4.4-stable patches

added patches:
	acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch
	ftrace-fix-removing-of-second-function-probe.patch
	irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch
	iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch
	iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch
	libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch
	scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch
	scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch
	scsi-sr-sanity-check-returned-mode-data.patch
	xen-fbfront-fix-connecting-to-backend.patch

diff --git a/queue-4.4/acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch b/queue-4.4/acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch
new file mode 100644 (file)
index 0000000..5a81e66
--- /dev/null
+++ b/queue-4.4/acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch
@@ -0,0 +1,42 @@
+From b03b99a329a14b7302f37c3ea6da3848db41c8c5 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 27 Mar 2017 21:53:38 -0700
+Subject: acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit b03b99a329a14b7302f37c3ea6da3848db41c8c5 upstream.
+
+While reviewing the -stable patch for commit 86ef58a4e35e "nfit,
+libnvdimm: fix interleave set cookie calculation" Ben noted:
+
+    "This is returning an int, thus it's effectively doing a 32-bit
+     comparison and not the 64-bit comparison you say is needed."
+
+Update the compare operation to be immune to this integer demotion problem.
+
+Cc: Nicholas Moulin <nicholas.w.moulin@linux.intel.com>
+Fixes: 86ef58a4e35e ("nfit, libnvdimm: fix interleave set cookie calculation")
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit.c
++++ b/drivers/acpi/nfit.c
+@@ -979,7 +979,11 @@ static int cmp_map(const void *m0, const
+       const struct nfit_set_info_map *map0 = m0;
+       const struct nfit_set_info_map *map1 = m1;
+ 
+-      return map0->region_offset - map1->region_offset;
++      if (map0->region_offset < map1->region_offset)
++              return -1;
++      else if (map0->region_offset > map1->region_offset)
++              return 1;
++      return 0;
+ }
+ 
+ /* Retrieve the nth entry referencing this spa */

diff --git a/queue-4.4/ftrace-fix-removing-of-second-function-probe.patch b/queue-4.4/ftrace-fix-removing-of-second-function-probe.patch
new file mode 100644 (file)
index 0000000..7cc0a13
--- /dev/null
+++ b/queue-4.4/ftrace-fix-removing-of-second-function-probe.patch
@@ -0,0 +1,174 @@
+From 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 14 Apr 2017 17:45:45 -0400
+Subject: ftrace: Fix removing of second function probe
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae upstream.
+
+When two function probes are added to set_ftrace_filter, and then one of
+them is removed, the update to the function locations is not performed, and
+the record keeping of the function states are corrupted, and causes an
+ftrace_bug() to occur.
+
+This is easily reproducable by adding two probes, removing one, and then
+adding it back again.
+
+ # cd /sys/kernel/debug/tracing
+ # echo schedule:traceoff > set_ftrace_filter
+ # echo do_IRQ:traceoff > set_ftrace_filter
+ # echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter
+ # echo do_IRQ:traceoff > set_ftrace_filter
+
+Causes:
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369 ftrace_get_addr_curr+0x143/0x220
+ Modules linked in: [...]
+ CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+ Call Trace:
+  dump_stack+0x68/0x9f
+  __warn+0x111/0x130
+  ? trace_irq_work_interrupt+0xa0/0xa0
+  warn_slowpath_null+0x1d/0x20
+  ftrace_get_addr_curr+0x143/0x220
+  ? __fentry__+0x10/0x10
+  ftrace_replace_code+0xe3/0x4f0
+  ? ftrace_int3_handler+0x90/0x90
+  ? printk+0x99/0xb5
+  ? 0xffffffff81000000
+  ftrace_modify_all_code+0x97/0x110
+  arch_ftrace_update_code+0x10/0x20
+  ftrace_run_update_code+0x1c/0x60
+  ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0
+  register_ftrace_function_probe+0x4b6/0x590
+  ? ftrace_startup+0x310/0x310
+  ? debug_lockdep_rcu_enabled.part.4+0x1a/0x30
+  ? update_stack_state+0x88/0x110
+  ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
+  ? preempt_count_sub+0x18/0xd0
+  ? mutex_lock_nested+0x104/0x800
+  ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
+  ? __unwind_start+0x1c0/0x1c0
+  ? _mutex_lock_nest_lock+0x800/0x800
+  ftrace_trace_probe_callback.isra.3+0xc0/0x130
+  ? func_set_flag+0xe0/0xe0
+  ? __lock_acquire+0x642/0x1790
+  ? __might_fault+0x1e/0x20
+  ? trace_get_user+0x398/0x470
+  ? strcmp+0x35/0x60
+  ftrace_trace_onoff_callback+0x48/0x70
+  ftrace_regex_write.isra.43.part.44+0x251/0x320
+  ? match_records+0x420/0x420
+  ftrace_filter_write+0x2b/0x30
+  __vfs_write+0xd7/0x330
+  ? do_loop_readv_writev+0x120/0x120
+  ? locks_remove_posix+0x90/0x2f0
+  ? do_lock_file_wait+0x160/0x160
+  ? __lock_is_held+0x93/0x100
+  ? rcu_read_lock_sched_held+0x5c/0xb0
+  ? preempt_count_sub+0x18/0xd0
+  ? __sb_start_write+0x10a/0x230
+  ? vfs_write+0x222/0x240
+  vfs_write+0xef/0x240
+  SyS_write+0xab/0x130
+  ? SyS_read+0x130/0x130
+  ? trace_hardirqs_on_caller+0x182/0x280
+  ? trace_hardirqs_on_thunk+0x1a/0x1c
+  entry_SYSCALL_64_fastpath+0x18/0xad
+ RIP: 0033:0x7fe61c157c30
+ RSP: 002b:00007ffe87890258 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: ffffffff8114a410 RCX: 00007fe61c157c30
+ RDX: 0000000000000010 RSI: 000055814798f5e0 RDI: 0000000000000001
+ RBP: ffff8800c9027f98 R08: 00007fe61c422740 R09: 00007fe61ca53700
+ R10: 0000000000000073 R11: 0000000000000246 R12: 0000558147a36400
+ R13: 00007ffe8788f160 R14: 0000000000000024 R15: 00007ffe8788f15c
+  ? trace_hardirqs_off_caller+0xc0/0x110
+ ---[ end trace 99fa09b3d9869c2c ]---
+ Bad trampoline accounting at: ffffffff81cc3b00 (do_IRQ+0x0/0x150)
+
+Fixes: 59df055f1991 ("ftrace: trace different functions with a different tracer")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c |   20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3677,23 +3677,24 @@ static void __enable_ftrace_function_pro
+       ftrace_probe_registered = 1;
+ }
+ 
+-static void __disable_ftrace_function_probe(void)
++static bool __disable_ftrace_function_probe(void)
+ {
+       int i;
+ 
+       if (!ftrace_probe_registered)
+-              return;
++              return false;
+ 
+       for (i = 0; i < FTRACE_FUNC_HASHSIZE; i++) {
+               struct hlist_head *hhd = &ftrace_func_hash[i];
+               if (hhd->first)
+-                      return;
++                      return false;
+       }
+ 
+       /* no more funcs left */
+       ftrace_shutdown(&trace_probe_ops, 0);
+ 
+       ftrace_probe_registered = 0;
++      return true;
+ }
+ 
+ 
+@@ -3820,6 +3821,7 @@ static void
+ __unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
+                                 void *data, int flags)
+ {
++      struct ftrace_ops_hash old_hash_ops;
+       struct ftrace_func_entry *rec_entry;
+       struct ftrace_func_probe *entry;
+       struct ftrace_func_probe *p;
+@@ -3831,6 +3833,7 @@ __unregister_ftrace_function_probe(char
+       struct hlist_node *tmp;
+       char str[KSYM_SYMBOL_LEN];
+       int i, ret;
++      bool disabled;
+ 
+       if (glob && (strcmp(glob, "*") == 0 || !strlen(glob)))
+               func_g.search = NULL;
+@@ -3849,6 +3852,10 @@ __unregister_ftrace_function_probe(char
+ 
+       mutex_lock(&trace_probe_ops.func_hash->regex_lock);
+ 
++      old_hash_ops.filter_hash = old_hash;
++      /* Probes only have filters */
++      old_hash_ops.notrace_hash = NULL;
++
+       hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, *orig_hash);
+       if (!hash)
+               /* Hmm, should report this somehow */
+@@ -3886,12 +3893,17 @@ __unregister_ftrace_function_probe(char
+               }
+       }
+       mutex_lock(&ftrace_lock);
+-      __disable_ftrace_function_probe();
++      disabled = __disable_ftrace_function_probe();
+       /*
+        * Remove after the disable is called. Otherwise, if the last
+        * probe is removed, a null hash means *all enabled*.
