From: Greg Kroah-Hartman Date: Mon, 12 Mar 2018 15:47:06 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.14.27~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b2ba2212e9fc5d02e904b228a20db1b9594d046;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch alsa-hda-realtek-limit-mic-boost-on-t480.patch alsa-hda-realtek-make-dock-sound-work-on-thinkpad-l570.patch alsa-seq-don-t-allow-resizing-pool-in-use.patch alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch bcache-don-t-attach-backing-with-duplicate-uuid.patch bcache-fix-crashes-in-duplicate-cache-device-register.patch drm-allow-determining-if-current-task-is-output-poll-worker.patch drm-amdgpu-always-save-uvd-vcpu_bo-in-vm-mode.patch drm-amdgpu-correct-max-uvd-handles.patch drm-amdgpu-fix-deadlock-on-runtime-suspend.patch drm-amdgpu-fix-kv-harvesting.patch drm-amdgpu-notify-sbios-device-ready-before-send-request.patch drm-i915-always-call-to-intel_display_set_init_power-in-resume_early.patch drm-i915-try-edid-bitbanging-on-hdmi-after-failed-read.patch drm-nouveau-fix-deadlock-on-runtime-suspend.patch drm-radeon-fix-deadlock-on-runtime-suspend.patch drm-radeon-fix-kv-harvesting.patch ib-mlx5-fix-incorrect-size-of-klms-in-the-memory-region.patch input-matrix_keypad-fix-race-when-disabling-interrupts.patch kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch kvm-s390-fix-memory-overwrites-when-not-using-sca-entries.patch loop-fix-lost-writes-caused-by-missing-flag.patch mips-ath25-check-for-kzalloc-allocation-failure.patch mips-bmips-do-not-mask-ipis-during-suspend.patch mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch perf-tools-fix-trigger-class-trigger_on.patch scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch virtio_ring-fix-num_free-handling-in-error-case.patch workqueue-allow-retrieval-of-current-task-s-work-struct.patch x86-mce-serialize-sysfs-changes.patch x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch --- diff --git a/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch new file mode 100644 index 00000000000..19a3a16357f --- /dev/null +++ b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch @@ -0,0 +1,32 @@ +From aea808172018ca01abf53db808323aed23281835 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Thu, 8 Mar 2018 15:49:03 +0100 +Subject: ALSA: hda: add dock and led support for HP EliteBook 820 G3 + +From: Dennis Wassenberg + +commit aea808172018ca01abf53db808323aed23281835 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP EliteBook 820 G3 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -849,6 +849,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC), + SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), diff --git a/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch new file mode 100644 index 00000000000..624bfac45c4 --- /dev/null +++ b/queue-4.9/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch @@ -0,0 +1,32 @@ +From 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Thu, 8 Mar 2018 15:49:24 +0100 +Subject: ALSA: hda: add dock and led support for HP ProBook 640 G2 + +From: Dennis Wassenberg + +commit 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP ProBook 640 G2 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -850,6 +850,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), diff --git a/queue-4.9/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch b/queue-4.9/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch new file mode 100644 index 00000000000..0843b63f6af --- /dev/null +++ b/queue-4.9/alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch @@ -0,0 +1,36 @@ +From d5078193e56bb24f4593f00102a3b5e07bb84ee0 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Fri, 2 Mar 2018 13:05:36 +0800 +Subject: ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines + +From: Hui Wang + +commit d5078193e56bb24f4593f00102a3b5e07bb84ee0 upstream. + +With the alc289, the Pin 0x1b is Headphone-Mic, so we should assign +ALC269_FIXUP_DELL4_MIC_NO_PRESENCE rather than +ALC225_FIXUP_DELL1_MIC_NO_PRESENCE to it. And this change is suggested +by Kailang of Realtek and is verified on the machine. + +Fixes: 3f2f7c553d07 ("ALSA: hda - Fix headset mic detection problem for two Dell machines") +Cc: Kailang Yang +Cc: +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6134,7 +6134,7 @@ static const struct snd_hda_pin_quirk al + {0x12, 0x90a60120}, + {0x14, 0x90170110}, + {0x21, 0x0321101f}), +- SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, ++ SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, + {0x12, 0xb7a60130}, + {0x14, 0x90170110}, + {0x21, 0x04211020}), diff --git a/queue-4.9/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch b/queue-4.9/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch new file mode 100644 index 00000000000..5ccf867ecda --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch @@ -0,0 +1,72 @@ +From e312a869cd726c698a75caca0d9e5c22fd3f1534 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Mar 2018 12:14:17 +0100 +Subject: ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 + +From: Takashi Iwai + +commit e312a869cd726c698a75caca0d9e5c22fd3f1534 upstream. + +The dock line-out pin (NID 0x17 of ALC3254 codec) on Dell Precision +7520 may route to three different DACs, 0x02, 0x03 and 0x06. The +first two DACS have the volume amp controls while the last one +doesn't. And unfortunately, the auto-parser assigns this pin to DAC3, +resulting in the non-working volume control for the line out. + +Fix it by disabling the routing to DAC3 on the corresponding pin. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199029 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4760,6 +4760,16 @@ static void alc298_fixup_speaker_volume( + } + } + ++/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */ ++static void alc295_fixup_disable_dac3(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ hda_nid_t conn[2] = { 0x02, 0x03 }; ++ snd_hda_override_conn_list(codec, 0x17, 2, conn); ++ } ++} ++ + /* Hook to update amp GPIO4 for automute */ + static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec, + struct hda_jack_callback *jack) +@@ -4909,6 +4919,7 @@ enum { + ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, + ALC255_FIXUP_DELL_SPK_NOISE, + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC295_FIXUP_DISABLE_DAC3, + ALC280_FIXUP_HP_HEADSET_MIC, + ALC221_FIXUP_HP_FRONT_MIC, + ALC292_FIXUP_TPT460, +@@ -5601,6 +5612,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, + }, ++ [ALC295_FIXUP_DISABLE_DAC3] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc295_fixup_disable_dac3, ++ }, + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -5664,6 +5679,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE), + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), ++ SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), + SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), diff --git a/queue-4.9/alsa-hda-realtek-limit-mic-boost-on-t480.patch b/queue-4.9/alsa-hda-realtek-limit-mic-boost-on-t480.patch new file mode 100644 index 00000000000..f741bd77e96 --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-limit-mic-boost-on-t480.patch @@ -0,0 +1,32 @@ +From 85981dfd6b0a0fd9ed87ca4a525981b67c21f098 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Wed, 14 Feb 2018 13:29:39 +0100 +Subject: ALSA: hda/realtek: Limit mic boost on T480 + +From: Benjamin Berg + +commit 85981dfd6b0a0fd9ed87ca4a525981b67c21f098 upstream. + +The internal mic boost on the T480 is too high. Fix this by applying the +ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine to limit the gain. + +Signed-off-by: Benjamin Berg +Tested-by: Benjamin Berg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5788,6 +5788,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), diff --git a/queue-4.9/alsa-hda-realtek-make-dock-sound-work-on-thinkpad-l570.patch b/queue-4.9/alsa-hda-realtek-make-dock-sound-work-on-thinkpad-l570.patch new file mode 100644 index 00000000000..7df62517258 --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-make-dock-sound-work-on-thinkpad-l570.patch @@ -0,0 +1,33 @@ +From e4c07b3b66b7d6a24c2fe3b1ddeff5cd9b378b3a Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Thu, 8 Mar 2018 13:17:54 +0100 +Subject: ALSA: hda/realtek - Make dock sound work on ThinkPad L570 + +From: Dennis Wassenberg + +commit e4c07b3b66b7d6a24c2fe3b1ddeff5cd9b378b3a upstream. + +One version of Lenovo Thinkpad T570 did not use ALC298 +(like other Kaby Lake devices). Instead it uses ALC292. +In order to make the Lenovo dock working with that codec +the dock quirk for ALC292 will be used. + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5801,6 +5801,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x2249, "Thinkpad", ALC292_FIXUP_TPT460), + SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), diff --git a/queue-4.9/alsa-seq-don-t-allow-resizing-pool-in-use.patch b/queue-4.9/alsa-seq-don-t-allow-resizing-pool-in-use.patch new file mode 100644 index 00000000000..0ac1bceac76 --- /dev/null +++ b/queue-4.9/alsa-seq-don-t-allow-resizing-pool-in-use.patch @@ -0,0 +1,45 @@ +From d85739367c6d56e475c281945c68fdb05ca74b4c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Mar 2018 22:00:55 +0100 +Subject: ALSA: seq: Don't allow resizing pool in use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit d85739367c6d56e475c281945c68fdb05ca74b4c upstream. + +This is a fix for a (sort of) fallout in the recent commit +d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for +CVE-2018-1000004. +As the pool resize deletes the existing cells, it may lead to a race +when another thread is writing concurrently, eventually resulting a +UAF. + +A simple workaround is not to allow the pool resizing when the pool is +in use. It's an invalid behavior in anyway. + +Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations") +Reported-by: 范龙飞 +Reported-by: Nicolai Stange +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1835,6 +1835,9 @@ static int snd_seq_ioctl_set_client_pool + (! snd_seq_write_pool_allocated(client) || + info->output_pool != client->pool->size)) { + if (snd_seq_write_pool_allocated(client)) { ++ /* is the pool in use? */ ++ if (atomic_read(&client->pool->counter)) ++ return -EBUSY; + /* remove all existing cells */ + snd_seq_pool_mark_closing(client->pool); + snd_seq_queue_client_leave_cells(client->number); diff --git a/queue-4.9/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch b/queue-4.9/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch new file mode 100644 index 00000000000..d61c3ec31cf --- /dev/null +++ b/queue-4.9/alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch @@ -0,0 +1,179 @@ +From 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 5 Mar 2018 22:06:09 +0100 +Subject: ALSA: