From: Greg Kroah-Hartman Date: Fri, 10 Feb 2017 21:10:26 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.10~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53f769b4a76c06f7c4b7f74f8bdd028b28af6423;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch arm-dts-imx6dl-fix-gpio4-range.patch cpumask-use-nr_cpumask_bits-for-parsing-functions.patch drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch drm-i915-fix-use-after-free-in-page_flip_completed.patch hns-avoid-stack-overflow-with-config_kasan.patch ibmvscsis-add-sgl-limit.patch mac80211-fix-adding-of-mesh-vendor-ies.patch mm-slub.c-fix-random_seq-offset-destruction.patch net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch nl80211-fix-mesh-ht-operation-check.patch rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch target-fix-compare_and_write-ref-leak-for-non-good-status.patch target-fix-early-transport_generic_handle_tmr-abort-scenario.patch target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch target-use-correct-scsi-status-during-extended_copy-exception.patch
---
diff --git a/queue-4.9/arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch b/queue-4.9/arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch
new file mode 100644
index 00000000000..052acfe6f75
--- /dev/null
+++ b/queue-4.9/arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch
@@ -0,0 +1,56 @@
+From 97a98ae5b8acf08d07d972c087b2def060bc9b73 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin
+Date: Tue, 17 Jan 2017 21:10:11 +0100
+Subject: ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
+
+From: Alexander Sverdlin
+
+commit 97a98ae5b8acf08d07d972c087b2def060bc9b73 upstream.
+
+Asynchronous external abort is coded differently in DFSR with LPAE enabled.
+
+Fixes: 9254970c "ARM: 8447/1: catch pending imprecise abort on unmask".
+Signed-off-by: Alexander Sverdlin
+Cc: Russell King
+Cc: Andrew Morton
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/fault.c | 4 ++--
+ arch/arm/mm/fault.h | 4 ++++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -610,9 +610,9 @@ static int __init early_abort_handler(un
+
+ void __init early_abt_enable(void)
+ {
+- fsr_info[22].fn = early_abort_handler;
++ fsr_info[FSR_FS_AEA].fn = early_abort_handler;
+ local_abt_enable();
+- fsr_info[22].fn = do_bad;
++ fsr_info[FSR_FS_AEA].fn = do_bad;
+ }
+
+ #ifndef CONFIG_ARM_LPAE
+--- a/arch/arm/mm/fault.h
++++ b/arch/arm/mm/fault.h
+@@ -11,11 +11,15 @@
+ #define FSR_FS5_0 (0x3f)
+
+ #ifdef CONFIG_ARM_LPAE
++#define FSR_FS_AEA 17
++
+ static inline int fsr_fs(unsigned int fsr)
+ {
+ return fsr & FSR_FS5_0;
+ }
+ #else
++#define FSR_FS_AEA 22
++
+ static inline int fsr_fs(unsigned int fsr)
+ {
+ return (fsr & FSR_FS3_0) | (fsr & FSR_FS4) >> 6;
diff --git a/queue-4.9/arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644
index 00000000000..70d0cc2d596
--- /dev/null
+++ b/queue-4.9/arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch
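Review bot: The two `FSR_FS_AEA` definitions added to arch/arm/mm/fault.h in the arm-8642 patch carry no comment, so the 17-versus-22 difference between the LPAE and non-LPAE branches reads as a pair of magic numbers. A one-line comment above each, for example `/* fault status code of an asynchronous external abort */`, would record in the header what the commit message says about the DFSR encoding. early_abt_enable() in fault.c indexes fsr_info[] with this value to install and then remove the early handler, so anyone touching the table needs to know what the index stands for.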
@@ -0,0 +1,34 @@
+From 228dbbfb5d77f8e047b2a1d78da14b7158433027 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Wed, 18 Jan 2017 17:11:56 +0100
+Subject: ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin
+
+commit 228dbbfb5d77f8e047b2a1d78da14b7158433027 upstream.
+
+Ensure that if userspace supplies insufficient data to
+PTRACE_SETREGSET to fill all the registers, the thread's old
+registers are preserved.
+
+Fixes: 5be6f62b0059 ("ARM: 6883/1: ptrace: Migrate to regsets framework")
+Signed-off-by: Dave Martin
+Acked-by: Russell King
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ int ret;
+- struct pt_regs newregs;
++ struct pt_regs newregs = *task_pt_regs(target);
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+ &newregs,
diff --git a/queue-4.9/arm-dts-imx6dl-fix-gpio4-range.patch b/queue-4.9/arm-dts-imx6dl-fix-gpio4-range.patch
new file mode 100644
index 00000000000..f1a09ad1875
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6dl-fix-gpio4-range.patch
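Review bot: The new initializer `struct pt_regs newregs = *task_pt_regs(target);` in gpr_set() (arm-8643 patch, arch/arm/kernel/ptrace.c) has no comment, and without one it looks like a redundant copy that a later cleanup could drop. Before this change a PTRACE_SETREGSET write shorter than the register set left the tail of `newregs` holding whatever was on the kernel stack; the rest of gpr_set() lies outside the hunk, so where those bytes ended up is presumably the target's registers. I would add `/* start from the current registers so a short write leaves the rest unchanged */` above the declaration.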
@@ -0,0 +1,47 @@
+From 7f59b319111bbc3a5f32730c8a43b201e9522f52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+
+Date: Wed, 18 Jan 2017 11:09:51 +0100
+Subject: ARM: dts: imx6dl: fix GPIO4 range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sébastien Szymanski
+
+commit 7f59b319111bbc3a5f32730c8a43b201e9522f52 upstream.
+
+GPIO4_11 is on pin 152(MX6DL_PAD_KEY_ROW2) and not on pin
+151(MX6DL_PAD_KEY_ROW1).
+
+I found the error while booting a mainline kernel on APF6S SoM and
+noticed the following message:
+
+[ 2.609337] imx6dl-pinctrl 20e0000.iomuxc: pin MX6DL_PAD_KEY_ROW1
+already requested by 20a8000.gpio:105; cannot claim for 20a8000.gpio:107
+[ 2.621884] imx6dl-pinctrl 20e0000.iomuxc: pin-151 (20a8000.gpio:107)
+status -22
+[ 2.629303] spi_imx 2008000.ecspi: Can't get CS GPIO 107
+
+With this patch, the message is gone and spi_imx driver probes correctly.
+
+Fixes: bb728d662bed ("ARM: dts: add gpio-ranges property to iMX GPIO controllers")
+Signed-off-by: Sébastien Szymanski
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -137,7 +137,7 @@
+ &gpio4 {
+ gpio-ranges = <&iomuxc 5 136 1>, <&iomuxc 6 145 1>, <&iomuxc 7 150 1>,
+ <&iomuxc 8 146 1>, <&iomuxc 9 151 1>, <&iomuxc 10 147 1>,
+- <&iomuxc 11 151 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
++ <&iomuxc 11 152 1>, <&iomuxc 12 148 1>, <&iomuxc 13 153 1>,
+ <&iomuxc 14 149 1>, <&iomuxc 15 154 1>, <&iomuxc 16 39 7>,
+ <&iomuxc 23 56 1>, <&iomuxc 24 61 7>, <&iomuxc 31 46 1>;
+ };
diff --git a/queue-4.9/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch b/queue-4.9/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch
new file mode 100644
index 00000000000..3246d6a0910
--- /dev/null
+++ b/queue-4.9/cpumask-use-nr_cpumask_bits-for-parsing-functions.patch 
@@ -0,0 +1,84 @@
+From 4d59b6ccf000862beed6fc0765d3209f98a8d8a2 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 8 Feb 2017 14:30:56 -0800
+Subject: cpumask: use nr_cpumask_bits for parsing functions
+
+From: Tejun Heo
+
+commit 4d59b6ccf000862beed6fc0765d3209f98a8d8a2 upstream.
+
+Commit 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and
+parsing functions") converted both cpumask printing and parsing
+functions to use nr_cpu_ids instead of nr_cpumask_bits. While this was
+okay for the printing functions as it just picked one of the two output
+formats that we were alternating between depending on a kernel config,
+doing the same for parsing wasn't okay.
+
+nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS. We can always use
+nr_cpu_ids but that is a variable while NR_CPUS is a constant, so it can
+be more efficient to use NR_CPUS when we can get away with it.
+Converting the printing functions to nr_cpu_ids makes sense because it
+affects how the masks get presented to userspace and doesn't break
+anything; however, using nr_cpu_ids for parsing functions can
+incorrectly leave the higher bits uninitialized while reading in these
+masks from userland. As all testing and comparison functions use
+nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed cpumasks
+can erroneously yield false negative results.
+
+This made the taskstats interface incorrectly return -EINVAL even when
+the inputs were correct.
+
+Fix it by restoring the parse functions to use nr_cpumask_bits instead
+of nr_cpu_ids.
+
+Link: http://lkml.kernel.org/r/20170206182442.GB31078@htj.duckdns.org
+Fixes: 513e3d2d11c9 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
+Signed-off-by: Tejun Heo
+Reported-by: Martin Steigerwald
+Debugged-by: Ben Hutchings
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/cpumask.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/cpumask.h
++++ b/include/linux/cpumask.h
+@@ -560,7 +560,7 @@ static inline void cpumask_copy(struct c
+ static inline int cpumask_parse_user(const char __user *buf, int len,
+ struct cpumask *dstp)
+ {
+- return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parse_user(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
+@@ -575,7 +575,7 @@ static inline int cpumask_parselist_user
+ struct cpumask *dstp)
+ {
+ return bitmap_parselist_user(buf, len, cpumask_bits(dstp),
+- nr_cpu_ids);
++ nr_cpumask_bits);
+ }
+
+ /**
+@@ -590,7 +590,7 @@ static inline int cpumask_parse(const ch
+ char *nl = strchr(buf, '\n');
+ unsigned int len = nl ? (unsigned int)(nl - buf) : strlen(buf);
+
+- return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parse(buf, len, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
+@@ -602,7 +602,7 @@ static inline int cpumask_parse(const ch
+ */
+ static inline int cpulist_parse(const char *buf, struct cpumask *dstp)
+ {
+- return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpu_ids);
++ return bitmap_parselist(buf, cpumask_bits(dstp), nr_cpumask_bits);
+ }
+
+ /**
diff --git a/queue-4.9/drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch b/queue-4.9/drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch
new file mode 100644
index 00000000000..14c7fb96bea
--- /dev/null
+++ b/queue-4.9/drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch
@@ -0,0 +1,132 @@
+From 92c715fca907686f5298220ece53423e38ba3aed Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst
+Date: Tue, 31 Jan 2017 10:25:25 +0100
+Subject: drm/atomic: Fix double free in drm_atomic_state_default_clear
+
+From: Maarten Lankhorst
+
+commit 92c715fca907686f5298220ece53423e38ba3aed upstream.
+
+drm_atomic_helper_page_flip and drm_atomic_ioctl set their own events
+in crtc_state->event. But when it's set the event is freed in 2 places.
+
+Solve this by only freeing the event in the atomic ioctl when it
+allocated its own event.
+
+This has been broken twice. The first time when the code was introduced,
+but only in the corner case when an event is allocated, but more crtc's
+were included by atomic check and then failing. This can mostly
+happen when you do an atomic modeset in i915 and the display clock is
+changed, which forces all crtc's to be included to the state.
+
+This has been broken worse by adding in-fences support, which caused
+the double free to be done unconditionally.
+
+[IGT] kms_rotation_crc: starting subtest primary-rotation-180
+=============================================================================
+BUG kmalloc-128 (Tainted: G U ): Object already free
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper] age=0 cpu=3 pid=1529
+ ___slab_alloc+0x308/0x3b0
+ __slab_alloc+0xd/0x20
+ kmem_cache_alloc_trace+0x92/0x1c0
+ drm_atomic_helper_setup_commit+0x285/0x2f0 [drm_kms_helper]
+ intel_atomic_commit+0x35/0x4f0 [i915]
+ drm_atomic_commit+0x46/0x50 [drm]
+ drm_mode_atomic_ioctl+0x7d4/0xab0 [drm]
+ drm_ioctl+0x2b3/0x490 [drm]
+ do_vfs_ioctl+0x69c/0x700
+ SyS_ioctl+0x4e/0x80
+ entry_SYSCALL_64_fastpath+0x13/0x94
+INFO: Freed in drm_event_cancel_free+0xa3/0xb0 [drm] age=0 cpu=3 pid=1529
+ __slab_free+0x48/0x2e0
+ kfree+0x159/0x1a0
+ drm_event_cancel_free+0xa3/0xb0 [drm]
+ drm_mode_atomic_ioctl+0x86d/0xab0 [drm]
+ drm_ioctl+0x2b3/0x490 [drm]
+ do_vfs_ioctl+0x69c/0x700
+ SyS_ioctl+0x4e/0x80
+ entry_SYSCALL_64_fastpath+0x13/0x94
+INFO: Slab 0xffffde1f0997b080 objects=17 used=2 fp=0xffff92fb65ec2578 flags=0x200000000008101
+INFO: Object 0xffff92fb65ec2578 @offset=1400 fp=0xffff92fb65ec2ae8
+
+Redzone ffff92fb65ec2570: bb bb bb bb bb bb bb bb ........
+Object ffff92fb65ec2578: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec2588: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec2598: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff92fb65ec25e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
+Redzone ffff92fb65ec25f8: bb bb bb bb bb bb bb bb ........
+Padding ffff92fb65ec2738: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+CPU: 3 PID: 180 Comm: kworker/3:2 Tainted: G BU 4.10.0-rc6-patser+ #5039
+Hardware name: /NUC5PPYB, BIOS PYBSWCEL.86A.0031.2015.0601.1712 06/01/2015
+Workqueue: events intel_atomic_helper_free_state [i915]
+Call Trace:
+ dump_stack+0x4d/0x6d
+ print_trailer+0x20c/0x220
+ free_debug_processing+0x1c6/0x330
+ ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ __slab_free+0x48/0x2e0
+ ? drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ kfree+0x159/0x1a0
+ drm_atomic_state_default_clear+0xf7/0x1c0 [drm]
+ ? drm_atomic_state_clear+0x30/0x30 [drm]
+ intel_atomic_state_clear+0xd/0x20 [i915]
+ drm_atomic_state_clear+0x1a/0x30 [drm]
+ __drm_atomic_state_free+0x13/0x60 [drm]
+ intel_atomic_helper_free_state+0x5d/0x70 [i915]
+ process_one_work+0x260/0x4a0
+ worker_thread+0x2d1/0x4f0
+ kthread+0x127/0x130
+ ? process_one_work+0x4a0/0x4a0
+ ? kthread_stop+0x120/0x120
+ ret_from_fork+0x29/0x40
+FIX kmalloc-128: Object at 0xffff92fb65ec2578 not freed
+
+Fixes: 3b24f7d67581 ("drm/atomic: Add struct drm_crtc_commit to track async updates")
+Fixes: 9626014258a5 ("drm/fence: add in-fences support")
+Cc: Daniel Vetter
+Signed-off-by: Maarten Lankhorst
+Reviewed-by: Daniel Vetter
+Reviewed-by: Gustavo Padovan
+Signed-off-by: Daniel Vetter
+Link: http://patchwork.freedesktop.org/patch/msgid/1485854725-27640-1-git-send-email-maarten.lankhorst@linux.intel.com
+CC: koos vriezen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_atomic.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -1759,16 +1759,16 @@ out:
+
+ if (ret && arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
+ /*
+- * TEST_ONLY and PAGE_FLIP_EVENT are mutually exclusive,
+- * if they weren't, this code should be called on success
+- * for TEST_ONLY too.
++ * Free the allocated event. drm_atomic_helper_setup_commit
++ * can allocate an event too, so only free it if it's ours
++ * to prevent a double free in drm_atomic_state_clear.
+ */
+-
+ for_each_crtc_in_state(state, crtc, crtc_state, i) {
+- if (!crtc_state->event)
+- continue;
+-
+- drm_event_cancel_free(dev, &crtc_state->event->base);
++ struct drm_pending_vblank_event *event = crtc_state->event;
++ if (event && (event->base.fence || event->base.file_priv)) {
++ drm_event_cancel_free(dev, &event->base);
++ crtc_state->event = NULL;
++ }
+ }
+ }
+
diff --git a/queue-4.9/drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch b/queue-4.9/drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch
new file mode 100644
index 00000000000..0091a8ab201
--- /dev/null
+++ b/queue-4.9/drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch
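Review bot: In the rewritten loop of the drm-atomic patch (drivers/gpu/drm/drm_atomic.c) the declaration `struct drm_pending_vblank_event *event = crtc_state->event;` runs straight into the `if`, where kernel style expects a blank line after declarations. More importantly, the test `event->base.fence || event->base.file_priv` is the only thing deciding that an event is "ours", and the new comment does not say so; it appears to rely on events from drm_atomic_helper_setup_commit having neither field set, which is not visible here. I would extend the comment with a line such as `* Events allocated by the ioctl carry a fence or a file_priv.` so the ownership rule that prevents the double free is written down next to the check. The enclosing function starts and ends outside the hunk.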
@@ -0,0 +1,62 @@
+From 6e7eb1783be7f19eb071c96ddda0bbf22279ff46 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Winiarski?=
+Date: Tue, 7 Feb 2017 20:55:59 +0100
+Subject: drm/i915: Always convert incoming exec offsets to non-canonical
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Winiarski
+
+commit 6e7eb1783be7f19eb071c96ddda0bbf22279ff46 upstream.
+
+We're using non-canonical addresses in drm_mm, and we're making sure that
+userspace is using canonical addressing - both in case of softpin
+(verifying incoming offset) and when relocating (converting to canonical
+when updating offset returned to userspace).
+Unfortunately when considering the need for relocations, we're comparing
+offset from userspace (in canonical form) with drm_mm node (in
+non-canonical form), and as a result, we end up always relocating if our
+offsets are in the "problematic" range.
+Let's always convert the offsets to avoid the performance impact of
+relocations.
+
+Fixes: a5f0edf63bdf ("drm/i915: Avoid writing relocs with addresses in non-canonical form")
+Cc: Chris Wilson
+Cc: Michel Thierry
+Reported-by: Michał Pyrzowski
+Signed-off-by: Michał Winiarski
+Link: http://patchwork.freedesktop.org/patch/msgid/20170207195559.18798-1-michal.winiarski@intel.com
+Reviewed-by: Chris Wilson
+Signed-off-by: Chris Wilson
+(cherry picked from commit 038c95a313e4ca954ee5ab8a0c7559a646b0f462)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -1215,14 +1215,14 @@ validate_exec_list(struct drm_device *de
+ if (exec[i].offset !=
+ gen8_canonical_addr(exec[i].offset & PAGE_MASK))
+ return -EINVAL;
+-
+- /* From drm_mm perspective address space is continuous,
+- * so from this point we're always using non-canonical
+- * form internally.
+- */
+- exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
+ }
+
++ /* From drm_mm perspective address space is continuous,
++ * so from this point we're always using non-canonical
++ * form internally.
++ */
++ exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
++
+ if (exec[i].alignment && !is_power_of_2(exec[i].alignment))
+ return -EINVAL;
+
diff --git a/queue-4.9/drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch b/queue-4.9/drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch
new file mode 100644
index 00000000000..d11d7c9b2fd
--- /dev/null
+++ b/queue-4.9/drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch
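Review bot: The comment moved out of the validating branch in validate_exec_list() (drm-i915 exec-offsets patch) was carried over word for word and does not say that offsets which skipped the canonical-form check are now converted as well. exec[i].offset is supplied by userspace, so the comment should state that the conversion is unconditional and why, for example `* Convert every incoming offset, checked or not, so comparisons with drm_mm nodes use one form.` Whether gen8_noncanonical_addr() is well defined for an arbitrary 64-bit value depends on its definition, which is outside the hunk and worth confirming. The condition of the enclosing `if` is also outside the hunk.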
@@ -0,0 +1,45 @@
+From 789ea12500e5ce3911d0a6a822277c3133451927 Mon Sep 17 00:00:00 2001
+From: "Lee, Shawn C"
+Date: Fri, 3 Feb 2017 12:32:09 +0800
+Subject: drm/i915/bxt: Add MST support when do DPLL calculation
+
+From: Lee, Shawn C
+
+commit 789ea12500e5ce3911d0a6a822277c3133451927 upstream.
+
+Add the missing INTEL_OUTPUT_DP_MST case in bxt_get_dpll()
+to correctly initialize the crtc_state and port plls when
+link training a DP MST monitor on BXT/APL devices.
+
+Fixes: a277ca7dc01d ("drm/i915: Split bxt_ddi_pll_select()")
+Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=99572
+Reviewed-by: Cooper Chiou
+Reviewed-by: Gary C Wang
+Reviewed-by: Ciobanu, Nathan D
+Reviewed-by: Herbert, Marc
+Reviewed-by: Bride, Jim
+Reviewed-by: Navare, Manasi D
+Cc: Jani Nikula
+Signed-off-by: Lee, Shawn C
+Signed-off-by: Jani Nikula
+Link: http://patchwork.freedesktop.org/patch/msgid/1486096329-6255-1-git-send-email-shawn.c.lee@intel.com
+(cherry picked from commit 0aab2c721d81590012a5021a516f00666646741f)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_dpll_mgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dpll_mgr.c
++++ b/drivers/gpu/drm/i915/intel_dpll_mgr.c
+@@ -1723,7 +1723,8 @@ bxt_get_dpll(struct intel_crtc *crtc,
+ return NULL;
+
+ if ((encoder->type == INTEL_OUTPUT_DP ||
+- encoder->type == INTEL_OUTPUT_EDP) &&
++ encoder->type == INTEL_OUTPUT_EDP ||
++ encoder->type == INTEL_OUTPUT_DP_MST) &&
+ !bxt_ddi_dp_set_dpll_hw_state(clock, &dpll_hw_state))
+ return NULL;
+
diff --git a/queue-4.9/drm-i915-fix-use-after-free-in-page_flip_completed.patch b/queue-4.9/drm-i915-fix-use-after-free-in-page_flip_completed.patch
new file mode 100644
index 00000000000..5cef278e80b
--- /dev/null
+++ b/queue-4.9/drm-i915-fix-use-after-free-in-page_flip_completed.patch
@@ -0,0 +1,66 @@
+From 5351fbb1bf1413f6024892093528280769ca852f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Thu, 26 Jan 2017 17:32:11 +0300
+Subject: drm/i915: fix use-after-free in page_flip_completed()
+
+From: Andrey Ryabinin
+
+commit 5351fbb1bf1413f6024892093528280769ca852f upstream.
+
+page_flip_completed() dereferences 'work' variable after executing
+queue_work(). This is not safe as the 'work' item might be already freed
+by queued work:
+
+ BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
+ Call Trace:
+ __asan_report_load8_noabort+0x59/0x80
+ page_flip_completed+0x3ff/0x490
+ intel_finish_page_flip_mmio+0xe3/0x130
+ intel_pipe_handle_vblank+0x2d/0x40
+ gen8_irq_handler+0x4a7/0xed0
+ __handle_irq_event_percpu+0xf6/0x860
+ handle_irq_event_percpu+0x6b/0x160
+ handle_irq_event+0xc7/0x1b0
+ handle_edge_irq+0x1f4/0xa50
+ handle_irq+0x41/0x70
+ do_IRQ+0x9a/0x200
+ common_interrupt+0x89/0x89
+
+ Freed:
+ kfree+0x113/0x4d0
+ intel_unpin_work_fn+0x29a/0x3b0
+ process_one_work+0x79e/0x1b70
+ worker_thread+0x611/0x1460
+ kthread+0x241/0x3a0
+ ret_from_fork+0x27/0x40
+
+Move queue_work() after trace_i915_flip_complete() to fix this.
+
+Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions")
+Signed-off-by: Andrey Ryabinin
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
+(cherry picked from commit 05c41f926fcc7ef838c80a6a99d84f67b4e0b824)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -4280,10 +4280,10 @@ static void page_flip_completed(struct i
+ drm_crtc_vblank_put(&intel_crtc->base);
+
+ wake_up_all(&dev_priv->pending_flip_queue);
+- queue_work(dev_priv->wq, &work->unpin_work);
+-
+ trace_i915_flip_complete(intel_crtc->plane,
+ work->pending_flip_obj);
++
++ queue_work(dev_priv->wq, &work->unpin_work);
+ }
+
+ static int intel_crtc_wait_for_pending_flips(struct drm_crtc *crtc)
diff --git a/queue-4.9/hns-avoid-stack-overflow-with-config_kasan.patch b/queue-4.9/hns-avoid-stack-overflow-with-config_kasan.patch
new file mode 100644
index 00000000000..6552c000ce6
--- /dev/null
+++ b/queue-4.9/hns-avoid-stack-overflow-with-config_kasan.patch
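Review bot: Nothing in page_flip_completed() (drm-i915 page-flip patch, intel_display.c) records that `work` must not be touched once queue_work() has run, so the ordering restored here can be undone by the next edit that appends a statement after it. I would put `/* work may be freed by the unpin worker as soon as it is queued; keep this last */` above the moved `queue_work(dev_priv->wq, &work->unpin_work);`. The KASAN report in the commit message shows the free coming from intel_unpin_work_fn, which is the reason the comment should name the worker. The function begins outside the hunk.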
@@ -0,0 +1,82 @@
+From b3f2d07f4649adcf6905953a10d217b5683e4077 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 3 Feb 2017 17:35:46 +0100
+Subject: hns: avoid stack overflow with CONFIG_KASAN
+
+From: Arnd Bergmann
+
+commit b3f2d07f4649adcf6905953a10d217b5683e4077 upstream.
+
+The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
+an indexed load for the register address, but it has an absolutely detrimental
+effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
+kernel stack overflow aside from very complex object code:
+
+hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
+hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
+hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
+hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
+hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
+hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
+hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
+hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
+hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
+hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
+hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
+seems safe anyway and it avoids a serious issue for some people. I have verified
+that with gcc-5.3.1, the object code we get is better in the new version
+both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
+stack frame for hns_dsaf_get_regs() but otherwise have practically identical
+object code.
+
+With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
+good either way.
+
+This patch is probably not urgent to get into 4.11 as only KASAN=y builds
+with certain compilers are affected, but I still think it makes sense to
+backport into older kernels.
+
+Fixes: 511e6bc ("net: add Hisilicon Network Subsystem DSAF support")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h
+@@ -1007,9 +1007,7 @@
+
+ static inline void dsaf_write_reg(void __iomem *base, u32 reg, u32 value)
+ {
+- u8 __iomem *reg_addr = ACCESS_ONCE(base);
+-
+- writel(value, reg_addr + reg);
++ writel(value, base + reg);
+ }
+
+ #define dsaf_write_dev(a, reg, value) \
+@@ -1017,9 +1015,7 @@ static inline void dsaf_write_reg(void _
+
+ static inline u32 dsaf_read_reg(u8 __iomem *base, u32 reg)
+ {
+- u8 __iomem *reg_addr = ACCESS_ONCE(base);
+-
+- return readl(reg_addr + reg);
++ return readl(base + reg);
+ }
+
+ static inline void dsaf_write_syscon(struct regmap *base, u32 reg, u32 value)
diff --git a/queue-4.9/ibmvscsis-add-sgl-limit.patch b/queue-4.9/ibmvscsis-add-sgl-limit.patch
new file mode 100644
index 00000000000..47d24b1b0ba
--- /dev/null
+++ b/queue-4.9/ibmvscsis-add-sgl-limit.patch
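Review bot: With the local `u8 __iomem *reg_addr` gone, dsaf_write_reg() in hns_dsaf_reg.h now computes `base + reg` on a `void __iomem *`, while dsaf_read_reg() does the same sum on a `u8 __iomem *`. Arithmetic on a void pointer is a GNU C extension; it yields the same byte offset, but the two accessors no longer type the offset the same way and the write side silently depends on the extension. Writing `writel(value, (u8 __iomem *)base + reg);` keeps the register offset explicitly byte-based without changing the function's signature.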
@@ -0,0 +1,31 @@
+From b22bc27868e8c11fe3f00937a341b44f80b50364 Mon Sep 17 00:00:00 2001
+From: "Bryant G. Ly"
+Date: Mon, 6 Feb 2017 10:04:28 -0600
+Subject: ibmvscsis: Add SGL limit
+
+From: Bryant G. Ly
+
+commit b22bc27868e8c11fe3f00937a341b44f80b50364 upstream.
+
+This patch adds internal LIO sgl limit since the driver already
+sets a max transfer limit on transport layer of 1MB to the client.
+
+Tested-by: Steven Royer
+Signed-off-by: Bryant G. Ly
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c
+@@ -3929,6 +3929,7 @@ static struct configfs_attribute *ibmvsc
+ static const struct target_core_fabric_ops ibmvscsis_ops = {
+ .module = THIS_MODULE,
+ .name = "ibmvscsis",
++ .max_data_sg_nents = MAX_TXU / PAGE_SIZE,
+ .get_fabric_name = ibmvscsis_get_fabric_name,
+ .tpg_get_wwn = ibmvscsis_get_fabric_wwn,
+ .tpg_get_tag = ibmvscsis_get_tag,
diff --git a/queue-4.9/mac80211-fix-adding-of-mesh-vendor-ies.patch b/queue-4.9/mac80211-fix-adding-of-mesh-vendor-ies.patch
new file mode 100644
index 00000000000..69fce957956
--- /dev/null
+++ b/queue-4.9/mac80211-fix-adding-of-mesh-vendor-ies.patch
@@ -0,0 +1,39 @@
+From da7061c82e4a1bc6a5e134ef362c86261906c860 Mon Sep 17 00:00:00 2001
+From: Thorsten Horstmann
+Date: Fri, 3 Feb 2017 14:38:29 +0100
+Subject: mac80211: Fix adding of mesh vendor IEs
+
+From: Thorsten Horstmann
+
+commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.
+
+The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
+it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
+return value in mesh_add_vendor_ies must therefore be checked against
+ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
+WLAN_EID_VENDOR_SPECIFIC will be rejected.
+
+Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
+Signed-off-by: Thorsten Horstmann
+Signed-off-by: Mathias Kretschmer
+Signed-off-by: Simon Wunderlich
+[sven@narfation.org: Add commit message]
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mesh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -339,7 +339,7 @@ int mesh_add_vendor_ies(struct ieee80211
+ /* fast-forward to vendor IEs */
+ offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);
+
+- if (offset) {
++ if (offset < ifmsh->ie_len) {
+ len = ifmsh->ie_len - offset;
+ data = ifmsh->ie + offset;
+ if (skb_tailroom(skb) < len)
diff --git a/queue-4.9/mm-slub.c-fix-random_seq-offset-destruction.patch b/queue-4.9/mm-slub.c-fix-random_seq-offset-destruction.patch
new file mode 100644
index 00000000000..4438d94f843
--- /dev/null
+++ b/queue-4.9/mm-slub.c-fix-random_seq-offset-destruction.patch
@@ -0,0 +1,51 @@
+From a810007afe239d59c1115fcaa06eb5b480f876e9 Mon Sep 17 00:00:00 2001
+From: Sean Rees
+Date: Wed, 8 Feb 2017 14:30:59 -0800
+Subject: mm/slub.c: fix random_seq offset destruction
+
+From: Sean Rees
+
+commit a810007afe239d59c1115fcaa06eb5b480f876e9 upstream.
+
+Commit 210e7a43fa90 ("mm: SLUB freelist randomization") broke USB hub
+initialisation as described in
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=177551.
+
+Bail out early from init_cache_random_seq if s->random_seq is already
+initialised. This prevents destroying the previously computed
+random_seq offsets later in the function.
+
+If the offsets are destroyed, then shuffle_freelist will truncate
+page->freelist to just the first object (orphaning the rest).
+
+Fixes: 210e7a43fa90 ("mm: SLUB freelist randomization")
+Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.org
+Signed-off-by: Sean Rees
+Reported-by:
+Cc: Christoph Lameter
+Cc: Pekka Enberg
+Cc: David Rientjes
+Cc: Joonsoo Kim
+Cc: Thomas Garnier
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1419,6 +1419,10 @@ static int init_cache_random_seq(struct
+ int err;
+ unsigned long i, count = oo_objects(s->oo);
+
++ /* Bailout if already initialised */
++ if (s->random_seq)
++ return 0;
++
+ err = cache_random_seq_create(s, count, GFP_KERNEL);
+ if (err) {
+ pr_err("SLUB: Unable to initialize free list for %s\n",
diff --git a/queue-4.9/net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch b/queue-4.9/net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch
new file mode 100644
index 00000000000..27367e5d2ec
--- /dev/null
+++ b/queue-4.9/net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch
@@ -0,0 +1,68 @@ +From 1d3398facd08a7fd4202f269317a95668eb880b9 Mon Sep 17 00:00:00 2001 +From: Gal Pressman +Date: Wed, 11 Jan 2017 14:32:26 +0200 +Subject: net/mlx5e: Modify TIRs hash only when it's needed + +From: Gal Pressman + +commit 1d3398facd08a7fd4202f269317a95668eb880b9 upstream. + +We don't need to modify our TIRs unless the user requested a change in +the hash function/key, for example when changing indirection only. + +Tested: + # Modify TIRs hash is needed +ethtool -X ethX hkey +ethtool -X ethX hfunc + + # Modify TIRs hash is not needed +ethtool -X ethX equal + +All cases are verified with TCP Multi-Stream traffic over IPv4 & IPv6. + +Fixes: bdfc028de1b3 ("net/mlx5e: Fix ethtool RX hash func configuration change") +Signed-off-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -991,6 +991,7 @@ static int mlx5e_set_rxfh(struct net_dev + { + struct mlx5e_priv *priv = netdev_priv(dev); + int inlen = MLX5_ST_SZ_BYTES(modify_tir_in); ++ bool hash_changed = false; + void *in; + + if ((hfunc != ETH_RSS_HASH_NO_CHANGE) && +@@ -1012,14 +1013,21 @@ static int mlx5e_set_rxfh(struct net_dev + mlx5e_redirect_rqt(priv, rqtn, MLX5E_INDIR_RQT_SIZE, 0); + } + +- if (key) ++ if (hfunc != ETH_RSS_HASH_NO_CHANGE && ++ hfunc != priv->params.rss_hfunc) { ++ priv->params.rss_hfunc = hfunc; ++ hash_changed = true; ++ } ++ ++ if (key) { + memcpy(priv->params.toeplitz_hash_key, key, + sizeof(priv->params.toeplitz_hash_key)); ++ hash_changed = hash_changed || ++ priv->params.rss_hfunc == ETH_RSS_HASH_TOP; ++ } + +- if (hfunc != ETH_RSS_HASH_NO_CHANGE) +- priv->params.rss_hfunc = hfunc; +- +- mlx5e_modify_tirs_hash(priv, in, inlen); ++ if (hash_changed) ++ mlx5e_modify_tirs_hash(priv, in, 
inlen); + + mutex_unlock(&priv->state_lock); + diff --git a/queue-4.9/nl80211-fix-mesh-ht-operation-check.patch b/queue-4.9/nl80211-fix-mesh-ht-operation-check.patch new file mode 100644 index 00000000000..64878800205 --- /dev/null +++ b/queue-4.9/nl80211-fix-mesh-ht-operation-check.patch @@ -0,0 +1,35 @@ +From fd551bac4795854adaa87bad7e5136083719802b Mon Sep 17 00:00:00 2001 +From: Masashi Honma +Date: Thu, 26 Jan 2017 08:56:13 +0900 +Subject: nl80211: Fix mesh HT operation check + +From: Masashi Honma + +commit fd551bac4795854adaa87bad7e5136083719802b upstream. + +A previous change to fix checks for NL80211_MESHCONF_HT_OPMODE +missed setting the flag when replacing FILL_IN_MESH_PARAM_IF_SET +with checking codes. This results in dropping the received HT +operation value when called by nl80211_update_mesh_config(). Fix +this by setting the flag properly. + +Fixes: 9757235f451c ("nl80211: correct checks for NL80211_MESHCONF_HT_OPMODE value") +Signed-off-by: Masashi Honma +[rewrite commit message to use Fixes: line] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5874,6 +5874,7 @@ do { \ + break; + } + cfg->ht_opmode = ht_opmode; ++ mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1)); + } + FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout, + 1, 65535, mask, diff --git a/queue-4.9/rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch b/queue-4.9/rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch new file mode 100644 index 00000000000..45ac1eaf094 --- /dev/null +++ b/queue-4.9/rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch 
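Review bot: In mlx5e_set_rxfh a supplied key is always copied into `priv->params.toeplitz_hash_key`, but `hash_changed` is raised for it only when `priv->params.rss_hfunc == ETH_RSS_HASH_TOP`, and nothing in the code explains that asymmetry. A comment such as `/* the key is stored unconditionally but only reaches the TIRs while Toeplitz is the active function */` would make the intent clear. Note also that `in` and `inlen` are now consumed only under `if (hash_changed)`; the allocation of `in` is outside the hunk, so if it is unconditional it is wasted on indirection-only requests and could move under the same condition.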
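Review bot: The added `mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));` shifts a signed `int`, which is undefined once an attribute index reaches bit 31 and is easy to copy to a place where it does. Prefer `mask |= BIT(NL80211_MESHCONF_HT_OPMODE - 1);`, or at least `1U <<`. The FILL_IN_MESH_PARAM_IF_SET macro this line stands in for is defined outside the hunk; if it builds the bit the same way, both should change together so the open-coded branch cannot drift from the macro again.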
@@ -0,0 +1,56 @@ +From 52f5631a4c056ad01682393be56d2be237e81610 Mon Sep 17 00:00:00 2001 +From: Jurij Smakov +Date: Mon, 30 Jan 2017 15:41:36 -0600 +Subject: rtlwifi: rtl8192ce: Fix loading of incorrect firmware + +From: Jurij Smakov + +commit 52f5631a4c056ad01682393be56d2be237e81610 upstream. + +In commit cf4747d7535a ("rtlwifi: Fix regression caused by commit +d86e64768859, an error in the edit results in the wrong firmware +being loaded for some models of the RTL8188/8192CE. In this condition, +the connection suffered from high ping latency, slow transfer rates, + and required higher signal strengths to work at all + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853073, +https://bugzilla.opensuse.org/show_bug.cgi?id=1017471, and +https://github.com/lwfinger/rtlwifi_new/issues/203 for descriptions +of the problems. This patch fixes all of those problems. + +Fixes: cf4747d7535a ("rtlwifi: Fix regression caused by commit d86e64768859") +Signed-off-by: Jurij Smakov +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/sw.c +@@ -96,7 +96,7 @@ int rtl92c_init_sw_vars(struct ieee80211 + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); +- char *fw_name = "rtlwifi/rtl8192cfwU.bin"; ++ char *fw_name; + + rtl8192ce_bt_reg_init(hw); + +@@ -168,8 +168,13 @@ int rtl92c_init_sw_vars(struct ieee80211 + } + + /* request fw */ +- if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version)) ++ if (IS_VENDOR_UMC_A_CUT(rtlhal->version) && ++ !IS_92C_SERIAL(rtlhal->version)) ++ fw_name = "rtlwifi/rtl8192cfwU.bin"; ++ else if (IS_81XXC_VENDOR_UMC_B_CUT(rtlhal->version)) + fw_name = "rtlwifi/rtl8192cfwU_B.bin"; ++ else ++ 
fw_name = "rtlwifi/rtl8192cfw.bin"; + + rtlpriv->max_fw_size = 0x4000; + pr_info("Using firmware %s\n", fw_name); diff --git a/queue-4.9/series b/queue-4.9/series index 44da863a192..4ae1383a1d3 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -13,3 +13,23 @@ arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch selinux-fix-off-by-one-in-setprocattr.patch revert-x86-ioapic-restore-io-apic-irq_chip-retrigger-callback.patch +rtlwifi-rtl8192ce-fix-loading-of-incorrect-firmware.patch +cpumask-use-nr_cpumask_bits-for-parsing-functions.patch +mm-slub.c-fix-random_seq-offset-destruction.patch +ibmvscsis-add-sgl-limit.patch +hns-avoid-stack-overflow-with-config_kasan.patch +arm-8643-3-arm-ptrace-preserve-previous-registers-for-short-regset-write.patch +drm-i915-fix-use-after-free-in-page_flip_completed.patch +drm-i915-bxt-add-mst-support-when-do-dpll-calculation.patch +drm-atomic-fix-double-free-in-drm_atomic_state_default_clear.patch +target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch +target-use-correct-scsi-status-during-extended_copy-exception.patch +target-fix-early-transport_generic_handle_tmr-abort-scenario.patch +target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch +target-fix-compare_and_write-ref-leak-for-non-good-status.patch +arm-dts-imx6dl-fix-gpio4-range.patch +arm-8642-1-lpae-catch-pending-imprecise-abort-on-unmask.patch +drm-i915-always-convert-incoming-exec-offsets-to-non-canonical.patch +nl80211-fix-mesh-ht-operation-check.patch +mac80211-fix-adding-of-mesh-vendor-ies.patch +net-mlx5e-modify-tirs-hash-only-when-it-s-needed.patch diff --git a/queue-4.9/target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch b/queue-4.9/target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch new file mode 100644 index 00000000000..cc0aa206919 --- /dev/null 
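Review bot: `char *fw_name;` in rtl92c_init_sw_vars now only ever points at string literals, so it should be declared `const char *fw_name;`, assuming the later users outside the hunk accept a const pointer. The three-way selection is also undocumented: a short comment under `/* request fw */` naming which chip cuts get `rtl8192cfwU.bin`, `rtl8192cfwU_B.bin` and the default `rtl8192cfw.bin` would help, since the regression being fixed came from this mapping being edited wrongly. Both hunks show only part of the function.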
+++ b/queue-4.9/target-don-t-bug_on-during-nodeacl-dynamic-explicit-conversion.patch
@@ -0,0 +1,51 @@
+From 391e2a6de9781e4906dd7e0b1cc097050bf43e11 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Sun, 23 Oct 2016 14:28:15 -0700
+Subject: target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
+
+From: Nicholas Bellinger
+
+commit 391e2a6de9781e4906dd7e0b1cc097050bf43e11 upstream.
+
+After the v4.2+ RCU conversion to se_node_acl->lun_entry_hlist,
+a BUG_ON() was added in core_enable_device_list_for_node() to
+detect when the located orig->se_lun_acl contains an existing
+se_lun_acl pointer reference.
+
+However, this scenario can happen when a dynamically generated
+NodeACL is being converted to an explicit NodeACL, when the
+explicit NodeACL contains a different LUN mapping than the
+default provided by the WWN endpoint.
+
+So instead of triggering BUG_ON(), go ahead and fail instead
+following the original pre RCU conversion logic.
+
+Reported-by: Benjamin ESTRABAUD
+Cc: Benjamin ESTRABAUD
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_device.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -351,7 +351,15 @@ int core_enable_device_list_for_node(
+ kfree(new);
+ return -EINVAL;
+ }
+- BUG_ON(orig->se_lun_acl != NULL);
++ if (orig->se_lun_acl != NULL) {
++ pr_warn_ratelimited("Detected existing explicit"
++ " se_lun_acl->se_lun_group reference for %s"
++ " mapped_lun: %llu, failing\n",
++ nacl->initiatorname, mapped_lun);
++ mutex_unlock(&nacl->lun_entry_mutex);
++ kfree(new);
++ return -EINVAL;
++ }
+
+ rcu_assign_pointer(new->se_lun, lun);
+ rcu_assign_pointer(new->se_lun_acl, lun_acl);
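Review bot: The new `if (orig->se_lun_acl != NULL)` branch in core_enable_device_list_for_node ends with the same `kfree(new); return -EINVAL;` as the error branch directly above it, and adds its own `mutex_unlock(&nacl->lun_entry_mutex);`. A shared exit label (`goto out_unlock;`) would keep the two failure paths from diverging when the locking changes; the label would sit at the end of the function, which is outside the hunk. The message is also split across three literals, which makes it hard to grep for, and kernel style prefers one unbroken string. `nacl->initiatorname` is written to the log as is, so the rate limit on this warning is worth keeping.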
diff --git a/queue-4.9/target-fix-compare_and_write-ref-leak-for-non-good-status.patch b/queue-4.9/target-fix-compare_and_write-ref-leak-for-non-good-status.patch
new file mode 100644
index 00000000000..41411c6292f
--- /dev/null
+++ b/queue-4.9/target-fix-compare_and_write-ref-leak-for-non-good-status.patch
@@ -0,0 +1,73 @@
+From 9b2792c3da1e80f2d460167d319302a24c9ca2b7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Mon, 6 Feb 2017 14:28:09 -0800
+Subject: target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
+
+From: Nicholas Bellinger
+
+commit 9b2792c3da1e80f2d460167d319302a24c9ca2b7 upstream.
+
+This patch addresses a long standing bug where the commit phase
+of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference
+leak if se_cmd->scsi_status returned non SAM_STAT_GOOD.
+
+This would manifest first as a lost SCSI response, and eventual
+hung task during fabric driver logout or re-login, as existing
+shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref
+to reach zero.
+
+To address this bug, compare_and_write_post() has been changed
+to drop the incorrect !cmd->scsi_status conditional that was
+preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
+status.
+
+This patch has been tested with SAM_STAT_CHECK_CONDITION status
+from normal target_complete_cmd() callback path, as well as the
+incoming __target_execute_cmd() submission failure path when
+se_cmd->execute_cmd() returns non zero status.
+
+Reported-by: Donald White
+Cc: Donald White
+Tested-by: Gary Guo
+Cc: Gary Guo
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_sbc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -450,6 +450,7 @@ static sense_reason_t compare_and_write_
+ int *post_ret)
+ {
+ struct se_device *dev = cmd->se_dev;
++ sense_reason_t ret = TCM_NO_SENSE;
+
+ /*
+ * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through
+@@ -457,9 +458,12 @@ static sense_reason_t compare_and_write_
+ * sent to the backend driver.
+ */
+ spin_lock_irq(&cmd->t_state_lock);
+- if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
++ if (cmd->transport_state & CMD_T_SENT) {
+ cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
+ *post_ret = 1;
++
++ if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION)
++ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+ spin_unlock_irq(&cmd->t_state_lock);
+
+@@ -469,7 +473,7 @@ static sense_reason_t compare_and_write_
+ */
+ up(&dev->caw_sem);
+
+- return TCM_NO_SENSE;
++ return ret;
+ }
+
+ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
diff --git a/queue-4.9/target-fix-early-transport_generic_handle_tmr-abort-scenario.patch b/queue-4.9/target-fix-early-transport_generic_handle_tmr-abort-scenario.patch
new file mode 100644
index 00000000000..ed1a9ab81ff
--- /dev/null
+++ b/queue-4.9/target-fix-early-transport_generic_handle_tmr-abort-scenario.patch
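Review bot: compare_and_write_post now sets `*post_ret = 1` for every sent command, but only `SAM_STAT_CHECK_CONDITION` is turned into `TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE`; any other non-GOOD status still returns `TCM_NO_SENSE`. The commit description speaks of non SAM_STAT_GOOD status in general, so the code should state why the other statuses are left alone, for instance `/* only CHECK_CONDITION is reported as a failure here; other statuses keep TCM_NO_SENSE */`, or the test should be widened if that was the intent. The block comment above the lock ("Only set SCF_COMPARE_AND_WRITE_POST ...") is only partly visible and may still describe the old condition, so it should be re-read against the new one.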
@@ -0,0 +1,77 @@
+From c54eeffbe9338fa982dc853d816fda9202a13b5a Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Tue, 6 Dec 2016 22:45:46 -0800
+Subject: target: Fix early transport_generic_handle_tmr abort scenario
+
+From: Nicholas Bellinger
+
+commit c54eeffbe9338fa982dc853d816fda9202a13b5a upstream.
+
+This patch fixes a bug where incoming task management requests
+can be explicitly aborted during an active LUN_RESET, but who's
+struct work_struct are canceled in-flight before execution.
+
+This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
+for the incoming se_tmr_req->task_cmd->work, resulting in cmd->work
+for target_tmr_work() never getting invoked and the aborted TMR
+waiting indefinately within transport_wait_for_tasks().
+
+To address this case, perform a CMD_T_ABORTED check early in
+transport_generic_handle_tmr(), and invoke the normal path via
+transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
+blocked waiting for CMD_T_STOP in transport_wait_for_tasks().
+
+Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
+into transport_generic_handle_tmr() so the existing check in
+core_tmr_drain_tmr_list() avoids attempting abort the incoming
+se_tmr_req->task_cmd->work if it has already been queued into
+se_device->tmr_wq.
+
+Reported-by: Rob Millner
+Tested-by: Rob Millner
+Cc: Rob Millner
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -3086,7 +3086,6 @@ static void target_tmr_work(struct work_
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+ goto check_stop;
+ }
+- cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
+ cmd->se_tfo->queue_tm_rsp(cmd);
+@@ -3099,11 +3098,25 @@ int transport_generic_handle_tmr(
+ struct se_cmd *cmd)
+ {
+ unsigned long flags;
++ bool aborted = false;
+
+ spin_lock_irqsave(&cmd->t_state_lock, flags);
+- cmd->transport_state |= CMD_T_ACTIVE;
++ if (cmd->transport_state & CMD_T_ABORTED) {
++ aborted = true;
++ } else {
++ cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
++ cmd->transport_state |= CMD_T_ACTIVE;
++ }
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+
++ if (aborted) {
++ pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d"
++ "ref_tag: %llu tag: %llu\n", cmd->se_tmr_req->function,
++ cmd->se_tmr_req->ref_task_tag, cmd->tag);
++ transport_cmd_check_stop_to_fabric(cmd);
++ return 0;
++ }
++
+ INIT_WORK(&cmd->work, target_tmr_work);
+ queue_work(cmd->se_dev->tmr_wq, &cmd->work);
+ return 0;
diff --git a/queue-4.9/target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch b/queue-4.9/target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch
new file mode 100644
index 00000000000..2e3b295ee6a
--- /dev/null
+++ b/queue-4.9/target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch
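Review bot: The format string of the new `pr_warn_ratelimited()` call in transport_generic_handle_tmr is built from two adjacent literals with no space between them, so the log line runs the TMR function number straight into `ref_tag:`. Change the first literal to `"handle_tmr caught CMD_T_ABORTED TMR %d "` or, better, join the two into one string so the message can be grepped. The types behind `%d` and the two `%llu` are declared outside the hunk and should be checked against the specifiers.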
@@ -0,0 +1,175 @@ +From 01d4d673558985d9a118e1e05026633c3e2ade9b Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Wed, 7 Dec 2016 12:55:54 -0800 +Subject: target: Fix multi-session dynamic se_node_acl double free OOPs + +From: Nicholas Bellinger + +commit 01d4d673558985d9a118e1e05026633c3e2ade9b upstream. + +This patch addresses a long-standing bug with multi-session +(eg: iscsi-target + iser-target) se_node_acl dynamic free +withini transport_deregister_session(). + +This bug is caused when a storage endpoint is configured with +demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1) +initiators, and initiator login creates a new dynamic node acl +and attaches two sessions to it. + +After that, demo-mode for the storage instance is disabled via +configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and +the existing dynamic acl is never converted to an explicit ACL. + +The end result is dynamic acl resources are released twice when +the sessions are shutdown in transport_deregister_session(). + +If the storage instance is not changed to disable demo-mode, +or the dynamic acl is converted to an explict ACL, or there +is only a single session associated with the dynamic ACL, +the bug is not triggered. + +To address this big, move the release of dynamic se_node_acl +memory into target_complete_nacl() so it's only freed once +when se_node_acl->acl_kref reaches zero. 
+ +(Drop unnecessary list_del_init usage - HCH) + +Reported-by: Rob Millner +Tested-by: Rob Millner +Cc: Rob Millner +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 69 ++++++++++++++++++++------------- + include/target/target_core_base.h | 1 + 2 files changed, 44 insertions(+), 26 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -457,8 +457,20 @@ static void target_complete_nacl(struct + { + struct se_node_acl *nacl = container_of(kref, + struct se_node_acl, acl_kref); ++ struct se_portal_group *se_tpg = nacl->se_tpg; + +- complete(&nacl->acl_free_comp); ++ if (!nacl->dynamic_stop) { ++ complete(&nacl->acl_free_comp); ++ return; ++ } ++ ++ mutex_lock(&se_tpg->acl_node_mutex); ++ list_del(&nacl->acl_list); ++ mutex_unlock(&se_tpg->acl_node_mutex); ++ ++ core_tpg_wait_for_nacl_pr_ref(nacl); ++ core_free_device_list_for_node(nacl, se_tpg); ++ kfree(nacl); + } + + void target_put_nacl(struct se_node_acl *nacl) +@@ -499,12 +511,39 @@ EXPORT_SYMBOL(transport_deregister_sessi + void transport_free_session(struct se_session *se_sess) + { + struct se_node_acl *se_nacl = se_sess->se_node_acl; ++ + /* + * Drop the se_node_acl->nacl_kref obtained from within + * core_tpg_get_initiator_node_acl(). + */ + if (se_nacl) { ++ struct se_portal_group *se_tpg = se_nacl->se_tpg; ++ const struct target_core_fabric_ops *se_tfo = se_tpg->se_tpg_tfo; ++ unsigned long flags; ++ + se_sess->se_node_acl = NULL; ++ ++ /* ++ * Also determine if we need to drop the extra ->cmd_kref if ++ * it had been previously dynamically generated, and ++ * the endpoint is not caching dynamic ACLs. 
++ */ ++ mutex_lock(&se_tpg->acl_node_mutex); ++ if (se_nacl->dynamic_node_acl && ++ !se_tfo->tpg_check_demo_mode_cache(se_tpg)) { ++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags); ++ if (list_empty(&se_nacl->acl_sess_list)) ++ se_nacl->dynamic_stop = true; ++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); ++ ++ if (se_nacl->dynamic_stop) ++ list_del(&se_nacl->acl_list); ++ } ++ mutex_unlock(&se_tpg->acl_node_mutex); ++ ++ if (se_nacl->dynamic_stop) ++ target_put_nacl(se_nacl); ++ + target_put_nacl(se_nacl); + } + if (se_sess->sess_cmd_map) { +@@ -518,16 +557,12 @@ EXPORT_SYMBOL(transport_free_session); + void transport_deregister_session(struct se_session *se_sess) + { + struct se_portal_group *se_tpg = se_sess->se_tpg; +- const struct target_core_fabric_ops *se_tfo; +- struct se_node_acl *se_nacl; + unsigned long flags; +- bool drop_nacl = false; + + if (!se_tpg) { + transport_free_session(se_sess); + return; + } +- se_tfo = se_tpg->se_tpg_tfo; + + spin_lock_irqsave(&se_tpg->session_lock, flags); + list_del(&se_sess->sess_list); +@@ -535,33 +570,15 @@ void transport_deregister_session(struct + se_sess->fabric_sess_ptr = NULL; + spin_unlock_irqrestore(&se_tpg->session_lock, flags); + +- /* +- * Determine if we need to do extra work for this initiator node's +- * struct se_node_acl if it had been previously dynamically generated. 
+- */ +- se_nacl = se_sess->se_node_acl; +- +- mutex_lock(&se_tpg->acl_node_mutex); +- if (se_nacl && se_nacl->dynamic_node_acl) { +- if (!se_tfo->tpg_check_demo_mode_cache(se_tpg)) { +- list_del(&se_nacl->acl_list); +- drop_nacl = true; +- } +- } +- mutex_unlock(&se_tpg->acl_node_mutex); +- +- if (drop_nacl) { +- core_tpg_wait_for_nacl_pr_ref(se_nacl); +- core_free_device_list_for_node(se_nacl, se_tpg); +- se_sess->se_node_acl = NULL; +- kfree(se_nacl); +- } + pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n", + se_tpg->se_tpg_tfo->get_fabric_name()); + /* + * If last kref is dropping now for an explicit NodeACL, awake sleeping + * ->acl_free_comp caller to wakeup configfs se_node_acl->acl_group + * removal context from within transport_free_session() code. ++ * ++ * For dynamic ACL, target_put_nacl() uses target_complete_nacl() ++ * to release all remaining generate_node_acl=1 created ACL resources. + */ + + transport_free_session(se_sess); +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -538,6 +538,7 @@ struct se_node_acl { + char initiatorname[TRANSPORT_IQN_LEN]; + /* Used to signal demo mode created ACL, disabled by default */ + bool dynamic_node_acl; ++ bool dynamic_stop; + u32 queue_depth; + u32 acl_index; + enum target_prot_type saved_prot_type; diff --git a/queue-4.9/target-use-correct-scsi-status-during-extended_copy-exception.patch b/queue-4.9/target-use-correct-scsi-status-during-extended_copy-exception.patch new file mode 100644 index 00000000000..252ab9851e5 --- /dev/null +++ b/queue-4.9/target-use-correct-scsi-status-during-extended_copy-exception.patch 
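Review bot: The dynamic ACL appears to be unlinked twice on the same path: transport_free_session() calls `list_del(&se_nacl->acl_list)` once it has set `dynamic_stop`, and the final `target_put_nacl()` then reaches target_complete_nacl(), which calls `list_del(&nacl->acl_list)` again because `dynamic_stop` is true. A second `list_del()` on an entry that was already removed works on poisoned pointers, so one of the two calls should go, or both should become `list_del_init(&nacl->acl_list);`. `se_nacl->dynamic_stop` is also read after `nacl_sess_lock`, under which it is written, has been released, and the new comment names `->cmd_kref` where the reference being dropped is the node ACL's `acl_kref`. target_put_nacl() and the callers are only partly visible, so the ordering should be confirmed against the full file.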
@@ -0,0 +1,44 @@
+From 0583c261e6325f392c1f7a1b9112e31298e1a4bd Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Mon, 31 Oct 2016 00:54:40 -0700
+Subject: target: Use correct SCSI status during EXTENDED_COPY exception
+
+From: Nicholas Bellinger
+
+commit 0583c261e6325f392c1f7a1b9112e31298e1a4bd upstream.
+
+This patch adds the missing target_complete_cmd() SCSI status
+parameter change in target_xcopy_do_work(), that was originally
+missing in commit 926317de33.
+
+It correctly propigates up the correct SCSI status during
+EXTENDED_COPY exception cases, instead of always using the
+hardcoded SAM_STAT_CHECK_CONDITION from original code.
+
+This is required for ESX host environments that expect to
+hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
+and SAM_STAT_CHECK_CONDITION results in non-retriable
+status for these cases.
+
+Reported-by: Nixon Vincent
+Tested-by: Nixon Vincent
+Cc: Nixon Vincent
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_xcopy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -836,7 +836,7 @@ out:
+ " CHECK_CONDITION -> sending response\n", rc);
+ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
+ }
+- target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
++ target_complete_cmd(ec_cmd, ec_cmd->scsi_status);
+ }
+
+ sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
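Review bot: `target_complete_cmd(ec_cmd, ec_cmd->scsi_status)` in target_xcopy_do_work trusts that every path reaching `out:` has stored a failure status, yet the only assignment visible in the hunk is the `SAM_STAT_CHECK_CONDITION` one inside the branch just above. If some error path arrives here with the field still at its initial value, the failed EXTENDED_COPY would be completed with that value instead of an error status. The start of the `out:` block is outside the hunk, so this is to be confirmed there; a comment such as `/* scsi_status: set by the failed sub-command, or to CHECK_CONDITION above */` would record the assumption.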