--- /dev/null
+From bd86e32059526e2d0d13ca1e4447dfbbddb6e5cc Mon Sep 17 00:00:00 2001
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Wed, 27 Sep 2017 20:28:57 +0800
+Subject: dm crypt: fix memory leak in crypt_ctr_cipher_old()
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+commit bd86e32059526e2d0d13ca1e4447dfbbddb6e5cc upstream.
+
+Fix memory leak of cipher_api.
+
+Fixes: 33d2f09fcb35 (dm crypt: introduce new format of cipher with "capi:" prefix)
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2470,6 +2470,7 @@ static int crypt_ctr_cipher_old(struct d
+ kfree(cipher_api);
+ return ret;
+ }
++ kfree(cipher_api);
+
+ return 0;
+ bad_mem:
--- /dev/null
+From 783874b050768d361239e444ba0fa396bb6d463f Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 13 Sep 2017 15:45:56 +0200
+Subject: dm crypt: reject sector_size feature if device length is not aligned to it
+
+From: Milan Broz <gmazyland@gmail.com>
+
+commit 783874b050768d361239e444ba0fa396bb6d463f upstream.
+
+If a crypt mapping uses optional sector_size feature, additional
+restrictions to mapped device segment size must be applied in
+constructor, otherwise the device activation will fail later.
+
+Fixes: 8f0009a225 ("dm crypt: optionally support larger encryption sector size")
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2588,6 +2588,10 @@ static int crypt_ctr_optional(struct dm_
+ ti->error = "Invalid feature value for sector_size";
+ return -EINVAL;
+ }
++ if (ti->len & ((cc->sector_size >> SECTOR_SHIFT) - 1)) {
++ ti->error = "Device size is not multiple of sector_size feature";
++ return -EINVAL;
++ }
+ cc->sector_shift = __ffs(cc->sector_size) - SECTOR_SHIFT;
+ } else if (!strcasecmp(opt_string, "iv_large_sectors"))
+ set_bit(CRYPT_IV_LARGE_SECTORS, &cc->cipher_flags);
--- /dev/null
+From 62e082430ea4bb5b28909ca4375bb683931e22aa Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 20 Sep 2017 07:29:49 -0400
+Subject: dm ioctl: fix alignment of event number in the device list
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 62e082430ea4bb5b28909ca4375bb683931e22aa upstream.
+
+The size of struct dm_name_list is different on 32-bit and 64-bit
+kernels (so "(nl + 1)" differs between 32-bit and 64-bit kernels).
+
+This mismatch caused some harmless difference in padding when using 32-bit
+or 64-bit kernel. Commit 23d70c5e52dd ("dm ioctl: report event number in
+DM_LIST_DEVICES") added reporting event number in the output of
+DM_LIST_DEVICES_CMD. This difference in padding makes it impossible for
+userspace to determine the location of the event number (the location
+would be different when running on 32-bit and 64-bit kernels).
+
+Fix the padding by using offsetof(struct dm_name_list, name) instead of
+sizeof(struct dm_name_list) to determine the location of entries.
+
+Also, the ioctl version number is incremented to 37 so that userspace
+can use the version number to determine that the event number is present
+and correctly located.
+
+In addition, a global event is now raised when a DM device is created,
+removed, renamed or when table is swapped, so that the user can monitor
+for device changes.
+
+Reported-by: Eugene Syromiatnikov <esyr@redhat.com>
+Fixes: 23d70c5e52dd ("dm ioctl: report event number in DM_LIST_DEVICES")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-core.h | 1 +
+ drivers/md/dm-ioctl.c | 37 ++++++++++++++++++++++++-------------
+ drivers/md/dm.c | 10 ++++++++--
+ include/uapi/linux/dm-ioctl.h | 4 ++--
+ 4 files changed, 35 insertions(+), 17 deletions(-)
+
+--- a/drivers/md/dm-core.h
++++ b/drivers/md/dm-core.h
+@@ -149,5 +149,6 @@ static inline bool dm_message_test_buffe
+
+ extern atomic_t dm_global_event_nr;
+ extern wait_queue_head_t dm_global_eventq;
++void dm_issue_global_event(void);
+
+ #endif
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -477,9 +477,13 @@ static int remove_all(struct file *filp,
+ * Round up the ptr to an 8-byte boundary.