seq: More protection for concurrent write and ioctl races +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 upstream. + +This patch is an attempt for further hardening against races between +the concurrent write and ioctls. The previous fix d15d662e89fc +("ALSA: seq: Fix racy pool initializations") covered the race of the +pool initialization at writer and the pool resize ioctl by the +client->ioctl_mutex (CVE-2018-1000004). However, basically this mutex +should be applied more widely to the whole write operation for +avoiding the unexpected pool operations by another thread. + +The only change outside snd_seq_write() is the additional mutex +argument to helper functions, so that we can unlock / relock the given +mutex temporarily during schedule() call for blocking write. + +Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations") +Reported-by: 范龙飞 +Reported-by: Nicolai Stange +Reviewed-and-tested-by: Nicolai Stange +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 18 +++++++++++------- + sound/core/seq/seq_fifo.c | 2 +- + sound/core/seq/seq_memory.c | 14 ++++++++++---- + sound/core/seq/seq_memory.h | 3 ++- + 4 files changed, 24 insertions(+), 13 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -906,7 +906,8 @@ int snd_seq_dispatch_event(struct snd_se + static int snd_seq_client_enqueue_event(struct snd_seq_client *client, + struct snd_seq_event *event, + struct file *file, int blocking, +- int atomic, int hop) ++ int atomic, int hop, ++ struct mutex *mutexp) + { + struct snd_seq_event_cell *cell; + int err; +@@ -944,7 +945,8 @@ static int snd_seq_client_enqueue_event( + return -ENXIO; /* queue is not allocated */ + + /* allocate an event cell */ +- err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file); ++ err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, ++ file, mutexp); + if (err < 0) + return err; + +@@ -1013,12 +1015,11 @@ static ssize_t snd_seq_write(struct file + return -ENXIO; + + /* allocate the pool now if the pool is not allocated yet */ ++ mutex_lock(&client->ioctl_mutex); + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) { +- mutex_lock(&client->ioctl_mutex); + err = snd_seq_pool_init(client->pool); +- mutex_unlock(&client->ioctl_mutex); + if (err < 0) +- return -ENOMEM; ++ goto out; + } + + /* only process whole events */ +@@ -1069,7 +1070,7 @@ static ssize_t snd_seq_write(struct file + /* ok, enqueue it */ + err = snd_seq_client_enqueue_event(client, &event, file, + !(file->f_flags & O_NONBLOCK), +- 0, 0); ++ 0, 0, &client->ioctl_mutex); + if (err < 0) + break; + +@@ -1080,6 +1081,8 @@ static ssize_t snd_seq_write(struct file + written += len; + } + ++ out: ++ mutex_unlock(&client->ioctl_mutex); + return written ? written : err; + } + +@@ -2262,7 +2265,8 @@ static int kernel_client_enqueue(int cli + if (! cptr->accept_output) + result = -EPERM; + else /* send it */ +- result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop); ++ result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, ++ atomic, hop, NULL); + + snd_seq_client_unlock(cptr); + return result; +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq + return -EINVAL; + + snd_use_lock_use(&f->use_lock); +- err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */ ++ err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */ + if (err < 0) { + if ((err == -ENOMEM) || (err == -EAGAIN)) + atomic_inc(&f->overflow); +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_ev + */ + static int snd_seq_cell_alloc(struct snd_seq_pool *pool, + struct snd_seq_event_cell **cellp, +- int nonblock, struct file *file) ++ int nonblock, struct file *file, ++ struct mutex *mutexp) + { + struct snd_seq_event_cell *cell; + unsigned long flags; +@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd + set_current_state(TASK_INTERRUPTIBLE); + add_wait_queue(&pool->output_sleep, &wait); + spin_unlock_irq(&pool->lock); ++ if (mutexp) ++ mutex_unlock(mutexp); + schedule(); ++ if (mutexp) ++ mutex_lock(mutexp); + spin_lock_irq(&pool->lock); + remove_wait_queue(&pool->output_sleep, &wait); + /* interrupted? */ +@@ -288,7 +293,7 @@ __error: + */ + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, + struct snd_seq_event_cell **cellp, int nonblock, +- struct file *file) ++ struct file *file, struct mutex *mutexp) + { + int ncells, err; + unsigned int extlen; +@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_poo + if (ncells >= pool->total_elements) + return -ENOMEM; + +- err = snd_seq_cell_alloc(pool, &cell, nonblock, file); ++ err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp); + if (err < 0) + return err; + +@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_poo + int size = sizeof(struct snd_seq_event); + if (len < size) + size = len; +- err = snd_seq_cell_alloc(pool, &tmp, nonblock, file); ++ err = snd_seq_cell_alloc(pool, &tmp, nonblock, file, ++ mutexp); + if (err < 0) + goto __error; + if (cell->event.data.ext.ptr == NULL) +--- a/sound/core/seq/seq_memory.h ++++ b/sound/core/seq/seq_memory.h +@@ -66,7 +66,8 @@ struct snd_seq_pool { + void snd_seq_cell_free(struct snd_seq_event_cell *cell); + + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event, +- struct snd_seq_event_cell **cellp, int nonblock, struct file *file); ++ struct snd_seq_event_cell **cellp, int nonblock, ++ struct file *file, struct mutex *mutexp); + + /* return number of unused (free) cells */ + static inline int snd_seq_unused_cells(struct snd_seq_pool *pool) diff --git a/queue-4.9/bcache-don-t-attach-backing-with-duplicate-uuid.patch b/queue-4.9/bcache-don-t-attach-backing-with-duplicate-uuid.patch new file mode 100644 index 00000000000..6cab90a4ce4 --- /dev/null +++ b/queue-4.9/bcache-don-t-attach-backing-with-duplicate-uuid.patch @@ -0,0 +1,65 @@ +From 86755b7a96faed57f910f9e6b8061e019ac1ec08 Mon Sep 17 00:00:00 2001 +From: Michael Lyle +Date: Mon, 5 Mar 2018 13:41:55 -0800 +Subject: bcache: don't attach backing with duplicate UUID + +From: Michael Lyle + +commit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream. + +This can happen e.g. during disk cloning. + +This is an incomplete fix: it does not catch duplicate UUIDs earlier +when things are still unattached. It does not unregister the device. +Further changes to cope better with this are planned but conflict with +Coly's ongoing improvements to handling device errors. In the meantime, +one can manually stop the device after this has happened. + +Attempts to attach a duplicate device result in: + +[ 136.372404] loop: module loaded +[ 136.424461] bcache: register_bdev() registered backing device loop0 +[ 136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached + +My test procedure is: + + dd if=/dev/sdb1 of=imgfile bs=1024 count=262144 + losetup -f imgfile + +Signed-off-by: Michael Lyle +Reviewed-by: Tang Junhui +Cc: +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -937,6 +937,7 @@ int bch_cached_dev_attach(struct cached_ + uint32_t rtime = cpu_to_le32(get_seconds()); + struct uuid_entry *u; + char buf[BDEVNAME_SIZE]; ++ struct cached_dev *exist_dc, *t; + + bdevname(dc->bdev, buf); + +@@ -960,6 +961,16 @@ int bch_cached_dev_attach(struct cached_ + return -EINVAL; + } + ++ /* Check whether already attached */ ++ list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) { ++ if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) { ++ pr_err("Tried to attach %s but duplicate UUID already attached", ++ buf); ++ ++ return -EINVAL; ++ } ++ } ++ + u = uuid_find(c, dc->sb.uuid); + + if (u && diff --git a/queue-4.9/bcache-fix-crashes-in-duplicate-cache-device-register.patch b/queue-4.9/bcache-fix-crashes-in-duplicate-cache-device-register.patch new file mode 100644 index 00000000000..fd9b92a2ea1 --- /dev/null +++ b/queue-4.9/bcache-fix-crashes-in-duplicate-cache-device-register.patch @@ -0,0 +1,165 @@ +From cc40daf91bdddbba72a4a8cd0860640e06668309 Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Mon, 5 Mar 2018 13:41:54 -0800 +Subject: bcache: fix crashes in duplicate cache device register + +From: Tang Junhui + +commit cc40daf91bdddbba72a4a8cd0860640e06668309 upstream. + +Kernel crashed when register a duplicate cache device, the call trace is +bellow: +[ 417.643790] CPU: 1 PID: 16886 Comm: bcache-register Tainted: G + W OE 4.15.5-amd64-preempt-sysrq-20171018 #2 +[ 417.643861] Hardware name: LENOVO 20ERCTO1WW/20ERCTO1WW, BIOS +N1DET41W (1.15 ) 12/31/2015 +[ 417.643870] RIP: 0010:bdevname+0x13/0x1e +[ 417.643876] RSP: 0018:ffffa3aa9138fd38 EFLAGS: 00010282 +[ 417.643884] RAX: 0000000000000000 RBX: ffff8c8f2f2f8000 RCX: ffffd6701f8 +c7edf +[ 417.643890] RDX: ffffa3aa9138fd88 RSI: ffffa3aa9138fd88 RDI: 00000000000 +00000 +[ 417.643895] RBP: ffffa3aa9138fde0 R08: ffffa3aa9138fae8 R09: 00000000000 +1850e +[ 417.643901] R10: ffff8c8eed34b271 R11: ffff8c8eed34b250 R12: 00000000000 +00000 +[ 417.643906] R13: ffffd6701f78f940 R14: ffff8c8f38f80000 R15: ffff8c8ea7d +90000 +[ 417.643913] FS: 00007fde7e66f500(0000) GS:ffff8c8f61440000(0000) knlGS: +0000000000000000 +[ 417.643919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 417.643925] CR2: 0000000000000314 CR3: 00000007e6fa0001 CR4: 00000000003 +606e0 +[ 417.643931] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000 +00000 +[ 417.643938] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000 +00400 +[ 417.643946] Call Trace: +[ 417.643978] register_bcache+0x1117/0x1270 [bcache] +[ 417.643994] ? slab_pre_alloc_hook+0x15/0x3c +[ 417.644001] ? slab_post_alloc_hook.isra.44+0xa/0x1a +[ 417.644013] ? kernfs_fop_write+0xf6/0x138 +[ 417.644020] kernfs_fop_write+0xf6/0x138 +[ 417.644031] __vfs_write+0x31/0xcc +[ 417.644043] ? current_kernel_time64+0x10/0x36 +[ 417.644115] ? __audit_syscall_entry+0xbf/0xe3 +[ 417.644124] vfs_write+0xa5/0xe2 +[ 417.644133] SyS_write+0x5c/0x9f +[ 417.644144] do_syscall_64+0x72/0x81 +[ 417.644161] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +[ 417.644169] RIP: 0033:0x7fde7e1c1974 +[ 417.644175] RSP: 002b:00007fff13009a38 EFLAGS: 00000246 ORIG_RAX: 0000000 +000000001 +[ 417.644183] RAX: ffffffffffffffda RBX: 0000000001658280 RCX: 00007fde7e1c +1974 +[ 417.644188] RDX: 000000000000000a RSI: 0000000001658280 RDI: 000000000000 +0001 +[ 417.644193] RBP: 000000000000000a R08: 0000000000000003 R09: 000000000000 +0077 +[ 417.644198] R10: 000000000000089e R11: 0000000000000246 R12: 000000000000 +0001 +[ 417.644203] R13: 000000000000000a R14: 7fffffffffffffff R15: 000000000000 +0000 +[ 417.644213] Code: c7 c2 83 6f ee 98 be 20 00 00 00 48 89 df e8 6c 27 3b 0 +0 48 89 d8 5b c3 0f 1f 44 00 00 48 8b 47 70 48 89 f2 48 8b bf 80 00 00 00 <8 +b> b0 14 03 00 00 e9 73 ff ff ff 0f 1f 44 00 00 48 8b 47 40 39 +[ 417.644302] RIP: bdevname+0x13/0x1e RSP: ffffa3aa9138fd38 +[ 417.644306] CR2: 0000000000000314 + +When registering duplicate cache device in