From: Greg Kroah-Hartman Date: Wed, 26 Oct 2016 11:59:51 +0000 (+0200) Subject: 4.8-stable patches X-Git-Tag: v4.8.5~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f0a39a21e07b1d119eeeb26689965848bbd87b1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.8-stable patches added patches: arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch arm64-kaslr-fix-breakage-with-config_modversions-y.patch arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch ceph-fix-error-handling-in-ceph_read_iter.patch ext4-do-not-advertise-encryption-support-when-disabled.patch fscrypto-lock-inode-while-setting-encryption-policy.patch fscrypto-make-xts-tweak-initialization-endian-independent.patch isofs-do-not-return-eacces-for-unknown-filesystems.patch jbd2-fix-incorrect-unlock-on-j_list_lock.patch kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch mmc-core-annotate-cmd_hdr-as-__le32.patch mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch target-tcm_fc-use-cpu-affinity-for-responses.patch ubifs-abort-readdir-upon-error.patch ubifs-fix-xattr_names-length-in-exit-paths.patch --- diff --git a/queue-4.8/arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch b/queue-4.8/arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch new file mode 100644 index 00000000000..8c26bd1106e --- /dev/null +++ b/queue-4.8/arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch @@ -0,0 +1,93 @@ +From 87261d19046aeaeed8eb3d2793fde850ae1b5c9e Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Wed, 19 Oct 2016 14:40:54 +0100 +Subject: arm64: Cortex-A53 errata workaround: check for kernel addresses + +From: Andre Przywara + +commit 87261d19046aeaeed8eb3d2793fde850ae1b5c9e upstream. + +Commit 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on +errata-affected core") adds code to execute cache maintenance instructions +in the kernel on behalf of userland on CPUs with certain ARM CPU errata. +It turns out that the address hasn't been checked to be a valid user +space address, allowing userland to clean cache lines in kernel space. +Fix this by introducing an address check before executing the +instructions on behalf of userland. + +Since the address doesn't come via a syscall parameter, we can't just +reject tagged pointers and instead have to remove the tag when checking +against the user address limit. + +Fixes: 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on errata-affected core") +Reported-by: Kristina Martsenko +Signed-off-by: Andre Przywara +[will: rework commit message + replace access_ok with max_user_addr()] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/uaccess.h | 8 ++++++++ + arch/arm64/kernel/traps.c | 27 +++++++++++++++------------ + 2 files changed, 23 insertions(+), 12 deletions(-) + +--- a/arch/arm64/include/asm/uaccess.h ++++ b/arch/arm64/include/asm/uaccess.h +@@ -21,6 +21,7 @@ + /* + * User space memory access functions + */ ++#include + #include + #include + #include +@@ -102,6 +103,13 @@ static inline void set_fs(mm_segment_t f + flag; \ + }) + ++/* ++ * When dealing with data aborts or instruction traps we may end up with ++ * a tagged userland pointer. Clear the tag to get a sane pointer to pass ++ * on to access_ok(), for instance. ++ */ ++#define untagged_addr(addr) sign_extend64(addr, 55) ++ + #define access_ok(type, addr, size) __range_ok(addr, size) + #define user_addr_max get_fs + +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -434,18 +434,21 @@ void cpu_enable_cache_maint_trap(void *_ + } + + #define __user_cache_maint(insn, address, res) \ +- asm volatile ( \ +- "1: " insn ", %1\n" \ +- " mov %w0, #0\n" \ +- "2:\n" \ +- " .pushsection .fixup,\"ax\"\n" \ +- " .align 2\n" \ +- "3: mov %w0, %w2\n" \ +- " b 2b\n" \ +- " .popsection\n" \ +- _ASM_EXTABLE(1b, 3b) \ +- : "=r" (res) \ +- : "r" (address), "i" (-EFAULT) ) ++ if (untagged_addr(address) >= user_addr_max()) \ ++ res = -EFAULT; \ ++ else \ ++ asm volatile ( \ ++ "1: " insn ", %1\n" \ ++ " mov %w0, #0\n" \ ++ "2:\n" \ ++ " .pushsection .fixup,\"ax\"\n" \ ++ " .align 2\n" \ ++ "3: mov %w0, %w2\n" \ ++ " b 2b\n" \ ++ " .popsection\n" \ ++ _ASM_EXTABLE(1b, 3b) \ ++ : "=r" (res) \ ++ : "r" (address), "i" (-EFAULT) ) + + asmlinkage void __exception do_sysinstr(unsigned int esr, struct pt_regs *regs) + { diff --git a/queue-4.8/arm64-kaslr-fix-breakage-with-config_modversions-y.patch b/queue-4.8/arm64-kaslr-fix-breakage-with-config_modversions-y.patch new file mode 100644 index 00000000000..db0e4d1503d --- /dev/null +++ b/queue-4.8/arm64-kaslr-fix-breakage-with-config_modversions-y.patch @@ -0,0 +1,47 @@ +From 9c0e83c371cf4696926c95f9c8c77cd6ea803426 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 13 Oct 2016 17:42:09 +0100 +Subject: arm64: kaslr: fix breakage with CONFIG_MODVERSIONS=y + +From: Ard Biesheuvel + +commit 9c0e83c371cf4696926c95f9c8c77cd6ea803426 upstream. + +As it turns out, the KASLR code breaks CONFIG_MODVERSIONS, since the +kcrctab has an absolute address field that is relocated at runtime +when the kernel offset is randomized. + +This has been fixed already for PowerPC in the past, so simply wire up +the existing code dealing with this issue. + +Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR") +Tested-by: Timur Tabi +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/module.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm64/include/asm/module.h ++++ b/arch/arm64/include/asm/module.h +@@ -17,6 +17,7 @@ + #define __ASM_MODULE_H + + #include ++#include + + #define MODULE_ARCH_VERMAGIC "aarch64" + +@@ -32,6 +33,10 @@ u64 module_emit_plt_entry(struct module + Elf64_Sym *sym); + + #ifdef CONFIG_RANDOMIZE_BASE ++#ifdef CONFIG_MODVERSIONS ++#define ARCH_RELOCATES_KCRCTAB ++#define reloc_start (kimage_vaddr - KIMAGE_VADDR) ++#endif + extern u64 module_alloc_base; + #else + #define module_alloc_base ((u64)_etext - MODULES_VSIZE) diff --git a/queue-4.8/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch b/queue-4.8/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch new file mode 100644 index 00000000000..004cd262ddb --- /dev/null +++ b/queue-4.8/arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch @@ -0,0 +1,40 @@ +From 850540351bb1a4fa5f192e5ce55b89928cc57f42 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 17 Oct 2016 13:47:34 +0100 +Subject: arm64: kernel: Init MDCR_EL2 even in the absence of a PMU + +From: Marc Zyngier + +commit 850540351bb1a4fa5f192e5ce55b89928cc57f42 upstream. + +Commit f436b2ac90a0 ("arm64: kernel: fix architected PMU registers +unconditional access") made sure we wouldn't access unimplemented +PMU registers, but also left MDCR_EL2 uninitialized in that case, +leading to trap bits being potentially left set. + +Make sure we always write something in that register. + +Fixes: f436b2ac90a0 ("arm64: kernel: fix architected PMU registers unconditional access") +Cc: Lorenzo Pieralisi +Cc: Will Deacon +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/head.