+ */
+ #define ALIGN_MASK 7
++static inline size_t align_val(size_t val)
++{
++ return (val + ALIGN_MASK) & ~ALIGN_MASK;
++}
+ static inline void *align_ptr(void *ptr)
+ {
+- return (void *) (((size_t) (ptr + ALIGN_MASK)) & ~ALIGN_MASK);
++ return (void *)align_val((size_t)ptr);
+ }
+
+ /*
+@@ -505,7 +509,7 @@ static int list_devices(struct file *fil
+ struct hash_cell *hc;
+ size_t len, needed = 0;
+ struct gendisk *disk;
+- struct dm_name_list *nl, *old_nl = NULL;
++ struct dm_name_list *orig_nl, *nl, *old_nl = NULL;
+ uint32_t *event_nr;
+
+ down_write(&_hash_lock);
+@@ -516,17 +520,15 @@ static int list_devices(struct file *fil
+ */
+ for (i = 0; i < NUM_BUCKETS; i++) {
+ list_for_each_entry (hc, _name_buckets + i, name_list) {
+- needed += sizeof(struct dm_name_list);
+- needed += strlen(hc->name) + 1;
+- needed += ALIGN_MASK;
+- needed += (sizeof(uint32_t) + ALIGN_MASK) & ~ALIGN_MASK;
++ needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
++ needed += align_val(sizeof(uint32_t));
+ }
+ }
+
+ /*
+ * Grab our output buffer.
+ */
+- nl = get_result_buffer(param, param_size, &len);
++ nl = orig_nl = get_result_buffer(param, param_size, &len);
+ if (len < needed) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ goto out;
+@@ -549,11 +551,16 @@ static int list_devices(struct file *fil
+ strcpy(nl->name, hc->name);
+
+ old_nl = nl;
+- event_nr = align_ptr(((void *) (nl + 1)) + strlen(hc->name) + 1);
++ event_nr = align_ptr(nl->name + strlen(hc->name) + 1);
+ *event_nr = dm_get_event_nr(hc->md);
+ nl = align_ptr(event_nr + 1);
+ }
+ }
++ /*
++ * If mismatch happens, security may be compromised due to buffer
++ * overflow, so it's better to crash.
++ */
++ BUG_ON((char *)nl - (char *)orig_nl != needed);
+
+ out:
+ up_write(&_hash_lock);
+@@ -1621,7 +1628,8 @@ static int target_message(struct file *f
+ * which has a variable size, is not used by the function processing
+ * the ioctl.
+ */
+-#define IOCTL_FLAGS_NO_PARAMS 1
++#define IOCTL_FLAGS_NO_PARAMS 1
++#define IOCTL_FLAGS_ISSUE_GLOBAL_EVENT 2
+
+ /*-----------------------------------------------------------------
+ * Implementation of open/close/ioctl on the special char
+@@ -1635,12 +1643,12 @@ static ioctl_fn lookup_ioctl(unsigned in
+ ioctl_fn fn;
+ } _ioctls[] = {
+ {DM_VERSION_CMD, 0, NULL}, /* version is dealt with elsewhere */
+- {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS, remove_all},
++ {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, remove_all},
+ {DM_LIST_DEVICES_CMD, 0, list_devices},
+
+- {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS, dev_create},
+- {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS, dev_remove},
+- {DM_DEV_RENAME_CMD, 0, dev_rename},
++ {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_create},
++ {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_remove},
++ {DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename},
+ {DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend},
+ {DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status},
+ {DM_DEV_WAIT_CMD, 0, dev_wait},
+@@ -1869,6 +1877,9 @@ static int ctl_ioctl(struct file *file,
+ unlikely(ioctl_flags & IOCTL_FLAGS_NO_PARAMS))
+ DMERR("ioctl %d tried to output some data but has IOCTL_FLAGS_NO_PARAMS set", cmd);
+
++ if (!r && ioctl_flags & IOCTL_FLAGS_ISSUE_GLOBAL_EVENT)
++ dm_issue_global_event();
++
+ /*
+ * Copy the results back to userland.
+ */
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -52,6 +52,12 @@ static struct workqueue_struct *deferred
+ atomic_t dm_global_event_nr = ATOMIC_INIT(0);
+ DECLARE_WAIT_QUEUE_HEAD(dm_global_eventq);
+
++void dm_issue_global_event(void)
++{
++ atomic_inc(&dm_global_event_nr);
++ wake_up(&dm_global_eventq);
++}
++
+ /*
+ * One of these is allocated per bio.