register_cache(), after failure +on calling register_cache_set(), bch_cache_release() will be called, then +bdev will be freed, so bdevname(bdev, name) caused kernel crash. + +Since bch_cache_release() will free bdev, so in this patch we make sure +bdev being freed if register_cache() fail, and do not free bdev again in +register_bcache() when register_cache() fail. + +Signed-off-by: Tang Junhui +Reported-by: Marc MERLIN +Tested-by: Michael Lyle +Reviewed-by: Michael Lyle +Cc: +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1182,7 +1182,7 @@ static void register_bdev(struct cache_s + + return; + err: +- pr_notice("error opening %s: %s", bdevname(bdev, name), err); ++ pr_notice("error %s: %s", bdevname(bdev, name), err); + bcache_device_stop(&dc->disk); + } + +@@ -1853,6 +1853,8 @@ static int register_cache(struct cache_s + const char *err = NULL; /* must be set for any error case */ + int ret = 0; + ++ bdevname(bdev, name); ++ + memcpy(&ca->sb, sb, sizeof(struct cache_sb)); + ca->bdev = bdev; + ca->bdev->bd_holder = ca; +@@ -1863,11 +1865,12 @@ static int register_cache(struct cache_s + ca->sb_bio.bi_io_vec[0].bv_page = sb_page; + get_page(sb_page); + +- if (blk_queue_discard(bdev_get_queue(ca->bdev))) ++ if (blk_queue_discard(bdev_get_queue(bdev))) + ca->discard = CACHE_DISCARD(&ca->sb); + + ret = cache_alloc(ca); + if (ret != 0) { ++ blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL); + if (ret == -ENOMEM) + err = "cache_alloc(): -ENOMEM"; + else +@@ -1890,14 +1893,14 @@ static int register_cache(struct cache_s + goto out; + } + +- pr_info("registered cache device %s", bdevname(bdev, name)); ++ pr_info("registered cache device %s", name); + + out: + kobject_put(&ca->kobj); + + err: + if (err) +- pr_notice("error opening %s: %s", bdevname(bdev, name), err); ++ pr_notice("error %s: %s", name, err); + + return ret; + } +@@ -1986,6 +1989,7 @@ static ssize_t register_bcache(struct ko + if (err) + goto err_close; + ++ err = "failed to register device"; + if (SB_IS_BDEV(sb)) { + struct cached_dev *dc = kzalloc(sizeof(*dc), GFP_KERNEL); + if (!dc) +@@ -2000,7 +2004,7 @@ static ssize_t register_bcache(struct ko + goto err_close; + + if (register_cache(sb, sb_page, bdev, ca) != 0) +- goto err_close; ++ goto err; + } + out: + if (sb_page) +@@ -2013,7 +2017,7 @@ out: + err_close: + blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL); + err: +- pr_info("error opening %s: %s", path, err); ++ pr_info("error %s: %s", path, err); + ret = -EINVAL; + goto out; + } diff --git a/queue-4.9/drm-allow-determining-if-current-task-is-output-poll-worker.patch b/queue-4.9/drm-allow-determining-if-current-task-is-output-poll-worker.patch new file mode 100644 index 00000000000..25a4429e09c --- /dev/null +++ b/queue-4.9/drm-allow-determining-if-current-task-is-output-poll-worker.patch @@ -0,0 +1,74 @@ +From 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 14 Feb 2018 06:41:25 +0100 +Subject: drm: Allow determining if current task is output poll worker + +From: Lukas Wunner + +commit 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 upstream. + +Introduce a helper to determine if the current task is an output poll +worker. + +This allows us to fix a long-standing deadlock in several DRM drivers +wherein the ->runtime_suspend callback waits for the output poll worker +to finish and the worker in turn calls a ->detect callback which waits +for runtime suspend to finish. The ->detect callback is invoked from +multiple call sites and waiting for runtime suspend to finish is the +correct thing to do except if it's executing in the context of the +worker. + +v2: Expand kerneldoc to specifically mention deadlock between + output poll worker and autosuspend worker as use case. (Lyude) + +Cc: Dave Airlie +Cc: Ben Skeggs +Cc: Alex Deucher +Reviewed-by: Lyude Paul +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70c46bfe108e.1518593424.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_probe_helper.c | 20 ++++++++++++++++++++ + include/drm/drm_crtc_helper.h | 1 + + 2 files changed, 21 insertions(+) + +--- a/drivers/gpu/drm/drm_probe_helper.c ++++ b/drivers/gpu/drm/drm_probe_helper.c +@@ -461,6 +461,26 @@ out: + } + + /** ++ * drm_kms_helper_is_poll_worker - is %current task an output poll worker? ++ * ++ * Determine if %current task is an output poll worker. This can be used ++ * to select distinct code paths for output polling versus other contexts. ++ * ++ * One use case is to avoid a deadlock between the output poll worker and ++ * the autosuspend worker wherein the latter waits for polling to finish ++ * upon calling drm_kms_helper_poll_disable(), while the former waits for ++ * runtime suspend to finish upon calling pm_runtime_get_sync() in a ++ * connector ->detect hook. ++ */ ++bool drm_kms_helper_is_poll_worker(void) ++{ ++ struct work_struct *work = current_work(); ++ ++ return work && work->func == output_poll_execute; ++} ++EXPORT_SYMBOL(drm_kms_helper_is_poll_worker); ++ ++/** + * drm_kms_helper_poll_disable - disable output polling + * @dev: drm_device + * +--- a/include/drm/drm_crtc_helper.h ++++ b/include/drm/drm_crtc_helper.h +@@ -74,5 +74,6 @@ extern void drm_kms_helper_hotplug_event + extern void drm_kms_helper_poll_disable(struct drm_device *dev); + extern void drm_kms_helper_poll_enable(struct drm_device *dev); + extern void drm_kms_helper_poll_enable_locked(struct drm_device *dev); ++extern bool drm_kms_helper_is_poll_worker(void); + + #endif diff --git a/queue-4.9/drm-amdgpu-always-save-uvd-vcpu_bo-in-vm-mode.patch b/queue-4.9/drm-amdgpu-always-save-uvd-vcpu_bo-in-vm-mode.patch new file mode 100644 index 00000000000..da52e5a1e07 --- /dev/null +++ b/queue-4.9/drm-amdgpu-always-save-uvd-vcpu_bo-in-vm-mode.patch @@ -0,0 +1,51 @@ +From f8bee6135e167f5b35b7789c74c2956dad14d0d5 Mon Sep 17 00:00:00 2001 +From: James Zhu +Date: Tue, 6 Mar 2018 14:52:35 -0500 +Subject: drm/amdgpu:Always save uvd vcpu_bo in VM Mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Zhu + +commit f8bee6135e167f5b35b7789c74c2956dad14d0d5 upstream. + +When UVD is in VM mode, there is not uvd handle exchanged, +uvd.handles are always 0. So vcpu_bo always need save, +Otherwise amdgpu driver will fail during suspend/resume. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105021 +Signed-off-by: James Zhu +Reviewed-by: Leo Liu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c +@@ -273,12 +273,15 @@ int amdgpu_uvd_suspend(struct amdgpu_dev + if (adev->uvd.vcpu_bo == NULL) + return 0; + +- for (i = 0; i < adev->uvd.max_handles; ++i) +- if (atomic_read(&adev->uvd.handles[i])) +- break; ++ /* only valid for physical mode */ ++ if (adev->asic_type < CHIP_POLARIS10) { ++ for (i = 0; i < adev->uvd.max_handles; ++i) ++ if (atomic_read(&adev->uvd.handles[i])) ++ break; + +- if (i == adev->uvd.max_handles) +- return 0; ++ if (i == adev->uvd.max_handles) ++ return 0; ++ } + + cancel_delayed_work_sync(&adev->uvd.idle_work); + diff --git a/queue-4.9/drm-amdgpu-correct-max-uvd-handles.patch b/queue-4.9/drm-amdgpu-correct-max-uvd-handles.patch new file mode 100644 index 00000000000..b80d1ee1d66 --- /dev/null +++ b/queue-4.9/drm-amdgpu-correct-max-uvd-handles.patch @@ -0,0 +1,37 @@ +From 0e5ee33d2a54e4c55fe92857f23e1cbb0440d6de Mon Sep 17 00:00:00 2001 +From: James Zhu +Date: Tue, 6 Mar 2018 14:43:50 -0500 +Subject: drm/amdgpu:Correct max uvd handles +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Zhu + +commit 0e5ee33d2a54e4c55fe92857f23e1cbb0440d6de upstream. + +Max uvd handles should use adev->uvd.max_handles instead of +AMDGPU_MAX_UVD_HANDLES here. + +Signed-off-by: James Zhu +Reviewed-by: Leo Liu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c +@@ -277,7 +277,7 @@ int amdgpu_uvd_suspend(struct amdgpu_dev + if (atomic_read(&adev->uvd.handles[i])) + break; + +- if (i == AMDGPU_MAX_UVD_HANDLES) ++ if (i == adev->uvd.max_handles) + return 0; + + cancel_delayed_work_sync(&adev->uvd.idle_work); diff --git a/queue-4.9/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch b/queue-4.9/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch new file mode 100644 index 00000000000..155f5be40c2 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-deadlock-on-runtime-suspend.patch @@ -0,0 +1,151 @@ +From aa0aad57909eb321746325951d66af88a83bc956 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 11 Feb 2018 10:38:28 +0100 +Subject: drm/amdgpu: Fix deadlock on runtime suspend + +From: Lukas Wunner + +commit aa0aad57909eb321746325951d66af88a83bc956 upstream. + +amdgpu's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), +which waits for the output poll worker to finish if it's running. + +The output poll worker meanwhile calls pm_runtime_get_sync() in +amdgpu's ->detect hooks, which waits for the ongoing suspend to finish, +causing a deadlock. + +Fix by not acquiring a runtime PM ref if the ->detect hooks are called +in the output poll worker's context. This is safe because the poll +worker is only enabled while runtime active and we know that +->runtime_suspend waits for it to finish. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Cc: stable@vger.kernel.org # v4.2+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct +Cc: stable@vger.kernel.org # v4.2+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker +Cc: Alex Deucher +Tested-by: Mike Lothian +Reviewed-by: Lyude Paul +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/4c9bf72aacae1eef062bd134cd112e0770a7f121.1518338789.