From: Greg Kroah-Hartman Date: Thu, 19 Dec 2019 11:36:31 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.207~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f04bd35b4ee9a90a02474ec04d22a026f00e058;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch dm-btree-increase-rebalance-threshold-in-__rebalance2.patch dm-thin-flush-data-device-before-committing-metadata.patch dm-thin-metadata-add-support-for-a-pre-commit-callback.patch dma-buf-fix-memory-leak-in-sync_file_merge.patch drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch scsi-iscsi-fix-a-potential-deadlock-in-the-timeout-handler.patch vfio-pci-call-irq_bypass_unregister_producer-before-freeing-irq.patch xtensa-fix-tlb-sanity-checker.patch --- diff --git a/queue-4.9/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch b/queue-4.9/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch new file mode 100644 index 00000000000..ba4d5a493da --- /dev/null +++ b/queue-4.9/arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch @@ -0,0 +1,59 @@ +From d60d0cff4ab01255b25375425745c3cff69558ad Mon Sep 17 00:00:00 2001 +From: Lihua Yao +Date: Tue, 10 Sep 2019 13:22:28 +0000 +Subject: ARM: dts: s3c64xx: Fix init order of clock providers + +From: Lihua Yao + +commit d60d0cff4ab01255b25375425745c3cff69558ad upstream. + +fin_pll is the parent of clock-controller@7e00f000, specify +the dependency to ensure proper initialization order of clock +providers. + +without this patch: +[ 0.000000] S3C6410 clocks: apll = 0, mpll = 0 +[ 0.000000] epll = 0, arm_clk = 0 + +with this patch: +[ 0.000000] S3C6410 clocks: apll = 532000000, mpll = 532000000 +[ 0.000000] epll = 24000000, arm_clk = 532000000 + +Cc: +Fixes: 3f6d439f2022 ("clk: reverse default clk provider initialization order in of_clk_init()") +Signed-off-by: Lihua Yao +Reviewed-by: Sylwester Nawrocki +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/s3c6410-mini6410.dts | 4 ++++ + arch/arm/boot/dts/s3c6410-smdk6410.dts | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/arch/arm/boot/dts/s3c6410-mini6410.dts ++++ b/arch/arm/boot/dts/s3c6410-mini6410.dts +@@ -167,6 +167,10 @@ + }; + }; + ++&clocks { ++ clocks = <&fin_pll>; ++}; ++ + &sdhci0 { + pinctrl-names = "default"; + pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>; +--- a/arch/arm/boot/dts/s3c6410-smdk6410.dts ++++ b/arch/arm/boot/dts/s3c6410-smdk6410.dts +@@ -71,6 +71,10 @@ + }; + }; + ++&clocks { ++ clocks = <&fin_pll>; ++}; ++ + &sdhci0 { + pinctrl-names = "default"; + pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>; diff --git a/queue-4.9/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch b/queue-4.9/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch new file mode 100644 index 00000000000..4c6443e4198 --- /dev/null +++ b/queue-4.9/arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch @@ -0,0 +1,44 @@ +From d70f7d31a9e2088e8a507194354d41ea10062994 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Tue, 30 Jul 2019 20:23:39 +0300 +Subject: ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() + +From: Dmitry Osipenko + +commit d70f7d31a9e2088e8a507194354d41ea10062994 upstream. + +There is an unfortunate typo in the code that results in writing to +FLOW_CTLR_HALT instead of FLOW_CTLR_CSR. + +Cc: +Acked-by: Peter De Schrijver +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-tegra/reset-handler.