+ */
+@@ -1865,9 +1871,8 @@ static void event_callback(void *context
+ dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
+
+ atomic_inc(&md->event_nr);
+- atomic_inc(&dm_global_event_nr);
+ wake_up(&md->eventq);
+- wake_up(&dm_global_eventq);
++ dm_issue_global_event();
+ }
+
+ /*
+@@ -2283,6 +2288,7 @@ struct dm_table *dm_swap_table(struct ma
+ }
+
+ map = __bind(md, table, &limits);
++ dm_issue_global_event();
+
+ out:
+ mutex_unlock(&md->suspend_lock);
+--- a/include/uapi/linux/dm-ioctl.h
++++ b/include/uapi/linux/dm-ioctl.h
+@@ -269,9 +269,9 @@ enum {
+ #define DM_DEV_SET_GEOMETRY _IOWR(DM_IOCTL, DM_DEV_SET_GEOMETRY_CMD, struct dm_ioctl)
+
+ #define DM_VERSION_MAJOR 4
+-#define DM_VERSION_MINOR 36
++#define DM_VERSION_MINOR 37
+ #define DM_VERSION_PATCHLEVEL 0
+-#define DM_VERSION_EXTRA "-ioctl (2017-06-09)"
++#define DM_VERSION_EXTRA "-ioctl (2017-09-20)"
+
+ /* Status bits */
+ #define DM_READONLY_FLAG (1 << 0) /* In/Out */
--- /dev/null
+From 97bce57bd7f96e1218751996f549a6e61f18cc8c Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 1 Sep 2017 17:59:15 +0300
+Subject: iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 97bce57bd7f96e1218751996f549a6e61f18cc8c upstream.
+
+The MCAST_FILTER_CMD can get quite large when we have many mcast
+addresses to set (we support up to 255). So the command should be
+send as NOCOPY to prevent a warning caused by too-long commands:
+
+WARNING: CPU: 0 PID: 9700 at /root/iwlwifi/stack-dev/drivers/net/wireless/intel/iwlwifi/pcie/tx.c:1550 iwl_pcie_enqueue_hcmd+0x8c7/0xb40 [iwlwifi]
+Command MCAST_FILTER_CMD (0x1d0) is too large (328 bytes)
+
+This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196743
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -1589,6 +1589,11 @@ static void iwl_mvm_mc_iface_iterator(vo
+ struct iwl_mvm_mc_iter_data *data = _data;
+ struct iwl_mvm *mvm = data->mvm;
+ struct iwl_mcast_filter_cmd *cmd = mvm->mcast_filter_cmd;
++ struct iwl_host_cmd hcmd = {
++ .id = MCAST_FILTER_CMD,
++ .flags = CMD_ASYNC,
++ .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
++ };
+ int ret, len;
+
+ /* if we don't have free ports, mcast frames will be dropped */
+@@ -1603,7 +1608,10 @@ static void iwl_mvm_mc_iface_iterator(vo
+ memcpy(cmd->bssid, vif->bss_conf.bssid, ETH_ALEN);
+ len = roundup(sizeof(*cmd) + cmd->count * ETH_ALEN, 4);
+
+- ret = iwl_mvm_send_cmd_pdu(mvm, MCAST_FILTER_CMD, CMD_ASYNC, len, cmd);
++ hcmd.len[0] = len;
++ hcmd.data[0] = cmd;
++
++ ret = iwl_mvm_send_cmd(mvm, &hcmd);
+ if (ret)
+ IWL_ERR(mvm, "mcast filter cmd error. ret=%d\n", ret);
+ }
--- /dev/null
+From 2fb1e946450a4fef74bb72f360555f7760d816f0 Mon Sep 17 00:00:00 2001
+From: Sam Bobroff <sam.bobroff@au1.ibm.com>
+Date: Tue, 26 Sep 2017 16:47:04 +1000
+Subject: KVM: PPC: Book3S: Fix server always zero from kvmppc_xive_get_xive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sam Bobroff <sam.bobroff@au1.ibm.com>
+
+commit 2fb1e946450a4fef74bb72f360555f7760d816f0 upstream.
+
+In KVM's XICS-on-XIVE emulation, kvmppc_xive_get_xive() returns the
+value of state->guest_server as "server". However, this value is not
+set by it's counterpart kvmppc_xive_set_xive(). When the guest uses
+this interface to migrate interrupts away from a CPU that is going
+offline, it sees all interrupts as belonging to CPU 0, so they are
+left assigned to (now) offline CPUs.
+
+This patch removes the guest_server field from the state, and returns
+act_server in it's place (that is, the CPU actually handling the
+interrupt, which may differ from the one requested).