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 58 ++++++++++++++++--------- + 1 file changed, 38 insertions(+), 20 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -739,9 +739,11 @@ amdgpu_connector_lvds_detect(struct drm_ + enum drm_connector_status ret = connector_status_disconnected; + int r; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (encoder) { + struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder); +@@ -760,8 +762,12 @@ amdgpu_connector_lvds_detect(struct drm_ + /* check acpi lid status ??? */ + + amdgpu_connector_update_scratch_regs(connector, ret); +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } ++ + return ret; + } + +@@ -871,9 +877,11 @@ amdgpu_connector_vga_detect(struct drm_c + enum drm_connector_status ret = connector_status_disconnected; + int r; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + encoder = amdgpu_connector_best_single_encoder(connector); + if (!encoder) +@@ -927,8 +935,10 @@ amdgpu_connector_vga_detect(struct drm_c + amdgpu_connector_update_scratch_regs(connector, ret); + + out: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } +@@ -991,9 +1001,11 @@ amdgpu_connector_dvi_detect(struct drm_c + enum drm_connector_status ret = connector_status_disconnected; + bool dret = false, broken_edid = false; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { + ret = connector->status; +@@ -1118,8 +1130,10 @@ out: + amdgpu_connector_update_scratch_regs(connector, ret); + + exit: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } +@@ -1362,9 +1376,11 @@ amdgpu_connector_dp_detect(struct drm_co + struct drm_encoder *encoder = amdgpu_connector_best_single_encoder(connector); + int r; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { + ret = connector->status; +@@ -1432,8 +1448,10 @@ amdgpu_connector_dp_detect(struct drm_co + + amdgpu_connector_update_scratch_regs(connector, ret); + out: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } diff --git a/queue-4.9/drm-amdgpu-fix-kv-harvesting.patch b/queue-4.9/drm-amdgpu-fix-kv-harvesting.patch new file mode 100644 index 00000000000..a420347e0ae --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-kv-harvesting.patch @@ -0,0 +1,65 @@ +From 545b0bcde7fbd3ee408fa842ea0731451dc4bd0a Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 1 Mar 2018 11:05:31 -0500 +Subject: drm/amdgpu: fix KV harvesting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 545b0bcde7fbd3ee408fa842ea0731451dc4bd0a upstream. + +Always set the graphics values to the max for the +asic type. E.g., some 1 RB chips are actually 1 RB chips, +others are actually harvested 2 RB chips. + +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353 +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 30 ++---------------------------- + 1 file changed, 2 insertions(+), 28 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +@@ -4475,34 +4475,8 @@ static void gfx_v7_0_gpu_early_init(stru + case CHIP_KAVERI: + adev->gfx.config.max_shader_engines = 1; + adev->gfx.config.max_tile_pipes = 4; +- if ((adev->pdev->device == 0x1304) || +- (adev->pdev->device == 0x1305) || +- (adev->pdev->device == 0x130C) || +- (adev->pdev->device == 0x130F) || +- (adev->pdev->device == 0x1310) || +- (adev->pdev->device == 0x1311) || +- (adev->pdev->device == 0x131C)) { +- adev->gfx.config.max_cu_per_sh = 8; +- adev->gfx.config.max_backends_per_se = 2; +- } else if ((adev->pdev->device == 0x1309) || +- (adev->pdev->device == 0x130A) || +- (adev->pdev->device == 0x130D) || +- (adev->pdev->device == 0x1313) || +- (adev->pdev->device == 0x131D)) { +- adev->gfx.config.max_cu_per_sh = 6; +- adev->gfx.config.max_backends_per_se = 2; +- } else if ((adev->pdev->device == 0x1306) || +- (adev->pdev->device == 0x1307) || +- (adev->pdev->device == 0x130B) || +- (adev->pdev->device == 0x130E) || +- (adev->pdev->device == 0x1315) || +- (adev->pdev->device == 0x131B)) { +- adev->gfx.config.max_cu_per_sh = 4; +- adev->gfx.config.max_backends_per_se = 1; +- } else { +- adev->gfx.config.max_cu_per_sh = 3; +- adev->gfx.config.max_backends_per_se = 1; +- } ++ adev->gfx.config.max_cu_per_sh = 8; ++ adev->gfx.config.max_backends_per_se = 2; + adev->gfx.config.max_sh_per_se = 1; + adev->gfx.config.max_texture_channel_caches = 4; + adev->gfx.config.max_gprs = 256; diff --git a/queue-4.9/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch b/queue-4.9/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch new file mode 100644 index 00000000000..49cc1284665 --- /dev/null +++ b/queue-4.9/drm-amdgpu-notify-sbios-device-ready-before-send-request.patch @@ -0,0 +1,35 @@ +From 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 Mon Sep 17 00:00:00 2001 +From: Rex Zhu +Date: Tue, 27 Feb 2018 18:20:53 +0800 +Subject: drm/amdgpu: Notify sbios device ready before send request + +From: Rex Zhu + +commit 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 upstream. + +it is required if a platform supports PCIe root complex +core voltage reduction. After receiving this notification, +SBIOS can apply default PCIe root complex power policy. + +Reviewed-by: Alex Deucher +Signed-off-by: Rex Zhu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -540,6 +540,9 @@ int amdgpu_acpi_pcie_performance_request + size_t size; + u32 retry = 3; + ++ if (amdgpu_acpi_pcie_notify_device_ready(adev)) ++ return -EINVAL; ++ + /* Get the device handle */ + handle = ACPI_HANDLE(&adev->pdev->dev); + if (!handle) diff --git a/queue-4.9/drm-i915-always-call-to-intel_display_set_init_power-in-resume_early.patch b/queue-4.9/drm-i915-always-call-to-intel_display_set_init_power-in-resume_early.patch new file mode 100644 index 00000000000..f6834d2a3d9 --- /dev/null +++ b/queue-4.9/drm-i915-always-call-to-intel_display_set_init_power-in-resume_early.patch @@ -0,0 +1,44 @@ +From d13a8479f3584613b6aacbb793eae64578b8f69a Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Tue, 16 Jan 2018 16:53:24 +0100 +Subject: drm/i915: Always call to intel_display_set_init_power() in resume_early. + +From: Maarten Lankhorst + +commit d13a8479f3584613b6aacbb793eae64578b8f69a upstream. + +intel_power_domains_init_hw() calls set_init_power, but when using +runtime power management this call is skipped. This prevents hw readout +from taking place. + +Signed-off-by: Maarten Lankhorst +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104172 +Link: https://patchwork.freedesktop.org/patch/msgid/20180116155324.75120-1-maarten.lankhorst@linux.intel.com +Fixes: bc87229f323e ("drm/i915/skl: enable PC9/10 power states during suspend-to-idle") +Cc: Nivedita Swaminathan +Cc: Imre Deak +Cc: Patrik Jakobsson +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: # v4.5+ +Reviewed-by: Imre Deak +(cherry picked from commit ac25dfed15d470d7f23dd817e965b54aa3f94a1e) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -1703,6 +1703,8 @@ static int i915_drm_resume_early(struct + if (IS_BROXTON(dev_priv) || + !(dev_priv->suspended_to_idle && dev_priv->csr.dmc_payload)) + intel_power_domains_init_hw(dev_priv, true); ++ else ++ intel_display_set_init_power(dev_priv, true); + + enable_rpm_wakeref_asserts(dev_priv); + diff --git a/queue-4.9/drm-i915-try-edid-bitbanging-on-hdmi-after-failed-read.patch b/queue-4.9/drm-i915-try-edid-bitbanging-on-hdmi-after-failed-read.patch new file mode 100644 index 00000000000..d2749dd68e9 --- /dev/null +++ b/queue-4.9/drm-i915-try-edid-bitbanging-on-hdmi-after-failed-read.patch @@ -0,0 +1,71 @@ +From 90024a5951029685acc5396258f1b0de9b23cf4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20Br=C3=BCns?= +Date: Sun, 31 Dec 2017 23:34:54 +0100 +Subject: drm/i915: Try EDID bitbanging on HDMI after failed read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Brüns + +commit 90024a5951029685acc5396258f1b0de9b23cf4a upstream. + +The ACK/NACK implementation as found in e.g. the G965 has the falling +clock edge and the release of the data line after the ACK for the received +byte happen at the same time. + +This is conformant with the I2C specification, which allows a zero hold +time, see footnote [3]: "A device must internally provide a hold time of +at least 300 ns for the SDA signal (with respect to the V IH(min) of the +SCL signal) to bridge the undefined region of the falling edge of SCL." + +Some HDMI-to-VGA converters apparently fail to adhere to this requirement +and latch SDA at the falling clock edge, so instead of an ACK +sometimes a NACK is read and the slave (i.e. the EDID ROM) ends the +transfer. + +The bitbanging releases the data line for the ACK only 1/4 bit time after +the falling clock edge, so a slave will see the correct value no matter +if it samples at the rising or the falling clock edge or in the center. + +Fallback to bitbanging is already done for the CRT connector. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92685 +Signed-off-by: Stefan Brüns +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/a39f080b-81a5-4c93-b3f7-7cb0a58daca3@rwthex-w2-a.rwth-ad.de +(cherry picked from commit cfb926e148e99acc02351d72e8b85e32b5f786ef) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_hdmi.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_hdmi.c ++++ b/drivers/gpu/drm/i915/intel_hdmi.c +@@ -1452,12 +1452,20 @@ intel_hdmi_set_edid(struct drm_connector + struct intel_hdmi *intel_hdmi = intel_attached_hdmi(connector); + struct edid *edid; + bool connected = false; ++ struct i2c_adapter *i2c; + + intel_display_power_get(dev_priv, POWER_DOMAIN_GMBUS); + +- edid = drm_get_edid(connector, +- intel_gmbus_get_adapter(dev_priv, +- intel_hdmi->ddc_bus)); ++ i2c = intel_gmbus_get_adapter(dev_priv, intel_hdmi->ddc_bus); ++ ++ edid = drm_get_edid(connector, i2c); ++ ++ if (!edid && !intel_gmbus_is_forced_bit(i2c)) { ++ DRM_DEBUG_KMS("HDMI GMBUS EDID read failed, retry using GPIO bit-banging\n"); ++ intel_gmbus_force_bit(i2c, true); ++ edid = drm_get_edid(connector, i2c); ++ intel_gmbus_force_bit(i2c, false); ++ } + + intel_hdmi_dp_dual_mode_detect(connector, edid != NULL); + diff --git a/queue-4.9/drm-nouveau-fix-deadlock-on-runtime-suspend.patch b/queue-4.9/drm-nouveau-fix-deadlock-on-runtime-suspend.patch new file mode 100644 index 00000000000..633ca59f9c5 --- /dev/null +++ b/queue-4.9/drm-nouveau-fix-deadlock-on-runtime-suspend.patch @@ -0,0 +1,115 @@ +From d61a5c1063515e855bedb1b81e20e50b0ac3541e Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 11 Feb 2018 10:38:28 +0100 +Subject: drm/nouveau: Fix deadlock on runtime suspend + +From: Lukas Wunner + +commit d61a5c1063515e855bedb1b81e20e50b0ac3541e upstream. + +nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), +which waits for the output poll worker to finish if it's running. + +The output poll worker meanwhile calls pm_runtime_get_sync() in +nouveau_connector_detect() which waits for the ongoing suspend to finish, +causing a deadlock. + +Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is +called in the output poll worker's context. This is safe because +the poll worker is only enabled while runtime active and we know that +->runtime_suspend waits for it to finish. + +Other contexts calling nouveau_connector_detect() do require a runtime +PM ref, these comprise: + + status_store() drm sysfs interface + ->fill_modes drm callback + drm_fb_helper_probe_connector_modes() + drm_mode_getconnector() + nouveau_connector_hotplug() + nouveau_display_hpd_work() + nv17_tv_set_property() + +Stack trace for posterity: + + INFO: task kworker/0:1:58 blocked for more than 120 seconds. + Workqueue: events output_poll_execute [drm_kms_helper] + Call Trace: + schedule+0x28/0x80 + rpm_resume+0x107/0x6e0 + __pm_runtime_resume+0x47/0x70 + nouveau_connector_detect+0x7e/0x4a0 [nouveau] + nouveau_connector_detect_lvds+0x132/0x180 [nouveau] + drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper] + output_poll_execute+0x11e/0x1c0 [drm_kms_helper] + process_one_work+0x184/0x380 + worker_thread+0x2e/0x390 + + INFO: task kworker/0:2:252 blocked for more than 120 seconds. + Workqueue: pm pm_runtime_work + Call Trace: + schedule+0x28/0x80 + schedule_timeout+0x1e3/0x370 + wait_for_completion+0x123/0x190 + flush_work+0x142/0x1c0 + nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau] + pci_pm_runtime_suspend+0x5c/0x180 + vga_switcheroo_runtime_suspend+0x1e/0xa0 + __rpm_callback+0xc1/0x200 + rpm_callback+0x1f/0x70 + rpm_suspend+0x13c/0x640 + pm_runtime_work+0x6e/0x90 + process_one_work+0x184/0x380 + worker_thread+0x2e/0x390 + +Bugzilla: https://bugs.archlinux.org/task/53497 +Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33 +Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)") +Cc: stable@vger.kernel.org # v3.12+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct +Cc: stable@vger.kernel.org # v3.12+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker +Cc: Ben Skeggs +Cc: Dave Airlie +Reviewed-by: Lyude Paul +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5907c603ea1.1518338789.