From: Greg Kroah-Hartman
Date: Sun, 11 Nov 2018 16:24:23 +0000 (-0800)
Subject: 4.14-stable patches
X-Git-Tag: v4.19.2~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2efa64547f45801364e9edf7393fa410b893ed2f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
media-em28xx-fix-input-name-for-terratec-av-350.patch
media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
media-em28xx-use-a-default-format-if-try_fmt-fails.patch
media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch
media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch
xen-blkfront-fix-kernel-panic-with-negotiate_mq-error-path.patch
xen-fix-xen_qlock_wait.patch
---

diff --git a/queue-4.14/media-em28xx-fix-input-name-for-terratec-av-350.patch b/queue-4.14/media-em28xx-fix-input-name-for-terratec-av-350.patch
new file mode 100644
index 00000000000..bf36e61b0f5
--- /dev/null
+++ b/queue-4.14/media-em28xx-fix-input-name-for-terratec-av-350.patch
@@ -0,0 +1,39 @@
+From 15644bfa195bd166d0a5ed76ae2d587f719c3dac Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Fri, 14 Sep 2018 00:20:21 -0400
+Subject: media: em28xx: fix input name for Terratec AV 350
+
+From: Mauro Carvalho Chehab
+
+commit 15644bfa195bd166d0a5ed76ae2d587f719c3dac upstream.
+
+Instead of using a register value, use an AMUX name, as otherwise
+VIDIOC_G_AUDIO would fail.
+
+Cc: stable@vger.kernel.org
+Fixes: 766ed64de554 ("V4L/DVB (11827): Add support for Terratec Grabster AV350")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -2112,13 +2112,13 @@ struct em28xx_board em28xx_boards[] = {
+ .input = { {
+ .type = EM28XX_VMUX_COMPOSITE,
+ .vmux = TVP5150_COMPOSITE1,
+- .amux = EM28XX_AUDIO_SRC_LINE,
++ .amux = EM28XX_AMUX_LINE_IN,
+ .gpio = terratec_av350_unmute_gpio,
+
+ }, {
+ .type = EM28XX_VMUX_SVIDEO,
+ .vmux = TVP5150_SVIDEO,
+- .amux = EM28XX_AUDIO_SRC_LINE,
++ .amux = EM28XX_AMUX_LINE_IN,
+ .gpio = terratec_av350_unmute_gpio,
+ } },
+ },
diff --git a/queue-4.14/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch b/queue-4.14/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
new file mode 100644
index 00000000000..b8ece73d613
--- /dev/null
+++ b/queue-4.14/media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
@@ -0,0 +1,41 @@
+From afeaade90db4c5dab93f326d9582be1d5954a198 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Thu, 13 Sep 2018 22:46:29 -0400
+Subject: media: em28xx: make v4l2-compliance happier by starting sequence on zero
+
+From: Mauro Carvalho Chehab
+
+commit afeaade90db4c5dab93f326d9582be1d5954a198 upstream.
+
+The v4l2-compliance tool complains if a video doesn't start
+with a zero sequence number.
+
+While this shouldn't cause any real problem for apps, let's
+make it happier, in order to better check the v4l2-compliance
+differences before and after patchsets.
+
+This is actually an old issue. It is there since at least its
+videobuf2 conversion, e. g. changeset 3829fadc461 ("[media]
+em28xx: convert to videobuf2"), if VB1 wouldn't suffer from
+the same issue.
+
+Cc: stable@vger.kernel.org
+Fixes: d3829fadc461 ("[media] em28xx: convert to videobuf2")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -900,6 +900,8 @@ static int em28xx_enable_analog_tuner(st
+ if (!mdev || !v4l2->decoder)
+ return 0;
+
++ dev->v4l2->field_count = 0;
++
+ /*
+ * This will find the tuner that is connected into the decoder.
+ * Technically, this is not 100% correct, as the device may be
diff --git a/queue-4.14/media-em28xx-use-a-default-format-if-try_fmt-fails.patch b/queue-4.14/media-em28xx-use-a-default-format-if-try_fmt-fails.patch
new file mode 100644
index 00000000000..62def0baa9a
--- /dev/null
+++ b/queue-4.14/media-em28xx-use-a-default-format-if-try_fmt-fails.patch
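Review bot: In the em28xx-video.c hunk of the "starting sequence on zero" patch, `dev->v4l2->field_count = 0;` sits after the early `if (!mdev || !v4l2->decoder) return 0;` in em28xx_enable_analog_tuner(), so the counter is never reset when that guard returns, i.e. on devices without a media device or decoder. The commit message wants every stream to start at sequence zero, so the reset probably belongs on the stream-start path rather than in the tuner helper. If it has to stay in this function, move it above the guard and use the local already in scope, `v4l2->field_count = 0;`. The function starts and ends outside the hunk, so the rest of its control flow cannot be checked from here.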
@@ -0,0 +1,40 @@
+From f823ce2a1202d47110a7ef86b65839f0be8adc38 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Thu, 13 Sep 2018 23:22:40 -0400
+Subject: media: em28xx: use a default format if TRY_FMT fails
+
+From: Mauro Carvalho Chehab
+
+commit f823ce2a1202d47110a7ef86b65839f0be8adc38 upstream.
+
+Follow the V4L2 spec, as warned by v4l2-compliance:
+
+ warn: v4l2-test-formats.cpp(732): TRY_FMT cannot handle an invalid pixelformat.
+ warn: v4l2-test-formats.cpp(733): This may or may not be a problem. For more information see:
+
+warn: v4l2-test-formats.cpp(734): http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html
+
+Cc: stable@vger.kernel.org
+Fixes: bddcf63313c6 ("V4L/DVB (9927): em28xx: use a more standard way to specify video formats")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -1445,9 +1445,9 @@ static int vidioc_try_fmt_vid_cap(struct
+
+ fmt = format_by_fourcc(f->fmt.pix.pixelformat);
+ if (!fmt) {
+- em28xx_videodbg("Fourcc format (%08x) invalid.\n",
+- f->fmt.pix.pixelformat);
+- return -EINVAL;
++ fmt = &format[0];
++ em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n",
++ f->fmt.pix.pixelformat, fmt->fourcc);
+ }
+
+ if (dev->board.is_em2800) {
diff --git a/queue-4.14/media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch b/queue-4.14/media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch
new file mode 100644
index 00000000000..04d6c18d615
--- /dev/null
+++ b/queue-4.14/media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch
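Review bot: The new `fmt = &format[0];` fallback in vidioc_try_fmt_vid_cap() changes the contract from rejecting an unknown fourcc to silently substituting one, and nothing visible in the hunk writes the substitute back to the caller. The rest of the function is outside the hunk, so it is worth confirming that `f->fmt.pix.pixelformat` is set from `fmt->fourcc` before returning; otherwise userspace would keep the unsupported value it passed in while the remaining fields describe the default format. A short comment above the fallback would also record why the error return was dropped, for example `/* V4L2 spec: TRY_FMT must not fail on an unknown pixelformat; fall back to the first supported one */`.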
@@ -0,0 +1,99 @@
+From a58c37978cf02f6d35d05ee4e9288cb8455f1401 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 13 Sep 2018 07:47:28 -0400
+Subject: media: media colorspaces*.rst: rename AdobeRGB to opRGB
+
+From: Hans Verkuil
+
+commit a58c37978cf02f6d35d05ee4e9288cb8455f1401 upstream.
+
+Drop all Adobe references and use the official opRGB standard
+instead.
+
+Signed-off-by: Hans Verkuil
+Cc: stable@vger.kernel.org
+Acked-by: Daniel Vetter
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/media/uapi/v4l/biblio.rst | 10 ----------
+ Documentation/media/uapi/v4l/colorspaces-defs.rst | 8 ++++----
+ Documentation/media/uapi/v4l/colorspaces-details.rst | 13 ++++++-------
+ 3 files changed, 10 insertions(+), 21 deletions(-)
+
+--- a/Documentation/media/uapi/v4l/biblio.rst
++++ b/Documentation/media/uapi/v4l/biblio.rst
+@@ -226,16 +226,6 @@ xvYCC
+
+ :author: International Electrotechnical Commission (http://www.iec.ch)
+
+-.. _adobergb:
+-
+-AdobeRGB
+-========
+-
+-
+-:title: Adobe© RGB (1998) Color Image Encoding Version 2005-05
+-
+-:author: Adobe Systems Incorporated (http://www.adobe.com)
+-
+ .. _oprgb:
+
+ opRGB
+--- a/Documentation/media/uapi/v4l/colorspaces-defs.rst
++++ b/Documentation/media/uapi/v4l/colorspaces-defs.rst
+@@ -51,8 +51,8 @@ whole range, 0-255, dividing the angular
+ - See :ref:`col-rec709`.
+ * - ``V4L2_COLORSPACE_SRGB``
+ - See :ref:`col-srgb`.
+- * - ``V4L2_COLORSPACE_ADOBERGB``
+- - See :ref:`col-adobergb`.
++ * - ``V4L2_COLORSPACE_OPRGB``
++ - See :ref:`col-oprgb`.
+ * - ``V4L2_COLORSPACE_BT2020``
+ - See :ref:`col-bt2020`.
+ * - ``V4L2_COLORSPACE_DCI_P3``
+@@ -90,8 +90,8 @@ whole range, 0-255, dividing the angular
+ - Use the Rec. 709 transfer function.
+ * - ``V4L2_XFER_FUNC_SRGB``
+ - Use the sRGB transfer function.
+- * - ``V4L2_XFER_FUNC_ADOBERGB``
+- - Use the AdobeRGB transfer function.
++ * - ``V4L2_XFER_FUNC_OPRGB``
++ - Use the opRGB transfer function.
+ * - ``V4L2_XFER_FUNC_SMPTE240M``
+ - Use the SMPTE 240M transfer function.
+ * - ``V4L2_XFER_FUNC_NONE``
+--- a/Documentation/media/uapi/v4l/colorspaces-details.rst
++++ b/Documentation/media/uapi/v4l/colorspaces-details.rst
+@@ -290,15 +290,14 @@ Y' is clamped to the range [0…1] and C
+ 170M/BT.601. The Y'CbCr quantization is limited range.
+
+
+-.. _col-adobergb:
++.. _col-oprgb:
+
+-Colorspace Adobe RGB (V4L2_COLORSPACE_ADOBERGB)
++Colorspace opRGB (V4L2_COLORSPACE_OPRGB)
+ ===============================================
+
+-The :ref:`adobergb` standard defines the colorspace used by computer
+-graphics that use the AdobeRGB colorspace. This is also known as the
+-:ref:`oprgb` standard. The default transfer function is
+-``V4L2_XFER_FUNC_ADOBERGB``. The default Y'CbCr encoding is
++The :ref:`oprgb` standard defines the colorspace used by computer
++graphics that use the opRGB colorspace. The default transfer function is
++``V4L2_XFER_FUNC_OPRGB``. The default Y'CbCr encoding is
+ ``V4L2_YCBCR_ENC_601``. The default Y'CbCr quantization is limited
+ range.
+
+@@ -312,7 +311,7 @@ The chromaticities of the primary colors
+
+ .. tabularcolumns:: |p{4.4cm}|p{4.4cm}|p{8.7cm}|
+
+-.. flat-table:: Adobe RGB Chromaticities
++.. flat-table:: opRGB Chromaticities
+ :header-rows: 1
+ :stub-columns: 0
+ :widths: 1 1 2
diff --git a/queue-4.14/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch b/queue-4.14/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch
new file mode 100644
index 00000000000..917542112ce
--- /dev/null
+++ b/queue-4.14/media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch
@@ -0,0 +1,80 @@
+From 5c4c4505b716cb782ad7263091edc466c4d1fbd4 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Thu, 13 Sep 2018 16:49:51 -0400
+Subject: media: tvp5150: avoid going past array on v4l2_querymenu()
+
+From: Mauro Carvalho Chehab
+
+commit 5c4c4505b716cb782ad7263091edc466c4d1fbd4 upstream.
+
+The parameters of v4l2_ctrl_new_std_menu_items() are tricky: instead of
+the number of possible values, it requires the number of the maximum
+value. In other words, the ARRAY_SIZE() value should be decremented,
+otherwise it will go past the array bounds, as warned by KASAN:
+
+[ 279.839688] BUG: KASAN: global-out-of-bounds in v4l2_querymenu+0x10d/0x180 [videodev]
+[ 279.839709] Read of size 8 at addr ffffffffc10a4cb0 by task v4l2-compliance/16676
+
+[ 279.839736] CPU: 1 PID: 16676 Comm: v4l2-compliance Not tainted 4.18.0-rc2+ #120
+[ 279.839741] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
+[ 279.839743] Call Trace:
+[ 279.839758] dump_stack+0x71/0xab
+[ 279.839807] ? v4l2_querymenu+0x10d/0x180 [videodev]
+[ 279.839817] print_address_description+0x1c9/0x270
+[ 279.839863] ? v4l2_querymenu+0x10d/0x180 [videodev]
+[ 279.839871] kasan_report+0x237/0x360
+[ 279.839918] v4l2_querymenu+0x10d/0x180 [videodev]
+[ 279.839964] __video_do_ioctl+0x2c8/0x590 [videodev]
+[ 279.840011] ? copy_overflow+0x20/0x20 [videodev]
+[ 279.840020] ? avc_ss_reset+0xa0/0xa0
+[ 279.840028] ? check_stack_object+0x21/0x60
+[ 279.840036] ? __check_object_size+0xe7/0x240
+[ 279.840080] video_usercopy+0xed/0x730 [videodev]
+[ 279.840123] ? copy_overflow+0x20/0x20 [videodev]
+[ 279.840167] ? v4l_enumstd+0x40/0x40 [videodev]
+[ 279.840177] ? __handle_mm_fault+0x9f9/0x1ba0
+[ 279.840186] ? __pmd_alloc+0x2c0/0x2c0
+[ 279.840193] ? __vfs_write+0xb6/0x350
+[ 279.840200] ? kernel_read+0xa0/0xa0
+[ 279.840244] ? video_usercopy+0x730/0x730 [videodev]
+[ 279.840284] v4l2_ioctl+0xa1/0xb0 [videodev]
+[ 279.840295] do_vfs_ioctl+0x117/0x8a0
+[ 279.840303] ? selinux_file_ioctl+0x211/0x2f0
+[ 279.840313] ? ioctl_preallocate+0x120/0x120
+[ 279.840319] ? selinux_capable+0x20/0x20
+[ 279.840332] ksys_ioctl+0x70/0x80
+[ 279.840342] __x64_sys_ioctl+0x3d/0x50
+[ 279.840351] do_syscall_64+0x6d/0x1c0
+[ 279.840361] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 279.840367] RIP: 0033:0x7fdfb46275d7
+[ 279.840369] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
+[ 279.840474] RSP: 002b:00007ffee1179038 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[ 279.840483] RAX: ffffffffffffffda RBX: 00007ffee1179180 RCX: 00007fdfb46275d7
+[ 279.840488] RDX: 00007ffee11790c0 RSI: 00000000c02c5625 RDI: 0000000000000003
+[ 279.840493] RBP: 0000000000000002 R08: 0000000000000020 R09: 00000000009f0902
+[ 279.840497] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffee117a5a0
+[ 279.840501] R13: 00007ffee11790c0 R14: 0000000000000002 R15: 0000000000000000
+
+[ 279.840515] The buggy address belongs to the variable:
+[ 279.840535] tvp5150_test_patterns+0x10/0xffffffffffffe360 [tvp5150]
+
+Fixes: c43875f66140 ("[media] tvp5150: replace MEDIA_ENT_F_CONN_TEST by a control")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/tvp5150.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -1530,7 +1530,7 @@ static int tvp5150_probe(struct i2c_clie
+ 27000000, 1, 27000000);
+ v4l2_ctrl_new_std_menu_items(&core->hdl, &tvp5150_ctrl_ops,
+ V4L2_CID_TEST_PATTERN,
+- ARRAY_SIZE(tvp5150_test_patterns),
++ ARRAY_SIZE(tvp5150_test_patterns) - 1,
+ 0, 0, tvp5150_test_patterns);
+ sd->ctrl_handler = &core->hdl;
+ if (core->hdl.error) {
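Review bot: The `ARRAY_SIZE(tvp5150_test_patterns) - 1` argument in tvp5150_probe() fixes the out-of-bounds read that KASAN reported, but nothing at the call site says why the count is decremented, and the commit message itself calls the parameter tricky. I would add a comment on that line such as `/* max is the highest menu index, not the number of entries */` so a later cleanup does not restore the plain ARRAY_SIZE(). The trace shows the bad index being reached from a userspace ioctl, so other v4l2_ctrl_new_std_menu_items() callers are worth auditing for the same off-by-one. The probe function continues outside the hunk.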
diff --git a/queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch b/queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch
deleted file mode 100644
index 5fe8febc700..00000000000
--- a/queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 9844fb2e351311210e6660a9a1c62d17424a6145 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Mon, 27 Aug 2018 10:21:53 +0200
-Subject: power: supply: twl4030-charger: fix OF sibling-node lookup
-
-From: Johan Hovold
-
-commit 9844fb2e351311210e6660a9a1c62d17424a6145 upstream.
-
-Use the new of_get_compatible_child() helper to lookup the usb sibling
-node instead of using of_find_compatible_node(), which searches the
-entire tree from a given start node and thus can return an unrelated
-(non-sibling) node.
-
-This also addresses a potential use-after-free (e.g. after probe
-deferral) as the tree-wide helper drops a reference to its first
-argument (i.e. the parent device node).
-
-While at it, also fix the related phy-node reference leak.
-
-Fixes: f5e4edb8c888 ("power: twl4030_charger: find associated phy by more reliable means.")
-Cc: stable # 4.2
-Cc: NeilBrown
-Cc: Felipe Balbi
-Cc: Sebastian Reichel
-Reviewed-by: Sebastian Reichel
-Signed-off-by: Johan Hovold
-Signed-off-by: Rob Herring
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/power/supply/twl4030_charger.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/drivers/power/supply/twl4030_charger.c
-+++ b/drivers/power/supply/twl4030_charger.c
-@@ -996,12 +996,13 @@ static int twl4030_bci_probe(struct plat
- if (bci->dev->of_node) {
- struct device_node *phynode;
-
-- phynode = of_find_compatible_node(bci->dev->of_node->parent,
-- NULL, "ti,twl4030-usb");
-+ phynode = of_get_compatible_child(bci->dev->of_node->parent,
-+ "ti,twl4030-usb");
- if (phynode) {
- bci->usb_nb.notifier_call = twl4030_bci_usb_ncb;
- bci->transceiver = devm_usb_get_phy_by_node(
- bci->dev, phynode, &bci->usb_nb);
-+ of_node_put(phynode);
- if (IS_ERR(bci->transceiver)) {
- ret = PTR_ERR(bci->transceiver);
- if (ret == -EPROBE_DEFER)
diff --git a/queue-4.14/series b/queue-4.14/series
index d72ffe8c248..bf9c36b0a97 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -177,8 +177,14 @@ dm-zoned-fix-metadata-block-ref-counting.patch
 dm-zoned-fix-various-dmz_get_mblock-issues.patch
 powerpc-msi-fix-compile-error-on-mpc83xx.patch
 mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch
-power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch
 iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch
 tc-set-dma-masks-for-devices.patch
 media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch
 kgdboc-passing-ekgdboc-to-command-line-causes-panic.patch
+xen-fix-xen_qlock_wait.patch
+xen-blkfront-fix-kernel-panic-with-negotiate_mq-error-path.patch
+media-em28xx-use-a-default-format-if-try_fmt-fails.patch
+media-tvp5150-avoid-going-past-array-on-v4l2_querymenu.patch
+media-em28xx-fix-input-name-for-terratec-av-350.patch
+media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
+media-media-colorspaces-.rst-rename-adobergb-to-oprgb.patch
diff --git a/queue-4.14/xen-blkfront-fix-kernel-panic-with-negotiate_mq-error-path.patch b/queue-4.14/xen-blkfront-fix-kernel-panic-with-negotiate_mq-error-path.patch
new file mode 100644
index 00000000000..b4c3b6c975c
--- /dev/null
+++ b/queue-4.14/xen-blkfront-fix-kernel-panic-with-negotiate_mq-error-path.patch
@@ -0,0 +1,50 @@
+From 6cc4a0863c9709c512280c64e698d68443ac8053 Mon Sep 17 00:00:00 2001
+From: Manjunath Patil
+Date: Tue, 30 Oct 2018 09:49:21 -0700
+Subject: xen-blkfront: fix kernel panic with negotiate_mq error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Manjunath Patil
+
+commit 6cc4a0863c9709c512280c64e698d68443ac8053 upstream.
+
+info->nr_rings isn't adjusted in case of ENOMEM error from
+negotiate_mq(). This leads to kernel panic in error path.
+
+Typical call stack involving panic -
+ #8 page_fault at ffffffff8175936f
+ [exception RIP: blkif_free_ring+33]
+ RIP: ffffffffa0149491 RSP: ffff8804f7673c08 RFLAGS: 00010292
+ ...
+ #9 blkif_free at ffffffffa0149aaa [xen_blkfront]
+ #10 talk_to_blkback at ffffffffa014c8cd [xen_blkfront]
+ #11 blkback_changed at ffffffffa014ea8b [xen_blkfront]
+ #12 xenbus_otherend_changed at ffffffff81424670
+ #13 backend_changed at ffffffff81426dc3
+ #14 xenwatch_thread at ffffffff81422f29
+ #15 kthread at ffffffff810abe6a
+ #16 ret_from_fork at ffffffff81754078
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed8ce1c5fc7 ("xen-blkfront: move negotiate_mq to cover all cases of new VBDs")
+Signed-off-by: Manjunath Patil
+Acked-by: Roger Pau Monné
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkfront.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -1910,6 +1910,7 @@ static int negotiate_mq(struct blkfront_
+ info->rinfo = kzalloc(sizeof(struct blkfront_ring_info) * info->nr_rings, GFP_KERNEL);
+ if (!info->rinfo) {
+ xenbus_dev_fatal(info->xbdev, -ENOMEM, "allocating ring_info structure");
++ info->nr_rings = 0;
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.14/xen-fix-xen_qlock_wait.patch b/queue-4.14/xen-fix-xen_qlock_wait.patch
new file mode 100644
index 00000000000..956aa2dabb6
--- /dev/null
+++ b/queue-4.14/xen-fix-xen_qlock_wait.patch
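Review bot: In negotiate_mq(), the allocation on the context line just above the fix, `kzalloc(sizeof(struct blkfront_ring_info) * info->nr_rings, GFP_KERNEL)`, multiplies without an overflow check; `kcalloc(info->nr_rings, sizeof(struct blkfront_ring_info), GFP_KERNEL)` returns the same zeroed memory and fails cleanly if the product wraps. How nr_rings is bounded lies outside the hunk (presumably it is negotiated with the backend), so this is hardening rather than a confirmed bug. The added `info->nr_rings = 0;` would also benefit from a comment such as `/* rinfo is NULL: teardown must not iterate over rings */`, since the panic in the commit message came from these two fields getting out of step.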
@@ -0,0 +1,82 @@
+From d3132b3860f6cf35ff7609a76bbcdbb814bd027c Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Thu, 8 Nov 2018 08:35:06 +0100
+Subject: xen: fix xen_qlock_wait()
+
+From: Juergen Gross
+
+commit d3132b3860f6cf35ff7609a76bbcdbb814bd027c upstream.
+
+Commit a856531951dc80 ("xen: make xen_qlock_wait() nestable")
+introduced a regression for Xen guests running fully virtualized
+(HVM or PVH mode). The Xen hypervisor wouldn't return from the poll
+hypercall with interrupts disabled in case of an interrupt (for PV
+guests it does).
+
+So instead of disabling interrupts in xen_qlock_wait() use a nesting
+counter to avoid calling xen_clear_irq_pending() in case
+xen_qlock_wait() is nested.
+
+Fixes: a856531951dc80 ("xen: make xen_qlock_wait() nestable")
+Cc: stable@vger.kernel.org
+Reported-by: Sander Eikelenboom
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Tested-by: Sander Eikelenboom
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/spinlock.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -20,6 +21,7 @@
+
+ static DEFINE_PER_CPU(int, lock_kicker_irq) = -1;
+ static DEFINE_PER_CPU(char *, irq_name);
++static DEFINE_PER_CPU(atomic_t, xen_qlock_wait_nest);
+ static bool xen_pvspin = true;
+
+ #include
+@@ -40,25 +42,25 @@ static void xen_qlock_kick(int cpu)
+ */
+ static void xen_qlock_wait(u8 *byte, u8 val)
+ {
+- unsigned long flags;
+ int irq = __this_cpu_read(lock_kicker_irq);
++ atomic_t *nest_cnt = this_cpu_ptr(&xen_qlock_wait_nest);
+
+ /* If kicker interrupts not initialized yet, just spin */
+ if (irq == -1 || in_nmi())
+ return;
+
+- /* Guard against reentry. */
+- local_irq_save(flags);
++ /* Detect reentry. */
++ atomic_inc(nest_cnt);
+
+- /* If irq pending already clear it. */
+- if (xen_test_irq_pending(irq)) {
++ /* If irq pending already and no nested call clear it. */
++ if (atomic_read(nest_cnt) == 1 && xen_test_irq_pending(irq)) {
+ xen_clear_irq_pending(irq);
+ } else if (READ_ONCE(*byte) == val) {
+ /* Block until irq becomes pending (or a spurious wakeup) */
+ xen_poll_irq(irq);
+ }
+
+- local_irq_restore(flags);
++ atomic_dec(nest_cnt);
+ }
+
+ static irqreturn_t dummy_handler(int irq, void *dev_id)
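Review bot: In xen_qlock_wait(), the new comment `/* Detect reentry. */` no longer tells the reader what the counter protects: with local_irq_save() gone, an interrupt can re-enter the function between the increment and the poll, and the nested call has to leave the pending bit alone. I would spell that out, e.g. `/* A nested (interrupt) caller must not clear the irq the outer waiter is still relying on */`; that rationale is inferred from the commit message, so the author should confirm the wording. As a smaller style point, the increment and the test could be one step, `if (atomic_inc_return(nest_cnt) == 1 && xen_test_irq_pending(irq)) {`, which avoids reading the counter separately.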