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -578,8 +578,9 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // C + b.lt 4f // Skip if no PMU present + mrs x0, pmcr_el0 // Disable debug access traps + ubfx x0, x0, #11, #5 // to EL2 and allow access to +- msr mdcr_el2, x0 // all PMU counters from EL1 + 4: ++ csel x0, xzr, x0, lt // all PMU counters from EL1 ++ msr mdcr_el2, x0 // (if they exist) + + /* Stage-2 translation */ + msr vttbr_el2, xzr diff --git a/queue-4.8/arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch b/queue-4.8/arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch new file mode 100644 index 00000000000..5a1b9a0a487 --- /dev/null +++ b/queue-4.8/arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch @@ -0,0 +1,70 @@ +From 60e21a0ef54cd836b9eb22c7cb396989b5b11648 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 29 Sep 2016 12:37:01 +0100 +Subject: arm64: KVM: Take S1 walks into account when determining S2 write faults + +From: Will Deacon + +commit 60e21a0ef54cd836b9eb22c7cb396989b5b11648 upstream. + +The WnR bit in the HSR/ESR_EL2 indicates whether a data abort was +generated by a read or a write instruction. For stage 2 data aborts +generated by a stage 1 translation table walk (i.e. the actual page +table access faults at EL2), the WnR bit therefore reports whether the +instruction generating the walk was a load or a store, *not* whether the +page table walker was reading or writing the entry. + +For page tables marked as read-only at stage 2 (e.g. due to KSM merging +them with the tables from another guest), this could result in livelock, +where a page table walk generated by a load instruction attempts to +set the access flag in the stage 1 descriptor, but fails to trigger +CoW in the host since only a read fault is reported. + +This patch modifies the arm64 kvm_vcpu_dabt_iswrite function to +take into account stage 2 faults in stage 1 walks. Since DBM cannot be +disabled at EL2 for CPUs that implement it, we assume that these faults +are always causes by writes, avoiding the livelock situation at the +expense of occasional, spurious CoWs. + +We could, in theory, do a bit better by checking the guest TCR +configuration and inspecting the page table to see why the PTE faulted. +However, I doubt this is measurable in practice, and the threat of +livelock is real. + +Cc: Julien Grall +Reviewed-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/kvm_emulate.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -167,11 +167,6 @@ static inline bool kvm_vcpu_dabt_isvalid + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_ISV); + } + +-static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu) +-{ +- return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR); +-} +- + static inline bool kvm_vcpu_dabt_issext(const struct kvm_vcpu *vcpu) + { + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SSE); +@@ -192,6 +187,12 @@ static inline bool kvm_vcpu_dabt_iss1tw( + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_S1PTW); + } + ++static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu) ++{ ++ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR) || ++ kvm_vcpu_dabt_iss1tw(vcpu); /* AF/DBM update */ ++} ++ + static inline bool kvm_vcpu_dabt_is_cm(const struct kvm_vcpu *vcpu) + { + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_CM); diff --git a/queue-4.8/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch b/queue-4.8/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch new file mode 100644 index 00000000000..f2e6a06ef78 --- /dev/null +++ b/queue-4.8/arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch @@ -0,0 +1,181 @@ +From 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 4 Jul 2016 17:44:48 +0100 +Subject: arm64: percpu: rewrite ll/sc loops in assembly + +From: Will Deacon + +commit 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 upstream. + +Writing the outer loop of an LL/SC sequence using do {...} while +constructs potentially allows the compiler to hoist memory accesses +between the STXR and the branch back to the LDXR. On CPUs that do not +guarantee forward progress of LL/SC loops when faced with memory +accesses to the same ERG (up to 2k) between the failed STXR and the +branch back, we may end up livelocking. + +This patch avoids this issue in our percpu atomics by rewriting the +outer loop as part of the LL/SC inline assembly block. + +Fixes: f97fc810798c ("arm64: percpu: Implement this_cpu operations") +Reviewed-by: Mark Rutland +Tested-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/percpu.h | 120 ++++++++++++++++++---------------------- + 1 file changed, 56 insertions(+), 64 deletions(-) + +--- a/arch/arm64/include/asm/percpu.h ++++ b/arch/arm64/include/asm/percpu.h +@@ -44,48 +44,44 @@ static inline unsigned long __percpu_##o + \ + switch (size) { \ + case 1: \ +- do { \ +- asm ("//__per_cpu_" #op "_1\n" \ +- "ldxrb %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_1\n" \ ++ "1: ldxrb %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxrb %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u8 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxrb %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u8 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 2: \ +- do { \ +- asm ("//__per_cpu_" #op "_2\n" \ +- "ldxrh %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_2\n" \ ++ "1: ldxrh %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxrh %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u16 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxrh %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u16 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 4: \ +- do { \ +- asm ("//__per_cpu_" #op "_4\n" \ +- "ldxr %w[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_4\n" \ ++ "1: ldxr %w[ret], %[ptr]\n" \ + #asm_op " %w[ret], %w[ret], %w[val]\n" \ +- "stxr %w[loop], %w[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u32 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxr %w[loop], %w[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u32 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + case 8: \ +- do { \ +- asm ("//__per_cpu_" #op "_8\n" \ +- "ldxr %[ret], %[ptr]\n" \ ++ asm ("//__per_cpu_" #op "_8\n" \ ++ "1: ldxr %[ret], %[ptr]\n" \ + #asm_op " %[ret], %[ret], %[val]\n" \ +- "stxr %w[loop], %[ret], %[ptr]\n" \ +- : [loop] "=&r" (loop), [ret] "=&r" (ret), \ +- [ptr] "+Q"(*(u64 *)ptr) \ +- : [val] "Ir" (val)); \ +- } while (loop); \ ++ " stxr %w[loop], %[ret], %[ptr]\n" \ ++ " cbnz %w[loop], 1b" \ ++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \ ++ [ptr] "+Q"(*(u64 *)ptr) \ ++ : [val] "Ir" (val)); \ + break; \ + default: \ + BUILD_BUG(); \ +@@ -150,44 +146,40 @@ static inline unsigned long __percpu_xch + + switch (size) { + case 1: +- do { +- asm ("//__percpu_xchg_1\n" +- "ldxrb %w[ret], %[ptr]\n" +- "stxrb %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u8 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_1\n" ++ "1: ldxrb %w[ret], %[ptr]\n" ++ " stxrb %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u8 *)ptr) ++ : [val] "r" (val)); + break; + case 2: +- do { +- asm ("//__percpu_xchg_2\n" +- "ldxrh %w[ret], %[ptr]\n" +- "stxrh %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u16 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_2\n" ++ "1: ldxrh %w[ret], %[ptr]\n" ++ " stxrh %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u16 *)ptr) ++ : [val] "r" (val)); + break; + case 4: +- do { +- asm ("//__percpu_xchg_4\n" +- "ldxr %w[ret], %[ptr]\n" +- "stxr %w[loop], %w[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u32 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_4\n" ++ "1: ldxr %w[ret], %[ptr]\n" ++ " stxr %w[loop], %w[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u32 *)ptr) ++ : [val] "r" (val)); + break; + case 8: +- do { +- asm ("//__percpu_xchg_8\n" +- "ldxr %[ret], %[ptr]\n" +- "stxr %w[loop], %[val], %[ptr]\n" +- : [loop] "=&r"(loop), [ret] "=&r"(ret), +- [ptr] "+Q"(*(u64 *)ptr) +- : [val] "r" (val)); +- } while (loop); ++ asm ("//__percpu_xchg_8\n" ++ "1: ldxr %[ret], %[ptr]\n" ++ " stxr %w[loop], %[val], %[ptr]\n" ++ " cbnz %w[loop], 1b" ++ : [loop] "=&r"(loop), [ret] "=&r"(ret), ++ [ptr] "+Q"(*(u64 *)ptr) ++ : [val] "r" (val)); + break; + default: + BUILD_BUG(); diff --git a/queue-4.8/arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch b/queue-4.8/arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch new file mode 100644 index 00000000000..680edf2b62e --- /dev/null +++ b/queue-4.8/arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch @@ -0,0 +1,108 @@ +From 1c5b51dfb7b4564008e0cadec5381a69e88b0d21 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 4 Jul 2016 16:59:43 +0100 +Subject: arm64: swp emulation: bound LL/SC retries before rescheduling + +From: Will Deacon + +commit 1c5b51dfb7b4564008e0cadec5381a69e88b0d21 upstream. + +If a CPU does