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -271,9 +271,15 @@ nouveau_connector_detect(struct drm_conn + nv_connector->edid = NULL; + } + +- ret = pm_runtime_get_sync(connector->dev->dev); +- if (ret < 0 && ret != -EACCES) +- return conn_status; ++ /* Outputs are only polled while runtime active, so acquiring a ++ * runtime PM ref here is unnecessary (and would deadlock upon ++ * runtime suspend because it waits for polling to finish). ++ */ ++ if (!drm_kms_helper_is_poll_worker()) { ++ ret = pm_runtime_get_sync(connector->dev->dev); ++ if (ret < 0 && ret != -EACCES) ++ return conn_status; ++ } + + nv_encoder = nouveau_connector_ddc_detect(connector); + if (nv_encoder && (i2c = nv_encoder->i2c) != NULL) { +@@ -348,8 +354,10 @@ detect_analog: + + out: + +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return conn_status; + } diff --git a/queue-4.9/drm-radeon-fix-deadlock-on-runtime-suspend.patch b/queue-4.9/drm-radeon-fix-deadlock-on-runtime-suspend.patch new file mode 100644 index 00000000000..4a8fdd82561 --- /dev/null +++ b/queue-4.9/drm-radeon-fix-deadlock-on-runtime-suspend.patch @@ -0,0 +1,217 @@ +From 15734feff2bdac24aa3266c437cffa42851990e3 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 11 Feb 2018 10:38:28 +0100 +Subject: drm/radeon: Fix deadlock on runtime suspend + +From: Lukas Wunner + +commit 15734feff2bdac24aa3266c437cffa42851990e3 upstream. + +radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), +which waits for the output poll worker to finish if it's running. + +The output poll worker meanwhile calls pm_runtime_get_sync() in +radeon's ->detect hooks, which waits for the ongoing suspend to finish, +causing a deadlock. + +Fix by not acquiring a runtime PM ref if the ->detect hooks are called +in the output poll worker's context. This is safe because the poll +worker is only enabled while runtime active and we know that +->runtime_suspend waits for it to finish. + +Stack trace for posterity: + + INFO: task kworker/0:3:31847 blocked for more than 120 seconds + Workqueue: events output_poll_execute [drm_kms_helper] + Call Trace: + schedule+0x3c/0x90 + rpm_resume+0x1e2/0x690 + __pm_runtime_resume+0x3f/0x60 + radeon_lvds_detect+0x39/0xf0 [radeon] + output_poll_execute+0xda/0x1e0 [drm_kms_helper] + process_one_work+0x14b/0x440 + worker_thread+0x48/0x4a0 + + INFO: task kworker/2:0:10493 blocked for more than 120 seconds. + Workqueue: pm pm_runtime_work + Call Trace: + schedule+0x3c/0x90 + schedule_timeout+0x1b3/0x240 + wait_for_common+0xc2/0x180 + wait_for_completion+0x1d/0x20 + flush_work+0xfc/0x1a0 + __cancel_work_timer+0xa5/0x1d0 + cancel_delayed_work_sync+0x13/0x20 + drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper] + radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon] + pci_pm_runtime_suspend+0x61/0x1a0 + vga_switcheroo_runtime_suspend+0x21/0x70 + __rpm_callback+0x32/0x70 + rpm_callback+0x24/0x80 + rpm_suspend+0x12b/0x640 + pm_runtime_work+0x6f/0xb0 + process_one_work+0x14b/0x440 + worker_thread+0x48/0x4a0 + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147 +Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)") +Cc: stable@vger.kernel.org # v3.13+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct +Cc: stable@vger.kernel.org # v3.13+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker +Cc: Ismo Toijala +Cc: Alex Deucher +Cc: Dave Airlie +Reviewed-by: Lyude Paul +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bbc699040392.1518338789.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 74 +++++++++++++++++++---------- + 1 file changed, 49 insertions(+), 25 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -897,9 +897,11 @@ radeon_lvds_detect(struct drm_connector + enum drm_connector_status ret = connector_status_disconnected; + int r; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (encoder) { + struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); +@@ -922,8 +924,12 @@ radeon_lvds_detect(struct drm_connector + /* check acpi lid status ??? */ + + radeon_connector_update_scratch_regs(connector, ret); +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } ++ + return ret; + } + +@@ -1037,9 +1043,11 @@ radeon_vga_detect(struct drm_connector * + enum drm_connector_status ret = connector_status_disconnected; + int r; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + encoder = radeon_best_single_encoder(connector); + if (!encoder) +@@ -1106,8 +1114,10 @@ radeon_vga_detect(struct drm_connector * + radeon_connector_update_scratch_regs(connector, ret); + + out: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } +@@ -1171,9 +1181,11 @@ radeon_tv_detect(struct drm_connector *c + if (!radeon_connector->dac_load_detect) + return ret; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + encoder = radeon_best_single_encoder(connector); + if (!encoder) +@@ -1185,8 +1197,12 @@ radeon_tv_detect(struct drm_connector *c + if (ret == connector_status_connected) + ret = radeon_connector_analog_encoder_conflict_solve(connector, encoder, ret, false); + radeon_connector_update_scratch_regs(connector, ret); +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } ++ + return ret; + } + +@@ -1249,9 +1265,11 @@ radeon_dvi_detect(struct drm_connector * + enum drm_connector_status ret = connector_status_disconnected; + bool dret = false, broken_edid = false; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (radeon_connector->detected_hpd_without_ddc) { + force = true; +@@ -1434,8 +1452,10 @@ out: + } + + exit: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } +@@ -1686,9 +1706,11 @@ radeon_dp_detect(struct drm_connector *c + if (radeon_dig_connector->is_mst) + return connector_status_disconnected; + +- r = pm_runtime_get_sync(connector->dev->dev); +- if (r < 0) +- return connector_status_disconnected; ++ if (!drm_kms_helper_is_poll_worker()) { ++ r = pm_runtime_get_sync(connector->dev->dev); ++ if (r < 0) ++ return connector_status_disconnected; ++ } + + if (!force && radeon_check_hpd_status_unchanged(connector)) { + ret = connector->status; +@@ -1775,8 +1797,10 @@ radeon_dp_detect(struct drm_connector *c + } + + out: +- pm_runtime_mark_last_busy(connector->dev->dev); +- pm_runtime_put_autosuspend(connector->dev->dev); ++ if (!drm_kms_helper_is_poll_worker()) { ++ pm_runtime_mark_last_busy(connector->dev->dev); ++ pm_runtime_put_autosuspend(connector->dev->dev); ++ } + + return ret; + } diff --git a/queue-4.9/drm-radeon-fix-kv-harvesting.patch b/queue-4.9/drm-radeon-fix-kv-harvesting.patch new file mode 100644 index 00000000000..fe0042a0f4a --- /dev/null +++ b/queue-4.9/drm-radeon-fix-kv-harvesting.patch @@ -0,0 +1,66 @@ +From 0b58d90f89545e021d188c289fa142e5ff9e708b Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 1 Mar 2018 11:03:27 -0500 +Subject: drm/radeon: fix KV harvesting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 0b58d90f89545e021d188c289fa142e5ff9e708b upstream. + +Always set the graphics values to the max for the +asic type. E.g., some 1 RB chips are actually 1 RB chips, +others are actually harvested 2 RB chips. + +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353 +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/cik.c | 31 ++----------------------------- + 1 file changed, 2 insertions(+), 29 deletions(-) + +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -3244,35 +3244,8 @@ static void cik_gpu_init(struct radeon_d + case CHIP_KAVERI: + rdev->config.cik.max_shader_engines = 1; + rdev->config.cik.max_tile_pipes = 4; +- if ((rdev->pdev->device == 0x1304) || +- (rdev->pdev->device == 0x1305) || +- (rdev->pdev->device == 0x130C) || +- (rdev->pdev->device == 0x130F) || +- (rdev->pdev->device == 0x1310) || +- (rdev->pdev->device == 0x1311) || +- (rdev->pdev->device == 0x131C)) { +- rdev->config.cik.max_cu_per_sh = 8; +- rdev->config.cik.max_backends_per_se = 2; +- } else if ((rdev->pdev->device == 0x1309) || +- (rdev->pdev->device == 0x130A) || +- (rdev->pdev->device == 0x130D) || +- (rdev->pdev->device == 0x1313) || +- (rdev->pdev->device == 0x131D)) { +- rdev->config.cik.max_cu_per_sh = 6; +- rdev->config.cik.max_backends_per_se = 2; +- } else if ((rdev->pdev->device == 0x1306) || +- (rdev->pdev->device == 0x1307) || +- (rdev->pdev->device == 0x130B) || +- (rdev->pdev->device == 0x130E) || +- (rdev->pdev->device == 0x1315) || +- (rdev->pdev->device == 0x1318) || +- (rdev->pdev->device == 0x131B)) { +- rdev->config.cik.max_cu_per_sh = 4; +- rdev->config.cik.max_backends_per_se = 1; +- } else { +- rdev->config.cik.max_cu_per_sh = 3; +- rdev->config.cik.max_backends_per_se = 1; +- } ++ rdev->config.cik.max_cu_per_sh = 8; ++ rdev->config.cik.max_backends_per_se = 2; + rdev->config.cik.max_sh_per_se = 1; + rdev->config.cik.max_texture_channel_caches = 4; + rdev->config.cik.max_gprs = 256; diff --git a/queue-4.9/ib-mlx5-fix-incorrect-size-of-klms-in-the-memory-region.patch b/queue-4.9/ib-mlx5-fix-incorrect-size-of-klms-in-the-memory-region.patch new file mode 100644 index 00000000000..91e627834bd --- /dev/null +++ b/queue-4.9/ib-mlx5-fix-incorrect-size-of-klms-in-the-memory-region.patch @@ -0,0 +1,50 @@ +From da343b6d90e11132f1e917d865d88ee35d6e6d00 Mon Sep 17 00:00:00 2001 +From: Sergey Gorenko +Date: Sun, 25 Feb 2018 13:39:48 +0200 +Subject: IB/mlx5: Fix incorrect size of klms in the memory region + +From: Sergey Gorenko + +commit da343b6d90e11132f1e917d865d88ee35d6e6d00 upstream. + +The value of mr->ndescs greater than mr->max_descs is set in the +function mlx5_ib_sg_to_klms() if sg_nents is greater than +mr->max_descs. This is an invalid value and it causes the +following error when registering mr: + +mlx5_0:dump_cqe:276:(pid 193): dump error cqe +00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000030: 00 00 00 00 0f 00 78 06 25 00 00 8b 08 1e 8f d3 + +Cc: # 4.5 +Fixes: b005d3164713 ("mlx5: Add arbitrary sg list support") +Signed-off-by: Sergey Gorenko +Tested-by: Laurence Oberman +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -1821,7 +1821,6 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr + + mr->ibmr.iova = sg_dma_address(sg) + sg_offset; + mr->ibmr.length = 0; +- mr->ndescs = sg_nents; + + for_each_sg(sgl, sg, sg_nents, i) { + if (unlikely(i >= mr->max_descs)) +@@ -1833,6 +1832,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr + + sg_offset = 0; + } ++ mr->ndescs = i; + + if (sg_offset_p) + *sg_offset_p = sg_offset; diff --git a/queue-4.9/input-matrix_keypad-fix-race-when-disabling-interrupts.patch b/queue-4.9/input-matrix_keypad-fix-race-when-disabling-interrupts.patch new file mode 100644 index 00000000000..f16a687f284 --- /dev/null +++ b/queue-4.9/input-matrix_keypad-fix-race-when-disabling-interrupts.patch @@ -0,0 +1,40 @@ +From ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 Mon Sep 17 00:00:00 2001 +From: Zhang Bo +Date: Mon, 5 Feb 2018 14:56:21 -0800 +Subject: Input: matrix_keypad - fix race when disabling interrupts + +From: Zhang Bo + +commit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream. + +If matrix_keypad_stop() is executing and the keypad interrupt is triggered, +disable_row_irqs() may be called by both matrix_keypad_interrupt() and +matrix_keypad_stop() at the same time, causing interrupts to be disabled +twice and the keypad being "stuck" after resuming. + +Take lock when setting keypad->stopped to ensure that ISR will not race +with matrix_keypad_stop() disabling interrupts. + +Signed-off-by: Zhang Bo +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/keyboard/matrix_keypad.