+        */
+       ret = ftrace_hash_move(&trace_probe_ops, 1, orig_hash, hash);
++
++      /* still need to update the function call sites */
++      if (ftrace_enabled && !disabled)
++              ftrace_run_modify_code(&trace_probe_ops, FTRACE_UPDATE_CALLS,
++                                     &old_hash_ops);
+       synchronize_sched();
+       if (!ret)
+               free_ftrace_hash_rcu(old_hash);

diff --git a/queue-4.4/irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch b/queue-4.4/irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch
new file mode 100644 (file)
index 0000000..6d827b1
--- /dev/null
+++ b/queue-4.4/irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch
@@ -0,0 +1,45 @@
+From 75eb5e1e7b4edbc8e8f930de59004d21cb46961f Mon Sep 17 00:00:00 2001
+From: Tyler Baker <tyler.baker@linaro.org>
+Date: Thu, 13 Apr 2017 15:27:31 -0700
+Subject: irqchip/irq-imx-gpcv2: Fix spinlock initialization
+
+From: Tyler Baker <tyler.baker@linaro.org>
+
+commit 75eb5e1e7b4edbc8e8f930de59004d21cb46961f upstream.
+
+The raw_spinlock in the IMX GPCV2 interupt chip is not initialized before
+usage. That results in a lockdep splat:
+
+  INFO: trying to register non-static key.
+  the code is fine but needs lockdep annotation.
+  turning off the locking correctness validator.
+
+Add the missing raw_spin_lock_init() to the setup code.
+
+Fixes: e324c4dc4a59 ("irqchip/imx-gpcv2: IMX GPCv2 driver for wakeup sources")
+Signed-off-by: Tyler Baker <tyler.baker@linaro.org>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Cc: jason@lakedaemon.net
+Cc: marc.zyngier@arm.com
+Cc: shawnguo@kernel.org
+Cc: andrew.smirnov@gmail.com
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20170413222731.5917-1-tyler.baker@linaro.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-imx-gpcv2.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/irqchip/irq-imx-gpcv2.c
++++ b/drivers/irqchip/irq-imx-gpcv2.c
+@@ -230,6 +230,8 @@ static int __init imx_gpcv2_irqchip_init
+               return -ENOMEM;
+       }
+ 
++      raw_spin_lock_init(&cd->rlock);
++
+       cd->gpc_base = of_iomap(node, 0);
+       if (!cd->gpc_base) {
+               pr_err("fsl-gpcv2: unable to map gpc registers\n");

diff --git a/queue-4.4/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch b/queue-4.4/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch
new file mode 100644 (file)
index 0000000..4fc9d3f
--- /dev/null
+++ b/queue-4.4/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch
@@ -0,0 +1,83 @@
+From 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 2 Apr 2017 13:36:44 -0700
+Subject: iscsi-target: Drop work-around for legacy GlobalSAN initiator
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 upstream.