not implement a global monitor for certain memory types, +then userspace can attempt a kernel DoS by issuing SWP instructions +targetting the problematic memory (for example, a framebuffer mapped +with non-cacheable attributes). + +The SWP emulation code protects against these sorts of attacks by +checking for pending signals and potentially rescheduling when the STXR +instruction fails during the emulation. Whilst this is good for avoiding +livelock, it harms emulation of legitimate SWP instructions on CPUs +where forward progress is not guaranteed if there are memory accesses to +the same reservation granule (up to 2k) between the failing STXR and +the retry of the LDXR. + +This patch solves the problem by retrying the STXR a bounded number of +times (4) before breaking out of the LL/SC loop and looking for +something else to do. + +Fixes: bd35a4adc413 ("arm64: Port SWP/SWPB emulation support from arm") +Reviewed-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/armv8_deprecated.c | 36 +++++++++++++++++++++-------------- + 1 file changed, 22 insertions(+), 14 deletions(-) + +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -280,35 +280,43 @@ static void __init register_insn_emulati + /* + * Error-checking SWP macros implemented using ldxr{b}/stxr{b} + */ +-#define __user_swpX_asm(data, addr, res, temp, B) \ ++ ++/* Arbitrary constant to ensure forward-progress of the LL/SC loop */ ++#define __SWP_LL_SC_LOOPS 4 ++ ++#define __user_swpX_asm(data, addr, res, temp, temp2, B) \ + __asm__ __volatile__( \ ++ " mov %w3, %w7\n" \ + ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, \ + CONFIG_ARM64_PAN) \ +- "0: ldxr"B" %w2, [%3]\n" \ +- "1: stxr"B" %w0, %w1, [%3]\n" \ ++ "0: ldxr"B" %w2, [%4]\n" \ ++ "1: stxr"B" %w0, %w1, [%4]\n" \ + " cbz %w0, 2f\n" \ +- " mov %w0, %w4\n" \ ++ " sub %w3, %w3, #1\n" \ ++ " cbnz %w3, 0b\n" \ ++ " mov %w0, %w5\n" \ + " b 3f\n" \ + "2:\n" \ + " mov %w1, %w2\n" \ + "3:\n" \ + " .pushsection .fixup,\"ax\"\n" \ + " .align 2\n" \ +- "4: mov %w0, %w5\n" \ ++ "4: mov %w0, %w6\n" \ + " b 3b\n" \ + " .popsection" \ + _ASM_EXTABLE(0b, 4b) \ + _ASM_EXTABLE(1b, 4b) \ + ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, \ + CONFIG_ARM64_PAN) \ +- : "=&r" (res), "+r" (data), "=&r" (temp) \ +- : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT) \ ++ : "=&r" (res), "+r" (data), "=&r" (temp), "=&r" (temp2) \ ++ : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT), \ ++ "i" (__SWP_LL_SC_LOOPS) \ + : "memory") + +-#define __user_swp_asm(data, addr, res, temp) \ +- __user_swpX_asm(data, addr, res, temp, "") +-#define __user_swpb_asm(data, addr, res, temp) \ +- __user_swpX_asm(data, addr, res, temp, "b") ++#define __user_swp_asm(data, addr, res, temp, temp2) \ ++ __user_swpX_asm(data, addr, res, temp, temp2, "") ++#define __user_swpb_asm(data, addr, res, temp, temp2) \ ++ __user_swpX_asm(data, addr, res, temp, temp2, "b") + + /* + * Bit 22 of the instruction encoding distinguishes between +@@ -328,12 +336,12 @@ static int emulate_swpX(unsigned int add + } + + while (1) { +- unsigned long temp; ++ unsigned long temp, temp2; + + if (type == TYPE_SWPB) +- __user_swpb_asm(*data, address, res, temp); ++ __user_swpb_asm(*data, address, res, temp, temp2); + else +- __user_swp_asm(*data, address, res, temp); ++ __user_swp_asm(*data, address, res, temp, temp2); + + if (likely(res != -EAGAIN) || signal_pending(current)) + break; diff --git a/queue-4.8/ceph-fix-error-handling-in-ceph_read_iter.patch b/queue-4.8/ceph-fix-error-handling-in-ceph_read_iter.patch new file mode 100644 index 00000000000..1cb4b192d6d --- /dev/null +++ b/queue-4.8/ceph-fix-error-handling-in-ceph_read_iter.patch @@ -0,0 +1,38 @@ +From 0d7718f666be181fda1ba2d08f137d87c1419347 Mon Sep 17 00:00:00 2001 +From: Nikolay Borisov +Date: Mon, 10 Oct 2016 15:38:18 +0300 +Subject: ceph: fix error handling in ceph_read_iter + +From: Nikolay Borisov + +commit 0d7718f666be181fda1ba2d08f137d87c1419347 upstream. + +In case __ceph_do_getattr returns an error and the retry_op in +ceph_read_iter is not READ_INLINE, then it's possible to invoke +__free_page on a page which is NULL, this naturally leads to a crash. +This can happen when, for example, a process waiting on a MDS reply +receives sigterm. + +Fix this by explicitly checking whether the page is set or not. + +Signed-off-by: Nikolay Borisov +Reviewed-by: Yan, Zheng +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1272,7 +1272,8 @@ again: + statret = __ceph_do_getattr(inode, page, + CEPH_STAT_CAP_INLINE_DATA, !!page); + if (statret < 0) { +- __free_page(page); ++ if (page) ++ __free_page(page); + if (statret == -ENODATA) { + BUG_ON(retry_op != READ_INLINE); + goto again; diff --git a/queue-4.8/ext4-do-not-advertise-encryption-support-when-disabled.patch b/queue-4.8/ext4-do-not-advertise-encryption-support-when-disabled.patch new file mode 100644 index 00000000000..e4630769a31 --- /dev/null +++ b/queue-4.8/ext4-do-not-advertise-encryption-support-when-disabled.patch @@ -0,0 +1,47 @@ +From c4704a4fbe834eee4109ca064131d440941f6235 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 12 Oct 2016 23:24:51 -0400 +Subject: ext4: do not advertise encryption support when disabled + +From: Eric Biggers + +commit c4704a4fbe834eee4109ca064131d440941f6235 upstream. + +The sysfs file /sys/fs/ext4/features/encryption was present on kernels +compiled with CONFIG_EXT4_FS_ENCRYPTION=n. This was misleading because +such kernels do not actually support ext4 encryption. Therefore, only +provide this file on kernels compiled with CONFIG_EXT4_FS_ENCRYPTION=y. + +Note: since the ext4 feature files are all hardcoded to have a contents +of "supported", it really is the presence or absence of the file that is +significant, not the contents (and this change reflects that). + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/sysfs.c ++++ b/fs/ext4/sysfs.c +@@ -223,14 +223,18 @@ static struct attribute *ext4_attrs[] = + EXT4_ATTR_FEATURE(lazy_itable_init); + EXT4_ATTR_FEATURE(batched_discard); + EXT4_ATTR_FEATURE(meta_bg_resize); ++#ifdef CONFIG_EXT4_FS_ENCRYPTION + EXT4_ATTR_FEATURE(encryption); ++#endif + EXT4_ATTR_FEATURE(metadata_csum_seed); + + static struct attribute *ext4_feat_attrs[] = { + ATTR_LIST(lazy_itable_init), + ATTR_LIST(batched_discard), + ATTR_LIST(meta_bg_resize), ++#ifdef CONFIG_EXT4_FS_ENCRYPTION + ATTR_LIST(encryption), ++#endif + ATTR_LIST(metadata_csum_seed), + NULL, + }; diff --git a/queue-4.8/fscrypto-lock-inode-while-setting-encryption-policy.patch b/queue-4.8/fscrypto-lock-inode-while-setting-encryption-policy.patch new file mode 100644 index 00000000000..ccd02ae997a --- /dev/null +++ b/queue-4.8/fscrypto-lock-inode-while-setting-encryption-policy.patch @@ -0,0 +1,44 @@ +From 8906a8223ad4909b391c5628f7991ebceda30e52 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 15 Oct 2016 09:48:50 -0400 +Subject: fscrypto: lock inode while setting encryption policy + +From: Eric Biggers + +commit 8906a8223ad4909b391c5628f7991ebceda30e52 upstream. + +i_rwsem needs to be acquired while setting an encryption policy so that +concurrent calls to FS_IOC_SET_ENCRYPTION_POLICY are correctly +serialized (especially the ->get_context() + ->set_context() pair), and +so that new files cannot be created in the directory during or after the +->empty_dir() check. + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Reviewed-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/crypto/policy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/crypto/policy.c ++++ b/fs/crypto/policy.c +@@ -109,6 +109,8 @@ int fscrypt_process_policy(struct file * + if (ret) + return ret; + ++ inode_lock(inode); ++ + if (!inode_has_encryption_context(inode)) { + if (!S_ISDIR(inode->i_mode)) + ret = -EINVAL; +@@ -127,6 +129,8 @@ int fscrypt_process_policy(struct file * + ret = -EINVAL; + } + ++ inode_unlock(inode); ++ + mnt_drop_write_file(filp); + return ret; + } diff --git