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-tegra/reset-handler.S ++++ b/arch/arm/mach-tegra/reset-handler.S +@@ -56,16 +56,16 @@ ENTRY(tegra_resume) + cmp r6, #TEGRA20 + beq 1f @ Yes + /* Clear the flow controller flags for this CPU. */ +- cpu_to_csr_reg r1, r0 ++ cpu_to_csr_reg r3, r0 + mov32 r2, TEGRA_FLOW_CTRL_BASE +- ldr r1, [r2, r1] ++ ldr r1, [r2, r3] + /* Clear event & intr flag */ + orr r1, r1, \ + #FLOW_CTRL_CSR_INTR_FLAG | FLOW_CTRL_CSR_EVENT_FLAG + movw r0, #0x3FFD @ enable, cluster_switch, immed, bitmaps + @ & ext flags for CPU power mgnt + bic r1, r1, r0 +- str r1, [r2] ++ str r1, [r2, r3] + 1: + + mov32 r9, 0xc09 diff --git a/queue-4.9/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch b/queue-4.9/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch new file mode 100644 index 00000000000..47243107ea6 --- /dev/null +++ b/queue-4.9/cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch @@ -0,0 +1,46 @@ +From 44805b0e62f15e90d233485420e1847133716bdc Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Tue, 12 Nov 2019 17:16:35 -0800 +Subject: CIFS: Respect O_SYNC and O_DIRECT flags during reconnect + +From: Pavel Shilovsky + +commit 44805b0e62f15e90d233485420e1847133716bdc upstream. + +Currently the client translates O_SYNC and O_DIRECT flags +into corresponding SMB create options when openning a file. +The problem is that on reconnect when the file is being +re-opened the client doesn't set those flags and it causes +a server to reject re-open requests because create options +don't match. The latter means that any subsequent system +call against that open file fail until a share is re-mounted. + +Fix this by properly setting SMB create options when +re-openning files after reconnects. + +Fixes: 1013e760d10e6: ("SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags") +Cc: Stable +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -722,6 +722,13 @@ cifs_reopen_file(struct cifsFileInfo *cf + if (backup_cred(cifs_sb)) + create_options |= CREATE_OPEN_BACKUP_INTENT; + ++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */ ++ if (cfile->f_flags & O_SYNC) ++ create_options |= CREATE_WRITE_THROUGH; ++ ++ if (cfile->f_flags & O_DIRECT) ++ create_options |= CREATE_NO_BUFFER; ++ + if (server->ops->get_lease_key) + server->ops->get_lease_key(inode, &cfile->fid); + diff --git a/queue-4.9/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch b/queue-4.9/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch new file mode 100644 index 00000000000..a95525c751e --- /dev/null +++ b/queue-4.9/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch @@ -0,0 +1,67 @@ +From 474e559567fa631dea8fb8407ab1b6090c903755 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Tue, 3 Dec 2019 19:42:58 +0800 +Subject: dm btree: increase rebalance threshold in __rebalance2() + +From: Hou Tao + +commit 474e559567fa631dea8fb8407ab1b6090c903755 upstream. + +We got the following warnings from thin_check during thin-pool setup: + + $ thin_check /dev/vdb + examining superblock + examining devices tree + missing devices: [1, 84] + too few entries in btree_node: 41, expected at least 42 (block 138, max_entries = 126) + examining mapping tree + +The phenomenon is the number of entries in one node of details_info tree is +less than (max_entries / 3). And it can be easily reproduced by the following +procedures: + + $ new a thin pool + $ presume the max entries of details_info tree is 126 + $ new 127 thin devices (e.g. 1~127) to make the root node being full + and then split + $ remove the first 43 (e.g. 1~43) thin devices to make the children + reblance repeatedly + $ stop the thin pool + $ thin_check + +The root cause is that the B-tree removal procedure in __rebalance2() +doesn't guarantee the invariance: the minimal number of entries in +non-root node should be >= (max_entries / 3). + +Simply fix the problem by increasing the rebalance threshold to +make sure the number of entries in each child will be greater +than or equal to (max_entries / 3 + 1), so no matter which +child is used for removal, the number will still be valid. + +Cc: stable@vger.kernel.org +Signed-off-by: Hou Tao +Acked-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/persistent-data/dm-btree-remove.