+
+Once upon a time back in 2009, a work-around was added to support
+the GlobalSAN iSCSI initiator v3.3 for MacOSX, which during login
+did not propose nor respond to MaxBurstLength, FirstBurstLength,
+DefaultTime2Wait and DefaultTime2Retain keys.
+
+The work-around in iscsi_check_proposer_for_optional_reply()
+allowed the missing keys to be proposed, but did not require
+waiting for a response before moving to full feature phase
+operation.  This allowed GlobalSAN v3.3 to work out-of-the
+box, and for many years we didn't run into login interopt
+issues with any other initiators..
+
+Until recently, when Martin tried a QLogic 57840S iSCSI Offload
+HBA on Windows 2016 which completed login, but subsequently
+failed with:
+
+    Got unknown iSCSI OpCode: 0x43
+
+The issue was QLogic MSFT side did not propose DefaultTime2Wait +
+DefaultTime2Retain, so LIO proposes them itself, and immediately
+transitions to full feature phase because of the GlobalSAN hack.
+However, the QLogic MSFT side still attempts to respond to
+DefaultTime2Retain + DefaultTime2Wait, even though LIO has set
+ISCSI_FLAG_LOGIN_NEXT_STAGE3 + ISCSI_FLAG_LOGIN_TRANSIT
+in last login response.
+
+So while the QLogic MSFT side should have been proposing these
+two keys to start, it was doing the correct thing per RFC-3720
+attempting to respond to proposed keys before transitioning to
+full feature phase.
+
+All that said, recent versions of GlobalSAN iSCSI (v5.3.0.541)
+does correctly propose the four keys during login, making the
+original work-around moot.
+
+So in order to allow QLogic MSFT to run unmodified as-is, go
+ahead and drop this long standing work-around.
+
+Reported-by: Martin Svec <martin.svec@zoner.cz>
+Cc: Martin Svec <martin.svec@zoner.cz>
+Cc: Himanshu Madhani <Himanshu.Madhani@cavium.com>
+Cc: Arun Easi <arun.easi@cavium.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c |   16 ----------------
+ 1 file changed, 16 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -781,22 +781,6 @@ static void iscsi_check_proposer_for_opt
+               if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
+                       SET_PSTATE_REPLY_OPTIONAL(param);
+               /*
+-               * The GlobalSAN iSCSI Initiator for MacOSX does
+-               * not respond to MaxBurstLength, FirstBurstLength,
+-               * DefaultTime2Wait or DefaultTime2Retain parameter keys.
+-               * So, we set them to 'reply optional' here, and assume the
+-               * the defaults from iscsi_parameters.h if the initiator
+-               * is not RFC compliant and the keys are not negotiated.
+-               */
+-              if (!strcmp(param->name, MAXBURSTLENGTH))
+-                      SET_PSTATE_REPLY_OPTIONAL(param);
+-              if (!strcmp(param->name, FIRSTBURSTLENGTH))
+-                      SET_PSTATE_REPLY_OPTIONAL(param);
+-              if (!strcmp(param->name, DEFAULTTIME2WAIT))
+-                      SET_PSTATE_REPLY_OPTIONAL(param);
+-              if (!strcmp(param->name, DEFAULTTIME2RETAIN))
+-                      SET_PSTATE_REPLY_OPTIONAL(param);
+-              /*
+                * Required for gPXE iSCSI boot client
+                */
+               if (!strcmp(param->name, MAXCONNECTIONS))

diff --git a/queue-4.4/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch b/queue-4.4/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch
new file mode 100644 (file)
index 0000000..96b0445
--- /dev/null
+++ b/queue-4.4/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch
@@ -0,0 +1,79 @@
+From efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 23 Mar 2017 17:19:24 -0700
+Subject: iscsi-target: Fix TMR reference leak during session shutdown
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb upstream.