a/queue-4.8/fscrypto-make-xts-tweak-initialization-endian-independent.patch b/queue-4.8/fscrypto-make-xts-tweak-initialization-endian-independent.patch new file mode 100644 index 00000000000..f079543a535 --- /dev/null +++ b/queue-4.8/fscrypto-make-xts-tweak-initialization-endian-independent.patch @@ -0,0 +1,64 @@ +From fb4454376df9d820d95452d71dd83da6971f9338 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 12 Oct 2016 23:30:16 -0400 +Subject: fscrypto: make XTS tweak initialization endian-independent + +From: Eric Biggers + +commit fb4454376df9d820d95452d71dd83da6971f9338 upstream. + +The XTS tweak (or IV) was initialized differently on little endian and +big endian systems. Because the ciphertext depends on the XTS tweak, it +was not possible to use an encrypted filesystem created by a little +endian system on a big endian system and vice versa, even if they shared +the same PAGE_SIZE. Fix this by always using little endian. + +This will break hypothetical big endian users of ext4 or f2fs +encryption. However, all users we are aware of are little endian, and +it's believed that "real" big endian users are unlikely to exist yet. +So this might as well be fixed now before it's too late. + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/crypto/crypto.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/crypto/crypto.c ++++ b/fs/crypto/crypto.c +@@ -152,7 +152,10 @@ static int do_page_crypto(struct inode * + struct page *src_page, struct page *dest_page, + gfp_t gfp_flags) + { +- u8 xts_tweak[FS_XTS_TWEAK_SIZE]; ++ struct { ++ __le64 index; ++ u8 padding[FS_XTS_TWEAK_SIZE - sizeof(__le64)]; ++ } xts_tweak; + struct skcipher_request *req = NULL; + DECLARE_FS_COMPLETION_RESULT(ecr); + struct scatterlist dst, src; +@@ -172,17 +175,15 @@ static int do_page_crypto(struct inode * + req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP, + fscrypt_complete, &ecr); + +- BUILD_BUG_ON(FS_XTS_TWEAK_SIZE < sizeof(index)); +- memcpy(xts_tweak, &index, sizeof(index)); +- memset(&xts_tweak[sizeof(index)], 0, +- FS_XTS_TWEAK_SIZE - sizeof(index)); ++ BUILD_BUG_ON(sizeof(xts_tweak) != FS_XTS_TWEAK_SIZE); ++ xts_tweak.index = cpu_to_le64(index); ++ memset(xts_tweak.padding, 0, sizeof(xts_tweak.padding)); + + sg_init_table(&dst, 1); + sg_set_page(&dst, dest_page, PAGE_SIZE, 0); + sg_init_table(&src, 1); + sg_set_page(&src, src_page, PAGE_SIZE, 0); +- skcipher_request_set_crypt(req, &src, &dst, PAGE_SIZE, +- xts_tweak); ++ skcipher_request_set_crypt(req, &src, &dst, PAGE_SIZE, &xts_tweak); + if (rw == FS_DECRYPT) + res = crypto_skcipher_decrypt(req); + else diff --git a/queue-4.8/isofs-do-not-return-eacces-for-unknown-filesystems.patch b/queue-4.8/isofs-do-not-return-eacces-for-unknown-filesystems.patch new file mode 100644 index 00000000000..319956ae169 --- /dev/null +++ b/queue-4.8/isofs-do-not-return-eacces-for-unknown-filesystems.patch @@ -0,0 +1,51 @@ +From a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 4 Oct 2016 13:44:06 +0200 +Subject: isofs: Do not return EACCES for unknown filesystems + +From: Jan Kara + +commit a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a upstream. + +When isofs_mount() is called to mount a device read-write, it returns +EACCES even before it checks that the device actually contains an isofs +filesystem. This may confuse mount(8) which then tries to mount all +subsequent filesystem types in read-only mode. + +Fix the problem by returning EACCES only once we verify that the device +indeed contains an iso9660 filesystem. + +Fixes: 17b7f7cf58926844e1dd40f5eb5348d481deca6a +Reported-by: Kent Overstreet +Reported-by: Karel Zak +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/isofs/inode.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -687,6 +687,11 @@ static int isofs_fill_super(struct super + pri_bh = NULL; + + root_found: ++ /* We don't support read-write mounts */ ++ if (!(s->s_flags & MS_RDONLY)) { ++ error = -EACCES; ++ goto out_freebh; ++ } + + if (joliet_level && (pri == NULL || !opt.rock)) { + /* This is the case of Joliet with the norock mount flag. +@@ -1501,9 +1506,6 @@ struct inode *__isofs_iget(struct super_ + static struct dentry *isofs_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + { +- /* We don't support read-write mounts */ +- if (!(flags & MS_RDONLY)) +- return ERR_PTR(-EACCES); + return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super); + } + diff --git a/queue-4.8/jbd2-fix-incorrect-unlock-on-j_list_lock.patch b/queue-4.8/jbd2-fix-incorrect-unlock-on-j_list_lock.patch new file mode 100644 index 00000000000..6779d0a4c2e --- /dev/null +++ b/queue-4.8/jbd2-fix-incorrect-unlock-on-j_list_lock.patch @@ -0,0 +1,47 @@ +From 559cce698eaf4ccecb2213b2519ea3a0413e5155 Mon Sep 17 00:00:00 2001 +From: Taesoo Kim +Date: Wed, 12 Oct 2016 23:19:18 -0400 +Subject: jbd2: fix incorrect unlock on j_list_lock + +From: Taesoo Kim + +commit 559cce698eaf4ccecb2213b2519ea3a0413e5155 upstream. + +When 'jh->b_transaction == transaction' (asserted by below) + + J_ASSERT_JH(jh, (jh->b_transaction == transaction || ... + +'journal->j_list_lock' will be incorrectly unlocked, since +the the lock is aquired only at the end of if / else-if +statements (missing the else case). + +Signed-off-by: Taesoo Kim +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Fixes: 6e4862a5bb9d12be87e4ea5d9a60836ebed71d28 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1149,6 +1149,7 @@ int jbd2_journal_get_create_access(handl + JBUFFER_TRACE(jh, "file as BJ_Reserved"); + spin_lock(&journal->j_list_lock); + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved); ++ spin_unlock(&journal->j_list_lock); + } else if (jh->b_transaction == journal->j_committing_transaction) { + /* first access by this transaction */ + jh->b_modified = 0; +@@ -1156,8 +1157,8 @@ int jbd2_journal_get_create_access(handl + JBUFFER_TRACE(jh, "set next transaction"); + spin_lock(&journal->j_list_lock); + jh->b_next_transaction = transaction; ++ spin_unlock(&journal->j_list_lock); + } +- spin_unlock(&journal->j_list_lock); + jbd_unlock_bh_state(bh); + + /* diff --git a/queue-4.8/kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch b/queue-4.8/kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch new file mode 100644 index 00000000000..0c1f7e9678e --- /dev/null +++ b/queue-4.8/kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch @@ -0,0 +1,60 @@ +From a5efb6b6c99a3a6dc4330f51d8066f638bdea0ac Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Wed, 28 Sep 2016 16:18:47 +0200 +Subject: KVM: s390: reject invalid modes for runtime instrumentation + +From: Christian Borntraeger + +commit a5efb6b6c99a3a6dc4330f51d8066f638bdea0ac upstream. + +Usually a validity intercept is a programming error of the host +because of invalid entries in the state description. +We can get a validity intercept if the mode of the runtime +instrumentation control block is wrong. As the host does not know +which modes are valid, this can be used by userspace to trigger +a WARN. +Instead of printing a WARN let's return an error to userspace as +this can only happen if userspace provides a malformed initial +value (e.g. on migration). The kernel should never warn on bogus +input. Instead let's log it into the s390 debug feature. + +While at it, let's return -EINVAL for all validity intercepts as +this will trigger an error in QEMU like + +error: kvm run failed Invalid argument +PSW=mask 0404c00180000000 addr 000000000063c226 cc 00 +R00=000000000000004f R01=0000000000000004 R02=0000000000760005 R03=000000007fe0a000 +R04=000000000064ba2a R05=000000049db73dd0 R06=000000000082c4b0 R07=0000000000000041 +R08=0000000000000002 R09=000003e0804042a8 R10=0000000496152c42 R11=000000007fe0afb0 +[...] + +This will avoid an endless loop of validity intercepts. + +Fixes: c6e5f166373a ("KVM: s390: implement the RI support of guest") +Acked-by: Fan Zhang +Reviewed-by: Pierre Morel +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/intercept.