+
+Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the XIVE interrupt controller")
+Signed-off-by: Sam Bobroff <sam.bobroff@au1.ibm.com>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_xive.c | 5 ++---
+ arch/powerpc/kvm/book3s_xive.h | 1 -
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_xive.c
++++ b/arch/powerpc/kvm/book3s_xive.c
+@@ -622,7 +622,7 @@ int kvmppc_xive_get_xive(struct kvm *kvm
+ return -EINVAL;
+ state = &sb->irq_state[idx];
+ arch_spin_lock(&sb->lock);
+- *server = state->guest_server;
++ *server = state->act_server;
+ *priority = state->guest_priority;
+ arch_spin_unlock(&sb->lock);
+
+@@ -1331,7 +1331,7 @@ static int xive_get_source(struct kvmppc
+ xive->saved_src_count++;
+
+ /* Convert saved state into something compatible with xics */
+- val = state->guest_server;
++ val = state->act_server;
+ prio = state->saved_scan_prio;
+
+ if (prio == MASKED) {
+@@ -1507,7 +1507,6 @@ static int xive_set_source(struct kvmppc
+ /* First convert prio and mark interrupt as untargetted */
+ act_prio = xive_prio_from_guest(guest_prio);
+ state->act_priority = MASKED;
+- state->guest_server = server;
+
+ /*
+ * We need to drop the lock due to the mutex below. Hopefully
+--- a/arch/powerpc/kvm/book3s_xive.h
++++ b/arch/powerpc/kvm/book3s_xive.h
+@@ -35,7 +35,6 @@ struct kvmppc_xive_irq_state {
+ struct xive_irq_data *pt_data; /* XIVE Pass-through associated data */
+
+ /* Targetting as set by guest */
+- u32 guest_server; /* Current guest selected target */
+ u8 guest_priority; /* Guest set priority */
+ u8 saved_priority; /* Saved priority when masking */
+
--- /dev/null
+From a2b7861bb33b2538420bb5d8554153484d3f961f Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Tue, 3 Oct 2017 21:36:51 +0800
+Subject: kvm/x86: Avoid async PF preempting the kernel incorrectly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit a2b7861bb33b2538420bb5d8554153484d3f961f upstream.
+
+Currently, in PREEMPT_COUNT=n kernel, kvm_async_pf_task_wait() could call
+schedule() to reschedule in some cases. This could result in
+accidentally ending the current RCU read-side critical section early,
+causing random memory corruption in the guest, or otherwise preempting
+the currently running task inside between preempt_disable and
+preempt_enable.
+
+The difficulty to handle this well is because we don't know whether an
+async PF delivered in a preemptible section or RCU read-side critical section
+for PREEMPT_COUNT=n, since preempt_disable()/enable() and rcu_read_lock/unlock()
+are both no-ops in that case.
+
+To cure this, we treat any async PF interrupting a kernel context as one
+that cannot be preempted, preventing kvm_async_pf_task_wait() from choosing
+the schedule() path in that case.
+
+To do so, a second parameter for kvm_async_pf_task_wait() is introduced,
+so that we know whether it's called from a context interrupting the
+kernel, and the parameter is set properly in all the callsites.
+
+Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_para.h | 4 ++--
+ arch/x86/kernel/kvm.c | 14 ++++++++++----
+ arch/x86/kvm/mmu.c | 2 +-
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_para.h
++++ b/arch/x86/include/asm/kvm_para.h
+@@ -88,7 +88,7 @@ static inline long kvm_hypercall4(unsign
+ bool kvm_para_available(void);
+ unsigned int kvm_arch_para_features(void);
+ void __init kvm_guest_init(void);
+-void kvm_async_pf_task_wait(u32 token);
++void kvm_async_pf_task_wait(u32 token, int interrupt_kernel);
+ void kvm_async_pf_task_wake(u32 token);
+ u32 kvm_read_and_reset_pf_reason(void);
+ extern void kvm_disable_steal_time(void);
+@@ -103,7 +103,7 @@ static inline void kvm_spinlock_init(voi
+
+ #else /* CONFIG_KVM_GUEST */
+ #define kvm_guest_init() do {} while (0)
+-#define kvm_async_pf_task_wait(T) do {} while(0)
++#define kvm_async_pf_task_wait(T, I) do {} while(0)
+ #define kvm_async_pf_task_wake(T) do {} while(0)
+
+ static inline bool kvm_para_available(void)
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -117,7 +117,11 @@ static struct kvm_task_sleep_node *_find
+ return NULL;
+ }
+
+-void kvm_async_pf_task_wait(u32 token)
++/*
++ * @interrupt_kernel: Is this called from a routine which interrupts the kernel
++ * (other than user space)?