+
+This patch fixes a iscsi-target specific TMR reference leak
+during session shutdown, that could occur when a TMR was
+quiesced before the hand-off back to iscsi-target code
+via transport_cmd_check_stop_to_fabric().
+
+The reference leak happens because iscsit_free_cmd() was
+incorrectly skipping the final target_put_sess_cmd() for
+TMRs when transport_generic_free_cmd() returned zero because
+the se_cmd->cmd_kref did not reach zero, due to the missing
+se_cmd assignment in original code.
+
+The result was iscsi_cmd and it's associated se_cmd memory
+would be freed once se_sess->sess_cmd_map where released,
+but the associated se_tmr_req was leaked and remained part
+of se_device->dev_tmr_list.
+
+This bug would manfiest itself as kernel paging request
+OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req
+attempted to dereference it's se_cmd pointer that had
+already been released during normal session shutdown.
+
+To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD
+and ISCSI_OP_SCSI_TMFUNC the same when there is an extra
+se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use
+op_scsi to signal __iscsit_free_cmd() when the former
+needs to clear any further iscsi related I/O state.
+
+Reported-by: Rob Millner <rlm@daterainc.com>
+Cc: Rob Millner <rlm@daterainc.com>
+Reported-by: Chu Yuan Lin <cyl@datera.io>
+Cc: Chu Yuan Lin <cyl@datera.io>
+Tested-by: Chu Yuan Lin <cyl@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_util.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -731,21 +731,23 @@ void iscsit_free_cmd(struct iscsi_cmd *c
+ {
+       struct se_cmd *se_cmd = NULL;
+       int rc;
++      bool op_scsi = false;
+       /*
+        * Determine if a struct se_cmd is associated with
+        * this struct iscsi_cmd.
+        */
+       switch (cmd->iscsi_opcode) {
+       case ISCSI_OP_SCSI_CMD:
+-              se_cmd = &cmd->se_cmd;
+-              __iscsit_free_cmd(cmd, true, shutdown);
++              op_scsi = true;
+               /*
+                * Fallthrough
+                */
+       case ISCSI_OP_SCSI_TMFUNC:
+-              rc = transport_generic_free_cmd(&cmd->se_cmd, shutdown);
+-              if (!rc && shutdown && se_cmd && se_cmd->se_sess) {
+-                      __iscsit_free_cmd(cmd, true, shutdown);
++              se_cmd = &cmd->se_cmd;
++              __iscsit_free_cmd(cmd, op_scsi, shutdown);
++              rc = transport_generic_free_cmd(se_cmd, shutdown);
++              if (!rc && shutdown && se_cmd->se_sess) {
++                      __iscsit_free_cmd(cmd, op_scsi, shutdown);
+                       target_put_sess_cmd(se_cmd);
+               }
+               break;

diff --git a/queue-4.4/libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch b/queue-4.4/libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch
new file mode 100644 (file)
index 0000000..f35f6a0
--- /dev/null
+++ b/queue-4.4/libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch
@@ -0,0 +1,92 @@
+From 0beb2012a1722633515c8aaa263c73449636c893 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 7 Apr 2017 09:47:24 -0700
+Subject: libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 0beb2012a1722633515c8aaa263c73449636c893 upstream.
+
+Holding the reconfig_mutex over a potential userspace fault sets up a
+lockdep dependency chain between filesystem-DAX and the libnvdimm ioctl
+path. Move the user access outside of the lock.
+
+     [ INFO: possible circular locking dependency detected ]
+     4.11.0-rc3+ #13 Tainted: G        W  O
+     -------------------------------------------------------
+     fallocate/16656 is trying to acquire lock:
+      (&nvdimm_bus->reconfig_mutex){+.+.+.}, at: [<ffffffffa00080b1>] nvdimm_bus_lock+0x21/0x30 [libnvdimm]
+     but task is already holding lock:
+      (jbd2_handle){++++..}, at: [<ffffffff813b4944>] start_this_handle+0x104/0x460
+
+    which lock already depends on the new lock.