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in + { + struct matrix_keypad *keypad = input_get_drvdata(dev); + ++ spin_lock_irq(&keypad->lock); + keypad->stopped = true; +- mb(); ++ spin_unlock_irq(&keypad->lock); ++ + flush_work(&keypad->work.work); + /* + * matrix_keypad_scan() will leave IRQs enabled; diff --git a/queue-4.9/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch b/queue-4.9/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch new file mode 100644 index 00000000000..2ad17eac76b --- /dev/null +++ b/queue-4.9/kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch @@ -0,0 +1,70 @@ +From 55fe6da9efba102866e2fb5b40b04b6a4b26c19e Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 8 Mar 2018 11:02:46 +0000 +Subject: kbuild: Handle builtin dtb file names containing hyphens + +From: James Hogan + +commit 55fe6da9efba102866e2fb5b40b04b6a4b26c19e upstream. + +cmd_dt_S_dtb constructs the assembly source to incorporate a devicetree +FDT (that is, the .dtb file) as binary data in the kernel image. This +assembly source contains labels before and after the binary data. The +label names incorporate the file name of the corresponding .dtb file. +Hyphens are not legal characters in labels, so .dtb files built into the +kernel with hyphens in the file name result in errors like the +following: + +bcm3368-netgear-cvg834g.dtb.S: Assembler messages: +bcm3368-netgear-cvg834g.dtb.S:5: Error: : no such section +bcm3368-netgear-cvg834g.dtb.S:5: Error: junk at end of line, first unrecognized character is `-' +bcm3368-netgear-cvg834g.dtb.S:6: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_begin:' +bcm3368-netgear-cvg834g.dtb.S:8: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_end:' +bcm3368-netgear-cvg834g.dtb.S:9: Error: : no such section +bcm3368-netgear-cvg834g.dtb.S:9: Error: junk at end of line, first unrecognized character is `-' + +Fix this by updating cmd_dt_S_dtb to transform all hyphens from the file +name to underscores when constructing the labels. + +As of v4.16-rc2, 1139 .dts files across ARM64, ARM, MIPS and PowerPC +contain hyphens in their names, but the issue only currently manifests +on Broadcom MIPS platforms, as that is the only place where such files +are built into the kernel. For example when CONFIG_DT_NETGEAR_CVG834G=y, +or on BMIPS kernels when the dtbs target is used (in the latter case it +admittedly shouldn't really build all the dtb.o files, but thats a +separate issue). + +Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom") +Signed-off-by: James Hogan +Reviewed-by: Frank Rowand +Cc: Rob Herring +Cc: Michal Marek +Cc: Ralf Baechle +Cc: Florian Fainelli +Cc: Kevin Cernekee +Cc: # 4.9+ +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/Makefile.lib | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/scripts/Makefile.lib ++++ b/scripts/Makefile.lib +@@ -290,11 +290,11 @@ cmd_dt_S_dtb= \ + echo '\#include '; \ + echo '.section .dtb.init.rodata,"a"'; \ + echo '.balign STRUCT_ALIGNMENT'; \ +- echo '.global __dtb_$(*F)_begin'; \ +- echo '__dtb_$(*F)_begin:'; \ ++ echo '.global __dtb_$(subst -,_,$(*F))_begin'; \ ++ echo '__dtb_$(subst -,_,$(*F))_begin:'; \ + echo '.incbin "$<" '; \ +- echo '__dtb_$(*F)_end:'; \ +- echo '.global __dtb_$(*F)_end'; \ ++ echo '__dtb_$(subst -,_,$(*F))_end:'; \ ++ echo '.global __dtb_$(subst -,_,$(*F))_end'; \ + echo '.balign STRUCT_ALIGNMENT'; \ + ) > $@ + diff --git a/queue-4.9/kvm-s390-fix-memory-overwrites-when-not-using-sca-entries.patch b/queue-4.9/kvm-s390-fix-memory-overwrites-when-not-using-sca-entries.patch new file mode 100644 index 00000000000..88710a6661c --- /dev/null +++ b/queue-4.9/kvm-s390-fix-memory-overwrites-when-not-using-sca-entries.patch @@ -0,0 +1,43 @@ +From f07afa0462b76a5b9c4f3a43d5ac24fdb86a90c2 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 6 Mar 2018 14:27:58 +0100 +Subject: KVM: s390: fix memory overwrites when not using SCA entries + +From: David Hildenbrand + +commit f07afa0462b76a5b9c4f3a43d5ac24fdb86a90c2 upstream. + +Even if we don't have extended SCA support, we can have more than 64 CPUs +if we don't enable any HW features that might use the SCA entries. + +Now, this works just fine, but we missed a return, which is why we +would actually store the SCA entries. If we have more than 64 CPUs, this +means writing outside of the basic SCA - bad. + +Let's fix this. This allows > 64 CPUs when running nested (under vSIE) +without random crashes. + +Fixes: a6940674c384 ("KVM: s390: allow 255 VCPUs when sca entries aren't used") +Reported-by: Christian Borntraeger +Tested-by: Christian Borntraeger +Signed-off-by: David Hildenbrand +Message-Id: <20180306132758.21034-1-david@redhat.com> +Cc: stable@vger.kernel.org +Reviewed-by: Cornelia Huck +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1601,6 +1601,7 @@ static void sca_add_vcpu(struct kvm_vcpu + /* we still need the basic sca for the ipte control */ + vcpu->arch.sie_block->scaoh = (__u32)(((__u64)sca) >> 32); + vcpu->arch.sie_block->scaol = (__u32)(__u64)sca; ++ return; + } + read_lock(&vcpu->kvm->arch.sca_lock); + if (vcpu->kvm->arch.use_esca) { diff --git a/queue-4.9/loop-fix-lost-writes-caused-by-missing-flag.patch b/queue-4.9/loop-fix-lost-writes-caused-by-missing-flag.patch new file mode 100644 index 00000000000..635f3d87c27 --- /dev/null +++ b/queue-4.9/loop-fix-lost-writes-caused-by-missing-flag.patch @@ -0,0 +1,68 @@ +From 1d037577c323e5090ce281e96bc313ab2eee5be2 Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Fri, 9 Mar 2018 08:36:36 -0700 +Subject: loop: Fix lost writes caused by missing flag + +From: Ross Zwisler + +commit 1d037577c323e5090ce281e96bc313ab2eee5be2 upstream. + +The following commit: + +commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") + +replaced __do_lo_send_write(), which used ITER_KVEC iterators, with +lo_write_bvec() which uses ITER_BVEC iterators. In this change, though, +the WRITE flag was lost: + +- iov_iter_kvec(&from, ITER_KVEC | WRITE, &kvec, 1, len); ++ iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len); + +This flag is necessary for the DAX case because we make decisions based on +whether or not the iterator is a READ or a WRITE in dax_iomap_actor() and +in dax_iomap_rw(). + +We end up going through this path in configurations where we combine a PMEM +device with 4k sectors, a loopback device and DAX. The consequence of this +missed flag is that what we intend as a write actually turns into a read in +the DAX code, so no data is ever written. + +The very simplest test case is to create a loopback device and try and +write a small string to it, then hexdump a few bytes of the device to see +if the write took. Without this patch you read back all zeros, with this +you read back the string you wrote. + +For XFS this causes us to fail or panic during the following xfstests: + + xfs/074 xfs/078 xfs/216 xfs/217 xfs/250 + +For ext4 we have a similar issue where writes never happen, but we don't +currently have any xfstests that use loopback and show this issue. + +Fix this by restoring the WRITE flag argument to iov_iter_bvec(). This +causes the xfstests to all pass. + +Cc: Al Viro +Cc: stable@vger.kernel.org +Fixes: commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") +Reviewed-by: Christoph Hellwig +Reviewed-by: Ming Lei +Signed-off-by: Ross Zwisler +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -263,7 +263,7 @@ static int lo_write_bvec(struct file *fi + struct iov_iter i; + ssize_t bw; + +- iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len); ++ iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len); + + file_start_write(file); + bw = vfs_iter_write(file, &i, ppos); diff --git a/queue-4.9/mips-ath25-check-for-kzalloc-allocation-failure.patch b/queue-4.9/mips-ath25-check-for-kzalloc-allocation-failure.patch new file mode 100644 index 00000000000..8c03ef1363d --- /dev/null +++ b/queue-4.9/mips-ath25-check-for-kzalloc-allocation-failure.patch @@ -0,0 +1,37 @@ +From 1b22b4b28fd5fbc51855219e3238b3ab81da8466 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 22 Feb 2018 17:50:12 +0000 +Subject: MIPS: ath25: Check for kzalloc allocation failure + +From: Colin Ian King + +commit 1b22b4b28fd5fbc51855219e3238b3ab81da8466 upstream. + +Currently there is no null check on a failed allocation of board_data, +and hence a null pointer dereference will occurr. Fix this by checking +for the out of memory null pointer. + +Fixes: a7473717483e ("MIPS: ath25: add board configuration detection") +Signed-off-by: Colin Ian King +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 3.19+ +Patchwork: https://patchwork.linux-mips.org/patch/18657/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/ath25/board.