..55232a912950 100644 +--- a/drivers/media/platform/qcom/camss-8x16/camss-vfe.c ++++ b/drivers/media/platform/qcom/camss-8x16/camss-vfe.c +@@ -622,6 +622,9 @@ static void vfe_set_xbar_cfg(struct vfe_device *vfe, struct vfe_output *output, + reg = VFE_0_BUS_XBAR_CFG_x_M_PAIR_STREAM_EN; + if (p == V4L2_PIX_FMT_NV12 || p == V4L2_PIX_FMT_NV16) + reg |= VFE_0_BUS_XBAR_CFG_x_M_PAIR_STREAM_SWAP_INTER_INTRA; ++ } else { ++ /* On current devices output->wm_num is always <= 2 */ ++ break; + } + + if (output->wm_idx[i] % 2 == 1) +-- +2.15.0 + diff --git a/queue/media-usbtv-fix-brightness-and-contrast-controls.patch b/queue/media-usbtv-fix-brightness-and-contrast-controls.patch new file mode 100644 index 0000000..1853fd5 --- /dev/null +++ b/queue/media-usbtv-fix-brightness-and-contrast-controls.patch 
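Review bot: The added `else { break; }` in `vfe_set_xbar_cfg()` leaves the loop silently, so if `output->wm_num` ever does exceed 2 the remaining entries are skipped with no trace and the comment's assumption goes unverified. Making the assumption loud costs one line: `} else { WARN_ON_ONCE(1); break; }`, or a check of `output->wm_num` before the loop. The loop header and the declaration of `output->wm_idx[]` are outside the hunk, so whether `i` is otherwise bounded by the array size cannot be confirmed here.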
@@ -0,0 +1,43 @@
+From b3168c87c0492661badc3e908f977d79e7738a41 Mon Sep 17 00:00:00 2001
+From: Adam Sampson <ats@offog.org>
+Date: Tue, 24 Oct 2017 16:14:46 -0400
+Subject: [PATCH] media: usbtv: fix brightness and contrast controls
+
+commit b3168c87c0492661badc3e908f977d79e7738a41 upstream.
+
+Because the brightness and contrast controls share a register,
+usbtv_s_ctrl needs to read the existing values for both controls before
+inserting the new value. However, the code accidentally wrote to the
+registers (from an uninitialised stack array), rather than reading them.
+
+The user-visible effect of this was that adjusting the brightness would
+also set the contrast to a random value, and vice versa -- so it wasn't
+possible to correctly adjust the brightness of usbtv's video output.
+
+Tested with an "EasyDAY" UTV007 device.
+
+Fixes: c53a846c48f2 ("usbtv: add video controls")
+
+Signed-off-by: Adam Sampson <ats@offog.org>
+Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+diff --git a/drivers/media/usb/usbtv/usbtv-video.c b/drivers/media/usb/usbtv/usbtv-video.c
+index 95b5f4319ec2..3668a04359e8 100644
+--- a/drivers/media/usb/usbtv/usbtv-video.c
++++ b/drivers/media/usb/usbtv/usbtv-video.c
+@@ -718,8 +718,8 @@ static int usbtv_s_ctrl(struct v4l2_ctrl *ctrl)
+ */
+ if (ctrl->id == V4L2_CID_BRIGHTNESS || ctrl->id == V4L2_CID_CONTRAST) {
+ ret = usb_control_msg(usbtv->udev,
+- usb_sndctrlpipe(usbtv->udev, 0), USBTV_CONTROL_REG,
+- USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
++ usb_rcvctrlpipe(usbtv->udev, 0), USBTV_CONTROL_REG,
++ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, USBTV_BASE + 0x0244, (void *)data, 3, 0);
+ if (ret < 0)
+ goto error;
+--
+2.15.0
+
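Review bot: After the switch to `usb_rcvctrlpipe()` and `USB_DIR_IN`, the check `if (ret < 0)` still accepts a short transfer, so a device that returns fewer than the 3 requested bytes leaves part of `data` unset and the later write-back would again send indeterminate bytes. Comparing against the requested length closes that: `if (ret != 3) { ret = ret < 0 ? ret : -EIO; goto error; }`. The description calls `data` a stack array; if so, it is also passed to `usb_control_msg()` as the transfer buffer, which should be heap memory, and the timeout argument of `0` waits indefinitely on an unresponsive device. `usbtv_s_ctrl()` begins and ends outside the hunk, so the buffer declaration and the write-back are not visible here.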
diff --git a/queue/mfd-fsl-imx25-Clean-up-irq-settings-during-removal.patch b/queue/mfd-fsl-imx25-Clean-up-irq-settings-during-removal.patch new file mode 100644 index 0000000..fe48ce5 --- /dev/null +++ b/queue/mfd-fsl-imx25-Clean-up-irq-settings-during-removal.patch 
@@ -0,0 +1,65 @@ +From 18f77393796848e68909e65d692c1d1436f06e06 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser <martin@kaiser.cx> +Date: Tue, 17 Oct 2017 22:53:08 +0200 +Subject: [PATCH] mfd: fsl-imx25: Clean up irq settings during removal + +commit 18f77393796848e68909e65d692c1d1436f06e06 upstream. + +When fsl-imx25-tsadc is compiled as a module, loading, unloading and +reloading the module will lead to a crash. + +Unable to handle kernel paging request at virtual address bf005430 +[<c004df6c>] (irq_find_matching_fwspec) + from [<c028d5ec>] (of_irq_get+0x58/0x74) +[<c028d594>] (of_irq_get) + from [<c01ff970>] (platform_get_irq+0x48/0xc8) +[<c01ff928>] (platform_get_irq) + from [<bf00e33c>] (mx25_tsadc_probe+0x220/0x2f4 [fsl_imx25_tsadc]) + +irq_find_matching_fwspec() loops over all registered irq domains. The +irq domain is still registered from last time the module was loaded but +the pointer to its operations is invalid after the module was unloaded. + +Add a removal function which clears the irq handler and removes the irq +domain. With this cleanup in place, it's possible to unload and reload +the module. 
+
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+
+diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c
+index 14189efd70d0..dbb85caaafed 100644
+--- a/drivers/mfd/fsl-imx25-tsadc.c
++++ b/drivers/mfd/fsl-imx25-tsadc.c
+@@ -179,6 +179,19 @@ static int mx25_tsadc_probe(struct platform_device *pdev)
+ return devm_of_platform_populate(dev);
+ }
+
++static int mx25_tsadc_remove(struct platform_device *pdev)
++{
++ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
++ int irq = platform_get_irq(pdev, 0);
++
++ if (irq) {
++ irq_set_chained_handler_and_data(irq, NULL, NULL);
++ irq_domain_remove(tsadc->domain);
++ }
++
++ return 0;
++}
++
+ static const struct of_device_id mx25_tsadc_ids[] = {
+ { .compatible = "fsl,imx25-tsadc" },
+ { /* Sentinel */ }
+@@ -191,6 +204,7 @@ static struct platform_driver mx25_tsadc_driver = {
+ .of_match_table = of_match_ptr(mx25_tsadc_ids),
+ },
+ .probe = mx25_tsadc_probe,
++ .remove = mx25_tsadc_remove,
+ };
+ module_platform_driver(mx25_tsadc_driver);
+
+--
+2.15.0
+
diff --git a/queue/mfd-mxs-lradc-Fix-error-handling-in-mxs_lradc_probe.patch b/queue/mfd-mxs-lradc-Fix-error-handling-in-mxs_lradc_probe.patch
new file mode 100644
index 0000000..8520628
--- /dev/null
+++ b/queue/mfd-mxs-lradc-Fix-error-handling-in-mxs_lradc_probe.patch
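Review bot: In `mx25_tsadc_remove()`, `if (irq)` is also true for the negative error codes that `platform_get_irq()` returns, so a failed lookup passes a negative number to `irq_set_chained_handler_and_data()`. The test should be `if (irq > 0)`. The domain teardown hangs off the same condition: if probe creates `tsadc->domain` before it looks up the interrupt (probe's body is outside the hunk), `irq_domain_remove(tsadc->domain);` would need to run unconditionally, otherwise a domain with stale ops pointers can survive an unload, which is the crash the description reports.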
@@ -0,0 +1,35 @@ +From 362741a21a5c4b9ee31e75ce28d63c6d238a745c Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov <khoroshilov@ispras.ru> +Date: Sat, 14 Oct 2017 01:06:56 +0300 +Subject: [PATCH] mfd: mxs-lradc: Fix error handling in mxs_lradc_probe() + +commit 362741a21a5c4b9ee31e75ce28d63c6d238a745c upstream. + +There is the only path, where mxs_lradc_probe() leaves clk undisabled, +since it does return instead of goto err_clk. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> +Signed-off-by: Lee Jones <lee.jones@linaro.org> + +diff --git a/drivers/mfd/mxs-lradc.c b/drivers/mfd/mxs-lradc.c +index 630bd19b2c0a..98e732a7ae96 100644 +--- a/drivers/mfd/mxs-lradc.c ++++ b/drivers/mfd/mxs-lradc.c +@@ -196,8 +196,10 @@ static int mxs_lradc_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, lradc); + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- if (!res) +- return -ENOMEM; ++ if (!res) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + + switch (lradc->soc) { + case IMX23_LRADC: +-- +2.15.0 + diff --git a/queue/misc-pci_endpoint_test-Avoid-triggering-a-BUG.patch b/queue/misc-pci_endpoint_test-Avoid-triggering-a-BUG.patch new file mode 100644 index 0000000..118b14a --- /dev/null +++ b/queue/misc-pci_endpoint_test-Avoid-triggering-a-BUG.patch 
@@ -0,0 +1,31 @@
+From 846df244ebefbc9f7b91e9ae7a5e5a2e69fb4772 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 30 Sep 2017 11:16:51 +0300
+Subject: [PATCH] misc: pci_endpoint_test: Avoid triggering a BUG()
+
+commit 846df244ebefbc9f7b91e9ae7a5e5a2e69fb4772 upstream.
+
+If you call ida_simple_remove(&pci_endpoint_test_ida, id) with a
+negative "id" then it triggers an immediate BUG_ON(). Let's not allow
+that.
+
+Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
+index c0d323077ad0..d40a34f594c7 100644
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -597,6 +597,8 @@ static void pci_endpoint_test_remove(struct pci_dev *pdev)
+
+ if (sscanf(misc_device->name, DRV_MODULE_NAME ".%d", &id) != 1)
+ return;
++ if (id < 0)
++ return;
+
+ misc_deregister(&test->miscdev);
+ ida_simple_remove(&pci_endpoint_test_ida, id);
+--
+2.15.0
+
diff --git a/queue/misc-pci_endpoint_test-Fix-failure-path-return-value.patch b/queue/misc-pci_endpoint_test-Fix-failure-path-return-value.patch
new file mode 100644
index 0000000..5dbb87b
--- /dev/null
+++ b/queue/misc-pci_endpoint_test-Fix-failure-path-return-value.patch
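Review bot: Both early `return`s in `pci_endpoint_test_remove()`, the existing `sscanf()` one and the added `if (id < 0)`, leave before `misc_deregister(&test->miscdev);`, so the misc device stays registered after the PCI device is removed. Its file operations could then run against driver state that the rest of remove, or devres, has released. Only the IDA release needs the guard: keep `misc_deregister()` unconditional and write `if (id >= 0) ida_simple_remove(&pci_endpoint_test_ida, id);`, with `id` initialised to a negative value so a failed `sscanf()` takes the same path. The remainder of the function is outside the hunk, so the other teardown steps the early returns skip cannot be listed here.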
@@ -0,0 +1,37 @@
+From 80068c93688f6143100859c4856f895801c1a1d9 Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Wed, 11 Oct 2017 14:14:36 +0530
+Subject: [PATCH] misc: pci_endpoint_test: Fix failure path return values in
+ probe
+
+commit 80068c93688f6143100859c4856f895801c1a1d9 upstream.
+
+Return value of pci_endpoint_test_probe is not set properly in a couple of
+failure cases. Fix it here.
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c
+index d40a34f594c7..5e7af21686d6 100644
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -542,6 +542,7 @@ static int pci_endpoint_test_probe(struct pci_dev *pdev,
+
+ test->base = test->bar[test_reg_bar];
+ if (!test->base) {
++ err = -ENOMEM;
+ dev_err(dev, "Cannot perform PCI test without BAR%d\n",
+ test_reg_bar);
+ goto err_iounmap;
+@@ -551,6 +552,7 @@ static int pci_endpoint_test_probe(struct pci_dev *pdev,
+
+ id = ida_simple_get(&pci_endpoint_test_ida, 0, 0, GFP_KERNEL);
+ if (id < 0) {
++ err = id;
+ dev_err(dev, "unable to get id\n");
+ goto err_iounmap;
+ }
+--
+2.15.0
+
diff --git a/queue/mlxsw-spectrum-Fix-error-return-code-in-mlxsw_sp_por.patch b/queue/mlxsw-spectrum-Fix-error-return-code-in-mlxsw_sp_por.patch
new file mode 100644
index 0000000..9ccfcb0
--- /dev/null
+++ b/queue/mlxsw-spectrum-Fix-error-return-code-in-mlxsw_sp_por.patch
@@ -0,0 +1,31 @@
+From d86fd113ebbb37726ef7c7cc6fd6d5ce377455d6 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 6 Nov 2017 11:11:28 +0000
+Subject: [PATCH] mlxsw: spectrum: Fix error return code in
+ mlxsw_sp_port_create()
+
+commit d86fd113ebbb37726ef7c7cc6fd6d5ce377455d6 upstream.
+
+Fix to return a negative error code from the VID create error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: c57529e1d5d8 ("mlxsw: spectrum: Replace vPorts with Port-VLAN")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+index 1497b436be78..b2cd1ebf4e36 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -3043,6 +3043,7 @@ static int mlxsw_sp_port_create(struct mlxsw_sp *mlxsw_sp, u8 local_port,
+ if (IS_ERR(mlxsw_sp_port_vlan)) {
+ dev_err(mlxsw_sp->bus_info->dev, "Port %d: Failed to create VID 1\n",
+ mlxsw_sp_port->local_port);
++ err = PTR_ERR(mlxsw_sp_port_vlan);
+ goto err_port_vlan_get;
+ }
+
+--
+2.15.0
+
diff --git a/queue/mm-Handle-0-flags-in-_calc_vm_trans-macro.patch b/queue/mm-Handle-0-flags-in-_calc_vm_trans-macro.patch
new file mode 100644
index 0000000..3d0a9e3
--- /dev/null
+++ b/queue/mm-Handle-0-flags-in-_calc_vm_trans-macro.patch
@@ -0,0 +1,34 @@
+From 592e254502041f953e84d091eae2c68cba04c10b Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 3 Nov 2017 12:21:21 +0100
+Subject: [PATCH] mm: Handle 0 flags in _calc_vm_trans() macro
+
+commit 592e254502041f953e84d091eae2c68cba04c10b upstream.
+
+_calc_vm_trans() does not handle the situation when some of the passed
+flags are 0 (which can happen if these VM flags do not make sense for
+the architecture). Improve the _calc_vm_trans() macro to return 0 in
+such situation. Since all passed flags are constant, this does not add
+any runtime overhead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+
+diff --git a/include/linux/mman.h b/include/linux/mman.h
+index c8367041fafd..edb6cf6a81ed 100644
+--- a/include/linux/mman.h
++++ b/include/linux/mman.h
+@@ -63,8 +63,9 @@ static inline bool arch_validate_prot(unsigned long prot)
+ * ("bit1" and "bit2" must be single bits)
+ */
+ #define _calc_vm_trans(x, bit1, bit2) \
++ ((!(bit1) || !(bit2)) ? 0 : \
+ ((bit1) <= (bit2) ? ((x) & (bit1)) * ((bit2) / (bit1)) \
+- : ((x) & (bit1)) / ((bit1) / (bit2)))
++ : ((x) & (bit1)) / ((bit1) / (bit2))))
+
+ /*
+ * Combine the mmap "prot" argument into "vm_flags" used internally.
+--
+2.15.0
+
diff --git a/queue/mm-oom_reaper-fix-memory-corruption.patch b/queue/mm-oom_reaper-fix-memory-corruption.patch
new file mode 100644
index 0000000..b0a6ff2
--- /dev/null
+++ b/queue/mm-oom_reaper-fix-memory-corruption.patch
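Review bot: The comment above `_calc_vm_trans()` still reads `("bit1" and "bit2" must be single bits)`, but with the added first arm a zero flag is now an accepted input. I would update it to `("bit1" and "bit2" must each be a single bit or 0; the result is 0 if either is 0)` so that a caller does not have to read the expansion to learn that. The macro also expands `bit1` and `bit2` several times, which is only safe as long as callers pass constants, as the commit message says they do; that restriction could be stated in the same comment.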
@@ -0,0 +1,139 @@
+From 4837fe37adff1d159904f0c013471b1ecbcb455e Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Thu, 14 Dec 2017 15:33:15 -0800
+Subject: [PATCH] mm, oom_reaper: fix memory corruption
+
+commit 4837fe37adff1d159904f0c013471b1ecbcb455e upstream.
+
+David Rientjes has reported the following memory corruption while the
+oom reaper tries to unmap the victims address space
+
+ BUG: Bad page map in process oom_reaper pte:6353826300000000 pmd:00000000
+ addr:00007f50cab1d000 vm_flags:08100073 anon_vma:ffff9eea335603f0 mapping: (null) index:7f50cab1d
+ file: (null) fault: (null) mmap: (null) readpage: (null)
+ CPU: 2 PID: 1001 Comm: oom_reaper
+ Call Trace:
+ unmap_page_range+0x1068/0x1130
+ __oom_reap_task_mm+0xd5/0x16b
+ oom_reaper+0xff/0x14c
+ kthread+0xc1/0xe0
+
+Tetsuo Handa has noticed that the synchronization inside exit_mmap is
+insufficient. We only synchronize with the oom reaper if
+tsk_is_oom_victim which is not true if the final __mmput is called from
+a different context than the oom victim exit path. This can trivially
+happen from context of any task which has grabbed mm reference (e.g. to
+read /proc/<pid>/ file which requires mm etc.).
+
+The race would look like this
+
+ oom_reaper oom_victim task
+ mmget_not_zero
+ do_exit
+ mmput
+ __oom_reap_task_mm mmput
+ __mmput
+ exit_mmap
+ remove_vma
+ unmap_page_range
+
+Fix this issue by providing a new mm_is_oom_victim() helper which
+operates on the mm struct rather than a task. Any context which
+operates on a remote mm struct should use this helper in place of
+tsk_is_oom_victim. The flag is set in mark_oom_victim and never cleared
+so it is stable in the exit_mmap path.
+
+Debugged by Tetsuo Handa.
+
+Link: http://lkml.kernel.org/r/20171210095130.17110-1-mhocko@kernel.org
+Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: David Rientjes <rientjes@google.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Andrea Argangeli <andrea@kernel.org>
+Cc: <stable@vger.kernel.org> [4.14]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/include/linux/oom.h b/include/linux/oom.h
+index 01c91d874a57..5bad038ac012 100644
+--- a/include/linux/oom.h
++++ b/include/linux/oom.h
+@@ -66,6 +66,15 @@ static inline bool tsk_is_oom_victim(struct task_struct * tsk)
+ return tsk->signal->oom_mm;
+ }
+
++/*
++ * Use this helper if tsk->mm != mm and the victim mm needs a special
++ * handling. This is guaranteed to stay true after once set.
++ */
++static inline bool mm_is_oom_victim(struct mm_struct *mm)
++{
++ return test_bit(MMF_OOM_VICTIM, &mm->flags);
++}
++
+ /*
+ * Checks whether a page fault on the given mm is still reliable.
+ * This is no longer true if the oom reaper started to reap the
+diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h
+index 9c8847395b5e..ec912d01126f 100644
+--- a/include/linux/sched/coredump.h
++++ b/include/linux/sched/coredump.h
+@@ -70,6 +70,7 @@ static inline int get_dumpable(struct mm_struct *mm)
+ #define MMF_UNSTABLE 22 /* mm is unstable for copy_from_user */
+ #define MMF_HUGE_ZERO_PAGE 23 /* mm has ever used the global huge zero page */
+ #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */
++#define MMF_OOM_VICTIM 25 /* mm is the oom victim */
+ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP)
+
+ #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\
+diff --git a/mm/mmap.c b/mm/mmap.c
+index a4d546821214..9efdc021ad22 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3019,20 +3019,20 @@ void exit_mmap(struct mm_struct *mm)
+ /* Use -1 here to ensure all VMAs in the mm are unmapped */
+ unmap_vmas(&tlb, vma, 0, -1);
+
+- set_bit(MMF_OOM_SKIP, &mm->flags);
+- if (unlikely(tsk_is_oom_victim(current))) {
++ if (unlikely(mm_is_oom_victim(mm))) {
+ /*
+ * Wait for oom_reap_task() to stop working on this
+ * mm. Because MMF_OOM_SKIP is already set before
+ * calling down_read(), oom_reap_task() will not run
+ * on this "mm" post up_write().
+ *
+- * tsk_is_oom_victim() cannot be set from under us
+- * either because current->mm is already set to NULL
++ * mm_is_oom_victim() cannot be set from under us
++ * either because victim->mm is already set to NULL
+ * under task_lock before calling mmput and oom_mm is
+- * set not NULL by the OOM killer only if current->mm
++ * set not NULL by the OOM killer only if victim->mm
+ * is found not NULL while holding the task_lock.
+ */
++ set_bit(MMF_OOM_SKIP, &mm->flags);
+ down_write(&mm->mmap_sem);
+ up_write(&mm->mmap_sem);
+ }
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index c957be32b27a..29f855551efe 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -683,8 +683,10 @@ static void mark_oom_victim(struct task_struct *tsk)
+ return;
+
+ /* oom_mm is bound to the signal struct life time. */
+- if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm))
++ if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm)) {
+ mmgrab(tsk->signal->oom_mm);
++ set_bit(MMF_OOM_VICTIM, &mm->flags);
++ }
+
+ /*
+ * Make sure that the task is woken up from uninterruptible sleep
+--
+2.15.0
+
diff --git a/queue/mmc-core-apply-NO_CMD23-quirk-to-some-specific-cards.patch b/queue/mmc-core-apply-NO_CMD23-quirk-to-some-specific-cards.patch
new file mode 100644
index 0000000..5b38bd1
--- /dev/null
+++ b/queue/mmc-core-apply-NO_CMD23-quirk-to-some-specific-cards.patch
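Review bot: The comment kept in exit_mmap() no longer matches the test it sits under: it argues stability from `oom_mm` being set only while `victim->mm` is non-NULL under task_lock, whereas `mm_is_oom_victim()` reads the `MMF_OOM_VICTIM` bit, which mark_oom_victim() sets after the `cmpxchg()` and `mmgrab()`. Since this check is what keeps the reaper from racing with the unmap, I would state the invariant in terms of the flag, e.g. `* MMF_OOM_VICTIM is set in mark_oom_victim() and never cleared, so it is stable here.` The helper's own comment could say the same more plainly, `Once set, the flag is never cleared.` instead of `This is guaranteed to stay true after once set.` Both exit_mmap() and mark_oom_victim() continue outside their hunks.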
@@ -0,0 +1,76 @@
+From 91516a2a4734614d62ee3ed921f8f88acc67c000 Mon Sep 17 00:00:00 2001
+From: Christoph Fritz <chf.fritz@googlemail.com>
+Date: Sat, 9 Dec 2017 23:47:55 +0100
+Subject: [PATCH] mmc: core: apply NO_CMD23 quirk to some specific cards
+
+commit 91516a2a4734614d62ee3ed921f8f88acc67c000 upstream.
+
+To get an usdhc Apacer and some ATP SD cards work reliable, CMD23 needs
+to be disabled. This has been tested on i.MX6 (sdhci-esdhc) and rk3288
+(dw_mmc-rockchip).
+
+Without this patch on i.MX6 (sdhci-esdhc):
+
+ $ dd if=/dev/urandom of=/mnt/test bs=1M count=10 conv=fsync
+
+ | <mmc0: starting CMD23 arg 00000400 flags 00000015>
+ | mmc0: starting CMD25 arg 00a71f00 flags 000000b5
+ | mmc0: blksz 512 blocks 1024 flags 00000100 tsac 3000 ms nsac 0
+ | mmc0: CMD12 arg 00000000 flags 0000049d
+ | sdhci [sdhci_irq()]: *** mmc0 got interrupt: 0x00000001
+ | mmc0: Timeout waiting for hardware interrupt.
+
+Without this patch on rk3288 (dw_mmc-rockchip):
+
+ | mmc1: Card stuck in programming state! mmcblk1 card_busy_detect
+ | dwmmc_rockchip ff0c0000.dwmmc: Busy; trying anyway
+ | mmc_host mmc1: Bus speed (slot 0) = 400000Hz (slot req 400000Hz,
+ | actual 400000HZ div = 0)
+ | mmc1: card never left busy state
+ | mmc1: tried to reset card, got error -110
+ | blk_update_request: I/O error, dev mmcblk1, sector 139778
+ | Buffer I/O error on dev mmcblk1p1, logical block 131586, lost async
+ | page write
+
+Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+
+diff --git a/drivers/mmc/core/card.h b/drivers/mmc/core/card.h
+index f06cd91964ce..79a5b985ccf5 100644
+--- a/drivers/mmc/core/card.h
++++ b/drivers/mmc/core/card.h
+@@ -75,9 +75,11 @@ struct mmc_fixup {
+ #define EXT_CSD_REV_ANY (-1u)
+
+ #define CID_MANFID_SANDISK 0x2
++#define CID_MANFID_ATP 0x9
+ #define CID_MANFID_TOSHIBA 0x11
+ #define CID_MANFID_MICRON 0x13
+ #define CID_MANFID_SAMSUNG 0x15
++#define CID_MANFID_APACER 0x27
+ #define CID_MANFID_KINGSTON 0x70
+ #define CID_MANFID_HYNIX 0x90
+
+diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h
+index f664e9cbc9f8..75d317623852 100644
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -52,6 +52,14 @@ static const struct mmc_fixup mmc_blk_fixups[] = {
+ MMC_FIXUP("MMC32G", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc,
+ MMC_QUIRK_BLK_NO_CMD23),
+
++ /*
++ * Some SD cards lockup while using CMD23 multiblock transfers.
++ */
++ MMC_FIXUP("AF SD", CID_MANFID_ATP, CID_OEMID_ANY, add_quirk_sd,
++ MMC_QUIRK_BLK_NO_CMD23),
++ MMC_FIXUP("APUSD", CID_MANFID_APACER, 0x5048, add_quirk_sd,
++ MMC_QUIRK_BLK_NO_CMD23),
++
+ /*
+ * Some MMC cards need longer data read timeout than indicated in CSD.
+ */
+--
+2.15.0
+
diff --git a/queue/mtd-spi-nor-stm32-quadspi-Fix-uninitialized-error-re.patch b/queue/mtd-spi-nor-stm32-quadspi-Fix-uninitialized-error-re.patch
new file mode 100644
index 0000000..3229b69
--- /dev/null
+++ b/queue/mtd-spi-nor-stm32-quadspi-Fix-uninitialized-error-re.patch
@@ -0,0 +1,53 @@
+From 05521bd3d117704a1458eb4d0c3ae821858658f2 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 26 Oct 2017 17:12:33 +0200
+Subject: [PATCH] mtd: spi-nor: stm32-quadspi: Fix uninitialized error return
+ code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 05521bd3d117704a1458eb4d0c3ae821858658f2 upstream.
+
+With gcc 4.1.2:
+
+ drivers/mtd/spi-nor/stm32-quadspi.c: In function ‘stm32_qspi_tx_poll’:
+ drivers/mtd/spi-nor/stm32-quadspi.c:230: warning: ‘ret’ may be used uninitialized in this function
+
+Indeed, if stm32_qspi_cmd.len is zero, ret will be uninitialized.
+This length is passed from outside the driver using the
+spi_nor.{read,write}{,_reg}() callbacks.
+
+Several functions in drivers/mtd/spi-nor/spi-nor.c (e.g. write_enable(),
+write_disable(), and erase_chip()) call spi_nor.write_reg() with a zero
+length.
+
+Fix this by returning an explicit zero on success.
+
+Fixes: 0d43d7ab277a048c ("mtd: spi-nor: add driver for STM32 quad spi flash controller")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Ludovic Barre <ludovic.barre@st.com>
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+
+diff --git a/drivers/mtd/spi-nor/stm32-quadspi.c b/drivers/mtd/spi-nor/stm32-quadspi.c
+index 86c0931543c5..ad6a3e1844cb 100644
+--- a/drivers/mtd/spi-nor/stm32-quadspi.c
++++ b/drivers/mtd/spi-nor/stm32-quadspi.c
+@@ -240,12 +240,12 @@ static int stm32_qspi_tx_poll(struct stm32_qspi *qspi,
+ STM32_QSPI_FIFO_TIMEOUT_US);
+ if (ret) {
+ dev_err(qspi->dev, "fifo timeout (stat:%#x)\n", sr);
+- break;
++ return ret;
+ }
+ tx_fifo(buf++, qspi->io_base + QUADSPI_DR);
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int stm32_qspi_tx_mm(struct stm32_qspi *qspi,
+--
+2.15.0
+
diff --git a/queue/net-dsa-lan9303-Do-not-disable-switch-fabric-port-0-.patch b/queue/net-dsa-lan9303-Do-not-disable-switch-fabric-port-0-.patch
new file mode 100644
index 0000000..fdcb1d1
--- /dev/null
+++ b/queue/net-dsa-lan9303-Do-not-disable-switch-fabric-port-0-.patch
@@ -0,0 +1,48 @@
+From 3c91b0c1de8d013490bbc41ce9ee8810ea5baddd Mon Sep 17 00:00:00 2001
+From: Egil Hjelmeland <privat@egil-hjelmeland.no>
+Date: Tue, 24 Oct 2017 17:14:10 +0200
+Subject: [PATCH] net: dsa: lan9303: Do not disable switch fabric port 0 at
+ .probe
+
+commit 3c91b0c1de8d013490bbc41ce9ee8810ea5baddd upstream.
+
+Make the LAN9303 work when lan9303_probe() is called twice.
+
+For some unknown reason the LAN9303 switch fail to forward data when switch
+fabric port 0 TX is disabled during probe. (Write of LAN9303_MAC_TX_CFG_0
+in lan9303_disable_processing_port().)
+
+In that situation the switch fabric seem to receive frames, because the ALR
+is learning addresses. But no frames are transmitted on any of the ports.
+
+In our system lan9303_probe() is called twice, first time
+dsa_register_switch() return -EPROBE_DEFER. As an experiment, modified the
+code to skip writing LAN9303_MAC_TX_CFG_0, port 0 during the first probe.
+Then the switch works as expected.
+
+Resolve the problem by not calling lan9303_disable_processing_port() on
+port 0 during probe. Ports 1 and 2 are still disabled.
+
+Although unsatisfying that the exact failure mechanism is not known,
+the patch should not cause any harm.
+
+Signed-off-by: Egil Hjelmeland <privat@egil-hjelmeland.no>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 87f919f0e641..4c412bd52319 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -818,7 +818,7 @@ static int lan9303_disable_processing(struct lan9303 *chip)
+ {
+ int p;
+
+- for (p = 0; p < LAN9303_NUM_PORTS; p++) {
++ for (p = 1; p < LAN9303_NUM_PORTS; p++) {
+ int ret = lan9303_disable_processing_port(chip, p);
+
+ if (ret)
+--
+2.15.0
+
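Review bot: The loop in lan9303_disable_processing() now starts at `p = 1` with nothing in the code saying why port 0 is left alone, while the function name still suggests that every port is disabled. Because the commit message admits the failure mechanism is unknown, this workaround is easy to revert by accident during a later cleanup; a comment above the loop would prevent that, for example `/* Port 0 is skipped on purpose: disabling its TX during probe stops the switch from forwarding. */`. The same comment could note that port 0 stays enabled while ports 1 and 2 are disabled, since callers that expect a fully quiesced switch after this call no longer get one. The function body continues past the end of the hunk.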
diff --git a/queue/net-hns3-Fix-a-misuse-to-devm_free_irq.patch b/queue/net-hns3-Fix-a-misuse-to-devm_free_irq.patch
new file mode 100644
index 0000000..c5b39d4
--- /dev/null
+++ b/queue/net-hns3-Fix-a-misuse-to-devm_free_irq.patch
@@ -0,0 +1,35 @@
+From ae064e6123f89f90af7e4ea190cc0c612643ca93 Mon Sep 17 00:00:00 2001
+From: qumingguang <qumingguang@huawei.com>
+Date: Thu, 2 Nov 2017 20:45:22 +0800
+Subject: [PATCH] net: hns3: Fix a misuse to devm_free_irq
+
+commit ae064e6123f89f90af7e4ea190cc0c612643ca93 upstream.
+
+we should use free_irq to free the nic irq during the unloading time.
+because we use request_irq to apply it when nic up. It will crash if
+up net device after reset the port. This patch fixes the issue.
+
+Signed-off-by: qumingguang <qumingguang@huawei.com>
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+index 39679fdb83c7..2a0af11c9b59 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+@@ -2558,9 +2558,8 @@ static int hns3_nic_uninit_vector_data(struct hns3_nic_priv *priv)
+ (void)irq_set_affinity_hint(
+ priv->tqp_vector[i].vector_irq,
+ NULL);
+- devm_free_irq(&pdev->dev,
+- priv->tqp_vector[i].vector_irq,
+- &priv->tqp_vector[i]);
++ free_irq(priv->tqp_vector[i].vector_irq,
++ &priv->tqp_vector[i]);
+ }
+
+ priv->ring_data[i].ring->irq_init_flag = HNS3_VECTOR_NOT_INITED;
+--
+2.15.0
+
diff --git a/queue/net-hns3-add-nic_client-check-when-initialize-roce-b.patch b/queue/net-hns3-add-nic_client-check-when-initialize-roce-b.patch
new file mode 100644
index 0000000..c5896a4
--- /dev/null
+++ b/queue/net-hns3-add-nic_client-check-when-initialize-roce-b.patch
@@ -0,0 +1,33 @@
+From 3a46f34d20d453f09defb76b11a567647939c0aa Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Tue, 24 Oct 2017 21:02:10 +0800
+Subject: [PATCH] net: hns3: add nic_client check when initialize roce base
+ information
+
+commit 3a46f34d20d453f09defb76b11a567647939c0aa upstream.
+
+Roce driver works base on HNS3 driver.If insmod Roce driver before
+NIC driver there is a error because do not check nic_client. This patch
+adds nic_client check when initialize roce base information.
+
+Fixes: 46a3df9 (net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 443124177f05..2c22d3cf6d1e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -4285,7 +4285,7 @@ static int hclge_init_client_instance(struct hnae3_client *client,
+ vport->roce.client = client;
+ }
+
+- if (hdev->roce_client) {
++ if (hdev->roce_client && hdev->nic_client) {
+ ret = hclge_init_roce_base_info(vport);
+ if (ret)
+ goto err;
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-a-bug-in-hclge_uninit_client_instance.patch b/queue/net-hns3-fix-a-bug-in-hclge_uninit_client_instance.patch
new file mode 100644
index 0000000..9cc9e5e
--- /dev/null
+++ b/queue/net-hns3-fix-a-bug-in-hclge_uninit_client_instance.patch
@@ -0,0 +1,50 @@
+From a17dcf3f0124698d1120da71574bf4c339e5a368 Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Tue, 24 Oct 2017 21:02:11 +0800
+Subject: [PATCH] net: hns3: fix a bug in hclge_uninit_client_instance
+
+commit a17dcf3f0124698d1120da71574bf4c339e5a368 upstream.
+
+HNS3 driver initialize hdev->roce_client and vport->roce.client in
+hclge_init_client_instance, and need set hdev->roce_client and
+vport->roce.client NULL.
+
+If do not set them NULL when uninit, it will fail in the scene:
+insmod hns3.ko, hns-roce.ko, hns-roce-hw-v3.ko successfully, but
+rmmod hns3.ko after rmmod hns-roce-hw-v2.ko and hns-roce.ko.
+This patch fixes the issue.
+
+Fixes: 46a3df9 (net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 2c22d3cf6d1e..d11a9a56c7d8 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -4311,13 +4311,19 @@ static void hclge_uninit_client_instance(struct hnae3_client *client,
+
+ for (i = 0; i < hdev->num_vmdq_vport + 1; i++) {
+ vport = &hdev->vport[i];
+- if (hdev->roce_client)
++ if (hdev->roce_client) {
+ hdev->roce_client->ops->uninit_instance(&vport->roce,
+ 0);
++ hdev->roce_client = NULL;
++ vport->roce.client = NULL;
++ }
+ if (client->type == HNAE3_CLIENT_ROCE)
+ return;
+- if (client->ops->uninit_instance)
++ if (client->ops->uninit_instance) {
+ client->ops->uninit_instance(&vport->nic, 0);
++ hdev->nic_client = NULL;
++ vport->nic.client = NULL;
++ }
+ }
+ }
+
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-a-bug-when-alloc-new-buffer.patch b/queue/net-hns3-fix-a-bug-when-alloc-new-buffer.patch
new file mode 100644
index 0000000..a6e0709
--- /dev/null
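Review bot: `hdev->roce_client = NULL;` is assigned inside the per-vport loop of hclge_uninit_client_instance(), so after the first iteration the `if (hdev->roce_client)` test is false and the remaining vports are neither passed to `uninit_instance()` nor get `vport->roce.client` cleared. That leaves stale client pointers on every vport but the first when a NIC client is removed, which is the state this commit sets out to remove. `hdev->nic_client = NULL;` has the same placement, although the branch it sits in tests `client->ops` and so is not cut short by it. I would keep only the per-vport assignments inside the loop and clear the two `hdev` pointers once all vports have been handled, taking the early `return` for `HNAE3_CLIENT_ROCE` into account.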
+++ b/queue/net-hns3-fix-a-bug-when-alloc-new-buffer.patch
@@ -0,0 +1,32 @@
+From b9077428ec5569aacb2952d8a2ffb51c8988d3c2 Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Mon, 23 Oct 2017 19:51:01 +0800
+Subject: [PATCH] net: hns3: fix a bug when alloc new buffer
+
+commit b9077428ec5569aacb2952d8a2ffb51c8988d3c2 upstream.
+
+When alloce new buffer to HW, should unmap the old buffer first.
+This old code map the old buffer but not unmap the old buffer,
+this patch fixes it.
+
+Fixes: 76ad4f0 (net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+index 8383d6726ae4..3ddcd47fa61c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+@@ -1595,7 +1595,7 @@ static int hns3_alloc_ring_buffers(struct hns3_enet_ring *ring)
+ static void hns3_replace_buffer(struct hns3_enet_ring *ring, int i,
+ struct hns3_desc_cb *res_cb)
+ {
+- hns3_map_buffer(ring, &ring->desc_cb[i]);
++ hns3_unmap_buffer(ring, &ring->desc_cb[i]);
+ ring->desc_cb[i] = *res_cb;
+ ring->desc[i].addr = cpu_to_le64(ring->desc_cb[i].dma);
+ }
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-for-getting-advertised_caps-in-hns3_get.patch b/queue/net-hns3-fix-for-getting-advertised_caps-in-hns3_get.patch
new file mode 100644
index 0000000..19fb36f
--- /dev/null
+++ b/queue/net-hns3-fix-for-getting-advertised_caps-in-hns3_get.patch
@@ -0,0 +1,34 @@
+From 2b39cabb2a283cea0c3d96d9370575371726164f Mon Sep 17 00:00:00 2001
+From: Fuyun Liang <liangfuyun1@huawei.com>
+Date: Fri, 3 Nov 2017 12:18:26 +0800
+Subject: [PATCH] net: hns3: fix for getting advertised_caps in
+ hns3_get_link_ksettings
+
+commit 2b39cabb2a283cea0c3d96d9370575371726164f upstream.
+
+This patch fixes a bug for ethtool's get_link_ksettings().
+The advertising for autoneg is always added to advertised_caps
+whether autoneg is enable or disable. This patch fixes it.
+
+Fixes: 496d03e (net: hns3: Add Ethtool support to HNS3 driver)
+Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c
+index 367b20cef294..0e10a43e29b3 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c
+@@ -640,6 +640,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev,
+ break;
+ }
+
++ if (!cmd->base.autoneg)
++ advertised_caps &= ~HNS3_LM_AUTONEG_BIT;
++
+ /* now, map driver link modes to ethtool link modes */
+ hns3_driv_to_eth_caps(supported_caps, cmd, false);
+ hns3_driv_to_eth_caps(advertised_caps, cmd, true);
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-the-TX-RX-ring.queue_index-in-hns3_ring.patch b/queue/net-hns3-fix-the-TX-RX-ring.queue_index-in-hns3_ring.patch
new file mode 100644
index 0000000..a43470c
--- /dev/null
+++ b/queue/net-hns3-fix-the-TX-RX-ring.queue_index-in-hns3_ring.patch
@@ -0,0 +1,42 @@
+From 66b447301ac710ee237dba8b653244018fbb6168 Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Mon, 23 Oct 2017 19:51:05 +0800
+Subject: [PATCH] net: hns3: fix the TX/RX ring.queue_index in
+ hns3_ring_get_cfg
+
+commit 66b447301ac710ee237dba8b653244018fbb6168 upstream.
+
+The interface hns3_ring_get_cfg only update TX ring queue_index,
+but do not update RX ring queue_index. This patch fixes it.
+
+Fixes: 76ad4f0 (net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+index 58aa2dd6ace0..14de0f7581c8 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+@@ -2506,16 +2506,16 @@ static int hns3_ring_get_cfg(struct hnae3_queue *q, struct hns3_nic_priv *priv,
+
+ if (ring_type == HNAE3_RING_TYPE_TX) {
+ ring_data[q->tqp_index].ring = ring;
++ ring_data[q->tqp_index].queue_index = q->tqp_index;
+ ring->io_base = (u8 __iomem *)q->io_base + HNS3_TX_REG_OFFSET;
+ } else {
+ ring_data[q->tqp_index + queue_num].ring = ring;
++ ring_data[q->tqp_index + queue_num].queue_index = q->tqp_index;
+ ring->io_base = q->io_base;
+ }
+
+ hnae_set_bit(ring->flag, HNAE3_RING_TYPE_B, ring_type);
+
+- ring_data[q->tqp_index].queue_index = q->tqp_index;
+-
+ ring->tqp = q;
+ ring->desc = NULL;
+ ring->desc_cb = NULL;
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-the-bug-of-hns3_set_txbd_baseinfo.patch b/queue/net-hns3-fix-the-bug-of-hns3_set_txbd_baseinfo.patch
new file mode 100644
index 0000000..9dab83e
--- /dev/null
+++ b/queue/net-hns3-fix-the-bug-of-hns3_set_txbd_baseinfo.patch
@@ -0,0 +1,37 @@
+From 7036d26f328f12a323069eb16d965055b4cb3795 Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Tue, 24 Oct 2017 21:02:09 +0800
+Subject: [PATCH] net: hns3: fix the bug of hns3_set_txbd_baseinfo
+
+commit 7036d26f328f12a323069eb16d965055b4cb3795 upstream.
+
+The SC bits of TX BD mean switch control. For this area, value 0
+indicates no switch control, the packet is routed according to the
+forwarding table. Value 1 indicates that the packet is transmitted
+to the network bypassing the forwarding table.
+
+As HNS3 driver need support VF later, VF conmunicate with its own
+PF need forwarding table. This patch sets SC bits of TX BD 0 and use
+forwarding table.
+
+Fixes: 76ad4f0 (net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+index 537f6c3babb7..c6c5b2a96aaa 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+@@ -716,7 +716,7 @@ static void hns3_set_txbd_baseinfo(u16 *bdtp_fe_sc_vld_ra_ri, int frag_end)
+ HNS3_TXD_BDTYPE_M, 0);
+ hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_FE_B, !!frag_end);
+ hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_VLD_B, 1);
+- hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_SC_M, HNS3_TXD_SC_S, 1);
++ hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_SC_M, HNS3_TXD_SC_S, 0);
+ }
+
+ static int hns3_fill_desc(struct hns3_enet_ring *ring, void *priv,
+--
+2.15.0
+
diff --git a/queue/net-hns3-fix-the-bug-when-map-buffer-fail.patch b/queue/net-hns3-fix-the-bug-when-map-buffer-fail.patch
new file mode 100644
index 0000000..55f4fc7
--- /dev/null
+++ b/queue/net-hns3-fix-the-bug-when-map-buffer-fail.patch
@@ -0,0 +1,32 @@
+From 564883bb4dc1a4f3cba6344e77743175694b0761 Mon Sep 17 00:00:00 2001
+From: Lipeng <lipeng321@huawei.com>
+Date: Mon, 23 Oct 2017 19:51:02 +0800
+Subject: [PATCH] net: hns3: fix the bug when map buffer fail
+
+commit 564883bb4dc1a4f3cba6344e77743175694b0761 upstream.
+
+If one buffer had been recieved to stack, driver will alloc a new buffer,
+map the buffer to device and replace the old buffer. When map fail, should
+only free the new alloced buffer, but not free all buffers in the ring.
+
+Fixes: 76ad4f0 (net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC)
+
+Signed-off-by: Lipeng <lipeng321@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+index 3ddcd47fa61c..58aa2dd6ace0 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c
+@@ -1555,7 +1555,7 @@ static int hns3_reserve_buffer_map(struct hns3_enet_ring *ring,
+ return 0;
+
+ out_with_buf:
+- hns3_free_buffers(ring);
++ hns3_free_buffer(ring, cb);
+ out:
+ return ret;
+ }
+--
+2.15.0
+
diff --git a/queue/netfilter-ipvs-Fix-inappropriate-output-of-procfs.patch b/queue/netfilter-ipvs-Fix-inappropriate-output-of-procfs.patch
new file mode 100644
index 0000000..e192f85
--- /dev/null
+++ b/queue/netfilter-ipvs-Fix-inappropriate-output-of-procfs.patch
@@ -0,0 +1,75 @@
+From c5504f724c86ee925e7ffb80aa342cfd57959b13 Mon Sep 17 00:00:00 2001
+From: KUWAZAWA Takuya <albatross0@gmail.com>
+Date: Sun, 15 Oct 2017 20:54:10 +0900
+Subject: [PATCH] netfilter: ipvs: Fix inappropriate output of procfs
+
+commit c5504f724c86ee925e7ffb80aa342cfd57959b13 upstream.
+
+Information about ipvs in different network namespace can be seen via procfs.
+
+How to reproduce:
+
+ # ip netns add ns01
+ # ip netns add ns02
+ # ip netns exec ns01 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns02 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns01 ipvsadm -A -t 10.1.1.1:80
+ # ip netns exec ns02 ipvsadm -A -t 10.1.1.2:80
+
+The ipvsadm displays information about its own network namespace only.
+
+ # ip netns exec ns01 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.1:80 wlc
+
+ # ip netns exec ns02 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.2:80 wlc
+
+But I can see information about other network namespace via procfs.
+
+ # ip netns exec ns01 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010101:0050 wlc
+ TCP 0A010102:0050 wlc
+
+ # ip netns exec ns02 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010102:0050 wlc
+
+Signed-off-by: KUWAZAWA Takuya <albatross0@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index b825835752e6..fac8c802b4ea 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2034,12 +2034,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq,
+ " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
+ } else {
++ struct net *net = seq_file_net(seq);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ const struct ip_vs_service *svc = v;
+ const struct ip_vs_iter *iter = seq->private;
+ const struct ip_vs_dest *dest;
+ struct ip_vs_scheduler *sched = rcu_dereference(svc->scheduler);
+ char *sched_name = sched ? sched->name : "none";
+
++ if (svc->ipvs != ipvs)
++ return 0;
+ if (iter->table == ip_vs_svc_table) {
+ #ifdef CONFIG_IP_VS_IPV6
+ if (svc->af == AF_INET6)
+--
+2.15.0
+
diff --git a/queue/nfs-don-t-wait-on-commit-in-nfs_commit_inode-if-ther.patch b/queue/nfs-don-t-wait-on-commit-in-nfs_commit_inode-if-ther.patch
new file mode 100644
index 0000000..4325bf9
--- /dev/null
+++ b/queue/nfs-don-t-wait-on-commit-in-nfs_commit_inode-if-ther.patch
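Review bot: The new check `if (svc->ipvs != ipvs) return 0;` in ip_vs_info_seq_show() is the only thing keeping one network namespace's services out of another's /proc/net/ip_vs, and nothing in the code says so. I would put `/* Skip services that belong to another netns */` above it so a later refactor does not drop it as redundant. The filter is applied when an entry is printed, so the iterator presumably still visits foreign entries; whether the other readers of these tables filter the same way is not visible in this hunk and is worth checking. The function starts and ends outside the hunk.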
@@ -0,0 +1,66 @@
+From dc4fd9ab01ab379ae5af522b3efd4187a7c30a31 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Fri, 8 Dec 2017 16:00:12 -0500
+Subject: [PATCH] nfs: don't wait on commit in nfs_commit_inode() if there were
+ no commit requests
+
+commit dc4fd9ab01ab379ae5af522b3efd4187a7c30a31 upstream.
+
+If there were no commit requests, then nfs_commit_inode() should not
+wait on the commit or mark the inode dirty, otherwise the following
+BUG_ON can be triggered:
+
+[ 1917.130762] kernel BUG at fs/inode.c:578!
+[ 1917.130766] Oops: Exception in kernel mode, sig: 5 [#1]
+[ 1917.130768] SMP NR_CPUS=2048 NUMA pSeries
+[ 1917.130772] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi blocklayoutdriver rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache sunrpc sg nx_crypto pseries_rng ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ibmvscsi scsi_transport_srp ibmveth scsi_tgt dm_mirror dm_region_hash dm_log dm_mod
+[ 1917.130805] CPU: 2 PID: 14923 Comm: umount.nfs4 Tainted: G ------------ T 3.10.0-768.el7.ppc64 #1
+[ 1917.130810] task: c0000005ecd88040 ti: c00000004cea0000 task.ti: c00000004cea0000
+[ 1917.130813] NIP: c000000000354178 LR: c000000000354160 CTR: c00000000012db80
+[ 1917.130816] REGS: c00000004cea3720 TRAP: 0700 Tainted: G ------------ T (3.10.0-768.el7.ppc64)
+[ 1917.130820] MSR: 8000000100029032 <SF,EE,ME,IR,DR,RI> CR: 22002822 XER: 20000000
+[ 1917.130828] CFAR: c00000000011f594 SOFTE: 1
+GPR00: c000000000354160 c00000004cea39a0 c0000000014c4700 c0000000018cc750
+GPR04: 000000000000c750 80c0000000000000 0600000000000000 04eeb76bea749a03
+GPR08: 0000000000000034 c0000000018cc758 0000000000000001 d000000005e619e8
+GPR12: c00000000012db80 c000000007b31200 0000000000000000 0000000000000000
+GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+GPR24: 0000000000000000 c000000000dfc3ec 0000000000000000 c0000005eefc02c0
+GPR28: d0000000079dbd50 c0000005b94a02c0 c0000005b94a0250 c0000005b94a01c8
+[ 1917.130867] NIP [c000000000354178] .evict+0x1c8/0x350
+[ 1917.130871] LR [c000000000354160] .evict+0x1b0/0x350
+[ 1917.130873] Call Trace:
+[ 1917.130876] [c00000004cea39a0] [c000000000354160] .evict+0x1b0/0x350 (unreliable)
+[ 1917.130880] [c00000004cea3a30] [c0000000003558cc] .evict_inodes+0x13c/0x270
+[ 1917.130884] [c00000004cea3af0] [c000000000327d20] .kill_anon_super+0x70/0x1e0
+[ 1917.130896] [c00000004cea3b80] [d000000005e43e30] .nfs_kill_super+0x20/0x60 [nfs]
+[ 1917.130900] [c00000004cea3c00] [c000000000328a20] .deactivate_locked_super+0xa0/0x1b0
+[ 1917.130903] [c00000004cea3c80] [c00000000035ba54] .cleanup_mnt+0xd4/0x180
+[ 1917.130907] [c00000004cea3d10] [c000000000119034] .task_work_run+0x114/0x150
+[ 1917.130912] [c00000004cea3db0] [c00000000001ba6c] .do_notify_resume+0xcc/0x100
+[ 1917.130916] [c00000004cea3e30] [c00000000000a7b0] .ret_from_except_lite+0x5c/0x60
+[ 1917.130919] Instruction dump:
+[ 1917.130921] 7fc3f378 486734b5 60000000 387f00a0 38800003 4bdcb365 60000000 e95f00a0
+[ 1917.130927] 694a0060 7d4a0074 794ad182 694a0001 <0b0a0000> 892d02a4 2f890000 40de0134
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org # 4.5+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 5b5f464f6f2a..4a379d7918f2 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1890,6 +1890,8 @@ int nfs_commit_inode(struct inode *inode, int how)
+ if (res)
+ error = nfs_generic_commit_list(inode, &head, how, &cinfo);
+ nfs_commit_end(cinfo.mds);
++ if (res == 0)
++ return res;
+ if (error < 0)
+ goto out_error;
+ if (!may_wait)
+--
+2.15.0
+
diff --git a/queue/nullb-fix-error-return-code-in-null_init.patch b/queue/nullb-fix-error-return-code-in-null_init.patch
new file mode 100644
index 0000000..1e40d2a
--- /dev/null
+++ b/queue/nullb-fix-error-return-code-in-null_init.patch
@@ -0,0 +1,33 @@
+From 30c516d750396c5f3ec9cb04c9e025c25e91495e Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Tue, 17 Oct 2017 12:11:46 +0000
+Subject: [PATCH] nullb: fix error return code in null_init()
+
+commit 30c516d750396c5f3ec9cb04c9e025c25e91495e upstream.
+
+Fix to return error code -ENOMEM from the null_alloc_dev() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: 2984c8684f96 ("nullb: factor disk parameters")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c
+index bf2c8ca3242a..50c83c4b2ea0 100644
+--- a/drivers/block/null_blk.c
++++ b/drivers/block/null_blk.c
+@@ -1991,8 +1991,10 @@ static int __init null_init(void)
+
+ for (i = 0; i < nr_devices; i++) {
+ dev = null_alloc_dev();
+- if (!dev)
++ if (!dev) {
++ ret = -ENOMEM;
+ goto err_dev;
++ }
+ ret = null_add_dev(dev);
+ if (ret) {
+ null_free_dev(dev);
+--
+2.15.0
+
diff --git a/queue/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch b/queue/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch
new file mode 100644
index 0000000..dff2baf
--- /dev/null
+++ b/queue/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch
@@ -0,0 +1,34 @@
+From 2dd4122854f697afc777582d18548dded03ce5dd Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 18 Oct 2017 13:20:01 +0200
+Subject: [PATCH] nvme: use kref_get_unless_zero in nvme_find_get_ns
+
+commit 2dd4122854f697afc777582d18548dded03ce5dd upstream.
+
+For kref_get_unless_zero to protect against lookup vs free races we need
+to use it in all places where we aren't guaranteed to already hold a
+reference. There is no such guarantee in nvme_find_get_ns, so switch to
+kref_get_unless_zero in this function.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 7fae42d595d5..1d931deac83b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2290,7 +2290,8 @@ static struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid)
+ mutex_lock(&ctrl->namespaces_mutex);
+ list_for_each_entry(ns, &ctrl->namespaces, list) {
+ if (ns->ns_id == nsid) {
+- kref_get(&ns->kref);
++ if (!kref_get_unless_zero(&ns->kref))
++ continue;
+ ret = ns;
+ break;
+ }
+--
+2.15.0
+
diff --git a/queue/ovl-Pass-ovl_get_nlink-parameters-in-right-order.patch b/queue/ovl-Pass-ovl_get_nlink-parameters-in-right-order.patch
new file mode 100644
index 0000000..574ed2c
--- /dev/null
+++ b/queue/ovl-Pass-ovl_get_nlink-parameters-in-right-order.patch
@@ -0,0 +1,33 @@
+From 08d8f8a5b094b66b29936e8751b4a818b8db1207 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Mon, 27 Nov 2017 10:12:44 -0500
+Subject: [PATCH] ovl: Pass ovl_get_nlink() parameters in right order
+
+commit 08d8f8a5b094b66b29936e8751b4a818b8db1207 upstream.
+
+Right now we seem to be passing index as "lowerdentry" and origin.dentry
+as "upperdentry". IIUC, we should pass these parameters in reversed order
+and this looks like a bug.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Amir Goldstein <amir73il@gmail.com>
+Fixes: caf70cb2ba5d ("ovl: cleanup orphan index entries")
+Cc: <stable@vger.kernel.org> #v4.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+
+diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
+index 2a12dc2e9840..beb945e1963c 100644
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -435,7 +435,7 @@ int ovl_verify_index(struct dentry *index, struct ovl_path *lower,
+
+ /* Check if index is orphan and don't warn before cleaning it */
+ if (d_inode(index)->i_nlink == 1 &&
+- ovl_get_nlink(index, origin.dentry, 0) == 0)
++ ovl_get_nlink(origin.dentry, index, 0) == 0)
+ err = -ENOENT;
+
+ dput(origin.dentry);
+--
+2.15.0
+
diff --git a/queue/ovl-update-ctx-pos-on-impure-dir-iteration.patch b/queue/ovl-update-ctx-pos-on-impure-dir-iteration.patch
new file mode 100644
index 0000000..bb79576
--- /dev/null
+++ b/queue/ovl-update-ctx-pos-on-impure-dir-iteration.patch
@@ -0,0 +1,36 @@
+From b02a16e6413a2f782e542ef60bad9ff6bf212f8a Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 29 Nov 2017 07:35:21 +0200
+Subject: [PATCH] ovl: update ctx->pos on impure dir iteration
+
+commit b02a16e6413a2f782e542ef60bad9ff6bf212f8a upstream.
+
+This fixes a regression with readdir of impure dir in overlayfs
+that is shared to VM via 9p fs.
+
+Reported-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
+Fixes: 4edb83bb1041 ("ovl: constant d_ino for non-merge dirs")
+Cc: <stable@vger.kernel.org> #4.14
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Tested-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+
+diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
+index 0daa4354fec4..51088849ce97 100644
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -663,7 +663,10 @@ static int ovl_iterate_real(struct file *file, struct dir_context *ctx)
+ return PTR_ERR(rdt.cache);
+ }
+
+- return iterate_dir(od->realfile, &rdt.ctx);
++ err = iterate_dir(od->realfile, &rdt.ctx);
++ ctx->pos = rdt.ctx.pos;
++
++ return err;
+ }
+
+
+--
+2.15.0
+
diff --git a/queue/pinctrl-adi2-Fix-Kconfig-build-problem.patch b/queue/pinctrl-adi2-Fix-Kconfig-build-problem.patch
new file mode 100644
index 0000000..dabd8d7
--- /dev/null
+++ b/queue/pinctrl-adi2-Fix-Kconfig-build-problem.patch
@@ -0,0 +1,98 @@
+From 1c363531dd814dc4fe10865722bf6b0f72ce4673 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 11 Oct 2017 11:57:15 +0200
+Subject: [PATCH] pinctrl: adi2: Fix Kconfig build problem
+
+commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 upstream.
+
+The build robot is complaining on Blackfin:
+
+drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup':
+>> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing
+ pointer to incomplete type 'struct gpio_port_t'
+ writew(readw(®s->port_fer) & ~BIT(offset),
+ ^~
+drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq':
+>> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing
+pointer to incomplete type 'struct bfin_pint_regs'
+ if (readl(®s->invert_set) & pintbit)
+ ^~
+It seems the driver need to include <asm/gpio.h> and <asm/irq.h>
+to compile.
+
+The Blackfin architecture was re-defining the Kconfig
+PINCTRL symbol which is not OK, so replaced this with
+PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2
+just like most arches do.
+
+Further, the old GPIO driver symbol GPIO_ADI was possible to
+select at the same time as selecting PINCTRL. This was not
+working because the arch-local <asm/gpio.h> header contains
+an explicit #ifndef PINCTRL clause making compilation break
+if you combine them. The same is true for DEBUG_MMRS.
+
+Make sure the ADI2 pinctrl driver is not selected at the same
+time as the old GPIO implementation. (This should be converted
+to use gpiolib or pincontrol and move to drivers/...) Also make
+sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at
+the same time as the new PINCTRL implementation, and only make
+PINCTRL_ADI2 selectable for the Blackfin families that actually
+have it.
+
+This way it is still possible to add e.g. I2C-based pin
+control expanders on the Blackfin.
+
+Cc: Steven Miao <realmz6@gmail.com>
+Cc: Huanhuan Feng <huanhuan.feng@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+
+diff --git a/arch/blackfin/Kconfig b/arch/blackfin/Kconfig
+index 89bdb8264305..6cd804e16a94 100644
+--- a/arch/blackfin/Kconfig
++++ b/arch/blackfin/Kconfig
+@@ -320,11 +320,14 @@ config BF53x
+
+ config GPIO_ADI
+ def_bool y
++ depends on !PINCTRL
+ depends on (BF51x || BF52x || BF53x || BF538 || BF539 || BF561)
+
+-config PINCTRL
++config PINCTRL_BLACKFIN_ADI2
+ def_bool y
+- depends on BF54x || BF60x
++ depends on (BF54x || BF60x)
++ select PINCTRL
++ select PINCTRL_ADI2
+
+ config MEM_MT48LC64M4A2FB_7E
+ bool
+diff --git a/arch/blackfin/Kconfig.debug b/arch/blackfin/Kconfig.debug
+index f3337ee03621..a93cf06a4d6f 100644
+--- a/arch/blackfin/Kconfig.debug
++++ b/arch/blackfin/Kconfig.debug
+@@ -17,6 +17,7 @@ config DEBUG_VERBOSE
+
+ config DEBUG_MMRS
+ tristate "Generate Blackfin MMR tree"
++ depends on !PINCTRL
+ select DEBUG_FS
+ help
+ Create a tree of Blackfin MMRs via the debugfs tree. If
+diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig
+index c0294958405d..5b4939e709ac 100644
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -32,7 +32,8 @@ config DEBUG_PINCTRL
+
+ config PINCTRL_ADI2
+ bool "ADI pin controller driver"
+- depends on BLACKFIN
++ depends on (BF54x || BF60x)
++ depends on !GPIO_ADI
+ select PINMUX
+ select IRQ_DOMAIN
+ help
+--
+2.15.0
+
diff --git a/queue/platform-x86-hp_accel-Add-quirk-for-HP-ProBook-440-G.patch b/queue/platform-x86-hp_accel-Add-quirk-for-HP-ProBook-440-G.patch
new file mode 100644
index 0000000..9a087c2
--- /dev/null
+++ b/queue/platform-x86-hp_accel-Add-quirk-for-HP-ProBook-440-G.patch
@@ -0,0 +1,38 @@
+From 163ca80013aafb6dc9cb295de3db7aeab9ab43f8 Mon Sep 17 00:00:00 2001
+From: Osama Khan <osama.khan@ericsson.com>
+Date: Sat, 21 Oct 2017 10:42:21 +0000
+Subject: [PATCH] platform/x86: hp_accel: Add quirk for HP ProBook 440 G4
+
+commit 163ca80013aafb6dc9cb295de3db7aeab9ab43f8 upstream.
+
+Added support for HP ProBook 440 G4 laptops by including the accelerometer
+orientation quirk for that device. Testing was performed based on the
+axis orientation guidelines here:
+https://www.kernel.org/doc/Documentation/misc-devices/lis3lv02d
+which states "If the left side is elevated, X increases (becomes positive)".
+
+When tested, on lifting the left edge, x values became increasingly negative
+thus indicating an inverted x-axis on the installed lis3lv02d chip.
+This was compensated by adding an entry for this device in hp_accel.c
+specifying the quirk as x_inverted. The patch was tested on a
+ProBook 440 G4 device and x-axis as well as y and z-axis values are now
+generated as per spec.
+
+Signed-off-by: Osama Khan <osama.khan@ericsson.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+diff --git a/drivers/platform/x86/hp_accel.c b/drivers/platform/x86/hp_accel.c
+index 493d8910a74e..7b12abe86b94 100644
+--- a/drivers/platform/x86/hp_accel.c
++++ b/drivers/platform/x86/hp_accel.c
+@@ -240,6 +240,7 @@ static const struct dmi_system_id lis3lv02d_dmi_ids[] = {
+ AXIS_DMI_MATCH("HDX18", "HP HDX 18", x_inverted),
+ AXIS_DMI_MATCH("HPB432x", "HP ProBook 432", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB440G3", "HP ProBook 440 G3", x_inverted_usd),
++ AXIS_DMI_MATCH("HPB440G4", "HP ProBook 440 G4", x_inverted),
+ AXIS_DMI_MATCH("HPB442x", "HP ProBook 442", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB452x", "HP ProBook 452", y_inverted),
+ AXIS_DMI_MATCH("HPB522x", "HP ProBook 522", xy_swap),
+--
+2.15.0
+
diff --git a/queue/platform-x86-intel_punit_ipc-Fix-resource-ioremap-wa.patch b/queue/platform-x86-intel_punit_ipc-Fix-resource-ioremap-wa.patch
new file mode 100644
index 0000000..92b0d91
--- /dev/null
+++ b/queue/platform-x86-intel_punit_ipc-Fix-resource-ioremap-wa.patch
@@ -0,0 +1,64 @@
+From 6cc8cbbc8868033f279b63e98b26b75eaa0006ab Mon Sep 17 00:00:00 2001
+From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Date: Sun, 29 Oct 2017 02:49:54 -0700
+Subject: [PATCH] platform/x86: intel_punit_ipc: Fix resource ioremap warning
+
+commit 6cc8cbbc8868033f279b63e98b26b75eaa0006ab upstream.
+
+For PUNIT device, ISPDRIVER_IPC and GTDDRIVER_IPC resources are not
+mandatory. So when PMC IPC driver creates a PUNIT device, if these
+resources are not available then it creates dummy resource entries for
+these missing resources. But during PUNIT device probe, doing ioremap on
+these dummy resources generates following warning messages.
+
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+intel_punit_ipc: can't request region for resource [mem 0x00000000]
+
+This patch fixes this issue by adding extra check for resource size
+before performing ioremap operation.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+diff --git a/drivers/platform/x86/intel_punit_ipc.c b/drivers/platform/x86/intel_punit_ipc.c
+index a47a41fc10ad..b5b890127479 100644
+--- a/drivers/platform/x86/intel_punit_ipc.c
++++ b/drivers/platform/x86/intel_punit_ipc.c
+@@ -252,28 +252,28 @@ static int intel_punit_get_bars(struct platform_device *pdev)
+ * - GTDRIVER_IPC BASE_IFACE
+ */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[ISPDRIVER_IPC][BASE_DATA] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 3);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[ISPDRIVER_IPC][BASE_IFACE] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 4);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[GTDRIVER_IPC][BASE_DATA] = addr;
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 5);
+- if (res) {
++ if (res && resource_size(res) > 1) {
+ addr = devm_ioremap_resource(&pdev->dev, res);
+ if (!IS_ERR(addr))
+ punit_ipcdev->base[GTDRIVER_IPC][BASE_IFACE] = addr;
+--
+2.15.0
+
diff --git a/queue/posix-timer-Properly-check-sigevent-sigev_notify.patch b/queue/posix-timer-Properly-check-sigevent-sigev_notify.patch
new file mode 100644
index 0000000..d0f9fe5
--- /dev/null
+++ b/queue/posix-timer-Properly-check-sigevent-sigev_notify.patch
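Review bot: The condition `res && resource_size(res) > 1` is repeated four times in intel_punit_get_bars() with no explanation of why such a small size means "absent". Going by the commit message it filters the dummy entries the PMC IPC driver creates for missing optional resources, so a one-line comment such as `/* optional resource may be a dummy placeholder; skip it */` on the first occurrence, or a small static helper wrapping the test, would make the intent clear. The function starts and ends outside the hunk.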
@@ -0,0 +1,90 @@
+From cef31d9af908243421258f1df35a4a644604efbe Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 15 Dec 2017 10:32:03 +0100
+Subject: [PATCH] posix-timer: Properly check sigevent->sigev_notify
+
+commit cef31d9af908243421258f1df35a4a644604efbe upstream.
+
+timer_create() specifies via sigevent->sigev_notify the signal delivery for
+the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
+and (SIGEV_SIGNAL | SIGEV_THREAD_ID).
+
+The sanity check in good_sigevent() is only checking the valid combination
+for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
+not set it accepts any random value.
+
+This has no real effects on the posix timer and signal delivery code, but
+it affects show_timer() which handles the output of /proc/$PID/timers. That
+function uses a string array to pretty print sigev_notify. The access to
+that array has no bound checks, so random sigev_notify cause access beyond
+the array bounds.
+
+Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
+masking from various code pathes as SIGEV_NONE can never be set in
+combination with SIGEV_THREAD_ID.
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: stable@vger.kernel.org
+
+diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
+index 13d6881f908b..ec999f32c840 100644
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -434,17 +434,22 @@ static struct pid *good_sigevent(sigevent_t * event)
+ {
+ struct task_struct *rtn = current->group_leader;
+
+- if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
+- (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
+- !same_thread_group(rtn, current) ||
+- (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
++ switch (event->sigev_notify) {
++ case SIGEV_SIGNAL | SIGEV_THREAD_ID:
++ rtn = find_task_by_vpid(event->sigev_notify_thread_id);
++ if (!rtn || !same_thread_group(rtn, current))
++ return NULL;
++ /* FALLTHRU */
++ case SIGEV_SIGNAL:
++ case SIGEV_THREAD:
++ if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
++ return NULL;
++ /* FALLTHRU */
++ case SIGEV_NONE:
++ return task_pid(rtn);
++ default:
+ return NULL;
+-
+- if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
+- ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
+- return NULL;
+-
+- return task_pid(rtn);
++ }
+ }
+
+ static struct k_itimer * alloc_posix_timer(void)
+@@ -669,7 +674,7 @@ void common_timer_get(struct k_itimer *timr, struct itimerspec64 *cur_setting)
+ struct timespec64 ts64;
+ bool sig_none;
+
+- sig_none = (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE;
++ sig_none = timr->it_sigev_notify == SIGEV_NONE;
+ iv = timr->it_interval;
+
+ /* interval timer ? */
+@@ -856,7 +861,7 @@ int common_timer_set(struct k_itimer *timr, int flags,
+
+ timr->it_interval = timespec64_to_ktime(new_setting->it_interval);
+ expires = timespec64_to_ktime(new_setting->it_value);
+- sigev_none = (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE;
++ sigev_none = timr->it_sigev_notify == SIGEV_NONE;
+
+ kc->timer_arm(timr, expires, flags & TIMER_ABSTIME, sigev_none);
+ timr->it_active = !sigev_none;
+--
+2.15.0
+
diff --git a/queue/powerpc-ipic-Fix-status-get-and-status-clear.patch b/queue/powerpc-ipic-Fix-status-get-and-status-clear.patch
new file mode 100644
index 0000000..5f4f54c
--- /dev/null
+++ b/queue/powerpc-ipic-Fix-status-get-and-status-clear.patch
@@ -0,0 +1,35 @@
+From 6b148a7ce72a7f87c81cbcde48af014abc0516a9 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 18 Oct 2017 11:16:47 +0200
+Subject: [PATCH] powerpc/ipic: Fix status get and status clear
+
+commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 upstream.
+
+IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
+which is the mask register.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/sysdev/ipic.c b/arch/powerpc/sysdev/ipic.c
+index 16f1edd78c40..535cf1f6941c 100644
+--- a/arch/powerpc/sysdev/ipic.c
++++ b/arch/powerpc/sysdev/ipic.c
+@@ -846,12 +846,12 @@ void ipic_disable_mcp(enum ipic_mcp_irq mcp_irq)
+
+ u32 ipic_get_mcp_status(void)
+ {
+- return ipic_read(primary_ipic->regs, IPIC_SERMR);
++ return ipic_read(primary_ipic->regs, IPIC_SERSR);
+ }
+
+ void ipic_clear_mcp_status(u32 mask)
+ {
+- ipic_write(primary_ipic->regs, IPIC_SERMR, mask);
++ ipic_write(primary_ipic->regs, IPIC_SERSR, mask);
+ }
+
+ /* Return an interrupt vector or 0 if no interrupt is pending. */
+--
+2.15.0
+
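Review bot: In the posix-timer patch, the switch in good_sigevent() now rejects unknown sigev_notify values, but by the commit message the out-of-bounds read happens in show_timer(), whose string-array lookup this patch does not touch. The fix therefore depends on every path that stores it_sigev_notify going through good_sigevent(); a bounds check at the array access in show_timer() would keep a later caller from reintroducing the read. That function is outside this diff, so this is something to verify rather than a confirmed gap. The two later hunks that drop the `& ~SIGEV_THREAD_ID` masking rest on the same invariant and would be easier to audit with a short comment saying so.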
diff --git a/queue/powerpc-opal-Fix-EBUSY-bug-in-acquiring-tokens.patch b/queue/powerpc-opal-Fix-EBUSY-bug-in-acquiring-tokens.patch
new file mode 100644
index 0000000..2ebdfa1
--- /dev/null
+++ b/queue/powerpc-opal-Fix-EBUSY-bug-in-acquiring-tokens.patch
@@ -0,0 +1,55 @@
+From 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 Mon Sep 17 00:00:00 2001
+From: "William A. Kennington III" <wak@google.com>
+Date: Fri, 22 Sep 2017 16:58:00 -0700
+Subject: [PATCH] powerpc/opal: Fix EBUSY bug in acquiring tokens
+
+commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 upstream.
+
+The current code checks the completion map to look for the first token
+that is complete. In some cases, a completion can come in but the
+token can still be on lease to the caller processing the completion.
+If this completed but unreleased token is the first token found in the
+bitmap by another tasks trying to acquire a token, then the
+__test_and_set_bit call will fail since the token will still be on
+lease. The acquisition will then fail with an EBUSY.
+
+This patch reorganizes the acquisition code to look at the
+opal_async_token_map for an unleased token. If the token has no lease
+it must have no outstanding completions so we should never see an
+EBUSY, unless we have leased out too many tokens. Since
+opal_async_get_token_inrerruptible is protected by a semaphore, we
+will practically never see EBUSY anymore.
+
+Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/platforms/powernv/opal-async.c b/arch/powerpc/platforms/powernv/opal-async.c
+index cf33769a7b72..45b3feb8aa2f 100644
+--- a/arch/powerpc/platforms/powernv/opal-async.c
++++ b/arch/powerpc/platforms/powernv/opal-async.c
+@@ -39,18 +39,18 @@ int __opal_async_get_token(void)
+ int token;
+
+ spin_lock_irqsave(&opal_async_comp_lock, flags);
+- token = find_first_bit(opal_async_complete_map, opal_max_async_tokens);
++ token = find_first_zero_bit(opal_async_token_map, opal_max_async_tokens);
+ if (token >= opal_max_async_tokens) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- if (__test_and_set_bit(token, opal_async_token_map)) {
++ if (!__test_and_clear_bit(token, opal_async_complete_map)) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- __clear_bit(token, opal_async_complete_map);
++ __set_bit(token, opal_async_token_map);
+
+ out:
+ spin_unlock_irqrestore(&opal_async_comp_lock, flags);
+--
+2.15.0
+
diff --git a/queue/powerpc-perf-hv-24x7-Fix-incorrect-comparison-in-mem.patch b/queue/powerpc-perf-hv-24x7-Fix-incorrect-comparison-in-mem.patch
new file mode 100644
index 0000000..07e71d2
--- /dev/null
+++ b/queue/powerpc-perf-hv-24x7-Fix-incorrect-comparison-in-mem.patch
@@ -0,0 +1,36 @@
+From 05c14c03138532a3cb2aa29c2960445c8753343b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 9 Oct 2017 21:52:44 +1100
+Subject: [PATCH] powerpc/perf/hv-24x7: Fix incorrect comparison in memord
+
+commit 05c14c03138532a3cb2aa29c2960445c8753343b upstream.
+
+In the hv-24x7 code there is a function memord() which tries to
+implement a sort function return -1, 0, 1. However one of the
+conditions is incorrect, such that it can never be true, because we
+will have already returned.
+
+I don't believe there is a bug in practice though, because the
+comparisons are an optimisation prior to calling memcmp().
+
+Fix it by swapping the second comparision, so it can be true.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/perf/hv-24x7.c b/arch/powerpc/perf/hv-24x7.c
+index 9c88b82f6229..72238eedc360 100644
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -540,7 +540,7 @@ static int memord(const void *d1, size_t s1, const void *d2, size_t s2)
+ {
+ if (s1 < s2)
+ return 1;
+- if (s2 > s1)
++ if (s1 > s2)
+ return -1;
+
+ return memcmp(d1, d2, s1);
+--
+2.15.0
+
diff --git a/queue/powerpc-powernv-cpufreq-Fix-the-frequency-read-by-pr.patch b/queue/powerpc-powernv-cpufreq-Fix-the-frequency-read-by-pr.patch
new file mode 100644
index 0000000..d3c95ca
--- /dev/null
+++ b/queue/powerpc-powernv-cpufreq-Fix-the-frequency-read-by-pr.patch
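Review bot: memord() returns 1 when `s1 < s2` and -1 when `s1 > s2`, the reverse of the sign convention of the memcmp() call it falls back to for equal lengths, and nothing in the function says this ordering is intended. If it is, a header comment such as `/* Orders longer buffers first, then by content */` would stop the next reader from "fixing" the signs again; if it is not, the two return values should be swapped. The closing brace of the function is outside the hunk.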
@@ -0,0 +1,34 @@
+From cd77b5ce208c153260ed7882d8910f2395bfaabd Mon Sep 17 00:00:00 2001
+From: Shriya <shriyak@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 10:06:41 +0530
+Subject: [PATCH] powerpc/powernv/cpufreq: Fix the frequency read by
+ /proc/cpuinfo
+
+commit cd77b5ce208c153260ed7882d8910f2395bfaabd upstream.
+
+The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
+returns the last frequency requested by the kernel, but may not
+reflect the actual frequency the processor is running at. This patch
+makes a call to cpufreq_get() instead which returns the current
+frequency reported by the hardware.
+
+Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
+Signed-off-by: Shriya <shriyak@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
+index d23f148a11f0..62f4a5ad8594 100644
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -335,7 +335,7 @@ static unsigned long pnv_get_proc_freq(unsigned int cpu)
+ {
+ unsigned long ret_freq;
+
+- ret_freq = cpufreq_quick_get(cpu) * 1000ul;
++ ret_freq = cpufreq_get(cpu) * 1000ul;
+
+ /*
+ * If the backend cpufreq driver does not exist,
+--
+2.15.0
+
diff --git a/queue/powerpc-pseries-vio-Dispose-of-virq-mapping-on-vdevi.patch b/queue/powerpc-pseries-vio-Dispose-of-virq-mapping-on-vdevi.patch
new file mode 100644
index 0000000..c48184f
--- /dev/null
+++ b/queue/powerpc-pseries-vio-Dispose-of-virq-mapping-on-vdevi.patch
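Review bot: Switching pnv_get_proc_freq() to `cpufreq_get(cpu)` changes the cost of the call, not only its result: unlike cpufreq_quick_get(), it takes the policy lock and calls into the cpufreq driver, and it presumably runs once per CPU for every read of /proc/cpuinfo, which any local user can trigger. It would be worth confirming that the driver's get callback is cheap enough for that path and stating the trade-off above the call, for example `/* cpufreq_get() queries the driver; cpufreq_quick_get() only returns the last requested value */`. The function body continues outside the hunk.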
@@ -0,0 +1,47 @@
+From b8f89fea599d91e674497aad572613eb63181f31 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Thu, 28 Sep 2017 20:19:20 -0400
+Subject: [PATCH] powerpc/pseries/vio: Dispose of virq mapping on vdevice
+ unregister
+
+commit b8f89fea599d91e674497aad572613eb63181f31 upstream.
+
+When a vdevice is DLPAR removed from the system the vio subsystem
+doesn't bother unmapping the virq from the irq_domain. As a result we
+have a virq mapped to a hardware irq that is no longer valid for the
+irq_domain. A side effect is that we are left with /proc/irq/<irq#>
+affinity entries, and attempts to modify the smp_affinity of the irq
+will fail.
+
+In the following observed example the kernel log is spammed by
+ics_rtas_set_affinity errors after the removal of a VSCSI adapter.
+This is a result of irqbalance trying to adjust the affinity every 10
+seconds.
+
+ rpadlpar_io: slot U8408.E8E.10A7ACV-V5-C25 removed
+ ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3
+ ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3
+
+This patch fixes the issue by calling irq_dispose_mapping() on the
+virq of the viodev on unregister.
+
+Fixes: f2ab6219969f ("powerpc/pseries: Add PFO support to the VIO bus")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/platforms/pseries/vio.c b/arch/powerpc/platforms/pseries/vio.c
+index 12277bc9fd9e..d86938260a86 100644
+--- a/arch/powerpc/platforms/pseries/vio.c
++++ b/arch/powerpc/platforms/pseries/vio.c
+@@ -1592,6 +1592,8 @@ ATTRIBUTE_GROUPS(vio_dev);
+ void vio_unregister_device(struct vio_dev *viodev)
+ {
+ device_unregister(&viodev->dev);
++ if (viodev->family == VDEVICE)
++ irq_dispose_mapping(viodev->irq);
+ }
+ EXPORT_SYMBOL(vio_unregister_device);
+
+--
+2.15.0
+
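Review bot: In vio_unregister_device() the two added lines dereference `viodev` (`viodev->family`, `viodev->irq`) after `device_unregister(&viodev->dev)` has returned. If that call drops the last reference, the device's release callback, which is outside this hunk, may already have freed the structure, and these reads would then be a use-after-free. Holding a reference across the sequence closes the window: `get_device(&viodev->dev);` before the unregister and `put_device(&viodev->dev);` after `irq_dispose_mapping()`.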
diff --git a/queue/powerpc-xmon-Check-before-calling-xive-functions.patch b/queue/powerpc-xmon-Check-before-calling-xive-functions.patch
new file mode 100644
index 0000000..9703317
--- /dev/null
+++ b/queue/powerpc-xmon-Check-before-calling-xive-functions.patch
@@ -0,0 +1,43 @@
+From 402e172a2ce76210f2fe921cf419d12103851344 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 17 Oct 2017 16:20:18 -0200
+Subject: [PATCH] powerpc/xmon: Check before calling xive functions
+
+commit 402e172a2ce76210f2fe921cf419d12103851344 upstream.
+
+Currently xmon could call XIVE functions from OPAL even if the XIVE is
+disabled or does not exist in the system, as in POWER8 machines. This
+causes the following exception:
+
+ 1:mon> dx
+ cpu 0x1: Vector: 700 (Program Check) at [c000000423c93450]
+ pc: c00000000009cfa4: opal_xive_dump+0x50/0x68
+ lr: c0000000000997b8: opal_return+0x0/0x50
+
+This patch simply checks if XIVE is enabled before calling XIVE
+functions.
+
+Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
+Suggested-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 4679aeb84767..2e2320edb96b 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2508,6 +2508,11 @@ static void dump_xives(void)
+ unsigned long num;
+ int c;
+
++ if (!xive_enabled()) {
++ printf("Xive disabled on this system\n");
++ return;
++ }
++
+ c = inchar();
+ if (c == 'a') {
+ dump_all_xives();
+--
+2.15.0
+
diff --git a/queue/ppp-Destroy-the-mutex-when-cleanup.patch b/queue/ppp-Destroy-the-mutex-when-cleanup.patch
new file mode 100644
index 0000000..b544d2e
--- /dev/null
+++ b/queue/ppp-Destroy-the-mutex-when-cleanup.patch
@@ -0,0 +1,30 @@
+From f02b2320b27c16b644691267ee3b5c110846f49e Mon Sep 17 00:00:00 2001
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 31 Oct 2017 18:25:37 +0800
+Subject: [PATCH] ppp: Destroy the mutex when cleanup
+
+commit f02b2320b27c16b644691267ee3b5c110846f49e upstream.
+
+The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
+good readbility, it's better to invoke it in exit func when the init
+func invokes mutex_init.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index af7f93ed1487..44891335f9af 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -960,6 +960,7 @@ static __net_exit void ppp_exit_net(struct net *net)
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+
++ mutex_destroy(&pn->all_ppp_mutex);
+ idr_destroy(&pn->units_idr);
+ }
+
+--
+2.15.0
+
diff --git a/queue/qtnfmac-modify-full-Tx-queue-error-reporting.patch b/queue/qtnfmac-modify-full-Tx-queue-error-reporting.patch
new file mode 100644
index 0000000..caf1552
--- /dev/null
+++ b/queue/qtnfmac-modify-full-Tx-queue-error-reporting.patch
@@ -0,0 +1,35 @@
+From e9931f984dd1e80adb3b5e095ef175fe383bc92d Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Date: Mon, 30 Oct 2017 13:13:46 +0300
+Subject: [PATCH] qtnfmac: modify full Tx queue error reporting
+
+commit e9931f984dd1e80adb3b5e095ef175fe383bc92d upstream.
+
+Under heavy load it is normal that h/w Tx queue is almost full all the time
+and reclaim should be done before transmitting next packet. Warning still
+should be reported as well as s/w Tx queues should be stopped in the
+case when reclaim failed.
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/pearl/pcie.c b/drivers/net/wireless/quantenna/qtnfmac/pearl/pcie.c
+index 69131965a298..146e42a132e7 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/pearl/pcie.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/pearl/pcie.c
+@@ -643,11 +643,11 @@ static int qtnf_tx_queue_ready(struct qtnf_pcie_bus_priv *priv)
+ {
+ if (!CIRC_SPACE(priv->tx_bd_w_index, priv->tx_bd_r_index,
+ priv->tx_bd_num)) {
+- pr_err_ratelimited("reclaim full Tx queue\n");
+ qtnf_pcie_data_tx_reclaim(priv);
+
+ if (!CIRC_SPACE(priv->tx_bd_w_index, priv->tx_bd_r_index,
+ priv->tx_bd_num)) {
++ pr_warn_ratelimited("reclaim full Tx queue\n");
+ priv->tx_full_count++;
+ return 0;
+ }
+--
+2.15.0
+
diff --git a/queue/raid5-Set-R5_Expanded-on-parity-devices-as-well-as-d.patch b/queue/raid5-Set-R5_Expanded-on-parity-devices-as-well-as-d.patch
new file mode 100644
index 0000000..9451217
--- /dev/null
+++ b/queue/raid5-Set-R5_Expanded-on-parity-devices-as-well-as-d.patch
@@ -0,0 +1,49 @@
+From 235b6003fb28f0dd8e7ed8fbdb088bb548291766 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 17 Oct 2017 16:18:36 +1100
+Subject: [PATCH] raid5: Set R5_Expanded on parity devices as well as data.
+
+commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 upstream.
+
+When reshaping a fully degraded raid5/raid6 to a larger
+nubmer of devices, the new device(s) are not in-sync
+and so that can make the newly grown stripe appear to be
+"failed".
+To avoid this, we set the R5_Expanded flag to say "Even though
+this device is not fully in-sync, this block is safe so
+don't treat the device as failed for this stripe".
+This flag is set for data devices, not not for parity devices.
+
+Consequently, if you have a RAID6 with two devices that are partly
+recovered and a spare, and start a reshape to include the spare,
+then when the reshape gets past the point where the recovery was
+up to, it will think the stripes are failed and will get into
+an infinite loop, failing to make progress.
+
+So when contructing parity on an EXPAND_READY stripe,
+set R5_Expanded.
+
+Reported-by: Curt <lightspd@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 10c0d87074f0..a21dbd22a2fb 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1818,8 +1818,11 @@ static void ops_complete_reconstruct(void *stripe_head_ref)
+ struct r5dev *dev = &sh->dev[i];
+
+ if (dev->written || i == pd_idx || i == qd_idx) {
+- if (!discard && !test_bit(R5_SkipCopy, &dev->flags))
++ if (!discard && !test_bit(R5_SkipCopy, &dev->flags)) {
+ set_bit(R5_UPTODATE, &dev->flags);
++ if (test_bit(STRIPE_EXPAND_READY, &sh->state))
++ set_bit(R5_Expanded, &dev->flags);
++ }
+ if (fua)
+ set_bit(R5_WantFUA, &dev->flags);
+ if (sync)
+--
+2.15.0
+
diff --git a/queue/raid5-ppl-check-recovery_offset-when-performing-ppl-.patch b/queue/raid5-ppl-check-recovery_offset-when-performing-ppl-.patch
new file mode 100644
index 0000000..ef16f2d
--- /dev/null
+++ b/queue/raid5-ppl-check-recovery_offset-when-performing-ppl-.patch
@@ -0,0 +1,31 @@
+From 07719ff767dcd8cc42050f185d332052f3816546 Mon Sep 17 00:00:00 2001
+From: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+Date: Fri, 29 Sep 2017 22:54:19 +0200
+Subject: [PATCH] raid5-ppl: check recovery_offset when performing ppl recovery
+
+commit 07719ff767dcd8cc42050f185d332052f3816546 upstream.
+
+If starting an array that is undergoing rebuild, make ppl recovery honor
+the recovery_offset of a member disk and don't read data that is not yet
+in-sync.
+
+Signed-off-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+
+diff --git a/drivers/md/raid5-ppl.c b/drivers/md/raid5-ppl.c
+index 76d6245427b8..628c0bf7b9fd 100644
+--- a/drivers/md/raid5-ppl.c
++++ b/drivers/md/raid5-ppl.c
+@@ -758,7 +758,8 @@ static int ppl_recover_entry(struct ppl_log *log, struct ppl_header_entry *e,
+ (unsigned long long)sector);
+
+ rdev = conf->disks[dd_idx].rdev;
+- if (!rdev) {
++ if (!rdev || (!test_bit(In_sync, &rdev->flags) &&
++ sector >= rdev->recovery_offset)) {
+ pr_debug("%s:%*s data member disk %d missing\n",
+ __func__, indent, "", dd_idx);
+ update_parity = false;
+--
+2.15.0
+
diff --git a/queue/rpmsg-glink-Initialize-the-intent_req_comp-completio.patch b/queue/rpmsg-glink-Initialize-the-intent_req_comp-completio.patch
new file mode 100644
index 0000000..6686292
--- /dev/null
+++ b/queue/rpmsg-glink-Initialize-the-intent_req_comp-completio.patch
@@ -0,0 +1,32 @@
+From 2394facb17bcace4b3c19b50202177a5d8903b64 Mon Sep 17 00:00:00 2001
+From: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Date: Mon, 30 Oct 2017 11:11:24 +0530
+Subject: [PATCH] rpmsg: glink: Initialize the "intent_req_comp" completion
+ variable
+
+commit 2394facb17bcace4b3c19b50202177a5d8903b64 upstream.
+
+The "intent_req_comp" variable is used without initialization which
+results in NULL pointer dereference in qcom_glink_request_intent().
+
+we need to initialize the completion variable before using it.
+
+Fixes: 27b9c5b66b23 ("rpmsg: glink: Request for intents when unavailable")
+Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 5dcc9bf1c5bc..fcd46ab090a7 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -227,6 +227,7 @@ static struct glink_channel *qcom_glink_alloc_channel(struct qcom_glink *glink,
+
+ init_completion(&channel->open_req);
+ init_completion(&channel->open_ack);
++ init_completion(&channel->intent_req_comp);
+
+ INIT_LIST_HEAD(&channel->done_intents);
+ INIT_WORK(&channel->intent_work, qcom_glink_rx_done_work);
+--
+2.15.0
+
diff --git a/queue/rtc-pcf8563-fix-output-clock-rate.patch b/queue/rtc-pcf8563-fix-output-clock-rate.patch
new file mode 100644
index 0000000..d397509
--- /dev/null
+++ b/queue/rtc-pcf8563-fix-output-clock-rate.patch
@@ -0,0 +1,31 @@
+From a3350f9c57ffad569c40f7320b89da1f3061c5bb Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 7 Nov 2017 13:12:17 +0100
+Subject: [PATCH] rtc: pcf8563: fix output clock rate
+
+commit a3350f9c57ffad569c40f7320b89da1f3061c5bb upstream.
+
+The pcf8563_clkout_recalc_rate function erroneously ignores the
+frequency index read from the CLKO register and always returns
+32768 Hz.
+
+Fixes: a39a6405d5f9 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+
+diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c
+index cea6ea4df970..8c836c51a508 100644
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -422,7 +422,7 @@ static unsigned long pcf8563_clkout_recalc_rate(struct clk_hw *hw,
+ return 0;
+
+ buf &= PCF8563_REG_CLKO_F_MASK;
+- return clkout_rates[ret];
++ return clkout_rates[buf];
+ }
+
+ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+--
+2.15.0
+
diff --git a/queue/rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_.patch b/queue/rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_.patch
new file mode 100644
index 0000000..313066e
--- /dev/null
+++ b/queue/rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_.patch
@@ -0,0 +1,35 @@
+From 08880f8e08cbd814e870e9d3ab9530abc1bce226 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Sun, 8 Oct 2017 19:54:07 +0800
+Subject: [PATCH] rtl8188eu: Fix a possible sleep-in-atomic bug in
+ rtw_disassoc_cmd
+
+commit 08880f8e08cbd814e870e9d3ab9530abc1bce226 upstream.
+
+The driver may sleep under a spinlock, and the function call path is:
+rtw_set_802_11_bssid(acquire the spinlock)
+ rtw_disassoc_cmd
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/staging/rtl8188eu/core/rtw_cmd.c b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+index 9461bce883ea..65083a72b408 100644
+--- a/drivers/staging/rtl8188eu/core/rtw_cmd.c
++++ b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+@@ -508,7 +508,7 @@ u8 rtw_disassoc_cmd(struct adapter *padapter, u32 deauth_timeout_ms, bool enqueu
+
+ if (enqueue) {
+ /* need enqueue, prepare cmd_obj and enqueue */
+- cmdobj = kzalloc(sizeof(*cmdobj), GFP_KERNEL);
++ cmdobj = kzalloc(sizeof(*cmdobj), GFP_ATOMIC);
+ if (!cmdobj) {
+ res = _FAIL;
+ kfree(param);
+--
+2.15.0
+
diff --git a/queue/samples-bpf-adjust-rlimit-RLIMIT_MEMLOCK-for-xdp1.patch b/queue/samples-bpf-adjust-rlimit-RLIMIT_MEMLOCK-for-xdp1.patch
new file mode 100644
index 0000000..21fad05
--- /dev/null
+++ b/queue/samples-bpf-adjust-rlimit-RLIMIT_MEMLOCK-for-xdp1.patch
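Review bot: Only the `cmdobj` allocation in rtw_disassoc_cmd() is switched to GFP_ATOMIC, but the failure branch frees `param`, whose allocation sits above this hunk and is not shown. If that earlier call still passes GFP_KERNEL, the sleep under the spinlock taken in rtw_set_802_11_bssid() remains reachable and it needs the same change, `param = kzalloc(sizeof(*param), GFP_ATOMIC);`. The function body starts and ends outside the hunk, so this has to be checked against the full file.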
@@ -0,0 +1,54 @@
+From 6dfca831c03ef654b1f7bff1b8d487d330e9f76b Mon Sep 17 00:00:00 2001
+From: Tushar Dave <tushar.n.dave@oracle.com>
+Date: Fri, 27 Oct 2017 16:12:30 -0700
+Subject: [PATCH] samples/bpf: adjust rlimit RLIMIT_MEMLOCK for xdp1
+
+commit 6dfca831c03ef654b1f7bff1b8d487d330e9f76b upstream.
+
+Default rlimit RLIMIT_MEMLOCK is 64KB, causes bpf map failure.
+e.g.
+[root@lab bpf]#./xdp1 -N $(</sys/class/net/eth2/ifindex)
+failed to create a map: 1 Operation not permitted
+
+Fix it.
+
+Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/samples/bpf/xdp1_user.c b/samples/bpf/xdp1_user.c
+index 2431c0321b71..fdaefe91801d 100644
+--- a/samples/bpf/xdp1_user.c
++++ b/samples/bpf/xdp1_user.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <libgen.h>
++#include <sys/resource.h>
+
+ #include "bpf_load.h"
+ #include "bpf_util.h"
+@@ -69,6 +70,7 @@ static void usage(const char *prog)
+
+ int main(int argc, char **argv)
+ {
++ struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
+ const char *optstr = "SN";
+ char filename[256];
+ int opt;
+@@ -91,6 +93,12 @@ int main(int argc, char **argv)
+ usage(basename(argv[0]));
+ return 1;
+ }
++
++ if (setrlimit(RLIMIT_MEMLOCK, &r)) {
++ perror("setrlimit(RLIMIT_MEMLOCK)");
++ return 1;
++ }
++
+ ifindex = strtoul(argv[optind], NULL, 0);
+
+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+--
+2.15.0
+
diff --git a/queue/sched-rt-Do-not-pull-from-current-CPU-if-only-one-CP.patch b/queue/sched-rt-Do-not-pull-from-current-CPU-if-only-one-CP.patch
new file mode 100644
index 0000000..053696b
--- /dev/null
+++ b/queue/sched-rt-Do-not-pull-from-current-CPU-if-only-one-CP.patch
@@ -0,0 +1,82 @@
+From f73c52a5bcd1710994e53fbccc378c42b97a06b6 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Sat, 2 Dec 2017 13:04:54 -0500
+Subject: [PATCH] sched/rt: Do not pull from current CPU if only one CPU to
+ pull
+
+commit f73c52a5bcd1710994e53fbccc378c42b97a06b6 upstream.
+
+Daniel Wagner reported a crash on the BeagleBone Black SoC.
+
+This is a single CPU architecture, and does not have a functional
+arch_send_call_function_single_ipi() implementation which can crash
+the kernel if that is called.
+
+As it only has one CPU, it shouldn't be called, but if the kernel is
+compiled for SMP, the push/pull RT scheduling logic now calls it for
+irq_work if the one CPU is overloaded, it can use that function to call
+itself and crash the kernel.
+
+Ideally, we should disable the SCHED_FEAT(RT_PUSH_IPI) if the system
+only has a single CPU. But SCHED_FEAT is a constant if sched debugging
+is turned off. Another fix can also be used, and this should also help
+with normal SMP machines. That is, do not initiate the pull code if
+there's only one RT overloaded CPU, and that CPU happens to be the
+current CPU that is scheduling in a lower priority task.
+
+Even on a system with many CPUs, if there's many RT tasks waiting to
+run on a single CPU, and that CPU schedules in another RT task of lower
+priority, it will initiate the PULL logic in case there's a higher
+priority RT task on another CPU that is waiting to run. But if there is
+no other CPU with waiting RT tasks, it will initiate the RT pull logic
+on itself (as it still has RT tasks waiting to run). This is a wasted
+effort.
+
+Not only does this help with SMP code where the current CPU is the only
+one with RT overloaded tasks, it should also solve the issue that
+Daniel encountered, because it will prevent the PULL logic from
+executing, as there's only one CPU on the system, and the check added
+here will cause it to exit the RT pull code.
+
+Reported-by: Daniel Wagner <wagi@monom.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-rt-users <linux-rt-users@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 4bdced5c9 ("sched/rt: Simplify the IPI based RT balancing logic")
+Link: http://lkml.kernel.org/r/20171202130454.4cbbfe8d@vmware.local.home
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index 4056c19ca3f0..665ace2fc558 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2034,8 +2034,9 @@ static void pull_rt_task(struct rq *this_rq)
+ bool resched = false;
+ struct task_struct *p;
+ struct rq *src_rq;
++ int rt_overload_count = rt_overloaded(this_rq);
+
+- if (likely(!rt_overloaded(this_rq)))
++ if (likely(!rt_overload_count))
+ return;
+
+ /*
+@@ -2044,6 +2045,11 @@ static void pull_rt_task(struct rq *this_rq)
+ */
+ smp_rmb();
+
++ /* If we are the only overloaded CPU do nothing */
++ if (rt_overload_count == 1 &&
++ cpumask_test_cpu(this_rq->cpu, this_rq->rd->rto_mask))
++ return;
++
+ #ifdef HAVE_RT_PUSH_IPI
+ if (sched_feat(RT_PUSH_IPI)) {
+ tell_cpu_to_push(this_rq);
+--
+2.15.0
+
diff --git a/queue/scsi-aacraid-use-timespec64-instead-of-timeval.patch b/queue/scsi-aacraid-use-timespec64-instead-of-timeval.patch
new file mode 100644
index 0000000..1242e69
--- /dev/null
+++ b/queue/scsi-aacraid-use-timespec64-instead-of-timeval.patch
@@ -0,0 +1,103 @@ +From 820f188659122602ab217dd80cfa32b3ac0c55c0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Tue, 7 Nov 2017 11:46:05 +0100 +Subject: [PATCH] scsi: aacraid: use timespec64 instead of timeval + +commit 820f188659122602ab217dd80cfa32b3ac0c55c0 upstream. + +aacraid passes the current time to the firmware in one of two ways, +either as year/month/day/... or as 32-bit unsigned seconds. + +The first one is broken on 32-bit architectures as it cannot go past +year 2038. Using timespec64 here makes it behave properly on both 32-bit +and 64-bit architectures, and avoids relying on signed integer overflow +to pass times into the second interface. + +The interface used in aac_send_hosttime() however is still problematic +in year 2106 when 32-bit seconds overflow. Hopefully we don't have to +worry about aacraid by that time. + +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Reviewed-by: Dave Carroll <david.carroll@microsemi.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> + +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index dfe8e70f8d99..525a652dab48 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -2383,19 +2383,19 @@ static int aac_send_wellness_command(struct aac_dev *dev, char *wellness_str, + goto out; + } + +-int aac_send_safw_hostttime(struct aac_dev *dev, struct timeval *now) ++int aac_send_safw_hostttime(struct aac_dev *dev, struct timespec64 *now) + { + struct tm cur_tm; + char wellness_str[] = "<HW>TD\010\0\0\0\0\0\0\0\0\0DW\0\0ZZ"; + u32 datasize = sizeof(wellness_str); +- unsigned long local_time; ++ time64_t local_time; + int ret = -ENODEV; + + if (!dev->sa_firmware) + goto out; + +- local_time = (u32)(now->tv_sec - (sys_tz.tz_minuteswest * 60)); +- time_to_tm(local_time, 0, &cur_tm); ++ local_time = (now->tv_sec - (sys_tz.tz_minuteswest * 60)); ++ time64_to_tm(local_time, 0, &cur_tm); + cur_tm.tm_mon += 1; + cur_tm.tm_year += 1900; 
+ wellness_str[8] = bin2bcd(cur_tm.tm_hour); +@@ -2412,7 +2412,7 @@ int aac_send_safw_hostttime(struct aac_dev *dev, struct timeval *now) + return ret; + } + +-int aac_send_hosttime(struct aac_dev *dev, struct timeval *now) ++int aac_send_hosttime(struct aac_dev *dev, struct timespec64 *now) + { + int ret = -ENOMEM; + struct fib *fibptr; +@@ -2424,7 +2424,7 @@ int aac_send_hosttime(struct aac_dev *dev, struct timeval *now) + + aac_fib_init(fibptr); + info = (__le32 *)fib_data(fibptr); +- *info = cpu_to_le32(now->tv_sec); ++ *info = cpu_to_le32(now->tv_sec); /* overflow in y2106 */ + ret = aac_fib_send(SendHostTime, fibptr, sizeof(*info), FsaNormal, + 1, 1, NULL, NULL); + +@@ -2496,7 +2496,7 @@ int aac_command_thread(void *data) + } + if (!time_before(next_check_jiffies,next_jiffies) + && ((difference = next_jiffies - jiffies) <= 0)) { +- struct timeval now; ++ struct timespec64 now; + int ret; + + /* Don't even try to talk to adapter if its sick */ +@@ -2506,15 +2506,15 @@ int aac_command_thread(void *data) + next_check_jiffies = jiffies + + ((long)(unsigned)check_interval) + * HZ; +- do_gettimeofday(&now); ++ ktime_get_real_ts64(&now); + + /* Synchronize our watches */ +- if (((1000000 - (1000000 / HZ)) > now.tv_usec) +- && (now.tv_usec > (1000000 / HZ))) +- difference = (((1000000 - now.tv_usec) * HZ) +- + 500000) / 1000000; ++ if (((NSEC_PER_SEC - (NSEC_PER_SEC / HZ)) > now.tv_nsec) ++ && (now.tv_nsec > (NSEC_PER_SEC / HZ))) ++ difference = (((NSEC_PER_SEC - now.tv_nsec) * HZ) ++ + NSEC_PER_SEC / 2) / NSEC_PER_SEC; + else { +- if (now.tv_usec > 500000) ++ if (now.tv_nsec > NSEC_PER_SEC / 2) + ++now.tv_sec; + + if (dev->sa_firmware) +-- +2.15.0 + diff --git a/queue/scsi-bfa-integer-overflow-in-debugfs.patch b/queue/scsi-bfa-integer-overflow-in-debugfs.patch new file mode 100644 index 0000000..598dc81 --- /dev/null +++ b/queue/scsi-bfa-integer-overflow-in-debugfs.patch 
@@ -0,0 +1,45 @@
+From 3e351275655d3c84dc28abf170def9786db5176d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Oct 2017 10:50:37 +0300
+Subject: [PATCH] scsi: bfa: integer overflow in debugfs
+
+commit 3e351275655d3c84dc28abf170def9786db5176d upstream.
+
+We could allocate less memory than intended because we do:
+
+ bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small. I fixed the network version of this in March with
+commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
+
+Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index 8dcd8c70c7ee..05f523971348 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -255,7 +255,8 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
+ struct bfad_s *bfad = port->bfad;
+ struct bfa_s *bfa = &bfad->bfa;
+ struct bfa_ioc_s *ioc = &bfa->ioc;
+- int addr, len, rc, i;
++ int addr, rc, i;
++ u32 len;
+ u32 *regbuf;
+ void __iomem *rb, *reg_addr;
+ unsigned long flags;
+@@ -266,7 +267,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
+ return PTR_ERR(kern_buf);
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > (UINT_MAX >> 2)) {
+ printk(KERN_INFO
+ "bfad[%d]: %s failed to read user buf\n",
+ bfad->inst_no, __func__);
+--
+2.15.0
+
diff --git a/queue/scsi-core-Fix-a-scsi_show_rq-NULL-pointer-dereferenc.patch b/queue/scsi-core-Fix-a-scsi_show_rq-NULL-pointer-dereferenc.patch
new file mode 100644
index 0000000..97f199a
--- /dev/null
+++ b/queue/scsi-core-Fix-a-scsi_show_rq-NULL-pointer-dereferenc.patch
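Review bot: The added test `len > (UINT_MAX >> 2)` in bfad_debugfs_write_regrd() only keeps `len << 2` from wrapping; a user-supplied length just under the bound still asks the allocator for close to 4 GiB, and `addr` stays a signed `int` that sscanf() fills through `%x`. Declaring both as unsigned, `u32 addr, len;`, matches the conversion, provided the code below the hunk does not rely on a negative `addr`. The length would be better capped against the size of the register window than against the integer range; whether a later offset check already does that is outside this hunk. The rejected-length case also reuses the "failed to read user buf" message, which will mislead whoever reads the log.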
@@ -0,0 +1,89 @@
+From 14e3062fb18532175af4d1c4073597999f7a2248 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 5 Dec 2017 16:57:51 -0800
+Subject: [PATCH] scsi: core: Fix a scsi_show_rq() NULL pointer dereference
+
+commit 14e3062fb18532175af4d1c4073597999f7a2248 upstream.
+
+Avoid that scsi_show_rq() triggers a NULL pointer dereference if called
+after sd_uninit_command(). Swap the NULL pointer assignment and the
+mempool_free() call in sd_uninit_command() to make it less likely that
+scsi_show_rq() triggers a use-after-free. Note: even with these changes
+scsi_show_rq() can trigger a use-after-free but that's a lesser evil
+than e.g. suppressing debug information for T10 PI Type 2 commands
+completely. This patch fixes the following oops:
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: scsi_format_opcode_name+0x1a/0x1c0
+CPU: 1 PID: 1881 Comm: cat Not tainted 4.14.0-rc2.blk_mq_io_hang+ #516
+Call Trace:
+ __scsi_format_command+0x27/0xc0
+ scsi_show_rq+0x5c/0xc0
+ __blk_mq_debugfs_rq_show+0x116/0x130
+ blk_mq_debugfs_rq_show+0xe/0x10
+ seq_read+0xfe/0x3b0
+ full_proxy_read+0x54/0x90
+ __vfs_read+0x37/0x160
+ vfs_read+0x96/0x130
+ SyS_read+0x55/0xc0
+ entry_SYSCALL_64_fastpath+0x1a/0xa5
+
+[mkp: added Type 2]
+
+Fixes: 0eebd005dd07 ("scsi: Implement blk_mq_ops.show_rq()")
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin K.
Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/scsi_debugfs.c b/drivers/scsi/scsi_debugfs.c
+index 01f08c03f2c1..c3765d29fd3f 100644
+--- a/drivers/scsi/scsi_debugfs.c
++++ b/drivers/scsi/scsi_debugfs.c
+@@ -8,9 +8,11 @@ void scsi_show_rq(struct seq_file *m, struct request *rq)
+ {
+ struct scsi_cmnd *cmd = container_of(scsi_req(rq), typeof(*cmd), req);
+ int msecs = jiffies_to_msecs(jiffies - cmd->jiffies_at_alloc);
+- char buf[80];
++ const u8 *const cdb = READ_ONCE(cmd->cmnd);
++ char buf[80] = "(?)";
+
+- __scsi_format_command(buf, sizeof(buf), cmd->cmnd, cmd->cmd_len);
++ if (cdb)
++ __scsi_format_command(buf, sizeof(buf), cdb, cmd->cmd_len);
+ seq_printf(m, ", .cmd=%s, .retries=%d, allocated %d.%03d s ago", buf,
+ cmd->retries, msecs / 1000, msecs % 1000);
+ }
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 24fe68522716..a028ab3322a9 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1312,6 +1312,7 @@ static int sd_init_command(struct scsi_cmnd *cmd)
+ static void sd_uninit_command(struct scsi_cmnd *SCpnt)
+ {
+ struct request *rq = SCpnt->request;
++ u8 *cmnd;
+
+ if (SCpnt->flags & SCMD_ZONE_WRITE_LOCK)
+ sd_zbc_write_unlock_zone(SCpnt);
+@@ -1320,9 +1321,10 @@ static void sd_uninit_command(struct scsi_cmnd *SCpnt)
+ __free_page(rq->special_vec.bv_page);
+
+ if (SCpnt->cmnd != scsi_req(rq)->cmd) {
+- mempool_free(SCpnt->cmnd, sd_cdb_pool);
++ cmnd = SCpnt->cmnd;
+ SCpnt->cmnd = NULL;
+ SCpnt->cmd_len = 0;
++ mempool_free(cmnd, sd_cdb_pool);
+ }
+ }
+
+--
+2.15.0
+
diff --git a/queue/scsi-hisi_sas-fix-the-risk-of-freeing-slot-twice.patch b/queue/scsi-hisi_sas-fix-the-risk-of-freeing-slot-twice.patch
new file mode 100644
index 0000000..f8c68ab
--- /dev/null
+++ b/queue/scsi-hisi_sas-fix-the-risk-of-freeing-slot-twice.patch
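Review bot: scsi_show_rq() now samples `cmd->cmnd` with READ_ONCE(), but the store it pairs with in sd_uninit_command(), `SCpnt->cmnd = NULL;`, is a plain assignment, and `cmd->cmd_len` is still read separately from the pointer. Writing the store as `WRITE_ONCE(SCpnt->cmnd, NULL);` marks the lockless pairing and rules out store tearing; it does not close the use-after-free window that the commit message already acknowledges. A comment above the READ_ONCE() line, such as `/* debugfs reader; may race with sd_uninit_command(), cdb can be NULL or stale */`, would record that for the next reader.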
@@ -0,0 +1,66 @@
+From 6ba0fbc35aa9f3bc8c12be3b4047055c9ce2ac92 Mon Sep 17 00:00:00 2001
+From: Xiaofei Tan <tanxiaofei@huawei.com>
+Date: Tue, 24 Oct 2017 23:51:38 +0800
+Subject: [PATCH] scsi: hisi_sas: fix the risk of freeing slot twice
+
+commit 6ba0fbc35aa9f3bc8c12be3b4047055c9ce2ac92 upstream.
+
+The function hisi_sas_slot_task_free() is used to free the slot and do
+tidy-up of LLDD resources. The LLDD generally should know the state of
+a slot and decide when to free it, and it should only be done once.
+
+For some scenarios, we really don't know the state, like when TMF
+timeout. In this case, we check task->lldd_task before calling
+hisi_sas_slot_task_free().
+
+However, we may miss some scenarios when we should also check
+task->lldd_task, and it is not SMP safe to check task->lldd_task as we
+don't protect it within spin lock.
+
+This patch is to fix this risk of freeing slot twice, as follows:
+
+ 1. Check task->lldd_task in the hisi_sas_slot_task_free(), and give
+ up freeing of this time if task->lldd_task is NULL.
+
+ 2. Set slot->buf to NULL after it is freed.
+
+Signed-off-by: Xiaofei Tan <tanxiaofei@huawei.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K.
Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index 2a209e1ea76b..6b4dabdeb4a9 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -185,13 +185,16 @@ void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, struct sas_task *task,
+ struct domain_device *device = task->dev;
+ struct hisi_sas_device *sas_dev = device->lldd_dev;
+
++ if (!task->lldd_task)
++ return;
++
++ task->lldd_task = NULL;
++
+ if (!sas_protocol_ata(task->task_proto))
+ if (slot->n_elem)
+ dma_unmap_sg(dev, task->scatter, slot->n_elem,
+ task->data_dir);
+
+- task->lldd_task = NULL;
+-
+ if (sas_dev)
+ atomic64_dec(&sas_dev->running_req);
+ }
+@@ -199,8 +202,8 @@ void hisi_sas_slot_task_free(struct hisi_hba *hisi_hba, struct sas_task *task,
+ if (slot->buf)
+ dma_pool_free(hisi_hba->buffer_pool, slot->buf, slot->buf_dma);
+
+-
+ list_del_init(&slot->entry);
++ slot->buf = NULL;
+ slot->task = NULL;
+ slot->port = NULL;
+ hisi_sas_slot_index_free(hisi_hba, slot->idx);
+--
+2.15.0
+
diff --git a/queue/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-u.patch b/queue/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-u.patch
new file mode 100644
index 0000000..172d744
--- /dev/null
+++ b/queue/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-u.patch
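Review bot: The guard added in hisi_sas_slot_task_free() tests `task->lldd_task` and clears it in two separate plain accesses, and no lock is taken inside the hunk, so two contexts completing the same task could both pass the test before either clears it. The commit message itself says the field is not protected by a spin lock; unless every caller already serialises on a common lock (not visible here), the double free this patch targets is narrowed rather than removed. An atomic test-and-clear would make the guard hold on SMP: `if (!xchg(&task->lldd_task, NULL)) return;`. The function starts above the hunk and continues below it.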
@@ -0,0 +1,52 @@
+From 55ca38b4255bb336c2d35990bdb2b368e19b435a Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:14 -0500
+Subject: [PATCH] scsi: hpsa: cleanup sas_phy structures in sysfs when
+ unloading
+
+commit 55ca38b4255bb336c2d35990bdb2b368e19b435a upstream.
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+The original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102083.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+--------------------------------------
+Original patch description from Martin:
+--------------------------------------
+
+When the hpsa module is unloaded using rmmod, dangling
+symlinks remain under /sys/class/sas_phy. Fix this by
+calling sas_phy_delete() rather than sas_phy_free (which,
+according to comments, should not be called for PHYs that
+have been set up successfully, anyway).
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index aff4a4fee260..76461c4cca0c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9207,9 +9207,9 @@ static void hpsa_free_sas_phy(struct hpsa_sas_phy *hpsa_sas_phy)
+ struct sas_phy *phy = hpsa_sas_phy->phy;
+
+ sas_port_delete_phy(hpsa_sas_phy->parent_port->port, phy);
+- sas_phy_free(phy);
+ if (hpsa_sas_phy->added_to_port)
+ list_del(&hpsa_sas_phy->phy_list_entry);
++ sas_phy_delete(phy);
+ kfree(hpsa_sas_phy);
+ }
+
+--
+2.15.0
+
diff --git a/queue/scsi-hpsa-destroy-sas-transport-properties-before-sc.patch b/queue/scsi-hpsa-destroy-sas-transport-properties-before-sc.patch
new file mode 100644
index 0000000..f5bde11
--- /dev/null
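Review bot: `sas_phy_delete(phy);` now runs on every path through hpsa_free_sas_phy(), including the one where `added_to_port` is false. The commit message says sas_phy_free() is wrong for PHYs that were set up successfully; the converse case, a PHY that was allocated but never registered, is not visible in this hunk, so it is worth confirming that no caller reaches this function from a failed-setup path. Either way the precondition deserves a comment above the call, e.g. `/* phy must have been registered with sas_phy_add(); an unregistered phy needs sas_phy_free() instead */`.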
+++ b/queue/scsi-hpsa-destroy-sas-transport-properties-before-sc.patch 
@@ -0,0 +1,81 @@
+From dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:08 -0500
+Subject: [PATCH] scsi: hpsa: destroy sas transport properties before scsi_host
+
+commit dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a upstream.
+
+This patch cleans up a lot of warnings when unloading the driver.
+
+A current example of the stack trace starts with:
+ [ 142.570715] sysfs group 'power' not found for kobject 'port-5:0'
+There can be hundreds of these messages during a driver unload.
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+His original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102085.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+---------------------------
+Original patch description:
+---------------------------
+
+Unloading the hpsa driver causes warnings
+
+[ 1063.793652] WARNING: CPU: 1 PID: 4850 at ../fs/sysfs/group.c:237 device_del+0x54/0x240()
+[ 1063.793659] sysfs group ffffffff81cf21a0 not found for kobject 'port-2:0'
+
+with two different stacks:
+1)
+[ 1063.793774] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.793780] [<ffffffff8145178a>] transport_remove_classdev+0x4a/0x60
+[ 1063.793784] [<ffffffff81451216>] attribute_container_device_trigger+0xa6/0xb0
+[ 1063.793802] [<ffffffffa0105d46>] sas_port_delete+0x126/0x160 [scsi_transport_sas]
+[ 1063.793819] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+2)
+[ 1063.797103] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.797118] [<ffffffffa0105d4e>] sas_port_delete+0x12e/0x160 [scsi_transport_sas]
+[ 1063.797134] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+This is caused by the fact that host device hostX is deleted before the
+SAS transport devices hostX/port-a:b.
+
+This patch fixes this by reverting the order of device deletions.
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 9abe81021484..aff4a4fee260 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8684,6 +8684,8 @@ static void hpsa_remove_one(struct pci_dev *pdev)
+ destroy_workqueue(h->rescan_ctlr_wq);
+ destroy_workqueue(h->resubmit_wq);
+
++ hpsa_delete_sas_host(h);
++
+ /*
+ * Call before disabling interrupts.
+ * scsi_remove_host can trigger I/O operations especially
+@@ -8718,8 +8720,6 @@ static void hpsa_remove_one(struct pci_dev *pdev)
+ h->lockup_detected = NULL; /* init_one 2 */
+ /* (void) pci_disable_pcie_error_reporting(pdev); */ /* init_one 1 */
+
+- hpsa_delete_sas_host(h);
+-
+ kfree(h); /* init_one 1 */
+ }
+
+--
+2.15.0
+
diff --git a/queue/scsi-libsas-fix-length-error-in-sas_smp_handler.patch b/queue/scsi-libsas-fix-length-error-in-sas_smp_handler.patch
new file mode 100644
index 0000000..217c11a
--- /dev/null
+++ b/queue/scsi-libsas-fix-length-error-in-sas_smp_handler.patch
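Review bot: The relocated `hpsa_delete_sas_host(h);` in the first hunk of hpsa_remove_one() carries an ordering requirement that the code itself does not state, so a later reshuffle of the teardown sequence could silently bring the sysfs warnings back. According to the commit message the SAS transport devices must go before the host device they sit under; a comment on the call would record that, e.g. `/* must run before scsi_remove_host(): SAS ports/phys are children of the host device */`. The rest of the function lies outside both hunks, so the exact position relative to the scsi_remove_host() call is inferred from the adjacent comment.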
@@ -0,0 +1,65 @@
+From 621f6401fdeefe96dfe9eab4b167c7c39f552bb0 Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Mon, 11 Dec 2017 15:03:33 +0800
+Subject: [PATCH] scsi: libsas: fix length error in sas_smp_handler()
+
+commit 621f6401fdeefe96dfe9eab4b167c7c39f552bb0 upstream.
+
+The return value of smp_execute_task_sg() is the untransferred residual,
+but bsg_job_done() requires the length of payload received. This makes
+SMP passthrough commands from userland by sg ioctl to libsas get a wrong
+response. The userland tools such as smp_utils failed because of these
+wrong responses:
+
+~#smp_discover /dev/bsg/expander-2\:13
+response too short, len=0
+~#smp_discover /dev/bsg/expander-2\:134
+response too short, len=0
+
+Fix this by passing the actual received length to bsg_job_done(). And if
+smp_execute_task_sg() returns 0, this means received length is exactly
+the buffer length.
+
+[mkp: typo]
+
+Fixes: 651a01364994 ("scsi: scsi_transport_sas: switch to bsg-lib for SMP passthrough")
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Reported-by: chenqilin <chenqilin2@huawei.com>
+Tested-by: chenqilin <chenqilin2@huawei.com>
+CC: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 174e5eff6155..c7f21661b3cd 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -2145,7 +2145,7 @@ void sas_smp_handler(struct bsg_job *job, struct Scsi_Host *shost,
+ struct sas_rphy *rphy)
+ {
+ struct domain_device *dev;
+- unsigned int reslen = 0;
++ unsigned int rcvlen = 0;
+ int ret = -EINVAL;
+
+ /* no rphy means no smp target support (ie aic94xx host) */
+@@ -2179,12 +2179,12 @@ void sas_smp_handler(struct bsg_job *job, struct Scsi_Host *shost,
+
+ ret = smp_execute_task_sg(dev, job->request_payload.sg_list,
+ job->reply_payload.sg_list);
+- if (ret > 0) {
+- /* positive number is the untransferred residual */
+- reslen = ret;
++ if (ret >= 0) {
++ /* bsg_job_done() requires the length received */
++ rcvlen = job->reply_payload.payload_len - ret;
+ ret = 0;
+ }
+
+ out:
+- bsg_job_done(job, ret, rcvlen);
++ bsg_job_done(job, ret, rcvlen);
+ }
+--
+2.15.0
+
diff --git a/queue/scsi-scsi_debug-write_same-fix-error-report.patch b/queue/scsi-scsi_debug-write_same-fix-error-report.patch
new file mode 100644
index 0000000..0a702b8
--- /dev/null
+++ b/queue/scsi-scsi_debug-write_same-fix-error-report.patch
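Review bot: `rcvlen = job->reply_payload.payload_len - ret;` in the second hunk is an unsigned subtraction, so a residual larger than `payload_len` would wrap into a very large "received" length that is then reported through bsg_job_done() to the userland caller. Whether smp_execute_task_sg() can ever return such a value depends on the low-level driver and is not visible here, so a clamp before the subtraction is cheap insurance: `if (ret > job->reply_payload.payload_len) ret = job->reply_payload.payload_len;`. The comment `/* bsg_job_done() requires the length received */` could also say that `ret` is the untransferred residual, since the removed comment was the only place that documented it.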
@@ -0,0 +1,38 @@
+From e33d7c56450b0a5c7290cbf9e1581fab5174f552 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Sun, 29 Oct 2017 10:47:19 -0400
+Subject: [PATCH] scsi: scsi_debug: write_same: fix error report
+
+commit e33d7c56450b0a5c7290cbf9e1581fab5174f552 upstream.
+
+The scsi_debug driver incorrectly suggests there is an error with the
+SCSI WRITE SAME command when the number_of_logical_blocks is greater
+than 1. It will also suggest there is an error when NDOB
+(no data-out buffer) is set and the number_of_logical_blocks is
+greater than 0. Both are valid, fix.
+
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 3c15f6b63b07..e4f037f0f38b 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -3001,11 +3001,11 @@ static int resp_write_same(struct scsi_cmnd *scp, u64 lba, u32 num,
+ if (-1 == ret) {
+ write_unlock_irqrestore(&atomic_rw, iflags);
+ return DID_ERROR << 16;
+- } else if (sdebug_verbose && (ret < (num * sdebug_sector_size)))
++ } else if (sdebug_verbose && !ndob && (ret < sdebug_sector_size))
+ sdev_printk(KERN_INFO, scp->device,
+- "%s: %s: cdb indicated=%u, IO sent=%d bytes\n",
++ "%s: %s: lb size=%u, IO sent=%d bytes\n",
+ my_name, "write same",
+- num * sdebug_sector_size, ret);
++ sdebug_sector_size, ret);
+
+ /* Copy first sector to remaining blocks */
+ for (i = 1 ; i < num ; i++)
+--
+2.15.0
+
diff --git a/queue/scsi-scsi_devinfo-Add-REPORTLUN2-to-EMC-SYMMETRIX-bl.patch b/queue/scsi-scsi_devinfo-Add-REPORTLUN2-to-EMC-SYMMETRIX-bl.patch
new file mode 100644
index 0000000..320bbe8
--- /dev/null
+++ b/queue/scsi-scsi_devinfo-Add-REPORTLUN2-to-EMC-SYMMETRIX-bl.patch
@@ -0,0 +1,31 @@
+From 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 Mon Sep 17 00:00:00 2001
+From: Kurt Garloff <garloff@suse.de>
+Date: Tue, 17 Oct 2017 09:10:45 +0200
+Subject: [PATCH] scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist
+ entry
+
+commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 upstream.
+
+All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
+SCSI-2 for whatever reason.
+
+Signed-off-by: Kurt Garloff <garloff@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
+index a998585ab178..555269bec02f 100644
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -161,7 +161,7 @@ static struct {
+ {"DGC", "RAID", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, storage on LUN 0 */
+ {"DGC", "DISK", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, no storage on LUN 0 */
+ {"EMC", "Invista", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+- {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_FORCELUN},
++ {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_REPORTLUN2},
+ {"EMULEX", "MD21/S2 ESDI", NULL, BLIST_SINGLELUN},
+ {"easyRAID", "16P", NULL, BLIST_NOREPORTLUN},
+ {"easyRAID", "X6P", NULL, BLIST_NOREPORTLUN},
+--
+2.15.0
+
diff --git a/queue/scsi-sd-change-allow_restart-to-bool-in-sysfs-interf.patch b/queue/scsi-sd-change-allow_restart-to-bool-in-sysfs-interf.patch
new file mode 100644
index 0000000..63c9156
--- /dev/null
+++ b/queue/scsi-sd-change-allow_restart-to-bool-in-sysfs-interf.patch
@@ -0,0 +1,42 @@
+From 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 Mon Sep 17 00:00:00 2001
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:56:44 +0800
+Subject: [PATCH] scsi: sd: change allow_restart to bool in sysfs interface
+
+commit 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 upstream.
+
+/sys/class/scsi_disk/0:2:0:0/allow_restart can be changed to 0
+unexpectedly by writing an invalid string such as the following:
+
+echo asdf > /sys/class/scsi_disk/0:2:0:0/allow_restart
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 3ef221493d6c..ce9cc7afd095 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -253,6 +253,7 @@ static ssize_t
+ allow_restart_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
++ bool v;
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
+
+@@ -262,7 +263,10 @@ allow_restart_store(struct device *dev, struct device_attribute *attr,
+ if (sdp->type != TYPE_DISK && sdp->type != TYPE_ZBC)
+ return -EINVAL;
+
+- sdp->allow_restart = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->allow_restart = v;
+
+ return count;
+ }
+--
+2.15.0
+
diff --git a/queue/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-in.patch b/queue/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-in.patch
new file mode 100644
index 0000000..f8afc9f
--- /dev/null
+++ b/queue/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-in.patch
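Review bot: `kstrtobool(buf, &v)` in allow_restart_store() looks only at the leading character of the buffer (the first two for on/off), so input such as `1asdf` is still accepted, `y`/`n`/`on`/`off` become valid, and numeric strings that do not start with 0 or 1 are now rejected. That covers the `asdf` case from the commit message, but it changes the attribute's accepted input without any note in the code; the same holds for manage_start_stop_store() in the following patch. A short comment above each call would record the contract, e.g. `/* kstrtobool() checks only the leading character(s); trailing text is ignored */`. As a style nit, `bool v;` is placed before the other declarations here but after them in manage_start_stop_store().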
@@ -0,0 +1,37 @@
+From 623401ee33e42cee64d333877892be8db02951eb Mon Sep 17 00:00:00 2001
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:57:06 +0800
+Subject: [PATCH] scsi: sd: change manage_start_stop to bool in sysfs interface
+
+commit 623401ee33e42cee64d333877892be8db02951eb upstream.
+
+/sys/class/scsi_disk/0:2:0:0/manage_start_stop can be changed to 0
+unexpectly by writing an invalid string.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index ce9cc7afd095..37daf9a42afe 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -231,11 +231,15 @@ manage_start_stop_store(struct device *dev, struct device_attribute *attr,
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
++ bool v;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+- sdp->manage_start_stop = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->manage_start_stop = v;
+
+ return count;
+ }
+--
+2.15.0
+
diff --git a/queue/serdev-ttyport-enforce-tty-driver-open-requirement.patch b/queue/serdev-ttyport-enforce-tty-driver-open-requirement.patch
new file mode 100644
index 0000000..cde70ca
--- /dev/null
+++ b/queue/serdev-ttyport-enforce-tty-driver-open-requirement.patch
@@ -0,0 +1,50 @@
+From dee7d0f3b200c67c6ee96bd37c6e8fa52690ab56 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 16 Oct 2017 15:06:19 +0200
+Subject: [PATCH] serdev: ttyport: enforce tty-driver open() requirement
+
+commit dee7d0f3b200c67c6ee96bd37c6e8fa52690ab56 upstream.
+
+The tty-driver open routine is mandatory, but the serdev
+tty-port-controller implementation did not treat it as such and would
+instead fall back to calling tty_port_open() directly.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/tty/serdev/serdev-ttyport.c b/drivers/tty/serdev/serdev-ttyport.c
+index 302018d67efa..404f3fd070a7 100644
+--- a/drivers/tty/serdev/serdev-ttyport.c
++++ b/drivers/tty/serdev/serdev-ttyport.c
+@@ -102,10 +102,10 @@ static int ttyport_open(struct serdev_controller *ctrl)
+ return PTR_ERR(tty);
+ serport->tty = tty;
+
+- if (tty->ops->open)
+- tty->ops->open(serport->tty, NULL);
+- else
+- tty_port_open(serport->port, tty, NULL);
++ if (!tty->ops->open)
++ goto err_unlock;
++
++ tty->ops->open(serport->tty, NULL);
+
+ /* Bring the UART into a known 8 bits no parity hw fc state */
+ ktermios = tty->termios;
+@@ -122,6 +122,12 @@ static int ttyport_open(struct serdev_controller *ctrl)
+
+ tty_unlock(serport->tty);
+ return 0;
++
++err_unlock:
++ tty_unlock(tty);
++ tty_release_struct(tty, serport->tty_idx);
++
++ return -ENODEV;
+ }
+
+ static void ttyport_close(struct serdev_controller *ctrl)
+--
+2.15.0
+
diff --git a/queue/series b/queue/series
new file mode 100644
index 0000000..1cb95d4
--- /dev/null
+++ b/queue/series
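Review bot: The result of `tty->ops->open(serport->tty, NULL);` is still discarded in ttyport_open(), so a driver whose open() fails falls through to the termios setup and the function returns 0 as if the port were usable. The call should keep its return value in a local and unwind when it is non-zero, returning that error instead of the fixed `-ENODEV`. The new `err_unlock` path also leaves `serport->tty` pointing at the tty it has just handed to tty_release_struct(); adding `serport->tty = NULL;` there would avoid a stale pointer if anything consults the field after a failed open, which cannot be ruled out from this hunk. The function begins before the first hunk.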
@@ -0,0 +1,177 @@
+0001-mfd-fsl-imx25-Clean-up-irq-settings-during-removal.patch
+0001-crypto-algif_aead-fix-reference-counting-of-null-skc.patch
+0001-crypto-rsa-fix-buffer-overread-when-stripping-leadin.patch
+0001-crypto-hmac-require-that-the-underlying-hash-algorit.patch
+0001-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
+0001-crypto-af_alg-fix-NULL-pointer-dereference-in.patch
+0001-cifs-fix-NULL-deref-in-SMB2_read.patch
+0001-string.h-workaround-for-increased-stack-usage.patch
+0001-autofs-fix-careless-error-in-recent-commit.patch
+0001-kernel-make-groups_sort-calling-a-responsibility-gro.patch
+0001-mm-oom_reaper-fix-memory-corruption.patch
+0001-tracing-Allocate-mask_str-buffer-dynamically.patch
+0001-USB-uas-and-storage-Add-US_FL_BROKEN_FUA-for-another.patch
+0001-USB-core-prevent-malicious-bNumInterfaces-overflow.patch
+0001-ovl-Pass-ovl_get_nlink-parameters-in-right-order.patch
+0001-ovl-update-ctx-pos-on-impure-dir-iteration.patch
+0001-usbip-fix-stub_rx-get_pipe-to-validate-endpoint-numb.patch
+0001-usbip-fix-stub_rx-harden-CMD_SUBMIT-path-to-handle-m.patch
+0001-usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch
+0001-usbip-fix-stub_send_ret_submit-vulnerability-to-null.patch
+0001-mmc-core-apply-NO_CMD23-quirk-to-some-specific-cards.patch
+0001-ceph-drop-negative-child-dentries-before-try-pruning.patch
+0001-usb-xhci-fix-TDS-for-MTK-xHCI1.1.patch
+0001-xhci-Don-t-add-a-virt_dev-to-the-devs-array-before-i.patch
+0001-IB-core-Bound-check-alternate-path-port-number.patch
+0001-IB-core-Don-t-enforce-PKey-security-on-SMI-MADs.patch
+0001-nfs-don-t-wait-on-commit-in-nfs_commit_inode-if-ther.patch
+0001-arm64-mm-Fix-pte_mkclean-pte_mkdirty-semantics.patch
+0001-arm64-Initialise-high_memory-global-variable-earlier.patch
+0001-arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch
+0001-scsi-core-Fix-a-scsi_show_rq-NULL-pointer-dereferenc.patch
+0001-scsi-libsas-fix-length-error-in-sas_smp_handler.patch
+0001-sched-rt-Do-not-pull-from-current-CPU-if-only-one-CP.patch
+0001-dm-fix-various-targets-to-dm_register_target-after-m.patch
+0001-SUNRPC-Fix-a-race-in-the-receive-code-path.patch
+0001-iw_cxgb4-only-insert-drain-cqes-if-wq-is-flushed.patch
+0001-x86-boot-compressed-64-Detect-and-handle-5-level-pag.patch
+0001-x86-boot-compressed-64-Print-error-if-5-level-paging.patch
+0001-eeprom-at24-change-nvmem-stride-to-1.patch
+0001-posix-timer-Properly-check-sigevent-sigev_notify.patch
+0001-dmaengine-dmatest-move-callback-wait-queue-to-thread.patch
+0001-Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
+0001-ext4-support-fast-symlinks-from-ext3-file-systems.patch
+0001-ext4-fix-fdatasync-2-after-fallocate-2-operation.patch
+0001-ext4-add-missing-error-check-in-__ext4_new_inode.patch
+0001-ext4-fix-crash-when-a-directory-s-i_size-is-too-smal.patch
+0001-IB-mlx4-Fix-RSS-s-QPC-attributes-assignments.patch
+0001-HID-cp2112-fix-broken-gpio_direction_input-callback.patch
+0001-sfc-don-t-warn-on-successful-change-of-MAC.patch
+0001-fbdev-controlfb-Add-missing-modes-to-fix-out-of-boun.patch
+0001-video-udlfb-Fix-read-EDID-timeout.patch
+0001-video-fbdev-au1200fb-Release-some-resources-if-a-mem.patch
+0001-video-fbdev-au1200fb-Return-an-error-code-if-a-memor.patch
+0001-rtc-pcf8563-fix-output-clock-rate.patch
+0001-scsi-aacraid-use-timespec64-instead-of-timeval.patch
+0001-drm-amdgpu-bypass-lru-touch-for-KIQ-ring-submission.patch
+0001-PM-s2idle-Clear-the-events_check_enabled-flag.patch
+0001-ASoC-Intel-Skylake-Fix-uuid_module-memory-leak-in-fa.patch
+0001-dmaengine-ti-dma-crossbar-Correct-am335x-am43xx-mux-.patch
+0001-mlxsw-spectrum-Fix-error-return-code-in-mlxsw_sp_por.patch
+0001-PCI-PME-Handle-invalid-data-when-reading-Root-Status.patch
+0001-powerpc-powernv-cpufreq-Fix-the-frequency-read-by-pr.patch
+0001-PCI-Do-not-allocate-more-buses-than-available-in-par.patch
+0001-iommu-mediatek-Fix-driver-name.patch
+0001-thunderbolt-tb-fix-use-after-free-in-tb_activate_pci.patch
+0001-netfilter-ipvs-Fix-inappropriate-output-of-procfs.patch
+0001-powerpc-opal-Fix-EBUSY-bug-in-acquiring-tokens.patch
+0001-powerpc-ipic-Fix-status-get-and-status-clear.patch
+0001-powerpc-pseries-vio-Dispose-of-virq-mapping-on-vdevi.patch
+0001-platform-x86-intel_punit_ipc-Fix-resource-ioremap-wa.patch
+0001-target-iscsi-Detect-conn_cmd_list-corruption-early.patch
+0001-target-iscsi-Fix-a-race-condition-in-iscsit_add_reje.patch
+0001-iscsi-target-fix-memory-leak-in-lio_target_tiqn_addt.patch
+0001-target-fix-condition-return-in-core_pr_dump_initiato.patch
+0001-target-file-Do-not-return-error-for-UNMAP-if-length-.patch
+0001-badblocks-fix-wrong-return-value-in-badblocks_set-if.patch
+0001-iommu-amd-Limit-the-IOVA-page-range-to-the-specified.patch
+0001-xfs-truncate-pagecache-before-writeback-in-xfs_setat.patch
+0001-arm-ccn-perf-Prevent-module-unload-while-PMU-is-in-u.patch
+0001-crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch
+0001-mm-Handle-0-flags-in-_calc_vm_trans-macro.patch
+0001-net-hns3-fix-for-getting-advertised_caps-in-hns3_get.patch
+0001-net-hns3-Fix-a-misuse-to-devm_free_irq.patch
+0001-staging-rtl8188eu-Revert-part-of-staging-rtl8188eu-f.patch
+0001-clk-mediatek-add-the-option-for-determining-PLL-sour.patch
+0001-clk-imx-imx7d-Fix-parent-clock-for-OCRAM_CLK.patch
+0001-clk-imx6-refine-hdmi_isfr-s-parent-to-make-HDMI-work.patch
+0001-media-camss-vfe-always-initialize-reg-at-vfe_set_xba.patch
+0001-clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
+0001-blk-mq-sched-dispatch-from-scheduler-IFF-progress-is.patch
+0001-clk-tegra-Use-readl_relaxed_poll_timeout_atomic-in-t.patch
+0001-clk-tegra-Fix-cclk_lp-divisor-register.patch
+0001-ppp-Destroy-the-mutex-when-cleanup.patch
+0001-ASoC-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent.patch
+0001-thermal-drivers-step_wise-Fix-temperature-regulation.patch
+0001-misc-pci_endpoint_test-Fix-failure-path-return-value.patch
+0001-misc-pci_endpoint_test-Avoid-triggering-a-BUG.patch
+0001-scsi-scsi_debug-write_same-fix-error-report.patch
+0001-GFS2-Take-inode-off-order_write-list-when-setting-jd.patch
+0001-media-usbtv-fix-brightness-and-contrast-controls.patch
+0001-rpmsg-glink-Initialize-the-intent_req_comp-completio.patch
+0001-bcache-explicitly-destroy-mutex-while-exiting.patch
+0001-bcache-fix-wrong-cache_misses-statistics.patch
+0001-Ib-hfi1-Return-actual-operational-VLs-in-port-info-q.patch
+0001-Bluetooth-hci_ldisc-Fix-another-race-when-closing-th.patch
+0001-arm64-prevent-regressions-in-compressed-kernel-image.patch
+0001-btrfs-fix-false-EIO-for-missing-device.patch
+0001-btrfs-Explicitly-handle-btrfs_update_root-failure.patch
+0001-btrfs-undo-writable-superblocke-when-sprouting-fails.patch
+0001-btrfs-avoid-null-pointer-dereference-on-fs_info-when.patch
+0001-btrfs-tests-Fix-a-memory-leak-in-error-handling-path.patch
+0001-qtnfmac-modify-full-Tx-queue-error-reporting.patch
+0001-mtd-spi-nor-stm32-quadspi-Fix-uninitialized-error-re.patch
+0001-ARM64-dts-meson-gxbb-odroidc2-fix-usb1-power-supply.patch
+0001-Bluetooth-btusb-Add-new-NFA344A-entry.patch
+0001-samples-bpf-adjust-rlimit-RLIMIT_MEMLOCK-for-xdp1.patch
+0001-liquidio-fix-kernel-panic-in-VF-driver.patch
+0001-platform-x86-hp_accel-Add-quirk-for-HP-ProBook-440-G.patch
+0001-nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch
+0001-l2tp-cleanup-l2tp_tunnel_delete-calls.patch
+0001-xfs-fix-log-block-underflow-during-recovery-cycle-ve.patch
+0001-xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch
+0001-xfs-fix-incorrect-extent-state-in-xfs_bmap_add_exten.patch
+0001-net-dsa-lan9303-Do-not-disable-switch-fabric-port-0-.patch
+0001-net-hns3-fix-a-bug-in-hclge_uninit_client_instance.patch
+0001-net-hns3-add-nic_client-check-when-initialize-roce-b.patch
+0001-net-hns3-fix-the-bug-of-hns3_set_txbd_baseinfo.patch
+0001-RDMA-cxgb4-Declare-stag-as-__be32.patch
+0001-PCI-Detach-driver-before-procfs-sysfs-teardown-on-de.patch
+0001-scsi-hisi_sas-fix-the-risk-of-freeing-slot-twice.patch
+0001-scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-u.patch
+0001-scsi-hpsa-destroy-sas-transport-properties-before-sc.patch
+0001-mfd-mxs-lradc-Fix-error-handling-in-mxs_lradc_probe.patch
+0001-net-hns3-fix-the-TX-RX-ring.queue_index-in-hns3_ring.patch
+0001-net-hns3-fix-the-bug-when-map-buffer-fail.patch
+0001-net-hns3-fix-a-bug-when-alloc-new-buffer.patch
+0001-serdev-ttyport-enforce-tty-driver-open-requirement.patch
+0001-powerpc-perf-hv-24x7-Fix-incorrect-comparison-in-mem.patch
+0001-powerpc-xmon-Check-before-calling-xive-functions.patch
+0001-soc-mediatek-pwrap-fix-compiler-errors.patch
+0001-ipv4-ipv4_default_advmss-should-use-route-mtu.patch
+0001-KVM-nVMX-Fix-EPT-switching-advertising.patch
+0001-tty-fix-oops-when-rmmod-8250.patch
+0001-dev-dax-fix-uninitialized-variable-build-warning.patch
+0001-pinctrl-adi2-Fix-Kconfig-build-problem.patch
+0001-raid5-Set-R5_Expanded-on-parity-devices-as-well-as-d.patch
+0001-scsi-scsi_devinfo-Add-REPORTLUN2-to-EMC-SYMMETRIX-bl.patch
+0001-IB-core-Fix-use-workqueue-without-WQ_MEM_RECLAIM.patch
+0001-IB-core-Fix-calculation-of-maximum-RoCE-MTU.patch
+0001-vt6655-Fix-a-possible-sleep-in-atomic-bug-in-vt6655_.patch
+0001-IB-hfi1-Mask-out-A-bit-from-psn-trace.patch
+0001-rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_.patch
+0001-rtl8188eu-Fix-a-possible-sleep-in-atomic-bug-in-rtw_.patch
+0001-ipmi_si-fix-memory-leak-on-new_smi.patch
+0001-nullb-fix-error-return-code-in-null_init.patch
+0001-scsi-sd-change-manage_start_stop-to-bool-in-sysfs-in.patch
+0001-scsi-sd-change-allow_restart-to-bool-in-sysfs-interf.patch
+0001-scsi-bfa-integer-overflow-in-debugfs.patch
+0001-raid5-ppl-check-recovery_offset-when-performing-ppl-.patch
+0001-md-cluster-fix-wrong-condition-check-in-raid1_write_.patch
+0001-xprtrdma-Don-t-defer-fencing-an-async-RPC-s-chunks.patch
+0001-udf-Avoid-overflow-when-session-starts-at-large-offs.patch
+0001-macvlan-Only-deliver-one-copy-of-the-frame-to-the-ma.patch
+0001-IB-core-Fix-endianness-annotation-in-rdma_is_multica.patch
+0001-RDMA-cma-Avoid-triggering-undefined-behavior.patch
+0001-IB-ipoib-Grab-rtnl-lock-on-heavy-flush-when-calling-.patch
+0001-icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch
+0001-lightnvm-pblk-prevent-gc-kicks-when-gc-is-not-operat.patch
+0001-lightnvm-pblk-fix-changing-GC-group-list-for-a-line.patch
+0001-lightnvm-pblk-use-right-flag-for-GC-allocation.patch
+0001-lightnvm-pblk-initialize-debug-stat-counter.patch
+0001-lightnvm-pblk-fix-min-size-for-page-mempool.patch
+0001-lightnvm-pblk-protect-line-bitmap-while-submitting-m.patch
+0001-ath9k-fix-tx99-potential-info-leak.patch
+0001-ath10k-fix-core-PCI-suspend-when-WoWLAN-is-supported.patch
+0001-ath10k-fix-build-errors-with-CONFIG_PM.patch
+0001-usb-musb-da8xx-fix-babble-condition-handling.patch
diff --git a/queue/sfc-don-t-warn-on-successful-change-of-MAC.patch b/queue/sfc-don-t-warn-on-successful-change-of-MAC.patch
new file mode 100644
index 0000000..ad7b950
--- /dev/null
+++ b/queue/sfc-don-t-warn-on-successful-change-of-MAC.patch
@@ -0,0 +1,27 @@
+From cbad52e92ad7f01f0be4ca58bde59462dc1afe3a Mon Sep 17 00:00:00 2001
+From: Robert Stonehouse <rstonehouse@solarflare.com>
+Date: Tue, 7 Nov 2017 17:30:30 +0000
+Subject: [PATCH] sfc: don't warn on successful change of MAC
+
+commit cbad52e92ad7f01f0be4ca58bde59462dc1afe3a upstream.
+
+Fixes: 535a61777f44e ("sfc: suppress handled MCDI failures when changing the MAC address")
+Signed-off-by: Bert Kenward <bkenward@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index 19a91881fbf9..46d60013564c 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -5734,7 +5734,7 @@ static int efx_ef10_set_mac_address(struct efx_nic *efx)
+ * MCFW do not support VFs.
+ */
+ rc = efx_ef10_vport_set_mac_address(efx);
+- } else {
++ } else if (rc) {
+ efx_mcdi_display_error(efx, MC_CMD_VADAPTOR_SET_MAC,
+ sizeof(inbuf), NULL, 0, rc);
+ }
+--
+2.15.0
+
diff --git a/queue/soc-mediatek-pwrap-fix-compiler-errors.patch b/queue/soc-mediatek-pwrap-fix-compiler-errors.patch
new file mode 100644
index 0000000..b0dd623
--- /dev/null
+++ b/queue/soc-mediatek-pwrap-fix-compiler-errors.patch
@@ -0,0 +1,30 @@
+From fb2c1934f30577756e55e24e8870b45c78da3bc2 Mon Sep 17 00:00:00 2001
+From: Matthias Brugger <matthias.bgg@gmail.com>
+Date: Sat, 21 Oct 2017 10:17:47 +0200
+Subject: [PATCH] soc: mediatek: pwrap: fix compiler errors
+
+commit fb2c1934f30577756e55e24e8870b45c78da3bc2 upstream.
+
+When compiling using sparse, we got the following error:
+drivers/soc/mediatek/mtk-pmic-wrap.c:686:25: error: dubious one-bit signed bitfield
+
+Changing the data type to unsigned fixes this.
+
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+
+diff --git a/drivers/soc/mediatek/mtk-pmic-wrap.c b/drivers/soc/mediatek/mtk-pmic-wrap.c
+index 5d61d127e1d7..912edf93c192 100644
+--- a/drivers/soc/mediatek/mtk-pmic-wrap.c
++++ b/drivers/soc/mediatek/mtk-pmic-wrap.c
+@@ -683,7 +683,7 @@ struct pmic_wrapper_type {
+ u32 int_en_all;
+ u32 spi_w;
+ u32 wdt_src;
+- int has_bridge:1;
++ unsigned int has_bridge:1;
+ int (*init_reg_clock)(struct pmic_wrapper *wrp);
+ int (*init_soc_specific)(struct pmic_wrapper *wrp);
+ };
+--
+2.15.0
+
diff --git a/queue/staging-rtl8188eu-Revert-part-of-staging-rtl8188eu-f.patch b/queue/staging-rtl8188eu-Revert-part-of-staging-rtl8188eu-f.patch
new file mode 100644
index 0000000..676c179
--- /dev/null
+++ b/queue/staging-rtl8188eu-Revert-part-of-staging-rtl8188eu-f.patch
@@ -0,0 +1,41 @@
+From 4004a9870bbefdb6644c3d2033f5315920a3b669 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 2 Nov 2017 10:30:11 +0100
+Subject: [PATCH] staging: rtl8188eu: Revert part of "staging: rtl8188eu: fix
+ comments with lines over 80 characters"
+
+commit 4004a9870bbefdb6644c3d2033f5315920a3b669 upstream.
+
+Commit 74e1e498e84e ("staging: rtl8188eu: fix comments with lines over 80
+characters") not only changed comments but also changed an if check:
+
+-if (pmlmepriv->cur_network.join_res != true) {
++if (!(pmlmepriv->cur_network.join_res)) {
+
+This is not equivalent as join_res is an int and can have values such
+as -2 and -3.
+
+Note for the next time, please only make one type of changes in a single
+clean-up commit.
+
+Fixes: 74e1e498e84e ("staging: rtl8188eu: fix comments with lines over 80 ...")
+Cc: Juliana Rodrigues <juliana.orod@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c b/drivers/staging/rtl8188eu/core/rtw_ap.c
+index 32a483769975..fa611455109a 100644
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -754,7 +754,7 @@ static void start_bss_network(struct adapter *padapter, u8 *pbuf)
+ }
+
+ /* setting only at first time */
+- if (!(pmlmepriv->cur_network.join_res)) {
++ if (pmlmepriv->cur_network.join_res != true) {
+ /* WEP Key will be set before this function, do not
+ * clear CAM.
+ */
+--
+2.15.0
+
diff --git a/queue/string.h-workaround-for-increased-stack-usage.patch b/queue/string.h-workaround-for-increased-stack-usage.patch
new file mode 100644
index 0000000..de1ce9f
--- /dev/null
+++ b/queue/string.h-workaround-for-increased-stack-usage.patch
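Review bot: The restored `if (pmlmepriv->cur_network.join_res != true) {` in start_bss_network() still reads like a boolean test, which invites the same "simplification" to `!join_res` that this patch reverts. The neighbouring comment `/* setting only at first time */` says nothing about the type; the commit message does (join_res is an int that can hold values such as -2 and -3), and that belongs next to the condition, e.g. `/* join_res is an int status and may be negative; do not shorten this to !join_res */`. The function starts and ends outside the hunk.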
@@ -0,0 +1,75 @@ +From 146734b091430c80d80bb96b1139a96fb4bc830e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Thu, 14 Dec 2017 15:32:34 -0800 +Subject: [PATCH] string.h: workaround for increased stack usage + +commit 146734b091430c80d80bb96b1139a96fb4bc830e upstream. + +The hardened strlen() function causes rather large stack usage in at +least one file in the kernel, in particular when CONFIG_KASAN is +enabled: + + drivers/media/usb/em28xx/em28xx-dvb.c: In function 'em28xx_dvb_init': + drivers/media/usb/em28xx/em28xx-dvb.c:2062:1: error: the frame size of 3256 bytes is larger than 204 bytes [-Werror=frame-larger-than=] + +Analyzing this problem led to the discovery that gcc fails to merge the +stack slots for the i2c_board_info[] structures after we strlcpy() into +them, due to the 'noreturn' attribute on the source string length check. + +I reported this as a gcc bug, but it is unlikely to get fixed for gcc-8, +since it is relatively easy to work around, and it gets triggered +rarely. An earlier workaround I did added an empty inline assembly +statement before the call to fortify_panic(), which works surprisingly +well, but is really ugly and unintuitive. + +This is a new approach to the same problem, this time addressing it by +not calling the 'extern __real_strnlen()' function for string constants +where __builtin_strlen() is a compile-time constant and therefore known +to be safe. + +We do this by checking if the last character in the string is a +compile-time constant '\0'. If it is, we can assume that strlen() of +the string is also constant. + +As a side-effect, this should also improve the object code output for +any other call of strlen() on a string constant. 
+ +[akpm@linux-foundation.org: add comment] +Link: http://lkml.kernel.org/r/20171205215143.3085755-1-arnd@arndb.de +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365 +Link: https://patchwork.kernel.org/patch/9980413/ +Link: https://patchwork.kernel.org/patch/9974047/ +Fixes: 6974f0c4555 ("include/linux/string.h: add the option of fortified string.h functions") +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Cc: Kees Cook <keescook@chromium.org> +Cc: Mauro Carvalho Chehab <mchehab@kernel.org> +Cc: Dmitry Vyukov <dvyukov@google.com> +Cc: Alexander Potapenko <glider@google.com> +Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> +Cc: Daniel Micay <danielmicay@gmail.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Martin Wilck <mwilck@suse.com> +Cc: Dan Williams <dan.j.williams@intel.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/include/linux/string.h b/include/linux/string.h +index 410ecf17de3c..cfd83eb2f926 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -259,7 +259,10 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) + { + __kernel_size_t ret; + size_t p_size = __builtin_object_size(p, 0); +- if (p_size == (size_t)-1) ++ ++ /* Work around gcc excess stack consumption issue */ ++ if (p_size == (size_t)-1 || ++ (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) + return __builtin_strlen(p); + ret = strnlen(p, p_size); + if (p_size <= ret) +-- +2.15.0 + diff --git a/queue/target-file-Do-not-return-error-for-UNMAP-if-length-.patch b/queue/target-file-Do-not-return-error-for-UNMAP-if-length-.patch new file mode 100644 index 0000000..838514b --- /dev/null +++ b/queue/target-file-Do-not-return-error-for-UNMAP-if-length-.patch 
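Review bot: The added comment on the `if` in strlen() names the gcc stack issue but not why skipping the strnlen()-based bounds check is safe on that path. The argument is that a compile-time-constant NUL in the last byte of the object keeps the string inside the object, and I would state that in the code, for example `/* a constant '\0' at p[p_size - 1] means strlen(p) < p_size, so the check below cannot fire */`. The expression also indexes `p[p_size - 1]` without excluding `p_size == 0`; `__builtin_constant_p` presumably folds that case away, but it is worth confirming. The rest of strlen() continues beyond the hunk.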
@@ -0,0 +1,36 @@
+From 594e25e73440863981032d76c9b1e33409ceff6e Mon Sep 17 00:00:00 2001
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Fri, 11 Aug 2017 11:29:44 +0800
+Subject: [PATCH] target/file: Do not return error for UNMAP if length is zero
+
+commit 594e25e73440863981032d76c9b1e33409ceff6e upstream.
+
+The function fd_execute_unmap() in target_core_file.c calles
+
+ret = file->f_op->fallocate(file, mode, pos, len);
+
+Some filesystems implement fallocate() to return error if
+length is zero (e.g. btrfs) but according to SCSI Block
+Commands spec UNMAP should return success for zero length.
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
+index c629817a8854..9b2c0c773022 100644
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -482,6 +482,10 @@ fd_execute_unmap(struct se_cmd *cmd, sector_t lba, sector_t nolb)
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (!nolb) {
++ return 0;
++ }
++
+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
+--
+2.15.0
+
diff --git a/queue/target-fix-condition-return-in-core_pr_dump_initiato.patch b/queue/target-fix-condition-return-in-core_pr_dump_initiato.patch
new file mode 100644
index 0000000..19e3493
--- /dev/null
+++ b/queue/target-fix-condition-return-in-core_pr_dump_initiato.patch
@@ -0,0 +1,39 @@
+From 24528f089d0a444070aa4f715ace537e8d6bf168 Mon Sep 17 00:00:00 2001
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Thu, 24 Aug 2017 19:59:37 +0800
+Subject: [PATCH] target:fix condition return in core_pr_dump_initiator_port()
+
+commit 24528f089d0a444070aa4f715ace537e8d6bf168 upstream.
+
+When is pr_reg->isid_present_at_reg is false,this function should return.
+
+This fixes a regression originally introduced by:
+
+ commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
+ Author: Andy Grover <agrover@redhat.com>
+ Date: Thu May 16 10:40:55 2013 -0700
+
+ target: Alter core_pr_dump_initiator_port for ease of use
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index 871ae21870be..a54490709811 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -58,8 +58,10 @@ void core_pr_dump_initiator_port(
+ char *buf,
+ u32 size)
+ {
+- if (!pr_reg->isid_present_at_reg)
++ if (!pr_reg->isid_present_at_reg) {
+ buf[0] = '\0';
++ return;
++ }
+
+ snprintf(buf, size, ",i,0x%s", pr_reg->pr_reg_isid);
+ }
+--
+2.15.0
+
diff --git a/queue/target-iscsi-Detect-conn_cmd_list-corruption-early.patch b/queue/target-iscsi-Detect-conn_cmd_list-corruption-early.patch
new file mode 100644
index 0000000..83d69fa
--- /dev/null
+++ b/queue/target-iscsi-Detect-conn_cmd_list-corruption-early.patch
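Review bot: The early-return branch in core_pr_dump_initiator_port() stores `buf[0] = '\0'` without consulting `size`, whereas the snprintf() path below is bounded by `size`. A caller passing a zero-length buffer would get a one-byte write past it. Callers are not visible here, so this may never occur in practice. Writing the branch as `if (size) buf[0] = '\0';` followed by the `return;` would bound both paths by the same argument. The function's signature starts above the hunk.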
@@ -0,0 +1,49 @@
+From 6eaf69e4ec075f5af236c0c89f75639a195db904 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 31 Oct 2017 11:03:18 -0700
+Subject: [PATCH] target/iscsi: Detect conn_cmd_list corruption early
+
+commit 6eaf69e4ec075f5af236c0c89f75639a195db904 upstream.
+
+Certain behavior of the initiator can cause the target driver to
+send both a reject and a SCSI response. If that happens two
+target_put_sess_cmd() calls will occur without the command having
+been removed from conn_cmd_list. In other words, conn_cmd_list
+will get corrupted once the freed memory is reused. Although the
+Linux kernel can detect list corruption if list debugging is
+enabled, in this case the context in which list corruption is
+detected is not related to the context that caused list corruption.
+Hence add WARN_ON() statements that report the context that is
+causing list corruption.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
+index 1e36f83b5961..70c6b9bfc04e 100644
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -694,6 +694,8 @@ void iscsit_release_cmd(struct iscsi_cmd *cmd)
+ struct iscsi_session *sess;
+ struct se_cmd *se_cmd = &cmd->se_cmd;
+
++ WARN_ON(!list_empty(&cmd->i_conn_node));
++
+ if (cmd->conn)
+ sess = cmd->conn->sess;
+ else
+@@ -716,6 +718,8 @@ void __iscsit_free_cmd(struct iscsi_cmd *cmd, bool check_queues)
+ {
+ struct iscsi_conn *conn = cmd->conn;
+
++ WARN_ON(!list_empty(&cmd->i_conn_node));
++
+ if (cmd->data_direction == DMA_TO_DEVICE) {
+ iscsit_stop_dataout_timer(cmd);
+ iscsit_free_r2ts_from_list(cmd);
+--
+2.15.0
+
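Review bot: Both added `WARN_ON(!list_empty(&cmd->i_conn_node))` checks, in iscsit_release_cmd() and __iscsit_free_cmd(), only report and then let the release continue, and the commit message says the condition is reachable through initiator behaviour. A peer that triggers it repeatedly fills the log with backtraces, and on a system booted with panic_on_warn each hit is a crash. `WARN_ON_ONCE(!list_empty(&cmd->i_conn_node));` still captures the first offending context while bounding that exposure. A one-line comment saying the command must already be off conn_cmd_list at this point would document the invariant being checked. Both function bodies continue outside the hunks.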
diff --git a/queue/target-iscsi-Fix-a-race-condition-in-iscsit_add_reje.patch b/queue/target-iscsi-Fix-a-race-condition-in-iscsit_add_reje.patch
new file mode 100644
index 0000000..0e2502e
--- /dev/null
+++ b/queue/target-iscsi-Fix-a-race-condition-in-iscsit_add_reje.patch
@@ -0,0 +1,41 @@
+From cfe2b621bb18d86e93271febf8c6e37622da2d14 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 31 Oct 2017 11:03:17 -0700
+Subject: [PATCH] target/iscsi: Fix a race condition in
+ iscsit_add_reject_from_cmd()
+
+commit cfe2b621bb18d86e93271febf8c6e37622da2d14 upstream.
+
+Avoid that cmd->se_cmd.se_tfo is read after a command has already been
+freed.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 91fbada7cdc2..541f66a875fc 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -833,6 +833,7 @@ static int iscsit_add_reject_from_cmd(
+ unsigned char *buf)
+ {
+ struct iscsi_conn *conn;
++ const bool do_put = cmd->se_cmd.se_tfo != NULL;
+
+ if (!cmd->conn) {
+ pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
+@@ -863,7 +864,7 @@ static int iscsit_add_reject_from_cmd(
+ * Perform the kref_put now if se_cmd has already been setup by
+ * scsit_setup_scsi_cmd()
+ */
+- if (cmd->se_cmd.se_tfo != NULL) {
++ if (do_put) {
+ pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
+ target_put_sess_cmd(&cmd->se_cmd);
+ }
+--
+2.15.0
+
diff --git a/queue/thermal-drivers-step_wise-Fix-temperature-regulation.patch b/queue/thermal-drivers-step_wise-Fix-temperature-regulation.patch
new file mode 100644
index 0000000..004be5e
--- /dev/null
+++ b/queue/thermal-drivers-step_wise-Fix-temperature-regulation.patch
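Review bot: The new `do_put` local in iscsit_add_reject_from_cmd() is evaluated at the top of the function with no comment explaining why. The comment left above `if (do_put)` still only describes se_cmd having been set up, so the lifetime reason for the early read is easy to lose in a later refactor. Going by the commit message, `cmd` may already have been freed by the time the put is considered, so I would add `/* sample se_tfo up front: cmd may be freed before the check below */` above the declaration. The code between the two hunks is not visible, so the exact point after which `cmd` must not be dereferenced should be confirmed against the full function.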
@@ -0,0 +1,155 @@ +From 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 Mon Sep 17 00:00:00 2001 +From: Daniel Lezcano <daniel.lezcano@linaro.org> +Date: Thu, 19 Oct 2017 19:05:58 +0200 +Subject: [PATCH] thermal/drivers/step_wise: Fix temperature regulation + misbehavior +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 upstream. + +There is a particular situation when the cooling device is cpufreq and the heat +dissipation is not efficient enough where the temperature increases little by +little until reaching the critical threshold and leading to a SoC reset. + +The behavior is reproducible on a hikey6220 with bad heat dissipation (eg. +stacked with other boards). + +Running a simple C program doing while(1); for each CPU of the SoC makes the +temperature to reach the passive regulation trip point and ends up to the +maximum allowed temperature followed by a reset. + +This issue has been also reported by running the libhugetlbfs test suite. + +What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz +while the temperature continues to grow. + +It appears the step wise governor calls get_target_state() the first time with +the throttle set to true and the trend to 'raising'. The code selects logically +the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so +good. The temperature decreases immediately but still stays greater than the +trip point, then get_target_state() is called again, this time with the +throttle set to true *and* the trend to 'dropping'. From there the algorithm +assumes we have to step down the state and the cpu frequency jumps back to +1.2GHz. But the temperature is still higher than the trip point, so +get_target_state() is called with throttle=1 and trend='raising' again, we jump +to 900MHz, then get_target_state() is called with throttle=1 and +trend='dropping', we jump to 1.2GHz, etc ... 
but the temperature does not +stabilizes and continues to increase. + +[ 237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 237.922690] thermal cooling_device0: cur_state=0 +[ 237.922701] thermal cooling_device0: old_target=0, target=1 +[ 238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1 +[ 238.026694] thermal cooling_device0: cur_state=1 +[ 238.026707] thermal cooling_device0: old_target=1, target=0 +[ 238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 238.134679] thermal cooling_device0: cur_state=0 +[ 238.134690] thermal cooling_device0: old_target=0, target=1 + +In this situation the temperature continues to increase while the trend is +oscillating between 'dropping' and 'raising'. We need to keep the current state +untouched if the throttle is set, so the temperature can decrease or a higher +state could be selected, thus preventing this oscillation. + +Keeping the next_target untouched when 'throttle' is true at 'dropping' time +fixes the issue. + +The following traces show the governor does not change the next state if +trend==2 (dropping) and throttle==1. 
+ +[ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 2306.128021] thermal cooling_device0: cur_state=0 +[ 2306.128031] thermal cooling_device0: old_target=0, target=1 +[ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1 +[ 2306.232030] thermal cooling_device0: cur_state=1 +[ 2306.232042] thermal cooling_device0: old_target=1, target=1 +[ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1 +[ 2306.336021] thermal cooling_device0: cur_state=1 +[ 2306.336034] thermal cooling_device0: old_target=1, target=1 +[ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0 +[ 2306.440022] thermal cooling_device0: cur_state=1 +[ 2306.440034] thermal cooling_device0: old_target=1, target=0 + +[ ... ] + +After a while, if the temperature continues to increase, the next state becomes +2 which is 720MHz on the hikey. That results in the temperature stabilizing +around the trip point. 
+ +[ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0 +[ 2455.832019] thermal cooling_device0: cur_state=1 +[ 2455.832032] thermal cooling_device0: old_target=1, target=1 +[ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0 +[ 2455.936027] thermal cooling_device0: cur_state=1 +[ 2455.936040] thermal cooling_device0: old_target=1, target=1 +[ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0 +[ 2456.044023] thermal cooling_device0: cur_state=1 +[ 2456.044036] thermal cooling_device0: old_target=1, target=1 +[ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 2456.148042] thermal cooling_device0: cur_state=1 +[ 2456.148055] thermal cooling_device0: old_target=1, target=2 +[ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0 +[ 2456.252058] thermal cooling_device0: cur_state=2 +[ 2456.252075] thermal cooling_device0: old_target=2, target=1 + +IOW, this change is needed to keep the state for a cooling device if the +temperature trend is oscillating while the temperature increases slightly. + +Without this change, the situation above leads to a catastrophic crash by a +hardware reset on hikey. This issue has been reported to happen on an OMAP +dra7xx also. 
+ +Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> +Cc: Keerthy <j-keerthy@ti.com> +Cc: John Stultz <john.stultz@linaro.org> +Cc: Leo Yan <leo.yan@linaro.org> +Tested-by: Keerthy <j-keerthy@ti.com> +Reviewed-by: Keerthy <j-keerthy@ti.com> +Signed-off-by: Eduardo Valentin <edubezval@gmail.com> + +diff --git a/drivers/thermal/step_wise.c b/drivers/thermal/step_wise.c +index be95826631b7..ee047ca43084 100644 +--- a/drivers/thermal/step_wise.c ++++ b/drivers/thermal/step_wise.c +@@ -31,8 +31,7 @@ + * If the temperature is higher than a trip point, + * a. if the trend is THERMAL_TREND_RAISING, use higher cooling + * state for this trip point +- * b. if the trend is THERMAL_TREND_DROPPING, use lower cooling +- * state for this trip point ++ * b. if the trend is THERMAL_TREND_DROPPING, do nothing + * c. if the trend is THERMAL_TREND_RAISE_FULL, use upper limit + * for this trip point + * d. if the trend is THERMAL_TREND_DROP_FULL, use lower limit +@@ -94,9 +93,11 @@ static unsigned long get_target_state(struct thermal_instance *instance, + if (!throttle) + next_target = THERMAL_NO_TARGET; + } else { +- next_target = cur_state - 1; +- if (next_target > instance->upper) +- next_target = instance->upper; ++ if (!throttle) { ++ next_target = cur_state - 1; ++ if (next_target > instance->upper) ++ next_target = instance->upper; ++ } + } + break; + case THERMAL_TREND_DROP_FULL: +-- +2.15.0 + diff --git a/queue/thunderbolt-tb-fix-use-after-free-in-tb_activate_pci.patch b/queue/thunderbolt-tb-fix-use-after-free-in-tb_activate_pci.patch new file mode 100644 index 0000000..c6b56ba --- /dev/null +++ b/queue/thunderbolt-tb-fix-use-after-free-in-tb_activate_pci.patch 
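Review bot: In get_target_state() the THERMAL_TREND_DROPPING branch now keeps the current state whenever `throttle` is set, but nothing at that spot says why; the file-header line changed to "do nothing" is the only hint. A why-comment on the new `if (!throttle)` would protect the fix from a later simplification, for example `/* still above the trip point: hold the state so a brief drop does not undo the cooling step */`. The nested `} else { if (!throttle) {` could also be written `} else if (!throttle) {`, which saves an indent level. The surrounding switch continues outside the hunk.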
@@ -0,0 +1,35 @@ +From a2e373438f72391493a4425efc1b82030b6b4fd5 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" <garsilva@embeddedor.com> +Date: Sat, 4 Nov 2017 23:52:54 -0500 +Subject: [PATCH] thunderbolt: tb: fix use after free in + tb_activate_pcie_devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit a2e373438f72391493a4425efc1b82030b6b4fd5 upstream. + +Add a ̣̣continue statement in order to avoid using a previously +free'd pointer tunnel in list_add. + +Addresses-Coverity-ID: 1415336 +Fixes: 9d3cce0b6136 ("thunderbolt: Introduce thunderbolt bus and connection manager") +Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> +Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c +index 0b22ad9d68b4..f7d0c60c6a11 100644 +--- a/drivers/thunderbolt/tb.c ++++ b/drivers/thunderbolt/tb.c +@@ -224,6 +224,7 @@ static void tb_activate_pcie_devices(struct tb *tb) + tb_port_info(up_port, + "PCIe tunnel activation failed, aborting\n"); + tb_pci_free(tunnel); ++ continue; + } + + list_add(&tunnel->list, &tcm->tunnel_list); +-- +2.15.0 + diff --git a/queue/tracing-Allocate-mask_str-buffer-dynamically.patch b/queue/tracing-Allocate-mask_str-buffer-dynamically.patch new file mode 100644 index 0000000..26fc05d --- /dev/null +++ b/queue/tracing-Allocate-mask_str-buffer-dynamically.patch 
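Review bot: After the added `continue;` in tb_activate_pcie_devices(), the message logged just above still reads "PCIe tunnel activation failed, aborting", although the code now moves on to the next iteration rather than stopping. Wording such as `"PCIe tunnel activation failed, skipping\n"` would match the behaviour and avoid misleading whoever reads the log after a failure. The enclosing loop starts outside the hunk.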
@@ -0,0 +1,96 @@ +From 90e406f96f630c07d631a021fd4af10aac913e77 Mon Sep 17 00:00:00 2001 +From: Changbin Du <changbin.du@intel.com> +Date: Thu, 30 Nov 2017 11:39:43 +0800 +Subject: [PATCH] tracing: Allocate mask_str buffer dynamically + +commit 90e406f96f630c07d631a021fd4af10aac913e77 upstream. + +The default NR_CPUS can be very large, but actual possible nr_cpu_ids +usually is very small. For my x86 distribution, the NR_CPUS is 8192 and +nr_cpu_ids is 4. About 2 pages are wasted. + +Most machines don't have so many CPUs, so define a array with NR_CPUS +just wastes memory. So let's allocate the buffer dynamically when need. + +With this change, the mutext tracing_cpumask_update_lock also can be +removed now, which was used to protect mask_str. + +Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com + +Fixes: 36dfe9252bd4c ("ftrace: make use of tracing_cpumask") +Cc: stable@vger.kernel.org +Signed-off-by: Changbin Du <changbin.du@intel.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 5815ec16edd4..9f3f043ba3b7 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4178,37 +4178,30 @@ static const struct file_operations show_traces_fops = { + .llseek = seq_lseek, + }; + +-/* +- * The tracer itself will not take this lock, but still we want +- * to provide a consistent cpumask to user-space: +- */ +-static DEFINE_MUTEX(tracing_cpumask_update_lock); +- +-/* +- * Temporary storage for the character representation of the +- * CPU bitmask (and one more byte for the newline): +- */ +-static char mask_str[NR_CPUS + 1]; +- + static ssize_t + tracing_cpumask_read(struct file *filp, char __user *ubuf, + size_t count, loff_t *ppos) + { + struct trace_array *tr = file_inode(filp)->i_private; ++ char *mask_str; + int len; + +- mutex_lock(&tracing_cpumask_update_lock); ++ len = snprintf(NULL, 0, "%*pb\n", ++ cpumask_pr_args(tr->tracing_cpumask)) + 1; 
++ mask_str = kmalloc(len, GFP_KERNEL); ++ if (!mask_str) ++ return -ENOMEM; + +- len = snprintf(mask_str, count, "%*pb\n", ++ len = snprintf(mask_str, len, "%*pb\n", + cpumask_pr_args(tr->tracing_cpumask)); + if (len >= count) { + count = -EINVAL; + goto out_err; + } +- count = simple_read_from_buffer(ubuf, count, ppos, mask_str, NR_CPUS+1); ++ count = simple_read_from_buffer(ubuf, count, ppos, mask_str, len); + + out_err: +- mutex_unlock(&tracing_cpumask_update_lock); ++ kfree(mask_str); + + return count; + } +@@ -4228,8 +4221,6 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, + if (err) + goto err_unlock; + +- mutex_lock(&tracing_cpumask_update_lock); +- + local_irq_disable(); + arch_spin_lock(&tr->max_lock); + for_each_tracing_cpu(cpu) { +@@ -4252,8 +4243,6 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf, + local_irq_enable(); + + cpumask_copy(tr->tracing_cpumask, tracing_cpumask_new); +- +- mutex_unlock(&tracing_cpumask_update_lock); + free_cpumask_var(tracing_cpumask_new); + + return count; +-- +2.15.0 + diff --git a/queue/tty-fix-oops-when-rmmod-8250.patch b/queue/tty-fix-oops-when-rmmod-8250.patch new file mode 100644 index 0000000..e045a50 --- /dev/null +++ b/queue/tty-fix-oops-when-rmmod-8250.patch 
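Review bot: tracing_cpumask_read() now mixes an `int len` with the `size_t count`: `if (len >= count)` compares after converting `len` to unsigned, and the error path stores `-EINVAL` into the unsigned `count` before returning it. It gives the intended result as long as snprintf() never returns a negative value here, but a separate `ssize_t ret` for the result, with the length kept in a `size_t`, would make the signedness explicit. Separately, with tracing_cpumask_update_lock removed, the read can format the mask while tracing_cpumask_write() is inside `cpumask_copy()`. If a momentarily mixed mask is acceptable to user space, a short comment saying so would record that decision.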
@@ -0,0 +1,87 @@ +From c79dde629d2027ca80329c62854a7635e623d527 Mon Sep 17 00:00:00 2001 +From: nixiaoming <nixiaoming@huawei.com> +Date: Fri, 15 Sep 2017 17:45:56 +0800 +Subject: [PATCH] tty fix oops when rmmod 8250 + +commit c79dde629d2027ca80329c62854a7635e623d527 upstream. + +After rmmod 8250.ko +tty_kref_put starts kwork (release_one_tty) to release proc interface +oops when accessing driver->driver_name in proc_tty_unregister_driver + +Use jprobe, found driver->driver_name point to 8250.ko +static static struct uart_driver serial8250_reg +.driver_name= serial, + +Use name in proc_dir_entry instead of driver->driver_name to fix oops + +test on linux 4.1.12: + +BUG: unable to handle kernel paging request at ffffffffa01979de +IP: [<ffffffff81310f40>] strchr+0x0/0x30 +PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: ... ... [last unloaded: 8250] +CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G O 4.1.12 #1 +Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015 +Workqueue: events release_one_tty +task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000 +RIP: 0010:[<ffffffff81310f40>] [<ffffffff81310f40>] strchr+0x0/0x30 +RSP: 0018:ffff880852887c90 EFLAGS: 00010282 +RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004 +RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de +RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0 +R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de +R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840 +FS: 0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0 +Stack: + ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2 + ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010 + ffff88085bb28bd8 ffff880852887d38 
ffffffff812354f0 ffff880852887d08 +Call Trace: + [<ffffffff812349b1>] ? __xlate_proc_name+0x71/0xd0 + [<ffffffff812354f0>] remove_proc_entry+0x40/0x180 + [<ffffffff815f6811>] ? _raw_spin_lock_irqsave+0x41/0x60 + [<ffffffff813be520>] ? destruct_tty_driver+0x60/0xe0 + [<ffffffff81237c68>] proc_tty_unregister_driver+0x28/0x40 + [<ffffffff813be548>] destruct_tty_driver+0x88/0xe0 + [<ffffffff813be5bd>] tty_driver_kref_put+0x1d/0x20 + [<ffffffff813becca>] release_one_tty+0x5a/0xd0 + [<ffffffff81074159>] process_one_work+0x139/0x420 + [<ffffffff810745a1>] worker_thread+0x121/0x450 + [<ffffffff81074480>] ? process_scheduled_works+0x40/0x40 + [<ffffffff8107a16c>] kthread+0xec/0x110 + [<ffffffff81080000>] ? tg_rt_schedulable+0x210/0x220 + [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80 + [<ffffffff815f7292>] ret_from_fork+0x42/0x70 + [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80 + +Signed-off-by: nixiaoming <nixiaoming@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/fs/proc/proc_tty.c b/fs/proc/proc_tty.c +index 901bd06f437d..20e2c18e2b47 100644 +--- a/fs/proc/proc_tty.c ++++ b/fs/proc/proc_tty.c +@@ -14,6 +14,7 @@ + #include <linux/tty.h> + #include <linux/seq_file.h> + #include <linux/bitops.h> ++#include "internal.h" + + /* + * The /proc/tty directory inodes... +@@ -164,7 +165,7 @@ void proc_tty_unregister_driver(struct tty_driver *driver) + if (!ent) + return; + +- remove_proc_entry(driver->driver_name, proc_tty_driver); ++ remove_proc_entry(ent->name, proc_tty_driver); + + driver->proc_entry = NULL; + } +-- +2.15.0 + diff --git a/queue/udf-Avoid-overflow-when-session-starts-at-large-offs.patch b/queue/udf-Avoid-overflow-when-session-starts-at-large-offs.patch new file mode 100644 index 0000000..4ce4b74 --- /dev/null +++ b/queue/udf-Avoid-overflow-when-session-starts-at-large-offs.patch 
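Review bot: `remove_proc_entry(ent->name, proc_tty_driver)` in proc_tty_unregister_driver() has to pull in fs/proc's "internal.h" to reach `ent->name`, and then looks the entry up again by name although the entry pointer is already in hand. `proc_remove(ent);` should remove the same entry without touching driver-owned strings or proc internals, and the added `#include "internal.h"` could then be dropped. The declaration and assignment of `ent` are above the hunk, so this assumes it is the `driver->proc_entry` pointer.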
@@ -0,0 +1,30 @@
+From abdc0eb06964fe1d2fea6dd1391b734d0590365d Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 16 Oct 2017 11:38:11 +0200
+Subject: [PATCH] udf: Avoid overflow when session starts at large offset
+
+commit abdc0eb06964fe1d2fea6dd1391b734d0590365d upstream.
+
+When session starts beyond offset 2^31 the arithmetics in
+udf_check_vsd() would overflow. Make sure the computation is done in
+large enough type.
+
+Reported-by: Cezary Sliwa <sliwa@ifpan.edu.pl>
+Signed-off-by: Jan Kara <jack@suse.cz>
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 99cb81d0077f..08bf097507f6 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -703,7 +703,7 @@ static loff_t udf_check_vsd(struct super_block *sb)
+ else
+ sectorsize = sb->s_blocksize;
+
+- sector += (sbi->s_session << sb->s_blocksize_bits);
++ sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits);
+
+ udf_debug("Starting at sector %u (%ld byte sectors)\n",
+ (unsigned int)(sector >> sb->s_blocksize_bits),
+--
+2.15.0
+
diff --git a/queue/usb-musb-da8xx-fix-babble-condition-handling.patch b/queue/usb-musb-da8xx-fix-babble-condition-handling.patch
new file mode 100644
index 0000000..3465f1d
--- /dev/null
+++ b/queue/usb-musb-da8xx-fix-babble-condition-handling.patch
@@ -0,0 +1,46 @@
+From bd3486ded7a0c313a6575343e6c2b21d14476645 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Tue, 5 Dec 2017 08:45:30 -0600
+Subject: [PATCH] usb: musb: da8xx: fix babble condition handling
+
+commit bd3486ded7a0c313a6575343e6c2b21d14476645 upstream.
+
+When babble condition happens, the musb controller might automatically
+turns off VBUS. On DA8xx platform, the controller generates drvvbus
+interrupt for turning off VBUS along with the babble interrupt.
+
+In this case, we should handle the babble interrupt first and recover
+from the babble condition.
+
+This change ignores the drvvbus interrupt if babble interrupt is also
+generated at the same time, so the babble recovery routine works
+properly.
+
+Cc: stable@vger.kernel.org # v3.16+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/usb/musb/da8xx.c b/drivers/usb/musb/da8xx.c
+index 0397606a211b..6c036de63272 100644
+--- a/drivers/usb/musb/da8xx.c
++++ b/drivers/usb/musb/da8xx.c
+@@ -284,7 +284,15 @@ static irqreturn_t da8xx_musb_interrupt(int irq, void *hci)
+ musb->xceiv->otg->state = OTG_STATE_A_WAIT_VRISE;
+ portstate(musb->port1_status |= USB_PORT_STAT_POWER);
+ del_timer(&musb->dev_timer);
+- } else {
++ } else if (!(musb->int_usb & MUSB_INTR_BABBLE)) {
++ /*
++ * When babble condition happens, drvvbus interrupt
++ * is also generated. Ignore this drvvbus interrupt
++ * and let babble interrupt handler recovers the
++ * controller; otherwise, the host-mode flag is lost
++ * due to the MUSB_DEV_MODE() call below and babble
++ * recovery logic will not be called.
++ */
+ musb->is_active = 0;
+ MUSB_DEV_MODE(musb);
+ otg->default_a = 0;
+--
+2.15.0
+
diff --git a/queue/usb-xhci-fix-TDS-for-MTK-xHCI1.1.patch b/queue/usb-xhci-fix-TDS-for-MTK-xHCI1.1.patch
new file mode 100644
index 0000000..53d3dad
--- /dev/null
+++ b/queue/usb-xhci-fix-TDS-for-MTK-xHCI1.1.patch
@@ -0,0 +1,47 @@
+From 72b663a99c074a8d073e7ecdae446cfb024ef551 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Fri, 8 Dec 2017 18:10:06 +0200
+Subject: [PATCH] usb: xhci: fix TDS for MTK xHCI1.1
+
+commit 72b663a99c074a8d073e7ecdae446cfb024ef551 upstream.
+
+For MTK's xHCI 1.0 or latter, TD size is the number of max
+packet sized packets remaining in the TD, not including
+this TRB (following spec).
+
+For MTK's xHCI 0.96 and older, TD size is the number of max
+packet sized packets remaining in the TD, including this TRB
+(not following spec).
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 6eb87c6e4d24..c5cbc685c691 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3112,7 +3112,7 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred,
+ {
+ u32 maxp, total_packet_count;
+
+- /* MTK xHCI is mostly 0.97 but contains some features from 1.0 */
++ /* MTK xHCI 0.96 contains some features from 1.0 */
+ if (xhci->hci_version < 0x100 && !(xhci->quirks & XHCI_MTK_HOST))
+ return ((td_total_len - transferred) >> 10);
+
+@@ -3121,8 +3121,8 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred,
+ trb_buff_len == td_total_len)
+ return 0;
+
+- /* for MTK xHCI, TD size doesn't include this TRB */
+- if (xhci->quirks & XHCI_MTK_HOST)
++ /* for MTK xHCI 0.96, TD size include this TRB, but not in 1.x */
++ if ((xhci->quirks & XHCI_MTK_HOST) && (xhci->hci_version < 0x100))
+ trb_buff_len = 0;
+
+ maxp = usb_endpoint_maxp(&urb->ep->desc);
+--
+2.15.0
+
diff --git a/queue/usbip-fix-stub_rx-get_pipe-to-validate-endpoint-numb.patch b/queue/usbip-fix-stub_rx-get_pipe-to-validate-endpoint-numb.patch
new file mode 100644
index 0000000..908abe0
--- /dev/null
+++ b/queue/usbip-fix-stub_rx-get_pipe-to-validate-endpoint-numb.patch
@@ -0,0 +1,71 @@ +From 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Thu, 7 Dec 2017 14:16:47 -0700 +Subject: [PATCH] usbip: fix stub_rx: get_pipe() to validate endpoint number + +commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 upstream. + +get_pipe() routine doesn't validate the input endpoint number +and uses to reference ep_in and ep_out arrays. Invalid endpoint +number can trigger BUG(). Range check the epnum and returning +error instead of calling BUG(). + +Change caller stub_recv_cmd_submit() to handle the get_pipe() +error return. + +Reported-by: Secunia Research <vuln@secunia.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 536e037f541f..4d61063c259d 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -328,15 +328,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + struct usb_host_endpoint *ep; + struct usb_endpoint_descriptor *epd = NULL; + ++ if (epnum < 0 || epnum > 15) ++ goto err_ret; ++ + if (dir == USBIP_DIR_IN) + ep = udev->ep_in[epnum & 0x7f]; + else + ep = udev->ep_out[epnum & 0x7f]; +- if (!ep) { +- dev_err(&sdev->udev->dev, "no such endpoint?, %d\n", +- epnum); +- BUG(); +- } ++ if (!ep) ++ goto err_ret; + + epd = &ep->desc; + if (usb_endpoint_xfer_control(epd)) { +@@ -367,9 +367,10 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + return usb_rcvisocpipe(udev, epnum); + } + ++err_ret: + /* NOT REACHED */ +- dev_err(&sdev->udev->dev, "get pipe, epnum %d\n", epnum); +- return 0; ++ dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); ++ return -1; + } + + static void masking_bogus_flags(struct urb *urb) +@@ -435,6 +436,9 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + struct usb_device 
*udev = sdev->udev; + int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + ++ if (pipe == -1) ++ return; ++ + priv = stub_priv_alloc(sdev, pdu); + if (!priv) + return; +-- +2.15.0 + diff --git a/queue/usbip-fix-stub_rx-harden-CMD_SUBMIT-path-to-handle-m.patch b/queue/usbip-fix-stub_rx-harden-CMD_SUBMIT-path-to-handle-m.patch new file mode 100644 index 0000000..5a7c782 --- /dev/null +++ b/queue/usbip-fix-stub_rx-harden-CMD_SUBMIT-path-to-handle-m.patch 
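Review bot: The `err_ret:` label in get_pipe() keeps the old `/* NOT REACHED */` comment, but after this change it is the normal exit for an out-of-range or missing endpoint, so the comment now misleads; replace it with something like `/* invalid or unknown endpoint */`. With `epnum` already limited to 0..15 by the new range check, the `& 0x7f` masks on the `ep_in`/`ep_out` indexes are redundant and could be dropped. In stub_recv_cmd_submit() the new `if (pipe == -1) return;` drops the request without any visible reply; whether the peer is told about the failure or the connection is torn down is decided outside this hunk, so it is worth confirming that a rejected CMD_SUBMIT cannot leave the client waiting.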
@@ -0,0 +1,107 @@ +From c6688ef9f29762e65bce325ef4acd6c675806366 Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Thu, 7 Dec 2017 14:16:48 -0700 +Subject: [PATCH] usbip: fix stub_rx: harden CMD_SUBMIT path to handle + malicious input + +commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream. + +Harden CMD_SUBMIT path to handle malicious input that could trigger +large memory allocations. Add checks to validate transfer_buffer_length +and number_of_packets to protect against bad input requesting for +unbounded memory allocations. Validate early in get_pipe() and return +failure. + +Reported-by: Secunia Research <vuln@secunia.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 4d61063c259d..493ac2928391 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -322,11 +322,13 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, + return priv; + } + +-static int get_pipe(struct stub_device *sdev, int epnum, int dir) ++static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + { + struct usb_device *udev = sdev->udev; + struct usb_host_endpoint *ep; + struct usb_endpoint_descriptor *epd = NULL; ++ int epnum = pdu->base.ep; ++ int dir = pdu->base.direction; + + if (epnum < 0 || epnum > 15) + goto err_ret; +@@ -339,6 +341,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + goto err_ret; + + epd = &ep->desc; ++ ++ /* validate transfer_buffer_length */ ++ if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) { ++ dev_err(&sdev->udev->dev, ++ "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n", ++ pdu->u.cmd_submit.transfer_buffer_length); ++ return -1; ++ } ++ + if (usb_endpoint_xfer_control(epd)) { + if (dir == USBIP_DIR_OUT) + return usb_sndctrlpipe(udev, epnum); +@@ -361,6 
+372,21 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + } + + if (usb_endpoint_xfer_isoc(epd)) { ++ /* validate packet size and number of packets */ ++ unsigned int maxp, packets, bytes; ++ ++ maxp = usb_endpoint_maxp(epd); ++ maxp *= usb_endpoint_maxp_mult(epd); ++ bytes = pdu->u.cmd_submit.transfer_buffer_length; ++ packets = DIV_ROUND_UP(bytes, maxp); ++ ++ if (pdu->u.cmd_submit.number_of_packets < 0 || ++ pdu->u.cmd_submit.number_of_packets > packets) { ++ dev_err(&sdev->udev->dev, ++ "CMD_SUBMIT: isoc invalid num packets %d\n", ++ pdu->u.cmd_submit.number_of_packets); ++ return -1; ++ } + if (dir == USBIP_DIR_OUT) + return usb_sndisocpipe(udev, epnum); + else +@@ -369,7 +395,7 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) + + err_ret: + /* NOT REACHED */ +- dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); ++ dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); + return -1; + } + +@@ -434,7 +460,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + struct stub_priv *priv; + struct usbip_device *ud = &sdev->ud; + struct usb_device *udev = sdev->udev; +- int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); ++ int pipe = get_pipe(sdev, pdu); + + if (pipe == -1) + return; +@@ -456,7 +482,8 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + } + + /* allocate urb transfer buffer, if needed */ +- if (pdu->u.cmd_submit.transfer_buffer_length > 0) { ++ if (pdu->u.cmd_submit.transfer_buffer_length > 0 && ++ pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) { + priv->urb->transfer_buffer = + kzalloc(pdu->u.cmd_submit.transfer_buffer_length, + GFP_KERNEL); +-- +2.15.0 + diff --git a/queue/usbip-fix-stub_send_ret_submit-vulnerability-to-null.patch b/queue/usbip-fix-stub_send_ret_submit-vulnerability-to-null.patch new file mode 100644 index 0000000..060d0af --- /dev/null +++ b/queue/usbip-fix-stub_send_ret_submit-vulnerability-to-null.patch 
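Review bot: The `transfer_buffer_length > INT_MAX` test in get_pipe() and the matching `<= INT_MAX` test before `kzalloc()` look ineffective: the field is printed with `%d`, and if it is a signed 32-bit member the first comparison is never true and the second always is, so neither rejects anything and lengths up to INT_MAX still reach `kzalloc()`. An explicit `if (pdu->u.cmd_submit.transfer_buffer_length < 0)` would reject the malformed value, and a protocol-level maximum would bound the allocation far better than INT_MAX. In the isochronous branch `maxp` comes from the endpoint descriptor and is the divisor in `DIV_ROUND_UP(bytes, maxp)`; a descriptor reporting a zero packet size would divide by zero, so guard it first with `if (!maxp) return -1;`. The struct definition is outside the hunk, so the field's signedness should be confirmed there.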
@@ -0,0 +1,39 @@
+From be6123df1ea8f01ee2f896a16c2b7be3e4557a5a Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Thu, 7 Dec 2017 14:16:50 -0700
+Subject: [PATCH] usbip: fix stub_send_ret_submit() vulnerability to null
+ transfer_buffer
+
+commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream.
+
+stub_send_ret_submit() handles urb with a potential null transfer_buffer,
+when it replays a packet with potential malicious data that could contain
+a null buffer. Add a check for the condition when actual_length > 0 and
+transfer_buffer is null.
+
+Reported-by: Secunia Research <vuln@secunia.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c
+index b18bce96c212..53172b1f6257 100644
+--- a/drivers/usb/usbip/stub_tx.c
++++ b/drivers/usb/usbip/stub_tx.c
+@@ -167,6 +167,13 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+ memset(&pdu_header, 0, sizeof(pdu_header));
+ memset(&msg, 0, sizeof(msg));
+
++ if (urb->actual_length > 0 && !urb->transfer_buffer) {
++ dev_err(&sdev->udev->dev,
++ "urb: actual_length %d transfer_buffer null\n",
++ urb->actual_length);
++ return -1;
++ }
++
+ if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
+ iovnum = 2 + urb->number_of_packets;
+ else
+--
+2.15.0
+
diff --git a/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch b/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch
new file mode 100644
index 0000000..076f83e
--- /dev/null
+++ b/queue/usbip-prevent-vhci_hcd-driver-from-leaking-a-socket-.patch
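Review bot: The new early `return -1` in stub_send_ret_submit() leaves without any visible cleanup or error event, and the hunk does not show what the function's other failure paths do; if they report the failure to the usbip event handler before returning, this path should do the same so the connection is shut down rather than left stalled. `urb->actual_length` is printed with `%d`; if the member is unsigned, `%u` is the matching specifier. The function body starts and ends outside the hunk, so both points need checking against the full function.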
@@ -0,0 +1,132 @@ +From 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Thu, 7 Dec 2017 14:16:49 -0700 +Subject: [PATCH] usbip: prevent vhci_hcd driver from leaking a socket pointer + address + +commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. + +When a client has a USB device attached over IP, the vhci_hcd driver is +locally leaking a socket pointer address via the + +/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug +output when "usbip --debug port" is run. + +Fix it to not leak. The socket pointer address is not used at the moment +and it was made visible as a convenient way to find IP address from socket +pointer address by looking up /proc/net/{tcp,tcp6}. + +As this opens a security hole, the fix replaces socket pointer address with +sockfd. + +Reported-by: Secunia Research <vuln@secunia.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index e5de35c8c505..473fb8a87289 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -256,6 +256,7 @@ struct usbip_device { + /* lock for status */ + spinlock_t lock; + ++ int sockfd; + struct socket *tcp_socket; + + struct task_struct *tcp_rx; +diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c +index e78f7472cac4..091f76b7196d 100644 +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -17,15 +17,20 @@ + + /* + * output example: +- * hub port sta spd dev socket local_busid +- * hs 0000 004 000 00000000 c5a7bb80 1-2.3 ++ * hub port sta spd dev sockfd local_busid ++ * hs 0000 004 000 00000000 3 1-2.3 + * ................................................ 
+- * ss 0008 004 000 00000000 d8cee980 2-3.4 ++ * ss 0008 004 000 00000000 4 2-3.4 + * ................................................ + * +- * IP address can be retrieved from a socket pointer address by looking +- * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a +- * port number and its peer IP address. ++ * Output includes socket fd instead of socket pointer address to avoid ++ * leaking kernel memory address in: ++ * /sys/devices/platform/vhci_hcd.0/status and in debug output. ++ * The socket pointer address is not used at the moment and it was made ++ * visible as a convenient way to find IP address from socket pointer ++ * address by looking up /proc/net/{tcp,tcp6}. As this opens a security ++ * hole, the change is made to use sockfd instead. ++ * + */ + static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vdev) + { +@@ -39,8 +44,8 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd + if (vdev->ud.status == VDEV_ST_USED) { + *out += sprintf(*out, "%03u %08x ", + vdev->speed, vdev->devid); +- *out += sprintf(*out, "%16p %s", +- vdev->ud.tcp_socket, ++ *out += sprintf(*out, "%u %s", ++ vdev->ud.sockfd, + dev_name(&vdev->udev->dev)); + + } else { +@@ -160,7 +165,8 @@ static ssize_t nports_show(struct device *dev, struct device_attribute *attr, + char *s = out; + + /* +- * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, thus the * 2. ++ * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, ++ * thus the * 2. 
+ */ + out += sprintf(out, "%d\n", VHCI_PORTS * vhci_num_controllers); + return out - s; +@@ -366,6 +372,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, + + vdev->devid = devid; + vdev->speed = speed; ++ vdev->ud.sockfd = sockfd; + vdev->ud.tcp_socket = socket; + vdev->ud.status = VDEV_ST_NOTASSIGNED; + +diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c +index 627d1dfc332b..c9c81614a66a 100644 +--- a/tools/usb/usbip/libsrc/vhci_driver.c ++++ b/tools/usb/usbip/libsrc/vhci_driver.c +@@ -50,14 +50,14 @@ static int parse_status(const char *value) + + while (*c != '\0') { + int port, status, speed, devid; +- unsigned long socket; ++ int sockfd; + char lbusid[SYSFS_BUS_ID_SIZE]; + struct usbip_imported_device *idev; + char hub[3]; + +- ret = sscanf(c, "%2s %d %d %d %x %lx %31s\n", ++ ret = sscanf(c, "%2s %d %d %d %x %u %31s\n", + hub, &port, &status, &speed, +- &devid, &socket, lbusid); ++ &devid, &sockfd, lbusid); + + if (ret < 5) { + dbg("sscanf failed: %d", ret); +@@ -66,7 +66,7 @@ static int parse_status(const char *value) + + dbg("hub %s port %d status %d speed %d devid %x", + hub, port, status, speed, devid); +- dbg("socket %lx lbusid %s", socket, lbusid); ++ dbg("sockfd %u lbusid %s", sockfd, lbusid); + + /* if a device is connected, look at it */ + idev = &vhci_driver->idev[port]; +-- +2.15.0 + diff --git a/queue/video-fbdev-au1200fb-Release-some-resources-if-a-mem.patch b/queue/video-fbdev-au1200fb-Release-some-resources-if-a-mem.patch new file mode 100644 index 0000000..871b85c --- /dev/null +++ b/queue/video-fbdev-au1200fb-Release-some-resources-if-a-mem.patch 
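Review bot: `sockfd` is declared `int` both in `struct usbip_device` and in parse_status(), but it is written with `%u` in port_show_vhci(), read with `%u` by `sscanf()` and logged with `%u` in `dbg()`; use `%d` in all three places, or make the member `unsigned int`, so the specifier matches the argument type. In parse_status() the unchanged `if (ret < 5)` check accepts a line on which `sockfd` and `lbusid` were not converted, and the new `dbg("sockfd %u lbusid %s", ...)` would then read them uninitialised; initialising both at declaration (`int sockfd = -1;`, `char lbusid[SYSFS_BUS_ID_SIZE] = "";`) avoids that. Nothing in the visible hunks clears `ud.sockfd` when the connection goes away, so the shutdown/reset path outside these hunks is worth checking for a stale value in the status file.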
@@ -0,0 +1,32 @@
+From 451f130602619a17c8883dd0b71b11624faffd51 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: [PATCH] video: fbdev: au1200fb: Release some resources if a memory
+ allocation fails
+
+commit 451f130602619a17c8883dd0b71b11624faffd51 upstream.
+
+We should go through the error handling code instead of returning -ENOMEM
+directly.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index 7fa41026984d..cf54168d44dc 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1702,7 +1702,8 @@ static int au1200fb_drv_probe(struct platform_device *dev)
+ if (!fbdev->fb_mem) {
+ print_err("fail to allocate frambuffer (size: %dK))",
+ fbdev->fb_len / 1024);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto failed;
+ }
+
+ /*
+--
+2.15.0
+
diff --git a/queue/video-fbdev-au1200fb-Return-an-error-code-if-a-memor.patch b/queue/video-fbdev-au1200fb-Return-an-error-code-if-a-memor.patch
new file mode 100644
index 0000000..2887a40
--- /dev/null
+++ b/queue/video-fbdev-au1200fb-Return-an-error-code-if-a-memor.patch
@@ -0,0 +1,35 @@
+From 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: [PATCH] video: fbdev: au1200fb: Return an error code if a memory
+ allocation fails
+
+commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 upstream.
+
+'ret' is known to be 0 at this point.
+In case of memory allocation error in 'framebuffer_alloc()', return
+-ENOMEM instead.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index a5facc2ad90b..7fa41026984d 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1680,8 +1680,10 @@ static int au1200fb_drv_probe(struct platform_device *dev)
+
+ fbi = framebuffer_alloc(sizeof(struct au1200fb_device),
+ &dev->dev);
+- if (!fbi)
++ if (!fbi) {
++ ret = -ENOMEM;
+ goto failed;
++ }
+
+ _au1200fb_infos[plane] = fbi;
+ fbdev = fbi->par;
+--
+2.15.0
+
diff --git a/queue/video-udlfb-Fix-read-EDID-timeout.patch b/queue/video-udlfb-Fix-read-EDID-timeout.patch
new file mode 100644
index 0000000..0bbe88d
--- /dev/null
+++ b/queue/video-udlfb-Fix-read-EDID-timeout.patch
@@ -0,0 +1,46 @@
+From c98769475575c8a585f5b3952f4b5f90266f699b Mon Sep 17 00:00:00 2001
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 9 Nov 2017 18:09:30 +0100
+Subject: [PATCH] video: udlfb: Fix read EDID timeout
+
+commit c98769475575c8a585f5b3952f4b5f90266f699b upstream.
+
+While usb_control_msg function expects timeout in miliseconds, a value
+of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
+message which looks like:
+udlfb: Read EDID byte 78 failed err ffffff92
+as error is either negative errno or number of bytes transferred use %d
+format specifier.
+
+Returned EDID is in second byte, so return error when less than two bytes
+are received.
+
+Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Cc: Bernie Thompson <bernie@plugable.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+
+diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
+index ef08a104fb42..d44f14242016 100644
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -769,11 +769,11 @@ static int dlfb_get_edid(struct dlfb_data *dev, char *edid, int len)
+
+ for (i = 0; i < len; i++) {
+ ret = usb_control_msg(dev->udev,
+- usb_rcvctrlpipe(dev->udev, 0), (0x02),
+- (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
+- HZ);
+- if (ret < 1) {
+- pr_err("Read EDID byte %d failed err %x\n", i, ret);
++ usb_rcvctrlpipe(dev->udev, 0), 0x02,
++ (0x80 | (0x02 << 5)), i << 8, 0xA1,
++ rbuf, 2, USB_CTRL_GET_TIMEOUT);
++ if (ret < 2) {
++ pr_err("Read EDID byte %d failed: %d\n", i, ret);
+ i--;
+ break;
+ }
+--
+2.15.0
+
diff --git a/queue/vt6655-Fix-a-possible-sleep-in-atomic-bug-in-vt6655_.patch b/queue/vt6655-Fix-a-possible-sleep-in-atomic-bug-in-vt6655_.patch
new file mode 100644
index 0000000..9c94297
--- /dev/null
+++ b/queue/vt6655-Fix-a-possible-sleep-in-atomic-bug-in-vt6655_.patch
@@ -0,0 +1,40 @@
+From 42c8eb3f6e15367981b274cb79ee4657e2c6949d Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Mon, 9 Oct 2017 16:45:55 +0800
+Subject: [PATCH] vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
+
+commit 42c8eb3f6e15367981b274cb79ee4657e2c6949d upstream.
+
+The driver may sleep under a spinlock, and the function call path is:
+vt6655_suspend (acquire the spinlock)
+ pci_set_power_state
+ __pci_start_power_transition (drivers/pci/pci.c)
+ msleep --> may sleep
+
+To fix it, pci_set_power_state is called without having a spinlock.
+
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index 9fcf2e223f71..1123b4f1e1d6 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1693,10 +1693,11 @@ static int vt6655_suspend(struct pci_dev *pcid, pm_message_t state)
+ MACbShutdown(priv);
+
+ pci_disable_device(pcid);
+- pci_set_power_state(pcid, pci_choose_state(pcid, state));
+
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ pci_set_power_state(pcid, pci_choose_state(pcid, state));
++
+ return 0;
+ }
+
+--
+2.15.0
+
diff --git a/queue/x86-boot-compressed-64-Detect-and-handle-5-level-pag.patch b/queue/x86-boot-compressed-64-Detect-and-handle-5-level-pag.patch
new file mode 100644
index 0000000..513579e
--- /dev/null
+++ b/queue/x86-boot-compressed-64-Detect-and-handle-5-level-pag.patch
@@ -0,0 +1,104 @@ +From 08529078d8d9adf689bf39cc38d53979a0869970 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +Date: Mon, 4 Dec 2017 15:40:55 +0300 +Subject: [PATCH] x86/boot/compressed/64: Detect and handle 5-level paging at + boot-time + +commit 08529078d8d9adf689bf39cc38d53979a0869970 upstream. + +Prerequisite for fixing the current problem of instantaneous reboots when a +5-level paging kernel is booted on 4-level paging hardware. + +At the same time this change prepares the decompression code to boot-time +switching between 4- and 5-level paging. + +[ tglx: Folded the GCC < 5 fix. ] + +Fixes: 77ef56e4f0fb ("x86: Enable 5-level paging support via CONFIG_X86_5LEVEL=y") +Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: stable@vger.kernel.org +Cc: Andy Lutomirski <luto@amacapital.net> +Cc: linux-mm@kvack.org +Cc: Cyrill Gorcunov <gorcunov@openvz.org> +Cc: Borislav Petkov <bp@suse.de> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Link: https://lkml.kernel.org/r/20171204124059.63515-2-kirill.shutemov@linux.intel.com + +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 1e9c322e973a..f25e1530e064 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -80,6 +80,7 @@ vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr.o + ifdef CONFIG_X86_64 + vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/pagetable.o + vmlinux-objs-y += $(obj)/mem_encrypt.o ++ vmlinux-objs-y += $(obj)/pgtable_64.o + endif + + $(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index 20919b4f3133..fc313e29fe2c 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -305,10 +305,18 @@ ENTRY(startup_64) + leaq boot_stack_end(%rbx), 
%rsp + + #ifdef CONFIG_X86_5LEVEL +- /* Check if 5-level paging has already enabled */ +- movq %cr4, %rax +- testl $X86_CR4_LA57, %eax +- jnz lvl5 ++ /* ++ * Check if we need to enable 5-level paging. ++ * RSI holds real mode data and need to be preserved across ++ * a function call. ++ */ ++ pushq %rsi ++ call l5_paging_required ++ popq %rsi ++ ++ /* If l5_paging_required() returned zero, we're done here. */ ++ cmpq $0, %rax ++ je lvl5 + + /* + * At this point we are in long mode with 4-level paging enabled, +diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c +new file mode 100644 +index 000000000000..b4469a37e9a1 +--- /dev/null ++++ b/arch/x86/boot/compressed/pgtable_64.c +@@ -0,0 +1,28 @@ ++#include <asm/processor.h> ++ ++/* ++ * __force_order is used by special_insns.h asm code to force instruction ++ * serialization. ++ * ++ * It is not referenced from the code, but GCC < 5 with -fPIE would fail ++ * due to an undefined symbol. Define it to make these ancient GCCs work. ++ */ ++unsigned long __force_order; ++ ++int l5_paging_required(void) ++{ ++ /* Check if leaf 7 is supported. */ ++ ++ if (native_cpuid_eax(0) < 7) ++ return 0; ++ ++ /* Check if la57 is supported. */ ++ if (!(native_cpuid_ecx(7) & (1 << (X86_FEATURE_LA57 & 31)))) ++ return 0; ++ ++ /* Check if 5-level paging has already been enabled. */ ++ if (native_read_cr4() & X86_CR4_LA57) ++ return 0; ++ ++ return 1; ++} +-- +2.15.0 + diff --git a/queue/x86-boot-compressed-64-Print-error-if-5-level-paging.patch b/queue/x86-boot-compressed-64-Print-error-if-5-level-paging.patch new file mode 100644 index 0000000..1f8f5c2 --- /dev/null +++ b/queue/x86-boot-compressed-64-Print-error-if-5-level-paging.patch 
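Review bot: In head_64.S the result of `l5_paging_required()` is tested with `cmpq $0, %rax`, but the function added in pgtable_64.c returns `int`, so only `%eax` carries a defined value; `testl %eax, %eax` (or `cmpl $0, %eax`) checks exactly the returned bits and does not depend on how the compiler leaves the upper half of the register. The comment above `je lvl5` says only "we're done here", while the C function returns zero in three different cases; a comment such as `/* zero: no CPUID leaf 7, no LA57, or LA57 already enabled */` would tell the reader why the switch is skipped.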
@@ -0,0 +1,68 @@ +From 6d7e0ba2d2be9e50cccba213baf07e0e183c1b24 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +Date: Mon, 4 Dec 2017 15:40:56 +0300 +Subject: [PATCH] x86/boot/compressed/64: Print error if 5-level paging is not + supported + +commit 6d7e0ba2d2be9e50cccba213baf07e0e183c1b24 upstream. + +If the machine does not support the paging mode for which the kernel was +compiled, the boot process cannot continue. + +It's not possible to let the kernel detect the mismatch as it does not even +reach the point where cpu features can be evaluted due to a triple fault in +the KASLR setup. + +Instead of instantaneous silent reboot, emit an error message which gives +the user the information why the boot fails. + +Fixes: 77ef56e4f0fb ("x86: Enable 5-level paging support via CONFIG_X86_5LEVEL=y") +Reported-by: Borislav Petkov <bp@suse.de> +Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Borislav Petkov <bp@suse.de> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: stable@vger.kernel.org +Cc: Andy Lutomirski <luto@amacapital.net> +Cc: linux-mm@kvack.org +Cc: Cyrill Gorcunov <gorcunov@openvz.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Link: https://lkml.kernel.org/r/20171204124059.63515-3-kirill.shutemov@linux.intel.com + +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c +index b50c42455e25..98761a1576ce 100644 +--- a/arch/x86/boot/compressed/misc.c ++++ b/arch/x86/boot/compressed/misc.c +@@ -169,6 +169,16 @@ void __puthex(unsigned long value) + } + } + ++static bool l5_supported(void) ++{ ++ /* Check if leaf 7 is supported. */ ++ if (native_cpuid_eax(0) < 7) ++ return 0; ++ ++ /* Check if la57 is supported. 
*/ ++ return native_cpuid_ecx(7) & (1 << (X86_FEATURE_LA57 & 31)); ++} ++ + #if CONFIG_X86_NEED_RELOCS + static void handle_relocations(void *output, unsigned long output_len, + unsigned long virt_addr) +@@ -362,6 +372,12 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap, + console_init(); + debug_putstr("early console in extract_kernel\n"); + ++ if (IS_ENABLED(CONFIG_X86_5LEVEL) && !l5_supported()) { ++ error("This linux kernel as configured requires 5-level paging\n" ++ "This CPU does not support the required 'cr4.la57' feature\n" ++ "Unable to boot - please use a kernel appropriate for your CPU\n"); ++ } ++ + free_mem_ptr = heap; /* Heap */ + free_mem_end_ptr = heap + BOOT_HEAP_SIZE; + +-- +2.15.0 + diff --git a/queue/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_exten.patch b/queue/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_exten.patch new file mode 100644 index 0000000..5cdbe99 --- /dev/null +++ b/queue/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_exten.patch 
@@ -0,0 +1,37 @@
+From 5e422f5e4fd71d18bc6b851eeb3864477b3d842e Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 17 Oct 2017 14:16:19 -0700
+Subject: [PATCH] xfs: fix incorrect extent state in
+ xfs_bmap_add_extent_unwritten_real
+
+commit 5e422f5e4fd71d18bc6b851eeb3864477b3d842e upstream.
+
+There was one spot in xfs_bmap_add_extent_unwritten_real that didn't use the
+passed in new extent state but always converted to normal, leading to wrong
+behavior when converting from normal to unwritten.
+
+Only found by code inspection, it seems like this code path to move partial
+extent from written to unwritten while merging it with the next extent is
+rarely exercised.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 89263797cf32..a3cc8afed367 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -2560,7 +2560,7 @@ xfs_bmap_add_extent_unwritten_real(
+ &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 0, done);
+- cur->bc_rec.b.br_state = XFS_EXT_NORM;
++ cur->bc_rec.b.br_state = new->br_state;
+ if ((error = xfs_btree_insert(cur, &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);
+--
+2.15.0
+
diff --git a/queue/xfs-fix-log-block-underflow-during-recovery-cycle-ve.patch b/queue/xfs-fix-log-block-underflow-during-recovery-cycle-ve.patch
new file mode 100644
index 0000000..6098c66
--- /dev/null
+++ b/queue/xfs-fix-log-block-underflow-during-recovery-cycle-ve.patch
@@ -0,0 +1,44 @@
+From 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Thu, 26 Oct 2017 09:31:16 -0700
+Subject: [PATCH] xfs: fix log block underflow during recovery cycle
+ verification
+
+commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a upstream.
+
+It is possible for mkfs to format very small filesystems with too
+small of an internal log with respect to the various minimum size
+and block count requirements. If this occurs when the log happens to
+be smaller than the scan window used for cycle verification and the
+scan wraps the end of the log, the start_blk calculation in
+xlog_find_head() underflows and leads to an attempt to scan an
+invalid range of log blocks. This results in log recovery failure
+and a failed mount.
+
+Since there may be filesystems out in the wild with this kind of
+geometry, we cannot simply refuse to mount. Instead, cap the scan
+window for cycle verification to the size of the physical log. This
+ensures that the cycle verification proceeds as expected when the
+scan wraps the end of the log.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+
+diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
+index 89ce1926a021..f809deee53a8 100644
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -763,7 +763,7 @@ xlog_find_head(
+ * in the in-core log. The following number can be made tighter if
+ * we actually look at the block size of the filesystem.
+ */
+- num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
++ num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
+ if (head_blk >= num_scan_bblks) {
+ /*
+ * We are guaranteed that the entire check can be performed
+--
+2.15.0
+
diff --git a/queue/xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch b/queue/xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch
new file mode 100644
index 0000000..39c32a4
--- /dev/null
+++ b/queue/xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch
@@ -0,0 +1,32 @@
+From ed438b476b611c67089760037139f93ea8ed41d5 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:32 -0700
+Subject: [PATCH] xfs: return a distinct error code value for IGET_INCORE cache
+ misses
+
+commit ed438b476b611c67089760037139f93ea8ed41d5 upstream.
+
+For an XFS_IGET_INCORE iget operation, if the inode isn't in the cache,
+return ENODATA so that we don't confuse it with the pre-existing ENOENT
+cases (inode is in cache, but freed).
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+
+diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
+index 34227115a5d6..43005fbe8b1e 100644
+--- a/fs/xfs/xfs_icache.c
++++ b/fs/xfs/xfs_icache.c
+@@ -610,7 +610,7 @@ xfs_iget(
+ } else {
+ rcu_read_unlock();
+ if (flags & XFS_IGET_INCORE) {
+- error = -ENOENT;
++ error = -ENODATA;
+ goto out_error_or_again;
+ }
+ XFS_STATS_INC(mp, xs_ig_missed);
+--
+2.15.0
+
diff --git a/queue/xfs-truncate-pagecache-before-writeback-in-xfs_setat.patch b/queue/xfs-truncate-pagecache-before-writeback-in-xfs_setat.patch
new file mode 100644
index 0000000..cd9fe0f
--- /dev/null
+++ b/queue/xfs-truncate-pagecache-before-writeback-in-xfs_setat.patch
@@ -0,0 +1,116 @@
+From 350976ae21873b0d36584ea005076356431b8f79 Mon Sep 17 00:00:00 2001
+From: Eryu Guan <eguan@redhat.com>
+Date: Wed, 1 Nov 2017 21:43:50 -0700
+Subject: [PATCH] xfs: truncate pagecache before writeback in
+ xfs_setattr_size()
+
+commit 350976ae21873b0d36584ea005076356431b8f79 upstream.
+
+On truncate down, if new size is not block size aligned, we zero the
+rest of block to avoid exposing stale data to user, and
+iomap_truncate_page() skips zeroing if the range is already in
+unwritten state or a hole. Then we writeback from on-disk i_size to
+the new size if this range hasn't been written to disk yet, and
+truncate page cache beyond new EOF and set in-core i_size.
+
+The problem is that we could write data between di_size and newsize
+before removing the page cache beyond newsize, as the extents may
+still be in unwritten state right after a buffer write. As such, the
+page of data that newsize lies in has not been zeroed by page cache
+invalidation before it is written, and xfs_do_writepage() hasn't
+triggered it's "zero data beyond EOF" case because we haven't
+updated in-core i_size yet. Then a subsequent mmap read could see
+non-zeros past EOF.
+
+I occasionally see this in fsx runs in fstests generic/112, a
+simplified fsx operation sequence is like (assuming 4k block size
+xfs):
+
+ fallocate 0x0 0x1000 0x0 keep_size
+ write 0x0 0x1000 0x0
+ truncate 0x0 0x800 0x1000
+ punch_hole 0x0 0x800 0x800
+ mapread 0x0 0x800 0x800
+
+where fallocate allocates unwritten extent but doesn't update
+i_size, buffer write populates the page cache and extent is still
+unwritten, truncate skips zeroing page past new EOF and writes the
+page to disk, punch_hole invalidates the page cache, at last mapread
+reads the block back and sees non-zero beyond EOF.
+
+Fix it by moving truncate_setsize() to before writeback so the page
+cache invalidation zeros the partial page at the new EOF. This also
+triggers "zero data beyond EOF" in xfs_do_writepage() at writeback
+time, because newsize has been set and page straddles the newsize.
+
+Also fixed the wrong 'end' param of filemap_write_and_wait_range()
+call while we're at it, the 'end' is inclusive and should be
+'newsize - 1'.
+
+Suggested-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Eryu Guan <eguan@redhat.com>
+Acked-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 8b5676d244ca..56475fcd76f2 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -883,22 +883,6 @@ xfs_setattr_size(
+ if (error)
+ return error;
+
+- /*
+- * We are going to log the inode size change in this transaction so
+- * any previous writes that are beyond the on disk EOF and the new
+- * EOF that have not been written out need to be written here. If we
+- * do not write the data out, we expose ourselves to the null files
+- * problem. Note that this includes any block zeroing we did above;
+- * otherwise those blocks may not be zeroed after a crash.
+- */
+- if (did_zeroing ||
+- (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
+- error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
+- ip->i_d.di_size, newsize);
+- if (error)
+- return error;
+- }
+-
+ /*
+ * We've already locked out new page faults, so now we can safely remove
+ * pages from the page cache knowing they won't get refaulted until we
+@@ -915,9 +899,29 @@ xfs_setattr_size(
+ * user visible changes). There's not much we can do about this, except
+ * to hope that the caller sees ENOMEM and retries the truncate
+ * operation.
++ *
++ * And we update in-core i_size and truncate page cache beyond newsize
++ * before writeback the [di_size, newsize] range, so we're guaranteed
++ * not to write stale data past the new EOF on truncate down.
+ */
+ truncate_setsize(inode, newsize);
+
++ /*
++ * We are going to log the inode size change in this transaction so
++ * any previous writes that are beyond the on disk EOF and the new
++ * EOF that have not been written out need to be written here. If we
++ * do not write the data out, we expose ourselves to the null files
++ * problem. Note that this includes any block zeroing we did above;
++ * otherwise those blocks may not be zeroed after a crash.
++ */
++ if (did_zeroing ||
++ (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
++ error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
++ ip->i_d.di_size, newsize - 1);
++ if (error)
++ return error;
++ }
++
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, 0, 0, 0, &tp);
+ if (error)
+ return error;
+--
+2.15.0
+
diff --git a/queue/xhci-Don-t-add-a-virt_dev-to-the-devs-array-before-i.patch b/queue/xhci-Don-t-add-a-virt_dev-to-the-devs-array-before-i.patch
new file mode 100644
index 0000000..dba197f
--- /dev/null
+++ b/queue/xhci-Don-t-add-a-virt_dev-to-the-devs-array-before-i.patch
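Review bot: The comment added above `truncate_setsize()` in xfs_setattr_size() gives the writeback range as `[di_size, newsize]`, while the moved `filemap_write_and_wait_range()` call now passes `newsize - 1` as its inclusive end, so the comment and the code differ by one byte. I would reword that line to `* before writing back the [di_size, newsize - 1] range, so we're guaranteed`, which also repairs the "before writeback the" phrasing. The ordering this comment documents is what prevents stale data past the new EOF from reaching disk, so it is worth having the bounds stated exactly. xfs_setattr_size() begins and ends outside both inner hunks.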
@@ -0,0 +1,63 @@
+From 5d9b70f7d52eb14bb37861c663bae44de9521c35 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 8 Dec 2017 18:10:05 +0200
+Subject: [PATCH] xhci: Don't add a virt_dev to the devs array before it's
+ fully allocated
+
+commit 5d9b70f7d52eb14bb37861c663bae44de9521c35 upstream.
+
+Avoid null pointer dereference if some function is walking through the
+devs array accessing members of a new virt_dev that is mid allocation.
+
+Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its
+members are properly allocated.
+
+issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port
+
+"Quick analysis suggests that xhci_alloc_virt_device() is not mutex
+protected. If so, there is a time frame where xhci->devs[slot_id] is set
+but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 15f7d422885f..3a29b32a3bd0 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -971,10 +971,9 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
+ return 0;
+ }
+
+- xhci->devs[slot_id] = kzalloc(sizeof(*xhci->devs[slot_id]), flags);
+- if (!xhci->devs[slot_id])
++ dev = kzalloc(sizeof(*dev), flags);
++ if (!dev)
+ return 0;
+- dev = xhci->devs[slot_id];
+
+ /* Allocate the (output) device context that will be used in the HC. */
+ dev->out_ctx = xhci_alloc_container_ctx(xhci, XHCI_CTX_TYPE_DEVICE, flags);
+@@ -1015,9 +1014,17 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
+
+ trace_xhci_alloc_virt_device(dev);
+
++ xhci->devs[slot_id] = dev;
++
+ return 1;
+ fail:
+- xhci_free_virt_device(xhci, slot_id);
++
++ if (dev->in_ctx)
++ xhci_free_container_ctx(xhci, dev->in_ctx);
++ if (dev->out_ctx)
++ xhci_free_container_ctx(xhci, dev->out_ctx);
++ kfree(dev);
++
+ return 0;
+ }
+
+--
+2.15.0
+
diff --git a/queue/xprtrdma-Don-t-defer-fencing-an-async-RPC-s-chunks.patch b/queue/xprtrdma-Don-t-defer-fencing-an-async-RPC-s-chunks.patch
new file mode 100644
index 0000000..65d740a
--- /dev/null
+++ b/queue/xprtrdma-Don-t-defer-fencing-an-async-RPC-s-chunks.patch
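Review bot: The new `fail:` path in xhci_alloc_virt_device() releases only `dev->in_ctx`, `dev->out_ctx` and `dev` itself, whereas the `xhci_free_virt_device()` call it replaces tore down the whole virt_dev. The allocations between the two inner hunks are not visible here, so this needs confirming, but anything else attached to `dev` before a `goto fail` (the endpoint 0 ring, for instance) would now leak on every failed allocation. If that is the case, the path needs a matching release ahead of the context frees, along the lines of `if (dev->eps[0].ring) xhci_ring_free(xhci, dev->eps[0].ring);`. The blank line directly after the `fail:` label can also go.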
@@ -0,0 +1,44 @@
+From 8f66b1a529047a972cb9602a919c53a95f3d7a2b Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Mon, 9 Oct 2017 12:03:26 -0400
+Subject: [PATCH] xprtrdma: Don't defer fencing an async RPC's chunks
+
+commit 8f66b1a529047a972cb9602a919c53a95f3d7a2b upstream.
+
+In current kernels, waiting in xprt_release appears to be safe to
+do. I had erroneously believed that for ASYNC RPCs, waiting of any
+kind in xprt_release->xprt_rdma_free would result in deadlock. I've
+done injection testing and consulted with Trond to confirm that
+waiting in the RPC release path is safe.
+
+For the very few times where RPC resources haven't yet been released
+earlier by the reply handler, it is safe to wait synchronously in
+xprt_rdma_free for invalidation rather than defering it to MR
+recovery.
+
+Note: When the QP is error state, posting a LocalInvalidate should
+flush and mark the MR as bad. There is no way the remote HCA can
+access that MR via a QP in error state, so it is effectively already
+inaccessible and thus safe for the Upper Layer to access. The next
+time the MR is used it should be recognized and cleaned up properly
+by frwr_op_map.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
+index c84e2b644e13..8cf5ccfe180d 100644
+--- a/net/sunrpc/xprtrdma/transport.c
++++ b/net/sunrpc/xprtrdma/transport.c
+@@ -686,7 +686,7 @@ xprt_rdma_free(struct rpc_task *task)
+ dprintk("RPC: %s: called on 0x%p\n", __func__, req->rl_reply);
+
+ if (!list_empty(&req->rl_registered))
+- ia->ri_ops->ro_unmap_safe(r_xprt, req, !RPC_IS_ASYNC(task));
++ ia->ri_ops->ro_unmap_sync(r_xprt, &req->rl_registered);
+ rpcrdma_unmap_sges(ia, req);
+ rpcrdma_buffer_put(req);
+ }
+--
+2.15.0
+
|
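Review bot: The `ro_unmap_sync()` call in xprt_rdma_free() now waits for invalidation on every task, async ones included, and the call site has no comment saying that the release path may block or why the fence has to complete here. I would add above the `if (!list_empty(...))` line `/* Invalidate and fence registered MRs before the buffers are released; this waits synchronously, including for async RPCs. */`. Without it, the next reader has only the commit log to explain why the deferred `ro_unmap_safe()` path was dropped, and the fence is what keeps the remote side from reaching memory that is about to be reused. The start of xprt_rdma_free() is outside the hunk.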