From: Greg Kroah-Hartman Date: Thu, 1 Feb 2018 13:18:20 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.115~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=598febb6f63ac799f6e149178bb1a7859f3dd8b0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch bcache-check-return-value-of-register_shrinker.patch btrfs-fix-deadlock-when-writing-out-space-cache.patch cpufreq-add-loongson-machine-dependencies.patch drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch drm-amdkfd-fix-sdma-oversubsription-handling.patch drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch hwmon-pmbus-use-64bit-math-for-direct-format-values.patch kmemleak-add-scheduling-point-to-kmemleak_scan.patch kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch kvm-x86-fix-operand-address-size-during-instruction-decoding.patch kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch mac80211-fix-the-update-of-path-metric-for-rann-frame.patch media-usbtv-add-a-new-usbid.patch net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch nfsd-check-for-use-of-the-closed-special-stateid.patch nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch openvswitch-fix-the-incorrect-flow-action-alloc-size.patch quota-check-for-register_shrinker-failure.patch 
scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch sunrpc-allow-connect-to-return-ehostunreach.patch usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch xen-netfront-remove-warning-when-unloading-module.patch xfs-ubsan-fixes.patch --- diff --git a/queue-4.4/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch b/queue-4.4/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch new file mode 100644 index 00000000000..0a9e5273352 --- /dev/null +++ b/queue-4.4/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch 
@@ -0,0 +1,44 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Hans de Goede
+Date: Sun, 15 Oct 2017 21:24:49 +0200
+Subject: ACPI / bus: Leave modalias empty for devices which are not present
+
+From: Hans de Goede
+
+
+[ Upstream commit 10809bb976648ac58194a629e3d7af99e7400297 ]
+
+Most Bay and Cherry Trail devices use a generic DSDT with all possible
+peripheral devices present in the DSDT, with their _STA returning 0x00 or
+0x0f based on AML variables which describe what is actually present on
+the board.
+
+Since ACPI device objects with a 0x00 status (not present) still get an
+entry under /sys/bus/acpi/devices, and those entry had an acpi:PNPID
+modalias, userspace would end up loading modules for non present hardware.
+
+This commit fixes this by leaving the modalias empty for non present
+devices. This results in 10 modules less being loaded with a generic
+distro kernel config on my Cherry Trail test-device (a GPD pocket).
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/device_sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -146,6 +146,10 @@ static int create_pnp_modalias(struct ac
+ int count;
+ struct acpi_hardware_id *id;
+
++ /* Avoid unnecessarily loading modules for non present devices. */
++ if (!acpi_device_is_present(acpi_dev))
++ return 0;
++
+ /*
+ * Since we skip ACPI_DT_NAMESPACE_HID from the modalias below, 0 should
+ * be returned if ACPI_DT_NAMESPACE_HID is the only ACPI/PNP ID in the
diff --git a/queue-4.4/bcache-check-return-value-of-register_shrinker.patch b/queue-4.4/bcache-check-return-value-of-register_shrinker.patch
new file mode 100644
index 00000000000..f9f0b200807
--- /dev/null
+++ b/queue-4.4/bcache-check-return-value-of-register_shrinker.patch
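Review bot: The presence check is added to create_pnp_modalias() only; if this file builds modaliases for device-tree style IDs through a separate helper (the context comment about `ACPI_DT_NAMESPACE_HID` suggests such a path exists), a not-present device taking that path would still advertise a modalias and trigger module loading. It is worth confirming whether the same `acpi_device_is_present()` guard belongs there or in the common caller. The early `return 0` also relies on callers treating 0 as "no modalias" rather than as an error, which matches the context comment but is decided outside the hunk.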
@@ -0,0 +1,40 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Michael Lyle
+Date: Fri, 24 Nov 2017 15:14:27 -0800
+Subject: bcache: check return value of register_shrinker
+
+From: Michael Lyle
+
+
+[ Upstream commit 6c4ca1e36cdc1a0a7a84797804b87920ccbebf51 ]
+
+register_shrinker is now __must_check, so check it to kill a warning.
+Caller of bch_btree_cache_alloc in super.c appropriately checks return
+value so this is fully plumbed through.
+
+This V2 fixes checkpatch warnings and improves the commit description,
+as I was too hasty getting the previous version out.
+
+Signed-off-by: Michael Lyle
+Reviewed-by: Vojtech Pavlik
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/btree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -808,7 +808,10 @@ int bch_btree_cache_alloc(struct cache_s
+ c->shrink.scan_objects = bch_mca_scan;
+ c->shrink.seeks = 4;
+ c->shrink.batch = c->btree_pages * 2;
+- register_shrinker(&c->shrink);
++
++ if (register_shrinker(&c->shrink))
++ pr_warn("bcache: %s: could not register shrinker",
++ __func__);
+
+ return 0;
+ }
diff --git a/queue-4.4/btrfs-fix-deadlock-when-writing-out-space-cache.patch b/queue-4.4/btrfs-fix-deadlock-when-writing-out-space-cache.patch
new file mode 100644
index 00000000000..2dc1ad528bc
--- /dev/null
+++ b/queue-4.4/btrfs-fix-deadlock-when-writing-out-space-cache.patch
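Review bot: In bch_btree_cache_alloc() the new `if (register_shrinker(&c->shrink))` branch only logs and the function still reaches `return 0;`, so the failure is not propagated even though the description says the caller's check makes this fully plumbed through. If the teardown path (outside this hunk) unregisters `c->shrink` unconditionally, it would then operate on a shrinker that was never registered, so either return the error or record that registration failed. The message also lacks a trailing newline; `pr_warn("bcache: %s: could not register shrinker\n", __func__);` keeps it from running into the next log line. The function starts outside the hunk.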
@@ -0,0 +1,46 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Josef Bacik
+Date: Wed, 15 Nov 2017 16:20:52 -0500
+Subject: btrfs: fix deadlock when writing out space cache
+
+From: Josef Bacik
+
+
+[ Upstream commit b77000ed558daa3bef0899d29bf171b8c9b5e6a8 ]
+
+If we fail to prepare our pages for whatever reason (out of memory in
+our case) we need to make sure to drop the block_group->data_rwsem,
+otherwise hilarity ensues.
+
+Signed-off-by: Josef Bacik
+Reviewed-by: Omar Sandoval
+Reviewed-by: Liu Bo
+Reviewed-by: David Sterba
+[ add label and use existing unlocking code ]
+Signed-off-by: David Sterba
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/free-space-cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -1258,7 +1258,7 @@ static int __btrfs_write_out_cache(struc
+ /* Lock all pages first so we can lock the extent safely. */
+ ret = io_ctl_prepare_pages(io_ctl, inode, 0);
+ if (ret)
+- goto out;
++ goto out_unlock;
+
+ lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1,
+ 0, &cached_state);
+@@ -1351,6 +1351,7 @@ out_nospc_locked:
+ out_nospc:
+ cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list);
+
++out_unlock:
+ if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA))
+ up_write(&block_group->data_rwsem);
+
diff --git a/queue-4.4/cpufreq-add-loongson-machine-dependencies.patch b/queue-4.4/cpufreq-add-loongson-machine-dependencies.patch
new file mode 100644
index 00000000000..b514959bc55
--- /dev/null
+++ b/queue-4.4/cpufreq-add-loongson-machine-dependencies.patch
@@ -0,0 +1,52 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: James Hogan
+Date: Wed, 15 Nov 2017 21:17:55 +0000
+Subject: cpufreq: Add Loongson machine dependencies
+
+From: James Hogan
+
+
+[ Upstream commit 0d307935fefa6389eb726c6362351c162c949101 ]
+
+The MIPS loongson cpufreq drivers don't build unless configured for the
+correct machine type, due to dependency on machine specific architecture
+headers and symbols in machine specific platform code.
+
+More specifically loongson1-cpufreq.c uses RST_CPU_EN and RST_CPU,
+neither of which is defined in asm/mach-loongson32/regs-clk.h unless
+CONFIG_LOONGSON1_LS1B=y, and loongson2_cpufreq.c references
+loongson2_clockmod_table[], which is only defined in
+arch/mips/loongson64/lemote-2f/clock.c, i.e. when
+CONFIG_LEMOTE_MACH2F=y.
+
+Add these dependencies to Kconfig to avoid randconfig / allyesconfig
+build failures (e.g. when based on BMIPS which also has a cpufreq
+driver).
+
+Signed-off-by: James Hogan
+Acked-by: Viresh Kumar
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/cpufreq/Kconfig
++++ b/drivers/cpufreq/Kconfig
+@@ -236,6 +236,7 @@ endif
+ if MIPS
+ config LOONGSON2_CPUFREQ
+ tristate "Loongson2 CPUFreq Driver"
++ depends on LEMOTE_MACH2F
+ help
+ This option adds a CPUFreq driver for loongson processors which
+ support software configurable cpu frequency.
+@@ -248,6 +249,7 @@ config LOONGSON2_CPUFREQ
+
+ config LOONGSON1_CPUFREQ
+ tristate "Loongson1 CPUFreq Driver"
++ depends on LOONGSON1_LS1B
+ help
+ This option adds a CPUFreq driver for loongson1 processors which
+ support software configurable cpu frequency.
diff --git a/queue-4.4/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch b/queue-4.4/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
new file mode 100644
index 00000000000..dff68ef3bd4
--- /dev/null
+++ b/queue-4.4/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
@@ -0,0 +1,98 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Felix Kuehling
+Date: Wed, 1 Nov 2017 19:21:55 -0400
+Subject: drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode
+
+From: Felix Kuehling
+
+
+[ Upstream commit cf21654b40968609779751b34e7923180968fe5b ]
+
+Fix the SDMA load and unload sequence as suggested by HW document.
+
+Signed-off-by: shaoyun liu
+Signed-off-by: Felix Kuehling
+Acked-by: Oded Gabbay
+Signed-off-by: Oded Gabbay
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 47 +++++++++++++++-------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
+@@ -367,29 +367,50 @@ static int kgd_hqd_sdma_load(struct kgd_
+ {
+ struct amdgpu_device *adev = get_amdgpu_device(kgd);
+ struct cik_sdma_rlc_registers *m;
++ unsigned long end_jiffies;
+ uint32_t sdma_base_addr;
++ uint32_t data;
+
+ m = get_sdma_mqd(mqd);
+ sdma_base_addr = get_sdma_base_addr(m);
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
+- m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ m->sdma_rlc_rb_cntl & (~SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK));
+
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE,
+- m->sdma_rlc_rb_base);
++ end_jiffies = msecs_to_jiffies(2000) + jiffies;
++ while (true) {
++ data = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS);
++ if (data & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK)
++ break;
++ if (time_after(jiffies, end_jiffies))
++ return -ETIME;
++ usleep_range(500, 1000);
++ }
++ if (m->sdma_engine_id) {
++ data = RREG32(mmSDMA1_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA1_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA1_GFX_CONTEXT_CNTL, data);
++ } else {
++ data = RREG32(mmSDMA0_GFX_CONTEXT_CNTL);
++ data = REG_SET_FIELD(data, SDMA0_GFX_CONTEXT_CNTL,
++ RESUME_CTX, 0);
++ WREG32(mmSDMA0_GFX_CONTEXT_CNTL, data);
++ }
+
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
++ m->sdma_rlc_doorbell);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
++ m->sdma_rlc_virtual_addr);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, m->sdma_rlc_rb_base);
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE_HI,
+ m->sdma_rlc_rb_base_hi);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_LO,
+ m->sdma_rlc_rb_rptr_addr_lo);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_HI,
+ m->sdma_rlc_rb_rptr_addr_hi);
+-
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
+- m->sdma_rlc_doorbell);
+-
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
+ m->sdma_rlc_rb_cntl);
+
+@@ -492,9 +513,9 @@ static int kgd_hqd_sdma_destroy(struct k
+ }
+
+ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
+- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, 0);
++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
++ RREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL) |
++ SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK);
+
+ return 0;
+ }
diff --git a/queue-4.4/drm-amdkfd-fix-sdma-oversubsription-handling.patch b/queue-4.4/drm-amdkfd-fix-sdma-oversubsription-handling.patch
new file mode 100644
index 00000000000..ac5b67eb35f
--- /dev/null
+++ b/queue-4.4/drm-amdkfd-fix-sdma-oversubsription-handling.patch
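Review bot: The idle-wait loop added to kgd_hqd_sdma_load() returns `-ETIME` with no diagnostic and with RB_ENABLE already cleared by the preceding write to `mmSDMA0_RLC0_RB_CNTL`, so a hung engine leaves the queue disabled and the only trace is an error code whose handling is outside the hunk. A `pr_err("SDMA RLC not idle in %s\n", __func__);` before the return would make the timeout visible in logs. The 2000 ms limit and the 500-1000 us sleep are bare literals; a named constant or a short comment citing the hardware document would help. `usleep_range()` also needs a sleepable context, which presumably holds for this callback but cannot be confirmed from the visible lines.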
@@ -0,0 +1,50 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Felix Kuehling
+Date: Wed, 1 Nov 2017 19:21:57 -0400
+Subject: drm/amdkfd: Fix SDMA oversubsription handling
+
+From: Felix Kuehling
+
+
+[ Upstream commit 8c946b8988acec785bcf67088b6bd0747f36d2d3 ]
+
+SDMA only supports a fixed number of queues. HWS cannot handle
+oversubscription.
+
+Signed-off-by: shaoyun liu
+Signed-off-by: Felix Kuehling
+Reviewed-by: Oded Gabbay
+Signed-off-by: Oded Gabbay
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 18 +++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -205,6 +205,24 @@ int pqm_create_queue(struct process_queu
+
+ switch (type) {
+ case KFD_QUEUE_TYPE_SDMA:
++ if (dev->dqm->queue_count >=
++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) {
++ pr_err("Over-subscription is not allowed for SDMA.\n");
++ retval = -EPERM;
++ goto err_create_queue;
++ }
++
++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid);
++ if (retval != 0)
++ goto err_create_queue;
++ pqn->q = q;
++ pqn->kq = NULL;
++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
++ &q->properties.vmid);
++ pr_debug("DQM returned %d for create_queue\n", retval);
++ print_queue(q);
++ break;
++
+ case KFD_QUEUE_TYPE_COMPUTE:
+ /* check if there is over subscription */
+ if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) &&
diff --git a/queue-4.4/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch b/queue-4.4/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
new file mode 100644
index 00000000000..bfe254225c7
--- /dev/null
+++ b/queue-4.4/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
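Review bot: The new SDMA limit in pqm_create_queue() compares `dev->dqm->queue_count` against `CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM`; if `queue_count` counts every queue type on the device rather than SDMA queues only (its definition is outside the hunk), compute queues would consume the SDMA budget and SDMA creation could be refused while SDMA slots are still free. A per-type counter, if the queue manager keeps one, is the value to test here. `-EPERM` reports resource exhaustion as a permission failure, which is harder for callers to interpret than `-EBUSY` or `-ENOSPC`, subject to what user space already expects. The create/log/break sequence that follows duplicates the compute path that was previously shared through fall-through, so a small helper would keep the two in step.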
@@ -0,0 +1,36 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: shaoyunl
+Date: Wed, 1 Nov 2017 19:21:56 -0400
+Subject: drm/amdkfd: Fix SDMA ring buffer size calculation
+
+From: shaoyunl
+
+
+[ Upstream commit d12fb13f23199faa7e536acec1db49068e5a067d ]
+
+ffs function return the position of the first bit set on 1 based.
+(bit zero returns 1).
+
+Signed-off-by: shaoyun liu
+Signed-off-by: Felix Kuehling
+Reviewed-by: Oded Gabbay
+Signed-off-by: Oded Gabbay
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+@@ -215,8 +215,8 @@ static int update_mqd_sdma(struct mqd_ma
+ BUG_ON(!mm || !mqd || !q);
+
+ m = get_sdma_mqd(mqd);
+- m->sdma_rlc_rb_cntl = ffs(q->queue_size / sizeof(unsigned int)) <<
+- SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
++ m->sdma_rlc_rb_cntl = (ffs(q->queue_size / sizeof(unsigned int)) - 1)
++ << SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
+ q->vmid << SDMA0_RLC0_RB_CNTL__RB_VMID__SHIFT |
+ 1 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_ENABLE__SHIFT |
+ 6 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_TIMER__SHIFT;
diff --git a/queue-4.4/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch b/queue-4.4/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
new file mode 100644
index 00000000000..b9e2b73a23b
--- /dev/null
+++ b/queue-4.4/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
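Review bot: In update_mqd_sdma() the corrected expression `(ffs(q->queue_size / sizeof(unsigned int)) - 1)` evaluates to -1 when `queue_size` is smaller than `sizeof(unsigned int)`, because ffs(0) returns 0, and left-shifting a negative int is undefined; before this change the same input produced 0. Whether `queue_size` is validated as a non-zero power of two is decided outside the hunk, so that is worth confirming before relying on the subtraction. A guard ahead of the assignment, or `ilog2()` on a checked size, would make the requirement explicit. The function body continues beyond the hunk.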
@@ -0,0 +1,34 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Christophe JAILLET
+Date: Sun, 24 Sep 2017 08:01:03 +0200
+Subject: drm/omap: Fix error handling path in 'omap_dmm_probe()'
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 8677b1ac2db021ab30bb1fa34f1e56ebe0051ec3 ]
+
+If we don't find a matching device node, we must free the memory allocated
+in 'omap_dmm' a few lines above.
+
+Fixes: 7cb0d6c17b96 ("drm/omap: fix TILER on OMAP5")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -611,7 +611,8 @@ static int omap_dmm_probe(struct platfor
+ match = of_match_node(dmm_of_match, dev->dev.of_node);
+ if (!match) {
+ dev_err(&dev->dev, "failed to find matching device node\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto fail;
+ }
+
+ omap_dmm->plat_data = match->data;
diff --git a/queue-4.4/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch b/queue-4.4/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
new file mode 100644
index 00000000000..e764eeb673e
--- /dev/null
+++ b/queue-4.4/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Vasily Averin
+Date: Mon, 6 Nov 2017 16:22:48 +0300
+Subject: grace: replace BUG_ON by WARN_ONCE in exit_net hook
+
+From: Vasily Averin
+
+
+[ Upstream commit b872285751c1af010e12d02bce7069e2061a58ca ]
+
+Signed-off-by: Vasily Averin
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs_common/grace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -104,7 +104,9 @@ grace_exit_net(struct net *net)
+ {
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+- BUG_ON(!list_empty(grace_list));
++ WARN_ONCE(!list_empty(grace_list),
++ "net %x %s: grace_list is not empty\n",
++ net->ns.inum, __func__);
+ }
+
+ static struct pernet_operations grace_net_ops = {
diff --git a/queue-4.4/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch b/queue-4.4/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
new file mode 100644
index 00000000000..db6bb69138c
--- /dev/null
+++ b/queue-4.4/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
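Review bot: grace_exit_net() now only warns when `grace_list` is non-empty, and nothing after the `WARN_ONCE()` unlinks the remaining entries, so they stay linked to a list head that lives in per-net storage obtained from `net_generic()`. If that storage is released after the exit hook runs (not visible here), later list operations on those entries would touch freed memory, which is the state the replaced BUG_ON stopped on. Consider emptying the list in the warning branch, or adding a comment that says why leaving the entries linked is safe. `WARN_ONCE` also reports only the first occurrence, so a second namespace reaching the same state is silent.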
@@ -0,0 +1,94 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Robert Lippert
+Date: Mon, 27 Nov 2017 15:51:55 -0800
+Subject: hwmon: (pmbus) Use 64bit math for DIRECT format values
+
+From: Robert Lippert
+
+
+[ Upstream commit bd467e4eababe4c04272c1e646f066db02734c79 ]
+
+Power values in the 100s of watt range can easily blow past
+32bit math limits when processing everything in microwatts.
+
+Use 64bit math instead to avoid these issues on common 32bit ARM
+BMC platforms.
+
+Fixes: 442aba78728e ("hwmon: PMBus device driver")
+Signed-off-by: Robert Lippert
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct
+ static long pmbus_reg2data_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor)
+ {
+- long val = (s16) sensor->data;
+- long m, b, R;
++ s64 b, val = (s16)sensor->data;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val = div_s64(val + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return (val - b) / m;
++ val = div_s64(val - b, m);
++ return clamp_val(val, LONG_MIN, LONG_MAX);
+ }
+
+ /*
+@@ -629,7 +631,8 @@ static u16 pmbus_data2reg_linear(struct
+ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor, long val)
+ {
+- long m, b, R;
++ s64 b, val64 = val;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -646,18 +649,18 @@ static u16 pmbus_data2reg_direct(struct
+ R -= 3; /* Adjust R and b for data in milli-units */
+ b *= 1000;
+ }
+- val = val * m + b;
++ val64 = val64 * m + b;
+
+ while (R > 0) {
+- val *= 10;
++ val64 *= 10;
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return val;
++ return (u16)clamp_val(val64, S16_MIN, S16_MAX);
+ }
+
+ static u16 pmbus_data2reg_vid(struct pmbus_data *data,
diff --git a/queue-4.4/kmemleak-add-scheduling-point-to-kmemleak_scan.patch b/queue-4.4/kmemleak-add-scheduling-point-to-kmemleak_scan.patch
new file mode 100644
index 00000000000..55fe1b3e7e2
--- /dev/null
+++ b/queue-4.4/kmemleak-add-scheduling-point-to-kmemleak_scan.patch
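Review bot: `div_s64(val + 5LL, 10L)` in pmbus_reg2data_direct(), and the same expression on `val64` in pmbus_data2reg_direct(), rounds to nearest only for non-negative values; the division truncates toward zero, so -14 yields 0 where the replaced `DIV_ROUND_CLOSEST` gave -1. Negative readings are plausible here because the raw value is sign-extended with `(s16)sensor->data`. `val = div_s64(val + (val < 0 ? -5 : 5), 10);` keeps the previous rounding and makes the `/* round closest */` comment accurate. Separately, `div_s64(val - b, m)` still divides by `m` read from `data->info->m[...]` with no zero check in the visible lines; that predates this change, but a guard would be cheap.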
@@ -0,0 +1,52 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Yisheng Xie
+Date: Wed, 29 Nov 2017 16:11:08 -0800
+Subject: kmemleak: add scheduling point to kmemleak_scan()
+
+From: Yisheng Xie
+
+
+[ Upstream commit bde5f6bc68db51128f875a756e9082a6c6ff7b4c ]
+
+kmemleak_scan() will scan struct page for each node and it can be really
+large and resulting in a soft lockup. We have seen a soft lockup when
+do scan while compile kernel:
+
+ watchdog: BUG: soft lockup - CPU#53 stuck for 22s! [bash:10287]
+ [...]
+ Call Trace:
+ kmemleak_scan+0x21a/0x4c0
+ kmemleak_write+0x312/0x350
+ full_proxy_write+0x5a/0xa0
+ __vfs_write+0x33/0x150
+ vfs_write+0xad/0x1a0
+ SyS_write+0x52/0xc0
+ do_syscall_64+0x61/0x1a0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Fix this by adding cond_resched every MAX_SCAN_SIZE.
+
+Link: http://lkml.kernel.org/r/1511439788-20099-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Yisheng Xie
+Suggested-by: Catalin Marinas
+Acked-by: Catalin Marinas
+Cc: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kmemleak.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1394,6 +1394,8 @@ static void kmemleak_scan(void)
+ if (page_count(page) == 0)
+ continue;
+ scan_block(page, page + 1, NULL);
++ if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page))))
++ cond_resched();
+ }
+ }
+ put_online_mems();
diff --git a/queue-4.4/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch b/queue-4.4/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
new file mode 100644
index 00000000000..27594f55870
--- /dev/null
+++ b/queue-4.4/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
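Review bot: The new `cond_resched()` in kmemleak_scan() sits after `scan_block()`, below the `if (page_count(page) == 0) continue;` visible in the hunk, so it is reached only when the pfn that is a multiple of `MAX_SCAN_SIZE / sizeof(*page)` belongs to a page that is actually scanned. A run of free pages, or any earlier `continue` in the loop (its head is outside the hunk), misses the scheduling point for that window, so the yield interval depends on page state. Moving the check to the top of the loop body, before the first `continue`, makes the yield unconditional.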
@@ -0,0 +1,98 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Wanpeng Li
+Date: Mon, 20 Nov 2017 14:52:21 -0800
+Subject: KVM: VMX: Fix rflags cache during vCPU reset
+
+From: Wanpeng Li
+
+
+[ Upstream commit c37c28730bb031cc8a44a130c2555c0f3efbe2d0 ]
+
+Reported by syzkaller:
+
+ *** Guest State ***
+ CR0: actual=0x0000000080010031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
+ CR4: actual=0x0000000000002061, shadow=0x0000000000000000, gh_mask=ffffffffffffe8f1
+ CR3 = 0x000000002081e000
+ RSP = 0x000000000000fffa RIP = 0x0000000000000000
+ RFLAGS=0x00023000 DR7 = 0x00000000000000
+ ^^^^^^^^^^
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 24431 at /home/kernel/linux/arch/x86/kvm//x86.c:7302 kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ CPU: 6 PID: 24431 Comm: reprotest Tainted: G W OE 4.14.0+ #26
+ RIP: 0010:kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ RSP: 0018:ffff880291d179e0 EFLAGS: 00010202
+ Call Trace:
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The failed vmentry is triggered by the following beautified testcase:
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ long r[5];
+ int main()
+ {
+ struct kvm_debugregs dr = { 0 };
+
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+ struct kvm_guest_debug debug = {
+ .control = 0xf0403,
+ .arch = {
+ .debugreg[6] = 0x2,
+ .debugreg[7] = 0x2
+ }
+ };
+ ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
+ ioctl(r[4], KVM_RUN, 0);
+ }
+
+which testcase tries to setup the processor specific debug
+registers and configure vCPU for handling guest debug events through
+KVM_SET_GUEST_DEBUG. The KVM_SET_GUEST_DEBUG ioctl will get and set
+rflags in order to set TF bit if single step is needed. All regs' caches
+are reset to avail and GUEST_RFLAGS vmcs field is reset to 0x2 during vCPU
+reset. However, the cache of rflags is not reset during vCPU reset. The
+function vmx_get_rflags() returns an unreset rflags cache value since
+the cache is marked avail, it is 0 after boot. Vmentry fails if the
+rflags reserved bit 1 is 0.
+
+This patch fixes it by resetting both the GUEST_RFLAGS vmcs field and
+its cache to 0x2 during vCPU reset.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Reviewed-by: David Hildenbrand
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Nadav Amit
+Cc: Dmitry Vyukov
+Signed-off-by: Wanpeng Li
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4954,7 +4954,7 @@ static void vmx_vcpu_reset(struct kvm_vc
+ vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+ }
+
+- vmcs_writel(GUEST_RFLAGS, 0x02);
++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
+ kvm_rip_write(vcpu, 0xfff0);
+
+ vmcs_writel(GUEST_GDTR_BASE, 0);
diff --git a/queue-4.4/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch b/queue-4.4/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
new file mode 100644
index 00000000000..3e11d1eba9a
--- /dev/null
+++ b/queue-4.4/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Liran Alon
+Date: Sun, 5 Nov 2017 16:56:34 +0200
+Subject: KVM: x86: Don't re-execute instruction when not passing CR2 value
+
+From: Liran Alon
+
+
+[ Upstream commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 ]
+
+In case of instruction-decode failure or emulation failure,
+x86_emulate_instruction() will call reexecute_instruction() which will
+attempt to use the cr2 value passed to x86_emulate_instruction().
+However, when x86_emulate_instruction() is called from
+emulate_instruction(), cr2 is not passed (passed as 0) and therefore
+it doesn't make sense to execute reexecute_instruction() logic at all.
+
+Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")
+
+Signed-off-by: Liran Alon
+Reviewed-by: Nikita Leshenko
+Reviewed-by: Konrad Rzeszutek Wilk
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Wanpeng Li
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/kvm_host.h | 3 ++-
+ arch/x86/kvm/vmx.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -998,7 +998,8 @@ int x86_emulate_instruction(struct kvm_v
+ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
+ int emulation_type)
+ {
+- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
++ return x86_emulate_instruction(vcpu, 0,
++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
+ }
+
+ void kvm_enable_efer_bits(u64);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6023,7 +6023,7 @@ static int handle_invalid_guest_state(st
+ if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
+ return 1;
+
+- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
++ err = emulate_instruction(vcpu, 0);
+
+ if (err == EMULATE_USER_EXIT) {
+ ++vcpu->stat.mmio_exits;
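Review bot: emulate_instruction() now ORs `EMULTYPE_NO_REEXECUTE` into every caller's `emulation_type`, which is invisible at call sites such as `emulate_instruction(vcpu, 0)` in handle_invalid_guest_state(). A short comment on the inline, for example `/* cr2 is passed as 0 here, so re-execution is never attempted */`, would stop a later reader from re-adding the flag at call sites or assuming re-execution is available through this wrapper.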
diff --git a/queue-4.4/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch b/queue-4.4/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
new file mode 100644
index 00000000000..6e51984d8bf
--- /dev/null
+++ b/queue-4.4/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Liran Alon
+Date: Sun, 5 Nov 2017 16:56:33 +0200
+Subject: KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
+
+From: Liran Alon
+
+
+[ Upstream commit 1f4dcb3b213235e642088709a1c54964d23365e9 ]
+
+On this case, handle_emulation_failure() fills kvm_run with
+internal-error information which it expects to be delivered
+to user-mode for further processing.
+However, the code reports a wrong return-value which makes KVM to never
+return to user-mode on this scenario.
+
+Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
+userspace")
+
+Signed-off-by: Liran Alon
+Reviewed-by: Nikita Leshenko
+Reviewed-by: Konrad Rzeszutek Wilk
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Wanpeng Li
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5153,7 +5153,7 @@ static int handle_emulation_failure(stru
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
+- r = EMULATE_FAIL;
++ r = EMULATE_USER_EXIT;
+ }
+ kvm_queue_exception(vcpu, UD_VECTOR);
+
diff --git a/queue-4.4/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch b/queue-4.4/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
new file mode 100644
index 00000000000..830543359ea
--- /dev/null
+++ b/queue-4.4/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
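Review bot: In handle_emulation_failure() the branch that now sets `r = EMULATE_USER_EXIT` is still followed by the unconditional `kvm_queue_exception(vcpu, UD_VECTOR);`, so on this path the guest has #UD queued and user space is handed KVM_EXIT_INTERNAL_ERROR for the same failure. If that combination is intended, a comment at the call saying so would help, because a VMM that resumes the vCPU after the exit will see the guest take the exception. The function's start and its return statement are outside the hunk.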
@@ -0,0 +1,61 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Wanpeng Li
+Date: Sun, 5 Nov 2017 16:54:47 -0800
+Subject: KVM: X86: Fix operand/address-size during instruction decoding
+
+From: Wanpeng Li
+
+
+[ Upstream commit 3853be2603191829b442b64dac6ae8ba0c027bf9 ]
+
+Pedro reported:
+ During tests that we conducted on KVM, we noticed that executing a "PUSH %ES"
+ instruction under KVM produces different results on both memory and the SP
+ register depending on whether EPT support is enabled. With EPT the SP is
+ reduced by 4 bytes (and the written value is 0-padded) but without EPT support
+ it is only reduced by 2 bytes. The difference can be observed when the CS.DB
+ field is 1 (32-bit) but not when it's 0 (16-bit).
+
+The internal segment descriptor cache exist even in real/vm8096 mode. The CS.D
+also should be respected instead of just default operand/address-size/66H
+prefix/67H prefix during instruction decoding. This patch fixes it by also
+adjusting operand/address-size according to CS.D.
+
+Reported-by: Pedro Fonseca
+Tested-by: Pedro Fonseca
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Nadav Amit
+Cc: Pedro Fonseca
+Signed-off-by: Wanpeng Li
+Reviewed-by: Paolo Bonzini
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4978,6 +4978,8 @@ int x86_decode_insn(struct x86_emulate_c
+ bool op_prefix = false;
+ bool has_seg_override = false;
+ struct opcode opcode;
++ u16 dummy;
++ struct desc_struct desc;
+
+ ctxt->memop.type = OP_NONE;
+ ctxt->memopp = NULL;
+@@ -4996,6 +4998,11 @@ int x86_decode_insn(struct x86_emulate_c
+ switch (mode) {
+ case X86EMUL_MODE_REAL:
+ case X86EMUL_MODE_VM86:
++ def_op_bytes = def_ad_bytes = 2;
++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
++ if (desc.d)
++ def_op_bytes = def_ad_bytes = 4;
++ break;
+ case X86EMUL_MODE_PROT16:
+ def_op_bytes = def_ad_bytes = 2;
+ break;
diff --git a/queue-4.4/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch b/queue-4.4/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
new file mode 100644
index 00000000000..f7c911d0be8
--- /dev/null
+++ b/queue-4.4/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
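Review bot: In x86_decode_insn() the result of `ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS)` is ignored and `desc.d` is then read from a stack variable declared without an initialiser. If the callback can return without filling `desc` (its implementation is not in this hunk), the operand and address size for real and VM86 mode would be chosen from leftover stack contents. Declaring it as `struct desc_struct desc = {};`, or testing the call's result before `if (desc.d)`, removes the dependency on the callback's behaviour. The function continues beyond the hunk.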
@@ -0,0 +1,58 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:32 +0200 +Subject: KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered + +From: Nikita Leshenko + + +[ Upstream commit a8bfec2930525808c01f038825d1df3904638631 ] + +Some OSes (Linux, Xen) use this behavior to clear the Remote IRR bit for +IOAPICs without an EOI register. They simulate the EOI message manually +by changing the trigger mode to edge and then back to level, with the +entry being masked during this. + +QEMU implements this feature in commit ed1263c363c9 +("ioapic: clear remote irr bit for edge-triggered interrupts") + +As a side effect, this commit removes an incorrect behavior where Remote +IRR was cleared when the redirection table entry was rewritten. This is not +consistent with the manual and also opens an opportunity for a strange +behavior when a redirection table entry is modified from an interrupt +handler that handles the same entry: The modification will clear the +Remote IRR bit even though the interrupt handler is still running. + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Wanpeng Li +Reviewed-by: Steve Rutherford +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -296,8 +296,17 @@ static void ioapic_write_indirect(struct + } else { + e->bits &= ~0xffffffffULL; + e->bits |= (u32) val; +- e->fields.remote_irr = 0; + } ++ ++ /* ++ * Some OSes (Linux, Xen) assume that Remote IRR bit will ++ * be cleared by IOAPIC hardware when the entry is configured ++ * as edge-triggered. This behavior is used to simulate an ++ * explicit EOI on IOAPICs that don't have the EOI register. 
++ */ ++ if (e->fields.trig_mode == IOAPIC_EDGE_TRIG) ++ e->fields.remote_irr = 0; ++ + mask_after = e->fields.mask; + if (mask_before != mask_after) + kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after); diff --git a/queue-4.4/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch b/queue-4.4/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch new file mode 100644 index 00000000000..8954fcfac99 --- /dev/null +++ b/queue-4.4/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch 
@@ -0,0 +1,66 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:29 +0200 +Subject: KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race + +From: Nikita Leshenko + + +[ Upstream commit 0fc5a36dd6b345eb0d251a65c236e53bead3eef7 ] + +KVM uses ioapic_handled_vectors to track vectors that need to notify the +IOAPIC on EOI. The problem is that IOAPIC can be reconfigured while an +interrupt with old configuration is pending or running and +ioapic_handled_vectors only remembers the newest configuration; +thus EOI from the old interrupt is not delievered to the IOAPIC. + +A previous commit db2bdcbbbd32 +("KVM: x86: fix edge EOI and IOAPIC reconfig race") +addressed this issue by adding pending edge-triggered interrupts to +ioapic_handled_vectors, fixing this race for edge-triggered interrupts. +The commit explicitly ignored level-triggered interrupts, +but this race applies to them as well: + +1) IOAPIC sends a level triggered interrupt vector to VCPU0 +2) VCPU0's handler deasserts the irq line and reconfigures the IOAPIC + to route the vector to VCPU1. The reconfiguration rewrites only the + upper 32 bits of the IOREDTBLn register. (Causes KVM to update + ioapic_handled_vectors for VCPU0 and it no longer includes the vector.) +3) VCPU0 sends EOI for the vector, but it's not delievered to the + IOAPIC because the ioapic_handled_vectors doesn't include the vector. +4) New interrupts are not delievered to VCPU1 because remote_irr bit + is set forever. + +Therefore, the correct behavior is to add all pending and running +interrupts to ioapic_handled_vectors. + +This commit introduces a slight performance hit similar to +commit db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race") +for the rare case that the vector is reused by a non-IOAPIC source on +VCPU0. We prefer to keep solution simple and not handle this case just +as the original commit does. 
+ +Fixes: db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race") + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -247,8 +247,7 @@ void kvm_ioapic_scan_entry(struct kvm_vc + index == RTC_GSI) { + if (kvm_apic_match_dest(vcpu, NULL, 0, + e->fields.dest_id, e->fields.dest_mode) || +- (e->fields.trig_mode == IOAPIC_EDGE_TRIG && +- kvm_apic_pending_eoi(vcpu, e->fields.vector))) ++ kvm_apic_pending_eoi(vcpu, e->fields.vector)) + __set_bit(e->fields.vector, + (unsigned long *)eoi_exit_bitmap); + } diff --git a/queue-4.4/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch b/queue-4.4/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch new file mode 100644 index 00000000000..959e6f4956b --- /dev/null +++ b/queue-4.4/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch 
@@ -0,0 +1,55 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:33 +0200 +Subject: KVM: x86: ioapic: Preserve read-only values in the redirection table + +From: Nikita Leshenko + + +[ Upstream commit b200dded0a6974a3b69599832b2203483920ab25 ] + +According to 82093AA (IOAPIC) manual, Remote IRR and Delivery Status are +read-only. QEMU implements the bits as RO in commit 479c2a1cb7fb +("ioapic: keep RO bits for IOAPIC entry"). + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Wanpeng Li +Reviewed-by: Steve Rutherford +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -268,6 +268,7 @@ static void ioapic_write_indirect(struct + { + unsigned index; + bool mask_before, mask_after; ++ int old_remote_irr, old_delivery_status; + union kvm_ioapic_redirect_entry *e; + + switch (ioapic->ioregsel) { +@@ -290,6 +291,9 @@ static void ioapic_write_indirect(struct + return; + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; ++ /* Preserve read-only fields */ ++ old_remote_irr = e->fields.remote_irr; ++ old_delivery_status = e->fields.delivery_status; + if (ioapic->ioregsel & 1) { + e->bits &= 0xffffffff; + e->bits |= (u64) val << 32; +@@ -297,6 +301,8 @@ static void ioapic_write_indirect(struct + e->bits &= ~0xffffffffULL; + e->bits |= (u32) val; + } ++ e->fields.remote_irr = old_remote_irr; ++ e->fields.delivery_status = old_delivery_status; + + /* + * Some OSes (Linux, Xen) assume that Remote IRR bit will diff --git a/queue-4.4/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch b/queue-4.4/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch new file mode 100644 index 00000000000..c6c625970b5 --- /dev/null 
+++ b/queue-4.4/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch 
@@ -0,0 +1,84 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Vasily Averin +Date: Mon, 13 Nov 2017 07:25:40 +0300 +Subject: lockd: fix "list_add double add" caused by legacy signal interface + +From: Vasily Averin + + +[ Upstream commit 81833de1a46edce9ca20cfe079872ac1c20ef359 ] + +restart_grace() uses hardcoded init_net. +It can cause to "list_add double add" in following scenario: + +1) nfsd and lockd was started in several net namespaces +2) nfsd in init_net was stopped (lockd was not stopped because + it have users from another net namespaces) +3) lockd got signal, called restart_grace() -> set_grace_period() + and enabled lock_manager in hardcoded init_net. +4) nfsd in init_net is started again, + its lockd_up() calls set_grace_period() and tries to add + lock_manager into init_net 2nd time. + +Jeff Layton suggest: +"Make it safe to call locks_start_grace multiple times on the same +lock_manager. If it's already on the global grace_list, then don't try +to add it again. (But we don't intentionally add twice, so for now we +WARN about that case.) + +With this change, we also need to ensure that the nfsd4 lock manager +initializes the list before we call locks_start_grace. While we're at +it, move the rest of the nfsd_net initialization into +nfs4_state_create_net. I see no reason to have it spread over two +functions like it is today." + +Suggested patch was updated to generate warning in described situation. + +Suggested-by: Jeff Layton +Signed-off-by: Vasily Averin +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs_common/grace.c | 6 +++++- + fs/nfsd/nfs4state.c | 7 ++++--- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/nfs_common/grace.c ++++ b/fs/nfs_common/grace.c +@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struc + struct list_head *grace_list = net_generic(net, grace_net_id); + + spin_lock(&grace_lock); +- list_add(&lm->list, grace_list); ++ if (list_empty(&lm->list)) ++ list_add(&lm->list, grace_list); ++ else ++ WARN(1, "double list_add attempt detected in net %x %s\n", ++ net->ns.inum, (net == &init_net) ? "(init_net)" : ""); + spin_unlock(&grace_lock); + } + EXPORT_SYMBOL_GPL(locks_start_grace); +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -6792,6 +6792,10 @@ static int nfs4_state_create_net(struct + INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]); + nn->conf_name_tree = RB_ROOT; + nn->unconf_name_tree = RB_ROOT; ++ nn->boot_time = get_seconds(); ++ nn->grace_ended = false; ++ nn->nfsd4_manager.block_opens = true; ++ INIT_LIST_HEAD(&nn->nfsd4_manager.list); + INIT_LIST_HEAD(&nn->client_lru); + INIT_LIST_HEAD(&nn->close_lru); + INIT_LIST_HEAD(&nn->del_recall_lru); +@@ -6846,9 +6850,6 @@ nfs4_state_start_net(struct net *net) + ret = nfs4_state_create_net(net); + if (ret) + return ret; +- nn->boot_time = get_seconds(); +- nn->grace_ended = false; +- nn->nfsd4_manager.block_opens = true; + locks_start_grace(net, &nn->nfsd4_manager); + nfsd4_client_tracking_init(net); + printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n", diff --git a/queue-4.4/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch b/queue-4.4/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch new file mode 100644 index 00000000000..229d81da63b --- /dev/null +++ b/queue-4.4/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch 
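Review bot: The new `list_empty(&lm->list)` test in `locks_start_grace` is only correct if every `lock_manager` arrives with an initialized list head and if removal leaves the node self-pointing. This patch adds `INIT_LIST_HEAD(&nn->nfsd4_manager.list)` for nfsd, but lockd's own manager and the removal in `locks_end_grace` are outside the hunks. If either uses a zeroed head or a plain `list_del`, the manager would be treated as already queued and its grace period skipped with only a warning. That should be confirmed against the 4.4 tree. Separately, `WARN(1, ...)` fires on every repeat of the legacy signal path; `WARN_ONCE(1, ...)` would limit the log noise and the exposure on hosts that run with panic_on_warn.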
@@ -0,0 +1,81 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Chun-Yeow Yeoh +Date: Tue, 14 Nov 2017 23:20:05 +0800 +Subject: mac80211: fix the update of path metric for RANN frame + +From: Chun-Yeow Yeoh + + +[ Upstream commit fbbdad5edf0bb59786a51b94a9d006bc8c2da9a2 ] + +The previous path metric update from RANN frame has not considered +the own link metric toward the transmitting mesh STA. Fix this. + +Reported-by: Michael65535 +Signed-off-by: Chun-Yeow Yeoh +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -776,7 +776,7 @@ static void hwmp_rann_frame_process(stru + struct mesh_path *mpath; + u8 ttl, flags, hopcount; + const u8 *orig_addr; +- u32 orig_sn, metric, metric_txsta, interval; ++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval; + bool root_is_gate; + + ttl = rann->rann_ttl; +@@ -787,7 +787,7 @@ static void hwmp_rann_frame_process(stru + interval = le32_to_cpu(rann->rann_interval); + hopcount = rann->rann_hopcount; + hopcount++; +- metric = le32_to_cpu(rann->rann_metric); ++ orig_metric = le32_to_cpu(rann->rann_metric); + + /* Ignore our own RANNs */ + if (ether_addr_equal(orig_addr, sdata->vif.addr)) +@@ -804,7 +804,10 @@ static void hwmp_rann_frame_process(stru + return; + } + +- metric_txsta = airtime_link_metric_get(local, sta); ++ last_hop_metric = airtime_link_metric_get(local, sta); ++ new_metric = orig_metric + last_hop_metric; ++ if (new_metric < orig_metric) ++ new_metric = MAX_METRIC; + + mpath = mesh_path_lookup(sdata, orig_addr); + if (!mpath) { +@@ -817,7 +820,7 @@ static void hwmp_rann_frame_process(stru + } + + if (!(SN_LT(mpath->sn, orig_sn)) && +- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) { ++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) { + rcu_read_unlock(); + return; + } 
+@@ -835,7 +838,7 @@ static void hwmp_rann_frame_process(stru + } + + mpath->sn = orig_sn; +- mpath->rann_metric = metric + metric_txsta; ++ mpath->rann_metric = new_metric; + mpath->is_root = true; + /* Recording RANNs sender address to send individually + * addressed PREQs destined for root mesh STA */ +@@ -855,7 +858,7 @@ static void hwmp_rann_frame_process(stru + mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr, + orig_sn, 0, NULL, 0, broadcast_addr, + hopcount, ttl, interval, +- metric + metric_txsta, 0, sdata); ++ new_metric, 0, sdata); + } + + rcu_read_unlock(); diff --git a/queue-4.4/media-usbtv-add-a-new-usbid.patch b/queue-4.4/media-usbtv-add-a-new-usbid.patch new file mode 100644 index 00000000000..84fa18994fb --- /dev/null +++ b/queue-4.4/media-usbtv-add-a-new-usbid.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: Icenowy Zheng +Date: Sun, 16 Apr 2017 02:51:16 -0400 +Subject: media: usbtv: add a new usbid + +From: Icenowy Zheng + + +[ Upstream commit 04226916d2360f56d57ad00bc48d2d1854d1e0b0 ] + +A new usbid of UTV007 is found in a newly bought device. + +The usbid is 1f71:3301. + +The ID on the chip is: +UTV007 +A89029.1 +1520L18K1 + +Both video and audio is tested with the modified usbtv driver. + +Signed-off-by: Icenowy Zheng +Acked-by: Lubomir Rintel +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/usbtv/usbtv-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -127,6 +127,7 @@ static void usbtv_disconnect(struct usb_ + + static struct usb_device_id usbtv_id_table[] = { + { USB_DEVICE(0x1b71, 0x3002) }, ++ { USB_DEVICE(0x1f71, 0x3301) }, + {} + }; + MODULE_DEVICE_TABLE(usb, usbtv_id_table); 
diff --git a/queue-4.4/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch b/queue-4.4/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
new file mode 100644
index 00000000000..ff6d9acf339
--- /dev/null
+++ b/queue-4.4/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
@@ -0,0 +1,40 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Geert Uytterhoeven
+Date: Wed, 29 Nov 2017 11:01:09 +0100
+Subject: net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
+
+From: Geert Uytterhoeven
+
+
+[ Upstream commit 15bfe05c8d6386f1a90e9340d15336e85e32aad6 ]
+
+On 64-bit (e.g. powerpc64/allmodconfig):
+
+ drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done':
+ drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ dev_kfree_skb_irq((struct sk_buff *)cur_p->app4);
+ ^
+
+cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer.
+
+Note that several other fields in struct cdmac_bd are also too small to
+hold physical addresses on 64-bit platforms.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/xilinx/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/Kconfig
++++ b/drivers/net/ethernet/xilinx/Kconfig
+@@ -34,6 +34,7 @@ config XILINX_AXI_EMAC
+ config XILINX_LL_TEMAC
+ tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
+ depends on (PPC || MICROBLAZE)
++ depends on !64BIT || BROKEN
+ select PHYLIB
+ ---help---
+ This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
diff --git a/queue-4.4/nfsd-check-for-use-of-the-closed-special-stateid.patch b/queue-4.4/nfsd-check-for-use-of-the-closed-special-stateid.patch
new file mode 100644
index 00000000000..a3df34f0ba3
--- /dev/null
+++ b/queue-4.4/nfsd-check-for-use-of-the-closed-special-stateid.patch
@@ -0,0 +1,50 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Andrew Elble
+Date: Thu, 9 Nov 2017 13:41:10 -0500
+Subject: nfsd: check for use of the closed special stateid
+
+From: Andrew Elble
+
+
+[ Upstream commit ae254dac721d44c0bfebe2795df87459e2e88219 ]
+
+Prevent the use of the closed (invalid) special stateid by clients.
+
+Signed-off-by: Andrew Elble
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -72,6 +72,7 @@ static u64 current_sessionid = 1;
+ #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t)))
+ #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t)))
+ #define CURRENT_STATEID(stateid) (!memcmp((stateid), ¤tstateid, sizeof(stateid_t)))
++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t)))
+
+ /* forward declarations */
+ static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
+@@ -4704,7 +4705,8 @@ static __be32 nfsd4_validate_stateid(str
+ struct nfs4_stid *s;
+ __be32 status = nfserr_bad_stateid;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return status;
+ /* Client debugging aid. */
+ if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
+@@ -4762,7 +4764,8 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ else if (typemask & NFS4_DELEG_STID)
+ typemask |= NFS4_REVOKED_DELEG_STID;
+
+- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
++ CLOSE_STATEID(stateid))
+ return nfserr_bad_stateid;
+ status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn);
+ if (status == nfserr_stale_clientid) {
diff --git a/queue-4.4/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch b/queue-4.4/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
new file mode 100644
index 00000000000..a2b9a976063
--- /dev/null
+++ b/queue-4.4/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust
+Date: Fri, 3 Nov 2017 08:00:12 -0400
+Subject: nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0)
+
+From: Trond Myklebust
+
+
+[ Upstream commit fb500a7cfee7f2f447d2bbf30cb59629feab6ac1 ]
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -63,6 +63,9 @@ static const stateid_t zero_stateid = {
+ static const stateid_t currentstateid = {
+ .si_generation = 1,
+ };
++static const stateid_t close_stateid = {
++ .si_generation = 0xffffffffU,
++};
+
+ static u64 current_sessionid = 1;
+
+@@ -5243,6 +5246,11 @@ nfsd4_close(struct svc_rqst *rqstp, stru
+ nfsd4_close_open_stateid(stp);
+ mutex_unlock(&stp->st_mutex);
+
++ /* See RFC5661 sectionm 18.2.4 */
++ if (stp->st_stid.sc_client->cl_minorversion)
++ memcpy(&close->cl_stateid, &close_stateid,
++ sizeof(close->cl_stateid));
++
+ /* put reference from nfs4_preprocess_seqid_op */
+ nfs4_put_stid(&stp->st_stid);
+ out:
diff --git a/queue-4.4/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch b/queue-4.4/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
new file mode 100644
index 00000000000..7df3e367d01
--- /dev/null
+++ b/queue-4.4/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust
+Date: Fri, 3 Nov 2017 08:00:15 -0400
+Subject: nfsd: Ensure we check stateid validity in the seqid operation checks
+
+From: Trond Myklebust
+
+
+[ Upstream commit 9271d7e509c1bfc0b9a418caec29ec8d1ac38270 ]
+
+After taking the stateid st_mutex, we want to know that the stateid
+still represents valid state before performing any non-idempotent
+actions.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5014,15 +5014,9 @@ static __be32 nfs4_seqid_op_checks(struc
+ status = nfsd4_check_seqid(cstate, sop, seqid);
+ if (status)
+ return status;
+- if (stp->st_stid.sc_type == NFS4_CLOSED_STID
+- || stp->st_stid.sc_type == NFS4_REVOKED_DELEG_STID)
+- /*
+- * "Closed" stateid's exist *only* to return
+- * nfserr_replay_me from the previous step, and
+- * revoked delegations are kept only for free_stateid.
+- */
+- return nfserr_bad_stateid;
+- mutex_lock(&stp->st_mutex);
++ status = nfsd4_lock_ol_stateid(stp);
++ if (status != nfs_ok)
++ return status;
+ status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+ if (status == nfs_ok)
+ status = nfs4_check_fh(current_fh, &stp->st_stid);
diff --git a/queue-4.4/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch b/queue-4.4/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
new file mode 100644
index 00000000000..d054b320a0c
--- /dev/null
+++ b/queue-4.4/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
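Review bot: In `nfs4_seqid_op_checks` the open-coded rejection of `NFS4_CLOSED_STID` and `NFS4_REVOKED_DELEG_STID` is replaced by `nfsd4_lock_ol_stateid(stp)`, whose definition is not part of this patch. For the 4.4 queue, three things need confirming: that the helper already exists in the tree, that it still rejects both stateid types, and that it returns with `st_mutex` released on failure, since the new early `return status` does not unlock. If that is the helper's contract, a comment above the call such as `/* takes st_mutex; fails if the stateid was closed or revoked meanwhile */` would keep it visible at the call site. The function body continues outside the hunk.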
@@ -0,0 +1,83 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: zhangliping +Date: Sat, 25 Nov 2017 22:02:12 +0800 +Subject: openvswitch: fix the incorrect flow action alloc size + +From: zhangliping + + +[ Upstream commit 67c8d22a73128ff910e2287567132530abcf5b71 ] + +If we want to add a datapath flow, which has more than 500 vxlan outputs' +action, we will get the following error reports: + openvswitch: netlink: Flow action size 32832 bytes exceeds max + openvswitch: netlink: Flow action size 32832 bytes exceeds max + openvswitch: netlink: Actions may not be safe on all matching packets + ... ... + +It seems that we can simply enlarge the MAX_ACTIONS_BUFSIZE to fix it, but +this is not the root cause. For example, for a vxlan output action, we need +about 60 bytes for the nlattr, but after it is converted to the flow +action, it only occupies 24 bytes. This means that we can still support +more than 1000 vxlan output actions for a single datapath flow under the +the current 32k max limitation. + +So even if the nla_len(attr) is larger than MAX_ACTIONS_BUFSIZE, we +shouldn't report EINVAL and keep it move on, as the judgement can be +done by the reserve_sfa_size. + +Signed-off-by: zhangliping +Acked-by: Pravin B Shelar +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/flow_netlink.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1672,14 +1672,11 @@ int ovs_nla_put_mask(const struct sw_flo + + #define MAX_ACTIONS_BUFSIZE (32 * 1024) + +-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log) ++static struct sw_flow_actions *nla_alloc_flow_actions(int size) + { + struct sw_flow_actions *sfa; + +- if (size > MAX_ACTIONS_BUFSIZE) { +- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size); +- return ERR_PTR(-EINVAL); +- } ++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); + + sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL); + if (!sfa) +@@ -1752,12 +1749,15 @@ static struct nlattr *reserve_sfa_size(s + new_acts_size = ksize(*sfa) * 2; + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { +- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) ++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { ++ OVS_NLERR(log, "Flow action size exceeds max %u", ++ MAX_ACTIONS_BUFSIZE); + return ERR_PTR(-EMSGSIZE); ++ } + new_acts_size = MAX_ACTIONS_BUFSIZE; + } + +- acts = nla_alloc_flow_actions(new_acts_size, log); ++ acts = nla_alloc_flow_actions(new_acts_size); + if (IS_ERR(acts)) + return (void *)acts; + +@@ -2369,7 +2369,7 @@ int ovs_nla_copy_actions(struct net *net + { + int err; + +- *sfa = nla_alloc_flow_actions(nla_len(attr), log); ++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); + if (IS_ERR(*sfa)) + return PTR_ERR(*sfa); + diff --git a/queue-4.4/quota-check-for-register_shrinker-failure.patch b/queue-4.4/quota-check-for-register_shrinker-failure.patch new file mode 100644 index 00000000000..8cec9a497a9 --- /dev/null +++ b/queue-4.4/quota-check-for-register_shrinker-failure.patch 
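Review bot: `nla_alloc_flow_actions()` no longer enforces `MAX_ACTIONS_BUFSIZE` itself, because `WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE)` only logs and `kmalloc(sizeof(*sfa) + size, GFP_KERNEL)` still runs with the oversized value. Both callers in this patch clamp before calling (`new_acts_size = MAX_ACTIONS_BUFSIZE` in `reserve_sfa_size` and the `min(...)` in `ovs_nla_copy_actions`). The length originates from a netlink attribute, though, so the limit is better kept as a hard check inside the allocator than as a convention on its callers: `if (WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE)) return ERR_PTR(-EINVAL);`. Both visible callers already test `IS_ERR()` on the result, so the error path needs no further change.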
@@ -0,0 +1,38 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Tetsuo Handa
+Date: Wed, 29 Nov 2017 22:34:50 +0900
+Subject: quota: Check for register_shrinker() failure.
+
+From: Tetsuo Handa
+
+
+[ Upstream commit 88bc0ede8d35edc969350852894dc864a2dc1859 ]
+
+register_shrinker() might return -ENOMEM error since Linux 3.12.
+Call panic() as with other failure checks in this function if
+register_shrinker() failed.
+
+Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
+Signed-off-by: Tetsuo Handa
+Cc: Jan Kara
+Cc: Michal Hocko
+Reviewed-by: Michal Hocko
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2919,7 +2919,8 @@ static int __init dquot_init(void)
+ pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld,"
+ " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order));
+
+- register_shrinker(&dqcache_shrinker);
++ if (register_shrinker(&dqcache_shrinker))
++ panic("Cannot register dquot shrinker");
+
+ return 0;
+ }
diff --git a/queue-4.4/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch b/queue-4.4/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
new file mode 100644
index 00000000000..6becb3ffd30
--- /dev/null
+++ b/queue-4.4/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
@@ -0,0 +1,64 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: "Guilherme G. Piccoli" +Date: Fri, 17 Nov 2017 19:14:55 -0200 +Subject: scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path + +From: "Guilherme G. Piccoli" + + +[ Upstream commit e4717292ddebcfe231651b5aff9fa19ca158d178 ] + +As part of the scsi EH path, aacraid performs a reinitialization of the +adapter, which encompass freeing resources and IRQs, NULLifying lots of +pointers, and then initialize it all over again. We've identified a +problem during the free IRQ portion of this path if CONFIG_DEBUG_SHIRQ +is enabled on kernel config file. + +Happens that, in case this flag was set, right after free_irq() +effectively clears the interrupt, it checks if it was requested as +IRQF_SHARED. In positive case, it performs another call to the IRQ +handler on driver. Problem is: since aacraid currently free some +resources *before* freeing the IRQ, once free_irq() path calls the +handler again (due to CONFIG_DEBUG_SHIRQ), aacraid crashes due to NULL +pointer dereference with the following trace: + + aac_src_intr_message+0xf8/0x740 [aacraid] + __free_irq+0x33c/0x4a0 + free_irq+0x78/0xb0 + aac_free_irq+0x13c/0x150 [aacraid] + aac_reset_adapter+0x2e8/0x970 [aacraid] + aac_eh_reset+0x3a8/0x5d0 [aacraid] + scsi_try_host_reset+0x74/0x180 + scsi_eh_ready_devs+0xc70/0x1510 + scsi_error_handler+0x624/0xa20 + +This patch prevents the crash by changing the order of the +deinitialization in this path of aacraid: first we clear the IRQ, then +we free other resources. No functional change intended. + +Signed-off-by: Guilherme G. Piccoli +Reviewed-by: Raghava Aditya Renukunta +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aacraid/commsup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1363,13 +1363,13 @@ static int _aac_reset_adapter(struct aac + * will ensure that i/o is queisced and the card is flushed in that + * case. + */ ++ aac_free_irq(aac); + aac_fib_map_free(aac); + pci_free_consistent(aac->pdev, aac->comm_size, aac->comm_addr, aac->comm_phys); + aac->comm_addr = NULL; + aac->comm_phys = 0; + kfree(aac->queues); + aac->queues = NULL; +- aac_free_irq(aac); + kfree(aac->fsa_dev); + aac->fsa_dev = NULL; + quirks = aac_get_driver_ident(index)->quirks; diff --git a/queue-4.4/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch b/queue-4.4/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch new file mode 100644 index 00000000000..ff98483c0d9 --- /dev/null +++ b/queue-4.4/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch 
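Review bot: The new position of `aac_free_irq(aac)` in `_aac_reset_adapter` is load-bearing, but nothing in the code says so. Per the commit message, free_irq() can invoke the handler once more under CONFIG_DEBUG_SHIRQ, and the handler dereferences the buffers that the following lines release and set to NULL. A short comment above the call, e.g. `/* Free the IRQ first: the handler may still run from free_irq() and uses the resources released below */`, would stop a later cleanup from moving the call back and reintroducing the NULL dereference. The function starts and ends outside the hunk.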
@@ -0,0 +1,48 @@ +From foo@baz Thu Feb 1 14:14:46 CET 2018 +From: "Gustavo A. R. Silva" +Date: Mon, 20 Nov 2017 08:12:29 -0600 +Subject: scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg + +From: "Gustavo A. R. Silva" + + +[ Upstream commit 727535903bea924c4f73abb202c4b3e85fff0ca4 ] + +_vreg_ is being dereferenced before it is null checked, hence there is a +potential null pointer dereference. + +Fix this by moving the pointer dereference after _vreg_ has been null +checked. + +This issue was detected with the help of Coccinelle. + +Fixes: aa4976130934 ("ufs: Add regulator enable support") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Subhash Jadavani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4392,12 +4392,15 @@ static int ufshcd_config_vreg(struct dev + struct ufs_vreg *vreg, bool on) + { + int ret = 0; +- struct regulator *reg = vreg->reg; +- const char *name = vreg->name; ++ struct regulator *reg; ++ const char *name; + int min_uV, uA_load; + + BUG_ON(!vreg); + ++ reg = vreg->reg; ++ name = vreg->name; ++ + if (regulator_count_voltages(reg) > 0) { + min_uV = on ? vreg->min_uV : 0; + ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); diff --git a/queue-4.4/series b/queue-4.4/series index cb087b36e8d..01c13ff8695 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -18,3 +18,37 @@ gpio-iop-add-missing-module_description-author-license.patch
 gpio-ath79-add-missing-module_description-license.patch
 mtd-nand-denali_pci-add-missing-module_description-author-license.patch
 igb-free-irqs-when-device-is-hotplugged.patch
+kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
+kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
+kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
+kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch
+kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
+kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch
+acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch
+cpufreq-add-loongson-machine-dependencies.patch
+bcache-check-return-value-of-register_shrinker.patch
+drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
+drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
+drm-amdkfd-fix-sdma-oversubsription-handling.patch
+openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
+mac80211-fix-the-update-of-path-metric-for-rann-frame.patch
+btrfs-fix-deadlock-when-writing-out-space-cache.patch
+kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
+xen-netfront-remove-warning-when-unloading-module.patch
+nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
+nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
+grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
+nfsd-check-for-use-of-the-closed-special-stateid.patch
+lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch
+hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
+net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
+quota-check-for-register_shrinker-failure.patch
+sunrpc-allow-connect-to-return-ehostunreach.patch
+kmemleak-add-scheduling-point-to-kmemleak_scan.patch
+drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
+xfs-ubsan-fixes.patch
+scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
+scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
+media-usbtv-add-a-new-usbid.patch
+usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
+staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
diff --git a/queue-4.4/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch b/queue-4.4/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
new file mode 100644
index 00000000000..89fa2911d0a
--- /dev/null
+++ b/queue-4.4/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Larry Finger
+Date: Sat, 25 Nov 2017 13:32:38 -0600
+Subject: staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
+
+From: Larry Finger
+
+
+[ Upstream commit b77992d2df9e47144354d1b25328b180afa33442 ]
+
+When not associated with an AP, wifi device drivers should respond to the
+SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the
+behavior expected by dhcpcd.
+
+Currently, this driver returns an error code (-1) from the ioctl call,
+which causes dhcpcd to assume that the device is not a wireless interface
+and therefore it fails to work correctly with it thereafter.
+
+This problem was reported and tested at
+https://github.com/lwfinger/rtl8188eu/issues/234.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1399,19 +1399,13 @@ static int rtw_wx_get_essid(struct net_d
+ if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
+ (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
+ len = pcur_bss->Ssid.SsidLength;
+-
+- wrqu->essid.length = len;
+-
+ memcpy(extra, pcur_bss->Ssid.Ssid, len);
+-
+- wrqu->essid.flags = 1;
+ } else {
+- ret = -1;
+- goto exit;
++ len = 0;
++ *extra = 0;
+ }
+-
+-exit:
+-
++ wrqu->essid.length = len;
++ wrqu->essid.flags = 1;
+
+ return ret;
+ }
diff --git a/queue-4.4/sunrpc-allow-connect-to-return-ehostunreach.patch b/queue-4.4/sunrpc-allow-connect-to-return-ehostunreach.patch
new file mode 100644
index 00000000000..f41132e0553
--- /dev/null
+++ b/queue-4.4/sunrpc-allow-connect-to-return-ehostunreach.patch
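Review bot: The `memcpy(extra, pcur_bss->Ssid.Ssid, len)` kept in the linked branch of `rtw_wx_get_essid()` copies `pcur_bss->Ssid.SsidLength` bytes with no upper bound visible in the hunk. If that length originates from a received frame and is not clamped elsewhere (not shown here), an oversized value would read past `Ssid.Ssid` and write past the buffer behind `extra`. Clamping before the copy keeps the copied bytes and the reported `wrqu->essid.length` within the wireless-extensions limit: `len = min_t(u32, pcur_bss->Ssid.SsidLength, IW_ESSID_MAX_SIZE);`. The function starts above the hunk, so the declared type of `len` should be checked against that cast.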
@@ -0,0 +1,30 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Trond Myklebust
+Date: Fri, 24 Nov 2017 12:00:24 -0500
+Subject: SUNRPC: Allow connect to return EHOSTUNREACH
+
+From: Trond Myklebust
+
+
+[ Upstream commit 4ba161a793d5f43757c35feff258d9f20a082940 ]
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Trond Myklebust
+Tested-by: Dmitry Vyukov
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/xprtsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2360,6 +2360,7 @@ static void xs_tcp_setup_socket(struct w
+ case -ECONNREFUSED:
+ case -ECONNRESET:
+ case -ENETUNREACH:
++ case -EHOSTUNREACH:
+ case -EADDRINUSE:
+ case -ENOBUFS:
+ /* retry with existing socket, after a delay */
diff --git a/queue-4.4/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch b/queue-4.4/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
new file mode 100644
index 00000000000..9e5ad25096a
--- /dev/null
+++ b/queue-4.4/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Colin Ian King
+Date: Tue, 14 Nov 2017 16:18:28 +0000
+Subject: usb: gadget: don't dereference g until after it has been null checked
+
+From: Colin Ian King
+
+
+[ Upstream commit b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec ]
+
+Avoid dereferencing pointer g until after g has been sanity null checked;
+move the assignment of cdev much later when it is required into a more
+local scope.
+
+Detected by CoverityScan, CID#1222135 ("Dereference before null check")
+
+Fixes: b785ea7ce662 ("usb: gadget: composite: fix ep->maxburst initialization")
+Signed-off-by: Colin Ian King
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -104,7 +104,6 @@ int config_ep_by_speed(struct usb_gadget
+ struct usb_function *f,
+ struct usb_ep *_ep)
+ {
+- struct usb_composite_dev *cdev = get_gadget_data(g);
+ struct usb_endpoint_descriptor *chosen_desc = NULL;
+ struct usb_descriptor_header **speed_desc = NULL;
+
+@@ -176,8 +175,12 @@ ep_found:
+ _ep->maxburst = comp_desc->bMaxBurst + 1;
+ break;
+ default:
+- if (comp_desc->bMaxBurst != 0)
++ if (comp_desc->bMaxBurst != 0) {
++ struct usb_composite_dev *cdev;
++
++ cdev = get_gadget_data(g);
+ ERROR(cdev, "ep0 bMaxBurst must be 0\n");
++ }
+ _ep->maxburst = 1;
+ break;
+ }
diff --git a/queue-4.4/xen-netfront-remove-warning-when-unloading-module.patch b/queue-4.4/xen-netfront-remove-warning-when-unloading-module.patch
new file mode 100644
index 00000000000..ce88c462c20
--- /dev/null
+++ b/queue-4.4/xen-netfront-remove-warning-when-unloading-module.patch
@@ -0,0 +1,87 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: Eduardo Otubo
+Date: Thu, 23 Nov 2017 15:18:35 +0100
+Subject: xen-netfront: remove warning when unloading module
+
+From: Eduardo Otubo
+
+
+[ Upstream commit 5b5971df3bc2775107ddad164018a8a8db633b81 ]
+
+v2:
+ * Replace busy wait with wait_event()/wake_up_all()
+ * Cannot garantee that at the time xennet_remove is called, the
+ xen_netback state will not be XenbusStateClosed, so added a
+ condition for that
+ * There's a small chance for the xen_netback state is
+ XenbusStateUnknown by the time the xen_netfront switches to Closed,
+ so added a condition for that.
+
+When unloading module xen_netfront from guest, dmesg would output
+warning messages like below:
+
+ [ 105.236836] xen:grant_table: WARNING: g.e. 0x903 still in use!
+ [ 105.236839] deferring g.e. 0x903 (pfn 0x35805)
+
+This problem relies on netfront and netback being out of sync. By the time
+netfront revokes the g.e.'s netback didn't have enough time to free all of
+them, hence displaying the warnings on dmesg.
+
+The trick here is to make netfront to wait until netback frees all the g.e.'s
+and only then continue to cleanup for the module removal, and this is done by
+manipulating both device states.
+
+Signed-off-by: Eduardo Otubo
+Acked-by: Juergen Gross
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netfront.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -86,6 +86,8 @@ struct netfront_cb {
+ /* IRQ name is queue name with "-tx" or "-rx" appended */
+ #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+
++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
++
+ struct netfront_stats {
+ u64 packets;
+ u64 bytes;
+@@ -2037,10 +2039,12 @@ static void netback_changed(struct xenbu
+ break;
+
+ case XenbusStateClosed:
++ wake_up_all(&module_unload_q);
+ if (dev->state == XenbusStateClosed)
+ break;
+ /* Missed the backend's CLOSING state -- fallthrough */
+ case XenbusStateClosing:
++ wake_up_all(&module_unload_q);
+ xenbus_frontend_closed(dev);
+ break;
+ }
+@@ -2146,6 +2150,20 @@ static int xennet_remove(struct xenbus_d
+
+ dev_dbg(&dev->dev, "%s\n", dev->nodename);
+
++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++ xenbus_switch_state(dev, XenbusStateClosing);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosing);
++
++ xenbus_switch_state(dev, XenbusStateClosed);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown);
++ }
++
+ xennet_disconnect_backend(info);
+
+ unregister_netdev(info->netdev);
diff --git a/queue-4.4/xfs-ubsan-fixes.patch b/queue-4.4/xfs-ubsan-fixes.patch
new file mode 100644
index 00000000000..02e11fd7e4d
--- /dev/null
+++ b/queue-4.4/xfs-ubsan-fixes.patch
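Review bot: Both `wait_event()` calls added to `xennet_remove()` sleep uninterruptibly with no timeout, and the first one is satisfied only when the backend reports exactly `XenbusStateClosing`. A backend that has already gone away, or that moves straight to `XenbusStateClosed` or `XenbusStateUnknown` after the initial state read, leaves the unload blocked indefinitely; the backend lives in another domain, so the frontend should not depend on it cooperating. The first wait should accept the same terminal states as the second one (`XenbusStateClosed` and `XenbusStateUnknown` in addition to `XenbusStateClosing`), and `wait_event_timeout()` would put a bound on both. `xennet_remove()` starts above the hunk, so any earlier state handling is not visible here.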
@@ -0,0 +1,49 @@
+From foo@baz Thu Feb 1 14:14:46 CET 2018
+From: "Darrick J. Wong"
+Date: Mon, 27 Nov 2017 09:50:17 -0800
+Subject: xfs: ubsan fixes
+
+From: "Darrick J. Wong"
+
+
+[ Upstream commit 22a6c83777ac7c17d6c63891beeeac24cf5da450 ]
+
+Fix some complaints from the UBSAN about signed integer addition overflows.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Brian Foster
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_aops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -310,7 +310,7 @@ xfs_map_blocks(
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
+- if (offset + count > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+@@ -1360,7 +1360,7 @@ xfs_map_trim_size(
+ if (mapping_size > size)
+ mapping_size = size;
+ if (offset < i_size_read(inode) &&
+- offset + mapping_size >= i_size_read(inode)) {
++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
+ /* limit mapping to block that spans EOF */
+ mapping_size = roundup_64(i_size_read(inode) - offset,
+ i_blocksize(inode));
+@@ -1416,7 +1416,7 @@ __xfs_get_blocks(
+ }
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if (offset + size > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
+ size = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);