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/ath25/board.c ++++ b/arch/mips/ath25/board.c +@@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t + } + + board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL); ++ if (!board_data) ++ goto error; + ath25_board.config = (struct ath25_boarddata *)board_data; + memcpy_fromio(board_data, bcfg, 0x100); + if (broken_boarddata) { diff --git a/queue-4.9/mips-bmips-do-not-mask-ipis-during-suspend.patch b/queue-4.9/mips-bmips-do-not-mask-ipis-during-suspend.patch new file mode 100644 index 00000000000..c03491b2b65 --- /dev/null +++ b/queue-4.9/mips-bmips-do-not-mask-ipis-during-suspend.patch @@ -0,0 +1,54 @@ +From 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 Mon Sep 17 00:00:00 2001 +From: Justin Chen +Date: Wed, 27 Sep 2017 17:15:15 -0700 +Subject: MIPS: BMIPS: Do not mask IPIs during suspend + +From: Justin Chen + +commit 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 upstream. + +Commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an +issue where disable_irq did not actually disable the irq. The bug caused +our IPIs to not be disabled, which actually is the correct behavior. + +With the addition of commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on +CPU IRQs"), the IPIs were getting disabled going into suspend, thus +schedule_ipi() was not being called. This caused deadlocks where +schedulable task were not being scheduled and other cpus were waiting +for them to do something. + +Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the +IPIs during suspend. + +Signed-off-by: Justin Chen +Fixes: a3e6c1eff548 ("MIPS: IRQ: Fix disabled_irq on CPU IRQs") +Cc: Florian Fainelli +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/17385/ +[jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs] +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/smp-bmips.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned + return; + } + +- if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, +- "smp_ipi0", NULL)) ++ if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL)) + panic("Can't request IPI0 interrupt"); +- if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, +- "smp_ipi1", NULL)) ++ if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL)) + panic("Can't request IPI1 interrupt"); + } + diff --git a/queue-4.9/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch b/queue-4.9/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch new file mode 100644 index 00000000000..ff23e5bf1af --- /dev/null +++ b/queue-4.9/mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch @@ -0,0 +1,39 @@ +From 902f4d067a50ccf645a58dd5fb1d113b6e0f9b5b Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 22 Feb 2018 18:08:53 +0000 +Subject: MIPS: OCTEON: irq: Check for null return on kzalloc allocation + +From: Colin Ian King + +commit 902f4d067a50ccf645a58dd5fb1d113b6e0f9b5b upstream. + +The allocation of host_data is not null checked, leading to a null +pointer dereference if the allocation fails. Fix this by adding a null +check and return with -ENOMEM. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Signed-off-by: Colin Ian King +Acked-by: David Daney +Cc: Ralf Baechle +Cc: "Steven J. Hill" +Cc: linux-mips@linux-mips.org +Cc: # 4.0+ +Patchwork: https://patchwork.linux-mips.org/patch/18658/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/octeon-irq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2277,6 +2277,8 @@ static int __init octeon_irq_init_cib(st + } + + host_data = kzalloc(sizeof(*host_data), GFP_KERNEL); ++ if (!host_data) ++ return -ENOMEM; + raw_spin_lock_init(&host_data->lock); + + addr = of_get_address(ciu_node, 0, NULL, NULL); diff --git a/queue-4.9/perf-tools-fix-trigger-class-trigger_on.patch b/queue-4.9/perf-tools-fix-trigger-class-trigger_on.patch new file mode 100644 index 00000000000..0f78cd0ca07 --- /dev/null +++ b/queue-4.9/perf-tools-fix-trigger-class-trigger_on.patch @@ -0,0 +1,81 @@ +From de19e5c3c51fdb1ff20d0f61d099db902ff7494b Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 28 Feb 2018 10:39:04 +0200 +Subject: perf tools: Fix trigger class trigger_on() + +From: Adrian Hunter + +commit de19e5c3c51fdb1ff20d0f61d099db902ff7494b upstream. + +trigger_on() means that the trigger is available but not ready, however +trigger_on() was making it ready. That can segfault if the signal comes +before trigger_ready(). e.g. (USR2 signal delivery not shown) + + $ perf record -e intel_pt//u -S sleep 1 + perf: Segmentation fault + Obtained 16 stack frames. + /home/ahunter/bin/perf(sighandler_dump_stack+0x40) [0x4ec550] + /lib/x86_64-linux-gnu/libc.so.6(+0x36caf) [0x7fa76411acaf] + /home/ahunter/bin/perf(perf_evsel__disable+0x26) [0x4b9dd6] + /home/ahunter/bin/perf() [0x43a45b] + /lib/x86_64-linux-gnu/libc.so.6(+0x36caf) [0x7fa76411acaf] + /lib/x86_64-linux-gnu/libc.so.6(__xstat64+0x15) [0x7fa7641d2cc5] + /home/ahunter/bin/perf() [0x4ec6c9] + /home/ahunter/bin/perf() [0x4ec73b] + /home/ahunter/bin/perf() [0x4ec73b] + /home/ahunter/bin/perf() [0x4ec73b] + /home/ahunter/bin/perf() [0x4eca15] + /home/ahunter/bin/perf(machine__create_kernel_maps+0x257) [0x4f0b77] + /home/ahunter/bin/perf(perf_session__new+0xc0) [0x4f86f0] + /home/ahunter/bin/perf(cmd_record+0x722) [0x43c132] + /home/ahunter/bin/perf() [0x4a11ae] + /home/ahunter/bin/perf(main+0x5d4) [0x427fb4] + +Note, for testing purposes, this is hard to hit unless you add some sleep() +in builtin-record.c before record__open(). + +Signed-off-by: Adrian Hunter +Acked-by: Jiri Olsa +Cc: Wang Nan +Cc: stable@vger.kernel.org +Fixes: 3dcc4436fa6f ("perf tools: Introduce trigger class") +Link: http://lkml.kernel.org/r/1519807144-30694-1-git-send-email-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/trigger.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/tools/perf/util/trigger.h ++++ b/tools/perf/util/trigger.h +@@ -11,7 +11,7 @@ + * States and transits: + * + * +- * OFF--(on)--> READY --(hit)--> HIT ++ * OFF--> ON --> READY --(hit)--> HIT + * ^ | + * | (ready) + * | | +@@ -26,8 +26,9 @@ struct trigger { + volatile enum { + TRIGGER_ERROR = -2, + TRIGGER_OFF = -1, +- TRIGGER_READY = 0, +- TRIGGER_HIT = 1, ++ TRIGGER_ON = 0, ++ TRIGGER_READY = 1, ++ TRIGGER_HIT = 2, + } state; + const char *name; + }; +@@ -49,7 +50,7 @@ static inline bool trigger_is_error(stru + static inline void trigger_on(struct trigger *t) + { + TRIGGER_WARN_ONCE(t, TRIGGER_OFF); +- t->state = TRIGGER_READY; ++ t->state = TRIGGER_ON; + } + + static inline void trigger_ready(struct trigger *t) diff --git a/queue-4.9/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch b/queue-4.9/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch new file mode 100644 index 00000000000..6e763765e50 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch @@ -0,0 +1,120 @@ +From 1514839b366417934e2f1328edb50ed1e8a719f5 Mon Sep 17 00:00:00 2001 +From: "himanshu.madhani@cavium.com" +Date: Mon, 12 Feb 2018 10:28:14 -0800 +Subject: scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS + +From: himanshu.madhani@cavium.com + +commit 1514839b366417934e2f1328edb50ed1e8a719f5 upstream. + +This patch fixes NULL pointer crash due to active timer running for abort +IOCB. + +From crash dump analysis it was discoverd that get_next_timer_interrupt() +encountered a corrupted entry on the timer list. + + #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8 + [exception RIP: get_next_timer_interrupt+440] + RIP: ffffffff90ea3088 RSP: ffff95e1f6f0fdf0 RFLAGS: 00010013 + RAX: ffff95e1f6451028 RBX: 000218e2389e5f40 RCX: 00000001232ad600 + RDX: 0000000000000001 RSI: ffff95e1f6f0fdf0 RDI: 0000000001232ad6 + RBP: ffff95e1f6f0fe40 R8: ffff95e1f6451188 R9: 0000000000000001 + R10: 0000000000000016 R11: 0000000000000016 R12: 00000001232ad5f6 + R13: ffff95e1f6450000 R14: ffff95e1f6f0fdf8 R15: ffff95e1f6f0fe10 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +Looking at the assembly of get_next_timer_interrupt(), address came +from %r8 (ffff95e1f6451188) which is pointing to list_head with single +entry at ffff95e5ff621178. + + 0xffffffff90ea307a : mov (%r8),%rdx + 0xffffffff90ea307d : cmp %r8,%rdx + 0xffffffff90ea3080 : je 0xffffffff90ea30a7 + 0xffffffff90ea3082 : nopw 0x0(%rax,%rax,1) + 0xffffffff90ea3088 : testb $0x1,0x18(%rdx) + + crash> rd ffff95e1f6451188 10 + ffff95e1f6451188: ffff95e5ff621178 ffff95e5ff621178 x.b.....x.b..... + ffff95e1f6451198: ffff95e1f6451198 ffff95e1f6451198 ..E.......E..... + ffff95e1f64511a8: ffff95e1f64511a8 ffff95e1f64511a8 ..E.......E..... + ffff95e1f64511b8: ffff95e77cf509a0 ffff95e77cf509a0 ...|.......|.... + ffff95e1f64511c8: ffff95e1f64511c8 ffff95e1f64511c8 ..E.......E..... + + crash> rd ffff95e5ff621178 10 + ffff95e5ff621178: 0000000000000001 ffff95e15936aa00 ..........6Y.... + ffff95e5ff621188: 0000000000000000 00000000ffffffff ................ + ffff95e5ff621198: 00000000000000a0 0000000000000010 ................ + ffff95e5ff6211a8: ffff95e5ff621198 000000000000000c ..b............. + ffff95e5ff6211b8: 00000f5800000000 ffff95e751f8d720 ....X... ..Q.... + + ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080. + + CACHE NAME OBJSIZE ALLOCATED TOTAL SLABS SSIZE + ffff95dc7fd74d00 mnt_cache 384 19785 24948 594 16k + SLAB MEMORY NODE TOTAL ALLOCATED FREE + ffffdc5dabfd8800 ffff95e5ff620000 1 42 29 13 + FREE / [ALLOCATED] + ffff95e5ff621080 (cpu 6 cache) + +Examining the contents of that memory reveals a pointer to a constant string +in the driver, "abort\0", which is set by qla24xx_async_abort_cmd(). + + crash> rd ffffffffc059277c 20 + ffffffffc059277c: 6e490074726f6261 0074707572726574 abort.Interrupt. + ffffffffc059278c: 00676e696c6c6f50 6920726576697244 Polling.Driver i + ffffffffc059279c: 646f6d207325206e 6974736554000a65 n %s mode..Testi + ffffffffc05927ac: 636976656420676e 786c252074612065 ng device at %lx + ffffffffc05927bc: 6b63656843000a2e 646f727020676e69 ...Checking prod + ffffffffc05927cc: 6f20444920746375 0a2e706968632066 uct ID of chip.. + ffffffffc05927dc: 5120646e756f4600 204130303232414c .Found QLA2200A + ffffffffc05927ec: 43000a2e70696843 20676e696b636568 Chip...Checking + ffffffffc05927fc: 65786f626c69616d 6c636e69000a2e73 mailboxes...incl + ffffffffc059280c: 756e696c2f656475 616d2d616d642f78 ude/linux/dma-ma + + crash> struct -ox srb_iocb + struct srb_iocb { + union { + struct {...} logio; + struct {...} els_logo; + struct {...} tmf; + struct {...} fxiocb; + struct {...} abt; + struct ct_arg ctarg; + struct {...} mbx; + struct {...