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -203,7 +203,13 @@ static void __rebalance2(struct dm_btree + struct btree_node *right = r->n; + uint32_t nr_left = le32_to_cpu(left->header.nr_entries); + uint32_t nr_right = le32_to_cpu(right->header.nr_entries); +- unsigned threshold = 2 * merge_threshold(left) + 1; ++ /* ++ * Ensure the number of entries in each child will be greater ++ * than or equal to (max_entries / 3 + 1), so no matter which ++ * child is used for removal, the number will still be not ++ * less than (max_entries / 3). ++ */ ++ unsigned int threshold = 2 * (merge_threshold(left) + 1); + + if (nr_left + nr_right < threshold) { + /* diff --git a/queue-4.9/dm-thin-flush-data-device-before-committing-metadata.patch b/queue-4.9/dm-thin-flush-data-device-before-committing-metadata.patch new file mode 100644 index 00000000000..e8521def518 --- /dev/null +++ b/queue-4.9/dm-thin-flush-data-device-before-committing-metadata.patch @@ -0,0 +1,170 @@ +From 694cfe7f31db36912725e63a38a5179c8628a496 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Wed, 4 Dec 2019 16:07:42 +0200 +Subject: dm thin: Flush data device before committing metadata + +From: Nikos Tsironis + +commit 694cfe7f31db36912725e63a38a5179c8628a496 upstream. + +The thin provisioning target maintains per thin device mappings that map +virtual blocks to data blocks in the data device. + +When we write to a shared block, in case of internal snapshots, or +provision a new block, in case of external snapshots, we copy the shared +block to a new data block (COW), update the mapping for the relevant +virtual block and then issue the write to the new data block. + +Suppose the data device has a volatile write-back cache and the +following sequence of events occur: + +1. We write to a shared block +2. A new data block is allocated +3. We copy the shared block to the new data block using kcopyd (COW) +4. We insert the new mapping for the virtual block in the btree for that + thin device. +5. The commit timeout expires and we commit the metadata, that now + includes the new mapping from step (4). +6. The system crashes and the data device's cache has not been flushed, + meaning that the COWed data are lost. + +The next time we read that virtual block of the thin device we read it +from the data block allocated in step (2), since the metadata have been +successfully committed. The data are lost due to the crash, so we read +garbage instead of the old, shared data. + +This has the following implications: + +1. In case of writes to shared blocks, with size smaller than the pool's + block size (which means we first copy the whole block and then issue + the smaller write), we corrupt data that the user never touched. + +2. In case of writes to shared blocks, with size equal to the device's + logical block size, we fail to provide atomic sector writes. When the + system recovers the user will read garbage from that sector instead + of the old data or the new data. + +3. Even for writes to shared blocks, with size equal to the pool's block + size (overwrites), after the system recovers, the written sectors + will contain garbage instead of a random mix of sectors containing + either old data or new data, thus we fail again to provide atomic + sectors writes. + +4. Even when the user flushes the thin device, because we first commit + the metadata and then pass down the flush, the same risk for + corruption exists (if the system crashes after the metadata have been + committed but before the flush is passed down to the data device.) + +The only case which is unaffected is that of writes with size equal to +the pool's block size and with the FUA flag set. But, because FUA writes +trigger