++ */
++void kvm_async_pf_task_wait(u32 token, int interrupt_kernel)
+ {
+ u32 key = hash_32(token, KVM_TASK_SLEEP_HASHBITS);
+ struct kvm_task_sleep_head *b = &async_pf_sleepers[key];
+@@ -140,8 +144,10 @@ void kvm_async_pf_task_wait(u32 token)
+
+ n.token = token;
+ n.cpu = smp_processor_id();
+- n.halted = is_idle_task(current) || preempt_count() > 1 ||
+- rcu_preempt_depth();
++ n.halted = is_idle_task(current) ||
++ (IS_ENABLED(CONFIG_PREEMPT_COUNT)
++ ? preempt_count() > 1 || rcu_preempt_depth()
++ : interrupt_kernel);
+ init_swait_queue_head(&n.wq);
+ hlist_add_head(&n.link, &b->list);
+ raw_spin_unlock(&b->lock);
+@@ -269,7 +275,7 @@ do_async_page_fault(struct pt_regs *regs
+ case KVM_PV_REASON_PAGE_NOT_PRESENT:
+ /* page is swapped out by the host. */
+ prev_state = exception_enter();
+- kvm_async_pf_task_wait((u32)read_cr2());
++ kvm_async_pf_task_wait((u32)read_cr2(), !user_mode(regs));
+ exception_exit(prev_state);
+ break;
+ case KVM_PV_REASON_PAGE_READY:
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3799,7 +3799,7 @@ int kvm_handle_page_fault(struct kvm_vcp
+ case KVM_PV_REASON_PAGE_NOT_PRESENT:
+ vcpu->arch.apf.host_apf_reason = 0;
+ local_irq_disable();
+- kvm_async_pf_task_wait(fault_address);
++ kvm_async_pf_task_wait(fault_address, 0);
+ local_irq_enable();
+ break;
+ case KVM_PV_REASON_PAGE_READY:
--- /dev/null
+From 77082ca503bed061f7fbda7cfd7c93beda967a41 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Wed, 27 Sep 2017 21:38:59 -0400
+Subject: scsi: sd: Do not override max_sectors_kb sysfs setting
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 77082ca503bed061f7fbda7cfd7c93beda967a41 upstream.
+
+A user may lower the max_sectors_kb setting in sysfs to accommodate
+certain workloads. Previously we would always set the max I/O size to
+either the block layer default or the optional preferred I/O size
+reported by the device.
+
+Keep the current heuristics for the initial setting of max_sectors_kb.
+For subsequent invocations, only update the current queue limit if it
+exceeds the capabilities of the hardware.
+
+Reported-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Tested-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3109,8 +3109,6 @@ static int sd_revalidate_disk(struct gen
+ sd_read_security(sdkp, buffer);
+ }
+
+- sdkp->first_scan = 0;
+-
+ /*
+ * We now have all cache related info, determine how we deal
+ * with flush requests.
+@@ -3125,7 +3123,7 @@ static int sd_revalidate_disk(struct gen
+ q->limits.max_dev_sectors = logical_to_sectors(sdp, dev_max);
+
+ /*
+- * Use the device's preferred I/O size for reads and writes
++ * Determine the device's preferred I/O size for reads and writes
+ * unless the reported value is unreasonably small, large, or
+ * garbage.
+ */
+@@ -3139,8 +3137,19 @@ static int sd_revalidate_disk(struct gen
+ rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
+ (sector_t)BLK_DEF_MAX_SECTORS);
+
+- /* Combine with controller limits */
+- q->limits.max_sectors = min(rw_max, queue_max_hw_sectors(q));
++ /* Do not exceed controller limit */
++ rw_max = min(rw_max, queue_max_hw_sectors(q));
++
++ /*
++ * Only update max_sectors if previously unset or if the current value
++ * exceeds the capabilities of the hardware.
++ */
++ if (sdkp->first_scan ||
++ q->limits.max_sectors > q->limits.max_dev_sectors ||
++ q->limits.max_sectors > q->limits.max_hw_sectors)
++ q->limits.max_sectors = rw_max;
++
++ sdkp->first_scan = 0;
+
+ set_capacity(disk, logical_to_sectors(sdp, sdkp->capacity));
+ sd_config_write_same(sdkp);
--- /dev/null
+From 28a0bc4120d38a394499382ba21d6965a67a3703 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Wed, 27 Sep 2017 21:35:12 -0400
+Subject: scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 28a0bc4120d38a394499382ba21d6965a67a3703 upstream.