} nack; + [0x0 ] } u; + [0xb8] struct timer_list timer; + [0x108] void (*timeout)(void *); + } + SIZE: 0x110 + + crash> ! bc + ibase=16 + obase=10 + B8+40 + F8 + +The object is a srb_t, and at offset 0xf8 within that structure +(i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list. + +Cc: #4.4+ +Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.") +Signed-off-by: Himanshu Madhani +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -369,6 +369,7 @@ qla24xx_abort_sp_done(void *data, void * + srb_t *sp = (srb_t *)ptr; + struct srb_iocb *abt = &sp->u.iocb_cmd; + ++ del_timer(&sp->u.iocb_cmd.timer); + complete(&abt->u.abt.comp); + } + diff --git a/queue-4.9/series b/queue-4.9/series index 9c342c6b612..f4fcc17e091 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,3 +1,38 @@ rdma-ucma-limit-possible-option-size.patch rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch +drm-i915-try-edid-bitbanging-on-hdmi-after-failed-read.patch +scsi-qla2xxx-fix-null-pointer-crash-due-to-active-timer-for-abts.patch +drm-i915-always-call-to-intel_display_set_init_power-in-resume_early.patch +workqueue-allow-retrieval-of-current-task-s-work-struct.patch +drm-allow-determining-if-current-task-is-output-poll-worker.patch +drm-nouveau-fix-deadlock-on-runtime-suspend.patch +drm-radeon-fix-deadlock-on-runtime-suspend.patch +drm-amdgpu-fix-deadlock-on-runtime-suspend.patch +drm-amdgpu-notify-sbios-device-ready-before-send-request.patch +drm-radeon-fix-kv-harvesting.patch +drm-amdgpu-fix-kv-harvesting.patch +drm-amdgpu-correct-max-uvd-handles.patch +drm-amdgpu-always-save-uvd-vcpu_bo-in-vm-mode.patch +mips-bmips-do-not-mask-ipis-during-suspend.patch +mips-ath25-check-for-kzalloc-allocation-failure.patch +mips-octeon-irq-check-for-null-return-on-kzalloc-allocation.patch +input-matrix_keypad-fix-race-when-disabling-interrupts.patch +loop-fix-lost-writes-caused-by-missing-flag.patch +virtio_ring-fix-num_free-handling-in-error-case.patch +kvm-s390-fix-memory-overwrites-when-not-using-sca-entries.patch +kbuild-handle-builtin-dtb-file-names-containing-hyphens.patch +ib-mlx5-fix-incorrect-size-of-klms-in-the-memory-region.patch +bcache-fix-crashes-in-duplicate-cache-device-register.patch +bcache-don-t-attach-backing-with-duplicate-uuid.patch +x86-mce-serialize-sysfs-changes.patch +perf-tools-fix-trigger-class-trigger_on.patch +x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch +alsa-hda-realtek-limit-mic-boost-on-t480.patch +alsa-hda-realtek-fix-dock-line-out-volume-on-dell-precision-7520.patch +alsa-hda-realtek-make-dock-sound-work-on-thinkpad-l570.patch +alsa-seq-don-t-allow-resizing-pool-in-use.patch +alsa-seq-more-protection-for-concurrent-write-and-ioctl-races.patch +alsa-hda-fix-a-wrong-fixup-for-alc289-on-dell-machines.patch +alsa-hda-add-dock-and-led-support-for-hp-elitebook-820-g3.patch +alsa-hda-add-dock-and-led-support-for-hp-probook-640-g2.patch diff --git a/queue-4.9/virtio_ring-fix-num_free-handling-in-error-case.patch b/queue-4.9/virtio_ring-fix-num_free-handling-in-error-case.patch new file mode 100644 index 00000000000..012c4de5310 --- /dev/null +++ b/queue-4.9/virtio_ring-fix-num_free-handling-in-error-case.patch @@ -0,0 +1,35 @@ +From e82df670235138575b37ff0ec24412a471efd97f Mon Sep 17 00:00:00 2001 +From: Tiwei Bie +Date: Fri, 23 Feb 2018 19:41:30 +0800 +Subject: virtio_ring: fix num_free handling in error case + +From: Tiwei Bie + +commit e82df670235138575b37ff0ec24412a471efd97f upstream. + +The vq->vq.num_free hasn't been changed when error happens, +so it shouldn't be changed when handling the error. + +Fixes: 780bc7903a32 ("virtio_ring: Support DMA APIs") +Cc: Andy Lutomirski +Cc: Michael S. Tsirkin +Cc: stable@vger.kernel.org +Signed-off-by: Tiwei Bie +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_ring.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -423,8 +423,6 @@ unmap_release: + i = vq->vring.desc[i].next; + } + +- vq->vq.num_free += total_sg; +- + if (indirect) + kfree(desc); + diff --git a/queue-4.9/workqueue-allow-retrieval-of-current-task-s-work-struct.patch b/queue-4.9/workqueue-allow-retrieval-of-current-task-s-work-struct.patch new file mode 100644 index 00000000000..6dbaccbc273 --- /dev/null +++ b/queue-4.9/workqueue-allow-retrieval-of-current-task-s-work-struct.patch @@ -0,0 +1,69 @@ +From 27d4ee03078aba88c5e07dcc4917e8d01d046f38 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 11 Feb 2018 10:38:28 +0100 +Subject: workqueue: Allow retrieval of current task's work struct + +From: Lukas Wunner + +commit 27d4ee03078aba88c5e07dcc4917e8d01d046f38 upstream. + +Introduce a helper to retrieve the current task's work struct if it is +a workqueue worker. + +This allows us to fix a long-standing deadlock in several DRM drivers +wherein the ->runtime_suspend callback waits for a specific worker to +finish and that worker in turn calls a function which waits for runtime +suspend to finish. That function is invoked from multiple call sites +and waiting for runtime suspend to finish is the correct thing to do +except if it's executing in the context of the worker. + +Cc: Lai Jiangshan +Cc: Dave Airlie +Cc: Ben Skeggs +Cc: Alex Deucher +Acked-by: Tejun Heo +Reviewed-by: Lyude Paul +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71765bd3a2fd.1518338788.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/workqueue.h | 1 + + kernel/workqueue.c | 16 ++++++++++++++++ + 2 files changed, 17 insertions(+) + +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -453,6 +453,7 @@ extern bool cancel_delayed_work_sync(str + + extern void workqueue_set_max_active(struct workqueue_struct *wq, + int max_active); ++extern struct work_struct *current_work(void); + extern bool current_is_workqueue_rescuer(void); + extern bool workqueue_congested(int cpu, struct workqueue_struct *wq); + extern unsigned int work_busy(struct work_struct *work); +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -4130,6 +4130,22 @@ void workqueue_set_max_active(struct wor + EXPORT_SYMBOL_GPL(workqueue_set_max_active); + + /** ++ * current_work - retrieve %current task's work struct ++ * ++ * Determine if %current task is a workqueue worker and what it's working on. ++ * Useful to find out the context that the %current task is running in. ++ * ++ * Return: work struct if %current task is a workqueue worker, %NULL otherwise. ++ */ ++struct work_struct *current_work(void) ++{ ++ struct worker *worker = current_wq_worker(); ++ ++ return worker ? worker->current_work : NULL; ++} ++EXPORT_SYMBOL(current_work); ++ ++/** + * current_is_workqueue_rescuer - is %current workqueue rescuer? + * + * Determine whether %current is a workqueue rescuer. Can be used from diff --git a/queue-4.9/x86-mce-serialize-sysfs-changes.patch b/queue-4.9/x86-mce-serialize-sysfs-changes.patch new file mode 100644 index 00000000000..495e403b58d --- /dev/null +++ b/queue-4.9/x86-mce-serialize-sysfs-changes.patch @@ -0,0 +1,115 @@ +From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001 +From: Seunghun Han +Date: Tue, 6 Mar 2018 15:21:43 +0100 +Subject: x86/MCE: Serialize sysfs changes + +From: Seunghun Han + +commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream. + +The check_interval file in + + /sys/devices/system/machinecheck/machinecheck + +directory is a global timer value for MCE polling. If it is changed by one +CPU, mce_restart() broadcasts the event to other CPUs to delete and restart +the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the +mce_timer variable. + +If more than one CPU writes a specific value to the check_interval file +concurrently, mce_timer is not protected from such concurrent accesses and +all kinds of explosions happen. Since only root can write to those sysfs +variables, the issue is not a big deal security-wise. + +However, concurrent writes to these configuration variables is void of +reason so the proper thing to do is to serialize the access with a mutex. + +Boris: + + - Make store_int_with_restart() use device_store_ulong() to filter out + negative intervals + - Limit min interval to 1 second + - Correct locking + - Massage commit message + +Signed-off-by: Seunghun Han +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Cc: Greg Kroah-Hartman +Cc: Tony Luck +Cc: linux-edac +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -61,6 +61,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute + smp_load_acquire(&(p)); \ + }) + ++/* sysfs synchronization */ ++static DEFINE_MUTEX(mce_sysfs_mutex); ++ + #define CREATE_TRACE_POINTS + #include + +@@ -2308,6 +2311,7 @@ static ssize_t set_ignore_ce(struct devi + if (kstrtou64(buf, 0, &new) < 0) + return -EINVAL; + ++ mutex_lock(&mce_sysfs_mutex); + if (mca_cfg.ignore_ce ^ !!new) { + if (new) { + /* disable ce features */ +@@ -2320,6 +2324,8 @@ static ssize_t set_ignore_ce(struct devi + on_each_cpu(mce_enable_ce, (void *)1, 1); + } + } ++ mutex_unlock(&mce_sysfs_mutex); ++ + return size; + } + +@@ -2332,6 +2338,7 @@ static ssize_t set_cmci_disabled(struct + if (kstrtou64(buf, 0, &new) < 0) + return -EINVAL; + ++ mutex_lock(&mce_sysfs_mutex); + if (mca_cfg.cmci_disabled ^ !!new) { + if (new) { + /* disable cmci */ +@@ -2343,6 +2350,8 @@ static ssize_t set_cmci_disabled(struct + on_each_cpu(mce_enable_ce, NULL, 1); + } + } ++ mutex_unlock(&mce_sysfs_mutex); ++ + return size; + } + +@@ -2350,8 +2359,19 @@ static ssize_t store_int_with_restart(st + struct device_attribute *attr, + const char *buf, size_t size) + { +- ssize_t ret = device_store_int(s, attr, buf, size); ++ unsigned long old_check_interval = check_interval; ++ ssize_t ret = device_store_ulong(s, attr, buf, size); ++ ++ if (check_interval == old_check_interval) ++ return ret; ++ ++ if (check_interval < 1) ++ check_interval = 1; ++ ++ mutex_lock(&mce_sysfs_mutex); + mce_restart(); ++ mutex_unlock(&mce_sysfs_mutex); ++ + return ret; + } + diff --git a/queue-4.9/x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch b/queue-4.9/x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch new file mode 100644 index 00000000000..233faed4126 --- /dev/null +++ b/queue-4.9/x86-spectre_v2-don-t-check-microcode-versions-when-running-under-hypervisors.patch @@ -0,0 +1,57 @@ +From 36268223c1e9981d6cfc33aff8520b3bde4b8114 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 26 Feb 2018 09:35:01 -0500 +Subject: x86/spectre_v2: Don't check microcode versions when running under hypervisors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Konrad Rzeszutek Wilk + +commit 36268223c1e9981d6cfc33aff8520b3bde4b8114 upstream. + +As: + + 1) It's known that hypervisors lie about the environment anyhow (host + mismatch) + + 2) Even if the hypervisor (Xen, KVM, VMWare, etc) provided a valid + "correct" value, it all gets to be very murky when migration happens + (do you provide the "new" microcode of the machine?). + +And in reality the cloud vendors are the ones that should make sure that +the microcode that is running is correct and we should just sing lalalala +and trust them. + +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Thomas Gleixner +Reviewed-by: Paolo Bonzini +Cc: Wanpeng Li +Cc: kvm +Cc: Krčmář +Cc: Borislav Petkov +CC: "H. Peter Anvin" +CC: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180226213019.GE9497@char.us.oracle.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -103,6 +103,13 @@ static bool bad_spectre_microcode(struct + { + int i; + ++ /* ++ * We know that the hypervisor lie to us on the microcode version so ++ * we may as well hope that it is running the correct version. ++ */ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return false; ++ + for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) { + if (c->x86_model == spectre_bad_microcodes[i].model && + c->x86_stepping == spectre_bad_microcodes[i].stepping)