From: Greg Kroah-Hartman Date: Mon, 27 Nov 2017 16:03:34 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.85~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a78501929320469c7a92eee09e78a1c5e44abbf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: 9p-fix-missing-commas-in-mount-options.patch alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch alsa-hda-realtek-fix-alc275-no-sound-issue.patch alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch alsa-usb-audio-add-sanity-checks-to-fe-parser.patch alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch asoc-sun8i-codec-invert-master-slave-condition.patch asoc-sun8i-codec-set-the-bclk-divider.patch ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch autofs-don-t-fail-mount-for-transient-error.patch bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch dm-discard-support-requires-all-targets-in-a-table-support-discards.patch dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch ext4-prevent-data-corruption-with-inline-data-dax.patch ext4-prevent-data-corruption-with-journaling-dax.patch 
f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch fanotify-fix-fsnotify_prepare_user_wait-failure.patch fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch fs-9p-compare-qid.path-in-v9fs_test_inode.patch fs-guard_bio_eod-needs-to-consider-partitions.patch fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch fsnotify-pin-both-inode-and-vfsmount-mark.patch genirq-track-whether-the-trigger-type-has-been-set.patch irqchip-gic-v3-fix-ppi-partitions-lookup.patch iscsi-target-fix-non-immediate-tmr-reference-leak.patch iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch isofs-fix-timestamps-beyond-2027.patch iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch lockd-double-unregister-of-inetaddr-notifiers.patch mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch md-bitmap-revert-a-patch.patch md-don-t-check-md_sb_change_clean-in-md_allow_write.patch md-fix-deadlock-error-in-recent-patch.patch mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch mips-fix-an-n32-core-file-generation-regset-support-regression.patch mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch mips-fix-odd-fp-register-warnings-with-mips64r2.patch mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch mtd-nand-atmel-actually-use-the-pm-ops.patch mtd-nand-export-nand_reset-symbol.patch mtd-nand-fix-writing-mtdoops-to-nand-flash.patch mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch mtd-nand-omap2-fix-subpage-write.patch 
net-9p-switch-to-wait_event_killable.patch nfs-avoid-rcu-usage-in-tracepoints.patch nfs-fix-typo-in-nomigration-mount-option.patch nfs-fix-ugly-referral-attributes.patch nfs-revalidate-.-etc-correctly-on-open.patch nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch nfsd-deal-with-revoked-delegations-appropriately.patch nilfs2-fix-race-condition-that-causes-file-system-corruption.patch p54-don-t-unregister-leds-when-they-are-not-initialized.patch raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch target-fix-caw_sem-leak-in-transport_generic_request_failure.patch target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch target-fix-queue_full-scsi-task-attribute-handling.patch target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch --- diff --git a/queue-4.14/9p-fix-missing-commas-in-mount-options.patch b/queue-4.14/9p-fix-missing-commas-in-mount-options.patch new file mode 100644 index 00000000000..d4eca39077f --- /dev/null +++ b/queue-4.14/9p-fix-missing-commas-in-mount-options.patch 
@@ -0,0 +1,56 @@
+From 61b272c3aa170b3e461b8df636407b29f35f98eb Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen
+Date: Sun, 19 Nov 2017 11:28:43 +0200
+Subject: 9p: Fix missing commas in mount options
+
+From: Tuomas Tynkkynen
+
+commit 61b272c3aa170b3e461b8df636407b29f35f98eb upstream.
+
+Since commit c4fac9100456 ("9p: Implement show_options"), the mount
+options of 9p filesystems are printed out with some missing commas
+between the individual options:
+
+p9-scratch on /mnt/scratch type 9p (rw,dirsync,loose,access=clienttrans=virtio)
+
+Add them back.
+
+Fixes: c4fac9100456 ("9p: Implement show_options")
+Signed-off-by: Tuomas Tynkkynen
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/client.c | 2 +-
+ net/9p/trans_fd.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -82,7 +82,7 @@ int p9_show_client_options(struct seq_fi
+ {
+ if (clnt->msize != 8192)
+ seq_printf(m, ",msize=%u", clnt->msize);
+- seq_printf(m, "trans=%s", clnt->trans_mod->name);
++ seq_printf(m, ",trans=%s", clnt->trans_mod->name);
+
+ switch (clnt->proto_version) {
+ case p9_proto_legacy:
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -724,12 +724,12 @@ static int p9_fd_show_options(struct seq
+ {
+ if (clnt->trans_mod == &p9_tcp_trans) {
+ if (clnt->trans_opts.tcp.port != P9_PORT)
+- seq_printf(m, "port=%u", clnt->trans_opts.tcp.port);
++ seq_printf(m, ",port=%u", clnt->trans_opts.tcp.port);
+ } else if (clnt->trans_mod == &p9_fd_trans) {
+ if (clnt->trans_opts.fd.rfd != ~0)
+- seq_printf(m, "rfd=%u", clnt->trans_opts.fd.rfd);
++ seq_printf(m, ",rfd=%u", clnt->trans_opts.fd.rfd);
+ if (clnt->trans_opts.fd.wfd != ~0)
+- seq_printf(m, "wfd=%u", clnt->trans_opts.fd.wfd);
++ seq_printf(m, ",wfd=%u", clnt->trans_opts.fd.wfd);
+ }
+ return 0;
+ }
diff --git a/queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch b/queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch new file mode 100644 index 00000000000..4068516759e --- /dev/null +++ b/queue-4.14/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch 
@@ -0,0 +1,47 @@
+From c2432466f583cb719b35a41e757da587d9ab1d00 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 17 Nov 2017 12:08:40 +0100
+Subject: ALSA: hda: Fix too short HDMI/DP chmap reporting
+
+From: Takashi Iwai
+
+commit c2432466f583cb719b35a41e757da587d9ab1d00 upstream.
+
+We got a regression report about the HD-audio HDMI chmap, where some
+surround channels are reported as UNKNOWN. The git bisection pointed
+the culprit at the commit 9b3dc8aa3fb1 ("ALSA: hda - Register chmap
+obj as priv data instead of codec"). The story behind scene is like
+this:
+
+- While moving the code out of the legacy HDA to the HDA common place,
+ the patch modifies the code to obtain the chmap array indirectly in
+ a byte array, and it expands it to kctl value array.
+- At the latter operation, the size of the array is wrongly passed by
+ sizeof() to the pointer.
+- It can be 4 on 32bit arch, thus too short for 6+ channels.
+ (And that's the reason why it didn't hit other persons; it's 8 on
+ 64bit arch, thus it's usually enough.)
+
+The code was further changed meanwhile, but the problem persisted.
+Let's fix it by correctly evaluating the array size.
+
+Fixes: 9b3dc8aa3fb1 ("ALSA: hda - Register chmap obj as priv data instead of codec")
+Reported-by: VDR User
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/hda/hdmi_chmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -746,7 +746,7 @@ static int hdmi_chmap_ctl_get(struct snd
+ memset(pcm_chmap, 0, sizeof(pcm_chmap));
+ chmap->ops.get_chmap(chmap->hdac, pcm_idx, pcm_chmap);
+
+- for (i = 0; i < sizeof(chmap); i++)
++ for (i = 0; i < ARRAY_SIZE(pcm_chmap); i++)
+ ucontrol->value.integer.value[i] = pcm_chmap[i];
+
+ return 0;
diff --git a/queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch b/queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch new file mode 100644 index 00000000000..e5b789faecb --- /dev/null +++ b/queue-4.14/alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch 
@@ -0,0 +1,101 @@ +From d6c0615f510bc1ee26cfb2b9a3343ac99b9c46fb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 22 Nov 2017 12:34:56 +0100 +Subject: ALSA: hda - Fix yet remaining issue with vmaster 0dB initialization + +From: Takashi Iwai + +commit d6c0615f510bc1ee26cfb2b9a3343ac99b9c46fb upstream. + +The previous fix for addressing the breakage in vmaster slave +initialization, commit a91d66129fb9 ("ALSA: hda - Fix incorrect TLV +callback check introduced during set_fs() removal"), introduced a new +helper to process over each slave kctl. However, this helper passes +only the original kctl, not the virtual slave kctl. As a result, +HD-audio driver (which is the only user so far) couldn't initialize +the slave correctly because it's trying to update the value directly +with the original kctl, not with the mapped kctl. + +This patch fixes the situation again by passing both the mapped slaved +and original slave kctls to the function. Luckily there is a single +caller as of now, so changing the call signature is no big matter. 
+ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197959 +Fixes: a91d66129fb9 ("ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/control.h | 4 +++- + sound/core/vmaster.c | 6 ++++-- + sound/pci/hda/hda_codec.c | 10 +++++++--- + 3 files changed, 14 insertions(+), 6 deletions(-) + +--- a/include/sound/control.h ++++ b/include/sound/control.h +@@ -249,7 +249,9 @@ int snd_ctl_add_vmaster_hook(struct snd_ + void snd_ctl_sync_vmaster(struct snd_kcontrol *kctl, bool hook_only); + #define snd_ctl_sync_vmaster_hook(kctl) snd_ctl_sync_vmaster(kctl, true) + int snd_ctl_apply_vmaster_slaves(struct snd_kcontrol *kctl, +- int (*func)(struct snd_kcontrol *, void *), ++ int (*func)(struct snd_kcontrol *vslave, ++ struct snd_kcontrol *slave, ++ void *arg), + void *arg); + + /* +--- a/sound/core/vmaster.c ++++ b/sound/core/vmaster.c +@@ -495,7 +495,9 @@ EXPORT_SYMBOL_GPL(snd_ctl_sync_vmaster); + * Returns 0 if successful, or a negative error code. 
+ */ + int snd_ctl_apply_vmaster_slaves(struct snd_kcontrol *kctl, +- int (*func)(struct snd_kcontrol *, void *), ++ int (*func)(struct snd_kcontrol *vslave, ++ struct snd_kcontrol *slave, ++ void *arg), + void *arg) + { + struct link_master *master; +@@ -507,7 +509,7 @@ int snd_ctl_apply_vmaster_slaves(struct + if (err < 0) + return err; + list_for_each_entry(slave, &master->slaves, list) { +- err = func(&slave->slave, arg); ++ err = func(slave->kctl, &slave->slave, arg); + if (err < 0) + return err; + } +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1823,7 +1823,9 @@ struct slave_init_arg { + }; + + /* initialize the slave volume with 0dB via snd_ctl_apply_vmaster_slaves() */ +-static int init_slave_0dB(struct snd_kcontrol *kctl, void *_arg) ++static int init_slave_0dB(struct snd_kcontrol *slave, ++ struct snd_kcontrol *kctl, ++ void *_arg) + { + struct slave_init_arg *arg = _arg; + int _tlv[4]; +@@ -1860,7 +1862,7 @@ static int init_slave_0dB(struct snd_kco + arg->step = step; + val = -tlv[2] / step; + if (val > 0) { +- put_kctl_with_value(kctl, val); ++ put_kctl_with_value(slave, val); + return val; + } + +@@ -1868,7 +1870,9 @@ static int init_slave_0dB(struct snd_kco + } + + /* unmute the slave via snd_ctl_apply_vmaster_slaves() */ +-static int init_slave_unmute(struct snd_kcontrol *slave, void *_arg) ++static int init_slave_unmute(struct snd_kcontrol *slave, ++ struct snd_kcontrol *kctl, ++ void *_arg) + { + return put_kctl_with_value(slave, 1); + } diff --git a/queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch b/queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch new file mode 100644 index 00000000000..30140edb578 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-fix-alc275-no-sound-issue.patch 
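Review bot: The parameter names disagree between the new prototype and the callbacks that implement it. In control.h and vmaster.c the `func` signature names its first argument `vslave` and its second `slave`, while `init_slave_0dB()` and `init_slave_unmute()` in hda_codec.c name the first `slave` and the second `kctl`, so `slave` refers to a different control depending on which file is being read, which is the same mix-up this patch sets out to fix. I would rename the callback parameters to match the prototype, e.g. `static int init_slave_0dB(struct snd_kcontrol *vslave, struct snd_kcontrol *slave, void *_arg)`, following the rename through the bodies, and extend the kernel-doc above `snd_ctl_apply_vmaster_slaves()` to state which of the two a callback must write through. Both callback bodies continue outside the hunks shown.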
@@ -0,0 +1,36 @@
+From 3aabf94c2d95fe465d5fa8590113d1c1f7d8333d Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Wed, 8 Nov 2017 15:28:33 +0800
+Subject: ALSA: hda/realtek - Fix ALC275 no sound issue
+
+From: Kailang Yang
+
+commit 3aabf94c2d95fe465d5fa8590113d1c1f7d8333d upstream.
+
+Sound works after a cold boot but not after a reboot from windows.
+This patch will solve this issue. This is relation with Class-D power control.
+
+[ The bug was reported in Bugzilla below for Sony VAIO SVS13A1C5E
+ -- tiwai]
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197737
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -341,6 +341,9 @@ static void alc_fill_eapd_coef(struct hd
+ case 0x10ec0299:
+ alc_update_coef_idx(codec, 0x10, 1<<9, 0);
+ break;
++ case 0x10ec0275:
++ alc_update_coef_idx(codec, 0xe, 0, 1<<0);
++ break;
+ case 0x10ec0293:
+ alc_update_coef_idx(codec, 0xa, 1<<13, 0);
+ break;
diff --git a/queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch b/queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
new file mode 100644
index 00000000000..a16f02d281d
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
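Review bot: The new `case 0x10ec0275:` writes coefficient `0xe` with `0, 1<<0` and carries no comment, so the code does not say which hardware function the bit controls or why this codec needs it. The commit message ties it to Class-D power control; I would put that next to the call, e.g. `alc_update_coef_idx(codec, 0xe, 0, 1<<0); /* Class-D power control */`. The neighbouring cases all pass a mask and zero, whereas this one passes zero and a bit, so a word on that difference would also help the next reader, especially since the ALC700 fix queued alongside this patch corrects exactly such a swapped pair. alc_fill_eapd_coef() starts before the hunk and continues after it.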
@@ -0,0 +1,32 @@
+From 2d7fe6185722b0817bb345f62ab06b76a7b26542 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Wed, 22 Nov 2017 15:21:32 +0800
+Subject: ALSA: hda/realtek - Fix ALC700 family no sound issue
+
+From: Kailang Yang
+
+commit 2d7fe6185722b0817bb345f62ab06b76a7b26542 upstream.
+
+It maybe the typo for ALC700 support patch.
+To fix the bit value on this patch.
+
+Fixes: 6fbae35a3170 ("ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703")
+Signed-off-by: Kailang Yang
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6866,7 +6866,7 @@ static int patch_alc269(struct hda_codec
+ case 0x10ec0703:
+ spec->codec_variant = ALC269_TYPE_ALC700;
+ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+- alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
++ alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+ break;
+
+ }
diff --git a/queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch b/queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
new file mode 100644
index 00000000000..f47a92430e2
--- /dev/null
+++ b/queue-4.14/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
@@ -0,0 +1,58 @@ +From 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 Mon Sep 17 00:00:00 2001 +From: Henrik Eriksson +Date: Tue, 21 Nov 2017 09:29:28 +0100 +Subject: ALSA: pcm: update tstamp only if audio_tstamp changed + +From: Henrik Eriksson + +commit 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 upstream. + +commit 3179f6200188 ("ALSA: core: add .get_time_info") had a side effect +of changing the behaviour of the PCM runtime tstamp. Prior to this +change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the +hw_ptr had moved, after this change tstamp was always updated. + +For an application using alsa-lib, doing snd_pcm_readi() followed by +snd_pcm_status() to estimate the age of the read samples by subtracting +status->avail * [sample rate] from status->tstamp this change degraded +the accuracy of the estimate on devices where the pcm hw does not +provide a granular hw_ptr, e.g., devices using +soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity +DMA_RESIDUE_GRANULARITY_DESCRIPTOR. The accuracy of the estimate +depended on the latency between the PCM hw completing a period and the +driver called snd_pcm_period_elapsed() to notify ALSA core, typically +determined by interrupt handling latency. After the change the accuracy +of the estimate depended on the latency between the PCM hw completing a +period and the application calling snd_pcm_status(), determined by the +scheduling of the application process. The maximum error of the +estimate is one period length in both cases, but the error average and +variance is smaller when it depends on interrupt latency. + +Instead of always updating tstamp, update it only if audio_tstamp +changed. 
+ +Fixes: 3179f6200188 ("ALSA: core: add .get_time_info") +Suggested-by: Pierre-Louis Bossart +Signed-off-by: Henrik Eriksson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -248,8 +248,10 @@ static void update_audio_tstamp(struct s + runtime->rate); + *audio_tstamp = ns_to_timespec(audio_nsecs); + } +- runtime->status->audio_tstamp = *audio_tstamp; +- runtime->status->tstamp = *curr_tstamp; ++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) { ++ runtime->status->audio_tstamp = *audio_tstamp; ++ runtime->status->tstamp = *curr_tstamp; ++ } + + /* + * re-take a driver timestamp to let apps detect if the reference tstamp diff --git a/queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch b/queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch new file mode 100644 index 00000000000..fd93946dfdf --- /dev/null +++ b/queue-4.14/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch 
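Review bot: The new `if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp))` in update_audio_tstamp() has no comment, and the reason `tstamp` is deliberately left stale when `audio_tstamp` has not moved cannot be recovered from the code alone. I would add above the condition `/* update tstamp only when audio_tstamp changed, so tstamp keeps marking the last hw_ptr progress */`, which is what the commit message describes. Without it the guard looks like an optimisation that a later cleanup could remove, which would bring back the timestamp behaviour this patch corrects. The function starts before the hunk and continues after it.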
@@ -0,0 +1,54 @@ +From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 16:36:11 +0100 +Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths + +From: Takashi Iwai + +commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream. + +Some timer compat ioctls have NULL checks of timer instance with +snd_BUG_ON() that bring up WARN_ON() when the debug option is set. +Actually the condition can be met in the normal situation and it's +confusing and bad to spew kernel warnings with stack trace there. +Let's remove snd_BUG_ON() invocation and replace with the simple +checks. Also, correct the error code to EBADFD to follow the native +ioctl error handling. + +Reported-by: syzbot +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer_compat.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/core/timer_compat.c ++++ b/sound/core/timer_compat.c +@@ -66,11 +66,11 @@ static int snd_timer_user_info_compat(st + struct snd_timer *t; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + t = tu->timeri->timer; +- if (snd_BUG_ON(!t)) +- return -ENXIO; ++ if (!t) ++ return -EBADFD; + memset(&info, 0, sizeof(info)); + info.card = t->card ? t->card->number : -1; + if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) +@@ -99,8 +99,8 @@ static int snd_timer_user_status_compat( + struct snd_timer_status32 status; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + memset(&status, 0, sizeof(status)); + status.tstamp.tv_sec = tu->tstamp.tv_sec; + status.tstamp.tv_nsec = tu->tstamp.tv_nsec; diff --git a/queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch b/queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch new file mode 100644 index 00000000000..52b88972f48 --- /dev/null 
+++ b/queue-4.14/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch @@ -0,0 +1,57 @@ +From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:28:06 +0100 +Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers + +From: Takashi Iwai + +commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream. + +The helper functions to parse and look for the clock source, selector +and multiplier unit may return the descriptor with a too short length +than required, while there is no sanity check in the caller side. +Add some sanity checks in the parsers, at least, to guarantee the +given descriptor size, for avoiding the potential crashes. + +Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices") +Reported-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/clock.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SOURCE))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + +@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_SELECTOR))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { ++ if (cs->bLength < 5 + cs->bNrInPins) ++ return NULL; + return cs; ++ } + } + + return NULL; +@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr + while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, + ctrl_iface->extralen, + cs, UAC2_CLOCK_MULTIPLIER))) { +- if (cs->bClockID == clock_id) ++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) + return cs; + } + 
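Review bot: The clock-selector check `if (cs->bLength < 5 + cs->bNrInPins)` bounds only the source-ID array that follows the five header bytes. In the UAC2 selector layout, as far as I know, two further one-byte fields (bmControls and iClockSelector) come after that array, so if any caller reads them the minimum would need to be `7 + cs->bNrInPins`; the struct definition is not in this hunk, so this needs confirming. The literal 5 also sits beside `sizeof(*cs)` in the same condition, and the selector-unit hunk in sound/usb/mixer.c queued alongside (`desc->bLength < 5 + desc->bNrInPins`) repeats it; a named constant or a short comment saying what the 5 counts would keep the two checks in step. All three lookup functions start outside their hunks.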
diff --git a/queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch b/queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
new file mode 100644
index 00000000000..4eb4ae257a2
--- /dev/null
+++ b/queue-4.14/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
@@ -0,0 +1,51 @@
+From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 21 Nov 2017 16:55:51 +0100
+Subject: ALSA: usb-audio: Add sanity checks to FE parser
+
+From: Takashi Iwai
+
+commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
+
+When the usb-audio descriptor contains the malformed feature unit
+description with a too short length, the driver may access
+out-of-bounds. Add a sanity check of the header size at the beginning
+of parse_audio_feature_unit().
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1469,6 +1469,12 @@ static int parse_audio_feature_unit(stru
+ __u8 *bmaControls;
+
+ if (state->mixer->protocol == UAC_VERSION_1) {
++ if (hdr->bLength < 7) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = hdr->bControlSize;
+ if (!csize) {
+ usb_audio_dbg(state->chip,
+@@ -1486,6 +1492,12 @@ static int parse_audio_feature_unit(stru
+ }
+ } else {
+ struct uac2_feature_unit_descriptor *ftr = _ftr;
++ if (hdr->bLength < 6) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = 4;
+ channels = (hdr->bLength - 6) / 4 - 1;
+ bmaControls = ftr->bmaControls;
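Review bot: The UAC2 branch still lets `channels` go negative, because `if (hdr->bLength < 6)` accepts lengths 6 to 9 and `channels = (hdr->bLength - 6) / 4 - 1` then evaluates to -1 with no complete `bmaControls` entry inside the descriptor. Whether later code reads the master entry at `bmaControls[0]` is not visible in this hunk, but the minimum that matches the arithmetic is one full 4-byte entry, i.e. `if (hdr->bLength < 6 + 4) {`. The two new error messages are also identical in the UAC1 and UAC2 branches; including the protocol version or the offending `bLength` would let a log reader tell which check fired. parse_audio_feature_unit() starts before the first hunk and continues past the second.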
diff --git a/queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch b/queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch new file mode 100644 index 00000000000..d0c771e7708 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch @@ -0,0 +1,34 @@ +From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:00:32 +0100 +Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU + +From: Takashi Iwai + +commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. + +The usb-audio driver may trigger an out-of-bound access at parsing a +malformed selector unit, as it checks the header length only after +evaluating bNrInPins field, which can be already above the given +length. Fix it by adding the length check beforehand. + +Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2098,7 +2098,8 @@ static int parse_audio_selector_unit(str + const struct usbmix_name_map *map; + char **namelist; + +- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { ++ if (desc->bLength < 5 || !desc->bNrInPins || ++ desc->bLength < 5 + desc->bNrInPins) { + usb_audio_err(state->chip, + "invalid SELECTOR UNIT descriptor %d\n", unitid); + return -EINVAL; diff --git a/queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch b/queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch new file mode 100644 index 00000000000..94b23ca3d5e --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch 
@@ -0,0 +1,39 @@
+From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 21 Nov 2017 17:07:43 +0100
+Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU
+
+From: Takashi Iwai
+
+commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.
+
+parse_audio_feature_unit() contains a code dividing potentially with
+zero when a malformed FU descriptor is passed. Although there is
+already a sanity check, it checks only the value zero, hence it can
+still lead to a zero-division when a value 1 is passed there.
+
+Fix it by correcting the sanity check (and the error message
+thereof).
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1476,9 +1476,9 @@ static int parse_audio_feature_unit(stru
+ return -EINVAL;
+ }
+ csize = hdr->bControlSize;
+- if (!csize) {
++ if (csize <= 1) {
+ usb_audio_dbg(state->chip,
+- "unit %u: invalid bControlSize == 0\n",
++ "unit %u: invalid bControlSize <= 1\n",
+ unitid);
+ return -EINVAL;
+ }
diff --git a/queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch b/queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
new file mode 100644
index 00000000000..e2e0519c1dd
--- /dev/null
+++ b/queue-4.14/asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
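Review bot: Rejecting `csize <= 1` also rejects feature units whose control bitmaps are one byte wide, which the UAC1 descriptor format permits as far as I know, so this looks like a compatibility risk for otherwise well-formed devices. The division that a value of 1 is said to break is not visible in the hunk, so the claim cannot be checked from here. I would rather guard the dividing expression itself, or at least add a comment at the check that names it, e.g. `/* csize == 1 makes <dividing expression> zero below */` with the real expression filled in. The rejection is logged with `usb_audio_dbg()`, while the length checks added to this function by the FE-parser patch queued alongside use `usb_audio_err()`, so a device refused here is likely to fail without a visible message.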
@@ -0,0 +1,36 @@
+From 18c1bf35c1c09bca05cf70bc984a4764e0b0372b Mon Sep 17 00:00:00 2001
+From: Maxime Ripard
+Date: Wed, 8 Nov 2017 16:47:10 +0100
+Subject: ASoC: sun8i-codec: Fix left and right channels inversion
+
+From: Maxime Ripard
+
+commit 18c1bf35c1c09bca05cf70bc984a4764e0b0372b upstream.
+
+Since its introduction, the codec had an inversion of the left and right
+channels. It turned out to be pretty simple as it appears that the codec
+doesn't have the same polarity on the LRCK signal than the I2S block.
+
+Fix this by inverting our bit value for the LRCK inversion.
+
+Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
+Signed-off-by: Maxime Ripard
+Reviewed-by: Chen-Yu Tsai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/sunxi/sun8i-codec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -199,7 +199,7 @@ static int sun8i_set_fmt(struct snd_soc_
+ value << SUN8I_AIF1CLK_CTRL_AIF1_BCLK_INV);
+ regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL,
+ BIT(SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV),
+- value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV);
++ !value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV);
+
+ /* DAI format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
diff --git a/queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch b/queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch
new file mode 100644
index 00000000000..98dd08eba34
--- /dev/null
+++ b/queue-4.14/asoc-sun8i-codec-invert-master-slave-condition.patch
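Review bot: `!value << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV` depends on `!` binding tighter than `<<`; it is correct, but at a glance it reads like the negation of the shifted value. I would write `(!value) << SUN8I_AIF1CLK_CTRL_AIF1_LRCK_INV` and add a one-line comment that the codec's LRCK polarity is the opposite of the I2S block's, as the commit message explains. The BCLK write just above uses `value` un-negated, so without the comment the asymmetry looks like a typo waiting to be "fixed". sun8i_set_fmt() starts before the hunk and continues after it.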
@@ -0,0 +1,42 @@
+From 560bfe774f058e97596f30ff71cffdac52b72914 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard
+Date: Wed, 8 Nov 2017 16:47:08 +0100
+Subject: ASoC: sun8i-codec: Invert Master / Slave condition
+
+From: Maxime Ripard
+
+commit 560bfe774f058e97596f30ff71cffdac52b72914 upstream.
+
+The current code had the condition backward when checking if the codec
+should be running in slave or master mode.
+
+Fix it, and make the comment a bit more readable.
+
+Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
+Signed-off-by: Maxime Ripard
+Reviewed-by: Chen-Yu Tsai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/sunxi/sun8i-codec.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sunxi/sun8i-codec.c
++++ b/sound/soc/sunxi/sun8i-codec.c
+@@ -170,11 +170,11 @@ static int sun8i_set_fmt(struct snd_soc_
+
+ /* clock masters */
+ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+- case SND_SOC_DAIFMT_CBS_CFS: /* DAI Slave */
+- value = 0x0; /* Codec Master */
++ case SND_SOC_DAIFMT_CBS_CFS: /* Codec slave, DAI master */
++ value = 0x1;
+ break;
+- case SND_SOC_DAIFMT_CBM_CFM: /* DAI Master */
+- value = 0x1; /* Codec Slave */
++ case SND_SOC_DAIFMT_CBM_CFM: /* Codec Master, DAI slave */
++ value = 0x0;
+ break;
+ default:
+ return -EINVAL;
diff --git a/queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch b/queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch
new file mode 100644
index 00000000000..bf785a6273e
--- /dev/null
+++ b/queue-4.14/asoc-sun8i-codec-set-the-bclk-divider.patch
@@ -0,0 +1,109 @@ +From 316b7758c998fb13371d14bb6c9e45ab129c19a7 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Thu, 9 Nov 2017 10:39:24 +0100 +Subject: ASoC: sun8i-codec: Set the BCLK divider + +From: Maxime Ripard + +commit 316b7758c998fb13371d14bb6c9e45ab129c19a7 upstream. + +While the current code was reporting to be able to work in master mode, it +failed to do so because the BCLK divider wasn't programmed, meaning that +the BCLK would run at the PLL's frequency no matter the sample rate. + +It was obviously a bit too fast. + +Add support to retrieve the divider to use, and set it. Since our PLL is +not always able to generate a perfect multiple of the sample rate, we'll +have to choose the closest divider that matches our setup. + +Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec") +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sunxi/sun8i-codec.c | 51 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +--- a/sound/soc/sunxi/sun8i-codec.c ++++ b/sound/soc/sunxi/sun8i-codec.c +@@ -73,6 +73,7 @@ + #define SUN8I_SYS_SR_CTRL_AIF2_FS_MASK GENMASK(11, 8) + #define SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_MASK GENMASK(5, 4) + #define SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_MASK GENMASK(8, 6) ++#define SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV_MASK GENMASK(12, 9) + + struct sun8i_codec { + struct device *dev; +@@ -226,12 +227,57 @@ static int sun8i_set_fmt(struct snd_soc_ + return 0; + } + ++struct sun8i_codec_clk_div { ++ u8 div; ++ u8 val; ++}; ++ ++static const struct sun8i_codec_clk_div sun8i_codec_bclk_div[] = { ++ { .div = 1, .val = 0 }, ++ { .div = 2, .val = 1 }, ++ { .div = 4, .val = 2 }, ++ { .div = 6, .val = 3 }, ++ { .div = 8, .val = 4 }, ++ { .div = 12, .val = 5 }, ++ { .div = 16, .val = 6 }, ++ { .div = 24, .val = 7 }, ++ { .div = 32, .val = 8 }, ++ { .div = 48, .val = 9 }, ++ { .div = 64, .val = 10 }, ++ { .div = 96, .val = 11 }, ++ { .div = 
128, .val = 12 }, ++ { .div = 192, .val = 13 }, ++}; ++ ++static u8 sun8i_codec_get_bclk_div(struct sun8i_codec *scodec, ++ unsigned int rate, ++ unsigned int word_size) ++{ ++ unsigned long clk_rate = clk_get_rate(scodec->clk_module); ++ unsigned int div = clk_rate / rate / word_size / 2; ++ unsigned int best_val = 0, best_diff = ~0; ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(sun8i_codec_bclk_div); i++) { ++ const struct sun8i_codec_clk_div *bdiv = &sun8i_codec_bclk_div[i]; ++ unsigned int diff = abs(bdiv->div - div); ++ ++ if (diff < best_diff) { ++ best_diff = diff; ++ best_val = bdiv->val; ++ } ++ } ++ ++ return best_val; ++} ++ + static int sun8i_codec_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, + struct snd_soc_dai *dai) + { + struct sun8i_codec *scodec = snd_soc_codec_get_drvdata(dai->codec); + int sample_rate; ++ u8 bclk_div; + + /* + * The CPU DAI handles only a sample of 16 bits. Configure the +@@ -241,6 +287,11 @@ static int sun8i_codec_hw_params(struct + SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_MASK, + SUN8I_AIF1CLK_CTRL_AIF1_WORD_SIZ_16); + ++ bclk_div = sun8i_codec_get_bclk_div(scodec, params_rate(params), 16); ++ regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL, ++ SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV_MASK, ++ bclk_div << SUN8I_AIF1CLK_CTRL_AIF1_BCLK_DIV); ++ + regmap_update_bits(scodec->regmap, SUN8I_AIF1CLK_CTRL, + SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_MASK, + SUN8I_AIF1CLK_CTRL_AIF1_LRCK_DIV_16); diff --git a/queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch b/queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch new file mode 100644 index 00000000000..605e85271d8 --- /dev/null +++ b/queue-4.14/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch 
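Review bot: In sun8i_codec_get_bclk_div (BCLK divider patch), `abs(bdiv->div - div)` subtracts in unsigned arithmetic because `div` is `unsigned int`, so every table entry smaller than `div` wraps before abs() sees it and the result is only right if abs() reinterprets the value as signed. `unsigned int diff = abs((int)bdiv->div - (int)div);` states the intent directly. The same function computes `clk_rate / rate` with no guard; whether params_rate() can be 0 on this path is not visible in the hunk, so either a zero check or a comment saying why it cannot happen belongs next to the division. The function also returns `u8` while carrying `best_val` as `unsigned int`; declaring it `u8` removes the silent narrowing on return.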
@@ -0,0 +1,39 @@
+From f1601113ddc0339a745e702f4fb1ca37d4875e65 Mon Sep 17 00:00:00 2001
+From: Rameshwar Prasad Sahu
+Date: Thu, 2 Nov 2017 16:31:07 +0530
+Subject: ata: fixes kernel crash while tracing ata_eh_link_autopsy event
+
+From: Rameshwar Prasad Sahu
+
+commit f1601113ddc0339a745e702f4fb1ca37d4875e65 upstream.
+
+When tracing ata link error event, the kernel crashes when the disk is
+removed due to NULL pointer access by trace_ata_eh_link_autopsy API.
+This occurs as the dev is NULL when the disk disappeared. This patch
+fixes this crash by calling trace_ata_eh_link_autopsy only if "dev"
+is not NULL.
+
+v2 changes:
+ Removed direct passing "link" pointer instead of "dev" in trace API.
+
+Signed-off-by: Rameshwar Prasad Sahu
+Signed-off-by: Tejun Heo
+Fixes: 255c03d15a29 ("libata: Add tracepoints")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-eh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2264,8 +2264,8 @@ static void ata_eh_link_autopsy(struct a
+ if (dev->flags & ATA_DFLAG_DUBIOUS_XFER)
+ eflags |= ATA_EFLAG_DUBIOUS_XFER;
+ ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask);
++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ }
+- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask);
+ DPRINTK("EXIT\n");
+ }
+
diff --git a/queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch b/queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch
new file mode 100644
index 00000000000..610b6f4b893
--- /dev/null
+++ b/queue-4.14/autofs-don-t-fail-mount-for-transient-error.patch
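Review bot: After the libata-eh.c change, ata_eh_link_autopsy emits no trace event at all when `dev` is NULL, so the disk-removal case described in the commit message becomes invisible to anyone tracing link errors. That trade-off may be acceptable, but it deserves a comment at the call, for example `/* tracepoint dereferences dev; skipped once the disk is gone */`, so the call is not later moved back out of the block as a tidy-up. The block the call now sits in opens outside the hunk; that it is the `dev` NULL check is taken from the commit message, not from visible code.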
@@ -0,0 +1,81 @@ +From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 17 Nov 2017 15:29:13 -0800 +Subject: autofs: don't fail mount for transient error + +From: NeilBrown + +commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream. + +Currently if the autofs kernel module gets an error when writing to the +pipe which links to the daemon, then it marks the whole moutpoint as +catatonic, and it will stop working. + +It is possible that the error is transient. This can happen if the +daemon is slow and more than 16 requests queue up. If a subsequent +process tries to queue a request, and is then signalled, the write to +the pipe will return -ERESTARTSYS and autofs will take that as total +failure. + +So change the code to assess -ERESTARTSYS and -ENOMEM as transient +failures which only abort the current request, not the whole mountpoint. + +It isn't a crash or a data corruption, but having autofs mountpoints +suddenly stop working is rather inconvenient. + +Ian said: + +: And given the problems with a half dozen (or so) user space applications +: consuming large amounts of CPU under heavy mount and umount activity this +: could happen more easily than we expect. + +Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name +Signed-off-by: NeilBrown +Acked-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/waitq.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -81,7 +81,8 @@ static int autofs4_write(struct autofs_s + spin_unlock_irqrestore(¤t->sighand->siglock, flags); + } + +- return (bytes > 0); ++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ ++ return bytes == 0 ? 0 : wr < 0 ? 
wr : -EIO; + } + + static void autofs4_notify_daemon(struct autofs_sb_info *sbi, +@@ -95,6 +96,7 @@ static void autofs4_notify_daemon(struct + } pkt; + struct file *pipe = NULL; + size_t pktsz; ++ int ret; + + pr_debug("wait id = 0x%08lx, name = %.*s, type=%d\n", + (unsigned long) wq->wait_queue_token, +@@ -169,7 +171,18 @@ static void autofs4_notify_daemon(struct + mutex_unlock(&sbi->wq_mutex); + + if (autofs4_write(sbi, pipe, &pkt, pktsz)) ++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { ++ case 0: ++ break; ++ case -ENOMEM: ++ case -ERESTARTSYS: ++ /* Just fail this one */ ++ autofs4_wait_release(sbi, wq->wait_queue_token, ret); ++ break; ++ default: + autofs4_catatonic_mode(sbi); ++ break; ++ } + fput(pipe); + } + diff --git a/queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch b/queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch new file mode 100644 index 00000000000..c9878b8f101 --- /dev/null +++ b/queue-4.14/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch 
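Review bot: In the autofs4_notify_daemon hunk of the autofs patch, the old `if (autofs4_write(sbi, pipe, &pkt, pktsz))` line is kept as context and the new `switch (ret = autofs4_write(...))` becomes its body, so the packet is written to the daemon pipe twice whenever the first write fails. autofs4_write now returns 0 on success and a negative errno otherwise, which means a failed first write has its error discarded and the `-ENOMEM`/`-ERESTARTSYS`/catatonic decision is made on the result of the second write. If the first write was partial, the daemon may also see a truncated packet followed by a full one. The `if (autofs4_write(sbi, pipe, &pkt, pktsz))` line should be deleted so the `switch` holds the only call. autofs4_notify_daemon starts outside this hunk.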
@@ -0,0 +1,46 @@
+From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 13 Oct 2017 16:35:29 -0700
+Subject: bcache: check ca->alloc_thread initialized before wake up it
+
+From: Coly Li
+
+commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream.
+
+In bcache code, sysfs entries are created before all resources get
+allocated, e.g. allocation thread of a cache set.
+
+There is posibility for NULL pointer deference if a resource is accessed
+but which is not initialized yet. Indeed Jorg Bornschein catches one on
+cache set allocation thread and gets a kernel oops.
+
+The reason for this bug is, when bch_bucket_alloc() is called during
+cache set registration and attaching, ca->alloc_thread is not properly
+allocated and initialized yet, call wake_up_process() on ca->alloc_thread
+triggers NULL pointer deference failure. A simple and fast fix is, before
+waking up ca->alloc_thread, checking whether it is allocated, and only
+wake up ca->alloc_thread when it is not NULL.
+
+Signed-off-by: Coly Li
+Reported-by: Jorg Bornschein
+Cc: Kent Overstreet
+Reviewed-by: Michael Lyle
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/alloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -407,7 +407,8 @@ long bch_bucket_alloc(struct cache *ca,
+
+ finish_wait(&ca->set->bucket_wait, &w);
+ out:
+- wake_up_process(ca->alloc_thread);
++ if (ca->alloc_thread)
++ wake_up_process(ca->alloc_thread);
+
+ trace_bcache_alloc(ca, reserve);
+
diff --git a/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
new file mode 100644
index 00000000000..112bf749588
--- /dev/null
+++ b/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
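Review bot: The new `if (ca->alloc_thread)` guard in bch_bucket_alloc (bcache alloc.c patch) carries no comment, and nothing in the code says why a NULL thread pointer is a legitimate state at this point. A line such as `/* sysfs can reach this path before the allocator thread exists */` above the check would record the reason the commit message gives. The check is also a plain unsynchronised read; whether `alloc_thread` can be assigned concurrently with this path is not visible in the hunk and is worth confirming. bch_bucket_alloc starts and ends outside the hunk.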
@@ -0,0 +1,76 @@ +From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 30 Oct 2017 14:46:31 -0700 +Subject: bcache: only permit to recovery read error when cache device is clean + +From: Coly Li + +commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. + +When bcache does read I/Os, for example in writeback or writethrough mode, +if a read request on cache device is failed, bcache will try to recovery +the request by reading from cached device. If the data on cached device is +not synced with cache device, then requester will get a stale data. + +For critical storage system like database, providing stale data from +recovery may result an application level data corruption, which is +unacceptible. + +With this patch, for a failed read request in writeback or writethrough +mode, recovery a recoverable read request only happens when cache device +is clean. That is to say, all data on cached device is up to update. + +For other cache modes in bcache, read request will never hit +cached_dev_read_error(), they don't need this patch. + +Please note, because cache mode can be switched arbitrarily in run time, a +writethrough mode might be switched from a writeback mode. Therefore +checking dc->has_data in writethrough mode still makes sense. + +Changelog: +V4: Fix parens error pointed by Michael Lyle. +v3: By response from Kent Oversteet, he thinks recovering stale data is a + bug to fix, and option to permit it is unnecessary. So this version + the sysfs file is removed. +v2: rename sysfs entry from allow_stale_data_on_failure to + allow_stale_data_on_failure, and fix the confusing commit log. +v1: initial patch posted. 
+ +[small change to patch comment spelling by mlyle] + +Signed-off-by: Coly Li +Signed-off-by: Michael Lyle +Reported-by: Arne Wolf +Reviewed-by: Michael Lyle +Cc: Kent Overstreet +Cc: Nix +Cc: Kai Krakow +Cc: Eric Wheeler +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct + { + struct search *s = container_of(cl, struct search, cl); + struct bio *bio = &s->bio.bio; ++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + +- if (s->recoverable) { ++ /* ++ * If cache device is dirty (dc->has_dirty is non-zero), then ++ * recovery a failed read request from cached device may get a ++ * stale data back. So read failure recovery is only permitted ++ * when cache device is clean. ++ */ ++ if (s->recoverable && ++ (dc && !atomic_read(&dc->has_dirty))) { + /* Retry from the backing device: */ + trace_bcache_read_retry(s->orig_bio); + diff --git a/queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch b/queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch new file mode 100644 index 00000000000..5aa823016da --- /dev/null +++ b/queue-4.14/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch 
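Review bot: In cached_dev_read_error (bcache request.c patch), the `dc &&` half of the new condition does not guard anything: `dc` is produced by `container_of(s->d, struct cached_dev, disk)`, which is pointer arithmetic and does not yield NULL for a valid `s->d`. Writing the test as `if (s->recoverable && !atomic_read(&dc->has_dirty)) {` shows what is really being checked and avoids suggesting a NULL case that is handled. In the visible lines `has_dirty` is sampled once with no lock held, so the device could become dirty between the check and the retry; if that window is acceptable, the comment above the condition should say so. The commit message refers to `dc->has_data` while the code tests `has_dirty`, which is worth reconciling.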
@@ -0,0 +1,66 @@ +From 4e9b6f20828ac880dbc1fa2fdbafae779473d1af Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 19 Oct 2017 10:00:48 -0700 +Subject: block: Fix a race between blk_cleanup_queue() and timeout handling + +From: Bart Van Assche + +commit 4e9b6f20828ac880dbc1fa2fdbafae779473d1af upstream. + +Make sure that if the timeout timer fires after a queue has been +marked "dying" that the affected requests are finished. + +Reported-by: chenxiang (M) +Fixes: commit 287922eb0b18 ("block: defer timeouts to a workqueue") +Signed-off-by: Bart Van Assche +Tested-by: chenxiang (M) +Cc: Christoph Hellwig +Cc: Keith Busch +Cc: Hannes Reinecke +Cc: Ming Lei +Cc: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 2 ++ + block/blk-timeout.c | 3 --- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -333,6 +333,7 @@ EXPORT_SYMBOL(blk_stop_queue); + void blk_sync_queue(struct request_queue *q) + { + del_timer_sync(&q->timeout); ++ cancel_work_sync(&q->timeout_work); + + if (q->mq_ops) { + struct blk_mq_hw_ctx *hctx; +@@ -844,6 +845,7 @@ struct request_queue *blk_alloc_queue_no + setup_timer(&q->backing_dev_info->laptop_mode_wb_timer, + laptop_mode_timer_fn, (unsigned long) q); + setup_timer(&q->timeout, blk_rq_timed_out_timer, (unsigned long) q); ++ INIT_WORK(&q->timeout_work, NULL); + INIT_LIST_HEAD(&q->queue_head); + INIT_LIST_HEAD(&q->timeout_list); + INIT_LIST_HEAD(&q->icq_list); +--- a/block/blk-timeout.c ++++ b/block/blk-timeout.c +@@ -134,8 +134,6 @@ void blk_timeout_work(struct work_struct + struct request *rq, *tmp; + int next_set = 0; + +- if (blk_queue_enter(q, true)) +- return; + spin_lock_irqsave(q->queue_lock, flags); + + list_for_each_entry_safe(rq, tmp, &q->timeout_list, timeout_list) +@@ -145,7 +143,6 @@ void blk_timeout_work(struct work_struct + mod_timer(&q->timeout, round_jiffies_up(next)); + + spin_unlock_irqrestore(q->queue_lock, 
flags); +- blk_queue_exit(q); + } + + /** diff --git a/queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch b/queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch new file mode 100644 index 00000000000..eb44db36244 --- /dev/null +++ b/queue-4.14/bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch 
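Review bot: `INIT_WORK(&q->timeout_work, NULL)` in blk_alloc_queue_node (block patch, blk-core.c) leaves a work item whose handler is a NULL pointer until some later initialisation path replaces it, and that path is not part of this hunk. If the timeout timer schedules the work on a queue that never receives a real handler, the workqueue would call through NULL. Initialising with an empty handler function, or adding a comment that names where the real handler is installed and why the timer cannot fire first, would make this safe to read. The blk-timeout.c hunk removes `blk_queue_enter()`/`blk_queue_exit()` from blk_timeout_work without explanation; a comment noting that `cancel_work_sync()` in blk_sync_queue now provides the exclusion would help the next reader.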
@@ -0,0 +1,78 @@ +From 6e518111060c2290427d79c43d4add9600ad852b Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Tue, 5 Sep 2017 12:26:03 +0200 +Subject: Bluetooth: btqcomsmd: Add support for BD address setup + +From: Loic Poulain + +commit 6e518111060c2290427d79c43d4add9600ad852b upstream. + +This patch implements the hdev setup function since wcnss-bt does not have +persistent memory to store an allocated BD address. The device is therefore +marked as unconfigured if no BD address has been previously retrieved. + +Signed-off-by: Loic Poulain +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btqcomsmd.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/drivers/bluetooth/btqcomsmd.c ++++ b/drivers/bluetooth/btqcomsmd.c +@@ -26,6 +26,7 @@ + struct btqcomsmd { + struct hci_dev *hdev; + ++ bdaddr_t bdaddr; + struct rpmsg_endpoint *acl_channel; + struct rpmsg_endpoint *cmd_channel; + }; +@@ -100,6 +101,38 @@ static int btqcomsmd_close(struct hci_de + return 0; + } + ++static int btqcomsmd_setup(struct hci_dev *hdev) ++{ ++ struct btqcomsmd *btq = hci_get_drvdata(hdev); ++ struct sk_buff *skb; ++ int err; ++ ++ skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); ++ if (IS_ERR(skb)) ++ return PTR_ERR(skb); ++ kfree_skb(skb); ++ ++ /* Devices do not have persistent storage for BD address. If no ++ * BD address has been retrieved during probe, mark the device ++ * as having an invalid BD address. ++ */ ++ if (!bacmp(&btq->bdaddr, BDADDR_ANY)) { ++ set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ return 0; ++ } ++ ++ /* When setting a configured BD address fails, mark the device ++ * as having an invalid BD address. 
++ */ ++ err = qca_set_bdaddr_rome(hdev, &btq->bdaddr); ++ if (err) { ++ set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); ++ return 0; ++ } ++ ++ return 0; ++} ++ + static int btqcomsmd_probe(struct platform_device *pdev) + { + struct btqcomsmd *btq; +@@ -135,6 +168,7 @@ static int btqcomsmd_probe(struct platfo + hdev->open = btqcomsmd_open; + hdev->close = btqcomsmd_close; + hdev->send = btqcomsmd_send; ++ hdev->setup = btqcomsmd_setup; + hdev->set_bdaddr = qca_set_bdaddr_rome; + + ret = hci_register_dev(hdev); diff --git a/queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch b/queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch new file mode 100644 index 00000000000..6c1fba3dd23 --- /dev/null +++ b/queue-4.14/btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch 
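Review bot: btqcomsmd_setup (btqcomsmd patch) discards the error from `qca_set_bdaddr_rome()`: the `if (err)` branch sets HCI_QUIRK_INVALID_BDADDR and returns 0 exactly like the success path, and nothing is logged. A `bt_dev_err(hdev, "Failed to set BD address (%d)", err);` in that branch would leave a trace of why the controller came up unconfigured, and the duplicate `return 0;` inside the branch can then go. The patch also adds `bdaddr` to `struct btqcomsmd` but no visible hunk stores into it, so as far as this patch shows the `BDADDR_ANY` branch is always taken. The commit message says the address is retrieved during probe, so it is worth confirming that the assignment is queued alongside this change.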
@@ -0,0 +1,129 @@ +From 996478ca9c460886ac147eb0d00e99841b71d31b Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 22 Aug 2017 16:00:39 -0400 +Subject: btrfs: change how we decide to commit transactions during flushing + +From: Josef Bacik + +commit 996478ca9c460886ac147eb0d00e99841b71d31b upstream. + +Nikolay reported that generic/273 was failing currently with ENOSPC. +Turns out this is because we get to the point where the outstanding +reservations are greater than the pinned space on the fs. This is a +mistake, previously we used the current reservation amount in +may_commit_transaction, not the entire outstanding reservation amount. +Fix this to find the minimum byte size needed to make progress in +flushing, and pass that into may_commit_transaction. From there we can +make a smarter decision on whether to commit the transaction or not. +This fixes the failure in generic/273. + +From Nikolai, IOW: when we go to the final stage of deciding whether to +do trans commit, instead of passing all the reservations from all +tickets we just pass the reservation for the current ticket. Otherwise, +in case all reservations exceed pinned space, then we don't commit +transaction and fail prematurely. Before we passed num_bytes from +flush_space, where num_bytes was the sum of all pending reserverations, +but now all we do is take the first ticket and commit the trans if we +can satisfy that. 
+ +Fixes: 957780eb2788 ("Btrfs: introduce ticketed enospc infrastructure") +Reported-by: Nikolay Borisov +Signed-off-by: Josef Bacik +Reviewed-by: Nikolay Borisov +Tested-by: Nikolay Borisov +[ added Nikolai's comment ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4919,6 +4919,13 @@ skip_async: + } + } + ++struct reserve_ticket { ++ u64 bytes; ++ int error; ++ struct list_head list; ++ wait_queue_head_t wait; ++}; ++ + /** + * maybe_commit_transaction - possibly commit the transaction if its ok to + * @root - the root we're allocating for +@@ -4930,18 +4937,29 @@ skip_async: + * will return -ENOSPC. + */ + static int may_commit_transaction(struct btrfs_fs_info *fs_info, +- struct btrfs_space_info *space_info, +- u64 bytes, int force) ++ struct btrfs_space_info *space_info) + { ++ struct reserve_ticket *ticket = NULL; + struct btrfs_block_rsv *delayed_rsv = &fs_info->delayed_block_rsv; + struct btrfs_trans_handle *trans; ++ u64 bytes; + + trans = (struct btrfs_trans_handle *)current->journal_info; + if (trans) + return -EAGAIN; + +- if (force) +- goto commit; ++ spin_lock(&space_info->lock); ++ if (!list_empty(&space_info->priority_tickets)) ++ ticket = list_first_entry(&space_info->priority_tickets, ++ struct reserve_ticket, list); ++ else if (!list_empty(&space_info->tickets)) ++ ticket = list_first_entry(&space_info->tickets, ++ struct reserve_ticket, list); ++ bytes = (ticket) ? 
ticket->bytes : 0; ++ spin_unlock(&space_info->lock); ++ ++ if (!bytes) ++ return 0; + + /* See if there is enough pinned space to make this reservation */ + if (percpu_counter_compare(&space_info->total_bytes_pinned, +@@ -4956,8 +4974,12 @@ static int may_commit_transaction(struct + return -ENOSPC; + + spin_lock(&delayed_rsv->lock); ++ if (delayed_rsv->size > bytes) ++ bytes = 0; ++ else ++ bytes -= delayed_rsv->size; + if (percpu_counter_compare(&space_info->total_bytes_pinned, +- bytes - delayed_rsv->size) < 0) { ++ bytes) < 0) { + spin_unlock(&delayed_rsv->lock); + return -ENOSPC; + } +@@ -4971,13 +4993,6 @@ commit: + return btrfs_commit_transaction(trans); + } + +-struct reserve_ticket { +- u64 bytes; +- int error; +- struct list_head list; +- wait_queue_head_t wait; +-}; +- + /* + * Try to flush some data based on policy set by @state. This is only advisory + * and may fail for various reasons. The caller is supposed to examine the +@@ -5027,8 +5042,7 @@ static void flush_space(struct btrfs_fs_ + ret = 0; + break; + case COMMIT_TRANS: +- ret = may_commit_transaction(fs_info, space_info, +- num_bytes, 0); ++ ret = may_commit_transaction(fs_info, space_info); + break; + default: + ret = -ENOSPC; diff --git a/queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch b/queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch new file mode 100644 index 00000000000..b9ff0bb2d4e --- /dev/null +++ b/queue-4.14/dm-discard-support-requires-all-targets-in-a-table-support-discards.patch 
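Review bot: The kerneldoc above may_commit_transaction (btrfs patch) was not updated with the signature change: the visible context still titles it `maybe_commit_transaction` and documents `@root`, while the function now takes only `fs_info` and `space_info` and derives `bytes` from the first queued ticket. The comment should name the function and its real parameters, and state that it returns 0 without committing when no ticket is pending. The middle of that comment lies between hunks, so any leftover `@bytes`/`@force` lines are inferred rather than seen. Moving `struct reserve_ticket` above the function is necessary for the new code, but a one-line comment on the struct saying what `bytes` and `error` mean would make the ticket selection easier to follow.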
@@ -0,0 +1,94 @@ +From 8a74d29d541cd86569139c6f3f44b2d210458071 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Tue, 14 Nov 2017 15:40:52 -0500 +Subject: dm: discard support requires all targets in a table support discards + +From: Mike Snitzer + +commit 8a74d29d541cd86569139c6f3f44b2d210458071 upstream. + +A DM device with a mix of discard capabilities (due to some underlying +devices not having discard support) _should_ just return -EOPNOTSUPP for +the region of the device that doesn't support discards (even if only by +way of the underlying driver formally not supporting discards). BUT, +that does ask the underlying driver to handle something that it never +advertised support for. In doing so we're exposing users to the +potential for a underlying disk driver hanging if/when a discard is +issued a the device that is incapable and never claimed to support +discards. + +Fix this by requiring that each DM target in a DM table provide discard +support as a prereq for a DM device to advertise support for discards. + +This may cause some configurations that were happily supporting discards +(even in the face of a mix of discard support) to stop supporting +discards -- but the risk of users hitting driver hangs, and forced +reboots, outweighs supporting those fringe mixed discard +configurations. 
+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-table.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1758,13 +1758,12 @@ static bool dm_table_supports_write_zero + return true; + } + +- +-static int device_discard_capable(struct dm_target *ti, struct dm_dev *dev, +- sector_t start, sector_t len, void *data) ++static int device_not_discard_capable(struct dm_target *ti, struct dm_dev *dev, ++ sector_t start, sector_t len, void *data) + { + struct request_queue *q = bdev_get_queue(dev->bdev); + +- return q && blk_queue_discard(q); ++ return q && !blk_queue_discard(q); + } + + static bool dm_table_supports_discards(struct dm_table *t) +@@ -1772,28 +1771,24 @@ static bool dm_table_supports_discards(s + struct dm_target *ti; + unsigned i; + +- /* +- * Unless any target used by the table set discards_supported, +- * require at least one underlying device to support discards. +- * t->devices includes internal dm devices such as mirror logs +- * so we need to use iterate_devices here, which targets +- * supporting discard selectively must provide. +- */ + for (i = 0; i < dm_table_get_num_targets(t); i++) { + ti = dm_table_get_target(t, i); + + if (!ti->num_discard_bios) +- continue; +- +- if (ti->discards_supported) +- return true; ++ return false; + +- if (ti->type->iterate_devices && +- ti->type->iterate_devices(ti, device_discard_capable, NULL)) +- return true; ++ /* ++ * Either the target provides discard support (as implied by setting ++ * 'discards_supported') or it relies on _all_ data devices having ++ * discard support. ++ */ ++ if (!ti->discards_supported && ++ (!ti->type->iterate_devices || ++ ti->type->iterate_devices(ti, device_not_discard_capable, NULL))) ++ return false; + } + +- return false; ++ return true; + } + + void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q, 
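Review bot: device_not_discard_capable (dm-table.c patch) returns `q && !blk_queue_discard(q)`, so a device whose `bdev_get_queue()` result is NULL is reported as not incapable and the table can still advertise discard support. Now that dm_table_supports_discards requires every device to qualify, a missing queue should fail closed: `return !q || !blk_queue_discard(q);`. Whether a NULL queue is reachable for a device in an active table is not visible here, so this is a defensive change rather than a demonstrated failure. The removed block comment explained why `iterate_devices` is used instead of `t->devices`; that reasoning still applies and is worth keeping in the new comment.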
diff --git a/queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch b/queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
new file mode 100644
index 00000000000..b8f27e134eb
--- /dev/null
+++ b/queue-4.14/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
@@ -0,0 +1,72 @@ +From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 1 Nov 2017 15:42:36 +0800 +Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy() + +From: Hou Tao + +commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. + +The following BUG_ON was hit when testing repeat creation and removal of +DM devices: + + kernel BUG at drivers/md/dm.c:2919! + CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 + Call Trace: + [] dm_get_from_kobject+0x34/0x3a + [] dm_attr_show+0x2b/0x5e + [] ? mutex_lock+0x26/0x44 + [] sysfs_kf_seq_show+0x83/0xcf + [] kernfs_seq_show+0x23/0x25 + [] seq_read+0x16f/0x325 + [] kernfs_fop_read+0x3a/0x13f + [] __vfs_read+0x26/0x9d + [] ? security_file_permission+0x3c/0x44 + [] ? rw_verify_area+0x83/0xd9 + [] vfs_read+0x8f/0xcf + [] ? __fdget_pos+0x12/0x41 + [] SyS_read+0x4b/0x76 + [] system_call_fastpath+0x12/0x71 + +The bug can be easily triggered, if an extra delay (e.g. 10ms) is added +between the test of DMF_FREEING & DMF_DELETING and dm_get() in +dm_get_from_kobject(). + +To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and +dm_get() are done in an atomic way, so _minor_lock is used. + +The other callers of dm_get() have also been checked to be OK: some +callers invoke dm_get() under _minor_lock, some callers invoke it under +_hash_lock, and dm_start_request() invoke it after increasing +md->open_count. 
+ +Signed-off-by: Hou Tao +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2709,11 +2709,15 @@ struct mapped_device *dm_get_from_kobjec + + md = container_of(kobj, struct mapped_device, kobj_holder.kobj); + +- if (test_bit(DMF_FREEING, &md->flags) || +- dm_deleting_md(md)) +- return NULL; +- ++ spin_lock(&_minor_lock); ++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) { ++ md = NULL; ++ goto out; ++ } + dm_get(md); ++out: ++ spin_unlock(&_minor_lock); ++ + return md; + } + diff --git a/queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch b/queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch new file mode 100644 index 00000000000..a3caa67aa65 --- /dev/null +++ b/queue-4.14/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch 
@@ -0,0 +1,43 @@
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/messaging.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+ }
+ if (ecryptfs_daemon_hash) {
+ struct ecryptfs_daemon *daemon;
++ struct hlist_node *n;
+ int i;
+
+ mutex_lock(&ecryptfs_daemon_hash_mux);
+ for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ int rc;
+
+- hlist_for_each_entry(daemon,
+- &ecryptfs_daemon_hash[i],
+- euid_chain) {
++ hlist_for_each_entry_safe(daemon, n,
++ &ecryptfs_daemon_hash[i],
++ euid_chain) {
+ rc = ecryptfs_exorcise_daemon(daemon);
+ if (rc)
+ printk(KERN_ERR "%s: Error whilst "
diff --git a/queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch b/queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
new file mode 100644
index 00000000000..18ff9415711
--- /dev/null
+++ b/queue-4.14/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
@@ -0,0 +1,64 @@ +From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 6 Oct 2017 23:09:55 -0400 +Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash + +From: Theodore Ts'o + +commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream. + +If there are pending writes subject to delayed allocation, then i_size +will show size after the writes have completed, while i_disksize +contains the value of i_size on the disk (since the writes have not +been persisted to disk). + +If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either +with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size +after the fallocate(2) is between i_size and i_disksize, then after a +crash, if a journal commit has resulted in the changes made by the +fallocate() call to be persisted after a crash, but the delayed +allocation write has not resolved itself, i_size would not be updated, +and this would cause the following e2fsck complaint: + +Inode 12, end of extent exceeds allowed value + (logical block 33, physical block 33441, len 7) + +This can only take place on a sparse file, where the fallocate(2) call +is allocating blocks in a range which is before a pending delayed +allocation write which is extending i_size. Since this situation is +quite rare, and the window in which the crash must take place is +typically < 30 seconds, in practice this condition will rarely happen. + +Nevertheless, it can be triggered in testing, and in particular by +xfstests generic/456. 
+ +Signed-off-by: Theodore Ts'o +Reported-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4794,7 +4794,8 @@ static long ext4_zero_range(struct file + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) +@@ -4965,7 +4966,8 @@ long ext4_fallocate(struct file *file, i + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +- offset + len > i_size_read(inode)) { ++ (offset + len > i_size_read(inode) || ++ offset + len > EXT4_I(inode)->i_disksize)) { + new_size = offset + len; + ret = inode_newsize_ok(inode, new_size); + if (ret) diff --git a/queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch b/queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch new file mode 100644 index 00000000000..69b16f90a74 --- /dev/null +++ b/queue-4.14/ext4-prevent-data-corruption-with-inline-data-dax.patch 
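Review bot: The widened test `offset + len > i_size_read(inode) || offset + len > EXT4_I(inode)->i_disksize` is pasted identically into ext4_zero_range() and ext4_fallocate() with no comment on why the on-disk size is consulted as well. A one-line comment at both sites, e.g. `/* i_disksize can lag i_size while delalloc writes are pending */`, would keep the second comparison from being removed as redundant later. The description talks about calls made with FALLOC_FL_KEEP_SIZE, while the changed condition is guarded by `!(mode & FALLOC_FL_KEEP_SIZE)`; a sentence in the comment connecting the two would help the next reader. Both functions start and end outside their hunks.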
@@ -0,0 +1,80 @@ +From 559db4c6d784ceedc2a5418ced4d357cb843e221 Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Thu, 12 Oct 2017 11:52:34 -0400 +Subject: ext4: prevent data corruption with inline data + DAX + +From: Ross Zwisler + +commit 559db4c6d784ceedc2a5418ced4d357cb843e221 upstream. + +If an inode has inline data it is currently prevented from using DAX by a +check in ext4_set_inode_flags(). When the inode grows inline data via +ext4_create_inline_data() or removes its inline data via +ext4_destroy_inline_data_nolock(), the value of S_DAX can change. + +Currently these changes are unsafe because we don't hold off page faults +and I/O, write back dirty radix tree entries and invalidate all mappings. +There are also issues with mm-level races when changing the value of S_DAX, +as well as issues with the VM_MIXEDMAP flag: + +https://www.spinics.net/lists/linux-xfs/msg09859.html + +The unsafe transition of S_DAX can reliably cause data corruption, as shown +by the following fstest: + +https://patchwork.kernel.org/patch/9948381/ + +Fix this issue by preventing the DAX mount option from being used on +filesystems that were created to support inline data. Inline data is an +option given to mkfs.ext4. + +Signed-off-by: Ross Zwisler +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 10 ---------- + fs/ext4/super.c | 5 +++++ + 2 files changed, 5 insertions(+), 10 deletions(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -302,11 +302,6 @@ static int ext4_create_inline_data(handl + EXT4_I(inode)->i_inline_size = len + EXT4_MIN_INLINE_DATA_SIZE; + ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS); + ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA); +- /* +- * Propagate changes to inode->i_flags as well - e.g. 
S_DAX may +- * get cleared +- */ +- ext4_set_inode_flags(inode); + get_bh(is.iloc.bh); + error = ext4_mark_iloc_dirty(handle, inode, &is.iloc); + +@@ -451,11 +446,6 @@ static int ext4_destroy_inline_data_nolo + } + } + ext4_clear_inode_flag(inode, EXT4_INODE_INLINE_DATA); +- /* +- * Propagate changes to inode->i_flags as well - e.g. S_DAX may +- * get set. +- */ +- ext4_set_inode_flags(inode); + + get_bh(is.iloc.bh); + error = ext4_mark_iloc_dirty(handle, inode, &is.iloc); +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3708,6 +3708,11 @@ static int ext4_fill_super(struct super_ + } + + if (sbi->s_mount_opt & EXT4_MOUNT_DAX) { ++ if (ext4_has_feature_inline_data(sb)) { ++ ext4_msg(sb, KERN_ERR, "Cannot use DAX on a filesystem" ++ " that may contain inline data"); ++ goto failed_mount; ++ } + err = bdev_dax_supported(sb, blocksize); + if (err) + goto failed_mount; diff --git a/queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch b/queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch new file mode 100644 index 00000000000..59442cbaa79 --- /dev/null +++ b/queue-4.14/ext4-prevent-data-corruption-with-journaling-dax.patch 
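Review bot: The new inline-data branch in ext4_fill_super() jumps to `failed_mount` without assigning an error code, whereas the bdev_dax_supported() check directly below it goes there with `err` set. Which value the function returns on the new path depends on variables initialised outside the hunk, so please confirm the mount fails with a defined errno rather than whatever an earlier step left behind. Setting it at the site, for instance `err = -EINVAL;` before the `goto` if that matches the function's convention, would make the branch self-contained.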
@@ -0,0 +1,73 @@ +From e9072d859df3e0f2c3ba450f0d1739595c2d5d13 Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Thu, 12 Oct 2017 11:54:08 -0400 +Subject: ext4: prevent data corruption with journaling + DAX + +From: Ross Zwisler + +commit e9072d859df3e0f2c3ba450f0d1739595c2d5d13 upstream. + +The current code has the potential for data corruption when changing an +inode's journaling mode, as that can result in a subsequent unsafe change +in S_DAX. + +I've captured an instance of this data corruption in the following fstest: + +https://patchwork.kernel.org/patch/9948377/ + +Prevent this data corruption from happening by disallowing changes to the +journaling mode if the '-o dax' mount option was used. This means that for +a given filesystem we could have a mix of inodes using either DAX or +data journaling, but whatever state the inodes are in will be held for the +duration of the mount. + +Signed-off-by: Ross Zwisler +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 5 ----- + fs/ext4/ioctl.c | 16 +++++++++++++--- + 2 files changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5967,11 +5967,6 @@ int ext4_change_inode_journal_flag(struc + ext4_clear_inode_flag(inode, EXT4_INODE_JOURNAL_DATA); + } + ext4_set_aops(inode); +- /* +- * Update inode->i_flags after EXT4_INODE_JOURNAL_DATA was updated. +- * E.g. S_DAX may get cleared / set. +- */ +- ext4_set_inode_flags(inode); + + jbd2_journal_unlock_updates(journal); + percpu_up_write(&sbi->s_journal_flag_rwsem); +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -291,10 +291,20 @@ flags_err: + if (err) + goto flags_out; + +- if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) ++ if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) { ++ /* ++ * Changes to the journaling mode can cause unsafe changes to ++ * S_DAX if we are using the DAX mount option. 
++ */ ++ if (test_opt(inode->i_sb, DAX)) { ++ err = -EBUSY; ++ goto flags_out; ++ } ++ + err = ext4_change_inode_journal_flag(inode, jflag); +- if (err) +- goto flags_out; ++ if (err) ++ goto flags_out; ++ } + if (migrate) { + if (flags & EXT4_EXTENTS_FL) + err = ext4_ext_migrate(inode); diff --git a/queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch b/queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch new file mode 100644 index 00000000000..d49a3dad897 --- /dev/null +++ b/queue-4.14/f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch @@ -0,0 +1,37 @@ +From 5b4267d195dd887c4412e34b5a7365baa741b679 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Fri, 13 Oct 2017 10:27:45 -0700 +Subject: f2fs: expose some sectors to user in inline data or dentry case + +From: Jaegeuk Kim + +commit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream. + +If there's some data written through inline data or dentry, we need to shouw +st_blocks. This fixes reporting zero blocks even though there is small written +data. + +Reviewed-by: Chao Yu +[Jaegeuk Kim: avoid link file for quotacheck] +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/file.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -683,6 +683,12 @@ int f2fs_getattr(const struct path *path + STATX_ATTR_NODUMP); + + generic_fillattr(inode, stat); ++ ++ /* we need to show initial sectors used for inline_data/dentries */ ++ if ((S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode)) || ++ f2fs_has_inline_dentry(inode)) ++ stat->blocks += (stat->size + 511) >> 9; ++ + return 0; + } + diff --git a/queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch b/queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch new file mode 100644 index 00000000000..1fe62e1b69d --- /dev/null +++ b/queue-4.14/fanotify-fix-fsnotify_prepare_user_wait-failure.patch 
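Review bot: The `-EBUSY` rejection in the fs/ext4/ioctl.c hunk sits after the `flags_err:` label and an `if (err) goto flags_out;`, so whatever the function did before that point has apparently already taken effect when the journaling-mode change is refused. If the earlier part of the function applies the other requested flags (it is outside the hunk, so this is an inference), the caller gets an error from a call that was partly carried out. Testing `test_opt(inode->i_sb, DAX)` before any flag is modified would make the refusal all-or-nothing.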
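Review bot: `stat->blocks += (stat->size + 511) >> 9;` in f2fs_getattr() spells the 512-byte unit of the block count as two bare literals, and the added comment does not say that the size is being rounded up to that unit. I would extend the comment to something like `/* report inline_data/dentry size in 512-byte units so st_blocks is not zero */`. The multi-line `if` condition would also read more safely with braces around its single statement.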
@@ -0,0 +1,96 @@ +From f37650f1c7c71cf5180b43229d13b421d81e7170 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 30 Oct 2017 21:14:56 +0100 +Subject: fanotify: fix fsnotify_prepare_user_wait() failure + +From: Miklos Szeredi + +commit f37650f1c7c71cf5180b43229d13b421d81e7170 upstream. + +If fsnotify_prepare_user_wait() fails, we leave the event on the +notification list. Which will result in a warning in +fsnotify_destroy_event() and later use-after-free. + +Instead of adding a new helper to remove the event from the list in this +case, I opted to move the prepare/finish up into fanotify_handle_event(). + +This will allow these to be moved further out into the generic code later, +and perhaps let us move to non-sleeping RCU. + +Reviewed-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 05f0e38724e8 ("fanotify: Release SRCU lock when waiting for userspace response") +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/fanotify/fanotify.c | 33 ++++++++++++++++++++------------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -65,19 +65,8 @@ static int fanotify_get_response(struct + + pr_debug("%s: group=%p event=%p\n", __func__, group, event); + +- /* +- * fsnotify_prepare_user_wait() fails if we race with mark deletion. +- * Just let the operation pass in that case. 
+- */ +- if (!fsnotify_prepare_user_wait(iter_info)) { +- event->response = FAN_ALLOW; +- goto out; +- } +- + wait_event(group->fanotify_data.access_waitq, event->response); + +- fsnotify_finish_user_wait(iter_info); +-out: + /* userspace responded, convert to something usable */ + switch (event->response) { + case FAN_ALLOW: +@@ -212,9 +201,21 @@ static int fanotify_handle_event(struct + pr_debug("%s: group=%p inode=%p mask=%x\n", __func__, group, inode, + mask); + ++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS ++ if (mask & FAN_ALL_PERM_EVENTS) { ++ /* ++ * fsnotify_prepare_user_wait() fails if we race with mark ++ * deletion. Just let the operation pass in that case. ++ */ ++ if (!fsnotify_prepare_user_wait(iter_info)) ++ return 0; ++ } ++#endif ++ + event = fanotify_alloc_event(inode, mask, data); ++ ret = -ENOMEM; + if (unlikely(!event)) +- return -ENOMEM; ++ goto finish; + + fsn_event = &event->fse; + ret = fsnotify_add_event(group, fsn_event, fanotify_merge); +@@ -224,7 +225,8 @@ static int fanotify_handle_event(struct + /* Our event wasn't used in the end. Free it. */ + fsnotify_destroy_event(group, fsn_event); + +- return 0; ++ ret = 0; ++ goto finish; + } + + #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS +@@ -233,6 +235,11 @@ static int fanotify_handle_event(struct + iter_info); + fsnotify_destroy_event(group, fsn_event); + } ++finish: ++ if (mask & FAN_ALL_PERM_EVENTS) ++ fsnotify_finish_user_wait(iter_info); ++#else ++finish: + #endif + return ret; + } diff --git a/queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch b/queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch new file mode 100644 index 00000000000..0d96e648238 --- /dev/null +++ b/queue-4.14/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch 
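Review bot: The early `return 0` in fanotify_handle_event() lets a permission event through without any listener verdict when fsnotify_prepare_user_wait() fails, and the comment only says to let the operation pass. Since this is a fail-open decision on an access-control path, I would state that outright, e.g. `/* Deliberately fail open: we raced with mark deletion and cannot wait for a verdict */`. Separately, the `finish:` label now exists in both arms of the `#ifdef`/`#else`, which is easy to break in a later edit; keeping one label after the `#endif` and guarding only the `fsnotify_finish_user_wait()` call would be simpler to follow. The function begins outside the hunks.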
@@ -0,0 +1,40 @@
+From 11d49e9d089ccec81be87c2386dfdd010d7f7f6e Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 24 Sep 2017 18:36:44 -0400
+Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+
+From: Al Viro
+
+commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.
+
+we are advancing sg as we go, so the pages we need to drop in
+case of error are *before* the current sg.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/scsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -688,6 +688,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+ struct scatterlist *sg, int sg_count)
+ {
+ size_t off = iter->iov_offset;
++ struct scatterlist *p = sg;
+ int i, ret;
+
+ for (i = 0; i < iter->nr_segs; i++) {
+@@ -696,8 +697,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+
+ ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+ if (ret < 0) {
+- for (i = 0; i < sg_count; i++) {
+- struct page *page = sg_page(&sg[i]);
++ while (p < sg) {
++ struct page *page = sg_page(p++);
+ if (page)
+ put_page(page);
+ }
diff --git a/queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch b/queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
new file mode 100644
index 00000000000..6fa8fdf3e89
--- /dev/null
+++ b/queue-4.14/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
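Review bot: Once the cleanup loop in vhost_scsi_iov_to_sgl() becomes `while (p < sg)`, nothing in the visible hunks reads `sg_count` any more, so as far as the hunks show nothing bounds how far `sg` is advanced through the caller's array. The rest of the function is outside the hunks, so this needs checking against the full body; if the parameter really is unused now, either drop it or use it to bound the advance. A short comment on `p`, e.g. `/* first entry; entries in [p, sg) hold page references */`, would also document what the error path releases.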
@@ -0,0 +1,51 @@
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov
+Signed-off-by: Tuomas Tynkkynen
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/9p/vfs_inode.c | 3 +++
+ fs/9p/vfs_inode_dotl.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
diff --git a/queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch b/queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch
new file mode 100644
index 00000000000..4df491a306a
--- /dev/null
+++ b/queue-4.14/fs-guard_bio_eod-needs-to-consider-partitions.patch
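Review bot: The same `qid.path` comparison is added separately to v9fs_test_inode() and v9fs_test_inode_dotl(), so the qid-matching rule lives in two places, and this fix shows that a field missing from it makes an inode-cache lookup return the wrong inode. A small shared helper that compares the qid fields, called from both test callbacks, would keep them from drifting apart again. At minimum I would add a comment above the new check such as `/* type and version can match for different files; path must match too */`. Both functions begin outside their hunks, so the other comparisons are not visible here.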
@@ -0,0 +1,59 @@
+From 67f2519fe2903c4041c0e94394d14d372fe51399 Mon Sep 17 00:00:00 2001
+From: Greg Edwards
+Date: Tue, 24 Oct 2017 11:21:48 -0600
+Subject: fs: guard_bio_eod() needs to consider partitions
+
+From: Greg Edwards
+
+commit 67f2519fe2903c4041c0e94394d14d372fe51399 upstream.
+
+guard_bio_eod() needs to look at the partition capacity, not just the
+capacity of the whole device, when determining if truncation is
+necessary.
+
+[ 60.268688] attempt to access beyond end of device
+[ 60.268690] unknown-block(9,1): rw=0, want=67103509, limit=67103506
+[ 60.268693] buffer_io_error: 2 callbacks suppressed
+[ 60.268696] Buffer I/O error on dev md1p7, logical block 4524305, async page read
+
+Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index")
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Greg Edwards
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/buffer.c | 10 +++++++++-
+ include/linux/genhd.h | 1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -3055,8 +3055,16 @@ void guard_bio_eod(int op, struct bio *b
+ sector_t maxsector;
+ struct bio_vec *bvec = &bio->bi_io_vec[bio->bi_vcnt - 1];
+ unsigned truncated_bytes;
++ struct hd_struct *part;
++
++ rcu_read_lock();
++ part = __disk_get_part(bio->bi_disk, bio->bi_partno);
++ if (part)
++ maxsector = part_nr_sects_read(part);
++ else
++ maxsector = get_capacity(bio->bi_disk);
++ rcu_read_unlock();
+
+- maxsector = get_capacity(bio->bi_disk);
+ if (!maxsector)
+ return;
+
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -243,6 +243,7 @@ static inline dev_t part_devt(struct hd_
+ return part_to_dev(part)->devt;
+ }
+
++extern struct hd_struct *__disk_get_part(struct gendisk *disk, int partno);
+ extern struct hd_struct *disk_get_part(struct gendisk *disk, int partno);
+
+ static inline void disk_put_part(struct hd_struct *part)
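Review bot: `__disk_get_part()` is exposed through include/linux/genhd.h without any comment on its calling rules, although guard_bio_eod() shows it being called inside `rcu_read_lock()`/`rcu_read_unlock()` and, unlike the `disk_get_part()`/`disk_put_part()` pair declared next to it, with no put afterwards. A comment on the new declaration, e.g. `/* caller must hold rcu_read_lock(); presumably no reference is taken on the returned part */`, would keep a new caller from using the pointer outside the RCU section. The helper's definition is not part of this patch, so the exact contract should be confirmed there.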
diff --git a/queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch b/queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
new file mode 100644
index 00000000000..71b5f99aa74
--- /dev/null
+++ b/queue-4.14/fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
@@ -0,0 +1,55 @@ +From a0b3bc855374c50b5ea85273553485af48caf2f7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 29 Oct 2017 06:30:19 -0400 +Subject: fscrypt: lock mutex before checking for bounce page pool + +From: Eric Biggers + +commit a0b3bc855374c50b5ea85273553485af48caf2f7 upstream. + +fscrypt_initialize(), which allocates the global bounce page pool when +an encrypted file is first accessed, uses "double-checked locking" to +try to avoid locking fscrypt_init_mutex. However, it doesn't use any +memory barriers, so it's theoretically possible for a thread to observe +a bounce page pool which has not been fully initialized. This is a +classic bug with "double-checked locking". + +While "only a theoretical issue" in the latest kernel, in pre-4.8 +kernels the pointer that was checked was not even the last to be +initialized, so it was easily possible for a crash (NULL pointer +dereference) to happen. This was changed only incidentally by the large +refactor to use fs/crypto/. + +Solve both problems in a trivial way that can easily be backported: just +always take the mutex. It's theoretically less efficient, but it +shouldn't be noticeable in practice as the mutex is only acquired very +briefly once per encrypted file. + +Later I'd like to make this use a helper macro like DO_ONCE(). However, +DO_ONCE() runs in atomic context, so we'd need to add a new macro that +allows blocking. + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/crypto/crypto.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/fs/crypto/crypto.c ++++ b/fs/crypto/crypto.c +@@ -410,11 +410,8 @@ int fscrypt_initialize(unsigned int cop_ + { + int i, res = -ENOMEM; + +- /* +- * No need to allocate a bounce page pool if there already is one or +- * this FS won't use it. +- */ +- if (cop_flags & FS_CFLG_OWN_PAGES || fscrypt_bounce_page_pool) ++ /* No need to allocate a bounce page pool if this FS won't use it. 
*/ ++ if (cop_flags & FS_CFLG_OWN_PAGES) + return 0; + + mutex_lock(&fscrypt_init_mutex); diff --git a/queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch b/queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch new file mode 100644 index 00000000000..58b9f9f82f8 --- /dev/null +++ b/queue-4.14/fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch 
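Review bot: With the unlocked `fscrypt_bounce_page_pool` test removed from fscrypt_initialize(), the shortened comment no longer says that the pool is deliberately checked only under `fscrypt_init_mutex`, which invites someone to re-add the lock-free fast path. I would add a line before `mutex_lock()` such as `/* Always take the mutex: an unlocked check of the pool pointer would need memory barriers */`. The check that is expected to follow the lock is outside the hunk, so confirm it is still there.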
@@ -0,0 +1,157 @@ +From 24c20305c7fc8959836211cb8c50aab93ae0e54f Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 30 Oct 2017 21:14:55 +0100 +Subject: fsnotify: clean up fsnotify_prepare/finish_user_wait() + +From: Miklos Szeredi + +commit 24c20305c7fc8959836211cb8c50aab93ae0e54f upstream. + +This patch doesn't actually fix any bug, just paves the way for fixing mark +and group pinning. + +Reviewed-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/mark.c | 98 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 49 insertions(+), 49 deletions(-) + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -109,16 +109,6 @@ void fsnotify_get_mark(struct fsnotify_m + atomic_inc(&mark->refcnt); + } + +-/* +- * Get mark reference when we found the mark via lockless traversal of object +- * list. Mark can be already removed from the list by now and on its way to be +- * destroyed once SRCU period ends. +- */ +-static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) +-{ +- return atomic_inc_not_zero(&mark->refcnt); +-} +- + static void __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) + { + u32 new_mask = 0; +@@ -256,32 +246,63 @@ void fsnotify_put_mark(struct fsnotify_m + FSNOTIFY_REAPER_DELAY); + } + +-bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info) ++/* ++ * Get mark reference when we found the mark via lockless traversal of object ++ * list. Mark can be already removed from the list by now and on its way to be ++ * destroyed once SRCU period ends. ++ * ++ * Also pin the group so it doesn't disappear under us. 
++ */ ++static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) + { + struct fsnotify_group *group; + +- if (WARN_ON_ONCE(!iter_info->inode_mark && !iter_info->vfsmount_mark)) +- return false; +- +- if (iter_info->inode_mark) +- group = iter_info->inode_mark->group; +- else +- group = iter_info->vfsmount_mark->group; ++ if (!mark) ++ return true; + ++ group = mark->group; + /* + * Since acquisition of mark reference is an atomic op as well, we can + * be sure this inc is seen before any effect of refcount increment. + */ + atomic_inc(&group->user_waits); ++ if (atomic_inc_not_zero(&mark->refcnt)) ++ return true; ++ ++ if (atomic_dec_and_test(&group->user_waits) && group->shutdown) ++ wake_up(&group->notification_waitq); ++ ++ return false; ++} ++ ++/* ++ * Puts marks and wakes up group destruction if necessary. ++ * ++ * Pairs with fsnotify_get_mark_safe() ++ */ ++static void fsnotify_put_mark_wake(struct fsnotify_mark *mark) ++{ ++ if (mark) { ++ struct fsnotify_group *group = mark->group; + +- if (iter_info->inode_mark) { +- /* This can fail if mark is being removed */ +- if (!fsnotify_get_mark_safe(iter_info->inode_mark)) +- goto out_wait; +- } +- if (iter_info->vfsmount_mark) { +- if (!fsnotify_get_mark_safe(iter_info->vfsmount_mark)) +- goto out_inode; ++ fsnotify_put_mark(mark); ++ /* ++ * We abuse notification_waitq on group shutdown for waiting for ++ * all marks pinned when waiting for userspace. 
++ */ ++ if (atomic_dec_and_test(&group->user_waits) && group->shutdown) ++ wake_up(&group->notification_waitq); ++ } ++} ++ ++bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info) ++{ ++ /* This can fail if mark is being removed */ ++ if (!fsnotify_get_mark_safe(iter_info->inode_mark)) ++ return false; ++ if (!fsnotify_get_mark_safe(iter_info->vfsmount_mark)) { ++ fsnotify_put_mark_wake(iter_info->inode_mark); ++ return false; + } + + /* +@@ -292,34 +313,13 @@ bool fsnotify_prepare_user_wait(struct f + srcu_read_unlock(&fsnotify_mark_srcu, iter_info->srcu_idx); + + return true; +-out_inode: +- if (iter_info->inode_mark) +- fsnotify_put_mark(iter_info->inode_mark); +-out_wait: +- if (atomic_dec_and_test(&group->user_waits) && group->shutdown) +- wake_up(&group->notification_waitq); +- return false; + } + + void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info) + { +- struct fsnotify_group *group = NULL; +- + iter_info->srcu_idx = srcu_read_lock(&fsnotify_mark_srcu); +- if (iter_info->inode_mark) { +- group = iter_info->inode_mark->group; +- fsnotify_put_mark(iter_info->inode_mark); +- } +- if (iter_info->vfsmount_mark) { +- group = iter_info->vfsmount_mark->group; +- fsnotify_put_mark(iter_info->vfsmount_mark); +- } +- /* +- * We abuse notification_waitq on group shutdown for waiting for all +- * marks pinned when waiting for userspace. +- */ +- if (atomic_dec_and_test(&group->user_waits) && group->shutdown) +- wake_up(&group->notification_waitq); ++ fsnotify_put_mark_wake(iter_info->inode_mark); ++ fsnotify_put_mark_wake(iter_info->vfsmount_mark); + } + + /* diff --git a/queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch b/queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch new file mode 100644 index 00000000000..4f82889649d --- /dev/null +++ b/queue-4.14/fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch 
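Review bot: The rewritten fsnotify_prepare_user_wait() no longer has the `WARN_ON_ONCE(!iter_info->inode_mark && !iter_info->vfsmount_mark)` guard, and because fsnotify_get_mark_safe() now returns true for a NULL mark, a call with both marks NULL goes on to drop the SRCU read lock and reports success with nothing pinned. If that case cannot occur, keeping `if (WARN_ON_ONCE(!iter_info->inode_mark && !iter_info->vfsmount_mark)) return false;` at the top of the function would preserve the old contract at no cost. The NULL-returns-true convention also deserves a line in the comment above fsnotify_get_mark_safe(). Part of fsnotify_prepare_user_wait() lies between the two hunks and is not shown.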
@@ -0,0 +1,64 @@ +From 9a31d7ad997f55768c687974ce36b759065b49e5 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 30 Oct 2017 21:14:56 +0100 +Subject: fsnotify: fix pinning group in fsnotify_prepare_user_wait() + +From: Miklos Szeredi + +commit 9a31d7ad997f55768c687974ce36b759065b49e5 upstream. + +Blind increment of group's user_waits is not enough, we could be far enough +in the group's destruction that it isn't taken into account (i.e. grabbing +the mark ref afterwards doesn't guarantee that it was the ref coming from +the _group_ that was grabbed). + +Instead we need to check (under lock) that the mark is still attached to +the group after having obtained a ref to the mark. If not, skip it. + +Reviewed-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 9385a84d7e1f ("fsnotify: Pass fsnotify_iter_info into handle_event handler") +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/mark.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -255,23 +255,20 @@ void fsnotify_put_mark(struct fsnotify_m + */ + static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) + { +- struct fsnotify_group *group; +- + if (!mark) + return true; + +- group = mark->group; +- /* +- * Since acquisition of mark reference is an atomic op as well, we can +- * be sure this inc is seen before any effect of refcount increment. 
+- */ +- atomic_inc(&group->user_waits); +- if (atomic_inc_not_zero(&mark->refcnt)) +- return true; +- +- if (atomic_dec_and_test(&group->user_waits) && group->shutdown) +- wake_up(&group->notification_waitq); +- ++ if (atomic_inc_not_zero(&mark->refcnt)) { ++ spin_lock(&mark->lock); ++ if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) { ++ /* mark is attached, group is still alive then */ ++ atomic_inc(&mark->group->user_waits); ++ spin_unlock(&mark->lock); ++ return true; ++ } ++ spin_unlock(&mark->lock); ++ fsnotify_put_mark(mark); ++ } + return false; + } + diff --git a/queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch b/queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch new file mode 100644 index 00000000000..5f1fb3d5740 --- /dev/null +++ b/queue-4.14/fsnotify-pin-both-inode-and-vfsmount-mark.patch 
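Review bot: fsnotify_get_mark_safe() now fails for two different reasons, a mark whose refcount already reached zero and a mark that is no longer attached, and in the second case it takes and then drops a mark reference; no comment in the new code says so. I would add `/* detached: the group may be going away, so drop the ref and let the caller skip this mark */` above the `fsnotify_put_mark(mark)` call. The function's header comment is only partly visible above the hunk, so check that it still matches the new behaviour.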
@@ -0,0 +1,52 @@ +From 0d6ec079d6aaa098b978d6395973bb027c752a03 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 30 Oct 2017 21:14:55 +0100 +Subject: fsnotify: pin both inode and vfsmount mark + +From: Miklos Szeredi + +commit 0d6ec079d6aaa098b978d6395973bb027c752a03 upstream. + +We may fail to pin one of the marks in fsnotify_prepare_user_wait() when +dropping the srcu read lock, resulting in use after free at the next +iteration. + +Solution is to store both marks in iter_info instead of just the one we'll +be sending the event for. + +Reviewed-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 9385a84d7e1f ("fsnotify: Pass fsnotify_iter_info into handle_event handler") +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/fsnotify.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -335,6 +335,13 @@ int fsnotify(struct inode *to_tell, __u3 + struct fsnotify_mark, obj_list); + vfsmount_group = vfsmount_mark->group; + } ++ /* ++ * Need to protect both marks against freeing so that we can ++ * continue iteration from this place, regardless of which mark ++ * we actually happen to send an event for. ++ */ ++ iter_info.inode_mark = inode_mark; ++ iter_info.vfsmount_mark = vfsmount_mark; + + if (inode_group && vfsmount_group) { + int cmp = fsnotify_compare_groups(inode_group, +@@ -348,9 +355,6 @@ int fsnotify(struct inode *to_tell, __u3 + } + } + +- iter_info.inode_mark = inode_mark; +- iter_info.vfsmount_mark = vfsmount_mark; +- + ret = send_to_group(to_tell, inode_mark, vfsmount_mark, mask, + data, data_is, cookie, file_name, + &iter_info); diff --git a/queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch b/queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch new file mode 100644 index 00000000000..0e2504d88a1 --- /dev/null +++ b/queue-4.14/genirq-track-whether-the-trigger-type-has-been-set.patch 
@@ -0,0 +1,103 @@ +From 4f8413a3a799c958f7a10a6310a451e6b8aef5ad Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 9 Nov 2017 14:17:59 +0000 +Subject: genirq: Track whether the trigger type has been set + +From: Marc Zyngier + +commit 4f8413a3a799c958f7a10a6310a451e6b8aef5ad upstream. + +When requesting a shared interrupt, we assume that the firmware +support code (DT or ACPI) has called irqd_set_trigger_type +already, so that we can retrieve it and check that the requester +is being reasonnable. + +Unfortunately, we still have non-DT, non-ACPI systems around, +and these guys won't call irqd_set_trigger_type before requesting +the interrupt. The consequence is that we fail the request that +would have worked before. + +We can either chase all these use cases (boring), or address it +in core code (easier). Let's have a per-irq_desc flag that +indicates whether irqd_set_trigger_type has been called, and +let's just check it when checking for a shared interrupt. +If it hasn't been set, just take whatever the interrupt +requester asks. + +Fixes: 382bd4de6182 ("genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs") +Reported-and-tested-by: Petr Cvek +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irq.h | 11 ++++++++++- + kernel/irq/manage.c | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 2 deletions(-) + +--- a/include/linux/irq.h ++++ b/include/linux/irq.h +@@ -211,6 +211,7 @@ struct irq_data { + * IRQD_MANAGED_SHUTDOWN - Interrupt was shutdown due to empty affinity + * mask. Applies only to affinity managed irqs. 
+ * IRQD_SINGLE_TARGET - IRQ allows only a single affinity target ++ * IRQD_DEFAULT_TRIGGER_SET - Expected trigger already been set + */ + enum { + IRQD_TRIGGER_MASK = 0xf, +@@ -231,6 +232,7 @@ enum { + IRQD_IRQ_STARTED = (1 << 22), + IRQD_MANAGED_SHUTDOWN = (1 << 23), + IRQD_SINGLE_TARGET = (1 << 24), ++ IRQD_DEFAULT_TRIGGER_SET = (1 << 25), + }; + + #define __irqd_to_state(d) ACCESS_PRIVATE((d)->common, state_use_accessors) +@@ -260,18 +262,25 @@ static inline void irqd_mark_affinity_wa + __irqd_to_state(d) |= IRQD_AFFINITY_SET; + } + ++static inline bool irqd_trigger_type_was_set(struct irq_data *d) ++{ ++ return __irqd_to_state(d) & IRQD_DEFAULT_TRIGGER_SET; ++} ++ + static inline u32 irqd_get_trigger_type(struct irq_data *d) + { + return __irqd_to_state(d) & IRQD_TRIGGER_MASK; + } + + /* +- * Must only be called inside irq_chip.irq_set_type() functions. ++ * Must only be called inside irq_chip.irq_set_type() functions or ++ * from the DT/ACPI setup code. + */ + static inline void irqd_set_trigger_type(struct irq_data *d, u32 type) + { + __irqd_to_state(d) &= ~IRQD_TRIGGER_MASK; + __irqd_to_state(d) |= type & IRQD_TRIGGER_MASK; ++ __irqd_to_state(d) |= IRQD_DEFAULT_TRIGGER_SET; + } + + static inline bool irqd_is_level_type(struct irq_data *d) +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1245,7 +1245,18 @@ __setup_irq(unsigned int irq, struct irq + * set the trigger type must match. Also all must + * agree on ONESHOT. + */ +- unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data); ++ unsigned int oldtype; ++ ++ /* ++ * If nobody did set the configuration before, inherit ++ * the one provided by the requester. ++ */ ++ if (irqd_trigger_type_was_set(&desc->irq_data)) { ++ oldtype = irqd_get_trigger_type(&desc->irq_data); ++ } else { ++ oldtype = new->flags & IRQF_TRIGGER_MASK; ++ irqd_set_trigger_type(&desc->irq_data, oldtype); ++ } + + if (!((old->flags & new->flags) & IRQF_SHARED) || + (oldtype != (new->flags & IRQF_TRIGGER_MASK)) || 
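Review bot: The kernel-doc line added for `IRQD_DEFAULT_TRIGGER_SET` in include/linux/irq.h is ungrammatical and does not say what sets the bit. Since `irqd_set_trigger_type()` now sets it unconditionally on every call, I would word it as `IRQD_DEFAULT_TRIGGER_SET - Trigger type has been recorded via irqd_set_trigger_type()`. The new `irqd_trigger_type_was_set()` helper has no comment either; a one-line `/* True once irqd_set_trigger_type() has been called for this irq */` would do. In the `__setup_irq()` hunk the else branch records whatever the requester passes, including an empty trigger mask, as the reference type for later sharers; that looks intended from the commit message but deserves a word in the comment. `__setup_irq()` starts and ends outside the hunk.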
diff --git a/queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch b/queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch
new file mode 100644
index 00000000000..cdfd73795fb
--- /dev/null
+++ b/queue-4.14/irqchip-gic-v3-fix-ppi-partitions-lookup.patch
@@ -0,0 +1,59 @@
+From 00ee9a1ca5080202bc37b44e998c3b2c74d45817 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Sat, 11 Nov 2017 17:51:25 +0100
+Subject: irqchip/gic-v3: Fix ppi-partitions lookup
+
+From: Johan Hovold
+
+commit 00ee9a1ca5080202bc37b44e998c3b2c74d45817 upstream.
+
+Fix child-node lookup during initialisation, which ended up searching
+the whole device tree depth-first starting at the parent rather than
+just matching on its children.
+
+To make things worse, the parent gic node was prematurely freed, while
+the ppi-partitions node was leaked.
+
+Fixes: e3825ba1af3a ("irqchip/gic-v3: Add support for partitioned PPIs")
+Signed-off-by: Johan Hovold
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-gic-v3.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1071,18 +1071,18 @@ static void __init gic_populate_ppi_part
+ int nr_parts;
+ struct partition_affinity *parts;
+
+- parts_node = of_find_node_by_name(gic_node, "ppi-partitions");
++ parts_node = of_get_child_by_name(gic_node, "ppi-partitions");
+ if (!parts_node)
+ return;
+
+ nr_parts = of_get_child_count(parts_node);
+
+ if (!nr_parts)
+- return;
++ goto out_put_node;
+
+ parts = kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL);
+ if (WARN_ON(!parts))
+- return;
++ goto out_put_node;
+
+ for_each_child_of_node(parts_node, child_part) {
+ struct partition_affinity *part;
+@@ -1149,6 +1149,9 @@ static void __init gic_populate_ppi_part
+
+ gic_data.ppi_descs[i] = desc;
+ }
++
++out_put_node:
++ of_node_put(parts_node);
+ }
+
+ static void __init gic_of_setup_kvm_info(struct device_node *node)
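Review bot: The allocation kept as context in this hunk, `kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL)`, multiplies by a count taken from `of_get_child_count()` without an overflow check. `parts = kcalloc(nr_parts, sizeof(*parts), GFP_KERNEL);` performs the same zeroed allocation with the check built in. The new `out_put_node` label releases `parts_node` on the two early exits shown and on the normal fall-through, but the body between the two inner hunks is not visible, so any `return` there would still skip the put and should be converted as well. gic_populate_ppi_partitions() starts outside the hunk.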
diff --git a/queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch b/queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
new file mode 100644
index 00000000000..05250f6e4ae
--- /dev/null
+++ b/queue-4.14/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
@@ -0,0 +1,47 @@
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is proceeded our of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -2099,12 +2099,14 @@ attach:
+
+ if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+ out_of_order_cmdsn = 1;
+- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++ target_put_sess_cmd(&cmd->se_cmd);
+ return 0;
+- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+ return -1;
++ }
+ }
+ iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
+
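Review bot: The `target_put_sess_cmd(&cmd->se_cmd)` added on the `CMDSN_LOWER_THAN_EXP` branch is only balanced if a reference was taken on every path that reaches `attach:`. The companion patch in this same queue (iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch) moves `target_get_sess_cmd()` out of the `function != ISCSI_TM_FUNC_TASK_REASSIGN` condition. Without it, a TASK_REASSIGN request arriving here would apparently drop a reference it never took, so the series order should place that patch first. A short comment on the branch, e.g. `/* drop the ref taken by target_get_sess_cmd(); cmd is not queued */`, would make the pairing explicit. The enclosing function begins and ends outside the hunk.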
diff --git a/queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch b/queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch new file mode 100644 index 00000000000..d71fe869531 --- /dev/null +++ b/queue-4.14/iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch 
@@ -0,0 +1,89 @@ +From ae072726f6109bb1c94841d6fb3a82dde298ea85 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 27 Oct 2017 12:32:59 -0700 +Subject: iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref + +From: Nicholas Bellinger + +commit ae072726f6109bb1c94841d6fb3a82dde298ea85 upstream. + +Since commit 59b6986dbf fixed a potential NULL pointer dereference +by allocating a se_tmr_req for ISCSI_TM_FUNC_TASK_REASSIGN, the +se_tmr_req is currently leaked by iscsit_free_cmd() because no +iscsi_cmd->se_cmd.se_tfo was associated. + +To address this, treat ISCSI_TM_FUNC_TASK_REASSIGN like any other +TMR and call transport_init_se_cmd() + target_get_sess_cmd() to +setup iscsi_cmd->se_cmd.se_tfo with se_cmd->cmd_kref of 2. + +This will ensure normal release operation once se_cmd->cmd_kref +reaches zero and target_release_cmd_kref() is invoked, se_tmr_req +will be released via existing target_free_cmd_mem() and +core_tmr_release_req() code. + +Reported-by: Donald White +Cc: Donald White +Cc: Mike Christie +Cc: Hannes Reinecke +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1960,7 +1960,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + struct iscsi_tmr_req *tmr_req; + struct iscsi_tm *hdr; + int out_of_order_cmdsn = 0, ret; +- bool sess_ref = false; + u8 function, tcm_function = TMR_UNKNOWN; + + hdr = (struct iscsi_tm *) buf; +@@ -1993,22 +1992,23 @@ iscsit_handle_task_mgt_cmd(struct iscsi_ + + cmd->data_direction = DMA_NONE; + cmd->tmr_req = kzalloc(sizeof(*cmd->tmr_req), GFP_KERNEL); +- if (!cmd->tmr_req) ++ if (!cmd->tmr_req) { + return iscsit_add_reject_cmd(cmd, + ISCSI_REASON_BOOKMARK_NO_RESOURCES, + buf); ++ } ++ ++ transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, ++ conn->sess->se_sess, 0, DMA_NONE, ++ 
TCM_SIMPLE_TAG, cmd->sense_buffer + 2); ++ ++ target_get_sess_cmd(&cmd->se_cmd, true); + + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of + * LIO-Target $FABRIC_MOD + */ + if (function != ISCSI_TM_FUNC_TASK_REASSIGN) { +- transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops, +- conn->sess->se_sess, 0, DMA_NONE, +- TCM_SIMPLE_TAG, cmd->sense_buffer + 2); +- +- target_get_sess_cmd(&cmd->se_cmd, true); +- sess_ref = true; + tcm_function = iscsit_convert_tmf(function); + if (tcm_function == TMR_UNKNOWN) { + pr_err("Unknown iSCSI TMR Function:" +@@ -2124,12 +2124,8 @@ attach: + * For connection recovery, this is also the default action for + * TMR TASK_REASSIGN. + */ +- if (sess_ref) { +- pr_debug("Handle TMR, using sess_ref=true check\n"); +- target_put_sess_cmd(&cmd->se_cmd); +- } +- + iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state); ++ target_put_sess_cmd(&cmd->se_cmd); + return 0; + } + EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd); diff --git a/queue-4.14/isofs-fix-timestamps-beyond-2027.patch b/queue-4.14/isofs-fix-timestamps-beyond-2027.patch new file mode 100644 index 00000000000..ecf914efca8 --- /dev/null +++ b/queue-4.14/isofs-fix-timestamps-beyond-2027.patch 
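Review bot: The return value of `target_get_sess_cmd(&cmd->se_cmd, true)` is discarded, yet the final `target_put_sess_cmd(&cmd->se_cmd)` is now unconditional. If that call can fail (I believe it returns an error while the session is being torn down, which should be confirmed against the target core), the put at the end would not be matched by a successful get. Testing the result with `if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)` and rejecting the request, as the `kzalloc()` failure just above does through `iscsit_add_reject_cmd()`, would keep the refcount symmetric. The early-return paths between the get and `attach:` lie outside the hunk and should be checked for the same pairing.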
@@ -0,0 +1,64 @@ +From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 19 Oct 2017 16:47:48 +0200 +Subject: isofs: fix timestamps beyond 2027 + +From: Arnd Bergmann + +commit 34be4dbf87fc3e474a842305394534216d428f5d upstream. + +isofs uses a 'char' variable to load the number of years since +1900 for an inode timestamp. On architectures that use a signed +char type by default, this results in an invalid date for +anything beyond 2027. + +This changes the function argument to a 'u8' array, which +is defined the same way on all architectures, and unambiguously +lets us use years until 2155. + +This should be backported to all kernels that might still be +in use by that date. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/isofs/isofs.h | 2 +- + fs/isofs/rock.h | 2 +- + fs/isofs/util.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -107,7 +107,7 @@ static inline unsigned int isonum_733(ch + /* Ignore bigendian datum due to broken mastering programs */ + return get_unaligned_le32(p); + } +-extern int iso_date(char *, int); ++extern int iso_date(u8 *, int); + + struct inode; /* To make gcc happy */ + +--- a/fs/isofs/rock.h ++++ b/fs/isofs/rock.h +@@ -66,7 +66,7 @@ struct RR_PL_s { + }; + + struct stamp { +- char time[7]; ++ __u8 time[7]; /* actually 6 unsigned, 1 signed */ + } __attribute__ ((packed)); + + struct RR_TF_s { +--- a/fs/isofs/util.c ++++ b/fs/isofs/util.c +@@ -16,7 +16,7 @@ + * to GMT. Thus we should always be correct. + */ + +-int iso_date(char * p, int flag) ++int iso_date(u8 *p, int flag) + { + int year, month, day, hour, minute, second, tz; + int crtime; diff --git a/queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch b/queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch new file mode 100644 index 00000000000..9d466f766a1 --- /dev/null 
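Review bot: The comment added to `struct stamp`, `/* actually 6 unsigned, 1 signed */`, records that the seventh byte is signed, but after this change `iso_date()` receives it as `u8` as well. The body of `iso_date()` is outside the hunk, so it is not visible whether the timezone byte is sign-extended explicitly; if it is read straight into `int tz`, negative offsets would come out as large positive values. I would state the requirement at the prototype in isofs.h, e.g. `/* p[0..5] are unsigned; p[6] is a signed GMT offset and must be sign-extended by iso_date() */`. It is also worth confirming that every caller still passing a `char *` field has been switched to `u8`, so the signature change introduces no pointer-signedness warnings.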
+++ b/queue-4.14/iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch 
@@ -0,0 +1,73 @@ +From c2c48ddfc8b03b9ecb51d2832b586497b37531bc Mon Sep 17 00:00:00 2001 +From: Thomas Backlund +Date: Tue, 14 Nov 2017 12:37:51 +0200 +Subject: iwlwifi: fix firmware names for 9000 and A000 series hw + +From: Thomas Backlund + +commit c2c48ddfc8b03b9ecb51d2832b586497b37531bc upstream. + +iwlwifi 9000 and a0000 series hw contains an extra dash in firmware +file name as seeen in modinfo output for kernel 4.14: + +firmware: iwlwifi-9260-th-b0-jf-b0--34.ucode +firmware: iwlwifi-9260-th-a0-jf-a0--34.ucode +firmware: iwlwifi-9000-pu-a0-jf-b0--34.ucode +firmware: iwlwifi-9000-pu-a0-jf-a0--34.ucode +firmware: iwlwifi-QuQnj-a0-hr-a0--34.ucode +firmware: iwlwifi-QuQnj-a0-jf-b0--34.ucode +firmware: iwlwifi-QuQnj-f0-hr-a0--34.ucode +firmware: iwlwifi-Qu-a0-jf-b0--34.ucode +firmware: iwlwifi-Qu-a0-hr-a0--34.ucode + +Fix that by dropping the extra adding of '"-"'. + +Signed-off-by: Thomas Backlund +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 6 +++--- + drivers/net/wireless/intel/iwlwifi/cfg/a000.c | 10 +++++----- + 2 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c +@@ -79,11 +79,11 @@ + #define IWL9000_MODULE_FIRMWARE(api) \ + IWL9000_FW_PRE "-" __stringify(api) ".ucode" + #define IWL9000RFB_MODULE_FIRMWARE(api) \ +- IWL9000RFB_FW_PRE "-" __stringify(api) ".ucode" ++ IWL9000RFB_FW_PRE __stringify(api) ".ucode" + #define IWL9260A_MODULE_FIRMWARE(api) \ +- IWL9260A_FW_PRE "-" __stringify(api) ".ucode" ++ IWL9260A_FW_PRE __stringify(api) ".ucode" + #define IWL9260B_MODULE_FIRMWARE(api) \ +- IWL9260B_FW_PRE "-" __stringify(api) ".ucode" ++ IWL9260B_FW_PRE __stringify(api) ".ucode" + + #define NVM_HW_SECTION_NUM_FAMILY_9000 10 + +--- a/drivers/net/wireless/intel/iwlwifi/cfg/a000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/a000.c +@@ -80,15 +80,15 @@ + #define IWL_A000_HR_A0_FW_PRE 
"iwlwifi-QuQnj-a0-hr-a0-" + + #define IWL_A000_HR_MODULE_FIRMWARE(api) \ +- IWL_A000_HR_FW_PRE "-" __stringify(api) ".ucode" ++ IWL_A000_HR_FW_PRE __stringify(api) ".ucode" + #define IWL_A000_JF_MODULE_FIRMWARE(api) \ +- IWL_A000_JF_FW_PRE "-" __stringify(api) ".ucode" ++ IWL_A000_JF_FW_PRE __stringify(api) ".ucode" + #define IWL_A000_HR_F0_QNJ_MODULE_FIRMWARE(api) \ +- IWL_A000_HR_F0_FW_PRE "-" __stringify(api) ".ucode" ++ IWL_A000_HR_F0_FW_PRE __stringify(api) ".ucode" + #define IWL_A000_JF_B0_QNJ_MODULE_FIRMWARE(api) \ +- IWL_A000_JF_B0_FW_PRE "-" __stringify(api) ".ucode" ++ IWL_A000_JF_B0_FW_PRE __stringify(api) ".ucode" + #define IWL_A000_HR_A0_QNJ_MODULE_FIRMWARE(api) \ +- IWL_A000_HR_A0_FW_PRE "-" __stringify(api) ".ucode" ++ IWL_A000_HR_A0_FW_PRE __stringify(api) ".ucode" + + #define NVM_HW_SECTION_NUM_FAMILY_A000 10 + diff --git a/queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch b/queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch new file mode 100644 index 00000000000..52101b0fc2d --- /dev/null +++ b/queue-4.14/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch 
@@ -0,0 +1,42 @@ +From b11270853fa3654f08d4a6a03b23ddb220512d8d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 6 Nov 2017 21:57:26 -0800 +Subject: libceph: don't WARN() if user tries to add invalid key + +From: Eric Biggers + +commit b11270853fa3654f08d4a6a03b23ddb220512d8d upstream. + +The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a +user tries to add a key of type "ceph" with an invalid payload as +follows (assuming CONFIG_CEPH_LIB=y): + + echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \ + | keyctl padd ceph desc @s + +This can be hit by fuzzers. As this is merely bad input and not a +kernel bug, replace the WARN_ON() with return -EINVAL. + +Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request") +Signed-off-by: Eric Biggers +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/crypto.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ceph/crypto.c ++++ b/net/ceph/crypto.c +@@ -37,7 +37,9 @@ static int set_secret(struct ceph_crypto + return -ENOTSUPP; + } + +- WARN_ON(!key->len); ++ if (!key->len) ++ return -EINVAL; ++ + key->key = kmemdup(buf, key->len, GFP_NOIO); + if (!key->key) { + ret = -ENOMEM; diff --git a/queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch b/queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch new file mode 100644 index 00000000000..676f0f4846f --- /dev/null +++ b/queue-4.14/lockd-double-unregister-of-inetaddr-notifiers.patch 
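Review bot: The new `if (!key->len) return -EINVAL;` in set_secret() should carry a comment saying why this is an error return and not an assertion, e.g. `/* key->len comes from a user-supplied add_key() payload: reject it, don't WARN */`. A WARN reachable from user input floods the log, and on systems booted with panic_on_warn it becomes a denial of service, so the rationale belongs next to the check. The hunk only rejects a zero length; whether `key->len` is bounded against the remaining payload before `kmemdup(buf, key->len, GFP_NOIO)` is decided outside the hunk and should be confirmed there.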
@@ -0,0 +1,71 @@
+From dc3033e16c59a2c4e62b31341258a5786cbcee56 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Fri, 20 Oct 2017 17:33:18 +0300
+Subject: lockd: double unregister of inetaddr notifiers
+
+From: Vasily Averin
+
+commit dc3033e16c59a2c4e62b31341258a5786cbcee56 upstream.
+
+lockd_up() can call lockd_unregister_notifiers twice:
+inside lockd_start_svc() when it calls lockd_svc_exit_thread()
+and then in error path of lockd_up()
+
+Patch forces lockd_start_svc() to unregister notifiers in all error cases
+and removes extra unregister in error path of lockd_up().
+
+Fixes: cb7d224f82e4 "lockd: unregister notifier blocks if the service ..."
+Signed-off-by: Vasily Averin
+Reviewed-by: Jeff Layton
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/lockd/svc.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -369,6 +369,7 @@ static int lockd_start_svc(struct svc_se
+ printk(KERN_WARNING
+ "lockd_up: svc_rqst allocation failed, error=%d\n",
+ error);
++ lockd_unregister_notifiers();
+ goto out_rqst;
+ }
+
+@@ -459,13 +460,16 @@ int lockd_up(struct net *net)
+ }
+
+ error = lockd_up_net(serv, net);
+- if (error < 0)
+- goto err_net;
++ if (error < 0) {
++ lockd_unregister_notifiers();
++ goto err_put;
++ }
+
+ error = lockd_start_svc(serv);
+- if (error < 0)
+- goto err_start;
+-
++ if (error < 0) {
++ lockd_down_net(serv, net);
++ goto err_put;
++ }
+ nlmsvc_users++;
+ /*
+ * Note: svc_serv structures have an initial use count of 1,
+@@ -476,12 +480,6 @@ err_put:
+ err_create:
+ mutex_unlock(&nlmsvc_mutex);
+ return error;
+-
+-err_start:
+- lockd_down_net(serv, net);
+-err_net:
+- lockd_unregister_notifiers();
+- goto err_put;
+ }
+ EXPORT_SYMBOL_GPL(lockd_up);
+
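Review bot: After this change lockd_up() no longer unregisters the notifiers when lockd_start_svc() fails, so correctness depends on every failure path inside lockd_start_svc() doing it. Only the svc_rqst allocation path is visible in the hunk, where `lockd_unregister_notifiers();` is added. The commit message says the other failure already unregisters through lockd_svc_exit_thread(), which is outside the hunk. I would pin the contract with a comment above the call in lockd_up(), e.g. `/* lockd_start_svc() unregisters the inetaddr notifiers itself on failure */`, so a later error path added to lockd_start_svc() reintroduces neither the leak nor the double unregister.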
diff --git a/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch new file mode 100644 index 00000000000..b4a1efa9fbc --- /dev/null +++ b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch 
@@ -0,0 +1,70 @@ +From a371c10ea4b38a5f120e86d906d404d50a0f4660 Mon Sep 17 00:00:00 2001 +From: Anup Patel +Date: Tue, 3 Oct 2017 10:51:48 +0530 +Subject: mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence + +From: Anup Patel + +commit a371c10ea4b38a5f120e86d906d404d50a0f4660 upstream. + +As-per suggestion from FlexRM HW folks, we have to first set +FlexRM ring flush state and then clear it for FlexRM ring flush +to work properly. + +Currently, the FlexRM driver has incomplete FlexRM ring flush +sequence which causes repeated insmod+rmmod of mailbox client +drivers to fail. + +This patch fixes FlexRM ring flush sequence in flexrm_shutdown() +as described above. + +Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM +ring manager") + +Signed-off-by: Anup Patel +Reviewed-by: Scott Branden +Signed-off-by: Jassi Brar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mailbox/bcm-flexrm-mailbox.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/drivers/mailbox/bcm-flexrm-mailbox.c ++++ b/drivers/mailbox/bcm-flexrm-mailbox.c +@@ -1365,8 +1365,8 @@ static void flexrm_shutdown(struct mbox_ + /* Disable/inactivate ring */ + writel_relaxed(0x0, ring->regs + RING_CONTROL); + +- /* Flush ring with timeout of 1s */ +- timeout = 1000; ++ /* Set ring flush state */ ++ timeout = 1000; /* timeout of 1s */ + writel_relaxed(BIT(CONTROL_FLUSH_SHIFT), + ring->regs + RING_CONTROL); + do { +@@ -1374,7 +1374,23 @@ static void flexrm_shutdown(struct mbox_ + FLUSH_DONE_MASK) + break; + mdelay(1); +- } while (timeout--); ++ } while (--timeout); ++ if (!timeout) ++ dev_err(ring->mbox->dev, ++ "setting ring%d flush state timedout\n", ring->num); ++ ++ /* Clear ring flush state */ ++ timeout = 1000; /* timeout of 1s */ ++ writel_relaxed(0x0, ring + RING_CONTROL); ++ do { ++ if (!(readl_relaxed(ring + RING_FLUSH_DONE) & ++ FLUSH_DONE_MASK)) ++ break; ++ mdelay(1); ++ } while (--timeout); ++ if (!timeout) ++ dev_err(ring->mbox->dev, ++ 
"clearing ring%d flush state timedout\n", ring->num); + + /* Abort all in-flight requests */ + for (reqid = 0; reqid < RING_MAX_REQ_COUNT; reqid++) { diff --git a/queue-4.14/md-bitmap-revert-a-patch.patch b/queue-4.14/md-bitmap-revert-a-patch.patch new file mode 100644 index 00000000000..529b6d1d849 --- /dev/null +++ b/queue-4.14/md-bitmap-revert-a-patch.patch @@ -0,0 +1,42 @@ +From 938b533d479e7428b7fa1b8179283646d2e2c53d Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Mon, 16 Oct 2017 19:03:44 -0700 +Subject: md/bitmap: revert a patch + +From: Shaohua Li + +commit 938b533d479e7428b7fa1b8179283646d2e2c53d upstream. + +This reverts commit 8031c3ddc70a. That patches doesn't work well if PAGE_SIZE > +4k. We will fix the original problem with a different approach. + +Fix: 8031c3ddc70a(md/bitmap: copy correct data for bitmap super) +Reported-by: Joshua Kinard +Suggested-by: Neil Brown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bitmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -625,7 +625,7 @@ re_read: + err = read_sb_page(bitmap->mddev, + offset, + sb_page, +- 0, PAGE_SIZE); ++ 0, sizeof(bitmap_super_t)); + } + if (err) + return err; +@@ -2123,7 +2123,7 @@ int bitmap_resize(struct bitmap *bitmap, + if (store.sb_page && bitmap->storage.sb_page) + memcpy(page_address(store.sb_page), + page_address(bitmap->storage.sb_page), +- PAGE_SIZE); ++ sizeof(bitmap_super_t)); + bitmap_file_unmap(&bitmap->storage); + bitmap->storage = store; + diff --git a/queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch b/queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch new file mode 100644 index 00000000000..7af630188f6 --- /dev/null +++ b/queue-4.14/md-don-t-check-md_sb_change_clean-in-md_allow_write.patch 
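Review bot: The new "Clear ring flush state" block addresses the registers as `ring + RING_CONTROL` and `ring + RING_FLUSH_DONE`, while the set-flush block just above it uses `ring->regs + RING_CONTROL`. `ring` is dereferenced elsewhere in the hunk as `ring->regs`, `ring->mbox` and `ring->num`, so it is the ring structure and the arithmetic is on the struct pointer. The write and the poll therefore miss the MMIO window and touch unrelated memory. The two lines should read `writel_relaxed(0x0, ring->regs + RING_CONTROL);` and `if (!(readl_relaxed(ring->regs + RING_FLUSH_DONE) &`. flexrm_shutdown() starts outside the hunk.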
@@ -0,0 +1,57 @@ +From b90f6ff080c52e2f05364210733df120e3c4e597 Mon Sep 17 00:00:00 2001 +From: Artur Paszkiewicz +Date: Thu, 26 Oct 2017 15:56:54 +0200 +Subject: md: don't check MD_SB_CHANGE_CLEAN in md_allow_write + +From: Artur Paszkiewicz + +commit b90f6ff080c52e2f05364210733df120e3c4e597 upstream. + +Only MD_SB_CHANGE_PENDING should be used to wait for transition from +clean to dirty. Checking also MD_SB_CHANGE_CLEAN is unnecessary and can +race with e.g. md_do_sync(). This sporadically causes a hang when +changing consistency policy during resync: + +INFO: task mdadm:6183 blocked for more than 30 seconds. + Not tainted 4.14.0-rc3+ #391 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +mdadm D12752 6183 6022 0x00000000 +Call Trace: + __schedule+0x93f/0x990 + schedule+0x6b/0x90 + md_allow_write+0x100/0x130 [md_mod] + ? do_wait_intr_irq+0x90/0x90 + resize_stripes+0x3a/0x5b0 [raid456] + ? kernfs_fop_write+0xbe/0x180 + raid5_change_consistency_policy+0xa6/0x200 [raid456] + consistency_policy_store+0x2e/0x70 [md_mod] + md_attr_store+0x90/0xc0 [md_mod] + sysfs_kf_write+0x42/0x50 + kernfs_fop_write+0x119/0x180 + __vfs_write+0x28/0x110 + ? rcu_sync_lockdep_assert+0x12/0x60 + ? __sb_start_write+0x15a/0x1c0 + ? 
vfs_write+0xa3/0x1a0 + vfs_write+0xb4/0x1a0 + SyS_write+0x49/0xa0 + entry_SYSCALL_64_fastpath+0x18/0xad + +Fixes: 2214c260c72b ("md: don't return -EAGAIN in md_allow_write for external metadata arrays") +Signed-off-by: Artur Paszkiewicz +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8111,7 +8111,6 @@ void md_allow_write(struct mddev *mddev) + sysfs_notify_dirent_safe(mddev->sysfs_state); + /* wait for the dirty state to be recorded in the metadata */ + wait_event(mddev->sb_wait, +- !test_bit(MD_SB_CHANGE_CLEAN, &mddev->sb_flags) && + !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags)); + } else + spin_unlock(&mddev->lock); diff --git a/queue-4.14/md-fix-deadlock-error-in-recent-patch.patch b/queue-4.14/md-fix-deadlock-error-in-recent-patch.patch new file mode 100644 index 00000000000..ce40d47fc9e --- /dev/null +++ b/queue-4.14/md-fix-deadlock-error-in-recent-patch.patch 
@@ -0,0 +1,39 @@ +From d47c8ad261f787af22a220ffcc2d07afba809223 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 5 Oct 2017 16:23:16 +1100 +Subject: md: fix deadlock error in recent patch. + +From: NeilBrown + +commit d47c8ad261f787af22a220ffcc2d07afba809223 upstream. + +A recent patch aimed to cause md_write_start() to fail (rather than +block) when the mddev was suspending, so as to avoid deadlocks. +Unfortunately the test in wait_event() was wrong, and it didn't change +behaviour at all. + +We wait_event() must wait until the metadata is written OR the array is +suspending. + +Fixes: cc27b0c78c79 ("md: fix deadlock between mddev_suspend() and md_write_start()") +Reported-by: Xiao Ni +Signed-off-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8039,7 +8039,8 @@ bool md_write_start(struct mddev *mddev, + if (did_change) + sysfs_notify_dirent_safe(mddev->sysfs_state); + wait_event(mddev->sb_wait, +- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) && !mddev->suspended); ++ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) || ++ mddev->suspended); + if (test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags)) { + percpu_ref_put(&mddev->writes_pending); + return false; diff --git a/queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch b/queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch new file mode 100644 index 00000000000..09a07552e1f --- /dev/null +++ b/queue-4.14/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch 
@@ -0,0 +1,31 @@ +From 07d70913dce59f3c8e5d0ca76250861158a9ca6c Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 11 Oct 2017 12:40:55 +0200 +Subject: mfd: lpc_ich: Avoton/Rangeley uses SPI_BYT method + +From: Joakim Tjernlund + +commit 07d70913dce59f3c8e5d0ca76250861158a9ca6c upstream. + +Avoton/Rangeley are based on Silvermount micro-architecture, like +Bay Trail, and uses the INTEL_SPI_BYT method to drive SPI. + +Signed-off-by: Joakim Tjernlund +Acked-by: Mika Westerberg +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/lpc_ich.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mfd/lpc_ich.c ++++ b/drivers/mfd/lpc_ich.c +@@ -522,6 +522,7 @@ static struct lpc_ich_info lpc_chipset_i + .name = "Avoton SoC", + .iTCO_version = 3, + .gpio_version = AVOTON_GPIO, ++ .spi_type = INTEL_SPI_BYT, + }, + [LPC_BAYTRAIL] = { + .name = "Bay Trail SoC", diff --git a/queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch b/queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch new file mode 100644 index 00000000000..8999c7bb73f --- /dev/null +++ b/queue-4.14/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch 
@@ -0,0 +1,39 @@ +From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001 +From: Mirko Parthey +Date: Thu, 18 May 2017 21:30:03 +0200 +Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirko Parthey + +commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream. + +The WLAN LED on the Linksys WRT54GSv1 is active low, but the software +treats it as active high. Fix the inverted logic. + +Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0") +Signed-off-by: Mirko Parthey +Looks-ok-by: Rafał Miłecki +Cc: Hauke Mehrtens +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16071/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/bcm47xx/leds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/bcm47xx/leds.c ++++ b/arch/mips/bcm47xx/leds.c +@@ -331,7 +331,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init + /* Verified on: WRT54GS V1.0 */ + static const struct gpio_led + bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = { +- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF), ++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF), + BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON), + BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF), + }; diff --git a/queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch b/queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch new file mode 100644 index 00000000000..cfccc4b8671 --- /dev/null +++ b/queue-4.14/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch 
@@ -0,0 +1,32 @@ +From 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Sun, 5 Nov 2017 14:30:52 +0900 +Subject: MIPS: dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry + +From: Masahiro Yamada + +commit 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 upstream. + +arch/mips/boot/dts/brcm/bcm96358nb4ser.dts does not exist, so +we cannot build bcm96358nb4ser.dtb . + +Signed-off-by: Masahiro Yamada +Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom") +Acked-by: James Hogan +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/boot/dts/brcm/Makefile | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/mips/boot/dts/brcm/Makefile ++++ b/arch/mips/boot/dts/brcm/Makefile +@@ -23,7 +23,6 @@ dtb-$(CONFIG_DT_NONE) += \ + bcm63268-comtrend-vr-3032u.dtb \ + bcm93384wvg.dtb \ + bcm93384wvg_viper.dtb \ +- bcm96358nb4ser.dtb \ + bcm96368mvwg.dtb \ + bcm9ejtagprb.dtb \ + bcm97125cbmb.dtb \ diff --git a/queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch b/queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch new file mode 100644 index 00000000000..373d7bbdff8 --- /dev/null +++ b/queue-4.14/mips-fix-an-n32-core-file-generation-regset-support-regression.patch 
@@ -0,0 +1,83 @@
+From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Tue, 7 Nov 2017 19:09:20 +0000
+Subject: MIPS: Fix an n32 core file generation regset support regression
+
+From: Maciej W. Rozycki
+
+commit 547da673173de51f73887377eb275304775064ad upstream.
+
+Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
+core dumper to use regsets.)", that caused n32 processes to dump o32
+core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
+header's `e_flags' member:
+
+$ file tls-core
+tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...]
+$ ./tls-core
+Aborted (core dumped)
+$ file core
+core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
+$
+
+Previously the flag was set as the result of a:
+
+statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
+regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
+no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
+`->e_flags' member of the regset view chosen is. We have the views
+defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
+one, and the latter is used for n32 as well. Consequently an o32 core
+file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
+is chosen elsewhere, and the 32-bit one is correctly selected for n32).
+
+Correct the issue then by defining an n32 regset view and using it as
+appropriate. Issue discovered in GDB testing.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: Maciej W.
Rozycki
+Cc: Ralf Baechle
+Cc: Djordje Todorovic
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17617/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/ptrace.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -618,6 +618,19 @@ static const struct user_regset_view use
+ .n = ARRAY_SIZE(mips64_regsets),
+ };
+
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++ .name = "mipsn32",
++ .e_flags = EF_MIPS_ABI2,
++ .e_machine = ELF_ARCH,
++ .ei_osabi = ELF_OSABI,
++ .regsets = mips64_regsets,
++ .n = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -629,6 +642,10 @@ const struct user_regset_view *task_user
+ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return &user_mips_view;
+ #endif
++#ifdef CONFIG_MIPS32_N32
++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++ return &user_mipsn32_view;
++#endif
+ return &user_mips64_view;
+ #endif
+ }
diff --git a/queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch b/queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
new file mode 100644
index 00000000000..004ac30d1e2
--- /dev/null
+++ b/queue-4.14/mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
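Review bot: In `task_user_regset_view()` the new `TIF_32BIT_ADDR` test picks the n32 view only because it runs after the `TIF_32BIT_REGS` test, and nothing in the code records that dependency. Presumably o32 tasks carry both flags and n32 tasks only `TIF_32BIT_ADDR` (the flag setup is outside this hunk, so confirm), in which case swapping the two blocks would label o32 dumps as n32. A one-line comment above the new test would pin this, e.g. `/* n32: 32-bit addresses, 64-bit registers; o32 was handled above */`. Debuggers and crash-triage tooling trust `e_flags` to choose the ABI, so a wrong view mislabels the core file. The function body starts before the hunk.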
@@ -0,0 +1,123 @@
+From 22b8ba765a726d90e9830ff6134c32b04f12c10f Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Mon, 3 Jul 2017 23:41:47 +0100
+Subject: MIPS: Fix MIPS64 FP save/restore on 32-bit kernels
+
+From: James Hogan
+
+commit 22b8ba765a726d90e9830ff6134c32b04f12c10f upstream.
+
+32-bit kernels can be configured to support MIPS64, in which case
+neither CONFIG_64BIT or CONFIG_CPU_MIPS32_R* will be set. This causes
+the CP0_Status.FR checks at the point of floating point register save
+and restore to be compiled out, which results in odd FP registers not
+being saved or restored to the task or signal context even when
+CP0_Status.FR is set.
+
+Fix the ifdefs to use CONFIG_CPU_MIPSR2 and CONFIG_CPU_MIPSR6, which are
+enabled for the relevant revisions of either MIPS32 or MIPS64, along
+with some other CPUs such as Octeon (r2), Loongson1 (r2), XLP (r2),
+Loongson 3A R2.
+
+The suspect code originates from commit 597ce1723e0f ("MIPS: Support for
+64-bit FP with O32 binaries") in v3.14, however the code in
+__enable_fpu() was consistent and refused to set FR=1, falling back to
+software FPU emulation. This was suboptimal but should be functionally
+correct.
+
+Commit fcc53b5f6c38 ("MIPS: fpu.h: Allow 64-bit FPU on a 64-bit MIPS R6
+CPU") in v4.2 (and stable tagged back to 4.0) later introduced the bug
+by updating __enable_fpu() to set FR=1 but failing to update the other
+similar ifdefs to enable FR=1 state handling.
+
+Fixes: fcc53b5f6c38 ("MIPS: fpu.h: Allow 64-bit FPU on a 64-bit MIPS R6 CPU")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paul Burton
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16739/
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/asmmacro.h | 8 ++++----
+ arch/mips/kernel/r4k_fpu.S | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -130,8 +130,8 @@
+ .endm
+
+ .macro fpu_save_double thread status tmp
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ sll \tmp, \status, 5
+ bgez \tmp, 10f
+ fpu_save_16odd \thread
+@@ -189,8 +189,8 @@
+ .endm
+
+ .macro fpu_restore_double thread status tmp
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ sll \tmp, \status, 5
+ bgez \tmp, 10f # 16 register mode?
+
+--- a/arch/mips/kernel/r4k_fpu.S
++++ b/arch/mips/kernel/r4k_fpu.S
+@@ -40,8 +40,8 @@
+ */
+ LEAF(_save_fp)
+ EXPORT_SYMBOL(_save_fp)
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ mfc0 t0, CP0_STATUS
+ #endif
+ fpu_save_double a0 t0 t1 # clobbers t1
+@@ -52,8 +52,8 @@ EXPORT_SYMBOL(_save_fp)
+ * Restore a thread's fp context.
+ */
+ LEAF(_restore_fp)
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ mfc0 t0, CP0_STATUS
+ #endif
+ fpu_restore_double a0 t0 t1 # clobbers t1
+@@ -246,11 +246,11 @@ LEAF(_save_fp_context)
+ cfc1 t1, fcr31
+ .set pop
+
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ .set push
+ SET_HARDFLOAT
+-#ifdef CONFIG_CPU_MIPS32_R2
++#ifdef CONFIG_CPU_MIPSR2
+ .set mips32r2
+ .set fp=64
+ mfc0 t0, CP0_STATUS
+@@ -314,11 +314,11 @@ LEAF(_save_fp_context)
+ LEAF(_restore_fp_context)
+ EX lw t1, 0(a1)
+
+-#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPS32_R2) || \
+- defined(CONFIG_CPU_MIPS32_R6)
++#if defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || \
++ defined(CONFIG_CPU_MIPSR6)
+ .set push
+ SET_HARDFLOAT
+-#ifdef CONFIG_CPU_MIPS32_R2
++#ifdef CONFIG_CPU_MIPSR2
+ .set mips32r2
+ .set fp=64
+ mfc0 t0, CP0_STATUS
diff --git a/queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch b/queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch
new file mode 100644
index 00000000000..f4b47c47986
--- /dev/null
+++ b/queue-4.14/mips-fix-odd-fp-register-warnings-with-mips64r2.patch
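Review bot: The condition `defined(CONFIG_64BIT) || defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6)` is now written out six times across asmmacro.h and r4k_fpu.S, and the commit message traces this very bug to one such guard being updated while its siblings were not. Evaluating it once in asmmacro.h and testing a single symbol at every site, e.g. `#define MIPS_FPU_FR_AWARE 1` under that condition (the name is only a suggestion), would keep the save and restore paths from drifting apart again. The cost of a missed site is that odd FP registers are skipped on save/restore, so stale register contents can carry over between contexts. In `_save_fp_context` and `_restore_fp_context` the inner guard became `CONFIG_CPU_MIPSR2` but still emits `.set mips32r2`; that looks intentional for a 32-bit kernel but deserves a short comment. Those two bodies continue outside the hunks.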
@@ -0,0 +1,79 @@
+From c7fd89a6407ea3a44a2a2fa12d290162c42499c4 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Fri, 10 Nov 2017 11:46:54 +0000
+Subject: MIPS: Fix odd fp register warnings with MIPS64r2
+
+From: James Hogan
+
+commit c7fd89a6407ea3a44a2a2fa12d290162c42499c4 upstream.
+
+Building 32-bit MIPS64r2 kernels produces warnings like the following
+on certain toolchains (such as GNU assembler 2.24.90, but not GNU
+assembler 2.28.51) since commit 22b8ba765a72 ("MIPS: Fix MIPS64 FP
+save/restore on 32-bit kernels"), due to the exposure of fpu_save_16odd
+from fpu_save_double and fpu_restore_16odd from fpu_restore_double:
+
+arch/mips/kernel/r4k_fpu.S:47: Warning: float register should be even, was 1
+...
+arch/mips/kernel/r4k_fpu.S:59: Warning: float register should be even, was 1
+...
+
+This appears to be because .set mips64r2 does not change the FPU ABI to
+64-bit when -march=mips64r2 (or e.g. -march=xlp) is provided on the
+command line on that toolchain, from the default FPU ABI of 32-bit due
+to the -mabi=32. This makes access to the odd FPU registers invalid.
+
+Fix by explicitly changing the FPU ABI with .set fp=64 directives in
+fpu_save_16odd and fpu_restore_16odd, and moving the undefine of fp up
+in asmmacro.h so fp doesn't turn into $30.
+
+Fixes: 22b8ba765a72 ("MIPS: Fix MIPS64 FP save/restore on 32-bit kernels")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paul Burton
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17656/
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/asmmacro.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -19,6 +19,9 @@
+ #include
+ #endif
+
++/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
++#undef fp
++
+ /*
+ * Helper macros for generating raw instruction encodings.
+ */
+@@ -105,6 +108,7 @@
+ .macro fpu_save_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ sdc1 $f1, THREAD_FPR1(\thread)
+ sdc1 $f3, THREAD_FPR3(\thread)
+@@ -163,6 +167,7 @@
+ .macro fpu_restore_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ ldc1 $f1, THREAD_FPR1(\thread)
+ ldc1 $f3, THREAD_FPR3(\thread)
+@@ -234,9 +239,6 @@
+ .endm
+
+ #ifdef TOOLCHAIN_SUPPORTS_MSA
+-/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
+-#undef fp
+-
+ .macro _cfcmsa rd, cs
+ .set push
+ .set mips32r2
diff --git a/queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch b/queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
new file mode 100644
index 00000000000..07b07da9324
--- /dev/null
+++ b/queue-4.14/mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
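Review bot: Hoisting `#undef fp` to the top of asmmacro.h makes it unconditional, so every file that includes this header loses the `fp` alias for `$30` from that point, where before only `TOOLCHAIN_SUPPORTS_MSA` builds did. An includer that still writes `fp` as a register after the include would presumably have it treated as a plain symbol instead; whether any such user exists cannot be seen from this hunk and is worth a grep before the backport. The moved comment could say so, e.g. `/* ...; code including this header must spell the register as $30 */`.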
@@ -0,0 +1,179 @@
+From 409fcace9963c1e8d2cb0f7ac62e8b34d47ef979 Mon Sep 17 00:00:00 2001
+From: Aleksandar Markovic
+Date: Thu, 2 Nov 2017 12:13:58 +0100
+Subject: MIPS: math-emu: Fix final emulation phase for certain instructions
+
+From: Aleksandar Markovic
+
+commit 409fcace9963c1e8d2cb0f7ac62e8b34d47ef979 upstream.
+
+Fix final phase of .
+emulation. Provide proper generation of SIGFPE signal and updating
+debugfs FP exception stats in cases of any exception flags set in
+preceding phases of emulation.
+
+CLASS. instruction may generate "Unimplemented Operation" FP
+exception. . instructions may generate "Inexact",
+"Unimplemented Operation", "Invalid Operation", "Overflow", and
+"Underflow" FP exceptions. . instructions
+can generate "Unimplemented Operation" and "Invalid Operation" FP
+exceptions.
+
+The proper final processing of the cases when any FP exception
+flag is set is achieved by replacing "break" statement with "goto
+copcsr" statement. With such solution, this patch brings the final
+phase of emulation of the above instructions consistent with the
+one corresponding to the previously implemented emulation of other
+related FPU instructions (ADD, SUB, etc.).
+
+Fixes: 38db37ba069f ("MIPS: math-emu: Add support for the MIPS R6 CLASS FPU instruction")
+Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU instruction")
+Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU instruction")
+Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU instruction")
+Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU instruction")
+Signed-off-by: Aleksandar Markovic
+Cc: Ralf Baechle
+Cc: Douglas Leung
+Cc: Goran Ferenc
+Cc: "Maciej W.
Rozycki"
+Cc: Miodrag Dinic
+Cc: Paul Burton
+Cc: Petar Jovanovic
+Cc: Raghu Gandham
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17581/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/math-emu/cp1emu.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1795,7 +1795,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ SPFROMREG(fd, MIPSInst_FD(ir));
+ rv.s = ieee754sp_maddf(fd, fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmsubf_op: {
+@@ -1809,7 +1809,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ SPFROMREG(fd, MIPSInst_FD(ir));
+ rv.s = ieee754sp_msubf(fd, fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case frint_op: {
+@@ -1834,7 +1834,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ rv.w = ieee754sp_2008class(fs);
+ rfmt = w_fmt;
+- break;
++ goto copcsr;
+ }
+
+ case fmin_op: {
+@@ -1847,7 +1847,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(ft, MIPSInst_FT(ir));
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ rv.s = ieee754sp_fmin(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmina_op: {
+@@ -1860,7 +1860,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(ft, MIPSInst_FT(ir));
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ rv.s = ieee754sp_fmina(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmax_op: {
+@@ -1873,7 +1873,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(ft, MIPSInst_FT(ir));
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ rv.s = ieee754sp_fmax(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmaxa_op: {
+@@ -1886,7 +1886,7 @@ static int fpu_emu(struct pt_regs *xcp,
+ SPFROMREG(ft, MIPSInst_FT(ir));
+ SPFROMREG(fs, MIPSInst_FS(ir));
+ rv.s = ieee754sp_fmaxa(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fabs_op:
+@@ -2165,7 +2165,7 @@ copcsr:
+ DPFROMREG(fs, MIPSInst_FS(ir));
+
DPFROMREG(fd, MIPSInst_FD(ir));
+ rv.d = ieee754dp_maddf(fd, fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmsubf_op: {
+@@ -2179,7 +2179,7 @@ copcsr:
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ DPFROMREG(fd, MIPSInst_FD(ir));
+ rv.d = ieee754dp_msubf(fd, fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case frint_op: {
+@@ -2204,7 +2204,7 @@ copcsr:
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ rv.l = ieee754dp_2008class(fs);
+ rfmt = l_fmt;
+- break;
++ goto copcsr;
+ }
+
+ case fmin_op: {
+@@ -2217,7 +2217,7 @@ copcsr:
+ DPFROMREG(ft, MIPSInst_FT(ir));
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ rv.d = ieee754dp_fmin(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmina_op: {
+@@ -2230,7 +2230,7 @@ copcsr:
+ DPFROMREG(ft, MIPSInst_FT(ir));
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ rv.d = ieee754dp_fmina(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmax_op: {
+@@ -2243,7 +2243,7 @@ copcsr:
+ DPFROMREG(ft, MIPSInst_FT(ir));
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ rv.d = ieee754dp_fmax(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fmaxa_op: {
+@@ -2256,7 +2256,7 @@ copcsr:
+ DPFROMREG(ft, MIPSInst_FT(ir));
+ DPFROMREG(fs, MIPSInst_FS(ir));
+ rv.d = ieee754dp_fmaxa(fs, ft);
+- break;
++ goto copcsr;
+ }
+
+ case fabs_op:
diff --git a/queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch b/queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
new file mode 100644
index 00000000000..b23e598e55d
--- /dev/null
+++ b/queue-4.14/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
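Review bot: `frint_op` sits between the converted `fmsubf_op` and `fclass_op` cases in both the single- and double-precision switches, is left untouched, and its final statement is not visible in these hunks. If it still ends in `break`, any exception flags raised while rounding would bypass the `copcsr` processing exactly as the cases fixed here did, so it is worth confirming that it already ends in `goto copcsr`. Separately, the `copcsr:` shown in the hunk headers ahead of the double-precision cases suggests those jumps go backwards into an earlier switch arm; a comment at the label such as `/* shared exit: records exception flags; also reached from the double-precision cases */` would make that explicit. `fpu_emu()` begins and ends outside the hunks.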
@@ -0,0 +1,34 @@
+From 8593b18ad348733b5d5ddfa0c79dcabf51dff308 Mon Sep 17 00:00:00 2001
+From: John Crispin
+Date: Mon, 20 Feb 2017 10:29:43 +0100
+Subject: MIPS: pci: Remove KERN_WARN instance inside the mt7620 driver
+
+From: John Crispin
+
+commit 8593b18ad348733b5d5ddfa0c79dcabf51dff308 upstream.
+
+Switch the printk() call to the prefered pr_warn() api.
+
+Fixes: 7e5873d3755c ("MIPS: pci: Add MT7620a PCIE driver")
+Signed-off-by: John Crispin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15321/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/pci/pci-mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/pci/pci-mt7620.c
++++ b/arch/mips/pci/pci-mt7620.c
+@@ -121,7 +121,7 @@ static int wait_pciephy_busy(void)
+ else
+ break;
+ if (retry++ > WAITRETRY_MAX) {
+- printk(KERN_WARN "PCIE-PHY retry failed.\n");
++ pr_warn("PCIE-PHY retry failed.\n");
+ return -1;
+ }
+ }
diff --git a/queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch b/queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
new file mode 100644
index 00000000000..5f4ff564a8b
--- /dev/null
+++ b/queue-4.14/mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
@@ -0,0 +1,72 @@
+From 5d03a6613957785e94af7a4a6212ad4af66aa5c2 Mon Sep 17 00:00:00 2001
+From: Vitaly Wool
+Date: Fri, 17 Nov 2017 15:26:16 -0800
+Subject: mm/z3fold.c: use kref to prevent page free/compact race
+
+From: Vitaly Wool
+
+commit 5d03a6613957785e94af7a4a6212ad4af66aa5c2 upstream.
+
+There is a race in the current z3fold implementation between
+do_compact() called in a work queue context and the page release
+procedure when page's kref goes to 0.
+
+do_compact() may be waiting for page lock, which is released by
+release_z3fold_page_locked right before putting the page onto the
+"stale" list, and then the page may be freed as do_compact() modifies
+its contents.
+
+The mechanism currently implemented to handle that (checking the
+PAGE_STALE flag) is not reliable enough. Instead, we'll use page's kref
+counter to guarantee that the page is not released if its compaction is
+scheduled. It then becomes compaction function's responsibility to
+decrease the counter and quit immediately if the page was actually
+freed.
+
+Link: http://lkml.kernel.org/r/20171117092032.00ea56f42affbed19f4fcc6c@gmail.com
+Signed-off-by: Vitaly Wool
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/z3fold.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -404,8 +404,7 @@ static void do_compact_page(struct z3fol
+ WARN_ON(z3fold_page_trylock(zhdr));
+ else
+ z3fold_page_lock(zhdr);
+- if (test_bit(PAGE_STALE, &page->private) ||
+- !test_and_clear_bit(NEEDS_COMPACTING, &page->private)) {
++ if (WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))) {
+ z3fold_page_unlock(zhdr);
+ return;
+ }
+@@ -413,6 +412,11 @@ static void do_compact_page(struct z3fol
+ list_del_init(&zhdr->buddy);
+ spin_unlock(&pool->lock);
+
++ if (kref_put(&zhdr->refcount, release_z3fold_page_locked)) {
++ atomic64_dec(&pool->pages_nr);
++ return;
++ }
++
+ z3fold_compact_page(zhdr);
+ unbuddied = get_cpu_ptr(pool->unbuddied);
+ fchunks = num_free_chunks(zhdr);
+@@ -753,9 +757,11 @@ static void z3fold_free(struct z3fold_po
+ list_del_init(&zhdr->buddy);
+ spin_unlock(&pool->lock);
+ zhdr->cpu = -1;
++ kref_get(&zhdr->refcount);
+ do_compact_page(zhdr, true);
+ return;
+ }
++ kref_get(&zhdr->refcount);
+ queue_work_on(zhdr->cpu, pool->compact_wq, &zhdr->work);
+ z3fold_page_unlock(zhdr);
+ }
diff --git a/queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch b/queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
new file mode 100644
index 00000000000..b55c0c4f831
--- /dev/null
+++ b/queue-4.14/mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
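Review bot: The early return in `do_compact_page()` under `WARN_ON(!test_and_clear_bit(NEEDS_COMPACTING, &page->private))` comes before the new `kref_put()`, so on that path the reference taken by the new `kref_get()` in `z3fold_free()` is never dropped and the page stays pinned. The branch is flagged as should-not-happen, but it is the one spot where the get/put pairing this fix depends on is broken; either put the reference there or add a comment saying the leak is deliberate. Similarly, the return value of `queue_work_on()` is ignored right after `kref_get()`: if the work item were already queued only one put would follow two gets, which the `NEEDS_COMPACTING` handling outside the hunk may or may not rule out. A comment at each get, `/* dropped in do_compact_page() */`, would document who owns the reference. Both functions extend beyond the hunks.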
@@ -0,0 +1,81 @@
+From 1530578abdac4edce9244c7a1962ded3ffdb58ce Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Sat, 11 Nov 2017 16:08:34 +0100
+Subject: mtd: Avoid probe failures when mtd->dbg.dfs_dir is invalid
+
+From: Boris Brezillon
+
+commit 1530578abdac4edce9244c7a1962ded3ffdb58ce upstream.
+
+Commit e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs
+entries") tried to make MTD related debugfs stuff consistent across the
+MTD framework by creating a root /mtd/ directory containing
+one directory per MTD device.
+
+The problem is that, by default, the MTD layer only registers the
+master device if no partitions are defined for this master. This
+behavior breaks all drivers that expect mtd->dbg.dfs_dir to be filled
+correctly after calling mtd_device_register() in order to add their own
+debugfs entries.
+
+The only way we can force all MTD masters to be registered no matter if
+they expose partitions or not is by enabling the
+CONFIG_MTD_PARTITIONED_MASTER option.
+
+In such situations, there's no other solution but to accept skipping
+debugfs initialization when dbg.dfs_dir is invalid, and when this
+happens, inform the user that he should consider enabling
+CONFIG_MTD_PARTITIONED_MASTER.
+
+Fixes: e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs entries")
+Cc: Mario J.
Rugiero
+Signed-off-by: Boris Brezillon
+Reported-by: Richard Weinberger
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/devices/docg3.c | 7 ++++++-
+ drivers/mtd/nand/nandsim.c | 13 +++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/devices/docg3.c
++++ b/drivers/mtd/devices/docg3.c
+@@ -1814,8 +1814,13 @@ static void __init doc_dbg_register(stru
+ struct dentry *root = floor->dbg.dfs_dir;
+ struct docg3 *docg3 = floor->priv;
+
+- if (IS_ERR_OR_NULL(root))
++ if (IS_ERR_OR_NULL(root)) {
++ if (IS_ENABLED(CONFIG_DEBUG_FS) &&
++ !IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
++ dev_warn(floor->dev.parent,
++ "CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff\n");
+ return;
++ }
+
+ debugfs_create_file("docg3_flashcontrol", S_IRUSR, root, docg3,
+ &flashcontrol_fops);
+--- a/drivers/mtd/nand/nandsim.c
++++ b/drivers/mtd/nand/nandsim.c
+@@ -520,11 +520,16 @@ static int nandsim_debugfs_create(struct
+ struct dentry *root = nsmtd->dbg.dfs_dir;
+ struct dentry *dent;
+
+- if (!IS_ENABLED(CONFIG_DEBUG_FS))
++ /*
++ * Just skip debugfs initialization when the debugfs directory is
++ * missing.
++ */
++ if (IS_ERR_OR_NULL(root)) {
++ if (IS_ENABLED(CONFIG_DEBUG_FS) &&
++ !IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
++ NS_WARN("CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff\n");
+ return 0;
+-
+- if (IS_ERR_OR_NULL(root))
+- return -1;
++ }
+
+ dent = debugfs_create_file("nandsim_wear_report", S_IRUSR,
+ root, dev, &dfs_fops);
diff --git a/queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch b/queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch
new file mode 100644
index 00000000000..7a05a082dd6
--- /dev/null
+++ b/queue-4.14/mtd-nand-atmel-actually-use-the-pm-ops.patch
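Review bot: `nandsim_debugfs_create()` no longer tests `IS_ENABLED(CONFIG_DEBUG_FS)` on its own, so a debugfs-less build now returns early only if `nsmtd->dbg.dfs_dir` is NULL or an error pointer in that configuration. That is presumably what the MTD core leaves there, but the assignment is outside this hunk; the new comment should state the assumption, e.g. by adding the line `* This also covers CONFIG_DEBUG_FS=n, where no directory is created.`. The identical warning string is now duplicated in docg3.c and nandsim.c, so the two can drift; a shared helper or macro would avoid that. Both function bodies continue past the hunks.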
@@ -0,0 +1,33 @@
+From 1533bfa6f6b6bcca1ea1f172ef4a1c5ce5e7b335 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Thu, 5 Oct 2017 18:57:24 +0200
+Subject: mtd: nand: atmel: Actually use the PM ops
+
+From: Boris Brezillon
+
+commit 1533bfa6f6b6bcca1ea1f172ef4a1c5ce5e7b335 upstream.
+
+commit 6e532afaca8e ("mtd: nand: atmel: Add PM ops") was defining PM
+ops but nothing was using/referencing those PM ops.
+
+Fixes: 6e532afaca8e ("mtd: nand: atmel: Add PM ops")
+Cc: Romain Izard
+Signed-off-by: Boris Brezillon
+Acked-by: Wenyou Yang
+Tested-by: Romain Izard
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/atmel/nand-controller.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/atmel/nand-controller.c
++++ b/drivers/mtd/nand/atmel/nand-controller.c
+@@ -2547,6 +2547,7 @@ static struct platform_driver atmel_nand
+ .driver = {
+ .name = "atmel-nand-controller",
+ .of_match_table = of_match_ptr(atmel_nand_controller_of_ids),
++ .pm = &atmel_nand_controller_pm_ops,
+ },
+ .probe = atmel_nand_controller_probe,
+ .remove = atmel_nand_controller_remove,
diff --git a/queue-4.14/mtd-nand-export-nand_reset-symbol.patch b/queue-4.14/mtd-nand-export-nand_reset-symbol.patch
new file mode 100644
index 00000000000..625b673a091
--- /dev/null
+++ b/queue-4.14/mtd-nand-export-nand_reset-symbol.patch
@@ -0,0 +1,32 @@
+From b9bb98424c51437973b854691aa1e9b2bfd348f5 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Thu, 5 Oct 2017 18:53:19 +0200
+Subject: mtd: nand: Export nand_reset() symbol
+
+From: Boris Brezillon
+
+commit b9bb98424c51437973b854691aa1e9b2bfd348f5 upstream.
+
+Commit 6e532afaca8e ("mtd: nand: atmel: Add PM ops") started to use the
+nand_reset() function which was not yet exported by the NAND framework
+(because it was only used internally before that). Export this symbol
+to avoid build errors when the driver is enabled as a module.
+
+Fixes: 6e532afaca8e ("mtd: nand: atmel: Add PM ops")
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/nand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -1246,6 +1246,7 @@ int nand_reset(struct nand_chip *chip, i
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(nand_reset);
+
+ /**
+ * nand_check_erased_buf - check if a buffer contains (almost) only 0xff data
diff --git a/queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch b/queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
new file mode 100644
index 00000000000..a8b41b8eba1
--- /dev/null
+++ b/queue-4.14/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
@@ -0,0 +1,50 @@
+From 30863e38ebeb500a31cecee8096fb5002677dd9b Mon Sep 17 00:00:00 2001
+From: Brent Taylor
+Date: Mon, 30 Oct 2017 22:32:45 -0500
+Subject: mtd: nand: Fix writing mtdoops to nand flash.
+
+From: Brent Taylor
+
+commit 30863e38ebeb500a31cecee8096fb5002677dd9b upstream.
+
+When mtdoops calls mtd_panic_write(), it eventually calls
+panic_nand_write() in nand_base.c. In order to properly wait for the
+nand chip to be ready in panic_nand_wait(), the chip must first be
+selected.
+
+When using the atmel nand flash controller, a panic would occur due to
+a NULL pointer exception.
+
+Fixes: 2af7c6539931 ("mtd: Add panic_write for NAND flashes")
+Signed-off-by: Brent Taylor
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/nand_base.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2800,15 +2800,18 @@ static int panic_nand_write(struct mtd_i
+ size_t *retlen, const uint8_t *buf)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
++ int chipnr = (int)(to >> chip->chip_shift);
+ struct mtd_oob_ops ops;
+ int ret;
+
+- /* Wait for the device to get ready */
+- panic_nand_wait(mtd, chip, 400);
+-
+ /* Grab the device */
+ panic_nand_get_device(chip, mtd, FL_WRITING);
+
++ chip->select_chip(mtd, chipnr);
++
++ /* Wait for the device to get ready */
++ panic_nand_wait(mtd, chip, 400);
++
+ memset(&ops, 0, sizeof(ops));
+ ops.len = len;
+ ops.datbuf = (uint8_t *)buf;
diff --git a/queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch b/queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
new file mode 100644
index 00000000000..d9719388073
--- /dev/null
+++ b/queue-4.14/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
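Review bot: The ordering is the entire fix in `panic_nand_write()`, but the code does not say that `panic_nand_wait()` depends on the preceding `chip->select_chip()`. Fold that into the existing comment, e.g. `/* Wait for the device to get ready; it must be selected first */`, so a later cleanup does not move the wait back up. `chipnr` is derived from `to` with no bound check in the visible lines; presumably the caller validates the offset, which is worth confirming since this runs on the panic path where a second fault would lose the oops record. The function continues after the hunk.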
@@ -0,0 +1,95 @@
+From 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d Mon Sep 17 00:00:00 2001
+From: Xiaolei Li
+Date: Mon, 30 Oct 2017 10:39:56 +0800
+Subject: mtd: nand: mtk: fix infinite ECC decode IRQ issue
+
+From: Xiaolei Li
+
+commit 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d upstream.
+
+For MT2701 NAND Controller, there may generate infinite ECC decode IRQ
+during long time burn test on some platforms. Once this issue occurred,
+the ECC decode IRQ status cannot be cleared in the IRQ handler function,
+and threads cannot be scheduled.
+
+ECC HW generates decode IRQ each sector, so there will have more than one
+decode IRQ if read one page of large page NAND.
+
+Currently, ECC IRQ handle flow is that we will check whether it is decode
+IRQ at first by reading the register ECC_DECIRQ_STA. This is a read-clear
+type register. If this IRQ is decode IRQ, then the ECC IRQ signal will be
+cleared at the same time.
+Secondly, we will check whether all sectors are decoded by reading the
+register ECC_DECDONE. This is because the current IRQ may be not dealed
+in time, and the next sectors have been decoded before reading the
+register ECC_DECIRQ_STA. Then, the next sectors's decode IRQs will not
+be generated.
+Thirdly, if all sectors are decoded by comparing with ecc->sectors, then we
+will complete ecc->done, set ecc->sectors as 0, and disable ECC IRQ by
+programming the register ECC_IRQ_REG(op) as 0. Otherwise, wait for the
+next ECC IRQ.
+
+But, there is a timing issue between step one and two. When we read the
+reigster ECC_DECIRQ_STA, all sectors are decoded except the last sector,
+and the ECC IRQ signal is cleared. But the last sector is decoded before
+reading ECC_DECDONE, so the ECC IRQ signal is enabled again by ECC HW, and
+it means we will receive one extra ECC IRQ later. In step three, we will
+find that all sectors were decoded, then disable ECC IRQ and return.
+When deal with the extra ECC IRQ, the ECC IRQ status cannot be cleared
+anymore.
That is because the register ECC_DECIRQ_STA can only be cleared
+when the register ECC_IRQ_REG(op) is enabled. But actually we have
+disabled ECC IRQ in the previous ECC IRQ handle. So, there will
+keep receiving ECC decode IRQ.
+
+Now, we read the register ECC_DECIRQ_STA once again before completing the
+ecc done event. This ensures that there will be no extra ECC decode IRQ.
+
+Also, remove writel(0, ecc->regs + ECC_IRQ_REG(op)) from irq handler,
+because ECC IRQ is disabled in mtk_ecc_disable(). And clear ECC_DECIRQ_STA
+in mtk_ecc_disable() in case there is a timeout to wait decode IRQ.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/mtk_ecc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/mtk_ecc.c
++++ b/drivers/mtd/nand/mtk_ecc.c
+@@ -115,6 +115,11 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ op = ECC_DECODE;
+ dec = readw(ecc->regs + ECC_DECDONE);
+ if (dec & ecc->sectors) {
++ /*
++ * Clear decode IRQ status once again to ensure that
++ * there will be no extra IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ ecc->sectors = 0;
+ complete(&ecc->done);
+ } else {
+@@ -130,8 +135,6 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ }
+ }
+
+- writel(0, ecc->regs + ECC_IRQ_REG(op));
+-
+ return IRQ_HANDLED;
+ }
+
+@@ -307,6 +310,12 @@ void mtk_ecc_disable(struct mtk_ecc *ecc
+
+ /* disable it */
+ mtk_ecc_wait_idle(ecc, op);
++ if (op == ECC_DECODE)
++ /*
++ * Clear decode IRQ status in case there is a timeout to wait
++ * decode IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ writew(0, ecc->regs + ECC_IRQ_REG(op));
+ writew(ECC_OP_DISABLE, ecc->regs + ECC_CTL_REG(op));
+
diff --git a/queue-4.14/mtd-nand-omap2-fix-subpage-write.patch b/queue-4.14/mtd-nand-omap2-fix-subpage-write.patch
new file mode 100644
index 00000000000..3c59d3f3df3
--- /dev/null
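Review bot: In `mtk_ecc_disable()` the new `if (op == ECC_DECODE)` has no braces and a four-line comment sits between it and the `readw()` it guards, so the `writew(0, ...)` that follows is easy to misread as conditional, or to make unconditional by accident in a later edit. Bracing it costs nothing: `if (op == ECC_DECODE) {`, the comment and `readw(ecc->regs + ECC_DECIRQ_STA);`, then `}`. Both new `readw()` calls discard their result because the register is read-to-clear according to the commit message; the comments could use that term so the dropped value is not taken for a mistake.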
+++ b/queue-4.14/mtd-nand-omap2-fix-subpage-write.patch 
@@ -0,0 +1,460 @@ +From 739c64414f01748a36e7d82c8e0611dea94412bd Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Fri, 20 Oct 2017 15:16:21 +0300 +Subject: mtd: nand: omap2: Fix subpage write + +From: Roger Quadros + +commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream. + +Since v4.12, NAND subpage writes were causing a NULL pointer +dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW, +OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW. + +This is because for those ECC modes, omap_calculate_ecc_bch() +generates ECC bytes for the entire (multi-sector) page and this can +overflow the ECC buffer provided by nand_write_subpage_hwecc() +as it expects ecc.calculate() to return ECC bytes for just one sector. + +However, the root cause of the problem is present since v3.9 +but was not seen then as NAND buffers were being allocated +as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate +aligned buffers if NAND_OWN_BUFFERS is unset"). + +Fix the issue by providing a OMAP optimized write_subpage() +implementation. 
+ +Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error correction.") +Signed-off-by: Roger Quadros +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/omap2.c | 339 +++++++++++++++++++++++++++++++---------------- + 1 file changed, 224 insertions(+), 115 deletions(-) + +--- a/drivers/mtd/nand/omap2.c ++++ b/drivers/mtd/nand/omap2.c +@@ -1133,129 +1133,172 @@ static u8 bch8_polynomial[] = {0xef, 0x + 0x97, 0x79, 0xe5, 0x24, 0xb5}; + + /** +- * omap_calculate_ecc_bch - Generate bytes of ECC bytes ++ * _omap_calculate_ecc_bch - Generate ECC bytes for one sector + * @mtd: MTD device structure + * @dat: The pointer to data on which ecc is computed + * @ecc_code: The ecc_code buffer ++ * @i: The sector number (for a multi sector page) + * +- * Support calculating of BCH4/8 ecc vectors for the page ++ * Support calculating of BCH4/8/16 ECC vectors for one sector ++ * within a page. Sector number is in @i. + */ +-static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd, +- const u_char *dat, u_char *ecc_calc) ++static int _omap_calculate_ecc_bch(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc, int i) + { + struct omap_nand_info *info = mtd_to_omap(mtd); + int eccbytes = info->nand.ecc.bytes; + struct gpmc_nand_regs *gpmc_regs = &info->reg; + u8 *ecc_code; +- unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4; ++ unsigned long bch_val1, bch_val2, bch_val3, bch_val4; + u32 val; +- int i, j; ++ int j; ++ ++ ecc_code = ecc_calc; ++ switch (info->ecc_opt) { ++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: ++ case OMAP_ECC_BCH8_CODE_HW: ++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); ++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); ++ bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]); ++ bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]); ++ *ecc_code++ = (bch_val4 & 0xFF); ++ *ecc_code++ = ((bch_val3 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val3 >> 16) & 0xFF); ++ *ecc_code++ = 
((bch_val3 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val3 & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 16) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val2 & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 16) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val1 & 0xFF); ++ break; ++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: ++ case OMAP_ECC_BCH4_CODE_HW: ++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); ++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); ++ *ecc_code++ = ((bch_val2 >> 12) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 4) & 0xFF); ++ *ecc_code++ = ((bch_val2 & 0xF) << 4) | ++ ((bch_val1 >> 28) & 0xF); ++ *ecc_code++ = ((bch_val1 >> 20) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 12) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 4) & 0xFF); ++ *ecc_code++ = ((bch_val1 & 0xF) << 4); ++ break; ++ case OMAP_ECC_BCH16_CODE_HW: ++ val = readl(gpmc_regs->gpmc_bch_result6[i]); ++ ecc_code[0] = ((val >> 8) & 0xFF); ++ ecc_code[1] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result5[i]); ++ ecc_code[2] = ((val >> 24) & 0xFF); ++ ecc_code[3] = ((val >> 16) & 0xFF); ++ ecc_code[4] = ((val >> 8) & 0xFF); ++ ecc_code[5] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result4[i]); ++ ecc_code[6] = ((val >> 24) & 0xFF); ++ ecc_code[7] = ((val >> 16) & 0xFF); ++ ecc_code[8] = ((val >> 8) & 0xFF); ++ ecc_code[9] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result3[i]); ++ ecc_code[10] = ((val >> 24) & 0xFF); ++ ecc_code[11] = ((val >> 16) & 0xFF); ++ ecc_code[12] = ((val >> 8) & 0xFF); ++ ecc_code[13] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result2[i]); ++ ecc_code[14] = ((val >> 24) & 0xFF); ++ ecc_code[15] = ((val >> 16) & 0xFF); ++ ecc_code[16] = ((val >> 8) & 0xFF); ++ ecc_code[17] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result1[i]); ++ ecc_code[18] = ((val >> 24) & 0xFF); ++ 
ecc_code[19] = ((val >> 16) & 0xFF); ++ ecc_code[20] = ((val >> 8) & 0xFF); ++ ecc_code[21] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result0[i]); ++ ecc_code[22] = ((val >> 24) & 0xFF); ++ ecc_code[23] = ((val >> 16) & 0xFF); ++ ecc_code[24] = ((val >> 8) & 0xFF); ++ ecc_code[25] = ((val >> 0) & 0xFF); ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ /* ECC scheme specific syndrome customizations */ ++ switch (info->ecc_opt) { ++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: ++ /* Add constant polynomial to remainder, so that ++ * ECC of blank pages results in 0x0 on reading back ++ */ ++ for (j = 0; j < eccbytes; j++) ++ ecc_calc[j] ^= bch4_polynomial[j]; ++ break; ++ case OMAP_ECC_BCH4_CODE_HW: ++ /* Set 8th ECC byte as 0x0 for ROM compatibility */ ++ ecc_calc[eccbytes - 1] = 0x0; ++ break; ++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: ++ /* Add constant polynomial to remainder, so that ++ * ECC of blank pages results in 0x0 on reading back ++ */ ++ for (j = 0; j < eccbytes; j++) ++ ecc_calc[j] ^= bch8_polynomial[j]; ++ break; ++ case OMAP_ECC_BCH8_CODE_HW: ++ /* Set 14th ECC byte as 0x0 for ROM compatibility */ ++ ecc_calc[eccbytes - 1] = 0x0; ++ break; ++ case OMAP_ECC_BCH16_CODE_HW: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ ++/** ++ * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction ++ * @mtd: MTD device structure ++ * @dat: The pointer to data on which ecc is computed ++ * @ecc_code: The ecc_code buffer ++ * ++ * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used ++ * when SW based correction is required as ECC is required for one sector ++ * at a time. 
++ */ ++static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc) ++{ ++ return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0); ++} ++ ++/** ++ * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors ++ * @mtd: MTD device structure ++ * @dat: The pointer to data on which ecc is computed ++ * @ecc_code: The ecc_code buffer ++ * ++ * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go. ++ */ ++static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc) ++{ ++ struct omap_nand_info *info = mtd_to_omap(mtd); ++ int eccbytes = info->nand.ecc.bytes; ++ unsigned long nsectors; ++ int i, ret; + + nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1; + for (i = 0; i < nsectors; i++) { +- ecc_code = ecc_calc; +- switch (info->ecc_opt) { +- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: +- case OMAP_ECC_BCH8_CODE_HW: +- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); +- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); +- bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]); +- bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]); +- *ecc_code++ = (bch_val4 & 0xFF); +- *ecc_code++ = ((bch_val3 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val3 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val3 >> 8) & 0xFF); +- *ecc_code++ = (bch_val3 & 0xFF); +- *ecc_code++ = ((bch_val2 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 8) & 0xFF); +- *ecc_code++ = (bch_val2 & 0xFF); +- *ecc_code++ = ((bch_val1 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 8) & 0xFF); +- *ecc_code++ = (bch_val1 & 0xFF); +- break; +- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: +- case OMAP_ECC_BCH4_CODE_HW: +- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); +- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); +- *ecc_code++ = ((bch_val2 >> 12) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 4) & 0xFF); +- *ecc_code++ = ((bch_val2 & 
0xF) << 4) | +- ((bch_val1 >> 28) & 0xF); +- *ecc_code++ = ((bch_val1 >> 20) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 12) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 4) & 0xFF); +- *ecc_code++ = ((bch_val1 & 0xF) << 4); +- break; +- case OMAP_ECC_BCH16_CODE_HW: +- val = readl(gpmc_regs->gpmc_bch_result6[i]); +- ecc_code[0] = ((val >> 8) & 0xFF); +- ecc_code[1] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result5[i]); +- ecc_code[2] = ((val >> 24) & 0xFF); +- ecc_code[3] = ((val >> 16) & 0xFF); +- ecc_code[4] = ((val >> 8) & 0xFF); +- ecc_code[5] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result4[i]); +- ecc_code[6] = ((val >> 24) & 0xFF); +- ecc_code[7] = ((val >> 16) & 0xFF); +- ecc_code[8] = ((val >> 8) & 0xFF); +- ecc_code[9] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result3[i]); +- ecc_code[10] = ((val >> 24) & 0xFF); +- ecc_code[11] = ((val >> 16) & 0xFF); +- ecc_code[12] = ((val >> 8) & 0xFF); +- ecc_code[13] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result2[i]); +- ecc_code[14] = ((val >> 24) & 0xFF); +- ecc_code[15] = ((val >> 16) & 0xFF); +- ecc_code[16] = ((val >> 8) & 0xFF); +- ecc_code[17] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result1[i]); +- ecc_code[18] = ((val >> 24) & 0xFF); +- ecc_code[19] = ((val >> 16) & 0xFF); +- ecc_code[20] = ((val >> 8) & 0xFF); +- ecc_code[21] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result0[i]); +- ecc_code[22] = ((val >> 24) & 0xFF); +- ecc_code[23] = ((val >> 16) & 0xFF); +- ecc_code[24] = ((val >> 8) & 0xFF); +- ecc_code[25] = ((val >> 0) & 0xFF); +- break; +- default: +- return -EINVAL; +- } +- +- /* ECC scheme specific syndrome customizations */ +- switch (info->ecc_opt) { +- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: +- /* Add constant polynomial to remainder, so that +- * ECC of blank pages results in 0x0 on reading back */ +- for (j = 0; j < eccbytes; j++) +- ecc_calc[j] ^= bch4_polynomial[j]; +- break; +- case 
OMAP_ECC_BCH4_CODE_HW: +- /* Set 8th ECC byte as 0x0 for ROM compatibility */ +- ecc_calc[eccbytes - 1] = 0x0; +- break; +- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: +- /* Add constant polynomial to remainder, so that +- * ECC of blank pages results in 0x0 on reading back */ +- for (j = 0; j < eccbytes; j++) +- ecc_calc[j] ^= bch8_polynomial[j]; +- break; +- case OMAP_ECC_BCH8_CODE_HW: +- /* Set 14th ECC byte as 0x0 for ROM compatibility */ +- ecc_calc[eccbytes - 1] = 0x0; +- break; +- case OMAP_ECC_BCH16_CODE_HW: +- break; +- default: +- return -EINVAL; +- } ++ ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i); ++ if (ret) ++ return ret; + +- ecc_calc += eccbytes; ++ ecc_calc += eccbytes; + } + + return 0; +@@ -1496,7 +1539,7 @@ static int omap_write_page_bch(struct mt + chip->write_buf(mtd, buf, mtd->writesize); + + /* Update ecc vector from GPMC result registers */ +- chip->ecc.calculate(mtd, buf, &ecc_calc[0]); ++ omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]); + + ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0, + chip->ecc.total); +@@ -1509,6 +1552,72 @@ static int omap_write_page_bch(struct mt + } + + /** ++ * omap_write_subpage_bch - BCH hardware ECC based subpage write ++ * @mtd: mtd info structure ++ * @chip: nand chip info structure ++ * @offset: column address of subpage within the page ++ * @data_len: data length ++ * @buf: data buffer ++ * @oob_required: must write chip->oob_poi to OOB ++ * @page: page number to write ++ * ++ * OMAP optimized subpage write method. 
++ */ ++static int omap_write_subpage_bch(struct mtd_info *mtd, ++ struct nand_chip *chip, u32 offset, ++ u32 data_len, const u8 *buf, ++ int oob_required, int page) ++{ ++ u8 *ecc_calc = chip->buffers->ecccalc; ++ int ecc_size = chip->ecc.size; ++ int ecc_bytes = chip->ecc.bytes; ++ int ecc_steps = chip->ecc.steps; ++ u32 start_step = offset / ecc_size; ++ u32 end_step = (offset + data_len - 1) / ecc_size; ++ int step, ret = 0; ++ ++ /* ++ * Write entire page at one go as it would be optimal ++ * as ECC is calculated by hardware. ++ * ECC is calculated for all subpages but we choose ++ * only what we want. ++ */ ++ ++ /* Enable GPMC ECC engine */ ++ chip->ecc.hwctl(mtd, NAND_ECC_WRITE); ++ ++ /* Write data */ ++ chip->write_buf(mtd, buf, mtd->writesize); ++ ++ for (step = 0; step < ecc_steps; step++) { ++ /* mask ECC of un-touched subpages by padding 0xFF */ ++ if (step < start_step || step > end_step) ++ memset(ecc_calc, 0xff, ecc_bytes); ++ else ++ ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step); ++ ++ if (ret) ++ return ret; ++ ++ buf += ecc_size; ++ ecc_calc += ecc_bytes; ++ } ++ ++ /* copy calculated ECC for whole page to chip->buffer->oob */ ++ /* this include masked-value(0xFF) for unwritten subpages */ ++ ecc_calc = chip->buffers->ecccalc; ++ ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0, ++ chip->ecc.total); ++ if (ret) ++ return ret; ++ ++ /* write OOB buffer to NAND device */ ++ chip->write_buf(mtd, chip->oob_poi, mtd->oobsize); ++ ++ return 0; ++} ++ ++/** + * omap_read_page_bch - BCH ecc based page read function for entire page + * @mtd: mtd info structure + * @chip: nand chip info structure +@@ -1544,7 +1653,7 @@ static int omap_read_page_bch(struct mtd + chip->ecc.total); + + /* Calculate ecc bytes */ +- chip->ecc.calculate(mtd, buf, ecc_calc); ++ omap_calculate_ecc_bch_multi(mtd, buf, ecc_calc); + + ret = mtd_ooblayout_get_eccbytes(mtd, ecc_code, chip->oob_poi, 0, + chip->ecc.total); +@@ -2044,7 +2153,7 @@ static int 
omap_nand_probe(struct platfo + nand_chip->ecc.strength = 4; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = nand_bch_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; ++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw; + mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops); + /* Reserve one byte for the OMAP marker */ + oobbytes_per_step = nand_chip->ecc.bytes + 1; +@@ -2066,9 +2175,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 4; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + +@@ -2087,7 +2196,7 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 8; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = nand_bch_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; ++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw; + mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops); + /* Reserve one byte for the OMAP marker */ + oobbytes_per_step = nand_chip->ecc.bytes + 1; +@@ -2109,9 +2218,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 8; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + +@@ -2131,9 +2240,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 16; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; 
+ nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + diff --git a/queue-4.14/net-9p-switch-to-wait_event_killable.patch b/queue-4.14/net-9p-switch-to-wait_event_killable.patch new file mode 100644 index 00000000000..1a5261aa738 --- /dev/null +++ b/queue-4.14/net-9p-switch-to-wait_event_killable.patch 
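Review bot: `_omap_calculate_ecc_bch()` uses its new `i` argument directly as the index into `gpmc_regs->gpmc_bch_result0[i]` through `gpmc_bch_result6[i]` with no range check. `omap_write_subpage_bch()` calls it for every `step` below `chip->ecc.steps`, whereas `omap_calculate_ecc_bch_multi()` bounds the index by `nsectors` read from `gpmc_ecc_config`. The size of those register arrays is not visible in this patch, so whether `ecc.steps` can exceed it cannot be confirmed from here. If they are fixed-size arrays, a guard at the top of the helper would make the assumption checkable: `if (i < 0 || i >= ARRAY_SIZE(gpmc_regs->gpmc_bch_result0)) return -EINVAL;`. Separately, the three new kernel-doc blocks document `@ecc_code` while the parameter is named `ecc_calc`.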
@@ -0,0 +1,96 @@
+From 9523feac272ccad2ad8186ba4fcc89103754de52 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen
+Date: Wed, 6 Sep 2017 17:59:08 +0300
+Subject: net/9p: Switch to wait_event_killable()
+
+From: Tuomas Tynkkynen
+
+commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream.
+
+Because userspace gets Very Unhappy when calls like stat() and execve()
+return -EINTR on 9p filesystem mounts. For instance, when bash is
+looking in PATH for things to execute and some SIGCHLD interrupts
+stat(), bash can throw a spurious 'command not found' since it doesn't
+retry the stat().
+
+In practice, hitting the problem is rare and needs a really
+slow/bogged down 9p server.
+
+Signed-off-by: Tuomas Tynkkynen
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/client.c | 3 +--
+ net/9p/trans_virtio.c | 13 ++++++-------
+ net/9p/trans_xen.c | 4 ++--
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -773,8 +773,7 @@ p9_client_rpc(struct p9_client *c, int8_
+ }
+ again:
+ /* Wait for the response */
+- err = wait_event_interruptible(*req->wq,
+- req->status >= REQ_STATUS_RCVD);
++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+
+ /*
+ * Make sure our req is coherent with regard to updates in other
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -286,8 +286,8 @@ req_retry:
+ if (err == -ENOSPC) {
+ chan->ring_bufs_avail = 0;
+ spin_unlock_irqrestore(&chan->lock, flags);
+- err = wait_event_interruptible(*chan->vc_wq,
+- chan->ring_bufs_avail);
++ err = wait_event_killable(*chan->vc_wq,
++ chan->ring_bufs_avail);
+ if (err == -ERESTARTSYS)
+ return err;
+
+@@ -327,7 +327,7 @@ static int p9_get_mapped_pages(struct vi
+ * Other zc request to finish here
+ */
+ if (atomic_read(&vp_pinned) >= chan->p9_max_pages) {
+- err = wait_event_interruptible(vp_wq,
++ err = wait_event_killable(vp_wq,
+ (atomic_read(&vp_pinned) < chan->p9_max_pages));
+ if (err == -ERESTARTSYS)
+ return err;
+@@ -471,8 +471,8 @@ req_retry_pinned:
+ if (err == -ENOSPC) {
+ chan->ring_bufs_avail = 0;
+ spin_unlock_irqrestore(&chan->lock, flags);
+- err = wait_event_interruptible(*chan->vc_wq,
+- chan->ring_bufs_avail);
++ err = wait_event_killable(*chan->vc_wq,
++ chan->ring_bufs_avail);
+ if (err == -ERESTARTSYS)
+ goto err_out;
+
+@@ -489,8 +489,7 @@ req_retry_pinned:
+ virtqueue_kick(chan->vq);
+ spin_unlock_irqrestore(&chan->lock, flags);
+ p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
+- err = wait_event_interruptible(*req->wq,
+- req->status >= REQ_STATUS_RCVD);
++ err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
+ /*
+ * Non kernel buffers are pinned, unpin them
+ */
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -156,8 +156,8 @@ static int p9_xen_request(struct p9_clie
+ ring = &priv->rings[num];
+
+ again:
+- while (wait_event_interruptible(ring->wq,
+- p9_xen_write_todo(ring, size)) != 0)
++ while (wait_event_killable(ring->wq,
++ p9_xen_write_todo(ring, size)) != 0)
+ ;
+
+ spin_lock_irqsave(&ring->lock, flags);
diff --git a/queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch b/queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch
new file mode 100644
index 00000000000..a491ea0bfde
--- /dev/null
+++ b/queue-4.14/nfs-avoid-rcu-usage-in-tracepoints.patch
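Review bot: In `p9_xen_request()` the converted loop `while (wait_event_killable(ring->wq, p9_xen_write_todo(ring, size)) != 0) ;` still discards the return value. Once a fatal signal is pending the wait returns at once on every iteration, so the task spins until ring space appears instead of exiting. The virtio call sites in this patch propagate `-ERESTARTSYS`, and this one should too, for example `if (wait_event_killable(ring->wq, p9_xen_write_todo(ring, size))) return -ERESTARTSYS;`. The function body continues outside the hunk, so any state that has to be unwound before returning needs checking there.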
@@ -0,0 +1,88 @@
+From 3944369db701f075092357b511fd9f5755771585 Mon Sep 17 00:00:00 2001
+From: Anna Schumaker
+Date: Wed, 1 Nov 2017 15:48:43 -0400
+Subject: NFS: Avoid RCU usage in tracepoints
+
+From: Anna Schumaker
+
+commit 3944369db701f075092357b511fd9f5755771585 upstream.
+
+There isn't an obvious way to acquire and release the RCU lock during a
+tracepoint, so we can't use the rpc_peeraddr2str() function here.
+Instead, rely on the client's cl_hostname, which should have similar
+enough information without needing an rcu_dereference().
+
+Reported-by: Dave Jones
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4trace.h | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/fs/nfs/nfs4trace.h
++++ b/fs/nfs/nfs4trace.h
+@@ -202,17 +202,13 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event,
+ TP_ARGS(clp, error),
+
+ TP_STRUCT__entry(
+- __string(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR))
++ __string(dstaddr, clp->cl_hostname)
+ __field(int, error)
+ ),
+
+ TP_fast_assign(
+ __entry->error = error;
+- __assign_str(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR));
++ __assign_str(dstaddr, clp->cl_hostname);
+ ),
+
+ TP_printk(
+@@ -1133,9 +1129,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_fast_assign(
+@@ -1148,9 +1142,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_printk(
+@@ -1192,9 +1184,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __field(int, stateid_seq)
+ __field(u32, stateid_hash)
+ ),
+@@ -1209,9 +1199,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __entry->stateid_seq =
+ be32_to_cpu(stateid->seqid);
+ __entry->stateid_hash =
diff --git a/queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch b/queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch
new file mode 100644
index 00000000000..eacf682b058
--- /dev/null
+++ b/queue-4.14/nfs-fix-typo-in-nomigration-mount-option.patch
@@ -0,0 +1,30 @@
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1332,7 +1332,7 @@ static int nfs_parse_mount_options(char
+ mnt->options |= NFS_OPTION_MIGRATION;
+ break;
+ case Opt_nomigration:
+- mnt->options &= NFS_OPTION_MIGRATION;
++ mnt->options &= ~NFS_OPTION_MIGRATION;
+ break;
+
+ /*
diff --git a/queue-4.14/nfs-fix-ugly-referral-attributes.patch b/queue-4.14/nfs-fix-ugly-referral-attributes.patch
new file mode 100644
index 00000000000..22ad2fa4fab
--- /dev/null
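Review bot: In the nfs4trace.h patch the trace field is still named `dstaddr`, but it now records `clp->cl_hostname` rather than the address string from `rpc_peeraddr2str()`, so anything that reads these events expecting a peer address gets a hostname instead. A short comment above each `__string(dstaddr, ...)` would record that, e.g. `/* holds cl_hostname, not a peer address: avoids rcu_dereference() in the tracepoint */`. As a style point, the two `__assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")` lines in the inode callback and stateid classes have no trailing `;` while the one in `nfs4_clientid_event` does; adding it keeps the three consistent. The event class bodies continue outside the hunks.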
+++ b/queue-4.14/nfs-fix-ugly-referral-attributes.patch 
@@ -0,0 +1,85 @@
+From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sun, 5 Nov 2017 15:45:22 -0500
+Subject: nfs: Fix ugly referral attributes
+
+From: Chuck Lever
+
+commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.
+
+Before traversing a referral and performing a mount, the mounted-on
+directory looks strange:
+
+dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0
+
+nfs4_get_referral is wiping out any cached attributes with what was
+returned via GETATTR(fs_locations), but the bit mask for that
+operation does not request any file attributes.
+
+Retrieve owner and timestamp information so that the memcpy in
+nfs4_get_referral fills in more attributes.
+
+Changes since v1:
+- Don't request attributes that the client unconditionally replaces
+- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
+- encode_fs_locations() doesn't use the third bitmask word
+
+Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
+Suggested-by: Pradeep Thomas
+Signed-off-by: Chuck Lever
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -254,15 +254,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
+ };
+
+ const u32 nfs4_fs_locations_bitmap[3] = {
+- FATTR4_WORD0_TYPE
+- | FATTR4_WORD0_CHANGE
++ FATTR4_WORD0_CHANGE
+ | FATTR4_WORD0_SIZE
+ | FATTR4_WORD0_FSID
+ | FATTR4_WORD0_FILEID
+ | FATTR4_WORD0_FS_LOCATIONS,
+- FATTR4_WORD1_MODE
+- | FATTR4_WORD1_NUMLINKS
+- | FATTR4_WORD1_OWNER
++ FATTR4_WORD1_OWNER
+ | FATTR4_WORD1_OWNER_GROUP
+ | FATTR4_WORD1_RAWDEV
+ | FATTR4_WORD1_SPACE_USED
+@@ -6777,9 +6774,7 @@ static int _nfs4_proc_fs_locations(struc
+ struct page *page)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+- u32 bitmask[3] = {
+- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+- };
++ u32 bitmask[3];
+ struct nfs4_fs_locations_arg args = {
+ .dir_fh = NFS_FH(dir),
+ .name = name,
+@@ -6798,12 +6793,15 @@ static int _nfs4_proc_fs_locations(struc
+
+ dprintk("%s: start\n", __func__);
+
++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++ bitmask[1] = nfs4_fattr_bitmap[1];
++
+ /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+ * is not supported */
+ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++ bitmask[0] &= ~FATTR4_WORD0_FILEID;
+ else
+- bitmask[0] |= FATTR4_WORD0_FILEID;
++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+
+ nfs_fattr_init(&fs_locations->fattr);
+ fs_locations->server = server;
diff --git a/queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch b/queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch
new file mode 100644
index 00000000000..b294ce8fd4b
--- /dev/null
+++ b/queue-4.14/nfs-revalidate-.-etc-correctly-on-open.patch
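Review bot: `u32 bitmask[3];` in `_nfs4_proc_fs_locations()` is no longer initialized and only words 0 and 1 are assigned afterwards, so `bitmask[2]` holds stale stack contents when the array is passed on (presumably through `args`, whose initializer is cut off by the hunk). The commit message notes that `encode_fs_locations()` does not use the third word, which keeps this safe only as long as no encoder ever reads it. Zeroing it removes any chance of uninitialized kernel stack reaching the wire: keep an initializer, `u32 bitmask[3] = { 0 };`, or add `bitmask[2] = 0;` beside the other two assignments.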
@@ -0,0 +1,60 @@
+From b688741cb06695312f18b730653d6611e1bad28d Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Fri, 25 Aug 2017 17:34:41 +1000
+Subject: NFS: revalidate "." etc correctly on "open".
+
+From: NeilBrown
+
+commit b688741cb06695312f18b730653d6611e1bad28d upstream.
+
+For correct close-to-open semantics, NFS must validate
+the change attribute of a directory (or file) on open.
+
+Since commit ecf3d1f1aa74 ("vfs: kill FS_REVAL_DOT by adding a
+d_weak_revalidate dentry op"), open() of "." or a path ending ".." is
+not revalidated reliably (except when that direct is a mount point).
+
+Prior to that commit, "." was revalidated using nfs_lookup_revalidate()
+which checks the LOOKUP_OPEN flag and forces revalidation if the flag is
+set.
+Since that commit, nfs_weak_revalidate() is used for NFSv3 (which
+ignores the flags) and nothing is used for NFSv4.
+
+This is fixed by using nfs_lookup_verify_inode() in
+nfs_weak_revalidate(). This does the revalidation exactly when needed.
+Also, add a definition of .d_weak_revalidate for NFSv4.
+
+The incorrect behavior is easily demonstrated by running "echo *" in
+some non-mountpoint NFS directory while watching network traffic.
+Without this patch, "echo *" sometimes doesn't produce any traffic.
+With the patch it always does.
+
+Fixes: ecf3d1f1aa74 ("vfs: kill FS_REVAL_DOT by adding a d_weak_revalidate dentry op")
+Signed-off-by: NeilBrown
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1241,8 +1241,7 @@ static int nfs_weak_revalidate(struct de
+ return 0;
+ }
+
+- if (nfs_mapping_need_revalidate_inode(inode))
+- error = __nfs_revalidate_inode(NFS_SERVER(inode), inode);
++ error = nfs_lookup_verify_inode(inode, flags);
+ dfprintk(LOOKUPCACHE, "NFS: %s: inode %lu is %s\n",
+ __func__, inode->i_ino, error ? "invalid" : "valid");
+ return !error;
+@@ -1393,6 +1392,7 @@ static int nfs4_lookup_revalidate(struct
+
+ const struct dentry_operations nfs4_dentry_operations = {
+ .d_revalidate = nfs4_lookup_revalidate,
++ .d_weak_revalidate = nfs_weak_revalidate,
+ .d_delete = nfs_dentry_delete,
+ .d_iput = nfs_dentry_iput,
+ .d_automount = nfs_d_automount,
diff --git a/queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch b/queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
new file mode 100644
index 00000000000..e14fb1be003
--- /dev/null
+++ b/queue-4.14/nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
@@ -0,0 +1,73 @@
+From fcfa447062b2061e11f68b846d61cbfe60d0d604 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington
+Date: Fri, 10 Nov 2017 06:27:49 -0500
+Subject: NFS: Revert "NFS: Move the flock open mode check into nfs_flock()"
+
+From: Benjamin Coddington
+
+commit fcfa447062b2061e11f68b846d61cbfe60d0d604 upstream.
+
+Commit e12937279c8b "NFS: Move the flock open mode check into nfs_flock()"
+changed NFSv3 behavior for flock() such that the open mode must match the
+lock type, however that requirement shouldn't be enforced for flock().
+
+Signed-off-by: Benjamin Coddington
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/file.c | 18 ++----------------
+ fs/nfs/nfs4proc.c | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -829,23 +829,9 @@ int nfs_flock(struct file *filp, int cmd
+ if (NFS_SERVER(inode)->flags & NFS_MOUNT_LOCAL_FLOCK)
+ is_local = 1;
+
+- /*
+- * VFS doesn't require the open mode to match a flock() lock's type.
+- * NFS, however, may simulate flock() locking with posix locking which
+- * requires the open mode to match the lock type.
+- */
+- switch (fl->fl_type) {
+- case F_UNLCK:
++ /* We're simulating flock() locks using posix locks on the server */
++ if (fl->fl_type == F_UNLCK)
+ return do_unlk(filp, cmd, fl, is_local);
+- case F_RDLCK:
+- if (!(filp->f_mode & FMODE_READ))
+- return -EBADF;
+- break;
+- case F_WRLCK:
+- if (!(filp->f_mode & FMODE_WRITE))
+- return -EBADF;
+- }
+-
+ return do_setlk(filp, cmd, fl, is_local);
+ }
+ EXPORT_SYMBOL_GPL(nfs_flock);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6568,6 +6568,20 @@ nfs4_proc_lock(struct file *filp, int cm
+ !test_bit(NFS_STATE_POSIX_LOCKS, &state->flags))
+ return -ENOLCK;
+
++ /*
++ * Don't rely on the VFS having checked the file open mode,
++ * since it won't do this for flock() locks.
++ */
++ switch (request->fl_type) {
++ case F_RDLCK:
++ if (!(filp->f_mode & FMODE_READ))
++ return -EBADF;
++ break;
++ case F_WRLCK:
++ if (!(filp->f_mode & FMODE_WRITE))
++ return -EBADF;
++ }
++
+ status = nfs4_set_lock_state(state, request);
+ if (status != 0)
+ return status;
diff --git a/queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch b/queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch
new file mode 100644
index 00000000000..6e8abb1a7a5
--- /dev/null
+++ b/queue-4.14/nfsd-deal-with-revoked-delegations-appropriately.patch
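Review bot: The `switch (request->fl_type)` added to `nfs4_proc_lock()` ends its last case, `F_WRLCK`, without a `break` and has no `default`, so unlock requests skip the mode check only by omission. Ending the case with `break;` and adding `default: break;`, or a one-line comment that `F_UNLCK` needs no open-mode check, makes the intent explicit and stops a case added later from being fallen into. The function continues outside the hunk.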
@@ -0,0 +1,84 @@ +From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001 +From: Andrew Elble +Date: Fri, 3 Nov 2017 14:06:31 -0400 +Subject: nfsd: deal with revoked delegations appropriately + +From: Andrew Elble + +commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream. + +If a delegation has been revoked by the server, operations using that +delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1 +case, and NFS4ERR_BAD_STATEID otherwise. + +The server needs NFSv4.1 clients to explicitly free revoked delegations. +If the server returns NFS4ERR_DELEG_REVOKED, the client will do that; +otherwise it may just forget about the delegation and be unable to +recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a +SEQUENCE reply. That can cause the Linux 4.1 client to loop in its +stage manager. + +Signed-off-by: Andrew Elble +Reviewed-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3966,7 +3966,8 @@ static struct nfs4_delegation *find_dele + { + struct nfs4_stid *ret; + +- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID); ++ ret = find_stateid_by_type(cl, s, ++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID); + if (!ret) + return NULL; + return delegstateid(ret); +@@ -3989,6 +3990,12 @@ nfs4_check_deleg(struct nfs4_client *cl, + deleg = find_deleg_stateid(cl, &open->op_delegate_stateid); + if (deleg == NULL) + goto out; ++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) { ++ nfs4_put_stid(&deleg->dl_stid); ++ if (cl->cl_minorversion) ++ status = nfserr_deleg_revoked; ++ goto out; ++ } + flags = share_access_to_flags(open->op_share_access); + status = nfs4_check_delegmode(deleg, flags); + if (status) { +@@ -4858,6 +4865,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou + struct nfs4_stid **s, struct nfsd_net *nn) + { + 
__be32 status; ++ bool return_revoked = false; ++ ++ /* ++ * only return revoked delegations if explicitly asked. ++ * otherwise we report revoked or bad_stateid status. ++ */ ++ if (typemask & NFS4_REVOKED_DELEG_STID) ++ return_revoked = true; ++ else if (typemask & NFS4_DELEG_STID) ++ typemask |= NFS4_REVOKED_DELEG_STID; + + if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) + return nfserr_bad_stateid; +@@ -4872,6 +4889,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou + *s = find_stateid_by_type(cstate->clp, stateid, typemask); + if (!*s) + return nfserr_bad_stateid; ++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) { ++ nfs4_put_stid(*s); ++ if (cstate->minorversion) ++ return nfserr_deleg_revoked; ++ return nfserr_bad_stateid; ++ } + return nfs_ok; + } + diff --git a/queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch b/queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch new file mode 100644 index 00000000000..7bfa1f5a3aa --- /dev/null +++ b/queue-4.14/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch 
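Review bot: In nfs4_check_deleg() the revoked branch assigns `status` only when `cl->cl_minorversion` is non-zero, so the NFSv4.0 result depends on whatever `status` was initialised to above the hunk, while the commit message expects NFS4ERR_BAD_STATEID there. Writing it out, e.g. `status = cl->cl_minorversion ? nfserr_deleg_revoked : nfserr_bad_stateid;`, would keep this path visibly in agreement with the matching branch in nfsd4_lookup_stateid(). Separately, find_deleg_stateid() now returns revoked stids to every caller, and only nfs4_check_deleg() is shown checking `sc_type`. Any other caller, not visible here, needs the same check or a revoked delegation could be handled as a live one.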
@@ -0,0 +1,84 @@ +From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001 +From: Andreas Rohner +Date: Fri, 17 Nov 2017 15:29:35 -0800 +Subject: nilfs2: fix race condition that causes file system corruption + +From: Andreas Rohner + +commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream. + +There is a race condition between nilfs_dirty_inode() and +nilfs_set_file_dirty(). + +When a file is opened, nilfs_dirty_inode() is called to update the +access timestamp in the inode. It calls __nilfs_mark_inode_dirty() in a +separate transaction. __nilfs_mark_inode_dirty() caches the ifile +buffer_head in the i_bh field of the inode info structure and marks it +as dirty. + +After some data was written to the file in another transaction, the +function nilfs_set_file_dirty() is called, which adds the inode to the +ns_dirty_files list. + +Then the segment construction calls nilfs_segctor_collect_dirty_files(), +which goes through the ns_dirty_files list and checks the i_bh field. +If there is a cached buffer_head in i_bh it is not marked as dirty +again. + +Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate +transactions, it is possible that a segment construction that writes out +the ifile occurs in-between the two. If this happens the inode is not +on the ns_dirty_files list, but its ifile block is still marked as dirty +and written out. + +In the next segment construction, the data for the file is written out +and nilfs_bmap_propagate() updates the b-tree. Eventually the bmap root +is written into the i_bh block, which is not dirty, because it was +written out in another segment construction. + +As a result the bmap update can be lost, which leads to file system +corruption. Either the virtual block address points to an unallocated +DAT block, or the DAT entry will be reused for something different. + +The error can remain undetected for a long time. 
A typical error +message would be one of the "bad btree" errors or a warning that a DAT +entry could not be found. + +This bug can be reproduced reliably by a simple benchmark that creates +and overwrites millions of 4k files. + +Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp +Signed-off-by: Andreas Rohner +Signed-off-by: Ryusuke Konishi +Tested-by: Andreas Rohner +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/segment.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1958,8 +1958,6 @@ static int nilfs_segctor_collect_dirty_f + err, ii->vfs_inode.i_ino); + return err; + } +- mark_buffer_dirty(ibh); +- nilfs_mdt_mark_dirty(ifile); + spin_lock(&nilfs->ns_inode_lock); + if (likely(!ii->i_bh)) + ii->i_bh = ibh; +@@ -1968,6 +1966,10 @@ static int nilfs_segctor_collect_dirty_f + goto retry; + } + ++ // Always redirty the buffer to avoid race condition ++ mark_buffer_dirty(ii->i_bh); ++ nilfs_mdt_mark_dirty(ifile); ++ + clear_bit(NILFS_I_QUEUED, &ii->i_state); + set_bit(NILFS_I_BUSY, &ii->i_state); + list_move_tail(&ii->i_dirty, &sci->sc_dirty_files); diff --git a/queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch b/queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch new file mode 100644 index 00000000000..ea07637d47e --- /dev/null +++ b/queue-4.14/p54-don-t-unregister-leds-when-they-are-not-initialized.patch 
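Review bot: The comment added in nilfs_segctor_collect_dirty_files() is a `//` line comment, where kernel coding style uses `/* */`, and it says "race condition" without naming the race. Going by the commit message, something like `/* Always redirty: the cached i_bh may already have been written out by an earlier segment construction */` would record why the two calls must run even when `ii->i_bh` was already set. The enclosing loop and its locking start outside the hunk.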
@@ -0,0 +1,80 @@ +From fc09785de0a364427a5df63d703bae9a306ed116 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Tue, 26 Sep 2017 17:11:33 +0200 +Subject: p54: don't unregister leds when they are not initialized + +From: Andrey Konovalov + +commit fc09785de0a364427a5df63d703bae9a306ed116 upstream. + +ieee80211_register_hw() in p54_register_common() may fail and leds won't +get initialized. Currently p54_unregister_common() doesn't check that and +always calls p54_unregister_leds(). The fix is to check priv->registered +flag before calling p54_unregister_leds(). + +Found by syzkaller. + +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted +4.14.0-rc1-42251-gebb2c2437d80-dirty #205 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769 + __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385 + lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002 + flush_work+0xf0/0x8c0 kernel/workqueue.c:2886 + __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961 + cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081 + p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160 + p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856 + p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073 + usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 + __device_release_driver drivers/base/dd.c:861 + device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893 + device_release_driver+0x1e/0x30 drivers/base/dd.c:918 + bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 + device_del+0x5c4/0xab0 drivers/base/core.c:1985 + usb_disable_device+0x1e9/0x680 
drivers/usb/core/message.c:1170 + usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 + hub_port_connect drivers/usb/core/hub.c:4754 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + process_scheduled_works kernel/workqueue.c:2179 + worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Signed-off-by: Andrey Konovalov +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intersil/p54/main.c ++++ b/drivers/net/wireless/intersil/p54/main.c +@@ -852,12 +852,11 @@ void p54_unregister_common(struct ieee80 + { + struct p54_common *priv = dev->priv; + +-#ifdef CONFIG_P54_LEDS +- p54_unregister_leds(priv); +-#endif /* CONFIG_P54_LEDS */ +- + if (priv->registered) { + priv->registered = false; ++#ifdef CONFIG_P54_LEDS ++ p54_unregister_leds(priv); ++#endif /* CONFIG_P54_LEDS */ + ieee80211_unregister_hw(dev); + } + diff --git a/queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch b/queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch new file mode 100644 index 00000000000..861fdb86efa --- /dev/null +++ b/queue-4.14/raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch 
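Review bot: p54_unregister_leds() is now gated on `priv->registered`, which is a proxy: per the commit message it reflects ieee80211_register_hw() having succeeded, not LED initialisation itself. If LED setup can fail or be skipped after `registered` is set (the registration path is not in this hunk), teardown would again run against uninitialised work items. A short comment at the `#ifdef CONFIG_P54_LEDS` block stating that LEDs are only initialised once `registered` is true, or a dedicated flag for LED state, would make that invariant checkable. The end of p54_unregister_common() lies outside the hunk.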
@@ -0,0 +1,81 @@ +From f6eca2d43ed694ab8124dd24c88277f7eca93b7d Mon Sep 17 00:00:00 2001 +From: Nate Dailey +Date: Tue, 17 Oct 2017 08:17:03 -0400 +Subject: raid1: prevent freeze_array/wait_all_barriers deadlock + +From: Nate Dailey + +commit f6eca2d43ed694ab8124dd24c88277f7eca93b7d upstream. + +If freeze_array is attempted in the middle of close_sync/ +wait_all_barriers, deadlock can occur. + +freeze_array will wait for nr_pending and nr_queued to line up. +wait_all_barriers increments nr_pending for each barrier bucket, one +at a time, but doesn't actually issue IO that could be counted in +nr_queued. So freeze_array is blocked until wait_all_barriers +completes and allow_all_barriers runs. At the same time, when +_wait_barrier sees array_frozen == 1, it stops and waits for +freeze_array to complete. + +Prevent the deadlock by making close_sync call _wait_barrier and +_allow_barrier for one bucket at a time, instead of deferring the +_allow_barrier calls until after all _wait_barriers are complete. 
+ +Signed-off-by: Nate Dailey +Fix: fd76863e37fe(RAID1: a new I/O barrier implementation to remove resync window) +Reviewed-by: Coly Li +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 24 ++++++------------------ + 1 file changed, 6 insertions(+), 18 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -990,14 +990,6 @@ static void wait_barrier(struct r1conf * + _wait_barrier(conf, idx); + } + +-static void wait_all_barriers(struct r1conf *conf) +-{ +- int idx; +- +- for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++) +- _wait_barrier(conf, idx); +-} +- + static void _allow_barrier(struct r1conf *conf, int idx) + { + atomic_dec(&conf->nr_pending[idx]); +@@ -1011,14 +1003,6 @@ static void allow_barrier(struct r1conf + _allow_barrier(conf, idx); + } + +-static void allow_all_barriers(struct r1conf *conf) +-{ +- int idx; +- +- for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++) +- _allow_barrier(conf, idx); +-} +- + /* conf->resync_lock should be held */ + static int get_unqueued_pending(struct r1conf *conf) + { +@@ -1654,8 +1638,12 @@ static void print_conf(struct r1conf *co + + static void close_sync(struct r1conf *conf) + { +- wait_all_barriers(conf); +- allow_all_barriers(conf); ++ int idx; ++ ++ for (idx = 0; idx < BARRIER_BUCKETS_NR; idx++) { ++ _wait_barrier(conf, idx); ++ _allow_barrier(conf, idx); ++ } + + mempool_destroy(conf->r1buf_pool); + conf->r1buf_pool = NULL; diff --git a/queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch b/queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch new file mode 100644 index 00000000000..ac24c24187a --- /dev/null +++ b/queue-4.14/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch 
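Review bot: close_sync() now depends on each bucket being waited on and released before the next one is touched, but the new loop carries no comment saying so, which makes it easy for a later cleanup to split it back into two passes. I would add above the loop `/* wait/allow one bucket at a time: holding nr_pending on every bucket at once can deadlock with freeze_array() */`. The rest of close_sync() continues past the hunk.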
@@ -0,0 +1,65 @@ +From bfa62a52cad93686bb8d8171ea5288813248a7c6 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 9 Nov 2017 11:59:24 +0100 +Subject: rt2x00usb: mark device removed when get ENOENT usb error + +From: Stanislaw Gruszka + +commit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream. + +ENOENT usb error mean "specified interface or endpoint does not exist or +is not enabled". Mark device not present when we encounter this error +similar like we do with ENODEV error. + +Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because +we remove and put again RX entries to the queue infinitely. + +We can have similar situation when submit urb will fail all the time +with other error, so we need consider to limit number of entries +processed by rxdone work. But for now, since the patch fixes +reproducible soft lockup issue on single processor systems +and taken ENOENT error meaning, let apply this fix. + +Patch adds additional ENOENT check not only in rx kick routine, but +also on other places where we check for ENODEV error. + +Reported-by: Richard Genoud +Debugged-by: Richard Genoud +Signed-off-by: Stanislaw Gruszka +Tested-by: Richard Genoud +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -57,7 +57,7 @@ int rt2x00usb_vendor_request(struct rt2x + if (status >= 0) + return 0; + +- if (status == -ENODEV) { ++ if (status == -ENODEV || status == -ENOENT) { + /* Device has disappeared. 
*/ + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + break; +@@ -321,7 +321,7 @@ static bool rt2x00usb_kick_tx_entry(stru + + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- if (status == -ENODEV) ++ if (status == -ENODEV || status == -ENOENT) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); + rt2x00lib_dmadone(entry); +@@ -410,7 +410,7 @@ static bool rt2x00usb_kick_rx_entry(stru + + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- if (status == -ENODEV) ++ if (status == -ENODEV || status == -ENOENT) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); + rt2x00lib_dmadone(entry); diff --git a/queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch b/queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch new file mode 100644 index 00000000000..0cd09a38f40 --- /dev/null +++ b/queue-4.14/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch 
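Review bot: The test `status == -ENODEV || status == -ENOENT` is now written out three times, in rt2x00usb_vendor_request(), rt2x00usb_kick_tx_entry() and rt2x00usb_kick_rx_entry(), so the next error code that should mark the device absent has to be added in three places. A small static inline predicate taking `status` would keep them in step. The comment `/* Device has disappeared. */` in rt2x00usb_vendor_request() could also mention -ENOENT now that the branch covers both codes. All three functions extend beyond their hunks.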
@@ -0,0 +1,37 @@ +From 3f2a162fab15aee243178b5308bb5d1206fc4043 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 6 Nov 2017 14:55:35 +0100 +Subject: rtlwifi: fix uninitialized rtlhal->last_suspend_sec time + +From: Arnd Bergmann + +commit 3f2a162fab15aee243178b5308bb5d1206fc4043 upstream. + +We set rtlhal->last_suspend_sec to an uninitialized stack variable, +but unfortunately gcc never warned about this, I only found it +while working on another patch. I opened a gcc bug for this. + +Presumably the value of rtlhal->last_suspend_sec is not all that +important, but it does get used, so we probably want the +patch backported to stable kernels. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82839 +Signed-off-by: Arnd Bergmann +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1372,6 +1372,7 @@ static void _rtl8821ae_get_wakeup_reason + + ppsc->wakeup_reason = 0; + ++ do_gettimeofday(&ts); + rtlhal->last_suspend_sec = ts.tv_sec; + + switch (fw_reason) { diff --git a/queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch b/queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch new file mode 100644 index 00000000000..9f5b58d2acf --- /dev/null +++ b/queue-4.14/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch 
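Review bot: `do_gettimeofday(&ts)` fills `rtlhal->last_suspend_sec` from the wall clock, which can step backwards or forwards whenever the system time is set. If the value is later used to measure elapsed time (its consumers are not in this hunk), a monotonic or boot-time source would be the safer choice. If it is only a timestamp, a one-line comment saying so would settle the question. The declaration of `ts` is also outside the hunk, so its type cannot be confirmed here.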
@@ -0,0 +1,47 @@ +From 519ce2f933fa14acf69d5c8cabcc18711943d629 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Thu, 14 Sep 2017 13:17:44 -0500 +Subject: rtlwifi: rtl8192ee: Fix memory leak when loading firmware + +From: Larry Finger + +commit 519ce2f933fa14acf69d5c8cabcc18711943d629 upstream. + +In routine rtl92ee_set_fw_rsvdpagepkt(), the driver allocates an skb, but +never calls rtl_cmd_send_packet(), which will free the buffer. All other +rtlwifi drivers perform this operation correctly. + +This problem has been in the driver since it was included in the kernel. +Fortunately, each firmware load only leaks 4 buffers, which likely +explains why it has not previously been detected. + +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c +@@ -682,7 +682,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); + struct sk_buff *skb = NULL; +- ++ bool rtstatus; + u32 totalpacketlen; + u8 u1rsvdpageloc[5] = { 0 }; + bool b_dlok = false; +@@ -768,7 +768,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i + skb = dev_alloc_skb(totalpacketlen); + skb_put_data(skb, &reserved_page_packet, totalpacketlen); + +- b_dlok = true; ++ rtstatus = rtl_cmd_send_packet(hw, skb); ++ if (rtstatus) ++ b_dlok = true; + + if (b_dlok) { + RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD , diff --git a/queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch b/queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch new file mode 100644 index 00000000000..5bef428cf26 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch 
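Review bot: The result of `dev_alloc_skb(totalpacketlen)` is still used unchecked on the next line by `skb_put_data(skb, ...)` and is now also handed to rtl_cmd_send_packet(), so an allocation failure becomes a NULL dereference during firmware load. Add `if (!skb) return;` directly after the allocation (the function returns void), assuming nothing acquired earlier in the function needs releasing first. The new `rtstatus` local is only copied into `b_dlok`, so `b_dlok = rtl_cmd_send_packet(hw, skb);` would do the same without it. The function body starts and ends outside both hunks.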
@@ -0,0 +1,205 @@ +From 1234a6d54fed8a00091968c4eb2fb52e1cbb8e2e Mon Sep 17 00:00:00 2001 +From: Dick Kennedy +Date: Fri, 29 Sep 2017 17:34:29 -0700 +Subject: scsi: lpfc: Fix crash receiving ELS while detaching driver + +From: Dick Kennedy + +commit 1234a6d54fed8a00091968c4eb2fb52e1cbb8e2e upstream. + +The driver crashes when attempting to use a freed ndpl pointer. + +The pci_remove_one handler runs on a separate kernel thread. The order +of the removal is starting by freeing all of the ndlps and then +disabling interrupts. In between these two events the driver can still +receive an ELS and process it. When it tries to use the ndlp pointer +will be NULL + +Change the order of the pci_remove_one vs disable interrupts so that +interrupts are disabled before the ndlp's are freed. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_attr.c | 6 ++++-- + drivers/scsi/lpfc/lpfc_bsg.c | 4 +++- + drivers/scsi/lpfc/lpfc_els.c | 7 ++++++- + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 ++++- + drivers/scsi/lpfc/lpfc_init.c | 14 +++++++------- + drivers/scsi/lpfc/lpfc_nportdisc.c | 2 +- + drivers/scsi/lpfc/lpfc_sli.c | 12 ++++++++++++ + 7 files changed, 37 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -3134,7 +3134,8 @@ lpfc_txq_hw_show(struct device *dev, str + struct lpfc_hba *phba = ((struct lpfc_vport *) shost->hostdata)->phba; + struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba); + +- return snprintf(buf, PAGE_SIZE, "%d\n", pring->txq_max); ++ return snprintf(buf, PAGE_SIZE, "%d\n", ++ pring ? 
pring->txq_max : 0); + } + + static DEVICE_ATTR(txq_hw, S_IRUGO, +@@ -3147,7 +3148,8 @@ lpfc_txcmplq_hw_show(struct device *dev, + struct lpfc_hba *phba = ((struct lpfc_vport *) shost->hostdata)->phba; + struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba); + +- return snprintf(buf, PAGE_SIZE, "%d\n", pring->txcmplq_max); ++ return snprintf(buf, PAGE_SIZE, "%d\n", ++ pring ? pring->txcmplq_max : 0); + } + + static DEVICE_ATTR(txcmplq_hw, S_IRUGO, +--- a/drivers/scsi/lpfc/lpfc_bsg.c ++++ b/drivers/scsi/lpfc/lpfc_bsg.c +@@ -2911,7 +2911,7 @@ static int lpfcdiag_loop_post_rxbufs(str + } + } + +- if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer) { ++ if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer || !pring) { + ret_val = -ENOMEM; + goto err_post_rxbufs_exit; + } +@@ -5421,6 +5421,8 @@ lpfc_bsg_timeout(struct bsg_job *job) + struct lpfc_iocbq *check_iocb, *next_iocb; + + pring = lpfc_phba_elsring(phba); ++ if (unlikely(!pring)) ++ return -EIO; + + /* if job's driver data is NULL, the command completed or is in the + * the process of completing. 
In this case, return status to request +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7430,6 +7430,8 @@ lpfc_els_timeout_handler(struct lpfc_vpo + timeout = (uint32_t)(phba->fc_ratov << 1); + + pring = lpfc_phba_elsring(phba); ++ if (unlikely(!pring)) ++ return; + + if ((phba->pport->load_flag & FC_UNLOADING)) + return; +@@ -9310,6 +9312,9 @@ void lpfc_fabric_abort_nport(struct lpfc + + pring = lpfc_phba_elsring(phba); + ++ if (unlikely(!pring)) ++ return; ++ + spin_lock_irq(&phba->hbalock); + list_for_each_entry_safe(piocb, tmp_iocb, &phba->fabric_iocb_list, + list) { +@@ -9416,7 +9421,7 @@ lpfc_sli4_els_xri_aborted(struct lpfc_hb + rxid, 1); + + /* Check if TXQ queue needs to be serviced */ +- if (!(list_empty(&pring->txq))) ++ if (pring && !list_empty(&pring->txq)) + lpfc_worker_wake_up(phba); + return; + } +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -3324,7 +3324,8 @@ lpfc_mbx_cmpl_read_topology(struct lpfc_ + + /* Unblock ELS traffic */ + pring = lpfc_phba_elsring(phba); +- pring->flag &= ~LPFC_STOP_IOCB_EVENT; ++ if (pring) ++ pring->flag &= ~LPFC_STOP_IOCB_EVENT; + + /* Check for error */ + if (mb->mbxStatus) { +@@ -5430,6 +5431,8 @@ lpfc_free_tx(struct lpfc_hba *phba, stru + + psli = &phba->sli; + pring = lpfc_phba_elsring(phba); ++ if (unlikely(!pring)) ++ return; + + /* Error matching iocb on txq or txcmplq + * First check the txq. +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -11404,6 +11404,13 @@ lpfc_pci_remove_one_s4(struct pci_dev *p + /* Remove FC host and then SCSI host with the physical port */ + fc_remove_host(shost); + scsi_remove_host(shost); ++ /* ++ * Bring down the SLI Layer. This step disables all interrupts, ++ * clears the rings, discards all mailbox commands, and resets ++ * the HBA FCoE function. ++ */ ++ lpfc_debugfs_terminate(vport); ++ lpfc_sli4_hba_unset(phba); + + /* Perform ndlp cleanup on the physical port. 
The nvme and nvmet + * localports are destroyed after to cleanup all transport memory. +@@ -11412,13 +11419,6 @@ lpfc_pci_remove_one_s4(struct pci_dev *p + lpfc_nvmet_destroy_targetport(phba); + lpfc_nvme_destroy_localport(vport); + +- /* +- * Bring down the SLI Layer. This step disables all interrupts, +- * clears the rings, discards all mailbox commands, and resets +- * the HBA FCoE function. +- */ +- lpfc_debugfs_terminate(vport); +- lpfc_sli4_hba_unset(phba); + + lpfc_stop_hba_timers(phba); + spin_lock_irq(&phba->hbalock); +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -216,7 +216,7 @@ lpfc_els_abort(struct lpfc_hba *phba, st + pring = lpfc_phba_elsring(phba); + + /* In case of error recovery path, we might have a NULL pring here */ +- if (!pring) ++ if (unlikely(!pring)) + return; + + /* Abort outstanding I/O on NPort */ +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -10632,6 +10632,14 @@ lpfc_sli_issue_abort_iotag(struct lpfc_h + (cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED) != 0) + return 0; + ++ if (!pring) { ++ if (cmdiocb->iocb_flag & LPFC_IO_FABRIC) ++ cmdiocb->fabric_iocb_cmpl = lpfc_ignore_els_cmpl; ++ else ++ cmdiocb->iocb_cmpl = lpfc_ignore_els_cmpl; ++ goto abort_iotag_exit; ++ } ++ + /* + * If we're unloading, don't abort iocb on the ELS ring, but change + * the callback so that nothing happens when it finishes. +@@ -12500,6 +12508,8 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lp + unsigned long iflags; + + pring = lpfc_phba_elsring(phba); ++ if (unlikely(!pring)) ++ return NULL; + + wcqe = &irspiocbq->cq_event.cqe.wcqe_cmpl; + spin_lock_irqsave(&pring->ring_lock, iflags); +@@ -18694,6 +18704,8 @@ lpfc_drain_txq(struct lpfc_hba *phba) + uint32_t txq_cnt = 0; + + pring = lpfc_phba_elsring(phba); ++ if (unlikely(!pring)) ++ return 0; + + spin_lock_irqsave(&pring->ring_lock, iflags); + list_for_each_entry(piocbq, &pring->txq, list) { 
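Review bot: The new NULL-`pring` handling reports the same condition in different ways: lpfcdiag_loop_post_rxbufs() folds `!pring` into the allocation check and returns `-ENOMEM`, lpfc_bsg_timeout() returns `-EIO`, and the void handlers return silently. A missing ELS ring during teardown is not an out-of-memory condition, so in lpfcdiag_loop_post_rxbufs() I would test `!pring` separately and set `ret_val = -EIO;` before `goto err_post_rxbufs_exit;`. The added checks are also check-then-use without a lock held, for example lpfc_drain_txq() tests `pring` and only then takes `pring->ring_lock`. They therefore narrow the window rather than close it unless the ring cannot be released concurrently, which these hunks do not show; the reordering in lpfc_pci_remove_one_s4() is what carries the fix, and a comment there saying that interrupts must be disabled before ndlp cleanup would protect the ordering. The move also leaves two consecutive blank lines before `lpfc_stop_hba_timers(phba);`.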
diff --git a/queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch b/queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch new file mode 100644 index 00000000000..55b6aa1b0cf --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch @@ -0,0 +1,40 @@ +From 8e036a9497c5d565baafda4c648f2f372999a547 Mon Sep 17 00:00:00 2001 +From: Dick Kennedy +Date: Fri, 29 Sep 2017 17:34:35 -0700 +Subject: scsi: lpfc: Fix FCP hba_wqidx assignment + +From: Dick Kennedy + +commit 8e036a9497c5d565baafda4c648f2f372999a547 upstream. + +The driver is encountering oops in lpfc_sli_calc_ring. + +The driver is setting hba_wqidx for FCP based on the policy in use for +NVME. The two may not be the same. Change to set the wqidx based on the +FCP policy. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 2893d4fb9654..8c37885f4851 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -9396,10 +9396,13 @@ lpfc_sli4_calc_ring(struct lpfc_hba *phba, struct lpfc_iocbq *piocb) + * for abort iocb hba_wqidx should already + * be setup based on what work queue we used. + */ +- if (!(piocb->iocb_flag & LPFC_USE_FCPWQIDX)) ++ if (!(piocb->iocb_flag & LPFC_USE_FCPWQIDX)) { + piocb->hba_wqidx = + lpfc_sli4_scmd_to_wqidx_distr(phba, + piocb->context1); ++ piocb->hba_wqidx = piocb->hba_wqidx % ++ phba->cfg_fcp_io_channel; ++ } + return phba->sli4_hba.fcp_wq[piocb->hba_wqidx]->pring; + } else { + if (unlikely(!phba->sli4_hba.oas_wq)) diff --git a/queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch b/queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch new file mode 100644 index 00000000000..c3895dc4ad1 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch 
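Review bot: `piocb->hba_wqidx % phba->cfg_fcp_io_channel` divides by a configuration value with no visible guarantee that it is non-zero on this path, since the hunk does not show what guards the enclosing branch. If `cfg_fcp_io_channel` can be 0 here (to be confirmed against the driver's configuration handling), this is a divide error in the I/O submission path, so either a check or a comment naming the invariant is worth adding. The result indexes `phba->sli4_hba.fcp_wq[]` on the next line, so the comment should also state that the array holds `cfg_fcp_io_channel` entries. The two assignments could be a single statement ending in `% phba->cfg_fcp_io_channel;`.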
@@ -0,0 +1,60 @@ +From e7981a2c725f8e237f749fa1358997707d57e32c Mon Sep 17 00:00:00 2001 +From: Dick Kennedy +Date: Fri, 29 Sep 2017 17:34:39 -0700 +Subject: scsi: lpfc: Fix oops if nvmet_fc_register_targetport fails + +From: Dick Kennedy + +commit e7981a2c725f8e237f749fa1358997707d57e32c upstream. + +if nvmet targetport registration fails, the driver encounters a NULL +pointer oops in lpfc_hb_timeout_handler. + +To fix: if registration fails, ensure nvmet_support is cleared on the +port structure. + +Also enhanced the log message on failure. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1138,9 +1138,14 @@ lpfc_nvmet_create_targetport(struct lpfc + #endif + if (error) { + lpfc_printf_log(phba, KERN_ERR, LOG_NVME_DISC, +- "6025 Cannot register NVME targetport " +- "x%x\n", error); ++ "6025 Cannot register NVME targetport x%x: " ++ "portnm %llx nodenm %llx segs %d qs %d\n", ++ error, ++ pinfo.port_name, pinfo.node_name, ++ lpfc_tgttemplate.max_sgl_segments, ++ lpfc_tgttemplate.max_hw_queues); + phba->targetport = NULL; ++ phba->nvmet_support = 0; + + lpfc_nvmet_cleanup_io_context(phba); + +@@ -1152,9 +1157,11 @@ lpfc_nvmet_create_targetport(struct lpfc + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_DISC, + "6026 Registered NVME " + "targetport: %p, private %p " +- "portnm %llx nodenm %llx\n", ++ "portnm %llx nodenm %llx segs %d qs %d\n", + phba->targetport, tgtp, +- pinfo.port_name, pinfo.node_name); ++ pinfo.port_name, pinfo.node_name, ++ lpfc_tgttemplate.max_sgl_segments, ++ lpfc_tgttemplate.max_hw_queues); + + atomic_set(&tgtp->rcv_ls_req_in, 0); + atomic_set(&tgtp->rcv_ls_req_out, 0); 
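Review bot: Message 6026 still formats `phba->targetport` and `tgtp` with `%p` at KERN_INFO, which on kernels that print `%p` unhashed writes kernel addresses into a log that is often readable without privileges. Since this format string is being edited anyway, switching to `%pK` or dropping the two pointers would avoid that. The new `%d` conversions for `lpfc_tgttemplate.max_sgl_segments` and `lpfc_tgttemplate.max_hw_queues` assume int-sized signed fields, and their declared types are not in the hunk, so the specifiers should be checked against the declarations. lpfc_nvmet_create_targetport() starts and ends outside both hunks.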
diff --git a/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch new file mode 100644 index 00000000000..4a15a4caa91 --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch 
@@ -0,0 +1,66 @@ +From 401bb4169da655f3e5d28d0b208182e1ab60bf2a Mon Sep 17 00:00:00 2001 +From: Dick Kennedy +Date: Fri, 29 Sep 2017 17:34:28 -0700 +Subject: scsi: lpfc: fix pci hot plug crash in list_add call + +From: Dick Kennedy + +commit 401bb4169da655f3e5d28d0b208182e1ab60bf2a upstream. + +During pci hot plug, the kernel crashes in a list_add_call + +The lookup by tag function will return null if the IOCB is out of range +or does not have the on txcmplq flag set. + +Fix: Check for null return from lookup by tag. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_sli.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -12507,19 +12507,21 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lp + /* Look up the ELS command IOCB and create pseudo response IOCB */ + cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring, + bf_get(lpfc_wcqe_c_request_tag, wcqe)); +- /* Put the iocb back on the txcmplq */ +- lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq); +- spin_unlock_irqrestore(&pring->ring_lock, iflags); +- + if (unlikely(!cmdiocbq)) { ++ spin_unlock_irqrestore(&pring->ring_lock, iflags); + lpfc_printf_log(phba, KERN_WARNING, LOG_SLI, + "0386 ELS complete with no corresponding " +- "cmdiocb: iotag (%d)\n", +- bf_get(lpfc_wcqe_c_request_tag, wcqe)); ++ "cmdiocb: 0x%x 0x%x 0x%x 0x%x\n", ++ wcqe->word0, wcqe->total_data_placed, ++ wcqe->parameter, wcqe->word3); + lpfc_sli_release_iocbq(phba, irspiocbq); + return NULL; + } + ++ /* Put the iocb back on the txcmplq */ ++ lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq); ++ spin_unlock_irqrestore(&pring->ring_lock, iflags); ++ + /* Fake the irspiocbq and copy necessary response information */ + lpfc_sli4_iocb_param_transfer(phba, irspiocbq, cmdiocbq, wcqe); + +@@ -17137,7 +17139,8 @@ exit: + if 
(pcmd && pcmd->virt) + dma_pool_free(phba->lpfc_drb_pool, pcmd->virt, pcmd->phys); + kfree(pcmd); +- lpfc_sli_release_iocbq(phba, iocbq); ++ if (iocbq) ++ lpfc_sli_release_iocbq(phba, iocbq); + lpfc_in_buf_free(phba, &dmabuf->dbuf); + } + diff --git a/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch new file mode 100644 index 00000000000..d2120db773f --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch @@ -0,0 +1,38 @@ +From 1901762f2ca2747ed269239ca5332a8023ce4e3d Mon Sep 17 00:00:00 2001 +From: Dick Kennedy +Date: Fri, 29 Sep 2017 17:34:27 -0700 +Subject: scsi: lpfc: fix pci hot plug crash in timer management routines + +From: Dick Kennedy + +commit 1901762f2ca2747ed269239ca5332a8023ce4e3d upstream. + +During pci hot plug, the kernel crashes in timer management code. + +The sli4 remove_one handler is not stoping the timers as it starts to +remove the port so that it can be swapped. + +Fix: Stop the timers early in the handler routine. + +Note: Fix in SLI-4 only. SLI-3 already stopped the timers properly. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -11420,6 +11420,7 @@ lpfc_pci_remove_one_s4(struct pci_dev *p + lpfc_debugfs_terminate(vport); + lpfc_sli4_hba_unset(phba); + ++ lpfc_stop_hba_timers(phba); + spin_lock_irq(&phba->hbalock); + list_del_init(&vport->listentry); + spin_unlock_irq(&phba->hbalock); diff --git a/queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch b/queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch new file mode 100644 index 00000000000..a2622bbd817 
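Review bot: The reworded 0386 warning in lpfc_sli4_els_wcqe_to_rspiocbq() prints four raw WCQE words without field names and drops the decoded request tag, so whoever reads the log has to re-derive the tag by hand. Keeping it alongside the raw words, e.g. `"cmdiocb: iotag (%d) 0x%x 0x%x 0x%x 0x%x\n"` with `bf_get(lpfc_wcqe_c_request_tag, wcqe)` as the first argument, costs nothing. Because this branch runs once per completion whose tag cannot be matched, it may also be worth rate limiting; whether such completions can arrive in bursts is not visible here. In the second hunk, a one-line comment at the `exit:` label saying that `iocbq` may be NULL on the error path would explain the new guard.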
--- /dev/null +++ b/queue-4.14/scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch 
@@ -0,0 +1,60 @@
+From 8653188763b56e0bcbdcab30cc7b059672c900ac Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 6 Nov 2017 11:59:05 -0800
+Subject: scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair()
+
+From: Bart Van Assche
+
+commit 8653188763b56e0bcbdcab30cc7b059672c900ac upstream.
+
+Avoid that the following is reported while loading the qla2xxx
+kernel module:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/783
+caller is debug_smp_processor_id+0x17/0x20
+CPU: 7 PID: 783 Comm: modprobe Not tainted 4.14.0-rc8-dbg+ #2
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ dump_stack+0x8e/0xce
+ check_preemption_disabled+0xe3/0xf0
+ debug_smp_processor_id+0x17/0x20
+ qla2x00_probe_one+0xf43/0x26c0 [qla2xxx]
+ pci_device_probe+0xca/0x140
+ driver_probe_device+0x2e2/0x440
+ __driver_attach+0xa3/0xe0
+ bus_for_each_dev+0x5f/0x90
+ driver_attach+0x19/0x20
+ bus_add_driver+0x1c0/0x260
+ driver_register+0x5b/0xd0
+ __pci_register_driver+0x63/0x70
+ qla2x00_module_init+0x1d6/0x222 [qla2xxx]
+ do_one_initcall+0x3c/0x163
+ do_init_module+0x55/0x1eb
+ load_module+0x20a2/0x2890
+ SYSC_finit_module+0xd7/0xf0
+ SyS_finit_module+0x9/0x10
+ entry_SYSCALL_64_fastpath+0x23/0xc2
+
+Fixes: commit 8abfa9e22683 ("scsi: qla2xxx: Add function call to qpair for door bell")
+Signed-off-by: Bart Van Assche
+Cc: Quinn Tran
+Cc: Himanshu Madhani
+Acked-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -388,7 +388,7 @@ static void qla_init_base_qpair(struct s
+ INIT_LIST_HEAD(&ha->base_qpair->nvme_done_list);
+ ha->base_qpair->enable_class_2 = ql2xenableclass2;
+ /* init qpair to this cpu. Will adjust at run time. */
+- qla_cpu_update(rsp->qpair, smp_processor_id());
++ qla_cpu_update(rsp->qpair, raw_smp_processor_id());
+ ha->base_qpair->pdev = ha->pdev;
+
+ if (IS_QLA27XX(ha) || IS_QLA83XX(ha))
diff --git a/queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch b/queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
new file mode 100644
index 00000000000..1aca784428c
--- /dev/null
+++ b/queue-4.14/scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
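Review bot: Switching to `raw_smp_processor_id()` in `qla_init_base_qpair()` silences the preemption check but does not pin the task, so the CPU id passed to `qla_cpu_update()` can already be stale when it is stored. The kept comment hints at this ("Will adjust at run time"), but it should say outright that the value is a placement hint and must not be relied on for per-CPU data access. Suggested wording: `/* Initial CPU is only a hint: probe runs preemptible, so use the raw id; adjusted at run time. */`. The function body extends beyond the hunk, so where the adjustment happens is not visible here.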
@@ -0,0 +1,46 @@
+From 4a109032e3941413d8a029f619543fc5aec1d26d Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Wed, 11 Oct 2017 05:54:25 +0900
+Subject: scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics()
+
+From: Damien Le Moal
+
+commit 4a109032e3941413d8a029f619543fc5aec1d26d upstream.
+
+The three values starting at byte 8 of the Zoned Block Device
+Characteristics VPD page B6h are 32 bits values, not 64bits. So use
+get_unaligned_be32() to retrieve the values and not get_unaligned_be64()
+
+Fixes: 89d947561077 ("sd: Implement support for ZBC devices")
+Signed-off-by: Damien Le Moal
+Reviewed-by: Bart Van Assche
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd_zbc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -375,15 +375,15 @@ static int sd_zbc_read_zoned_characteris
+ if (sdkp->device->type != TYPE_ZBC) {
+ /* Host-aware */
+ sdkp->urswrz = 1;
+- sdkp->zones_optimal_open = get_unaligned_be64(&buf[8]);
+- sdkp->zones_optimal_nonseq = get_unaligned_be64(&buf[12]);
++ sdkp->zones_optimal_open = get_unaligned_be32(&buf[8]);
++ sdkp->zones_optimal_nonseq = get_unaligned_be32(&buf[12]);
+ sdkp->zones_max_open = 0;
+ } else {
+ /* Host-managed */
+ sdkp->urswrz = buf[4] & 1;
+ sdkp->zones_optimal_open = 0;
+ sdkp->zones_optimal_nonseq = 0;
+- sdkp->zones_max_open = get_unaligned_be64(&buf[16]);
++ sdkp->zones_max_open = get_unaligned_be32(&buf[16]);
+ }
+
+ return 0;
diff --git a/queue-4.14/series b/queue-4.14/series
index 6163eea3786..9fb800ab3d0 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
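Review bot: With 32-bit reads at offsets 8, 12 and 16, `sd_zbc_read_zoned_characteristics()` consumes bytes 8 through 19 of the device-supplied VPD page B6h, and nothing in this hunk shows that the returned page is at least 20 bytes long. The buffer setup and the page fetch are outside the hunk, so this may already be guaranteed; if it is not, a short or malformed page from the device would leave these fields filled from whatever the buffer held before. A one-line comment naming the layout, such as `/* bytes 8..19 of VPD B6h: three 32-bit big-endian zone counts */`, would make the assumption checkable.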
@@ -42,3 +42,92 @@ dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
 ovl-put-upperdentry-if-ovl_check_origin-fails.patch
 dm-allocate-struct-mapped_device-with-kvzalloc.patch
 sched-rt-simplify-the-ipi-based-rt-balancing-logic.patch
+mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+dm-discard-support-requires-all-targets-in-a-table-support-discards.patch
+mips-fix-odd-fp-register-warnings-with-mips64r2.patch
+mips-fix-mips64-fp-save-restore-on-32-bit-kernels.patch
+mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+mips-math-emu-fix-final-emulation-phase-for-certain-instructions.patch
+rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
+mm-z3fold.c-use-kref-to-prevent-page-free-compact-race.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+fscrypt-lock-mutex-before-checking-for-bounce-page-pool.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+fs-guard_bio_eod-needs-to-consider-partitions.patch
+fanotify-fix-fsnotify_prepare_user_wait-failure.patch
+isofs-fix-timestamps-beyond-2027.patch
+btrfs-change-how-we-decide-to-commit-transactions-during-flushing.patch
+f2fs-expose-some-sectors-to-user-in-inline-data-or-dentry-case.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-revert-nfs-move-the-flock-open-mode-check-into-nfs_flock.patch
+nfs-fix-ugly-referral-attributes.patch
+nfs-avoid-rcu-usage-in-tracepoints.patch
+nfs-revalidate-.-etc-correctly-on-open.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
+rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
+iwlwifi-fix-firmware-names-for-9000-and-a000-series-hw.patch
+md-fix-deadlock-error-in-recent-patch.patch
+md-don-t-check-md_sb_change_clean-in-md_allow_write.patch
+bluetooth-btqcomsmd-add-support-for-bd-address-setup.patch
+md-bitmap-revert-a-patch.patch
+fsnotify-clean-up-fsnotify_prepare-finish_user_wait.patch
+fsnotify-pin-both-inode-and-vfsmount-mark.patch
+fsnotify-fix-pinning-group-in-fsnotify_prepare_user_wait.patch
+ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+ext4-prevent-data-corruption-with-inline-data-dax.patch
+ext4-prevent-data-corruption-with-journaling-dax.patch
+alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+alsa-hda-realtek-fix-alc275-no-sound-issue.patch
+alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
+alsa-hda-fix-yet-remaining-issue-with-vmaster-0db-initialization.patch
+alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
+asoc-sun8i-codec-invert-master-slave-condition.patch
+asoc-sun8i-codec-fix-left-and-right-channels-inversion.patch
+asoc-sun8i-codec-set-the-bclk-divider.patch
+mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
+fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
+9p-fix-missing-commas-in-mount-options.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+net-9p-switch-to-wait_event_killable.patch
+scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_init_base_qpair.patch
+scsi-sd_zbc-fix-sd_zbc_read_zoned_characteristics.patch
+scsi-lpfc-fix-pci-hot-plug-crash-in-timer-management-routines.patch
+scsi-lpfc-fix-pci-hot-plug-crash-in-list_add-call.patch
+scsi-lpfc-fix-crash-receiving-els-while-detaching-driver.patch
+scsi-lpfc-fix-fcp-hba_wqidx-assignment.patch
+scsi-lpfc-fix-oops-if-nvmet_fc_register_targetport-fails.patch
+iscsi-target-make-task_reassign-use-proper-se_cmd-cmd_kref.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch
+target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
+target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
+target-fix-queue_full-scsi-task-attribute-handling.patch
+target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
+target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch
+target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
+mtd-avoid-probe-failures-when-mtd-dbg.dfs_dir-is-invalid.patch
+mtd-nand-export-nand_reset-symbol.patch
+mtd-nand-atmel-actually-use-the-pm-ops.patch
+mtd-nand-omap2-fix-subpage-write.patch
+mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
+mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
+mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-sequence.patch
+p54-don-t-unregister-leds-when-they-are-not-initialized.patch
+block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
+raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch
+genirq-track-whether-the-trigger-type-has-been-set.patch
+irqchip-gic-v3-fix-ppi-partitions-lookup.patch
+lockd-double-unregister-of-inetaddr-notifiers.patch
diff --git a/queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch b/queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
new file mode 100644
index 00000000000..cb508f1fecb
--- /dev/null
+++ b/queue-4.14/target-avoid-early-cmd_t_pre_execute-failures-during-abort_task.patch
@@ -0,0 +1,93 @@
+From 1c21a48055a67ceb693e9c2587824a8de60a217c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 27 Oct 2017 22:19:26 -0800
+Subject: target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
+
+From: Nicholas Bellinger
+
+commit 1c21a48055a67ceb693e9c2587824a8de60a217c upstream.
+
+This patch fixes bug where early se_cmd exceptions that occur
+before backend execution can result in use-after-free if/when
+a subsequent ABORT_TASK occurs for the same tag.
+
+Since an early se_cmd exception will have had se_cmd added to
+se_session->sess_cmd_list via target_get_sess_cmd(), it will
+not have CMD_T_COMPLETE set by the usual target_complete_cmd()
+backend completion path.
+
+This causes a subsequent ABORT_TASK + __target_check_io_state()
+to signal ABORT_TASK should proceed. As core_tmr_abort_task()
+executes, it will bring the outstanding se_cmd->cmd_kref count
+down to zero releasing se_cmd, after se_cmd has already been
+queued with error status into fabric driver response path code.
+
+To address this bug, introduce a CMD_T_PRE_EXECUTE bit that is
+set at target_get_sess_cmd() time, and cleared immediately before
+backend driver dispatch in target_execute_cmd() once CMD_T_ACTIVE
+is set.
+
+Then, check CMD_T_PRE_EXECUTE within __target_check_io_state() to
+determine when an early exception has occured, and avoid aborting
+this se_cmd since it will have already been queued into fabric
+driver response path code.
+
+Reported-by: Donald White
+Cc: Donald White
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_tmr.c | 9 +++++++++
+ drivers/target/target_core_transport.c | 2 ++
+ include/target/target_core_base.h | 1 +
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -133,6 +133,15 @@ static bool __target_check_io_state(stru
+ spin_unlock(&se_cmd->t_state_lock);
+ return false;
+ }
++ if (se_cmd->transport_state & CMD_T_PRE_EXECUTE) {
++ if (se_cmd->scsi_status) {
++ pr_debug("Attempted to abort io tag: %llu early failure"
++ " status: 0x%02x\n", se_cmd->tag,
++ se_cmd->scsi_status);
++ spin_unlock(&se_cmd->t_state_lock);
++ return false;
++ }
++ }
+ if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
+ pr_debug("Attempted to abort io tag: %llu already shutdown,"
+ " skipping\n", se_cmd->tag);
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1974,6 +1974,7 @@ void target_execute_cmd(struct se_cmd *c
+ }
+
+ cmd->t_state = TRANSPORT_PROCESSING;
++ cmd->transport_state &= ~CMD_T_PRE_EXECUTE;
+ cmd->transport_state |= CMD_T_ACTIVE | CMD_T_SENT;
+ spin_unlock_irq(&cmd->t_state_lock);
+
+@@ -2682,6 +2683,7 @@ int target_get_sess_cmd(struct se_cmd *s
+ ret = -ESHUTDOWN;
+ goto out;
+ }
++ se_cmd->transport_state |= CMD_T_PRE_EXECUTE;
+ list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
+ out:
+ spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -490,6 +490,7 @@ struct se_cmd {
+ #define CMD_T_STOP (1 << 5)
+ #define CMD_T_TAS (1 << 10)
+ #define CMD_T_FABRIC_STOP (1 << 11)
++#define CMD_T_PRE_EXECUTE (1 << 12)
+ spinlock_t t_state_lock;
+ struct kref cmd_kref;
+ struct completion t_transport_stop_comp;
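Review bot: In `target_get_sess_cmd()` the new `se_cmd->transport_state |= CMD_T_PRE_EXECUTE;` is a read-modify-write done under `sess_cmd_lock`, while the other two places touched by this patch (`__target_check_io_state()` and `target_execute_cmd()`) access `transport_state` under `t_state_lock`. That is presumably safe because the command is put on `sess_cmd_list` only on the following line, but the hunk does not show whether the command can already be reached some other way, and the function starts outside it. I would record the reasoning next to the assignment, e.g. `/* not yet on sess_cmd_list, so t_state_lock is not needed here */`, or take `t_state_lock` if that assumption does not hold.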
diff --git a/queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch b/queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
new file mode 100644
index 00000000000..87b4a00b4ba
--- /dev/null
+++ b/queue-4.14/target-fix-buffer-offset-in-core_scsi3_pri_read_full_status.patch
@@ -0,0 +1,40 @@
+From c58a252beb04cf0e02d6a746b2ed7ea89b6deb71 Mon Sep 17 00:00:00 2001
+From: tangwenji
+Date: Thu, 17 Aug 2017 19:51:54 +0800
+Subject: target: fix buffer offset in core_scsi3_pri_read_full_status
+
+From: tangwenji
+
+commit c58a252beb04cf0e02d6a746b2ed7ea89b6deb71 upstream.
+
+When at least two initiators register pr on the same LUN,
+the target returns the exception data due to buffer offset
+error, therefore the initiator executes command 'sg_persist -s'
+may cause the initiator to appear segfault error.
+
+This fixes a regression originally introduced by:
+
+ commit a85d667e58bddf73be84d1981b41eaac985ed216
+ Author: Bart Van Assche
+ Date: Tue May 23 16:48:27 2017 -0700
+
+ target: Use {get,put}_unaligned_be*() instead of open coding these functions
+
+Signed-off-by: tangwenji
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_pr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -4011,6 +4011,7 @@ core_scsi3_pri_read_full_status(struct s
+ * Set the ADDITIONAL DESCRIPTOR LENGTH
+ */
+ put_unaligned_be32(desc_len, &buf[off]);
++ off += 4;
+ /*
+ * Size of full desctipor header minus TransportID
+ * containing $FABRIC_MOD specific) initiator device/port
diff --git a/queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch b/queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
new file mode 100644
index 00000000000..b7b0742b228
--- /dev/null
+++ b/queue-4.14/target-fix-caw_sem-leak-in-transport_generic_request_failure.patch
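Review bot: The cursor advance `off += 4;` in `core_scsi3_pri_read_full_status()` is a separate statement from the `put_unaligned_be32(desc_len, &buf[off])` it belongs to, which is apparently how the regression named in the commit message lost it. The rest of the function is outside this hunk, so the other `put_unaligned_be*()` stores there should be checked for the same missing advance. Extending the existing comment to `Set the ADDITIONAL DESCRIPTOR LENGTH (4 bytes) and step past it` would keep the pair together for the next refactoring. Because a wrong offset ends up in the data returned to the initiator, it is also worth confirming that `off` is checked against the response buffer size; no such check is visible in the hunk.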
@@ -0,0 +1,72 @@
+From fd2f928b0ddd2fe8876d4f1344df2ace2b715a4d Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 29 Sep 2017 16:03:24 -0700
+Subject: target: Fix caw_sem leak in transport_generic_request_failure
+
+From: Nicholas Bellinger
+
+commit fd2f928b0ddd2fe8876d4f1344df2ace2b715a4d upstream.
+
+With the recent addition of transport_check_aborted_status() within
+transport_generic_request_failure() to avoid sending a SCSI status
+exception after CMD_T_ABORTED w/ TAS=1 has occured, it introduced
+a COMPARE_AND_WRITE early failure regression.
+
+Namely when COMPARE_AND_WRITE fails and se_device->caw_sem has
+been taken by sbc_compare_and_write(), if the new check for
+transport_check_aborted_status() returns true and exits,
+cmd->transport_complete_callback() -> compare_and_write_post()
+is skipped never releasing se_device->caw_sem.
+
+This regression was originally introduced by:
+
+ commit e3b88ee95b4e4bf3e9729a4695d695b9c7c296c8
+ Author: Bart Van Assche
+ Date: Tue Feb 14 16:25:45 2017 -0800
+
+ target: Fix handling of aborted failed commands
+
+To address this bug, move the transport_check_aborted_status()
+call after transport_complete_task_attr() and
+cmd->transport_complete_callback().
+
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Cc: Bart Van Assche
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1730,9 +1730,6 @@ void transport_generic_request_failure(s
+ {
+ int ret = 0, post_ret = 0;
+
+- if (transport_check_aborted_status(cmd, 1))
+- return;
+-
+ pr_debug("-----[ Storage Engine Exception; sense_reason %d\n",
+ sense_reason);
+ target_show_cmd("-----[ ", cmd);
+@@ -1741,6 +1738,7 @@ void transport_generic_request_failure(s
+ * For SAM Task Attribute emulation for failed struct se_cmd
+ */
+ transport_complete_task_attr(cmd);
++
+ /*
+ * Handle special case for COMPARE_AND_WRITE failure, where the
+ * callback is expected to drop the per device ->caw_sem.
+@@ -1749,6 +1747,9 @@ void transport_generic_request_failure(s
+ cmd->transport_complete_callback)
+ cmd->transport_complete_callback(cmd, false, &post_ret);
+
++ if (transport_check_aborted_status(cmd, 1))
++ return;
++
+ switch (sense_reason) {
+ case TCM_NON_EXISTENT_LUN:
+ case TCM_UNSUPPORTED_SCSI_OPCODE:
diff --git a/queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch b/queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
new file mode 100644
index 00000000000..4f51cc3f2e9
--- /dev/null
+++ b/queue-4.14/target-fix-null-pointer-regression-in-core_tmr_drain_tmr_list.patch
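Review bot: The relocated `transport_check_aborted_status(cmd, 1)` in `transport_generic_request_failure()` carries no comment saying why it must come after the COMPARE_AND_WRITE callback, so a later cleanup could move it back to the top and reintroduce the `caw_sem` leak. I would add above it `/* Keep after transport_complete_callback(): the callback drops ->caw_sem and must run for aborted commands too. */`. As a side effect of the move, `pr_debug()`, `target_show_cmd()` and `transport_complete_task_attr()` now also run for aborted commands; the commit message covers the task-attribute call but not the extra debug output. The function continues past the end of the last hunk.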
@@ -0,0 +1,42 @@
+From 88fb2fa7db7510bf1078226ab48d162d9854f3d4 Mon Sep 17 00:00:00 2001
+From: tangwenji
+Date: Wed, 16 Aug 2017 16:39:00 +0800
+Subject: target: fix null pointer regression in core_tmr_drain_tmr_list
+
+From: tangwenji
+
+commit 88fb2fa7db7510bf1078226ab48d162d9854f3d4 upstream.
+
+The target system kernel crash when the initiator executes
+the sg_persist -A command,because of the second argument to
+be set to NULL when core_tmr_lun_reset is called in
+core_scsi3_pro_preempt function.
+
+This fixes a regression originally introduced by:
+
+ commit 51ec502a32665fed66c7f03799ede4023b212536
+ Author: Bart Van Assche
+ Date: Tue Feb 14 16:25:54 2017 -0800
+
+ target: Delete tmr from list before processing
+
+Signed-off-by: tangwenji
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_tmr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -217,7 +217,8 @@ static void core_tmr_drain_tmr_list(
+ * LUN_RESET tmr..
+ */
+ spin_lock_irqsave(&dev->se_tmr_lock, flags);
+- list_del_init(&tmr->tmr_list);
++ if (tmr)
++ list_del_init(&tmr->tmr_list);
+ list_for_each_entry_safe(tmr_p, tmr_pp, &dev->dev_tmr_list, tmr_list) {
+ cmd = tmr_p->task_cmd;
+ if (!cmd) {
diff --git a/queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch b/queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch
new file mode 100644
index 00000000000..bd649e4ec72
--- /dev/null
+++ b/queue-4.14/target-fix-queue_full-scsi-task-attribute-handling.patch
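Review bot: `core_tmr_drain_tmr_list()` now tolerates `tmr == NULL`, but the visible tail of the comment above the lock (`LUN_RESET tmr..`) does not mention that case and nothing in the code says which caller passes NULL. A line before the `if (tmr)` such as `/* tmr may be NULL when the reset does not originate from a LUN_RESET TMR */` would document the contract; the exact wording should follow the preempt path named in the commit message. The remainder of the function is outside the hunk, so any later use of `tmr` there needs the same guard.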
@@ -0,0 +1,57 @@
+From 1c79df1f349fb6050016cea4ef1dfbc3853a5685 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 22 Sep 2017 16:48:28 -0700
+Subject: target: Fix QUEUE_FULL + SCSI task attribute handling
+
+From: Nicholas Bellinger
+
+commit 1c79df1f349fb6050016cea4ef1dfbc3853a5685 upstream.
+
+This patch fixes a bug during QUEUE_FULL where transport_complete_qf()
+calls transport_complete_task_attr() after it's already been invoked
+by target_complete_ok_work() or transport_generic_request_failure()
+during initial completion, preceeding QUEUE_FULL.
+
+This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id
+and/or se_device->dev_ordered_sync being updated multiple times for
+a single se_cmd.
+
+To address this bug, clear SCF_TASK_ATTR_SET after the first call
+to transport_complete_task_attr(), and avoid updating SCSI task
+attribute related counters for any subsequent calls.
+
+Also, when a se_cmd is deferred due to ordered tags and executed
+via target_restart_delayed_cmds(), set CMD_T_SENT before execution
+matching what target_execute_cmd() does.
+
+Cc: Michael Cyr
+Cc: Bryant G. Ly
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2010,6 +2010,8 @@ static void target_restart_delayed_cmds(
+ list_del(&cmd->se_delayed_node);
+ spin_unlock(&dev->delayed_cmd_lock);
+
++ cmd->transport_state |= CMD_T_SENT;
++
+ __target_execute_cmd(cmd, true);
+
+ if (cmd->sam_task_attr == TCM_ORDERED_TAG)
+@@ -2045,6 +2047,8 @@ static void transport_complete_task_attr
+ pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n",
+ dev->dev_cur_ordered_id);
+ }
++ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;
++
+ restart:
+ target_restart_delayed_cmds(dev);
+ }
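Review bot: In `target_restart_delayed_cmds()` the added `cmd->transport_state |= CMD_T_SENT;` is a non-atomic update made right after `delayed_cmd_lock` is released, with no `t_state_lock` visible around it, although the commit message says it mirrors `target_execute_cmd()`. If another context can update `transport_state` for this command at that point (an abort, for instance), one of the two updates could be lost; the hunk does not show enough to rule that out. Either take `t_state_lock` around the assignment or add a comment stating why it is not needed, e.g. `/* delayed cmd is not being processed elsewhere; t_state_lock not required */`, if that is indeed the case.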
diff --git a/queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch b/queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch
new file mode 100644
index 00000000000..0adf090f48b
--- /dev/null
+++ b/queue-4.14/target-fix-quiese-during-transport_write_pending_qf-endless-loop.patch
@@ -0,0 +1,55 @@
+From 9574a497df2bbc0a676b609ce0dd24d237cee3a6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 29 Sep 2017 16:43:11 -0700
+Subject: target: Fix quiese during transport_write_pending_qf endless loop
+
+From: Nicholas Bellinger
+
+commit 9574a497df2bbc0a676b609ce0dd24d237cee3a6 upstream.
+
+This patch fixes a potential end-less loop during QUEUE_FULL,
+where cmd->se_tfo->write_pending() callback fails repeatedly
+but __transport_wait_for_tasks() has already been invoked to
+quiese the outstanding se_cmd descriptor.
+
+To address this bug, this patch adds a CMD_T_STOP|CMD_T_ABORTED
+check within transport_write_pending_qf() and invokes the
+existing se_cmd->t_transport_stop_comp to signal quiese
+completion back to __transport_wait_for_tasks().
+
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Cc: Bryant G. Ly
+Cc: Michael Cyr
+Cc: Potnuri Bharat Teja
+Cc: Sagi Grimberg
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2575,7 +2575,20 @@ EXPORT_SYMBOL(transport_generic_new_cmd)
+
+ static void transport_write_pending_qf(struct se_cmd *cmd)
+ {
++ unsigned long flags;
+ int ret;
++ bool stop;
++
++ spin_lock_irqsave(&cmd->t_state_lock, flags);
++ stop = (cmd->transport_state & (CMD_T_STOP | CMD_T_ABORTED));
++ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++
++ if (stop) {
++ pr_debug("%s:%d CMD_T_STOP|CMD_T_ABORTED for ITT: 0x%08llx\n",
++ __func__, __LINE__, cmd->tag);
++ complete_all(&cmd->t_transport_stop_comp);
++ return;
++ }
+
+ ret = cmd->se_tfo->write_pending(cmd);
+ if (ret) {
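Review bot: The stop/abort test in `transport_write_pending_qf()` is only a snapshot: `t_state_lock` is dropped before `write_pending()` is called, so `CMD_T_STOP` or `CMD_T_ABORTED` set just after the unlock is noticed only on a later pass through this function. That is acceptable if every failed `write_pending()` leads back here, which only the part of the function after the hunk can show. I would add a comment above the locked read, for example `/* Snapshot: a stop/abort raised after unlock is caught on the next QUEUE_FULL retry. */`. It is also worth confirming that `complete_all()` on `t_transport_stop_comp` is intended when only `CMD_T_ABORTED` is set, since the commit message describes signalling a waiter in `__transport_wait_for_tasks()`.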