From: Greg Kroah-Hartman
Date: Sun, 20 May 2018 08:54:42 +0000 (+0200)
Subject: 4.16-stable patches
X-Git-Tag: v4.9.102~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5bbe175957cb7a7af9486f06283e0ea2fc4170b7;p=thirdparty%2Fkernel%2Fstable-queue.git
4.16-stable patches
added patches:
cpufreq-armada-37xx-driver-relies-on-cpufreq-dt.patch
drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch
drm-match-sysfs-name-in-link-removal-to-link-creation.patch
lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch
radix-tree-fix-multi-order-iteration-race.patch
s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch
s390-crc32-vx-use-expoline-for-indirect-branches.patch
s390-kernel-use-expoline-for-indirect-branches.patch
s390-lib-use-expoline-for-indirect-branches.patch
s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch
s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch
s390-remove-indirect-branch-from-do_softirq_own_stack.patch
---
diff --git a/queue-4.16/cpufreq-armada-37xx-driver-relies-on-cpufreq-dt.patch b/queue-4.16/cpufreq-armada-37xx-driver-relies-on-cpufreq-dt.patch
new file mode 100644
index 00000000000..5d7dd704644
--- /dev/null
+++ b/queue-4.16/cpufreq-armada-37xx-driver-relies-on-cpufreq-dt.patch
@@ -0,0 +1,35 @@ +From 0cf442c6bcf572e04f5690340d5b8e62afcee2ca Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 24 Apr 2018 17:45:06 +0200 +Subject: cpufreq: armada-37xx: driver relies on cpufreq-dt + +From: Miquel Raynal + +commit 0cf442c6bcf572e04f5690340d5b8e62afcee2ca upstream. + +Armada-37xx driver registers a cpufreq-dt driver. Not having +CONFIG_CPUFREQ_DT selected leads to a silent abort during the probe. +Prevent that situation by having the former depending on the latter. + +Fixes: 92ce45fb875d7 (cpufreq: Add DVFS support for Armada 37xx) +Cc: 4.16+ # 4.16+ +Signed-off-by: Miquel Raynal +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/Kconfig.arm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cpufreq/Kconfig.arm ++++ b/drivers/cpufreq/Kconfig.arm +@@ -20,7 +20,7 @@ config ACPI_CPPC_CPUFREQ + + config ARM_ARMADA_37XX_CPUFREQ + tristate "Armada 37xx CPUFreq support" +- depends on ARCH_MVEBU ++ depends on ARCH_MVEBU && CPUFREQ_DT + help + This adds the CPUFreq driver support for Marvell Armada 37xx SoCs. + The Armada 37xx PMU supports 4 frequency and VDD levels. diff --git a/queue-4.16/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch b/queue-4.16/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch new file mode 100644 index 00000000000..b262dab74bc --- /dev/null +++ b/queue-4.16/drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch 
@@ -0,0 +1,57 @@ +From b579f924a90f42fa561afd8201514fc216b71949 Mon Sep 17 00:00:00 2001 +From: Michel Thierry +Date: Mon, 14 May 2018 09:54:45 -0700 +Subject: drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk + +From: Michel Thierry + +commit b579f924a90f42fa561afd8201514fc216b71949 upstream. + +Factor in clear values wherever required while updating destination +min/max. + +References: HSDES#1604444184 +Signed-off-by: Michel Thierry +Cc: mesa-dev@lists.freedesktop.org +Cc: Mika Kuoppala +Cc: Oscar Mateo +Reviewed-by: Mika Kuoppala +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20180510200708.18097-1-michel.thierry@intel.com +Cc: stable@vger.kernel.org +Cc: Joonas Lahtinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180514165445.9198-1-michel.thierry@intel.com +(backported from commit 0c79f9cb77eae28d48a4f9fc1b3341aacbbd260c) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 3 +++ + drivers/gpu/drm/i915/intel_engine_cs.c | 4 ++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -7139,6 +7139,9 @@ enum { + #define SLICE_ECO_CHICKEN0 _MMIO(0x7308) + #define PIXEL_MASK_CAMMING_DISABLE (1 << 14) + ++#define GEN9_WM_CHICKEN3 _MMIO(0x5588) ++#define GEN9_FACTOR_IN_CLR_VAL_HIZ (1 << 9) ++ + /* WaCatErrorRejectionIssue */ + #define GEN7_SQ_CHICKEN_MBCUNIT_CONFIG _MMIO(0x9030) + #define GEN7_SQ_CHICKEN_MBCUNIT_SQINTMOB (1<<11) +--- a/drivers/gpu/drm/i915/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/intel_engine_cs.c +@@ -1098,6 +1098,10 @@ static int gen9_init_workarounds(struct + WA_SET_FIELD_MASKED(GEN8_CS_CHICKEN1, GEN9_PREEMPT_GPGPU_LEVEL_MASK, + GEN9_PREEMPT_GPGPU_COMMAND_LEVEL); + ++ /* WaClearHIZ_WM_CHICKEN3:bxt,glk */ ++ if (IS_GEN9_LP(dev_priv)) ++ WA_SET_BIT_MASKED(GEN9_WM_CHICKEN3, GEN9_FACTOR_IN_CLR_VAL_HIZ); ++ + /* WaVFEStateAfterPipeControlwithMediaStateClear:skl,bxt,glk,cfl 
*/ + ret = wa_ring_whitelist_reg(engine, GEN9_CTX_PREEMPT_REG); + if (ret) diff --git a/queue-4.16/drm-match-sysfs-name-in-link-removal-to-link-creation.patch b/queue-4.16/drm-match-sysfs-name-in-link-removal-to-link-creation.patch new file mode 100644 index 00000000000..3ab92b863d0 --- /dev/null +++ b/queue-4.16/drm-match-sysfs-name-in-link-removal-to-link-creation.patch @@ -0,0 +1,48 @@ +From 7f6df440b8623c441c42d070bf592e2d2c1fa9bb Mon Sep 17 00:00:00 2001 +From: Haneen Mohammed +Date: Fri, 11 May 2018 07:15:42 +0300 +Subject: drm: Match sysfs name in link removal to link creation + +From: Haneen Mohammed + +commit 7f6df440b8623c441c42d070bf592e2d2c1fa9bb upstream. + +This patch matches the sysfs name used in the unlinking with the +linking function. Otherwise, remove_compat_control_link() fails to remove +sysfs created by create_compat_control_link() in drm_dev_register(). + +Fixes: 6449b088dd51 ("drm: Add fake controlD* symlinks for backwards +compat") +Cc: Dave Airlie +Cc: Alex Deucher +Cc: Emil Velikov +Cc: David Herrmann +Cc: Greg Kroah-Hartman +Cc: Daniel Vetter +Cc: Gustavo Padovan +Cc: Maarten Lankhorst +Cc: Sean Paul +Cc: David Airlie +Cc: dri-devel@lists.freedesktop.org +Cc: # v4.10+ +Signed-off-by: Haneen Mohammed +[seanpaul added Fixes and Cc tags] +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20180511041542.GA4253@haneen-vb +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -716,7 +716,7 @@ static void remove_compat_control_link(s + if (!minor) + return; + +- name = kasprintf(GFP_KERNEL, "controlD%d", minor->index); ++ name = kasprintf(GFP_KERNEL, "controlD%d", minor->index + 64); + if (!name) + return; + 
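Review bot: In `remove_compat_control_link()` (drivers/gpu/drm/drm_drv.c) the new `minor->index + 64` repeats a bare offset that, per the commit message, has to stay identical to the one used by `create_compat_control_link()`, and nothing on the visible lines ties the two together. A shared named constant, or a small helper that builds the link name for both paths, would keep creation and removal from drifting apart again, e.g. `name = kasprintf(GFP_KERNEL, "controlD%d", minor->index + COMPAT_CONTROL_OFFSET);` where the constant name is a placeholder. The creation side is not part of this hunk, so the matching expression there should be confirmed, and the function body starts and ends outside the hunk.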
diff --git a/queue-4.16/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch b/queue-4.16/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
new file mode 100644
index 00000000000..98cb40323c5
--- /dev/null
+++ b/queue-4.16/lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
@@ -0,0 +1,73 @@ +From 1e3054b98c5415d5cb5f8824fc33b548ae5644c3 Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Fri, 18 May 2018 16:08:44 -0700 +Subject: lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly + +From: Matthew Wilcox + +commit 1e3054b98c5415d5cb5f8824fc33b548ae5644c3 upstream. + +I had neglected to increment the error counter when the tests failed, +which made the tests noisy when they fail, but not actually return an +error code. + +Link: http://lkml.kernel.org/r/20180509114328.9887-1-mpe@ellerman.id.au +Fixes: 3cc78125a081 ("lib/test_bitmap.c: add optimisation tests") +Signed-off-by: Matthew Wilcox +Signed-off-by: Michael Ellerman +Reported-by: Michael Ellerman +Tested-by: Michael Ellerman +Reviewed-by: Kees Cook +Cc: Yury Norov +Cc: Andy Shevchenko +Cc: Geert Uytterhoeven +Cc: [4.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_bitmap.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/lib/test_bitmap.c ++++ b/lib/test_bitmap.c +@@ -329,23 +329,32 @@ static void noinline __init test_mem_opt + unsigned int start, nbits; + + for (start = 0; start < 1024; start += 8) { +- memset(bmap1, 0x5a, sizeof(bmap1)); +- memset(bmap2, 0x5a, sizeof(bmap2)); + for (nbits = 0; nbits < 1024 - start; nbits += 8) { ++ memset(bmap1, 0x5a, sizeof(bmap1)); ++ memset(bmap2, 0x5a, sizeof(bmap2)); ++ + bitmap_set(bmap1, start, nbits); + __bitmap_set(bmap2, start, nbits); +- if (!bitmap_equal(bmap1, bmap2, 1024)) ++ if (!bitmap_equal(bmap1, bmap2, 1024)) { + printk("set not equal %d %d\n", start, nbits); +- if (!__bitmap_equal(bmap1, bmap2, 1024)) ++ failed_tests++; ++ } ++ if (!__bitmap_equal(bmap1, bmap2, 1024)) { + printk("set not __equal %d %d\n", start, nbits); ++ failed_tests++; ++ } + + bitmap_clear(bmap1, start, nbits); + __bitmap_clear(bmap2, start, nbits); +- if (!bitmap_equal(bmap1, bmap2, 1024)) ++ if (!bitmap_equal(bmap1, bmap2, 
1024)) { + printk("clear not equal %d %d\n", start, nbits); +- if (!__bitmap_equal(bmap1, bmap2, 1024)) ++ failed_tests++; ++ } ++ if (!__bitmap_equal(bmap1, bmap2, 1024)) { + printk("clear not __equal %d %d\n", start, + nbits); ++ failed_tests++; ++ } + } + } + } diff --git a/queue-4.16/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch b/queue-4.16/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch new file mode 100644 index 00000000000..85f269c1b67 --- /dev/null +++ b/queue-4.16/mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch 
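Review bot: The four failure messages in lib/test_bitmap.c print `start` and `nbits`, which the hunk's context declares as `unsigned int`, with `%d`, and they go through bare `printk()` with no log level. Now that each branch counts as a failed test, the messages could be emitted at error level with matching specifiers, e.g. `pr_err("set not equal %u %u\n", start, nbits);`, and likewise for the other three branches. Both values stay below 1024 in the visible loops, so today's output is unaffected; this is a consistency point. The enclosing function begins outside the hunk.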
@@ -0,0 +1,90 @@ +From ab1e8d8960b68f54af42b6484b5950bd13a4054b Mon Sep 17 00:00:00 2001 +From: Pavel Tatashin +Date: Fri, 18 May 2018 16:09:13 -0700 +Subject: mm: don't allow deferred pages with NEED_PER_CPU_KM + +From: Pavel Tatashin + +commit ab1e8d8960b68f54af42b6484b5950bd13a4054b upstream. + +It is unsafe to do virtual to physical translations before mm_init() is +called if struct page is needed in order to determine the memory section +number (see SECTION_IN_PAGE_FLAGS). This is because only in mm_init() +we initialize struct pages for all the allocated memory when deferred +struct pages are used. + +My recent fix in commit c9e97a1997 ("mm: initialize pages on demand +during boot") exposed this problem, because it greatly reduced number of +pages that are initialized before mm_init(), but the problem existed +even before my fix, as Fengguang Wu found. + +Below is a more detailed explanation of the problem. + +We initialize struct pages in four places: + +1. Early in boot a small set of struct pages is initialized to fill the + first section, and lower zones. + +2. During mm_init() we initialize "struct pages" for all the memory that + is allocated, i.e reserved in memblock. + +3. Using on-demand logic when pages are allocated after mm_init call + (when memblock is finished) + +4. After smp_init() when the rest free deferred pages are initialized. + +The problem occurs if we try to do va to phys translation of a memory +between steps 1 and 2. 
Because we have not yet initialized struct pages +for all the reserved pages, it is inherently unsafe to do va to phys if +the translation itself requires access of "struct page" as in case of +this combination: CONFIG_SPARSE && !CONFIG_SPARSE_VMEMMAP + +The following path exposes the problem: + + start_kernel() + trap_init() + setup_cpu_entry_areas() + setup_cpu_entry_area(cpu) + get_cpu_gdt_paddr(cpu) + per_cpu_ptr_to_phys(addr) + pcpu_addr_to_page(addr) + virt_to_page(addr) + pfn_to_page(__pa(addr) >> PAGE_SHIFT) + +We disable this path by not allowing NEED_PER_CPU_KM with deferred +struct pages feature. + +The problems are discussed in these threads: + http://lkml.kernel.org/r/20180418135300.inazvpxjxowogyge@wfg-t540p.sh.intel.com + http://lkml.kernel.org/r/20180419013128.iurzouiqxvcnpbvz@wfg-t540p.sh.intel.com + http://lkml.kernel.org/r/20180426202619.2768-1-pasha.tatashin@oracle.com + +Link: http://lkml.kernel.org/r/20180515175124.1770-1-pasha.tatashin@oracle.com +Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set") +Signed-off-by: Pavel Tatashin +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Steven Sistare +Cc: Daniel Jordan +Cc: Mel Gorman +Cc: Fengguang Wu +Cc: Dennis Zhou +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -644,6 +644,7 @@ config DEFERRED_STRUCT_PAGE_INIT + default n + depends on NO_BOOTMEM + depends on !FLATMEM ++ depends on !NEED_PER_CPU_KM + help + Ordinarily all struct pages are initialised during early boot in a + single thread. On very large machines this can take a considerable diff --git a/queue-4.16/radix-tree-fix-multi-order-iteration-race.patch b/queue-4.16/radix-tree-fix-multi-order-iteration-race.patch new file mode 100644 index 00000000000..7ee3097329d --- /dev/null 
+++ b/queue-4.16/radix-tree-fix-multi-order-iteration-race.patch 
@@ -0,0 +1,119 @@ +From 9f418224e8114156d995b98fa4e0f4fd21f685fe Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Fri, 18 May 2018 16:09:06 -0700 +Subject: radix tree: fix multi-order iteration race + +From: Ross Zwisler + +commit 9f418224e8114156d995b98fa4e0f4fd21f685fe upstream. + +Fix a race in the multi-order iteration code which causes the kernel to +hit a GP fault. This was first seen with a production v4.15 based +kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used +order 9 PMD DAX entries. + +The race has to do with how we tear down multi-order sibling entries +when we are removing an item from the tree. Remember for example that +an order 2 entry looks like this: + + struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] + +where 'entry' is in some slot in the struct radix_tree_node, and the +three slots following 'entry' contain sibling pointers which point back +to 'entry.' + +When we delete 'entry' from the tree, we call : + + radix_tree_delete() + radix_tree_delete_item() + __radix_tree_delete() + replace_slot() + +replace_slot() first removes the siblings in order from the first to the +last, then at then replaces 'entry' with NULL. This means that for a +brief period of time we end up with one or more of the siblings removed, +so: + + struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] + +This causes an issue if you have a reader iterating over the slots in +the tree via radix_tree_for_each_slot() while only under +rcu_read_lock()/rcu_read_unlock() protection. This is a common case in +mm/filemap.c. + +The issue is that when __radix_tree_next_slot() => skip_siblings() tries +to skip over the sibling entries in the slots, it currently does so with +an exact match on the slot directly preceding our current slot. 
+Normally this works: + + V preceding slot + struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] + ^ current slot + +This lets you find the first sibling, and you skip them all in order. + +But in the case where one of the siblings is NULL, that slot is skipped +and then our sibling detection is interrupted: + + V preceding slot + struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] + ^ current slot + +This means that the sibling pointers aren't recognized since they point +all the way back to 'entry', so we think that they are normal internal +radix tree pointers. This causes us to think we need to walk down to a +struct radix_tree_node starting at the address of 'entry'. + +In a real running kernel this will crash the thread with a GP fault when +you try and dereference the slots in your broken node starting at +'entry'. + +We fix this race by fixing the way that skip_siblings() detects sibling +nodes. Instead of testing against the preceding slot we instead look +for siblings via is_sibling_entry() which compares against the position +of the struct radix_tree_node.slots[] array. This ensures that sibling +entries are properly identified, even if they are no longer contiguous +with the 'entry' they point to. 
+ +Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com +Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators") +Signed-off-by: Ross Zwisler +Reported-by: CR, Sapthagirish +Reviewed-by: Jan Kara +Cc: Matthew Wilcox +Cc: Christoph Hellwig +Cc: Dan Williams +Cc: Dave Chinner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/radix-tree.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -1612,11 +1612,9 @@ static void set_iter_tags(struct radix_t + static void __rcu **skip_siblings(struct radix_tree_node **nodep, + void __rcu **slot, struct radix_tree_iter *iter) + { +- void *sib = node_to_entry(slot - 1); +- + while (iter->index < iter->next_index) { + *nodep = rcu_dereference_raw(*slot); +- if (*nodep && *nodep != sib) ++ if (*nodep && !is_sibling_entry(iter->node, *nodep)) + return slot; + slot++; + iter->index = __radix_tree_iter_add(iter, 1); +@@ -1631,7 +1629,7 @@ void __rcu **__radix_tree_next_slot(void + struct radix_tree_iter *iter, unsigned flags) + { + unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK; +- struct radix_tree_node *node = rcu_dereference_raw(*slot); ++ struct radix_tree_node *node; + + slot = skip_siblings(&node, slot, iter); + diff --git a/queue-4.16/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch b/queue-4.16/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch new file mode 100644 index 00000000000..0e4e5579a28 --- /dev/null +++ b/queue-4.16/s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch 
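Review bot: In `__radix_tree_next_slot()` (lib/radix-tree.c) `node` is now declared without an initializer and only receives a value through `skip_siblings(&node, slot, iter)`. On the visible lines `skip_siblings()` stores to `*nodep` inside the `while` loop only, so when `iter->index >= iter->next_index` on entry the value depends on what follows the loop, which is outside the hunk. That exit path should be confirmed to store to `*nodep`, and the contract deserves a comment on `skip_siblings()`, for example `/* Always stores to *nodep, including when no further slot is found. */`. A second comment at the `is_sibling_entry()` test, noting that siblings can be cleared before their entry during a concurrent delete, would keep the reason for the check next to the code instead of only in the commit message.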
@@ -0,0 +1,38 @@ +From 4bbaf2584b86b0772413edeac22ff448f36351b1 Mon Sep 17 00:00:00 2001 +From: Hendrik Brueckner +Date: Thu, 3 May 2018 15:56:15 +0200 +Subject: s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero + +From: Hendrik Brueckner + +commit 4bbaf2584b86b0772413edeac22ff448f36351b1 upstream. + +Correct a trinity finding for the perf_event_open() system call with +a perf event attribute structure that uses a frequency but has the +sampling frequency set to zero. This causes a FP divide exception during +the sample rate initialization for the hardware sampling facility. + +Fixes: 8c069ff4bd606 ("s390/perf: add support for the CPU-Measurement Sampling Facility") +Cc: stable@vger.kernel.org # 3.14+ +Reviewed-by: Heiko Carstens +Signed-off-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/perf_cpum_sf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -753,6 +753,10 @@ static int __hw_perf_event_init(struct p + */ + rate = 0; + if (attr->freq) { ++ if (!attr->sample_freq) { ++ err = -EINVAL; ++ goto out; ++ } + rate = freq_to_sample_rate(&si, attr->sample_freq); + rate = hw_limit_rate(&si, rate); + attr->freq = 0; diff --git a/queue-4.16/s390-crc32-vx-use-expoline-for-indirect-branches.patch b/queue-4.16/s390-crc32-vx-use-expoline-for-indirect-branches.patch new file mode 100644 index 00000000000..2fb4aa6ca33 --- /dev/null +++ b/queue-4.16/s390-crc32-vx-use-expoline-for-indirect-branches.patch 
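Review bot: The new `!attr->sample_freq` check in `__hw_perf_event_init()` (arch/s390/kernel/perf_cpum_sf.c) carries no comment, so the reason for it lives only in the commit message. `attr` is the perf event attribute structure passed in through perf_event_open(), which makes this validation of a caller-controlled value; I would add `/* sample_freq comes from the perf_event_open() caller; zero would fault in the sample rate computation below */` above the check. Only the zero case is rejected here, and whether `freq_to_sample_rate()` and `hw_limit_rate()` cope with every other value cannot be judged from the hunk. The function start and the `out` label lie outside the hunk.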
@@ -0,0 +1,77 @@ +From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 23 Apr 2018 14:31:36 +0200 +Subject: s390/crc32-vx: use expoline for indirect branches + +From: Martin Schwidefsky + +commit 467a3bf219cee12259182c5cb4821f88fd518a51 upstream. + +The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the +crc32_be_vgfm_16 functions are done with "br %r14". These are indirect +branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. + +Cc: stable@vger.kernel.org # 4.16 +Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/crypto/crc32be-vx.S | 5 ++++- + arch/s390/crypto/crc32le-vx.S | 4 +++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/s390/crypto/crc32be-vx.S ++++ b/arch/s390/crypto/crc32be-vx.S +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + + /* Vector register range containing CRC-32 constants */ +@@ -67,6 +68,8 @@ + + .previous + ++ GEN_BR_THUNK %r14 ++ + .text + /* + * The CRC-32 function(s) use these calling conventions: +@@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16) + + .Ldone: + VLGVF %r2,%v2,3 +- br %r14 ++ BR_EX %r14 + + .previous +--- a/arch/s390/crypto/crc32le-vx.S ++++ b/arch/s390/crypto/crc32le-vx.S +@@ -14,6 +14,7 @@ + */ + + #include ++#include + #include + + /* Vector register range containing CRC-32 constants */ +@@ -76,6 +77,7 @@ + + .previous + ++ GEN_BR_THUNK %r14 + + .text + +@@ -264,6 +266,6 @@ crc32_le_vgfm_generic: + + .Ldone: + VLGVF %r2,%v2,2 +- br %r14 ++ BR_EX %r14 + + .previous diff --git a/queue-4.16/s390-kernel-use-expoline-for-indirect-branches.patch b/queue-4.16/s390-kernel-use-expoline-for-indirect-branches.patch new file mode 100644 index 00000000000..42048c87db1 --- /dev/null +++ b/queue-4.16/s390-kernel-use-expoline-for-indirect-branches.patch 
@@ -0,0 +1,165 @@ +From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Wed, 25 Apr 2018 18:41:30 +0200 +Subject: s390/kernel: use expoline for indirect branches + +From: Martin Schwidefsky + +commit c50c84c3ac4d5db683904bdb3257798b6ef980ae upstream. + +The assember code in arch/s390/kernel uses a few more indirect branches +which need to be done with execute trampolines for CONFIG_EXPOLINE=y. + +Cc: stable@vger.kernel.org # 4.16 +Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/base.S | 24 ++++++++++++++---------- + arch/s390/kernel/reipl.S | 7 +++++-- + arch/s390/kernel/swsusp.S | 10 ++++++---- + 3 files changed, 25 insertions(+), 16 deletions(-) + +--- a/arch/s390/kernel/base.S ++++ b/arch/s390/kernel/base.S +@@ -9,18 +9,22 @@ + + #include + #include ++#include + #include + #include + ++ GEN_BR_THUNK %r9 ++ GEN_BR_THUNK %r14 ++ + ENTRY(s390_base_mcck_handler) + basr %r13,0 + 0: lg %r15,__LC_PANIC_STACK # load panic stack + aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_mcck_handler_fn +- lg %r1,0(%r1) +- ltgr %r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr %r14,%r1 ++ BASR_EX %r14,%r9 + 1: la %r1,4095 + lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) + lpswe __LC_MCK_OLD_PSW +@@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler) + basr %r13,0 + 0: aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_ext_handler_fn +- lg %r1,0(%r1) +- ltgr %r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr %r14,%r1 ++ BASR_EX %r14,%r9 + 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC + ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit + lpswe __LC_EXT_OLD_PSW +@@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler) + basr %r13,0 + 0: aghi %r15,-STACK_FRAME_OVERHEAD + larl %r1,s390_base_pgm_handler_fn +- lg %r1,0(%r1) +- ltgr %r1,%r1 ++ lg %r9,0(%r1) ++ ltgr %r9,%r9 + jz 1f +- basr 
%r14,%r1 ++ BASR_EX %r14,%r9 + lmg %r0,%r15,__LC_SAVE_AREA_SYNC + lpswe __LC_PGM_OLD_PSW + 1: lpswe disabled_wait_psw-0b(%r13) +@@ -117,7 +121,7 @@ ENTRY(diag308_reset) + larl %r4,.Lcontinue_psw # Restore PSW flags + lpswe 0(%r4) + .Lcontinue: +- br %r14 ++ BR_EX %r14 + .align 16 + .Lrestart_psw: + .long 0x00080000,0x80000000 + .Lrestart_part2 +--- a/arch/s390/kernel/reipl.S ++++ b/arch/s390/kernel/reipl.S +@@ -7,8 +7,11 @@ + + #include + #include ++#include + #include + ++ GEN_BR_THUNK %r9 ++ + # + # Issue "store status" for the current CPU to its prefix page + # and call passed function afterwards +@@ -67,9 +70,9 @@ ENTRY(store_status) + st %r4,0(%r1) + st %r5,4(%r1) + stg %r2,8(%r1) +- lgr %r1,%r2 ++ lgr %r9,%r2 + lgr %r2,%r3 +- br %r1 ++ BR_EX %r9 + + .section .bss + .align 8 +--- a/arch/s390/kernel/swsusp.S ++++ b/arch/s390/kernel/swsusp.S +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -24,6 +25,8 @@ + * (see below) in the resume process. + * This function runs with disabled interrupts. + */ ++ GEN_BR_THUNK %r14 ++ + .section .text + ENTRY(swsusp_arch_suspend) + stmg %r6,%r15,__SF_GPRS(%r15) +@@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend) + spx 0x318(%r1) + lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) + lghi %r2,0 +- br %r14 ++ BR_EX %r14 + + /* + * Restore saved memory image to correct place and restore register context. +@@ -197,11 +200,10 @@ pgm_check_entry: + larl %r15,init_thread_union + ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER) + larl %r2,.Lpanic_string +- larl %r3,sclp_early_printk + lghi %r1,0 + sam31 + sigp %r1,%r0,SIGP_SET_ARCHITECTURE +- basr %r14,%r3 ++ brasl %r14,sclp_early_printk + larl %r3,.Ldisabled_wait_31 + lpsw 0(%r3) + 4: +@@ -267,7 +269,7 @@ restore_registers: + /* Return 0 */ + lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) + lghi %r2,0 +- br %r14 ++ BR_EX %r14 + + .section .data..nosave,"aw",@progbits + .align 8 
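Review bot: In arch/s390/kernel/base.S and reipl.S the branch target moves from %r1 to %r9 with no comment explaining the choice of register. Presumably %r1 is avoided because the expoline thunk uses it as scratch; a one-line comment next to `GEN_BR_THUNK %r9`, such as `# branch target must not live in %r1 when going through the expoline thunk`, would stop a later cleanup from moving it back (to be confirmed against the thunk macro, which is not shown). In `store_status`, `lgr %r9,%r2` overwrites a register that is call-saved under the s390 ABI without saving it, which is safe only if the function reached through `BR_EX %r9` never returns to the caller of `store_status`; the visible lines do not establish that. The handlers in base.S reload %r0-%r15 from a save area right after the call, so they look unaffected.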
diff --git a/queue-4.16/s390-lib-use-expoline-for-indirect-branches.patch b/queue-4.16/s390-lib-use-expoline-for-indirect-branches.patch
new file mode 100644
index 00000000000..0e6627f5296
--- /dev/null
+++ b/queue-4.16/s390-lib-use-expoline-for-indirect-branches.patch
@@ -0,0 +1,96 @@ +From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 23 Apr 2018 14:31:36 +0200 +Subject: s390/lib: use expoline for indirect branches + +From: Martin Schwidefsky + +commit 97489e0663fa700d6e7febddc43b58df98d7bcda upstream. + +The return from the memmove, memset, memcpy, __memset16, __memset32 and +__memset64 functions are done with "br %r14". These are indirect branches +as well and need to use execute trampolines for CONFIG_EXPOLINE=y. + +Cc: stable@vger.kernel.org # 4.16 +Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/lib/mem.S | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/arch/s390/lib/mem.S ++++ b/arch/s390/lib/mem.S +@@ -7,6 +7,9 @@ + + #include + #include ++#include ++ ++ GEN_BR_THUNK %r14 + + /* + * void *memmove(void *dest, const void *src, size_t n) +@@ -33,14 +36,14 @@ ENTRY(memmove) + .Lmemmove_forward_remainder: + larl %r5,.Lmemmove_mvc + ex %r4,0(%r5) +- br %r14 ++ BR_EX %r14 + .Lmemmove_reverse: + ic %r0,0(%r4,%r3) + stc %r0,0(%r4,%r1) + brctg %r4,.Lmemmove_reverse + ic %r0,0(%r4,%r3) + stc %r0,0(%r4,%r1) +- br %r14 ++ BR_EX %r14 + .Lmemmove_mvc: + mvc 0(1,%r1),0(%r3) + EXPORT_SYMBOL(memmove) +@@ -77,7 +80,7 @@ ENTRY(memset) + .Lmemset_clear_remainder: + larl %r3,.Lmemset_xc + ex %r4,0(%r3) +- br %r14 ++ BR_EX %r14 + .Lmemset_fill: + cghi %r4,1 + lgr %r1,%r2 +@@ -95,10 +98,10 @@ ENTRY(memset) + stc %r3,0(%r1) + larl %r5,.Lmemset_mvc + ex %r4,0(%r5) +- br %r14 ++ BR_EX %r14 + .Lmemset_fill_exit: + stc %r3,0(%r1) +- br %r14 ++ BR_EX %r14 + .Lmemset_xc: + xc 0(1,%r1),0(%r1) + .Lmemset_mvc: +@@ -121,7 +124,7 @@ ENTRY(memcpy) + .Lmemcpy_remainder: + larl %r5,.Lmemcpy_mvc + ex %r4,0(%r5) +- br %r14 ++ BR_EX %r14 + .Lmemcpy_loop: + mvc 0(256,%r1),0(%r3) + la %r1,256(%r1) +@@ -159,10 +162,10 @@ 
ENTRY(__memset\bits) + \insn %r3,0(%r1) + larl %r5,.L__memset_mvc\bits + ex %r4,0(%r5) +- br %r14 ++ BR_EX %r14 + .L__memset_exit\bits: + \insn %r3,0(%r2) +- br %r14 ++ BR_EX %r14 + .L__memset_mvc\bits: + mvc \bytes(1,%r1),0(%r1) + .endm diff --git a/queue-4.16/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch b/queue-4.16/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch new file mode 100644 index 00000000000..061b5a9ed09 --- /dev/null +++ b/queue-4.16/s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch 
@@ -0,0 +1,65 @@ +From 2e68adcd2fb21b7188ba449f0fab3bee2910e500 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Wed, 2 May 2018 08:28:34 +0200 +Subject: s390/qdio: don't release memory in qdio_setup_irq() + +From: Julian Wiedmann + +commit 2e68adcd2fb21b7188ba449f0fab3bee2910e500 upstream. + +Calling qdio_release_memory() on error is just plain wrong. It frees +the main qdio_irq struct, when following code still uses it. + +Also, no other error path in qdio_establish() does this. So trust +callers to clean up via qdio_free() if some step of the QDIO +initialization fails. + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Cc: #v2.6.27+ +Signed-off-by: Julian Wiedmann +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_setup.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -456,7 +456,6 @@ int qdio_setup_irq(struct qdio_initializ + { + struct ciw *ciw; + struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data; +- int rc; + + memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib)); + memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag)); +@@ -493,16 +492,14 @@ int qdio_setup_irq(struct qdio_initializ + ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE); + if (!ciw) { + DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no); +- rc = -EINVAL; +- goto out_err; ++ return -EINVAL; + } + irq_ptr->equeue = *ciw; + + ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE); + if (!ciw) { + DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no); +- rc = -EINVAL; +- goto out_err; ++ return -EINVAL; + } + irq_ptr->aqueue = *ciw; + +@@ -510,9 +507,6 @@ int qdio_setup_irq(struct qdio_initializ + irq_ptr->orig_handler = init_data->cdev->handler; + init_data->cdev->handler = qdio_int_handler; + return 0; +-out_err: +- qdio_release_memory(irq_ptr); +- return rc; + } + + void qdio_print_subchannel_info(struct qdio_irq *irq_ptr, 
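Review bot: With the `out_err` path removed, `qdio_setup_irq()` (drivers/s390/cio/qdio_setup.c) returns -EINVAL with `irq_ptr` still allocated and partly initialised, and nothing in the code says who releases it. The commit message states that callers are trusted to clean up via `qdio_free()`; that ownership rule belongs on the function itself, for instance `/* On error the qdio_irq is left allocated; the caller releases it via qdio_free(). */`. It is also worth checking that every caller of `qdio_setup_irq()` tests the return value and takes that cleanup path, since the callers are not part of this hunk.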
diff --git a/queue-4.16/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch b/queue-4.16/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch new file mode 100644 index 00000000000..a3a4480b37a --- /dev/null +++ b/queue-4.16/s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch @@ -0,0 +1,42 @@ +From e521813468f786271a87e78e8644243bead48fad Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Wed, 2 May 2018 08:48:43 +0200 +Subject: s390/qdio: fix access to uninitialized qdio_q fields + +From: Julian Wiedmann + +commit e521813468f786271a87e78e8644243bead48fad upstream. + +Ever since CQ/QAOB support was added, calling qdio_free() straight after +qdio_alloc() results in qdio_release_memory() accessing uninitialized +memory (ie. q->u.out.use_cq and q->u.out.aobs). Followed by a +kmem_cache_free() on the random AOB addresses. + +For older kernels that don't have 6e30c549f6ca, the same applies if +qdio_establish() fails in the DEV_STATE_ONLINE check. + +While initializing q->u.out.use_cq would be enough to fix this +particular bug, the more future-proof change is to just zero-alloc the +whole struct. + +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Cc: #v3.2+ +Signed-off-by: Julian Wiedmann +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/qdio_setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -141,7 +141,7 @@ static int __qdio_allocate_qs(struct qdi + int i; + + for (i = 0; i < nr_queues; i++) { +- q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL); ++ q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL); + if (!q) + return -ENOMEM; + diff --git a/queue-4.16/s390-remove-indirect-branch-from-do_softirq_own_stack.patch b/queue-4.16/s390-remove-indirect-branch-from-do_softirq_own_stack.patch new file mode 100644 index 00000000000..0531494a2d4 --- /dev/null 
+++ b/queue-4.16/s390-remove-indirect-branch-from-do_softirq_own_stack.patch @@ -0,0 +1,38 @@ +From 9f18fff63cfd6f559daa1eaae60640372c65f84b Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 24 Apr 2018 11:18:49 +0200 +Subject: s390: remove indirect branch from do_softirq_own_stack + +From: Martin Schwidefsky + +commit 9f18fff63cfd6f559daa1eaae60640372c65f84b upstream. + +The inline assembly to call __do_softirq on the irq stack uses +an indirect branch. This can be replaced with a normal relative +branch. + +Cc: stable@vger.kernel.org # 4.16 +Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/irq.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/s390/kernel/irq.c ++++ b/arch/s390/kernel/irq.c +@@ -176,10 +176,9 @@ void do_softirq_own_stack(void) + new -= STACK_FRAME_OVERHEAD; + ((struct stack_frame *) new)->back_chain = old; + asm volatile(" la 15,0(%0)\n" +- " basr 14,%2\n" ++ " brasl 14,__do_softirq\n" + " la 15,0(%1)\n" +- : : "a" (new), "a" (old), +- "a" (__do_softirq) ++ : : "a" (new), "a" (old) + : "0", "1", "2", "3", "4", "5", "14", + "cc", "memory" ); + } else { diff --git a/queue-4.16/series b/queue-4.16/series index 9da9bd922e6..7f59255dc46 100644 --- a/queue-4.16/series +++ b/queue-4.16/series 
@@ -31,3 +31,16 @@ arm64-dts-marvell-armada-cp110-add-mg_core_clk-for-ethernet-node.patch
 i2c-designware-fix-poll-after-enable-regression.patch
 mtd-rawnand-marvell-fix-read-logic-for-layouts-with-nchunks-2.patch
 powerpc-powernv-fix-nvram-sleep-in-invalid-context-when-crashing.patch
+drm-match-sysfs-name-in-link-removal-to-link-creation.patch
+cpufreq-armada-37xx-driver-relies-on-cpufreq-dt.patch
+lib-test_bitmap.c-fix-bitmap-optimisation-tests-to-report-errors-correctly.patch
+radix-tree-fix-multi-order-iteration-race.patch
+mm-don-t-allow-deferred-pages-with-need_per_cpu_km.patch
+drm-i915-gen9-add-waclearhiz_wm_chicken3-for-bxt-and-glk.patch
+s390-lib-use-expoline-for-indirect-branches.patch
+s390-crc32-vx-use-expoline-for-indirect-branches.patch
+s390-qdio-fix-access-to-uninitialized-qdio_q-fields.patch
+s390-cpum_sf-ensure-sample-frequency-of-perf-event-attributes-is-non-zero.patch
+s390-qdio-don-t-release-memory-in-qdio_setup_irq.patch
+s390-kernel-use-expoline-for-indirect-branches.patch
+s390-remove-indirect-branch-from-do_softirq_own_stack.patch