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -118,8 +118,13 @@ static int handle_validity(struct kvm_vc + + vcpu->stat.exit_validity++; + trace_kvm_s390_intercept_validity(vcpu, viwhy); +- WARN_ONCE(true, "kvm: unhandled validity intercept 0x%x\n", viwhy); +- return -EOPNOTSUPP; ++ KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy, ++ current->pid, vcpu->kvm); ++ ++ /* do not warn on invalid runtime instrumentation mode */ ++ WARN_ONCE(viwhy != 0x44, "kvm: unhandled validity intercept 0x%x\n", ++ viwhy); ++ return -EINVAL; + } + + static int handle_instruction(struct kvm_vcpu *vcpu) diff --git a/queue-4.8/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch b/queue-4.8/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch new file mode 100644 index 00000000000..97bf44ecd6d --- /dev/null +++ b/queue-4.8/memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch @@ -0,0 +1,60 @@ +From 9158cb29e7c2f10dd325eb1589f0fe745a271257 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Wed, 28 Sep 2016 11:33:28 -0700 +Subject: memstick: rtsx_usb_ms: Manage runtime PM when accessing the device + +From: Ulf Hansson + +commit 9158cb29e7c2f10dd325eb1589f0fe745a271257 upstream. + +Accesses to the rtsx usb device, which is the parent of the rtsx memstick +device, must not be done unless it's runtime resumed. This is currently not +the case and it could trigger various errors. + +Fix this by properly deal with runtime PM in this regards. This means +making sure the device is runtime resumed, when serving requests via the +->request() callback or changing settings via the ->set_param() callbacks. + +Cc: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/rtsx_usb_ms.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/memstick/host/rtsx_usb_ms.c ++++ b/drivers/memstick/host/rtsx_usb_ms.c +@@ -524,6 +524,7 @@ static void rtsx_usb_ms_handle_req(struc + int rc; + + if (!host->req) { ++ pm_runtime_get_sync(ms_dev(host)); + do { + rc = memstick_next_req(msh, &host->req); + dev_dbg(ms_dev(host), "next req %d\n", rc); +@@ -544,6 +545,7 @@ static void rtsx_usb_ms_handle_req(struc + host->req->error); + } + } while (!rc); ++ pm_runtime_put(ms_dev(host)); + } + + } +@@ -570,6 +572,7 @@ static int rtsx_usb_ms_set_param(struct + dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n", + __func__, param, value); + ++ pm_runtime_get_sync(ms_dev(host)); + mutex_lock(&ucr->dev_mutex); + + err = rtsx_usb_card_exclusive_check(ucr, RTSX_USB_MS_CARD); +@@ -635,6 +638,7 @@ static int rtsx_usb_ms_set_param(struct + } + out: + mutex_unlock(&ucr->dev_mutex); ++ pm_runtime_put(ms_dev(host)); + + /* power-on delay */ + if (param == MEMSTICK_POWER && value == MEMSTICK_POWER_ON) diff --git a/queue-4.8/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch b/queue-4.8/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch new file mode 100644 index 00000000000..062c109c81f --- /dev/null +++ b/queue-4.8/memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch @@ -0,0 +1,44 @@ +From 796aa46adf1d90eab36ae06a42e6d3f10b28a75c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 26 Sep 2016 15:45:41 -0700 +Subject: memstick: rtsx_usb_ms: Runtime resume the device when polling for cards + +From: Alan Stern + +commit 796aa46adf1d90eab36ae06a42e6d3f10b28a75c upstream. + +Accesses to the rtsx usb device, which is the parent of the rtsx memstick +device, must not be done unless it's runtime resumed. + +Therefore when the rtsx_usb_ms driver polls for inserted memstick cards, +let's add pm_runtime_get|put*() to make sure accesses is done when the +rtsx usb device is runtime resumed. + +Reported-by: Ritesh Raj Sarraf +Tested-by: Ritesh Raj Sarraf +Signed-off-by: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/rtsx_usb_ms.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/memstick/host/rtsx_usb_ms.c ++++ b/drivers/memstick/host/rtsx_usb_ms.c +@@ -681,6 +681,7 @@ static int rtsx_usb_detect_ms_card(void + int err; + + for (;;) { ++ pm_runtime_get_sync(ms_dev(host)); + mutex_lock(&ucr->dev_mutex); + + /* Check pending MS card changes */ +@@ -703,6 +704,7 @@ static int rtsx_usb_detect_ms_card(void + } + + poll_again: ++ pm_runtime_put(ms_dev(host)); + if (host->eject) + break; + diff --git a/queue-4.8/mmc-core-annotate-cmd_hdr-as-__le32.patch b/queue-4.8/mmc-core-annotate-cmd_hdr-as-__le32.patch new file mode 100644 index 00000000000..89eca457105 --- /dev/null +++ b/queue-4.8/mmc-core-annotate-cmd_hdr-as-__le32.patch @@ -0,0 +1,53 @@ +From 3f2d26643595973e835e8356ea90c7c15cb1b0f1 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 3 Oct 2016 10:58:28 +0200 +Subject: mmc: core: Annotate cmd_hdr as __le32 + +From: Jiri Slaby + +commit 3f2d26643595973e835e8356ea90c7c15cb1b0f1 upstream. + +Commit f68381a70bb2 (mmc: block: fix packed command header endianness) +correctly fixed endianness handling of packed_cmd_hdr in +mmc_blk_packed_hdr_wrq_prep. + +But now, sparse complains about incorrect types: +drivers/mmc/card/block.c:1613:27: sparse: incorrect type in assignment (different base types) +drivers/mmc/card/block.c:1613:27: expected unsigned int [unsigned] [usertype] +drivers/mmc/card/block.c:1613:27: got restricted __le32 [usertype] +... + +So annotate cmd_hdr properly using __le32 to make everyone happy. + +Signed-off-by: Jiri Slaby +Fixes: f68381a70bb2 (mmc: block: fix packed command header endianness) +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/card/block.c | 2 +- + drivers/mmc/card/queue.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/card/block.c ++++ b/drivers/mmc/card/block.c +@@ -1778,7 +1778,7 @@ static void mmc_blk_packed_hdr_wrq_prep( + struct mmc_blk_data *md = mq->data; + struct mmc_packed *packed = mqrq->packed; + bool do_rel_wr, do_data_tag; +- u32 *packed_cmd_hdr; ++ __le32 *packed_cmd_hdr; + u8 hdr_blocks; + u8 i = 1; + +--- a/drivers/mmc/card/queue.h ++++ b/drivers/mmc/card/queue.h +@@ -31,7 +31,7 @@ enum mmc_packed_type { + + struct mmc_packed { + struct list_head list; +- u32 cmd_hdr[1024]; ++ __le32 cmd_hdr[1024]; + unsigned int blocks; + u8 nr_entries; + u8 retries; diff --git a/queue-4.8/mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch b/queue-4.8/mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch new file mode 100644 index 00000000000..bd1235bcc4c --- /dev/null +++ b/queue-4.8/mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch @@ -0,0 +1,45 @@ +From 1720d3545b772c49b2975eeb3b8f4d3f56dc2085 Mon Sep 17 00:00:00 2001 +From: Shawn Lin +Date: Fri, 30 Sep 2016 14:18:58 +0800 +Subject: mmc: core: switch to 1V8 or 1V2 for hs400es mode + +From: Shawn Lin + +commit 1720d3545b772c49b2975eeb3b8f4d3f56dc2085 upstream. + +When introducing hs400es, I didn't notice that we haven't +switched voltage to 1V2 or 1V8 for it. That happens to work +as the first controller claiming to support hs400es, arasan(5.1), +which is designed to only support 1V8. So the voltage is fixed to 1V8. +But it actually is wrong, and will not fit for other host controllers. +Let's fix it. + +Fixes: commit 81ac2af65793ecf ("mmc: core: implement enhanced strobe support") +Signed-off-by: Shawn Lin +Reviewed-by: Douglas Anderson +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1259,6 +1259,16 @@ static int mmc_select_hs400es(struct mmc + goto out_err; + } + ++ if (card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS400_1_2V) ++ err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_120); ++ ++ if (err && card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS400_1_8V) ++ err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_180); ++ ++ /* If fails try again during next card power cycle */ ++ if (err) ++ goto out_err; ++ + err = mmc_select_bus_width(card); + if (err < 0) + goto out_err; diff --git a/queue-4.8/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch b/queue-4.8/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch new file mode 100644 index 00000000000..f14d1edcb2a --- /dev/null +++ b/queue-4.8/mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch @@ -0,0 +1,36 @@ +From 31cf742f515c275d22843c4c756e048d2b6d716c Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 27 Sep 2016 08:44:33 -0700 +Subject: mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused + +From: Ulf Hansson + +commit 31cf742f515c275d22843c4c756e048d2b6d716c upstream. + +The rtsx_usb_sdmmc driver may bail out in its ->set_ios() callback when no +SD card is inserted. This is wrong, as it could cause the device to remain +runtime resumed when it's unused. Fix this behaviour. + +Tested-by: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1138,11 +1138,6 @@ static void sdmmc_set_ios(struct mmc_hos + dev_dbg(sdmmc_dev(host), "%s\n", __func__); + mutex_lock(&ucr->dev_mutex); + +- if (rtsx_usb_card_exclusive_check(ucr, RTSX_USB_SD_CARD)) { +- mutex_unlock(&ucr->dev_mutex); +- return; +- } +- + sd_set_power_mode(host, ios->power_mode); + sd_set_bus_width(host, ios->bus_width); + sd_set_timing(host, ios->timing, &host->ddr_mode); diff --git a/queue-4.8/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch b/queue-4.8/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch new file mode 100644 index 00000000000..81dedec354f --- /dev/null +++ b/queue-4.8/mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch @@ -0,0 +1,42 @@ +From 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Thu, 15 Sep 2016 14:46:21 +0200 +Subject: mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led + +From: Ulf Hansson + +commit 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 upstream. + +Accesses of the rtsx sdmmc's parent device, which is the rtsx usb device, +must be done when it's runtime resumed. Currently this isn't case when +changing the led, so let's fix this by adding a pm_runtime_get_sync() and +a pm_runtime_put() around those operations. + +Reported-by: Ritesh Raj Sarraf +Tested-by: Ritesh Raj Sarraf +Cc: Alan Stern +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1309,6 +1309,7 @@ static void rtsx_usb_update_led(struct w + container_of(work, struct rtsx_usb_sdmmc, led_work); + struct rtsx_ucr *ucr = host->ucr; + ++ pm_runtime_get_sync(sdmmc_dev(host)); + mutex_lock(&ucr->dev_mutex); + + if (host->led.brightness == LED_OFF) +@@ -1317,6 +1318,7 @@ static void rtsx_usb_update_led(struct w + rtsx_usb_turn_on_led(ucr); + + mutex_unlock(&ucr->dev_mutex); ++ pm_runtime_put(sdmmc_dev(host)); + } + #endif + diff --git a/queue-4.8/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch b/queue-4.8/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch new file mode 100644 index 00000000000..61025b4971e --- /dev/null +++ b/queue-4.8/powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch @@ -0,0 +1,37 @@ +From d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Fri, 17 Jun 2016 18:53:28 +0200 +Subject: powerpc/mm: Prevent unlikely crash in copro_calculate_slb() + +From: Frederic Barrat + +commit d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 upstream. + +If a cxl adapter faults on an invalid address for a kernel context, we +may enter copro_calculate_slb() with a NULL mm pointer (kernel +context) and an effective address which looks like a user +address. Which will cause a crash when dereferencing mm. It is clearly +an AFU bug, but there's no reason to crash either. So return an error, +so that cxl can ack the interrupt with an address error. + +Fixes: 73d16a6e0e51 ("powerpc/cell: Move data segment faulting code out of cell platform") +Signed-off-by: Frederic Barrat +Acked-by: Ian Munsie +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/copro_fault.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/mm/copro_fault.c ++++ b/arch/powerpc/mm/copro_fault.c +@@ -106,6 +106,8 @@ int copro_calculate_slb(struct mm_struct + switch (REGION_ID(ea)) { + case USER_REGION_ID: + pr_devel("%s: 0x%llx -- USER_REGION_ID\n", __func__, ea); ++ if (mm == NULL) ++ return 1; + psize = get_slice_psize(mm, ea); + ssize = user_segment_size(ea); + vsid = get_vsid(mm->context.id, ea, ssize); diff --git a/queue-4.8/revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch b/queue-4.8/revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch new file mode 100644 index 00000000000..7328125a25e --- /dev/null +++ b/queue-4.8/revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch @@ -0,0 +1,73 @@ +From 61f36166c245e563c7a2b624f4c78c5ce0f680d6 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 16 Oct 2016 00:27:42 -0700 +Subject: Revert "target: Fix residual overflow handling in target_complete_cmd_with_length" + +From: Nicholas Bellinger + +commit 61f36166c245e563c7a2b624f4c78c5ce0f680d6 upstream. + +This reverts commit c1ccbfe0311e2380a6d2dcb0714b36904f5d586f. + +Reverting this patch, as it incorrectly assumes the additional length +for INQUIRY in target_complete_cmd_with_length() is SCSI allocation +length, which breaks existing user-space code when SCSI allocation +length is smaller than additional length. + + root@scsi-mq:~# sg_inq --len=4 -vvvv /dev/sdb + found bsg_major=253 + open /dev/sdb with flags=0x800 + inquiry cdb: 12 00 00 00 04 00 + duration=0 ms + inquiry: pass-through requested 4 bytes (data-in) but got -28 bytes + inquiry: pass-through can't get negative bytes, say it got none + inquiry: got too few bytes (0) + INQUIRY resid (32) should never exceed requested len=4 + inquiry: failed requesting 4 byte response: Malformed response to + SCSI command [resid=32] + +AFAICT the original change was not to address a specific host issue, +so go ahead and revert to original logic for now. + +Cc: Douglas Gilbert +Cc: Martin K. Petersen +Cc: Sumit Rai +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -754,15 +754,7 @@ EXPORT_SYMBOL(target_complete_cmd); + + void target_complete_cmd_with_length(struct se_cmd *cmd, u8 scsi_status, int length) + { +- if (scsi_status != SAM_STAT_GOOD) { +- return; +- } +- +- /* +- * Calculate new residual count based upon length of SCSI data +- * transferred. +- */ +- if (length < cmd->data_length) { ++ if (scsi_status == SAM_STAT_GOOD && length < cmd->data_length) { + if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) { + cmd->residual_count += cmd->data_length - length; + } else { +@@ -771,12 +763,6 @@ void target_complete_cmd_with_length(str + } + + cmd->data_length = length; +- } else if (length > cmd->data_length) { +- cmd->se_cmd_flags |= SCF_OVERFLOW_BIT; +- cmd->residual_count = length - cmd->data_length; +- } else { +- cmd->se_cmd_flags &= ~(SCF_OVERFLOW_BIT | SCF_UNDERFLOW_BIT); +- cmd->residual_count = 0; + } + + target_complete_cmd(cmd, scsi_status); diff --git a/queue-4.8/series b/queue-4.8/series index 890e10508e0..efead7bcf1e 100644 --- a/queue-4.8/series +++ b/queue-4.8/series @@ -111,3 +111,30 @@ irqchip-gicv3-handle-loop-timeout-proper.patch irqchip-eznps-acknowledge-nps_ipi-before-calling-the-handler.patch irqchip-gic-v3-its-fix-entry-size-mask-for-gits_baser.patch cxl-prevent-adapter-reset-if-an-active-context-exists.patch +isofs-do-not-return-eacces-for-unknown-filesystems.patch +memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch +memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch +arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch +arm64-kaslr-fix-breakage-with-config_modversions-y.patch +arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch +arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch +arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch +arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch +ceph-fix-error-handling-in-ceph_read_iter.patch +powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch +mmc-core-annotate-cmd_hdr-as-__le32.patch +mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch +mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch +mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch +kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch +fscrypto-make-xts-tweak-initialization-endian-independent.patch +fscrypto-lock-inode-while-setting-encryption-policy.patch +ext4-do-not-advertise-encryption-support-when-disabled.patch +jbd2-fix-incorrect-unlock-on-j_list_lock.patch +ubifs-fix-xattr_names-length-in-exit-paths.patch +ubifs-abort-readdir-upon-error.patch +target-tcm_fc-use-cpu-affinity-for-responses.patch +target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch +target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch +target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch +revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch diff --git a/queue-4.8/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch b/queue-4.8/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch new file mode 100644 index 00000000000..79c6877a423 --- /dev/null +++ b/queue-4.8/target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch @@ -0,0 +1,86 @@ +From 926317de33998c112c5510301868ea9aa34097e2 Mon Sep 17 00:00:00 2001 +From: Dinesh Israni +Date: Mon, 10 Oct 2016 20:22:03 -0700 +Subject: target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code + +From: Dinesh Israni + +commit 926317de33998c112c5510301868ea9aa34097e2 upstream. + +This patch addresses a bug where a local EXTENDED_COPY WRITE or READ +backend I/O request would always return SAM_STAT_CHECK_CONDITION, +even if underlying xcopy_pt_cmd->se_cmd generated a different +SCSI status code. + +ESX host environments expect to hit SAM_STAT_RESERVATION_CONFLICT +for certain scenarios, and SAM_STAT_CHECK_CONDITION results in +non-retriable status for these cases. + +Tested on v4.1.y with ESX v5.5u2+ with local IBLOCK backend copy. + +Reported-by: Nixon Vincent +Tested-by: Nixon Vincent +Cc: Nixon Vincent +Tested-by: Dinesh Israni +Signed-off-by: Dinesh Israni +Cc: Dinesh Israni +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_xcopy.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/target/target_core_xcopy.c ++++ b/drivers/target/target_core_xcopy.c +@@ -662,6 +662,7 @@ static int target_xcopy_read_source( + rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0], + remote_port, true); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + transport_generic_free_cmd(se_cmd, 0); + return rc; + } +@@ -673,6 +674,7 @@ static int target_xcopy_read_source( + + rc = target_xcopy_issue_pt_cmd(xpt_cmd); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + transport_generic_free_cmd(se_cmd, 0); + return rc; + } +@@ -723,6 +725,7 @@ static int target_xcopy_write_destinatio + remote_port, false); + if (rc < 0) { + struct se_cmd *src_cmd = &xop->src_pt_cmd->se_cmd; ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + /* + * If the failure happened before the t_mem_list hand-off in + * target_xcopy_setup_pt_cmd(), Reset memory + clear flag so that +@@ -738,6 +741,7 @@ static int target_xcopy_write_destinatio + + rc = target_xcopy_issue_pt_cmd(xpt_cmd); + if (rc < 0) { ++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status; + se_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC; + transport_generic_free_cmd(se_cmd, 0); + return rc; +@@ -824,10 +828,14 @@ static void target_xcopy_do_work(struct + out: + xcopy_pt_undepend_remotedev(xop); + kfree(xop); +- +- pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION" +- " -> sending response\n", rc); +- ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; ++ /* ++ * Don't override an error scsi status if it has already been set ++ */ ++ if (ec_cmd->scsi_status == SAM_STAT_GOOD) { ++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY" ++ " CHECK_CONDITION -> sending response\n", rc); ++ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; ++ } + target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION); + } + diff --git a/queue-4.8/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch b/queue-4.8/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch new file mode 100644 index 00000000000..7d4a02b5391 --- /dev/null +++ b/queue-4.8/target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch @@ -0,0 +1,145 @@ +From 449a137846c84829a328757cd21fd9ca65c08519 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sat, 8 Oct 2016 17:26:44 -0700 +Subject: target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE + +From: Nicholas Bellinger + +commit 449a137846c84829a328757cd21fd9ca65c08519 upstream. + +This patch addresses a bug where EXTENDED_COPY across multiple LUNs +results in a CHECK_CONDITION when the source + destination are not +located on the same physical node. + +ESX Host environments expect sense COPY_ABORTED w/ COPY TARGET DEVICE +NOT REACHABLE to be returned when this occurs, in order to signal +fallback to local copy method. + +As described in section 6.3.3 of spc4r22: + + "If it is not possible to complete processing of a segment because the + copy manager is unable to establish communications with a copy target + device, because the copy target device does not respond to INQUIRY, + or because the data returned in response to INQUIRY indicates + an unsupported logical unit, then the EXTENDED COPY command shall be + terminated with CHECK CONDITION status, with the sense key set to + COPY ABORTED, and the additional sense code set to COPY TARGET DEVICE + NOT REACHABLE." + +Tested on v4.1.y with ESX v5.5u2+ with BlockCopy across multiple nodes. + +Reported-by: Nixon Vincent +Tested-by: Nixon Vincent +Cc: Nixon Vincent +Tested-by: Dinesh Israni +Signed-off-by: Dinesh Israni +Cc: Dinesh Israni +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 7 +++++++ + drivers/target/target_core_xcopy.c | 22 ++++++++++++++++------ + include/target/target_core_base.h | 1 + + 3 files changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1706,6 +1706,7 @@ void transport_generic_request_failure(s + case TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED: + case TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED: + case TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED: ++ case TCM_COPY_TARGET_DEVICE_NOT_REACHABLE: + break; + case TCM_OUT_OF_RESOURCES: + sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; +@@ -2873,6 +2874,12 @@ static const struct sense_info sense_inf + .ascq = 0x03, /* LOGICAL BLOCK REFERENCE TAG CHECK FAILED */ + .add_sector_info = true, + }, ++ [TCM_COPY_TARGET_DEVICE_NOT_REACHABLE] = { ++ .key = COPY_ABORTED, ++ .asc = 0x0d, ++ .ascq = 0x02, /* COPY TARGET DEVICE NOT REACHABLE */ ++ ++ }, + [TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE] = { + /* + * Returning ILLEGAL REQUEST would cause immediate IO errors on +--- a/drivers/target/target_core_xcopy.c ++++ b/drivers/target/target_core_xcopy.c +@@ -104,7 +104,7 @@ static int target_xcopy_locate_se_dev_e4 + } + mutex_unlock(&g_device_mutex); + +- pr_err("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n"); ++ pr_debug_ratelimited("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n"); + return -EINVAL; + } + +@@ -185,7 +185,7 @@ static int target_xcopy_parse_tiddesc_e4 + + static int target_xcopy_parse_target_descriptors(struct se_cmd *se_cmd, + struct xcopy_op *xop, unsigned char *p, +- unsigned short tdll) ++ unsigned short tdll, sense_reason_t *sense_ret) + { + struct se_device *local_dev = se_cmd->se_dev; + unsigned char *desc = p; +@@ -193,6 +193,8 @@ static int target_xcopy_parse_target_des + unsigned short start = 0; + bool src = true; + ++ *sense_ret = TCM_INVALID_PARAMETER_LIST; ++ + if (offset != 0) { + pr_err("XCOPY target descriptor list length is not" + " multiple of %d\n", XCOPY_TARGET_DESC_LEN); +@@ -243,9 +245,16 @@ static int target_xcopy_parse_target_des + rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, true); + else + rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, false); +- +- if (rc < 0) ++ /* ++ * If a matching IEEE NAA 0x83 descriptor for the requested device ++ * is not located on this node, return COPY_ABORTED with ASQ/ASQC ++ * 0x0d/0x02 - COPY_TARGET_DEVICE_NOT_REACHABLE