+
+    the existing dependency chain (in reverse order) is:
+
+    -> #2 (jbd2_handle){++++..}:
+            lock_acquire+0xbd/0x200
+            start_this_handle+0x16a/0x460
+            jbd2__journal_start+0xe9/0x2d0
+            __ext4_journal_start_sb+0x89/0x1c0
+            ext4_dirty_inode+0x32/0x70
+            __mark_inode_dirty+0x235/0x670
+            generic_update_time+0x87/0xd0
+            touch_atime+0xa9/0xd0
+            ext4_file_mmap+0x90/0xb0
+            mmap_region+0x370/0x5b0
+            do_mmap+0x415/0x4f0
+            vm_mmap_pgoff+0xd7/0x120
+            SyS_mmap_pgoff+0x1c5/0x290
+            SyS_mmap+0x22/0x30
+            entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+    -> #1 (&mm->mmap_sem){++++++}:
+            lock_acquire+0xbd/0x200
+            __might_fault+0x70/0xa0
+            __nd_ioctl+0x683/0x720 [libnvdimm]
+            nvdimm_ioctl+0x8b/0xe0 [libnvdimm]
+            do_vfs_ioctl+0xa8/0x740
+            SyS_ioctl+0x79/0x90
+            do_syscall_64+0x6c/0x200
+            return_from_SYSCALL_64+0x0/0x7a
+
+    -> #0 (&nvdimm_bus->reconfig_mutex){+.+.+.}:
+            __lock_acquire+0x16b6/0x1730
+            lock_acquire+0xbd/0x200
+            __mutex_lock+0x88/0x9b0
+            mutex_lock_nested+0x1b/0x20
+            nvdimm_bus_lock+0x21/0x30 [libnvdimm]
+            nvdimm_forget_poison+0x25/0x50 [libnvdimm]
+            nvdimm_clear_poison+0x106/0x140 [libnvdimm]
+            pmem_do_bvec+0x1c2/0x2b0 [nd_pmem]
+            pmem_make_request+0xf9/0x270 [nd_pmem]
+            generic_make_request+0x118/0x3b0
+            submit_bio+0x75/0x150
+
+Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices")
+Cc: Dave Jiang <dave.jiang@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -590,8 +590,14 @@ static int __nd_ioctl(struct nvdimm_bus
+       rc = nd_desc->ndctl(nd_desc, nvdimm, cmd, buf, buf_len);
+       if (rc < 0)
+               goto out_unlock;
++      nvdimm_bus_unlock(&nvdimm_bus->dev);
++
+       if (copy_to_user(p, buf, buf_len))
+               rc = -EFAULT;
++
++      vfree(buf);
++      return rc;
++
+  out_unlock:
+       nvdimm_bus_unlock(&nvdimm_bus->dev);
+  out:

diff --git a/queue-4.4/scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch b/queue-4.4/scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch
new file mode 100644 (file)
index 0000000..b33a112
--- /dev/null
+++ b/queue-4.4/scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch
@@ -0,0 +1,36 @@
+From 6780414519f91c2a84da9baa963a940ac916f803 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Tue, 28 Mar 2017 12:41:26 +0800
+Subject: scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
+
+From: Fam Zheng <famz@redhat.com>
+
+commit 6780414519f91c2a84da9baa963a940ac916f803 upstream.
+
+If device reports a small max_xfer_blocks and a zero opt_xfer_blocks, we
+end up using BLK_DEF_MAX_SECTORS, which is wrong and r/w of that size
+may get error.