+
+SBC-4 states:
+
+ "A MAXIMUM UNMAP LBA COUNT field set to a non-zero value indicates the
+ maximum number of LBAs that may be unmapped by an UNMAP command"
+
+ "A MAXIMUM WRITE SAME LENGTH field set to a non-zero value indicates
+ the maximum number of contiguous logical blocks that the device server
+ allows to be unmapped or written in a single WRITE SAME command."
+
+Despite the spec being clear on the topic, some devices incorrectly
+expect WRITE SAME commands with the UNMAP bit set to be limited to the
+value reported in MAXIMUM UNMAP LBA COUNT in the Block Limits VPD.
+
+Implement a blacklist option that can be used to accommodate devices
+with this behavior.
+
+Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
+Reported-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_scan.c | 3 +++
+ drivers/scsi/sd.c | 16 ++++++++++++----
+ include/scsi/scsi_device.h | 1 +
+ include/scsi/scsi_devinfo.h | 1 +
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -956,6 +956,9 @@ static int scsi_add_lun(struct scsi_devi
+ if (*bflags & BLIST_NO_DIF)
+ sdev->no_dif = 1;
+
++ if (*bflags & BLIST_UNMAP_LIMIT_WS)
++ sdev->unmap_limit_for_ws = 1;
++
+ sdev->eh_timeout = SCSI_DEFAULT_EH_TIMEOUT;
+
+ if (*bflags & BLIST_TRY_VPD_PAGES)
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -715,13 +715,21 @@ static void sd_config_discard(struct scs
+ break;
+
+ case SD_LBP_WS16:
+- max_blocks = min_not_zero(sdkp->max_ws_blocks,
+- (u32)SD_MAX_WS16_BLOCKS);
++ if (sdkp->device->unmap_limit_for_ws)
++ max_blocks = sdkp->max_unmap_blocks;
++ else
++ max_blocks = sdkp->max_ws_blocks;
++
++ max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS16_BLOCKS);
+ break;
+
+ case SD_LBP_WS10:
+- max_blocks = min_not_zero(sdkp->max_ws_blocks,
+- (u32)SD_MAX_WS10_BLOCKS);
++ if (sdkp->device->unmap_limit_for_ws)
++ max_blocks = sdkp->max_unmap_blocks;
++ else
++ max_blocks = sdkp->max_ws_blocks;
++
++ max_blocks = min_not_zero(max_blocks, (u32)SD_MAX_WS10_BLOCKS);
+ break;
+
+ case SD_LBP_ZERO:
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -182,6 +182,7 @@ struct scsi_device {
+ unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
+ unsigned broken_fua:1; /* Don't set FUA bit */
+ unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */
++ unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */
+
+ atomic_t disk_events_disable_depth; /* disable depth for disk events */
+
+--- a/include/scsi/scsi_devinfo.h
++++ b/include/scsi/scsi_devinfo.h
+@@ -29,5 +29,6 @@
+ #define BLIST_TRY_VPD_PAGES 0x10000000 /* Attempt to read VPD pages */
+ #define BLIST_NO_RSOC 0x20000000 /* don't try to issue RSOC */
+ #define BLIST_MAX_1024 0x40000000 /* maximum 1024 sector cdb length */
++#define BLIST_UNMAP_LIMIT_WS 0x80000000 /* Use UNMAP limit for WRITE SAME */
+
+ #endif
btrfs-fix-overlap-of-fs_info-flags-values.patch
rocker-fix-rocker_tlv_put_-functions-for-kasan.patch
netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch
+dm-crypt-reject-sector_size-feature-if-device-length-is-not-aligned-to-it.patch
+dm-ioctl-fix-alignment-of-event-number-in-the-device-list.patch
+dm-crypt-fix-memory-leak-in-crypt_ctr_cipher_old.patch
+kvm-ppc-book3s-fix-server-always-zero-from-kvmppc_xive_get_xive.patch
+kvm-x86-avoid-async-pf-preempting-the-kernel-incorrectly.patch
+iwlwifi-mvm-use-iwl_hcmd_nocopy-for-mcast_filter_cmd.patch
+scsi-sd-implement-blacklist-option-for-write-same-w-unmap.patch
+scsi-sd-do-not-override-max_sectors_kb-sysfs-setting.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