to request the ++ * initiator to fall back to normal copy method. ++ */ ++ if (rc < 0) { ++ *sense_ret = TCM_COPY_TARGET_DEVICE_NOT_REACHABLE; + goto out; ++ } + + pr_debug("XCOPY TGT desc: Source dev: %p NAA IEEE WWN: 0x%16phN\n", + xop->src_dev, &xop->src_tid_wwn[0]); +@@ -816,7 +825,8 @@ out: + xcopy_pt_undepend_remotedev(xop); + kfree(xop); + +- pr_warn("target_xcopy_do_work: Setting X-COPY CHECK_CONDITION -> sending response\n"); ++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION" ++ " -> sending response\n", rc); + ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION; + target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION); + } +@@ -875,7 +885,7 @@ sense_reason_t target_do_xcopy(struct se + " tdll: %hu sdll: %u inline_dl: %u\n", list_id, list_id_usage, + tdll, sdll, inline_dl); + +- rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll); ++ rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll, &ret); + if (rc <= 0) + goto out; + +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -177,6 +177,7 @@ enum tcm_sense_reason_table { + TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED = R(0x15), + TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED = R(0x16), + TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED = R(0x17), ++ TCM_COPY_TARGET_DEVICE_NOT_REACHABLE = R(0x18), + #undef R + }; + diff --git a/queue-4.8/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch b/queue-4.8/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch new file mode 100644 index 00000000000..f80d6e071ae --- /dev/null +++ b/queue-4.8/target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch @@ -0,0 +1,45 @@ +From 527268df31e57cf2b6d417198717c6d6afdb1e3e Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 4 Oct 2016 16:37:05 -0700 +Subject: target: Re-add missing SCF_ACK_KREF assignment in v4.1.y + +From: Nicholas Bellinger + +commit 527268df31e57cf2b6d417198717c6d6afdb1e3e upstream. + +This patch fixes a regression in >= v4.1.y code where the original +SCF_ACK_KREF assignment in target_get_sess_cmd() was dropped upstream +in commit 054922bb, but the series for addressing TMR ABORT_TASK + +LUN_RESET with fabric session reinstatement in commit febe562c20 still +depends on this code in transport_cmd_finish_abort(). + +The regression manifests itself as a se_cmd->cmd_kref +1 leak, where +ABORT_TASK + LUN_RESET can hang indefinately for a specific I_T session +for drivers using SCF_ACK_KREF, resulting in hung kthreads. + +This patch has been verified with v4.1.y code. + +Reported-by: Vaibhav Tandon +Tested-by: Vaibhav Tandon +Cc: Vaibhav Tandon +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2547,8 +2547,10 @@ int target_get_sess_cmd(struct se_cmd *s + * fabric acknowledgement that requires two target_put_sess_cmd() + * invocations before se_cmd descriptor release. + */ +- if (ack_kref) ++ if (ack_kref) { + kref_get(&se_cmd->cmd_kref); ++ se_cmd->se_cmd_flags |= SCF_ACK_KREF; ++ } + + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + if (se_sess->sess_tearing_down) { diff --git a/queue-4.8/target-tcm_fc-use-cpu-affinity-for-responses.patch b/queue-4.8/target-tcm_fc-use-cpu-affinity-for-responses.patch new file mode 100644 index 00000000000..23c397ccccb --- /dev/null +++ b/queue-4.8/target-tcm_fc-use-cpu-affinity-for-responses.patch @@ -0,0 +1,33 @@ +From 1ba0158fa66b5b2c597a748f87be1650c9960ccc Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Mon, 22 Aug 2016 10:54:11 +0200 +Subject: target/tcm_fc: use CPU affinity for responses + +From: Hannes Reinecke + +commit 1ba0158fa66b5b2c597a748f87be1650c9960ccc upstream. + +The libfc stack assigns exchange IDs based on the CPU the request +was received on, so we need to send the responses via the same CPU. +Otherwise the send logic gets confuses and responses will be delayed, +causing exchange timeouts on the initiator side. + +Signed-off-by: Hannes Reinecke +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/tcm_fc/tfc_cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/tcm_fc/tfc_cmd.c ++++ b/drivers/target/tcm_fc/tfc_cmd.c +@@ -572,7 +572,7 @@ static void ft_send_work(struct work_str + if (target_submit_cmd(&cmd->se_cmd, cmd->sess->se_sess, fcp->fc_cdb, + &cmd->ft_sense_buffer[0], scsilun_to_int(&fcp->fc_lun), + ntohl(fcp->fc_dl), task_attr, data_dir, +- TARGET_SCF_ACK_KREF)) ++ TARGET_SCF_ACK_KREF | TARGET_SCF_USE_CPUID)) + goto err; + + pr_debug("r_ctl %x alloc target_submit_cmd\n", fh->fh_r_ctl); diff --git a/queue-4.8/ubifs-abort-readdir-upon-error.patch b/queue-4.8/ubifs-abort-readdir-upon-error.patch new file mode 100644 index 00000000000..3159ea12b6e --- /dev/null +++ b/queue-4.8/ubifs-abort-readdir-upon-error.patch @@ -0,0 +1,59 @@ +From c83ed4c9dbb358b9e7707486e167e940d48bfeed Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Wed, 19 Oct 2016 12:43:07 +0200 +Subject: ubifs: Abort readdir upon error + +From: Richard Weinberger + +commit c83ed4c9dbb358b9e7707486e167e940d48bfeed upstream. + +If UBIFS is facing an error while walking a directory, it reports this +error and ubifs_readdir() returns the error code. But the VFS readdir +logic does not make the getdents system call fail in all cases. When the +readdir cursor indicates that more entries are present, the system call +will just return and the libc wrapper will try again since it also +knows that more entries are present. +This causes the libc wrapper to busy loop for ever when a directory is +corrupted on UBIFS. +A common approach do deal with corrupted directory entries is +skipping them by setting the cursor to the next entry. On UBIFS this +approach is not possible since we cannot compute the next directory +entry cursor position without reading the current entry. So all we can +do is setting the cursor to the "no more entries" position and make +getdents exit. + +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/dir.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -350,7 +350,7 @@ static unsigned int vfs_dent_type(uint8_ + */ + static int ubifs_readdir(struct file *file, struct dir_context *ctx) + { +- int err; ++ int err = 0; + struct qstr nm; + union ubifs_key key; + struct ubifs_dent_node *dent; +@@ -452,14 +452,12 @@ out: + kfree(file->private_data); + file->private_data = NULL; + +- if (err != -ENOENT) { ++ if (err != -ENOENT) + ubifs_err(c, "cannot find next direntry, error %d", err); +- return err; +- } + + /* 2 is a special value indicating that there are no more direntries */ + ctx->pos = 2; +- return 0; ++ return err; + } + + /* Free saved readdir() state when the directory is closed */ diff --git a/queue-4.8/ubifs-fix-xattr_names-length-in-exit-paths.patch b/queue-4.8/ubifs-fix-xattr_names-length-in-exit-paths.patch new file mode 100644 index 00000000000..ceebf954fe6 --- /dev/null +++ b/queue-4.8/ubifs-fix-xattr_names-length-in-exit-paths.patch @@ -0,0 +1,38 @@ +From 843741c5778398ea67055067f4cc65ae6c80ca0e Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 20 Sep 2016 10:08:30 +0200 +Subject: ubifs: Fix xattr_names length in exit paths + +From: Richard Weinberger + +commit 843741c5778398ea67055067f4cc65ae6c80ca0e upstream. + +When the operation fails we also have to undo the changes +we made to ->xattr_names. Otherwise listxattr() will report +wrong lengths. + +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ubifs/xattr.c ++++ b/fs/ubifs/xattr.c +@@ -172,6 +172,7 @@ out_cancel: + host_ui->xattr_cnt -= 1; + host_ui->xattr_size -= CALC_DENT_SIZE(nm->len); + host_ui->xattr_size -= CALC_XATTR_BYTES(size); ++ host_ui->xattr_names -= nm->len; + mutex_unlock(&host_ui->ui_mutex); + out_free: + make_bad_inode(inode); +@@ -476,6 +477,7 @@ out_cancel: + host_ui->xattr_cnt += 1; + host_ui->xattr_size += CALC_DENT_SIZE(nm->len); + host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len); ++ host_ui->xattr_names += nm->len; + mutex_unlock(&host_ui->ui_mutex); + ubifs_release_budget(c, &req); + make_bad_inode(inode);