+
+[mkp: tweaked to avoid setting rw_max twice and added typecast]
+
+Fixes: ca369d51b3e ("block/sd: Fix device-imposed transfer length limits")
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2888,7 +2888,8 @@ static int sd_revalidate_disk(struct gen
+               q->limits.io_opt = logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+               rw_max = logical_to_sectors(sdp, sdkp->opt_xfer_blocks);
+       } else
+-              rw_max = BLK_DEF_MAX_SECTORS;
++              rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
++                                    (sector_t)BLK_DEF_MAX_SECTORS);
+ 
+       /* Combine with controller limits */
+       q->limits.max_sectors = min(rw_max, queue_max_hw_sectors(q));

diff --git a/queue-4.4/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch b/queue-4.4/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch
new file mode 100644 (file)
index 0000000..c5de468
--- /dev/null
+++ b/queue-4.4/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch
@@ -0,0 +1,70 @@
+From 7c856152cb92f8eee2df29ef325a1b1f43161aff Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 4 Apr 2017 10:42:30 -0400
+Subject: scsi: sd: Fix capacity calculation with 32-bit sector_t
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 7c856152cb92f8eee2df29ef325a1b1f43161aff upstream.
+
+We previously made sure that the reported disk capacity was less than
+0xffffffff blocks when the kernel was not compiled with large sector_t
+support (CONFIG_LBDAF). However, this check assumed that the capacity
+was reported in units of 512 bytes.
+
+Add a sanity check function to ensure that we only enable disks if the
+entire reported capacity can be expressed in terms of sector_t.
+
+Reported-by: Steve Magnani <steve.magnani@digidescorp.com>
+Cc: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c |   20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2051,6 +2051,22 @@ static void read_capacity_error(struct s
+ 
+ #define READ_CAPACITY_RETRIES_ON_RESET        10
+ 
++/*
++ * Ensure that we don't overflow sector_t when CONFIG_LBDAF is not set
++ * and the reported logical block size is bigger than 512 bytes. Note
++ * that last_sector is a u64 and therefore logical_to_sectors() is not
++ * applicable.
++ */
++static bool sd_addressable_capacity(u64 lba, unsigned int sector_size)
++{
++      u64 last_sector = (lba + 1ULL) << (ilog2(sector_size) - 9);
++
++      if (sizeof(sector_t) == 4 && last_sector > U32_MAX)
++              return false;
++
++      return true;
++}
++
+ static int read_capacity_16(struct scsi_disk *sdkp, struct scsi_device *sdp,
+                                               unsigned char *buffer)
+ {
+@@ -2116,7 +2132,7 @@ static int read_capacity_16(struct scsi_
+               return -ENODEV;
+       }
+ 
+-      if ((sizeof(sdkp->capacity) == 4) && (lba >= 0xffffffffULL)) {
++      if (!sd_addressable_capacity(lba, sector_size)) {
+               sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a "
+                       "kernel compiled with support for large block "
+                       "devices.\n");
+@@ -2202,7 +2218,7 @@ static int read_capacity_10(struct scsi_
+               return sector_size;
+       }
+ 
+-      if ((sizeof(sdkp->capacity) == 4) && (lba == 0xffffffff)) {
++      if (!sd_addressable_capacity(lba, sector_size)) {
+               sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a "
+                       "kernel compiled with support for large block "
+                       "devices.\n");

diff --git a/queue-4.4/scsi-sr-sanity-check-returned-mode-data.patch b/queue-4.4/scsi-sr-sanity-check-returned-mode-data.patch
new file mode 100644 (file)
index 0000000..af0bb1a
--- /dev/null
+++ b/queue-4.4/scsi-sr-sanity-check-returned-mode-data.patch
@@ -0,0 +1,46 @@
+From a00a7862513089f17209b732f230922f1942e0b9 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Fri, 17 Mar 2017 08:47:14 -0400
+Subject: scsi: sr: Sanity check returned mode data
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit a00a7862513089f17209b732f230922f1942e0b9 upstream.
+
+Kefeng Wang discovered that old versions of the QEMU CD driver would
+return mangled mode data causing us to walk off the end of the buffer in
+an attempt to parse it. Sanity check the returned mode sense data.