metadata commits, this case can trigger the corruption +indirectly. + +Moreover, apart from internal and external snapshots, the same issue +exists for newly provisioned blocks, when block zeroing is enabled. +After the system recovers the provisioned blocks might contain garbage +instead of zeroes. + +To solve this and avoid the potential data corruption we flush the +pool's data device **before** committing its metadata. + +This ensures that the data blocks of any newly inserted mappings are +properly written to non-volatile storage and won't be lost in case of a +crash. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikos Tsironis +Acked-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 40 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -298,6 +298,7 @@ struct pool_c { + dm_block_t low_water_blocks; + struct pool_features requested_pf; /* Features requested during table load */ + struct pool_features adjusted_pf; /* Features used after adjusting for constituent devices */ ++ struct bio flush_bio; + }; + + /* +@@ -2378,8 +2379,16 @@ static void process_deferred_bios(struct + while ((bio = bio_list_pop(&bio_completions))) + bio_endio(bio); + +- while ((bio = bio_list_pop(&bios))) +- generic_make_request(bio); ++ while ((bio = bio_list_pop(&bios))) { ++ /* ++ * The data device was flushed as part of metadata commit, ++ * so complete redundant flushes immediately. ++ */ ++ if (bio->bi_opf & REQ_PREFLUSH) ++ bio_endio(bio); ++ else ++ generic_make_request(bio); ++ } + } + + static void do_worker(struct work_struct *ws) +@@ -3139,6 +3148,7 @@ static void pool_dtr(struct dm_target *t + __pool_dec(pt->pool); + dm_put_device(ti, pt->metadata_dev); + dm_put_device(ti, pt->data_dev); ++ bio_uninit(&pt->flush_bio); + kfree(pt); + + mutex_unlock(&dm_thin_pool_table.mutex); +@@ -3204,6 +3214,29 @@ static void metadata_low_callback(void * + dm_table_event(pool->ti->table); + } + ++/* ++ * We need to flush the data device **before** committing the metadata. ++ * ++ * This ensures that the data blocks of any newly inserted mappings are ++ * properly written to non-volatile storage and won't be lost in case of a ++ * crash. ++ * ++ * Failure to do so can result in data corruption in the case of internal or ++ * external snapshots and in the case of newly provisioned blocks, when block ++ * zeroing is enabled. ++ */ ++static int metadata_pre_commit_callback(void *context) ++{ ++ struct pool_c *pt = context; ++ struct bio *flush_bio = &pt->flush_bio; ++ ++ bio_reset(flush_bio); ++ bio_set_dev(flush_bio, pt->data_dev->bdev); ++ flush_bio->bi_opf = REQ_OP_WRITE | REQ_PREFLUSH; ++ ++ return submit_bio_wait(flush_bio); ++} ++ + static sector_t get_dev_size(struct block_device *bdev) + { + return i_size_read(bdev->bd_inode) >> SECTOR_SHIFT; +@@ -3372,6 +3405,7 @@ static int pool_ctr(struct dm_target *ti + pt->data_dev = data_dev; + pt->low_water_blocks = low_water_blocks; + pt->adjusted_pf = pt->requested_pf = pf; ++ bio_init(&pt->flush_bio, NULL, 0); + ti->num_flush_bios = 1; + + /* +@@ -3399,6 +3433,10 @@ static int pool_ctr(struct dm_target *ti + if (r) + goto out_flags_changed; + ++ dm_pool_register_pre_commit_callback(pt->pool->pmd, ++ metadata_pre_commit_callback, ++ pt); ++ + pt->callbacks.congested_fn = pool_is_congested; + dm_table_add_target_callbacks(ti->table, &pt->callbacks); + diff --git a/queue-4.9/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch b/queue-4.9/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch new file mode 100644 index 00000000000..418555aa618 --- /dev/null +++ b/queue-4.9/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch @@ -0,0 +1,101 @@ +From ecda7c0280e6b3398459dc589b9a41c1adb45529 Mon Sep 17 00:00:00 2001 +From: Nikos Tsironis +Date: Wed, 4 Dec 2019 16:07:41 +0200 +Subject: dm thin metadata: Add support for a pre-commit callback + +From: Nikos Tsironis + +commit ecda7c0280e6b3398459dc589b9a41c1adb45529 upstream. + +Add support for one pre-commit callback which is run right before the +metadata are committed. + +This allows the thin provisioning target to run a callback before the +metadata are committed and is required by the next commit. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikos Tsironis +Acked-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 29 +++++++++++++++++++++++++++++ + drivers/md/dm-thin-metadata.h | 7 +++++++ + 2 files changed, 36 insertions(+) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -190,6 +190,15 @@ struct dm_pool_metadata { + sector_t data_block_size; + + /* ++ * Pre-commit callback. ++ * ++ * This allows the thin provisioning target to run a callback before ++ * the metadata are committed. ++ */ ++ dm_pool_pre_commit_fn pre_commit_fn; ++ void *pre_commit_context; ++ ++ /* + * We reserve a section of the metadata for commit overhead. + * All reported space does *not* include this. + */ +@@ -793,6 +802,14 @@ static int __commit_transaction(struct d + */ + BUILD_BUG_ON(sizeof(struct thin_disk_superblock) > 512); + ++ if (pmd->pre_commit_fn) { ++ r = pmd->pre_commit_fn(pmd->pre_commit_context); ++ if (r < 0) { ++ DMERR("pre-commit callback failed"); ++ return r; ++ } ++ } ++ + r = __write_changed_details(pmd); + if (r < 0) + return r; +@@ -866,6 +883,8 @@ struct dm_pool_metadata *dm_pool_metadat + pmd->fail_io = false; + pmd->bdev = bdev; + pmd->data_block_size = data_block_size; ++ pmd->pre_commit_fn = NULL; ++ pmd->pre_commit_context = NULL; + + r = __create_persistent_data_objects(pmd, format_device); + if (r) { +@@ -2010,6 +2029,16 @@ int dm_pool_register_metadata_threshold( + return r; + } + ++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd, ++ dm_pool_pre_commit_fn fn, ++ void *context) ++{ ++ pmd_write_lock_in_core(pmd); ++ pmd->pre_commit_fn = fn; ++ pmd->pre_commit_context = context; ++ pmd_write_unlock(pmd); ++} ++ + int dm_pool_metadata_set_needs_check(struct dm_pool_metadata *pmd) + { + int r; +--- a/drivers/md/dm-thin-metadata.h ++++ b/drivers/md/dm-thin-metadata.h +@@ -230,6 +230,13 @@ bool dm_pool_metadata_needs_check(struct + */ + void dm_pool_issue_prefetches(struct dm_pool_metadata *pmd); + ++/* Pre-commit callback */ ++typedef int (*dm_pool_pre_commit_fn)(void *context); ++ ++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd, ++ dm_pool_pre_commit_fn fn, ++ void *context); ++ + /*----------------------------------------------------------------*/ + + #endif diff --git a/queue-4.9/dma-buf-fix-memory-leak-in-sync_file_merge.patch b/queue-4.9/dma-buf-fix-memory-leak-in-sync_file_merge.patch new file mode 100644 index 00000000000..0fa0e17f260 --- /dev/null +++ b/queue-4.9/dma-buf-fix-memory-leak-in-sync_file_merge.patch @@ -0,0 +1,34 @@ +From 6645d42d79d33e8a9fe262660a75d5f4556bbea9 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 22 Nov 2019 16:09:55 -0600 +Subject: dma-buf: Fix memory leak in sync_file_merge() + +From: Navid Emamdoost + +commit 6645d42d79d33e8a9fe262660a75d5f4556bbea9 upstream. + +In the implementation of sync_file_merge() the allocated sync_file is +leaked if number of fences overflows. Release sync_file by goto err. + +Fixes: a02b9dc90d84 ("dma-buf/sync_file: refactor fence storage in struct sync_file") +Signed-off-by: Navid Emamdoost +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191122220957.30427-1-navid.emamdoost@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma-buf/sync_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma-buf/sync_file.c ++++ b/drivers/dma-buf/sync_file.c +@@ -204,7 +204,7 @@ static struct sync_file *sync_file_merge + a_fences = get_fences(a, &a_num_fences); + b_fences = get_fences(b, &b_num_fences); + if (a_num_fences > INT_MAX - b_num_fences) +- return NULL; ++ goto err; + + num_fences = a_num_fences + b_num_fences; + diff --git a/queue-4.9/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch b/queue-4.9/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch new file mode 100644 index 00000000000..9ea5f0842f1 --- /dev/null +++ b/queue-4.9/drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch @@ -0,0 +1,51 @@ +From 008037d4d972c9c47b273e40e52ae34f9d9e33e7 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 26 Nov 2019 09:41:46 -0500 +Subject: drm/radeon: fix r1xx/r2xx register checker for POT textures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 008037d4d972c9c47b273e40e52ae34f9d9e33e7 upstream. + +Shift and mask were reversed. Noticed by chance. + +Tested-by: Meelis Roos +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/r100.c | 4 ++-- + drivers/gpu/drm/radeon/r200.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/radeon/r100.c ++++ b/drivers/gpu/drm/radeon/r100.c +@@ -1824,8 +1824,8 @@ static int r100_packet0_check(struct rad + track->textures[i].use_pitch = 1; + } else { + track->textures[i].use_pitch = 0; +- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK); +- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK); ++ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT); ++ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT); + } + if (idx_value & RADEON_TXFORMAT_CUBIC_MAP_ENABLE) + track->textures[i].tex_coord_type = 2; +--- a/drivers/gpu/drm/radeon/r200.c ++++ b/drivers/gpu/drm/radeon/r200.c +@@ -476,8 +476,8 @@ int r200_packet0_check(struct radeon_cs_ + track->textures[i].use_pitch = 1; + } else { + track->textures[i].use_pitch = 0; +- track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK); +- track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK); ++ track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT); ++ track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT); + } + if (idx_value & R200_TXFORMAT_LOOKUP_DISABLE) + track->textures[i].lookup_disable = true; diff --git a/queue-4.9/scsi-iscsi-fix-a-potential-deadlock-in-the-timeout-handler.patch b/queue-4.9/scsi-iscsi-fix-a-potential-deadlock-in-the-timeout-handler.patch new file mode 100644 index 00000000000..67aef6fd97e --- /dev/null +++ b/queue-4.9/scsi-iscsi-fix-a-potential-deadlock-in-the-timeout-handler.patch @@ -0,0 +1,119 @@ +From 5480e299b5ae57956af01d4839c9fc88a465eeab Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Mon, 9 Dec 2019 09:34:57 -0800 +Subject: scsi: iscsi: Fix a potential deadlock in the timeout handler + +From: Bart Van Assche + +commit 5480e299b5ae57956af01d4839c9fc88a465eeab upstream. + +Some time ago the block layer was modified such that timeout handlers are +called from thread context instead of interrupt context. Make it safe to +run the iSCSI timeout handler in thread context. This patch fixes the +following lockdep complaint: + +================================ +WARNING: inconsistent lock state +5.5.1-dbg+ #11 Not tainted +-------------------------------- +inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +kworker/7:1H/206 [HC0[0]:SC0[0]:HE1:SE1] takes: +ffff88802d9827e8 (&(&session->frwd_lock)->rlock){+.?.