+
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sr.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -834,6 +834,7 @@ static void get_capabilities(struct scsi
+       unsigned char *buffer;
+       struct scsi_mode_data data;
+       struct scsi_sense_hdr sshdr;
++      unsigned int ms_len = 128;
+       int rc, n;
+ 
+       static const char *loadmech[] =
+@@ -860,10 +861,11 @@ static void get_capabilities(struct scsi
+       scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr);
+ 
+       /* ask for mode page 0x2a */
+-      rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, 128,
++      rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, ms_len,
+                            SR_TIMEOUT, 3, &data, NULL);
+ 
+-      if (!scsi_status_is_good(rc)) {
++      if (!scsi_status_is_good(rc) || data.length > ms_len ||
++          data.header_length + data.block_descriptor_length > data.length) {
+               /* failed, drive doesn't have capabilities mode page */
+               cd->cdi.speed = 1;
+               cd->cdi.mask |= (CDC_CD_R | CDC_CD_RW | CDC_DVD_R |

diff --git a/queue-4.4/series b/queue-4.4/series
index 988ee206f890cee2294972ec4d2520178854b04b..4ed68eb545a2dddbfa148b7dfe6cdef71e58a971 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -9,3 +9,13 @@ input-xpad-add-support-for-razer-wildcat-gamepad.patch
 perf-x86-avoid-exposing-wrong-stale-data-in-intel_pmu_lbr_read_32.patch
 x86-vdso-ensure-vdso32_enabled-gets-set-to-valid-values-only.patch
 x86-vdso-plug-race-between-mapping-and-elf-header-setup.patch
+acpi-nfit-libnvdimm-fix-interleave-set-cookie-calculation-64-bit-comparison.patch
+iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch
+iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch
+scsi-sr-sanity-check-returned-mode-data.patch
+scsi-sd-consider-max_xfer_blocks-if-opt_xfer_blocks-is-unusable.patch
+scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch
+xen-fbfront-fix-connecting-to-backend.patch
+libnvdimm-fix-reconfig_mutex-mmap_sem-and-jbd2_handle-lockdep-splat.patch
+irqchip-irq-imx-gpcv2-fix-spinlock-initialization.patch
+ftrace-fix-removing-of-second-function-probe.patch

diff --git a/queue-4.4/xen-fbfront-fix-connecting-to-backend.patch b/queue-4.4/xen-fbfront-fix-connecting-to-backend.patch
new file mode 100644 (file)
index 0000000..78e70c2
--- /dev/null
+++ b/queue-4.4/xen-fbfront-fix-connecting-to-backend.patch
@@ -0,0 +1,44 @@
+From 9121b15b5628b38b4695282dc18c553440e0f79b Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 7 Apr 2017 17:28:23 +0200
+Subject: xen, fbfront: fix connecting to backend
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 9121b15b5628b38b4695282dc18c553440e0f79b upstream.
+
+Connecting to the backend isn't working reliably in xen-fbfront: in
+case XenbusStateInitWait of the backend has been missed the backend
+transition to XenbusStateConnected will trigger the connected state
+only without doing the actions required when the backend has
+connected.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/xen-fbfront.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/xen-fbfront.c
++++ b/drivers/video/fbdev/xen-fbfront.c
+@@ -644,7 +644,6 @@ static void xenfb_backend_changed(struct
+               break;
+ 
+       case XenbusStateInitWait:
+-InitWait:
+               xenbus_switch_state(dev, XenbusStateConnected);
+               break;
+ 
+@@ -655,7 +654,8 @@ InitWait:
+                * get Connected twice here.
+                */
+               if (dev->state != XenbusStateConnected)
+-                      goto InitWait; /* no InitWait seen yet, fudge it */
++                      /* no InitWait seen yet, fudge it */
++                      xenbus_switch_state(dev, XenbusStateConnected);
+ 
+               if (xenbus_scanf(XBT_NIL, info->xbdev->otherend,
+                                "request-update", "%d", &val) < 0)