}, at: iscsi_eh_cmd_timed_out+0xa6/0x6d0 [libiscsi] +{IN-SOFTIRQ-W} state was registered at: + lock_acquire+0x106/0x240 + _raw_spin_lock+0x38/0x50 + iscsi_check_transport_timeouts+0x3e/0x210 [libiscsi] + call_timer_fn+0x132/0x470 + __run_timers.part.0+0x39f/0x5b0 + run_timer_softirq+0x63/0xc0 + __do_softirq+0x12d/0x5fd + irq_exit+0xb3/0x110 + smp_apic_timer_interrupt+0x131/0x3d0 + apic_timer_interrupt+0xf/0x20 + default_idle+0x31/0x230 + arch_cpu_idle+0x13/0x20 + default_idle_call+0x53/0x60 + do_idle+0x38a/0x3f0 + cpu_startup_entry+0x24/0x30 + start_secondary+0x222/0x290 + secondary_startup_64+0xa4/0xb0 +irq event stamp: 1383705 +hardirqs last enabled at (1383705): [] _raw_spin_unlock_irq+0x2c/0x50 +hardirqs last disabled at (1383704): [] _raw_spin_lock_irq+0x18/0x50 +softirqs last enabled at (1383690): [] iscsi_queuecommand+0x76a/0xa20 [libiscsi] +softirqs last disabled at (1383682): [] iscsi_queuecommand+0x118/0xa20 [libiscsi] + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(&session->frwd_lock)->rlock); + + lock(&(&session->frwd_lock)->rlock); + + *** DEADLOCK *** + +2 locks held by kworker/7:1H/206: + #0: ffff8880d57bf928 ((wq_completion)kblockd){+.+.}, at: process_one_work+0x472/0xab0 + #1: ffff88802b9c7de8 ((work_completion)(&q->timeout_work)){+.+.}, at: process_one_work+0x476/0xab0 + +stack backtrace: +CPU: 7 PID: 206 Comm: kworker/7:1H Not tainted 5.5.1-dbg+ #11 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Workqueue: kblockd blk_mq_timeout_work +Call Trace: + dump_stack+0xa5/0xe6 + print_usage_bug.cold+0x232/0x23b + mark_lock+0x8dc/0xa70 + __lock_acquire+0xcea/0x2af0 + lock_acquire+0x106/0x240 + _raw_spin_lock+0x38/0x50 + iscsi_eh_cmd_timed_out+0xa6/0x6d0 [libiscsi] + scsi_times_out+0xf4/0x440 [scsi_mod] + scsi_timeout+0x1d/0x20 [scsi_mod] + blk_mq_check_expired+0x365/0x3a0 + bt_iter+0xd6/0xf0 + blk_mq_queue_tag_busy_iter+0x3de/0x650 + blk_mq_timeout_work+0x1af/0x380 + process_one_work+0x56d/0xab0 + worker_thread+0x7a/0x5d0 + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Fixes: 287922eb0b18 ("block: defer timeouts to a workqueue") +Cc: Christoph Hellwig +Cc: Keith Busch +Cc: Lee Duncan +Cc: Chris Leech +Cc: +Link: https://lore.kernel.org/r/20191209173457.187370-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libiscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1982,7 +1982,7 @@ static enum blk_eh_timer_return iscsi_eh + + ISCSI_DBG_EH(session, "scsi cmd %p timedout\n", sc); + +- spin_lock(&session->frwd_lock); ++ spin_lock_bh(&session->frwd_lock); + task = (struct iscsi_task *)sc->SCp.ptr; + if (!task) { + /* +@@ -2109,7 +2109,7 @@ static enum blk_eh_timer_return iscsi_eh + done: + if (task) + task->last_timeout = jiffies; +- spin_unlock(&session->frwd_lock); ++ spin_unlock_bh(&session->frwd_lock); + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ? + "timer reset" : "shutdown or nh"); + return rc; diff --git a/queue-4.9/series b/queue-4.9/series index 001ce7f4f91..3077b03194b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -185,3 +185,14 @@ tcp-protect-accesses-to-.ts_recent_stamp-with-read-write-_once.patch revert-regulator-defer-init-completion-for-a-while-after-late_initcall.patch pci-fix-intel-acs-quirk-updcr-register-address.patch pci-msi-fix-incorrect-msi-x-masking-on-resume.patch +xtensa-fix-tlb-sanity-checker.patch +cifs-respect-o_sync-and-o_direct-flags-during-reconnect.patch +arm-dts-s3c64xx-fix-init-order-of-clock-providers.patch +arm-tegra-fix-flow_ctlr_halt-register-clobbering-by-tegra_resume.patch +vfio-pci-call-irq_bypass_unregister_producer-before-freeing-irq.patch +dma-buf-fix-memory-leak-in-sync_file_merge.patch +dm-btree-increase-rebalance-threshold-in-__rebalance2.patch +dm-thin-metadata-add-support-for-a-pre-commit-callback.patch +dm-thin-flush-data-device-before-committing-metadata.patch +scsi-iscsi-fix-a-potential-deadlock-in-the-timeout-handler.patch +drm-radeon-fix-r1xx-r2xx-register-checker-for-pot-textures.patch diff --git a/queue-4.9/vfio-pci-call-irq_bypass_unregister_producer-before-freeing-irq.patch b/queue-4.9/vfio-pci-call-irq_bypass_unregister_producer-before-freeing-irq.patch new file mode 100644 index 00000000000..668a1449f5d --- /dev/null +++ b/queue-4.9/vfio-pci-call-irq_bypass_unregister_producer-before-freeing-irq.patch @@ -0,0 +1,55 @@ +From d567fb8819162099035e546b11a736e29c2af0ea Mon Sep 17 00:00:00 2001 +From: Jiang Yi +Date: Wed, 27 Nov 2019 17:49:10 +0100 +Subject: vfio/pci: call irq_bypass_unregister_producer() before freeing irq + +From: Jiang Yi + +commit d567fb8819162099035e546b11a736e29c2af0ea upstream. + +Since irq_bypass_register_producer() is called after request_irq(), we +should do tear-down in reverse order: irq_bypass_unregister_producer() +then free_irq(). + +Specifically free_irq() may release resources required by the +irqbypass del_producer() callback. Notably an example provided by +Marc Zyngier on arm64 with GICv4 that he indicates has the potential +to wedge the hardware: + + free_irq(irq) + __free_irq(irq) + irq_domain_deactivate_irq(irq) + its_irq_domain_deactivate() + [unmap the VLPI from the ITS] + + kvm_arch_irq_bypass_del_producer(cons, prod) + kvm_vgic_v4_unset_forwarding(kvm, irq, ...) + its_unmap_vlpi(irq) + [Unmap the VLPI from the ITS (again), remap the original LPI] + +Signed-off-by: Jiang Yi +Cc: stable@vger.kernel.org # v4.4+ +Fixes: 6d7425f109d26 ("vfio: Register/unregister irq_bypass_producer") +Link: https://lore.kernel.org/kvm/20191127164910.15888-1-giangyi@amazon.com +Reviewed-by: Marc Zyngier +Reviewed-by: Eric Auger +[aw: commit log] +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci_intrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -297,8 +297,8 @@ static int vfio_msi_set_vector_signal(st + irq = pci_irq_vector(pdev, vector); + + if (vdev->ctx[vector].trigger) { +- free_irq(irq, vdev->ctx[vector].trigger); + irq_bypass_unregister_producer(&vdev->ctx[vector].producer); ++ free_irq(irq, vdev->ctx[vector].trigger); + kfree(vdev->ctx[vector].name); + eventfd_ctx_put(vdev->ctx[vector].trigger); + vdev->ctx[vector].trigger = NULL; diff --git a/queue-4.9/xtensa-fix-tlb-sanity-checker.patch b/queue-4.9/xtensa-fix-tlb-sanity-checker.patch new file mode 100644 index 00000000000..ef5ddc709c7 --- /dev/null +++ b/queue-4.9/xtensa-fix-tlb-sanity-checker.patch @@ -0,0 +1,47 @@ +From 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Wed, 13 Nov 2019 13:18:31 -0800 +Subject: xtensa: fix TLB sanity checker + +From: Max Filippov + +commit 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 upstream. + +Virtual and translated addresses retrieved by the xtensa TLB sanity +checker must be consistent, i.e. correspond to the same state of the +checked TLB entry. KASAN shadow memory is mapped dynamically using +auto-refill TLB entries and thus may change TLB state between the +virtual and translated address retrieval, resulting in false TLB +insanity report. +Move read_xtlb_translation close to read_xtlb_virtual to make sure that +read values are consistent. + +Cc: stable@vger.kernel.org +Fixes: a99e07ee5e88 ("xtensa: check TLB sanity on return to userspace") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/mm/tlb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/xtensa/mm/tlb.c ++++ b/arch/xtensa/mm/tlb.c +@@ -218,6 +218,8 @@ static int check_tlb_entry(unsigned w, u + unsigned tlbidx = w | (e << PAGE_SHIFT); + unsigned r0 = dtlb ? + read_dtlb_virtual(tlbidx) : read_itlb_virtual(tlbidx); ++ unsigned r1 = dtlb ? ++ read_dtlb_translation(tlbidx) : read_itlb_translation(tlbidx); + unsigned vpn = (r0 & PAGE_MASK) | (e << PAGE_SHIFT); + unsigned pte = get_pte_for_vaddr(vpn); + unsigned mm_asid = (get_rasid_register() >> 8) & ASID_MASK; +@@ -233,8 +235,6 @@ static int check_tlb_entry(unsigned w, u + } + + if (tlb_asid == mm_asid) { +- unsigned r1 = dtlb ? read_dtlb_translation(tlbidx) : +- read_itlb_translation(tlbidx); + if ((pte ^ r1) & PAGE_MASK) { + pr_err("%cTLB: way: %u, entry: %u, mapping: %08x->%08x, PTE: %08x\n", + dtlb ? 'D' : 'I', w, e, r0, r1, pte);