From: Greg Kroah-Hartman Date: Mon, 18 Dec 2017 13:19:45 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.89~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fef8312de1df31ef362c43f034cd5715893bfcd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: afs-adjust-mode-bits-processing.patch afs-better-abort-and-net-error-handling.patch afs-deal-with-an-empty-callback-array.patch afs-fix-abort-on-signal-while-waiting-for-call-completion.patch afs-fix-afs_kill_pages.patch afs-fix-missing-put_page.patch afs-fix-page-leak-in-afs_write_begin.patch afs-fix-the-maths-in-afs_fs_store_data.patch afs-flush-outstanding-writes-when-an-fd-is-closed.patch afs-invalid-op-id-should-abort-with-rxgen_opcode.patch afs-migrate-vlocation-fields-to-64-bit.patch afs-populate-and-use-client-modification-time.patch afs-populate-group-id-from-vnode-status.patch afs-prevent-callback-expiry-timer-overflow.patch arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch ath9k-fix-tx99-potential-info-leak.patch badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch bcache-explicitly-destroy-mutex-while-exiting.patch bcache-fix-wrong-cache_misses-statistics.patch blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch 
clk-mediatek-add-the-option-for-determining-pll-source-clock.patch clk-tegra-fix-cclk_lp-divisor-register.patch crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch drm-amd-remove-broken-include-path.patch drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch drm-radeon-reinstate-oland-workaround-for-sclk.patch drm-radeon-si-add-dpm-quirk-for-oland.patch efi-esrt-cleanup-bad-memory-map-log-messages.patch fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch fjes-fix-wrong-netdevice-feature-flags.patch gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch hid-cp2112-fix-broken-gpio_direction_input-callback.patch ib-core-fix-calculation-of-maximum-roce-mtu.patch ib-hfi1-return-actual-operational-vls-in-port-info-query.patch ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch intel_th-pci-add-gemini-lake-support.patch iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch iommu-mediatek-fix-driver-name.patch irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch l2tp-cleanup-l2tp_tunnel_delete-calls.patch macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch md-cluster-free-md_cluster_info-if-node-leave-cluster.patch mlxsw-reg-fix-spvm-max-record-count.patch 
mlxsw-reg-fix-spvmlr-max-record-count.patch mm-handle-0-flags-in-_calc_vm_trans-macro.patch mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch net-initialize-msg.msg_flags-in-recvfrom.patch net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch net-mlx5-fix-create-autogroup-prev-initializer.patch net-mpls-fix-nexthop-alive-tracking-on-down-events.patch net-resend-igmp-memberships-upon-peer-notification.patch net-wimax-i2400m-fix-null-deref-at-probe.patch netfilter-bridge-honor-frag_max_size-when-refragmenting.patch netfilter-ipvs-fix-inappropriate-output-of-procfs.patch nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch nfsd-fix-nfsd_reset_versions-for-nfsv4.patch nfsv4.1-respect-server-s-max-size-in-create_session.patch nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch openrisc-fix-issue-handling-8-byte-get_user-calls.patch pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch pci-do-not-allocate-more-buses-than-available-in-parent.patch pci-pme-handle-invalid-data-when-reading-root-status.patch perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch pinctrl-adi2-fix-kconfig-build-problem.patch platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch 
platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch powerpc-ipic-fix-status-get-and-status-clear.patch powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch ppp-destroy-the-mutex-when-cleanup.patch qed-align-cids-according-to-dorq-requirement.patch qed-fix-interrupt-flags-on-rx-ll2.patch qed-fix-mapping-leak-on-ll2-rx-flow.patch raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch rdma-cma-avoid-triggering-undefined-behavior.patch rdma-cxgb4-declare-stag-as-__be32.patch revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch rtc-pcf8563-fix-output-clock-rate.patch rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch rxrpc-ignore-busy-packets-on-old-calls.patch rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch scsi-bfa-integer-overflow-in-debugfs.patch scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch scsi-hpsa-do-not-timeout-reset-operations.patch scsi-hpsa-limit-outstanding-rescans.patch scsi-hpsa-update-check-for-logical-volume-status.patch scsi-scsi_debug-write_same-fix-error-report.patch scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch sfc-don-t-warn-on-successful-change-of-mac.patch soc-mediatek-pwrap-fix-compiler-errors.patch 
target-file-do-not-return-error-for-unmap-if-length-is-zero.patch target-fix-alua-transition-timeout-handling.patch target-fix-condition-return-in-core_pr_dump_initiator_port.patch target-fix-race-during-implicit-transition-work-flushes.patch target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch target-use-system-workqueue-for-alua-transitions.patch thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch tty-don-t-panic-on-oom-in-tty_set_ldisc.patch tty-fix-data-race-in-tty_ldisc_ref_wait.patch tty-fix-oops-when-rmmod-8250.patch udf-avoid-overflow-when-session-starts-at-large-offset.patch usb-phy-isp1301-add-of-device-id-table.patch usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch video-udlfb-fix-read-edid-timeout.patch vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch writeback-fix-memory-leak-in-wb_queue_work.patch xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch --- diff --git a/queue-4.9/afs-adjust-mode-bits-processing.patch b/queue-4.9/afs-adjust-mode-bits-processing.patch new file mode 100644 index 00000000000..6fcc1fe0de3 --- /dev/null +++ b/queue-4.9/afs-adjust-mode-bits-processing.patch 
@@ -0,0 +1,53 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Marc Dionne +Date: Thu, 16 Mar 2017 16:27:44 +0000 +Subject: afs: Adjust mode bits processing + +From: Marc Dionne + + +[ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ] + +Mode bits for an afs file should not be enforced in the usual +way. + +For files, the absence of user bits can restrict file access +with respect to what is granted by the server. + +These bits apply regardless of the owner or the current uid; the +rest of the mode bits (group, other) are ignored. + +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/security.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/afs/security.c ++++ b/fs/afs/security.c +@@ -340,17 +340,22 @@ int afs_permission(struct inode *inode, + } else { + if (!(access & AFS_ACE_LOOKUP)) + goto permission_denied; ++ if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) ++ goto permission_denied; + if (mask & (MAY_EXEC | MAY_READ)) { + if (!(access & AFS_ACE_READ)) + goto permission_denied; ++ if (!(inode->i_mode & S_IRUSR)) ++ goto permission_denied; + } else if (mask & MAY_WRITE) { + if (!(access & AFS_ACE_WRITE)) + goto permission_denied; ++ if (!(inode->i_mode & S_IWUSR)) ++ goto permission_denied; + } + } + + key_put(key); +- ret = generic_permission(inode, mask); + _leave(" = %d", ret); + return ret; + diff --git a/queue-4.9/afs-better-abort-and-net-error-handling.patch b/queue-4.9/afs-better-abort-and-net-error-handling.patch new file mode 100644 index 00000000000..a6e0560862a --- /dev/null +++ b/queue-4.9/afs-better-abort-and-net-error-handling.patch 
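Review bot: In the non-directory branch of afs_permission(), the new S_IWUSR test sits under the existing `} else if (mask & MAY_WRITE) {`, so a request carrying both MAY_READ and MAY_WRITE is checked only against AFS_ACE_READ and S_IRUSR and never reaches the write checks. If read-write opens arrive here with both bits set, a file whose owner-write bit is clear, or whose ACL lacks write, would still pass. Making the write test independent, `if (mask & MAY_WRITE) {` after closing the read block, would close that gap. With `ret = generic_permission(inode, mask);` removed, the success path returns whatever `ret` held earlier in the function, which starts outside the hunk, so confirm it is 0 at that point.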
@@ -0,0 +1,116 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:47 +0000 +Subject: afs: Better abort and net error handling + +From: David Howells + + +[ Upstream commit 70af0e3bd65142f9e674961c975451638a7ce1d5 ] + +If we receive a network error, a remote abort or a protocol error whilst +we're still transmitting data, make sure we return an appropriate error to +the caller rather than ESHUTDOWN or ECONNABORTED. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/rxrpc.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -321,6 +321,8 @@ int afs_make_call(struct in_addr *addr, + struct rxrpc_call *rxcall; + struct msghdr msg; + struct kvec iov[1]; ++ size_t offset; ++ u32 abort_code; + int ret; + + _enter("%x,{%d},", addr->s_addr, ntohs(call->port)); +@@ -368,9 +370,11 @@ int afs_make_call(struct in_addr *addr, + msg.msg_controllen = 0; + msg.msg_flags = (call->send_pages ? MSG_MORE : 0); + +- /* have to change the state *before* sending the last packet as RxRPC +- * might give us the reply before it returns from sending the +- * request */ ++ /* We have to change the state *before* sending the last packet as ++ * rxrpc might give us the reply before it returns from sending the ++ * request. Further, if the send fails, we may already have been given ++ * a notification and may have collected it. 
++ */ + if (!call->send_pages) + call->state = AFS_CALL_AWAIT_REPLY; + ret = rxrpc_kernel_send_data(afs_socket, rxcall, +@@ -389,7 +393,17 @@ int afs_make_call(struct in_addr *addr, + return wait_mode->wait(call); + + error_do_abort: +- rxrpc_kernel_abort_call(afs_socket, rxcall, RX_USER_ABORT, -ret, "KSD"); ++ call->state = AFS_CALL_COMPLETE; ++ if (ret != -ECONNABORTED) { ++ rxrpc_kernel_abort_call(afs_socket, rxcall, RX_USER_ABORT, ++ -ret, "KSD"); ++ } else { ++ abort_code = 0; ++ offset = 0; ++ rxrpc_kernel_recv_data(afs_socket, rxcall, NULL, 0, &offset, ++ false, &abort_code); ++ ret = call->type->abort_to_error(abort_code); ++ } + error_kill_call: + afs_end_call(call); + _leave(" = %d", ret); +@@ -434,16 +448,18 @@ static void afs_deliver_to_call(struct a + case -EINPROGRESS: + case -EAGAIN: + goto out; ++ case -ECONNABORTED: ++ goto call_complete; + case -ENOTCONN: + abort_code = RX_CALL_DEAD; + rxrpc_kernel_abort_call(afs_socket, call->rxcall, + abort_code, -ret, "KNC"); +- goto do_abort; ++ goto save_error; + case -ENOTSUPP: + abort_code = RXGEN_OPCODE; + rxrpc_kernel_abort_call(afs_socket, call->rxcall, + abort_code, -ret, "KIV"); +- goto do_abort; ++ goto save_error; + case -ENODATA: + case -EBADMSG: + case -EMSGSIZE: +@@ -453,7 +469,7 @@ static void afs_deliver_to_call(struct a + abort_code = RXGEN_SS_UNMARSHAL; + rxrpc_kernel_abort_call(afs_socket, call->rxcall, + abort_code, EBADMSG, "KUM"); +- goto do_abort; ++ goto save_error; + } + } + +@@ -464,8 +480,9 @@ out: + _leave(""); + return; + +-do_abort: ++save_error: + call->error = ret; ++call_complete: + call->state = AFS_CALL_COMPLETE; + goto done; + } +@@ -513,6 +530,8 @@ static int afs_wait_for_call_to_complete + _debug("call incomplete"); + rxrpc_kernel_abort_call(afs_socket, call->rxcall, + RX_CALL_DEAD, -ret, abort_why); ++ } else if (call->error < 0) { ++ ret = call->error; + } + + _debug("call complete"); 
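Review bot: The -ECONNABORTED branch under `error_do_abort:` in afs_make_call() discards the return value of rxrpc_kernel_recv_data(). If that call fails without delivering an abort code, `abort_code` is still 0 and `ret` becomes whatever `call->type->abort_to_error(0)` yields, which masks the original send error. Checking the result and keeping the original `ret` on failure would avoid that. In afs_deliver_to_call() the new `case -ECONNABORTED: goto call_complete;` skips `call->error = ret`, so it relies on call->error having been set before the switch, which the hunk does not show; once confirmed, a comment such as `/* call->error already set from the abort code */` would make that dependency explicit. Both functions extend outside their hunks.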
diff --git a/queue-4.9/afs-deal-with-an-empty-callback-array.patch b/queue-4.9/afs-deal-with-an-empty-callback-array.patch
new file mode 100644
index 00000000000..117319470ea
--- /dev/null
+++ b/queue-4.9/afs-deal-with-an-empty-callback-array.patch
@@ -0,0 +1,83 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Marc Dionne +Date: Thu, 16 Mar 2017 16:27:44 +0000 +Subject: afs: Deal with an empty callback array + +From: Marc Dionne + + +[ Upstream commit bcd89270d93b7edebb5de5e5e7dca1a77a33496e ] + +Servers may send a callback array that is the same size as +the FID array, or an empty array. If the callback count is +0, the code would attempt to read (fid_count * 12) bytes of +data, which would fail and result in an unmarshalling error. +This would lead to stale data for remotely modified files +or directories. + +Store the callback array size in the internal afs_call +structure and use that to determine the amount of data to +read. + +Signed-off-by: Marc Dionne +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/cmservice.c | 11 +++++------ + fs/afs/internal.h | 5 ++++- + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -168,7 +168,6 @@ static int afs_deliver_cb_callback(struc + struct afs_callback *cb; + struct afs_server *server; + __be32 *bp; +- u32 tmp; + int ret, loop; + + _enter("{%u}", call->unmarshall); +@@ -230,9 +229,9 @@ static int afs_deliver_cb_callback(struc + if (ret < 0) + return ret; + +- tmp = ntohl(call->tmp); +- _debug("CB count: %u", tmp); +- if (tmp != call->count && tmp != 0) ++ call->count2 = ntohl(call->tmp); ++ _debug("CB count: %u", call->count2); ++ if (call->count2 != call->count && call->count2 != 0) + return -EBADMSG; + call->offset = 0; + call->unmarshall++; +@@ -240,14 +239,14 @@ static int afs_deliver_cb_callback(struc + case 4: + _debug("extract CB array"); + ret = afs_extract_data(call, call->buffer, +- call->count * 3 * 4, false); ++ call->count2 * 3 * 4, false); + if (ret < 0) + return ret; + + _debug("unmarshall CB array"); + cb = call->request; + bp = call->buffer; +- for (loop = call->count; loop > 0; loop--, cb++) { ++ for (loop = call->count2; loop > 0; loop--, cb++) { + cb->version 
= ntohl(*bp++); + cb->expiry = ntohl(*bp++); + cb->type = ntohl(*bp++); +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -105,7 +105,10 @@ struct afs_call { + unsigned request_size; /* size of request data */ + unsigned reply_max; /* maximum size of reply */ + unsigned first_offset; /* offset into mapping[first] */ +- unsigned last_to; /* amount of mapping[last] */ ++ union { ++ unsigned last_to; /* amount of mapping[last] */ ++ unsigned count2; /* count used in unmarshalling */ ++ }; + unsigned char unmarshall; /* unmarshalling phase */ + bool incoming; /* T if incoming call */ + bool send_pages; /* T if data from mapping should be sent */ diff --git a/queue-4.9/afs-fix-abort-on-signal-while-waiting-for-call-completion.patch b/queue-4.9/afs-fix-abort-on-signal-while-waiting-for-call-completion.patch new file mode 100644 index 00000000000..f13b33dcb0c --- /dev/null +++ b/queue-4.9/afs-fix-abort-on-signal-while-waiting-for-call-completion.patch 
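Review bot: When the peer sends a callback count of 0, the unmarshal loop in case 4 of afs_deliver_cb_callback() runs zero times, so none of the `cb->version`, `cb->expiry` or `cb->type` fields in call->request are written. The allocation of call->request is outside the hunk; confirm it is zero-filled, otherwise later consumers read uninitialised callback data for each FID. The new anonymous union in struct afs_call also makes `count2` share storage with `last_to`, so the field comment would be clearer as `/* count used in unmarshalling; aliases last_to */`, with a note on which call types use which member if that is the intended invariant.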
@@ -0,0 +1,80 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:49 +0000 +Subject: afs: Fix abort on signal while waiting for call completion + +From: David Howells + + +[ Upstream commit 954cd6dc02a65065aecb7150962c0870c5b0e322 ] + +Fix the way in which a call that's in progress and being waited for is +aborted in the case that EINTR is detected. We should be sending +RX_USER_ABORT rather than RX_CALL_DEAD as the abort code. + +Note that since the only two ways out of the loop are if the call completes +or if a signal happens, the kill-the-call clause after the loop has +finished can only happen in the case of EINTR. This means that we only +have one abort case to deal with, not two, and the "KWC" case can never +happen and so can be deleted. + +Note further that simply aborting the call isn't necessarily the best thing +here since at this point: the request has been entirely sent and it's +likely the server will do the operation anyway - whether we abort it or +not. In future, we should punt the handling of the remainder of the call +off to a background thread. 
+ +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/rxrpc.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -492,7 +492,6 @@ call_complete: + */ + static int afs_wait_for_call_to_complete(struct afs_call *call) + { +- const char *abort_why; + int ret; + + DECLARE_WAITQUEUE(myself, current); +@@ -511,13 +510,8 @@ static int afs_wait_for_call_to_complete + continue; + } + +- abort_why = "KWC"; +- ret = call->error; +- if (call->state == AFS_CALL_COMPLETE) +- break; +- abort_why = "KWI"; +- ret = -EINTR; +- if (signal_pending(current)) ++ if (call->state == AFS_CALL_COMPLETE || ++ signal_pending(current)) + break; + schedule(); + } +@@ -525,15 +519,14 @@ static int afs_wait_for_call_to_complete + remove_wait_queue(&call->waitq, &myself); + __set_current_state(TASK_RUNNING); + +- /* kill the call */ ++ /* Kill off the call if it's still live. */ + if (call->state < AFS_CALL_COMPLETE) { +- _debug("call incomplete"); ++ _debug("call interrupted"); + rxrpc_kernel_abort_call(afs_socket, call->rxcall, +- RX_CALL_DEAD, -ret, abort_why); +- } else if (call->error < 0) { +- ret = call->error; ++ RX_USER_ABORT, -EINTR, "KWI"); + } + ++ ret = call->error; + _debug("call complete"); + afs_end_call(call); + _leave(" = %d", ret); diff --git a/queue-4.9/afs-fix-afs_kill_pages.patch b/queue-4.9/afs-fix-afs_kill_pages.patch new file mode 100644 index 00000000000..919cbb5d6fd --- /dev/null +++ b/queue-4.9/afs-fix-afs_kill_pages.patch 
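Review bot: After the wait loop in afs_wait_for_call_to_complete(), the interrupted path aborts the call with -EINTR but then falls through to `ret = call->error;`, and nothing in the hunk sets call->error on that path. If call->error is still 0 when a signal ends the wait, the caller is told the operation succeeded even though it was aborted. Recording the interruption inside the `if (call->state < AFS_CALL_COMPLETE)` block, for example `call->error = -EINTR;` after the abort, would keep the return value consistent with what was done. Whether the abort notification sets call->error asynchronously is not visible here.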
@@ -0,0 +1,53 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:48 +0000 +Subject: afs: Fix afs_kill_pages() + +From: David Howells + + +[ Upstream commit 7286a35e893176169b09715096a4aca557e2ccd2 ] + +Fix afs_kill_pages() in two ways: + + (1) If a writeback has been partially flushed, then if we try and kill the + pages it contains, some of them may no longer be undergoing writeback + and end_page_writeback() will assert. + + Fix this by checking to see whether the page in question is actually + undergoing writeback before ending that writeback. + + (2) The loop that scans for pages to kill doesn't increase the first page + index, and so the loop may not terminate, but it will try to process + the same pages over and over again. + + Fix this by increasing the first page index to one after the last page + we processed. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/write.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -299,10 +299,14 @@ static void afs_kill_pages(struct afs_vn + ASSERTCMP(pv.nr, ==, count); + + for (loop = 0; loop < count; loop++) { +- ClearPageUptodate(pv.pages[loop]); ++ struct page *page = pv.pages[loop]; ++ ClearPageUptodate(page); + if (error) +- SetPageError(pv.pages[loop]); +- end_page_writeback(pv.pages[loop]); ++ SetPageError(page); ++ if (PageWriteback(page)) ++ end_page_writeback(page); ++ if (page->index >= first) ++ first = page->index + 1; + } + + __pagevec_release(&pv); diff --git a/queue-4.9/afs-fix-missing-put_page.patch b/queue-4.9/afs-fix-missing-put_page.patch new file mode 100644 index 00000000000..233bbb3a7b4 --- /dev/null +++ b/queue-4.9/afs-fix-missing-put_page.patch 
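Review bot: In the page loop of afs_kill_pages(), the new declaration `struct page *page = pv.pages[loop];` is followed directly by a statement; kernel style wants a blank line after declarations. The update `first = page->index + 1` is what lets the enclosing scan make progress, and a short comment such as `/* advance past the last page handled so the outer scan terminates */` would record that. The enclosing loop and its termination test are outside the hunk.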
@@ -0,0 +1,30 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:43 +0000 +Subject: afs: Fix missing put_page() + +From: David Howells + + +[ Upstream commit 29c8bbbd6e21daa0997d1c3ee886b897ee7ad652 ] + +In afs_writepages_region(), inside the loop where we find dirty pages to +deal with, one of the if-statements is missing a put_page(). + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/write.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -502,6 +502,7 @@ static int afs_writepages_region(struct + + if (PageWriteback(page) || !PageDirty(page)) { + unlock_page(page); ++ put_page(page); + continue; + } + diff --git a/queue-4.9/afs-fix-page-leak-in-afs_write_begin.patch b/queue-4.9/afs-fix-page-leak-in-afs_write_begin.patch new file mode 100644 index 00000000000..05760c22d84 --- /dev/null +++ b/queue-4.9/afs-fix-page-leak-in-afs_write_begin.patch 
@@ -0,0 +1,47 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:48 +0000 +Subject: afs: Fix page leak in afs_write_begin() + +From: David Howells + + +[ Upstream commit 6d06b0d25209c80e99c1e89700f1e09694a3766b ] + +afs_write_begin() leaks a ref and a lock on a page if afs_fill_page() +fails. Fix the leak by unlocking and releasing the page in the error path. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/write.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -148,12 +148,12 @@ int afs_write_begin(struct file *file, s + kfree(candidate); + return -ENOMEM; + } +- *pagep = page; +- /* page won't leak in error case: it eventually gets cleaned off LRU */ + + if (!PageUptodate(page) && len != PAGE_SIZE) { + ret = afs_fill_page(vnode, key, index << PAGE_SHIFT, page); + if (ret < 0) { ++ unlock_page(page); ++ put_page(page); + kfree(candidate); + _leave(" = %d [prep]", ret); + return ret; +@@ -161,6 +161,9 @@ int afs_write_begin(struct file *file, s + SetPageUptodate(page); + } + ++ /* page won't leak in error case: it eventually gets cleaned off LRU */ ++ *pagep = page; ++ + try_again: + spin_lock(&vnode->writeback_lock); + diff --git a/queue-4.9/afs-fix-the-maths-in-afs_fs_store_data.patch b/queue-4.9/afs-fix-the-maths-in-afs_fs_store_data.patch new file mode 100644 index 00000000000..c37ff0e840e --- /dev/null +++ b/queue-4.9/afs-fix-the-maths-in-afs_fs_store_data.patch 
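Review bot: The comment `/* page won't leak in error case: it eventually gets cleaned off LRU */` is kept and moved next to `*pagep = page;` in afs_write_begin(), yet this same change shows that the afs_fill_page() failure path did leak a reference and a lock and now needs an explicit `unlock_page(page); put_page(page);`. As it stands the comment contradicts the fix and may mislead a reader about the error returns after `try_again:`, which are outside the hunk. Either drop it or reword it to say who releases the page once `*pagep` has been set, for example `/* from here on the caller owns the locked page via *pagep */` if that is the contract.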
@@ -0,0 +1,38 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:47 +0000 +Subject: afs: Fix the maths in afs_fs_store_data() + +From: David Howells + + +[ Upstream commit 146a1192783697810b63a1e41c4d59fc93387340 ] + +afs_fs_store_data() works out of the size of the write it's going to make, +but it uses 32-bit unsigned subtraction in one place that gets +automatically cast to loff_t. + +However, if to < offset, then the number goes negative, but as the result +isn't signed, this doesn't get sign-extended to 64-bits when placed in a +loff_t. + +Fix by casting the operands to loff_t. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/fsclient.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/afs/fsclient.c ++++ b/fs/afs/fsclient.c +@@ -1178,7 +1178,7 @@ int afs_fs_store_data(struct afs_server + _enter(",%x,{%x:%u},,", + key_serial(wb->key), vnode->fid.vid, vnode->fid.vnode); + +- size = to - offset; ++ size = (loff_t)to - (loff_t)offset; + if (first != last) + size += (loff_t)(last - first) << PAGE_SHIFT; + pos = (loff_t)first << PAGE_SHIFT; diff --git a/queue-4.9/afs-flush-outstanding-writes-when-an-fd-is-closed.patch b/queue-4.9/afs-flush-outstanding-writes-when-an-fd-is-closed.patch new file mode 100644 index 00000000000..2b1aed5eebd --- /dev/null +++ b/queue-4.9/afs-flush-outstanding-writes-when-an-fd-is-closed.patch 
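Review bot: `size = (loff_t)to - (loff_t)offset;` in afs_fs_store_data() now deliberately allows a negative intermediate value when to < offset, but nothing visible checks that the final `size` is non-negative before it is used to build the request. A comment such as `/* may be negative here when the write spans pages; the page-count term below corrects it */` would document the intent. If to < offset with first == last is impossible by construction, an assertion on that would make the assumption checkable. The uses of `size` are outside the hunk.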
@@ -0,0 +1,66 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:45 +0000 +Subject: afs: Flush outstanding writes when an fd is closed + +From: David Howells + + +[ Upstream commit 58fed94dfb17e89556b5705f20f90e5b2971b6a1 ] + +Flush outstanding writes in afs when an fd is closed. This is what NFS and +CIFS do. + +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/file.c | 1 + + fs/afs/internal.h | 1 + + fs/afs/write.c | 14 ++++++++++++++ + 3 files changed, 16 insertions(+) + +--- a/fs/afs/file.c ++++ b/fs/afs/file.c +@@ -29,6 +29,7 @@ static int afs_readpages(struct file *fi + + const struct file_operations afs_file_operations = { + .open = afs_open, ++ .flush = afs_flush, + .release = afs_release, + .llseek = generic_file_llseek, + .read_iter = generic_file_read_iter, +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -752,6 +752,7 @@ extern int afs_writepages(struct address + extern void afs_pages_written_back(struct afs_vnode *, struct afs_call *); + extern ssize_t afs_file_write(struct kiocb *, struct iov_iter *); + extern int afs_writeback_all(struct afs_vnode *); ++extern int afs_flush(struct file *, fl_owner_t); + extern int afs_fsync(struct file *, loff_t, loff_t, int); + + +--- a/fs/afs/write.c ++++ b/fs/afs/write.c +@@ -736,6 +736,20 @@ out: + } + + /* ++ * Flush out all outstanding writes on a file opened for writing when it is ++ * closed. ++ */ ++int afs_flush(struct file *file, fl_owner_t id) ++{ ++ _enter(""); ++ ++ if ((file->f_mode & FMODE_WRITE) == 0) ++ return 0; ++ ++ return vfs_fsync(file, 0); ++} ++ ++/* + * notification that a previously read-only page is about to become writable + * - if it returns an error, the caller will deliver a bus error signal + */ 
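Review bot: afs_flush() in fs/afs/write.c calls `_enter("")` but returns without a matching `_leave()`, unlike the other traced functions touched in this series, which end with `_leave(" = %d", ret);`. Storing the result with `ret = vfs_fsync(file, 0);` and tracing it before returning would keep the trace balanced and record flush failures. Because the function is wired to `.flush`, its result is what close() reports; a sentence in the function comment saying so would help readers who do not expect close() to surface write-back errors.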
diff --git a/queue-4.9/afs-invalid-op-id-should-abort-with-rxgen_opcode.patch b/queue-4.9/afs-invalid-op-id-should-abort-with-rxgen_opcode.patch new file mode 100644 index 00000000000..0ed0b4ccbb4 --- /dev/null +++ b/queue-4.9/afs-invalid-op-id-should-abort-with-rxgen_opcode.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Howells +Date: Thu, 16 Mar 2017 16:27:47 +0000 +Subject: afs: Invalid op ID should abort with RXGEN_OPCODE + +From: David Howells + + +[ Upstream commit 1157f153f37a8586765034470e4f00a4a6c4ce6f ] + +When we are given an invalid operation ID, we should abort that with +RXGEN_OPCODE rather than RX_INVALID_OPERATION. + +Also map RXGEN_OPCODE to -ENOTSUPP. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/misc.c | 2 ++ + fs/afs/rxrpc.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/afs/misc.c ++++ b/fs/afs/misc.c +@@ -84,6 +84,8 @@ int afs_abort_to_error(u32 abort_code) + case RXKADDATALEN: return -EKEYREJECTED; + case RXKADILLEGALLEVEL: return -EKEYREJECTED; + ++ case RXGEN_OPCODE: return -ENOTSUPP; ++ + default: return -EREMOTEIO; + } + } +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -440,7 +440,7 @@ static void afs_deliver_to_call(struct a + abort_code, -ret, "KNC"); + goto do_abort; + case -ENOTSUPP: +- abort_code = RX_INVALID_OPERATION; ++ abort_code = RXGEN_OPCODE; + rxrpc_kernel_abort_call(afs_socket, call->rxcall, + abort_code, -ret, "KIV"); + goto do_abort; diff --git a/queue-4.9/afs-migrate-vlocation-fields-to-64-bit.patch b/queue-4.9/afs-migrate-vlocation-fields-to-64-bit.patch new file mode 100644 index 00000000000..2d8c5e72b98 --- /dev/null +++ b/queue-4.9/afs-migrate-vlocation-fields-to-64-bit.patch 
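Review bot: The new `case RXGEN_OPCODE: return -ENOTSUPP;` in afs_abort_to_error() returns a kernel-internal errno; ENOTSUPP has no userspace definition, so if this value can propagate out of a system call the caller sees an unknown error number. If the result of afs_abort_to_error() can reach userspace, `-EOPNOTSUPP` is the value to return. If -ENOTSUPP is needed internally because afs_deliver_to_call() switches on it, translate it at the boundary instead. Whether the value reaches userspace is not visible in the hunk.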
@@ -0,0 +1,177 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tina Ruchandani
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Migrate vlocation fields to 64-bit
+
+From: Tina Ruchandani
+
+
+[ Upstream commit 8a79790bf0b7da216627ffb85f52cfb4adbf1e4e ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs's vlocation record to use ktime_get_real_seconds() instead, for the
+fields time_of_death and update_at.
+
+Signed-off-by: Tina Ruchandani
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/callback.c | 7 ++++---
+ fs/afs/internal.h | 7 ++++---
+ fs/afs/server.c | 6 +++---
+ fs/afs/vlocation.c | 16 +++++++++-------
+ 4 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -362,7 +362,7 @@ static void afs_callback_updater(struct
+ {
+ struct afs_server *server;
+ struct afs_vnode *vnode, *xvnode;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+@@ -370,7 +370,7 @@ static void afs_callback_updater(struct
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find the first vnode to update */
+ spin_lock(&server->cb_lock);
+@@ -424,7 +424,8 @@ static void afs_callback_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vnode->update_at = get_seconds() + afs_vnode_update_timeout;
++ vnode->update_at = ktime_get_real_seconds() +
++ afs_vnode_update_timeout;
+
+ spin_lock(&server->cb_lock);
+
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -11,6 +11,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -245,7 +246,7 @@ struct afs_cache_vhash {
+ */
+ struct afs_vlocation {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct list_head link; /* link in cell volume location list */
+ struct list_head grave; /* link in master graveyard list */
+ struct list_head update; /* link in master update list */
+@@ -256,7 +257,7 @@ struct afs_vlocation {
+ struct afs_cache_vlocation vldb; /* volume information DB record */
+ struct afs_volume *vols[3]; /* volume access record pointer (index by type) */
+ wait_queue_head_t waitq; /* status change waitqueue */
+- time_t update_at; /* time at which record should be updated */
++ time64_t update_at; /* time at which record should be updated */
+ spinlock_t lock; /* access lock */
+ afs_vlocation_state_t state; /* volume location state */
+ unsigned short upd_rej_cnt; /* ENOMEDIUM count during update */
+@@ -269,7 +270,7 @@ struct afs_vlocation {
+ */
+ struct afs_server {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct in_addr addr; /* server address */
+ struct afs_cell *cell; /* cell in which server resides */
+ struct list_head link; /* link in cell's server list */
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -242,7 +242,7 @@ void afs_put_server(struct afs_server *s
+ spin_lock(&afs_server_graveyard_lock);
+ if (atomic_read(&server->usage) == 0) {
+ list_move_tail(&server->grave, &afs_server_graveyard);
+- server->time_of_death = get_seconds();
++ server->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_server_reaper,
+ afs_server_timeout * HZ);
+ }
+@@ -277,9 +277,9 @@ static void afs_reap_server(struct work_
+ LIST_HEAD(corpses);
+ struct afs_server *server;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_server_graveyard_lock);
+
+ while (!list_empty(&afs_server_graveyard)) {
+--- a/fs/afs/vlocation.c
++++ b/fs/afs/vlocation.c
+@@ -340,7 +340,8 @@ static void afs_vlocation_queue_for_upda
+ struct afs_vlocation *xvl;
+
+ /* wait at least 10 minutes before updating... */
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
+@@ -506,7 +507,7 @@ void afs_put_vlocation(struct afs_vlocat
+ if (atomic_read(&vl->usage) == 0) {
+ _debug("buried");
+ list_move_tail(&vl->grave, &afs_vlocation_graveyard);
+- vl->time_of_death = get_seconds();
++ vl->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_vlocation_reap,
+ afs_vlocation_timeout * HZ);
+
+@@ -543,11 +544,11 @@ static void afs_vlocation_reaper(struct
+ LIST_HEAD(corpses);
+ struct afs_vlocation *vl;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_vlocation_graveyard_lock);
+
+ while (!list_empty(&afs_vlocation_graveyard)) {
+@@ -622,13 +623,13 @@ static void afs_vlocation_updater(struct
+ {
+ struct afs_cache_vlocation vldb;
+ struct afs_vlocation *vl, *xvl;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find a record to update */
+ spin_lock(&afs_vlocation_updates_lock);
+@@ -684,7 +685,8 @@ static void afs_vlocation_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
diff --git a/queue-4.9/afs-populate-and-use-client-modification-time.patch b/queue-4.9/afs-populate-and-use-client-modification-time.patch
new file mode 100644
index 00000000000..87a894e2c04
--- /dev/null
+++ b/queue-4.9/afs-populate-and-use-client-modification-time.patch
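Review bot: In the reaper hunks of afs-migrate-vlocation-fields-to-64-bit.patch (afs_reap_server() in fs/afs/server.c and afs_vlocation_reaper() in fs/afs/vlocation.c), `now` becomes `time64_t` while the context line next to it, `unsigned long delay, expiry;`, is left unchanged. If `expiry` is derived from `time_of_death` (the computation lies outside these hunks), it is truncated to 32 bits on 32-bit kernels and its comparison with the 64-bit `now` goes wrong after 2038, which is the case the patch sets out to fix. Declaring `time64_t expiry;` and keeping only `delay` as `unsigned long` would close that gap. The same question applies to `long timeout;` in afs_callback_updater() and afs_vlocation_updater(), whose bodies also continue outside the hunks.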
@@ -0,0 +1,99 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Populate and use client modification time
+
+From: Marc Dionne
+
+
+[ Upstream commit ab94f5d0dd6fd82e7eeca5e7c8096eaea0a0261f ]
+
+The inode timestamps should be set from the client time
+in the status received from the server, rather than the
+server time which is meant for internal server use.
+
+Set AFS_SET_MTIME and populate the mtime for operations
+that take an input status, such as file/dir creation
+and StoreData. If an input time is not provided the
+server will set the vnode times based on the current server
+time.
+
+In a situation where the server has some skew with the
+client, this could lead to the client seeing a timestamp
+in the future for a file that it just created or wrote.
+
+Signed-off-by: Marc Dionne
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/fsclient.c | 18 +++++++++---------
+ fs/afs/inode.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -105,7 +105,7 @@ static void xdr_decode_AFSFetchStatus(co
+ vnode->vfs_inode.i_mode = mode;
+ }
+
+- vnode->vfs_inode.i_ctime.tv_sec = status->mtime_server;
++ vnode->vfs_inode.i_ctime.tv_sec = status->mtime_client;
+ vnode->vfs_inode.i_mtime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_atime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_version = data_version;
+@@ -676,8 +676,8 @@ int afs_fs_create(struct afs_server *ser
+ memset(bp, 0, padsz);
+ bp = (void *) bp + padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(mode & S_IALLUGO); /* unix mode */
+@@ -945,8 +945,8 @@ int afs_fs_symlink(struct afs_server *se
+ memset(bp, 0, c_padsz);
+ bp = (void *) bp + c_padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(S_IRWXUGO); /* unix mode */
+@@ -1145,8 +1145,8 @@ static int afs_fs_store_data64(struct af
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+@@ -1222,8 +1222,8 @@ int afs_fs_store_data(struct afs_server
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -72,7 +72,7 @@ static int afs_inode_map_status(struct a
+ inode->i_uid = vnode->status.owner;
+ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+- inode->i_ctime.tv_sec = vnode->status.mtime_server;
++ inode->i_ctime.tv_sec = vnode->status.mtime_client;
+ inode->i_ctime.tv_nsec = 0;
+ inode->i_atime = inode->i_mtime = inode->i_ctime;
+ inode->i_blocks = 0;
diff --git a/queue-4.9/afs-populate-group-id-from-vnode-status.patch b/queue-4.9/afs-populate-group-id-from-vnode-status.patch
new file mode 100644
index 00000000000..e63380f36de
--- /dev/null
+++ b/queue-4.9/afs-populate-group-id-from-vnode-status.patch
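Review bot: The four request-marshalling hunks in fs/afs/fsclient.c (afs_fs_create(), afs_fs_symlink(), afs_fs_store_data64() and afs_fs_store_data()) narrow the inode timestamp to the 32-bit wire field silently in `htonl(vnode->vfs_inode.i_mtime.tv_sec)`. On kernels where `tv_sec` is wider than 32 bits, the high bits are dropped without any marker in the code, and a neighbouring patch in this queue is about exactly this kind of time truncation. The trailing comment could carry that fact, for example `/* mtime: truncated to the 32-bit wire field */`. All four function bodies start and end outside their hunks.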
@@ -0,0 +1,32 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Marc Dionne
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Populate group ID from vnode status
+
+From: Marc Dionne
+
+
+[ Upstream commit 6186f0788b31f44affceeedc7b48eb10faea120d ]
+
+The group was hard coded to GLOBAL_ROOT_GID; use the group
+ID that was received from the server.
+
+Signed-off-by: Marc Dionne
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -70,7 +70,7 @@ static int afs_inode_map_status(struct a
+
+ set_nlink(inode, vnode->status.nlink);
+ inode->i_uid = vnode->status.owner;
+- inode->i_gid = GLOBAL_ROOT_GID;
++ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+ inode->i_ctime.tv_sec = vnode->status.mtime_server;
+ inode->i_ctime.tv_nsec = 0;
diff --git a/queue-4.9/afs-prevent-callback-expiry-timer-overflow.patch b/queue-4.9/afs-prevent-callback-expiry-timer-overflow.patch
new file mode 100644
index 00000000000..58b52f8d2ce
--- /dev/null
+++ b/queue-4.9/afs-prevent-callback-expiry-timer-overflow.patch
@@ -0,0 +1,76 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tina Ruchandani
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Prevent callback expiry timer overflow
+
+From: Tina Ruchandani
+
+
+[ Upstream commit 56e714312e7dbd6bb83b2f78d3ec19a404c7649f ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs_vnode record to use ktime_get_real_seconds() instead, for the
+fields cb_expires and cb_expires_at.
+
+Signed-off-by: Tina Ruchandani
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/fsclient.c | 2 +-
+ fs/afs/inode.c | 7 ++++---
+ fs/afs/internal.h | 4 ++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -139,7 +139,7 @@ static void xdr_decode_AFSCallBack(const
+ vnode->cb_version = ntohl(*bp++);
+ vnode->cb_expiry = ntohl(*bp++);
+ vnode->cb_type = ntohl(*bp++);
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry + ktime_get_real_seconds();
+ *_bp = bp;
+ }
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -245,12 +245,13 @@ struct inode *afs_iget(struct super_bloc
+ vnode->cb_version = 0;
+ vnode->cb_expiry = 0;
+ vnode->cb_type = 0;
+- vnode->cb_expires = get_seconds();
++ vnode->cb_expires = ktime_get_real_seconds();
+ } else {
+ vnode->cb_version = cb->version;
+ vnode->cb_expiry = cb->expiry;
+ vnode->cb_type = cb->type;
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry +
++ ktime_get_real_seconds();
+ }
+ }
+
+@@ -323,7 +324,7 @@ int afs_validate(struct afs_vnode *vnode
+ !test_bit(AFS_VNODE_CB_BROKEN, &vnode->flags) &&
+ !test_bit(AFS_VNODE_MODIFIED, &vnode->flags) &&
+ !test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags)) {
+- if (vnode->cb_expires < get_seconds() + 10) {
++ if (vnode->cb_expires < ktime_get_real_seconds() + 10) {
+ _debug("callback expired");
+ set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
+ } else {
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -373,8 +373,8 @@ struct afs_vnode {
+ struct rb_node server_rb; /* link in server->fs_vnodes */
+ struct rb_node cb_promise; /* link in server->cb_promises */
+ struct work_struct cb_broken_work; /* work to be done on callback break */
+- time_t cb_expires; /* time at which callback expires */
+- time_t cb_expires_at; /* time used to order cb_promise */
++ time64_t cb_expires; /* time at which callback expires */
++ time64_t cb_expires_at; /* time used to order cb_promise */
+ unsigned cb_version; /* callback version */
+ unsigned cb_expiry; /* callback expiry time */
+ afs_callback_type_t cb_type; /* type of callback */
diff --git a/queue-4.9/arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch b/queue-4.9/arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch
new file mode 100644
index 00000000000..dbfdcb117f9
--- /dev/null
+++ b/queue-4.9/arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Suzuki K Poulose
+Date: Fri, 3 Nov 2017 11:45:18 +0000
+Subject: arm-ccn: perf: Prevent module unload while PMU is in use
+
+From: Suzuki K Poulose
+
+
+[ Upstream commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 ]
+
+When the PMU driver is built as a module, the perf expects the
+pmu->module to be valid, so that the driver is prevented from
+being unloaded while it is in use. Fix the CCN pmu driver to
+fill in this field.
+
+Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver")
+Cc: Pawel Moll
+Cc: Will Deacon
+Acked-by: Mark Rutland
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/arm-ccn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1280,6 +1280,7 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ /* Perf driver registration */
+ ccn->dt.pmu = (struct pmu) {
++ .module = THIS_MODULE,
+ .attr_groups = arm_ccn_pmu_attr_groups,
+ .task_ctx_nr = perf_invalid_context,
+ .event_init = arm_ccn_pmu_event_init,
diff --git a/queue-4.9/arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch b/queue-4.9/arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch
new file mode 100644
index 00000000000..5f72b4bef65
--- /dev/null
+++ b/queue-4.9/arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch
@@ -0,0 +1,126 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Nick Desaulniers
+Date: Fri, 27 Oct 2017 09:33:41 -0700
+Subject: arm64: prevent regressions in compressed kernel image size when upgrading to binutils 2.27
+
+From: Nick Desaulniers
+
+
+[ Upstream commit fd9dde6abcb9bfe6c6bee48834e157999f113971 ]
+
+Upon upgrading to binutils 2.27, we found that our lz4 and gzip
+compressed kernel images were significantly larger, resulting is 10ms
+boot time regressions.
+
+As noted by Rahul:
+"aarch64 binaries uses RELA relocations, where each relocation entry
+includes an addend value. This is similar to x86_64. On x86_64, the
+addend values are also stored at the relocation offset for relative
+relocations. This is an optimization: in the case where code does not
+need to be relocated, the loader can simply skip processing relative
+relocations. In binutils-2.25, both bfd and gold linkers did this for
+x86_64, but only the gold linker did this for aarch64. The kernel build
+here is using the bfd linker, which stored zeroes at the relocation
+offsets for relative relocations. Since a set of zeroes compresses
+better than a set of non-zero addend values, this behavior was resulting
+in much better lz4 compression.
+
+The bfd linker in binutils-2.27 is now storing the actual addend values
+at the relocation offsets. The behavior is now consistent with what it
+does for x86_64 and what gold linker does for both architectures. The
+change happened in this upstream commit:
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=1f56df9d0d5ad89806c24e71f296576d82344613
+Since a bunch of zeroes got replaced by non-zero addend values, we see
+the side effect of lz4 compressed image being a bit bigger.
+
+To get the old behavior from the bfd linker, "--no-apply-dynamic-relocs"
+flag can be used:
+$ LDFLAGS="--no-apply-dynamic-relocs" make
+With this flag, the compressed image size is back to what it was with
+binutils-2.25.
+
+If the kernel is using ASLR, there aren't additional runtime costs to
+--no-apply-dynamic-relocs, as the relocations will need to be applied
+again anyway after the kernel is relocated to a random address.
+
+If the kernel is not using ASLR, then presumably the current default
+behavior of the linker is better. Since the static linker performed the
+dynamic relocs, and the kernel is not moved to a different address at
+load time, it can skip applying the relocations all over again."
+
+Some measurements:
+
+$ ld -v
+GNU ld (binutils-2.25-f3d35cf6) 2.25.51.20141117
+ ^
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300652760 Oct 26 11:57 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 16932627 Oct 26 11:57 Image.lz4-dtb
+
+$ ld -v
+GNU ld (binutils-2.27-53dd00a1) 2.27.0.20170315
+ ^
+pre patch:
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 11:43 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 18159474 Oct 26 11:43 Image.lz4-dtb
+
+post patch:
+$ ls -l vmlinux
+-rwxr-x--- 1 ndesaulniers eng 300376208 Oct 26 12:06 vmlinux
+$ ls -l Image.lz4-dtb
+-rw-r----- 1 ndesaulniers eng 16932466 Oct 26 12:06 Image.lz4-dtb
+
+By Siqi's measurement w/ gzip:
+binutils 2.27 with this patch (with --no-apply-dynamic-relocs):
+Image 41535488
+Image.gz 13404067
+
+binutils 2.27 without this patch (without --no-apply-dynamic-relocs):
+Image 41535488
+Image.gz 14125516
+
+Any compression scheme should be able to get better results from the
+longer runs of zeros, not just GZIP and LZ4.
+
+10ms boot time savings isn't anything to get excited about, but users of
+arm64+compression+bfd-2.27 should not have to pay a penalty for no
+runtime improvement.
+
+Reported-by: Gopinath Elanchezhian
+Reported-by: Sindhuri Pentyala
+Reported-by: Wei Wang
+Suggested-by: Ard Biesheuvel
+Suggested-by: Rahul Chaudhry
+Suggested-by: Siqi Lin
+Suggested-by: Stephen Hines
+Signed-off-by: Nick Desaulniers
+Reviewed-by: Ard Biesheuvel
+[will: added comment to Makefile]
+Signed-off-by: Will Deacon
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/Makefile | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -14,8 +14,12 @@ LDFLAGS_vmlinux :=-p --no-undefined -X
+ CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
+ GZFLAGS :=-9
+
+-ifneq ($(CONFIG_RELOCATABLE),)
+-LDFLAGS_vmlinux += -pie -shared -Bsymbolic
++ifeq ($(CONFIG_RELOCATABLE), y)
++# Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
++# for relative relocs, since this leads to better Image compression
++# with the relocation offsets always being zero.
++LDFLAGS_vmlinux += -pie -shared -Bsymbolic \
++ $(call ld-option, --no-apply-dynamic-relocs)
+ endif
+
+ ifeq ($(CONFIG_ARM64_ERRATUM_843419),y)
diff --git a/queue-4.9/asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch b/queue-4.9/asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch
new file mode 100644
index 00000000000..c14afb89349
--- /dev/null
+++ b/queue-4.9/asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch
@@ -0,0 +1,69 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Pankaj Bharadiya
+Date: Tue, 7 Nov 2017 16:16:19 +0530
+Subject: ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case
+
+From: Pankaj Bharadiya
+
+
+[ Upstream commit f8e066521192c7debe59127d90abbe2773577e25 ]
+
+In the loop that adds the uuid_module to the uuid_list list, allocated
+memory is not properly freed in the error path free uuid_list whenever
+any of the memory allocation in the loop fails to avoid memory leak.
+
+Signed-off-by: Pankaj Bharadiya
+Signed-off-by: Guneshwor Singh
+Acked-By: Vinod Koul
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/intel/skylake/skl-sst-utils.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/intel/skylake/skl-sst-utils.c
++++ b/sound/soc/intel/skylake/skl-sst-utils.c
+@@ -295,6 +295,7 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ struct uuid_module *module;
+ struct firmware stripped_fw;
+ unsigned int safe_file;
++ int ret = 0;
+
+ /* Get the FW pointer to derive ADSP header */
+ stripped_fw.data = fw->data;
+@@ -343,8 +344,10 @@ int snd_skl_parse_uuids(struct sst_dsp *
+
+ for (i = 0; i < num_entry; i++, mod_entry++) {
+ module = kzalloc(sizeof(*module), GFP_KERNEL);
+- if (!module)
+- return -ENOMEM;
++ if (!module) {
++ ret = -ENOMEM;
++ goto free_uuid_list;
++ }
+
+ uuid_bin = (uuid_le *)mod_entry->uuid.id;
+ memcpy(&module->uuid, uuid_bin, sizeof(module->uuid));
+@@ -355,8 +358,8 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ size = sizeof(int) * mod_entry->instance_max_count;
+ module->instance_id = devm_kzalloc(ctx->dev, size, GFP_KERNEL);
+ if (!module->instance_id) {
+- kfree(module);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto free_uuid_list;
+ }
+
+ list_add_tail(&module->list, &skl->uuid_list);
+@@ -367,6 +370,10 @@ int snd_skl_parse_uuids(struct sst_dsp *
+ }
+
+ return 0;
++
++free_uuid_list:
++ skl_freeup_uuid_list(skl);
++ return ret;
+ }
+
+ void skl_freeup_uuid_list(struct skl_sst *ctx)
diff --git a/queue-4.9/asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch b/queue-4.9/asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch
new file mode 100644
index 00000000000..933056e483b
--- /dev/null
+++ b/queue-4.9/asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch
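Review bot: In the third hunk of snd_skl_parse_uuids() (sound/soc/intel/skylake/skl-sst-utils.c), the failure branch for `module->instance_id` now jumps to `free_uuid_list` without the `kfree(module)` it replaces, and at that point `module` has not yet been linked in by the `list_add_tail()` that follows. skl_freeup_uuid_list() is defined outside the hunk, but if it only walks `skl->uuid_list` it cannot reach this allocation, so the current `module` would leak on exactly the path the patch is meant to fix. Keeping the free in that branch avoids it: `kfree(module); ret = -ENOMEM; goto free_uuid_list;`. The function body starts and ends outside the hunks shown.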
@@ -0,0 +1,60 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Kuninori Morimoto
+Date: Tue, 14 Mar 2017 09:34:49 +0900
+Subject: ASoC: rcar: clear DE bit only in PDMACHCR when it stops
+
+From: Kuninori Morimoto
+
+
+[ Upstream commit 62a10498afb27370ec6018e9d802b74850fd8d9a ]
+
+R-Car datasheet indicates "Clear DE in PDMACHCR" for transfer stop,
+but current code clears all bits in PDMACHCR.
+Because of this, DE bit might never been cleared,
+and it causes CMD overflow. This patch fixes this issue.
+
+Signed-off-by: Kuninori Morimoto
+Tested-by: Hiroyuki Yokoyama
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sh/rcar/dma.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/sh/rcar/dma.c
++++ b/sound/soc/sh/rcar/dma.c
+@@ -361,6 +361,20 @@ static u32 rsnd_dmapp_read(struct rsnd_d
+ return ioread32(rsnd_dmapp_addr(dmac, dma, reg));
+ }
+
++static void rsnd_dmapp_bset(struct rsnd_dma *dma, u32 data, u32 mask, u32 reg)
++{
++ struct rsnd_mod *mod = rsnd_mod_get(dma);
++ struct rsnd_priv *priv = rsnd_mod_to_priv(mod);
++ struct rsnd_dma_ctrl *dmac = rsnd_priv_to_dmac(priv);
++ volatile void __iomem *addr = rsnd_dmapp_addr(dmac, dma, reg);
++ u32 val = ioread32(addr);
++
++ val &= ~mask;
++ val |= (data & mask);
++
++ iowrite32(val, addr);
++}
++
+ static int rsnd_dmapp_stop(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+@@ -368,10 +382,10 @@ static int rsnd_dmapp_stop(struct rsnd_m
+ struct rsnd_dma *dma = rsnd_mod_to_dma(mod);
+ int i;
+
+- rsnd_dmapp_write(dma, 0, PDMACHCR);
++ rsnd_dmapp_bset(dma, 0, PDMACHCR_DE, PDMACHCR);
+
+ for (i = 0; i < 1024; i++) {
+- if (0 == rsnd_dmapp_read(dma, PDMACHCR))
++ if (0 == (rsnd_dmapp_read(dma, PDMACHCR) & PDMACHCR_DE))
+ return 0;
+ udelay(1);
+ }
diff --git a/queue-4.9/asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch b/queue-4.9/asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch
new file mode 100644
index 00000000000..e1b4e92f25e
--- /dev/null
+++ b/queue-4.9/asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch
@@ -0,0 +1,88 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Hiroyuki Yokoyama
+Date: Wed, 1 Mar 2017 03:51:00 +0000
+Subject: ASoC: rsnd: fix sound route path when using SRC6/SRC9
+
+From: Hiroyuki Yokoyama
+
+
+[ Upstream commit a1c2ff53726907aff5feb37e4cfd45c1ff626431 ]
+
+This patch fixes the problem that the missing value of the route path
+setting table and incorrect values are set in the CMD_ROUTE_SELECT
+register.
+
+Signed-off-by: Hiroyuki Yokoyama
+[Kuninori: shared data on MIX and non-MIX case]
+Signed-off-by: Kuninori Morimoto
+Signed-off-by: Mark Brown
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sh/rcar/cmd.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/sound/soc/sh/rcar/cmd.c
++++ b/sound/soc/sh/rcar/cmd.c
+@@ -31,23 +31,24 @@ static int rsnd_cmd_init(struct rsnd_mod
+ struct rsnd_mod *mix = rsnd_io_to_mod_mix(io);
+ struct device *dev = rsnd_priv_to_dev(priv);
+ u32 data;
++ u32 path[] = {
++ [1] = 1 << 0,
++ [5] = 1 << 8,
++ [6] = 1 << 12,
++ [9] = 1 << 15,
++ };
+
+ if (!mix && !dvc)
+ return 0;
+
++ if (ARRAY_SIZE(path) < rsnd_mod_id(mod) + 1)
++ return -ENXIO;
++
+ if (mix) {
+ struct rsnd_dai *rdai;
+ struct rsnd_mod *src;
+ struct rsnd_dai_stream *tio;
+ int i;
+- u32 path[] = {
+- [0] = 0,
+- [1] = 1 << 0,
+- [2] = 0,
+- [3] = 0,
+- [4] = 0,
+- [5] = 1 << 8
+- };
+
+ /*
+ * it is assuming that integrater is well understanding about
+@@ -70,16 +71,19 @@ static int rsnd_cmd_init(struct rsnd_mod
+ } else {
+ struct rsnd_mod *src = rsnd_io_to_mod_src(io);
+
+- u32 path[] = {
+- [0] = 0x30000,
+- [1] = 0x30001,
+- [2] = 0x40000,
+- [3] = 0x10000,
+- [4] = 0x20000,
+- [5] = 0x40100
++ u8 cmd_case[] = {
++ [0] = 0x3,
++ [1] = 0x3,
++ [2] = 0x4,
++ [3] = 0x1,
++ [4] = 0x2,
++ [5] = 0x4,
++ [6] = 0x1,
++ [9] = 0x2,
+ };
+
+- data = path[rsnd_mod_id(src)];
++ data = path[rsnd_mod_id(src)] |
++ cmd_case[rsnd_mod_id(src)] << 16;
+ }
+
+ dev_dbg(dev, "ctu/mix path = 0x%08x", data);
diff --git a/queue-4.9/asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch b/queue-4.9/asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch
new file mode 100644
index 00000000000..498f9504154
--- /dev/null
+++ b/queue-4.9/asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch
@@ -0,0 +1,43 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Kuninori Morimoto
+Date: Wed, 1 Nov 2017 07:16:58 +0000
+Subject: ASoC: rsnd: rsnd_ssi_run_mods() needs to care ssi_parent_mod
+
+From: Kuninori Morimoto
+
+
+[ Upstream commit 21781e87881f9c420871b1d1f3f29d4cd7bffb10 ]
+
+SSI parent mod might be NULL. ssi_parent_mod() needs to care
+about it. Otherwise, it uses negative shift.
+This patch fixes it.
+
+Signed-off-by: Kuninori Morimoto
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sh/rcar/ssi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -172,10 +172,15 @@ static u32 rsnd_ssi_run_mods(struct rsnd
+ {
+ struct rsnd_mod *ssi_mod = rsnd_io_to_mod_ssi(io);
+ struct rsnd_mod *ssi_parent_mod = rsnd_io_to_mod_ssip(io);
++ u32 mods;
+
+- return rsnd_ssi_multi_slaves_runtime(io) |
+- 1 << rsnd_mod_id(ssi_mod) |
+- 1 << rsnd_mod_id(ssi_parent_mod);
++ mods = rsnd_ssi_multi_slaves_runtime(io) |
++ 1 << rsnd_mod_id(ssi_mod);
++
++ if (ssi_parent_mod)
++ mods |= 1 << rsnd_mod_id(ssi_parent_mod);
++
++ return mods;
+ }
+
+ u32 rsnd_ssi_multi_slaves_runtime(struct rsnd_dai_stream *io)
diff --git a/queue-4.9/ath9k-fix-tx99-potential-info-leak.patch b/queue-4.9/ath9k-fix-tx99-potential-info-leak.patch
new file mode 100644
index 00000000000..0ae29f90e3c
--- /dev/null
+++ b/queue-4.9/ath9k-fix-tx99-potential-info-leak.patch
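Review bot: In rsnd_cmd_init() (sound/soc/sh/rcar/cmd.c, asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch), the new bounds check `ARRAY_SIZE(path) < rsnd_mod_id(mod) + 1` tests the id of `mod`, while the lookups in the second hunk index with the id of `src`: `path[rsnd_mod_id(src)]` and `cmd_case[rsnd_mod_id(src)]`. Unless the two ids are guaranteed to be equal, the guard does not bound the index that is actually used, and a `src` id above 9 would read past the end of both ten-entry arrays. Checking the indexed value just before the lookup, for example `if (rsnd_mod_id(src) >= ARRAY_SIZE(path)) return -ENXIO;`, would make the guard effective; the lookup in the `mix` branch lies outside the hunk and deserves the same check. Declaring both tables `static const` would also avoid rebuilding them on the stack at every call.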
@@ -0,0 +1,46 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Miaoqing Pan
+Date: Wed, 27 Sep 2017 09:13:34 +0800
+Subject: ath9k: fix tx99 potential info leak
+
+From: Miaoqing Pan
+
+
+[ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ]
+
+When the user sets count to zero the string buffer would remain
+completely uninitialized which causes the kernel to parse its
+own stack data, potentially leading to an info leak. In addition
+to that, the string might be not terminated properly when the
+user data does not contain a 0-terminator.
+
+Signed-off-by: Miaoqing Pan
+Reviewed-by: Christoph Böhmwalder
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath9k/tx99.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -179,6 +179,9 @@ static ssize_t write_file_tx99(struct fi
+ ssize_t len;
+ int r;
+
++ if (count < 1)
++ return -EINVAL;
++
+ if (sc->cur_chan->nvifs > 1)
+ return -EOPNOTSUPP;
+
+@@ -186,6 +189,8 @@ static ssize_t write_file_tx99(struct fi
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
++ buf[len] = '\0';
++
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
diff --git a/queue-4.9/badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch b/queue-4.9/badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch
new file mode 100644
index 00000000000..27136e30e8e
--- /dev/null
+++ b/queue-4.9/badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch
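Review bot: The added `buf[len] = '\0';` in write_file_tx99() (drivers/net/wireless/ath/ath9k/tx99.c) is in bounds only if `len` has been clamped to at most one less than the size of `buf`, and the assignment to `len` falls between the two hunks, so it cannot be confirmed from here. If that line is not already of the form `len = min(count, sizeof(buf) - 1);`, the terminator write is itself a one-byte overflow driven by the user-supplied `count`. A short comment on the clamp saying that it reserves the last byte for the terminator would keep the two lines tied together for later edits. The declaration of `buf` and the rest of the function are outside the hunks.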
@@ -0,0 +1,38 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Liu Bo
+Date: Fri, 3 Nov 2017 11:24:44 -0600
+Subject: badblocks: fix wrong return value in badblocks_set if badblocks are disabled
+
+From: Liu Bo
+
+
+[ Upstream commit 39b4954c0a1556f8f7f1fdcf59a227117fcd8a0b ]
+
+MD's rdev_set_badblocks() expects that badblocks_set() returns 1 if
+badblocks are disabled, otherwise, rdev_set_badblocks() will record
+superblock changes and return success in that case and md will fail to
+report an IO error which it should.
+
+This bug has existed since badblocks were introduced in commit
+9e0e252a048b ("badblocks: Add core badblock management code").
+
+Signed-off-by: Liu Bo
+Acked-by: Guoqing Jiang
+Signed-off-by: Shaohua Li
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/badblocks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/badblocks.c
++++ b/block/badblocks.c
+@@ -178,7 +178,7 @@ int badblocks_set(struct badblocks *bb,
+
+ if (bb->shift < 0)
+ /* badblocks are disabled */
+- return 0;
++ return 1;
+
+ if (bb->shift) {
+ /* round the start down, and the end up */
diff --git a/queue-4.9/bcache-explicitly-destroy-mutex-while-exiting.patch b/queue-4.9/bcache-explicitly-destroy-mutex-while-exiting.patch
new file mode 100644
index 00000000000..03036ea231e
--- /dev/null
+++ b/queue-4.9/bcache-explicitly-destroy-mutex-while-exiting.patch
@@ -0,0 +1,59 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Liang Chen
+Date: Mon, 30 Oct 2017 14:46:35 -0700
+Subject: bcache: explicitly destroy mutex while exiting
+
+From: Liang Chen
+
+
+[ Upstream commit 330a4db89d39a6b43f36da16824eaa7a7509d34d ]
+
+mutex_destroy does nothing most of time, but it's better to call
+it to make the code future proof and it also has some meaning
+for like mutex debug.
+
+As Coly pointed out in a previous review, bcache_exit() may not be
+able to handle all the references properly if userspace registers
+cache and backing devices right before bch_debug_init runs and
+bch_debug_init failes later. So not exposing userspace interface
+until everything is ready to avoid that issue.
+
+Signed-off-by: Liang Chen
+Reviewed-by: Michael Lyle
+Reviewed-by: Coly Li
+Reviewed-by: Eric Wheeler
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -2091,6 +2091,7 @@ static void bcache_exit(void)
+ if (bcache_major)
+ unregister_blkdev(bcache_major, "bcache");
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ }
+
+ static int __init bcache_init(void)
+@@ -2109,14 +2110,15 @@ static int __init bcache_init(void)
+ bcache_major = register_blkdev(0, "bcache");
+ if (bcache_major < 0) {
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ return bcache_major;
+ }
+
+ if (!(bcache_wq = alloc_workqueue("bcache", WQ_MEM_RECLAIM, 0)) ||
+ !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
+- sysfs_create_files(bcache_kobj, files) ||
+ bch_request_init() ||
+- bch_debug_init(bcache_kobj))
++ bch_debug_init(bcache_kobj) ||
++ sysfs_create_files(bcache_kobj, files))
+ goto err;
+
+ return 0;
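Review bot: Moving `sysfs_create_files(bcache_kobj, files)` to the end of the `||` chain in bcache_init() is what keeps the userspace interface hidden until initialisation has finished, but nothing in the code says the order matters. A later edit that appends another initialiser after it would silently reopen the window the commit message describes. A comment above the condition would pin it down: `/* sysfs_create_files() must stay last: it exposes the interface to userspace */`. The `err` label is outside the hunk, so it cannot be confirmed here that the failure path also reaches the new mutex_destroy().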
diff --git a/queue-4.9/bcache-fix-wrong-cache_misses-statistics.patch b/queue-4.9/bcache-fix-wrong-cache_misses-statistics.patch
new file mode 100644
index 00000000000..75d1da82664
--- /dev/null
+++ b/queue-4.9/bcache-fix-wrong-cache_misses-statistics.patch
@@ -0,0 +1,65 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: "tang.junhui" +Date: Mon, 30 Oct 2017 14:46:34 -0700 +Subject: bcache: fix wrong cache_misses statistics + +From: "tang.junhui" + + +[ Upstream commit c157313791a999646901b3e3c6888514ebc36d62 ] + +Currently, Cache missed IOs are identified by s->cache_miss, but actually, +there are many situations that missed IOs are not assigned a value for +s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO +(s->iop.bypass = 1), or the cache_bio allocate failed. In these situations, +it will go to out_put or out_submit, and s->cache_miss is null, which leads +bch_mark_cache_accounting() to treat this IO as a hit IO. + +[ML: applied by 3-way merge] + +Signed-off-by: tang.junhui +Reviewed-by: Michael Lyle +Reviewed-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/request.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -468,6 +468,7 @@ struct search { + unsigned recoverable:1; + unsigned write:1; + unsigned read_dirty_data:1; ++ unsigned cache_missed:1; + + unsigned long start_time; + +@@ -653,6 +654,7 @@ static inline struct search *search_allo + + s->orig_bio = bio; + s->cache_miss = NULL; ++ s->cache_missed = 0; + s->d = d; + s->recoverable = 1; + s->write = op_is_write(bio_op(bio)); +@@ -771,7 +773,7 @@ static void cached_dev_read_done_bh(stru + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + + bch_mark_cache_accounting(s->iop.c, s->d, +- !s->cache_miss, s->iop.bypass); ++ !s->cache_missed, s->iop.bypass); + trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass); + + if (s->iop.error) +@@ -790,6 +792,8 @@ static int cached_dev_cache_miss(struct + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + struct bio *miss, *cache_bio; + ++ s->cache_missed = 1; ++ + if (s->cache_miss || 
s->iop.bypass) { + miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split); + ret = miss == bio ? MAP_DONE : MAP_CONTINUE; diff --git a/queue-4.9/blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch b/queue-4.9/blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch new file mode 100644 index 00000000000..2f31749de0f --- /dev/null +++ b/queue-4.9/blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Sagi Grimberg +Date: Mon, 13 Mar 2017 16:10:11 +0200 +Subject: blk-mq: Fix tagset reinit in the presence of cpu hot-unplug + +From: Sagi Grimberg + + +[ Upstream commit 0067d4b020ea07a58540acb2c5fcd3364bf326e0 ] + +In case cpu was unplugged, we need to make sure not to assume +that the tags for that cpu are still allocated. so check +for null tags when reinitializing a tagset. + +Reported-by: Yi Zhang +Signed-off-by: Sagi Grimberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq-tag.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -311,6 +311,9 @@ int blk_mq_reinit_tagset(struct blk_mq_t + for (i = 0; i < set->nr_hw_queues; i++) { + struct blk_mq_tags *tags = set->tags[i]; + ++ if (!tags) ++ continue; ++ + for (j = 0; j < tags->nr_tags; j++) { + if (!tags->rqs[j]) + continue; diff --git a/queue-4.9/bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch b/queue-4.9/bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch new file mode 100644 index 00000000000..ec0c88dd432 --- /dev/null +++ b/queue-4.9/bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch 
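Review bot: In cached_dev_read_done_bh() the accounting call now passes `!s->cache_missed`, but the `trace_bcache_read()` call on the next line still passes `!s->cache_miss`, so for the bypassed and allocation-failure reads named in the commit message the tracepoint would keep reporting a hit while the statistics report a miss. If that difference is not intended, the trace call should use the same flag: `trace_bcache_read(s->orig_bio, !s->cache_missed, s->iop.bypass);`. The new one-bit field also has no comment separating it from the near-identically named `cache_miss` bio pointer; `/* set whenever cached_dev_cache_miss() ran, even if no cache_miss bio exists */` next to the declaration would help.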
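Review bot: The new `if (!tags) continue;` in blk_mq_reinit_tagset() carries no comment saying when `set->tags[i]` can be NULL, which leaves the next reader guessing whether the skip hides a bug. The commit message gives the reason, so it belongs beside the check: `/* tags of a hw queue may be unallocated after CPU hot-unplug */`. The loop body continues past the end of the hunk, so what else it does with `tags` is not visible here.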
@@ -0,0 +1,38 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Michael Chan
+Date: Wed, 8 Mar 2017 18:44:35 -0500
+Subject: bnxt_en: Ignore 0 value in autoneg supported speed from firmware.
+
+From: Michael Chan
+
+
+[ Upstream commit 520ad89a54edea84496695d528f73ddcf4a52ea4 ]
+
+In some situations, the firmware will return 0 for autoneg supported
+speed. This may happen if the firmware detects no SFP module, for
+example. The driver should ignore this so that we don't end up with
+an invalid autoneg setting with nothing advertised. When SFP module
+is inserted, we'll get the updated settings from firmware at that time.
+
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5132,8 +5132,9 @@ static int bnxt_hwrm_phy_qcaps(struct bn
+ bp->lpi_tmr_hi = le32_to_cpu(resp->valid_tx_lpi_timer_high) &
+ PORT_PHY_QCAPS_RESP_TX_LPI_TIMER_HIGH_MASK;
+ }
+- link_info->support_auto_speeds =
+- le16_to_cpu(resp->supported_speeds_auto_mode);
++ if (resp->supported_speeds_auto_mode)
++ link_info->support_auto_speeds =
++ le16_to_cpu(resp->supported_speeds_auto_mode);
+
+ hwrm_phy_qcaps_exit:
+ mutex_unlock(&bp->hwrm_cmd_lock);
diff --git a/queue-4.9/btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch b/queue-4.9/btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch
new file mode 100644
index 00000000000..15313d728ca
--- /dev/null
+++ b/queue-4.9/btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch
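Review bot: With the new `if (resp->supported_speeds_auto_mode)` guard in bnxt_hwrm_phy_qcaps(), a zero reply leaves `link_info->support_auto_speeds` holding whatever it had before, which could be a value learned from an earlier query or the structure's initial contents; neither is visible in this hunk. That retained value is then the driver's view of what may be advertised, so the intent deserves a comment at the check: `/* 0 means firmware has no data (e.g. no SFP module); keep the last known speeds */`. The function begins outside the hunk, so how the field is first initialised should be confirmed against the full file.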
@@ -0,0 +1,158 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Zygo Blaxell +Date: Fri, 10 Mar 2017 16:45:44 -0500 +Subject: btrfs: add missing memset while reading compressed inline extents + +From: Zygo Blaxell + + +[ Upstream commit e1699d2d7bf6e6cce3e1baff19f9dd4595a58664 ] + +This is a story about 4 distinct (and very old) btrfs bugs. + +Commit c8b978188c ("Btrfs: Add zlib compression support") added +three data corruption bugs for inline extents (bugs #1-3). + +Commit 93c82d5750 ("Btrfs: zero page past end of inline file items") +fixed bug #1: uncompressed inline extents followed by a hole and more +extents could get non-zero data in the hole as they were read. The fix +was to add a memset in btrfs_get_extent to zero out the hole. + +Commit 166ae5a418 ("btrfs: fix inline compressed read err corruption") +fixed bug #2: compressed inline extents which contained non-zero bytes +might be replaced with zero bytes in some cases. This patch removed an +unhelpful memset from uncompress_inline, but the case where memset is +required was missed. + +There is also a memset in the decompression code, but this only covers +decompressed data that is shorter than the ram_bytes from the extent +ref record. This memset doesn't cover the region between the end of the +decompressed data and the end of the page. It has also moved around a +few times over the years, so there's no single patch to refer to. + +This patch fixes bug #3: compressed inline extents followed by a hole +and more extents could get non-zero data in the hole as they were read +(i.e. bug #3 is the same as bug #1, but s/uncompressed/compressed/). +The fix is the same: zero out the hole in the compressed case too, +by putting a memset back in uncompress_inline, but this time with +correct parameters. + +The last and oldest bug, bug #0, is the cause of the offending inline +extent/hole/extent pattern. Bug #0 is a subtle and mostly-harmless quirk +of behavior somewhere in the btrfs write code. 
In a few special cases, +an inline extent and hole are allowed to persist where they normally +would be combined with later extents in the file. + +A fast reproducer for bug #0 is presented below. A few offending extents +are also created in the wild during large rsync transfers with the -S +flag. A Linux kernel build (git checkout; make allyesconfig; make -j8) +will produce a handful of offending files as well. Once an offending +file is created, it can present different content to userspace each +time it is read. + +Bug #0 is at least 4 and possibly 8 years old. I verified every vX.Y +kernel back to v3.5 has this behavior. There are fossil records of this +bug's effects in commits all the way back to v2.6.32. I have no reason +to believe bug #0 wasn't present at the beginning of btrfs compression +support in v2.6.29, but I can't easily test kernels that old to be sure. + +It is not clear whether bug #0 is worth fixing. A fix would likely +require injecting extra reads into currently write-only paths, and most +of the exceptional cases caused by bug #0 are already handled now. + +Whether we like them or not, bug #0's inline extents followed by holes +are part of the btrfs de-facto disk format now, and we need to be able +to read them without data corruption or an infoleak. So enough about +bug #0, let's get back to bug #3 (this patch). 
+ +An example of on-disk structure leading to data corruption found in +the wild: + + item 61 key (606890 INODE_ITEM 0) itemoff 9662 itemsize 160 + inode generation 50 transid 50 size 47424 nbytes 49141 + block group 0 mode 100644 links 1 uid 0 gid 0 + rdev 0 flags 0x0(none) + item 62 key (606890 INODE_REF 603050) itemoff 9642 itemsize 20 + inode ref index 3 namelen 10 name: DB_File.so + item 63 key (606890 EXTENT_DATA 0) itemoff 8280 itemsize 1362 + inline extent data size 1341 ram 4085 compress(zlib) + item 64 key (606890 EXTENT_DATA 4096) itemoff 8227 itemsize 53 + extent data disk byte 5367308288 nr 20480 + extent data offset 0 nr 45056 ram 45056 + extent compression(zlib) + +Different data appears in userspace during each read of the 11 bytes +between 4085 and 4096. The extent in item 63 is not long enough to +fill the first page of the file, so a memset is required to fill the +space between item 63 (ending at 4085) and item 64 (beginning at 4096) +with zero. + +Here is a reproducer from Liu Bo, which demonstrates another method +of creating the same inline extent and hole pattern: + +Using 'page_poison=on' kernel command line (or enable +CONFIG_PAGE_POISONING) run the following: + + # touch foo + # chattr +c foo + # xfs_io -f -c "pwrite -W 0 1000" foo + # xfs_io -f -c "falloc 4 8188" foo + # od -x foo + # echo 3 >/proc/sys/vm/drop_caches + # od -x foo + +This produce the following on my box: + +Correct output: file contains 1000 data bytes followed +by zeros: + + 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd + * + 0001740 cdcd cdcd cdcd cdcd 0000 0000 0000 0000 + 0001760 0000 0000 0000 0000 0000 0000 0000 0000 + * + 0020000 + +Actual output: the data after the first 1000 bytes +will be different each run: + + 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd + * + 0001740 cdcd cdcd cdcd cdcd 6c63 7400 635f 006d + 0001760 5f74 6f43 7400 435f 0053 5f74 7363 7400 + 0002000 435f 0056 5f74 6164 7400 645f 0062 5f74 + (...) 
+ +Signed-off-by: Zygo Blaxell +Reviewed-by: Liu Bo +Reviewed-by: Chris Mason +Signed-off-by: Chris Mason +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6812,6 +6812,20 @@ static noinline int uncompress_inline(st + max_size = min_t(unsigned long, PAGE_SIZE, max_size); + ret = btrfs_decompress(compress_type, tmp, page, + extent_offset, inline_size, max_size); ++ ++ /* ++ * decompression code contains a memset to fill in any space between the end ++ * of the uncompressed data and the end of max_size in case the decompressed ++ * data ends up shorter than ram_bytes. That doesn't cover the hole between ++ * the end of an inline extent and the beginning of the next block, so we ++ * cover that region here. ++ */ ++ ++ if (max_size + pg_offset < PAGE_SIZE) { ++ char *map = kmap(page); ++ memset(map + pg_offset + max_size, 0, PAGE_SIZE - max_size - pg_offset); ++ kunmap(page); ++ } + kfree(tmp); + return ret; + } diff --git a/queue-4.9/btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch b/queue-4.9/btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch new file mode 100644 index 00000000000..b3b9cb3316f --- /dev/null +++ b/queue-4.9/btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch 
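Review bot: The block added to uncompress_inline() is the only thing keeping stale page contents out of the gap after an inline extent, yet the bound is spelled twice, once as `max_size + pg_offset < PAGE_SIZE` and once as `PAGE_SIZE - max_size - pg_offset`, and the two must stay in agreement for the memset length not to wrap. Computing the start once makes that harder to break: `size_t zero_from = pg_offset + max_size;`, then `if (zero_from < PAGE_SIZE)` guarding `memset(map + zero_from, 0, PAGE_SIZE - zero_from);`. Kernel style also expects a blank line between the `char *map = kmap(page);` declaration and the memset. The start of the function is outside the hunk, so the type and range of `pg_offset` are assumed here rather than checked.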
@@ -0,0 +1,34 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christophe JAILLET
+Date: Sun, 10 Sep 2017 13:19:38 +0200
+Subject: btrfs: tests: Fix a memory leak in error handling path in 'run_test()'
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 9ca2e97fa3c3216200afe35a3b111ec51cc796d2 ]
+
+If 'btrfs_alloc_path()' fails, we must free the resources already
+allocated, as done in the other error handling paths in this function.
+
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tests/free-space-tree-tests.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/free-space-tree-tests.c
++++ b/fs/btrfs/tests/free-space-tree-tests.c
+@@ -501,7 +501,8 @@ static int run_test(test_func_t test_fun
+ path = btrfs_alloc_path();
+ if (!path) {
+ test_msg("Couldn't allocate path\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto out;
+ }
+
+ ret = add_block_group_free_space(&trans, root->fs_info, cache);
diff --git a/queue-4.9/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch b/queue-4.9/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
new file mode 100644
index 00000000000..5285270157e
--- /dev/null
+++ b/queue-4.9/clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch
@@ -0,0 +1,38 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Leo Yan +Date: Fri, 1 Sep 2017 08:47:14 +0800 +Subject: clk: hi6220: mark clock cs_atb_syspll as critical + +From: Leo Yan + + +[ Upstream commit d2a3671ebe6479483a12f94fcca63c058d95ad64 ] + +Clock cs_atb_syspll is pll used for coresight trace bus; when clock +cs_atb_syspll is disabled and operates its child clock node cs_atb +results in system hang. So mark clock cs_atb_syspll as critical to +keep it enabled. + +Cc: Guodong Xu +Cc: Zhangfei Gao +Cc: Haojian Zhuang +Signed-off-by: Leo Yan +Signed-off-by: Michael Turquette +Link: lkml.kernel.org/r/1504226835-2115-2-git-send-email-leo.yan@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/hisilicon/clk-hi6220.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/hisilicon/clk-hi6220.c ++++ b/drivers/clk/hisilicon/clk-hi6220.c +@@ -144,7 +144,7 @@ static struct hisi_gate_clock hi6220_sep + { HI6220_BBPPLL_SEL, "bbppll_sel", "pll0_bbp_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 9, 0, }, + { HI6220_MEDIA_PLL_SRC, "media_pll_src", "pll_media_gate", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 10, 0, }, + { HI6220_MMC2_SEL, "mmc2_sel", "mmc2_mux1", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 11, 0, }, +- { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IGNORE_UNUSED, 0x270, 12, 0, }, ++ { HI6220_CS_ATB_SYSPLL, "cs_atb_syspll", "syspll", CLK_SET_RATE_PARENT|CLK_IS_CRITICAL, 0x270, 12, 0, }, + }; + + static struct hisi_mux_clock hi6220_mux_clks_sys[] __initdata = { diff --git a/queue-4.9/clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch b/queue-4.9/clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch new file mode 100644 index 00000000000..e3dfcf86ed0 --- /dev/null +++ b/queue-4.9/clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Sébastien Szymanski +Date: Tue, 1 Aug 2017 12:40:07 +0200 +Subject: clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU + +From: Sébastien Szymanski + + +[ Upstream commit c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 ] + +On i.MX6 SoCs without VPU (in my case MCIMX6D4AVT10AC), the hdmi driver +fails to probe: + +[ 2.540030] dwhdmi-imx 120000.hdmi: Unsupported HDMI controller +(0000:00:00) +[ 2.548199] imx-drm display-subsystem: failed to bind 120000.hdmi +(ops dw_hdmi_imx_ops): -19 +[ 2.557403] imx-drm display-subsystem: master bind failed: -19 + +That's because hdmi_isfr's parent, video_27m, is not correctly ungated. +As explained in commit 5ccc248cc537 ("ARM: imx6q: clk: Add support for +mipi_core_cfg clock as a shared clock gate"), video_27m is gated by +CCM_CCGR3[CG8]. + +On i.MX6 SoCs with VPU, the hdmi is working thanks to the +CCM_CMEOR[mod_en_ov_vpu] bit which makes the video_27m ungated whatever +is in CCM_CCGR3[CG8]. The issue can be reproduced by setting +CCMEOR[mod_en_ov_vpu] to 0. + +Make the HDMI work in every case by setting hdmi_isfr's parent to +mipi_core_cfg. 
+ +Signed-off-by: Sébastien Szymanski +Reviewed-by: Fabio Estevam +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/imx/clk-imx6q.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/imx/clk-imx6q.c ++++ b/drivers/clk/imx/clk-imx6q.c +@@ -487,7 +487,7 @@ static void __init imx6q_clocks_init(str + clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24); + clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26); + clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0); +- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4); ++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4); + clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6); + clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8); + clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10); diff --git a/queue-4.9/clk-mediatek-add-the-option-for-determining-pll-source-clock.patch b/queue-4.9/clk-mediatek-add-the-option-for-determining-pll-source-clock.patch new file mode 100644 index 00000000000..32c2c017116 --- /dev/null +++ b/queue-4.9/clk-mediatek-add-the-option-for-determining-pll-source-clock.patch 
@@ -0,0 +1,49 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Chen Zhong
+Date: Thu, 5 Oct 2017 11:50:23 +0800
+Subject: clk: mediatek: add the option for determining PLL source clock
+
+From: Chen Zhong
+
+
+[ Upstream commit c955bf3998efa3355790a4d8c82874582f1bc727 ]
+
+Since the previous setup always sets the PLL using crystal 26MHz, this
+doesn't always happen in every MediaTek platform. So the patch added
+flexibility for assigning extra member for determining the PLL source
+clock.
+
+Signed-off-by: Chen Zhong
+Signed-off-by: Sean Wang
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/mediatek/clk-mtk.h | 1 +
+ drivers/clk/mediatek/clk-pll.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/mediatek/clk-mtk.h
++++ b/drivers/clk/mediatek/clk-mtk.h
+@@ -185,6 +185,7 @@ struct mtk_pll_data {
+ uint32_t pcw_reg;
+ int pcw_shift;
+ const struct mtk_pll_div_table *div_table;
++ const char *parent_name;
+ };
+
+ void mtk_clk_register_plls(struct device_node *node,
+--- a/drivers/clk/mediatek/clk-pll.c
++++ b/drivers/clk/mediatek/clk-pll.c
+@@ -302,7 +302,10 @@ static struct clk *mtk_clk_register_pll(
+
+ init.name = data->name;
+ init.ops = &mtk_pll_ops;
+- init.parent_names = &parent_name;
++ if (data->parent_name)
++ init.parent_names = &data->parent_name;
++ else
++ init.parent_names = &parent_name;
+ init.num_parents = 1;
+
+ clk = clk_register(NULL, &pll->hw);
diff --git a/queue-4.9/clk-tegra-fix-cclk_lp-divisor-register.patch b/queue-4.9/clk-tegra-fix-cclk_lp-divisor-register.patch
new file mode 100644
index 00000000000..17bcee3fa24
--- /dev/null
+++ b/queue-4.9/clk-tegra-fix-cclk_lp-divisor-register.patch
@@ -0,0 +1,34 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Michał Mirosław +Date: Tue, 19 Sep 2017 04:48:10 +0200 +Subject: clk: tegra: Fix cclk_lp divisor register + +From: Michał Mirosław + + +[ Upstream commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e ] + +According to comments in code and common sense, cclk_lp uses its +own divisor, not cclk_g's. + +Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30") +Signed-off-by: Michał Mirosław +Acked-By: Peter De Schrijver +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/tegra/clk-tegra30.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/tegra/clk-tegra30.c ++++ b/drivers/clk/tegra/clk-tegra30.c +@@ -963,7 +963,7 @@ static void __init tegra30_super_clk_ini + * U71 divider of cclk_lp. + */ + clk = tegra_clk_register_divider("pll_p_out3_cclklp", "pll_p_out3", +- clk_base + SUPER_CCLKG_DIVIDER, 0, ++ clk_base + SUPER_CCLKLP_DIVIDER, 0, + TEGRA_DIVIDER_INT, 16, 8, 1, NULL); + clk_register_clkdev(clk, "pll_p_out3_cclklp", NULL); + diff --git a/queue-4.9/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch b/queue-4.9/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch new file mode 100644 index 00000000000..f096d4c06d7 --- /dev/null +++ b/queue-4.9/crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Robert Baronescu +Date: Tue, 10 Oct 2017 13:22:00 +0300 +Subject: crypto: tcrypt - fix buffer lengths in test_aead_speed() + +From: Robert Baronescu + + +[ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ] + +Fix the way the length of the buffers used for +encryption / decryption are computed. +For e.g. in case of encryption, input buffer does not contain +an authentication tag. + +Signed-off-by: Robert Baronescu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/tcrypt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/crypto/tcrypt.c ++++ b/crypto/tcrypt.c +@@ -342,7 +342,7 @@ static void test_aead_speed(const char * + } + + sg_init_aead(sg, xbuf, +- *b_size + (enc ? authsize : 0)); ++ *b_size + (enc ? 0 : authsize)); + + sg_init_aead(sgout, xoutbuf, + *b_size + (enc ? authsize : 0)); +@@ -350,7 +350,9 @@ static void test_aead_speed(const char * + sg_set_buf(&sg[0], assoc, aad_size); + sg_set_buf(&sgout[0], assoc, aad_size); + +- aead_request_set_crypt(req, sg, sgout, *b_size, iv); ++ aead_request_set_crypt(req, sg, sgout, ++ *b_size + (enc ? 0 : authsize), ++ iv); + aead_request_set_ad(req, aad_size); + + if (secs) diff --git a/queue-4.9/dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch b/queue-4.9/dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch new file mode 100644 index 00000000000..035877ea0b1 --- /dev/null +++ b/queue-4.9/dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch 
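Review bot: After this change the expression `*b_size + (enc ? 0 : authsize)` appears twice in test_aead_speed(), once as the length of the input scatterlist and once as the length handed to aead_request_set_crypt(), and the two must always be equal for the request not to run past the mapped input. Holding it in one local (say `in_len`) and passing that to both calls removes the chance of them drifting apart: `sg_init_aead(sg, xbuf, in_len);` and `aead_request_set_crypt(req, sg, sgout, in_len, iv);`. The allocation of xbuf and xoutbuf is outside the hunk, so it is not visible whether they are sized for `*b_size + authsize`.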
@@ -0,0 +1,51 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Matthias Kaehlcke
+Date: Mon, 13 Mar 2017 14:30:29 -0700
+Subject: dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
+
+From: Matthias Kaehlcke
+
+
+[ Upstream commit 23f963e91fd81f44f6b316b1c24db563354c6be8 ]
+
+This fixes the following warning when building with clang and
+CONFIG_DMA_ENGINE_RAID=n :
+
+drivers/dma/dmaengine.c:1102:11: error: array index 2 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[2];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+^
+drivers/dma/dmaengine.c:1104:11: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[3];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+
+Signed-off-by: Matthias Kaehlcke
+Reviewed-by: Dan Williams
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/dmaengine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -1107,12 +1107,14 @@ static struct dmaengine_unmap_pool *__ge
+ switch (order) {
+ case 0 ... 1:
+ return &unmap_pool[0];
++#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
+ case 2 ... 4:
+ return &unmap_pool[1];
+ case 5 ... 7:
+ return &unmap_pool[2];
+ case 8:
+ return &unmap_pool[3];
++#endif
+ default:
+ BUG();
+ return NULL;
diff --git a/queue-4.9/dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch b/queue-4.9/dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch
new file mode 100644
index 00000000000..f1ef3ed21f1
--- /dev/null
+++ b/queue-4.9/dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch
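Review bot: With the `#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)` guard in __get_unmap_pool(), every order from 2 to 8 now falls through to `default: BUG();` when the option is off, so the out-of-bounds index is replaced by a kernel panic rather than by an error the caller can handle. Whether any caller can pass such an order in that configuration is not visible in this hunk, so the path may be unreachable in practice. Either way the assumption should be written down next to the guard: `/* larger pools exist only with CONFIG_DMA_ENGINE_RAID; any other order is a caller bug */`. The function starts and ends outside the hunk.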
@@ -0,0 +1,68 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Hiroyuki Yokoyama +Date: Thu, 19 Oct 2017 01:15:13 +0000 +Subject: dmaengine: rcar-dmac: use TCRB instead of TCR for residue + +From: Hiroyuki Yokoyama + + +[ Upstream commit 847449f23dcbff68234525f90dd53c7c7db18cad ] + +SYS/RT/Audio DMAC includes independent data buffers for reading +and writing. Therefore, the read transfer counter and write transfer +counter have different values. +TCR indicates read counter, and TCRB indicates write counter. +The relationship is like below. + + TCR TCRB +[SOURCE] -> [DMAC] -> [SINK] + +In the MEM_TO_DEV direction, what really matters is how much data has +been written to the device. If the DMA is interrupted between read and +write, then, the data doesn't end up in the destination, so shouldn't +be counted. TCRB is thus the register we should use in this cases. + +In the DEV_TO_MEM direction, the situation is more complex. Both the +read and write side are important. What matters from a data consumer +point of view is how much data has been written to memory. +On the other hand, if the transfer is interrupted between read and +write, we'll end up losing data. It can also be important to report. + +In the MEM_TO_MEM direction, what matters is of course how much data +has been written to memory from data consumer point of view. +Here, because read and write have independent data buffers, it will +take a while for TCR and TCRB to become equal. Thus we should check +TCRB in this case, too. + +Thus, all cases we should check TCRB instead of TCR. + +Without this patch, Sound Capture has noise after PluseAudio support +(= 07b7acb51d2 ("ASoC: rsnd: update pointer more accurate")), because +the recorder will use wrong residue counter which indicates transferred +from sound device, but in reality the data was not yet put to memory +and recorder will record it. 
+ +Signed-off-by: Hiroyuki Yokoyama +[Kuninori: added detail information in log] +Signed-off-by: Kuninori Morimoto +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: Vinod Koul + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1289,7 +1289,7 @@ static unsigned int rcar_dmac_chan_get_r + } + + /* Add the residue for the current chunk. */ +- residue += rcar_dmac_chan_read(chan, RCAR_DMATCR) << desc->xfer_shift; ++ residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift; + + return residue; + } diff --git a/queue-4.9/dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch b/queue-4.9/dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch new file mode 100644 index 00000000000..013468b75e9 --- /dev/null +++ b/queue-4.9/dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch 
@@ -0,0 +1,53 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Peter Ujfalusi +Date: Wed, 8 Nov 2017 12:02:25 +0200 +Subject: dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type + +From: Peter Ujfalusi + + +[ Upstream commit 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 ] + +The used 0x1f mask is only valid for am335x family of SoC, different family +using this type of crossbar might have different number of electable +events. In case of am43xx family 0x3f mask should have been used for +example. +Instead of trying to handle each family's mask, just use u8 type to store +the mux value since the event offsets are aligned to byte offset. + +Fixes: 42dbdcc6bf965 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/ti-dma-crossbar.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/dma/ti-dma-crossbar.c ++++ b/drivers/dma/ti-dma-crossbar.c +@@ -49,12 +49,12 @@ struct ti_am335x_xbar_data { + + struct ti_am335x_xbar_map { + u16 dma_line; +- u16 mux_val; ++ u8 mux_val; + }; + +-static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u16 val) ++static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val) + { +- writeb_relaxed(val & 0x1f, iomem + event); ++ writeb_relaxed(val, iomem + event); + } + + static void ti_am335x_xbar_free(struct device *dev, void *route_data) +@@ -105,7 +105,7 @@ static void *ti_am335x_xbar_route_alloca + } + + map->dma_line = (u16)dma_spec->args[0]; +- map->mux_val = (u16)dma_spec->args[2]; ++ map->mux_val = (u8)dma_spec->args[2]; + + dma_spec->args[2] = 0; + dma_spec->args_count = 2; 
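Review bot: `map->mux_val = (u8)dma_spec->args[2];` in ti_am335x_xbar_route_allocate() truncates the value taken from the DMA specifier to eight bits, and with the `& 0x1f` mask removed from ti_am335x_xbar_write() whatever survives the cast is written to the mux register unchanged. Unless args[2] is range-checked earlier in the function, which is outside this hunk, a specifier value above 255 would silently select a different event instead of being rejected. If no such check exists, one belongs before the cast, on the function's existing error path: `if (dma_spec->args[2] > U8_MAX)`. A short comment on the `u8 mux_val` field stating that event offsets are byte-wide would also record why the mask could go.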
diff --git a/queue-4.9/drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch b/queue-4.9/drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch new file mode 100644 index 00000000000..3aee8f0919b --- /dev/null +++ b/queue-4.9/drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch 
@@ -0,0 +1,176 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Vitaly Kuznetsov
+Date: Sat, 4 Mar 2017 18:13:59 -0700
+Subject: Drivers: hv: util: move waiting for release to hv_utils_transport itself
+
+From: Vitaly Kuznetsov
+
+
+[ Upstream commit e9c18ae6eb2b312f16c63e34b43ea23926daa398 ]
+
+Waiting for release_event in all three drivers introduced issues on release
+as on_reset() hook is not always called. E.g. if the device was never
+opened we will never get the completion.
+
+Move the waiting code to hvutil_transport_destroy() and make sure it is
+only called when the device is open. hvt->lock serialization should
+guarantee the absence of races.
+
+Fixes: 5a66fecbf6aa ("Drivers: hv: util: kvp: Fix a rescind processing issue")
+Fixes: 20951c7535b5 ("Drivers: hv: util: Fcopy: Fix a rescind processing issue")
+Fixes: d77044d142e9 ("Drivers: hv: util: Backup: Fix a rescind processing issue")
+
+Reported-by: Dexuan Cui
+Tested-by: Dexuan Cui
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: K. Y. Srinivasan
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hv/hv_fcopy.c | 4 ----
+ drivers/hv/hv_kvp.c | 4 ----
+ drivers/hv/hv_snapshot.c | 4 ----
+ drivers/hv/hv_utils_transport.c | 12 ++++++++----
+ drivers/hv/hv_utils_transport.h | 1 +
+ 5 files changed, 9 insertions(+), 16 deletions(-)
+
+--- a/drivers/hv/hv_fcopy.c
++++ b/drivers/hv/hv_fcopy.c
+@@ -61,7 +61,6 @@ static DECLARE_WORK(fcopy_send_work, fco
+ static const char fcopy_devname[] = "vmbus/hv_fcopy";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+ /*
+ * This state maintains the version number registered by the daemon.
+ */
+@@ -322,7 +321,6 @@ static void fcopy_on_reset(void)
+
+ if (cancel_delayed_work_sync(&fcopy_timeout_work))
+ fcopy_respond_to_host(HV_E_FAIL);
+- complete(&release_event);
+ }
+
+ int hv_fcopy_init(struct hv_util_service *srv)
+@@ -330,7 +328,6 @@ int hv_fcopy_init(struct hv_util_service
+ recv_buffer = srv->recv_buffer;
+ fcopy_transaction.recv_channel = srv->channel;
+
+- init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -352,5 +349,4 @@ void hv_fcopy_deinit(void)
+ fcopy_transaction.state = HVUTIL_DEVICE_DYING;
+ cancel_delayed_work_sync(&fcopy_timeout_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -88,7 +88,6 @@ static DECLARE_WORK(kvp_sendkey_work, kv
+ static const char kvp_devname[] = "vmbus/hv_kvp";
+ static u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+ /*
+ * Register the kernel component with the user-level daemon.
+ * As part of this registration, pass the LIC version number.
+@@ -717,7 +716,6 @@ static void kvp_on_reset(void)
+ if (cancel_delayed_work_sync(&kvp_timeout_work))
+ kvp_respond_to_host(NULL, HV_E_FAIL);
+ kvp_transaction.state = HVUTIL_DEVICE_INIT;
+- complete(&release_event);
+ }
+
+ int
+@@ -726,7 +724,6 @@ hv_kvp_init(struct hv_util_service *srv)
+ recv_buffer = srv->recv_buffer;
+ kvp_transaction.recv_channel = srv->channel;
+
+- init_completion(&release_event);
+ /*
+ * When this driver loads, the user level daemon that
+ * processes the host requests may not yet be running.
+@@ -750,5 +747,4 @@ void hv_kvp_deinit(void)
+ cancel_delayed_work_sync(&kvp_timeout_work);
+ cancel_work_sync(&kvp_sendkey_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_snapshot.c
++++ b/drivers/hv/hv_snapshot.c
+@@ -66,7 +66,6 @@ static int dm_reg_value;
+ static const char vss_devname[] = "vmbus/hv_vss";
+ static __u8 *recv_buffer;
+ static struct hvutil_transport *hvt;
+-static struct completion release_event;
+
+ static void vss_timeout_func(struct work_struct *dummy);
+ static void vss_handle_request(struct work_struct *dummy);
+@@ -331,13 +330,11 @@ static void vss_on_reset(void)
+ if (cancel_delayed_work_sync(&vss_timeout_work))
+ vss_respond_to_host(HV_E_FAIL);
+ vss_transaction.state = HVUTIL_DEVICE_INIT;
+- complete(&release_event);
+ }
+
+ int
+ hv_vss_init(struct hv_util_service *srv)
+ {
+- init_completion(&release_event);
+ if (vmbus_proto_version < VERSION_WIN8_1) {
+ pr_warn("Integration service 'Backup (volume snapshot)'"
+ " not supported on this host version.\n");
+@@ -368,5 +365,4 @@ void hv_vss_deinit(void)
+ cancel_delayed_work_sync(&vss_timeout_work);
+ cancel_work_sync(&vss_handle_request_work);
+ hvutil_transport_destroy(hvt);
+- wait_for_completion(&release_event);
+ }
+--- a/drivers/hv/hv_utils_transport.c
++++ b/drivers/hv/hv_utils_transport.c
+@@ -182,10 +182,11 @@ static int hvt_op_release(struct inode *
+ * connects back.
+ */
+ hvt_reset(hvt);
+- mutex_unlock(&hvt->lock);
+
+ if (mode_old == HVUTIL_TRANSPORT_DESTROY)
+- hvt_transport_free(hvt);
++ complete(&hvt->release);
++
++ mutex_unlock(&hvt->lock);
+
+ return 0;
+ }
+@@ -304,6 +305,7 @@ struct hvutil_transport *hvutil_transpor
+
+ init_waitqueue_head(&hvt->outmsg_q);
+ mutex_init(&hvt->lock);
++ init_completion(&hvt->release);
+
+ spin_lock(&hvt_list_lock);
+ list_add(&hvt->list, &hvt_list);
+@@ -351,6 +353,8 @@ void hvutil_transport_destroy(struct hvu
+ if (hvt->cn_id.idx > 0 && hvt->cn_id.val > 0)
+ cn_del_callback(&hvt->cn_id);
+
+- if (mode_old != HVUTIL_TRANSPORT_CHARDEV)
+- hvt_transport_free(hvt);
++ if (mode_old == HVUTIL_TRANSPORT_CHARDEV)
++ wait_for_completion(&hvt->release);
++
++ hvt_transport_free(hvt);
+ }
+--- a/drivers/hv/hv_utils_transport.h
++++ b/drivers/hv/hv_utils_transport.h
+@@ -41,6 +41,7 @@ struct hvutil_transport {
+ int outmsg_len; /* its length */
+ wait_queue_head_t outmsg_q; /* poll/read wait queue */
+ struct mutex lock; /* protects struct members */
++ struct completion release; /* synchronize with fd release */
+ };
+
+ struct hvutil_transport *hvutil_transport_init(const char *name,
diff --git a/queue-4.9/drm-amd-remove-broken-include-path.patch b/queue-4.9/drm-amd-remove-broken-include-path.patch
new file mode 100644
index 00000000000..1dd2556daf0
--- /dev/null
+++ b/queue-4.9/drm-amd-remove-broken-include-path.patch
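Review bot: In hvt_op_release() `complete(&hvt->release)` now runs before `mutex_unlock(&hvt->lock)`, while hvutil_transport_destroy() calls `hvt_transport_free(hvt)` as soon as `wait_for_completion()` returns and does not take the lock again. If hvt_transport_free() releases the structure that embeds the mutex (its body is not in this patch, so this is inferred from the name), the destroy path can finish between those two statements and the unlock then touches freed memory. Signalling last avoids the window: `mutex_unlock(&hvt->lock);` and then `if (mode_old == HVUTIL_TRANSPORT_DESTROY) complete(&hvt->release);`. Both functions start outside their hunks, so the surrounding locking should be confirmed against the full file.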
@@ -0,0 +1,42 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Arnd Bergmann
+Date: Tue, 14 Mar 2017 22:27:11 +0100
+Subject: drm: amd: remove broken include path
+
+From: Arnd Bergmann
+
+
+[ Upstream commit 655d9ca9ac075da1ef2a45012ba48a39f6eb1f58 ]
+
+The AMD ACP driver adds "-I../acp -I../acp/include" to the gcc command
+line, which makes no sense, since these are evaluated relative to the
+build directory. When we build with "make W=1", they instead cause
+a warning:
+
+cc1: error: ../acp/: No such file or directory [-Werror=missing-include-dirs]
+cc1: error: ../acp/include: No such file or directory [-Werror=missing-include-dirs]
+cc1: all warnings being treated as errors
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_drv.o' failed
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_device.o' failed
+../scripts/Makefile.build:289: recipe for target 'drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o' failed
+
+This removes the subdir-ccflags variable that evidently did not
+serve any purpose here.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/acp/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/acp/Makefile
++++ b/drivers/gpu/drm/amd/acp/Makefile
+@@ -3,6 +3,4 @@
+ # of AMDSOC/AMDGPU drm driver.
+ # It provides the HW control for ACP related functionalities.
+
+-subdir-ccflags-y += -I$(AMDACPPATH)/ -I$(AMDACPPATH)/include
+-
+ AMD_ACP_FILES := $(AMDACPPATH)/acp_hw.o
diff --git a/queue-4.9/drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch b/queue-4.9/drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch
new file mode 100644
index 00000000000..097f947708e
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dave Airlie
+Date: Fri, 10 Mar 2017 12:13:04 +1000
+Subject: drm/amdgpu: fix parser init error path to avoid crash in parser fini
+
+From: Dave Airlie
+
+
+[ Upstream commit 607523d19c9d67ba4cf7bdaced644f11ed04992c ]
+
+If we don't reset the chunk info in the error path, the subsequent
+fini path will double free.
+
+Reviewed-by: Christian König
+Signed-off-by: Dave Airlie
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -240,6 +240,8 @@ free_partial_kdata:
+ for (; i >= 0; i--)
+ drm_free_large(p->chunks[i].kdata);
+ kfree(p->chunks);
++ p->chunks = NULL;
++ p->nchunks = 0;
+ put_ctx:
+ amdgpu_ctx_put(p->ctx);
+ free_chunk:
diff --git a/queue-4.9/drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch b/queue-4.9/drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch
new file mode 100644
index 00000000000..64b6682f1e5
--- /dev/null
+++ b/queue-4.9/drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch
@@ -0,0 +1,36 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tomi Valkeinen
+Date: Tue, 28 Feb 2017 10:11:45 +0200
+Subject: drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
+
+From: Tomi Valkeinen
+
+
+[ Upstream commit 9fa1d7537242bd580ffa99c4725a0407096aad26 ]
+
+omap_gem_dmabuf_mmap() returns an error (with a WARN) when called for a
+buffer which is allocated with dma_alloc_*(). This prevents dmabuf mmap
+from working on SoCs without DMM, e.g. AM4 and OMAP3.
+
+I could not find any reason for omap_gem_dmabuf_mmap() rejecting such
+buffers, and just removing the if() fixes the limitation.
+
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
+@@ -147,9 +147,6 @@ static int omap_gem_dmabuf_mmap(struct d
+ struct drm_gem_object *obj = buffer->priv;
+ int ret = 0;
+
+- if (WARN_ON(!obj->filp))
+- return -EINVAL;
+-
+ ret = drm_gem_mmap_obj(obj, omap_gem_mmap_size(obj), vma);
+ if (ret < 0)
+ return ret;
diff --git a/queue-4.9/drm-radeon-reinstate-oland-workaround-for-sclk.patch b/queue-4.9/drm-radeon-reinstate-oland-workaround-for-sclk.patch
new file mode 100644
index 00000000000..9c8c10f351d
--- /dev/null
+++ b/queue-4.9/drm-radeon-reinstate-oland-workaround-for-sclk.patch
@@ -0,0 +1,41 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alex Deucher
+Date: Wed, 15 Mar 2017 21:11:46 -0400
+Subject: drm/radeon: reinstate oland workaround for sclk
+
+From: Alex Deucher
+
+
+[ Upstream commit 66822d815ae61ecb2d9dba9031517e8a8476969d ]
+
+Higher sclks seem to be unstable on some boards.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=100222
+
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3030,9 +3030,13 @@ static void si_apply_state_adjust_rules(
+ max_mclk = 80000;
+ }
+ } else if (rdev->family == CHIP_OLAND) {
+- if ((rdev->pdev->device == 0x6604) &&
+- (rdev->pdev->subsystem_vendor == 0x1028) &&
+- (rdev->pdev->subsystem_device == 0x066F)) {
++ if ((rdev->pdev->revision == 0xC7) ||
++ (rdev->pdev->revision == 0x80) ||
++ (rdev->pdev->revision == 0x81) ||
++ (rdev->pdev->revision == 0x83) ||
++ (rdev->pdev->revision == 0x87) ||
++ (rdev->pdev->device == 0x6604) ||
++ (rdev->pdev->device == 0x6605)) {
+ max_sclk = 75000;
+ }
+ }
diff --git a/queue-4.9/drm-radeon-si-add-dpm-quirk-for-oland.patch b/queue-4.9/drm-radeon-si-add-dpm-quirk-for-oland.patch
new file mode 100644
index 00000000000..c033d4f1acb
--- /dev/null
+++ b/queue-4.9/drm-radeon-si-add-dpm-quirk-for-oland.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alex Deucher
+Date: Tue, 14 Mar 2017 14:42:03 -0400
+Subject: drm/radeon/si: add dpm quirk for Oland
+
+From: Alex Deucher
+
+
+[ Upstream commit 0f424de1fd9bc4ab24bd1fe5430ab5618e803e31 ]
+
+OLAND 0x1002:0x6604 0x1028:0x066F 0x00 seems to have problems
+with higher sclks.
+
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3029,6 +3029,12 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ } else if (rdev->family == CHIP_OLAND) {
++ if ((rdev->pdev->device == 0x6604) &&
++ (rdev->pdev->subsystem_vendor == 0x1028) &&
++ (rdev->pdev->subsystem_device == 0x066F)) {
++ max_sclk = 75000;
++ }
+ }
+ /* Apply dpm quirks */
+ while (p && p->chip_device != 0) {
diff --git a/queue-4.9/efi-esrt-cleanup-bad-memory-map-log-messages.patch b/queue-4.9/efi-esrt-cleanup-bad-memory-map-log-messages.patch
new file mode 100644
index 00000000000..74a9ec01854
--- /dev/null
+++ b/queue-4.9/efi-esrt-cleanup-bad-memory-map-log-messages.patch
@@ -0,0 +1,62 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Drake
+Date: Tue, 7 Feb 2017 13:08:23 -0600
+Subject: efi/esrt: Cleanup bad memory map log messages
+
+From: Daniel Drake
+
+
+[ Upstream commit 822f5845f710e57d7e2df1fd1ee00d6e19d334fe ]
+
+The Intel Compute Stick STCK1A8LFC and Weibu F3C platforms both
+log 2 error messages during boot:
+
+ efi: requested map not found.
+ esrt: ESRT header is not in the memory map.
+
+Searching the web, this seems to affect many other platforms too.
+Since these messages are logged as errors, they appear on-screen during
+the boot process even when using the "quiet" boot parameter used by
+distros.
+
+Demote the ESRT error to a warning so that it does not appear on-screen,
+and delete the error logging from efi_mem_desc_lookup; both callsites
+of that function log more specific messages upon failure.
+
+Out of curiosity I looked closer at the Weibu F3C. There is no entry in
+the UEFI-provided memory map which corresponds to the ESRT pointer, but
+hacking the code to map it anyway, the ESRT does appear to be valid with
+2 entries.
+
+Signed-off-by: Daniel Drake
+Cc: Matt Fleming
+Acked-by: Peter Jones
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/efi.c | 1 -
+ drivers/firmware/efi/esrt.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -384,7 +384,6 @@ int __init efi_mem_desc_lookup(u64 phys_
+ return 0;
+ }
+ }
+- pr_err_once("requested map not found.\n");
+ return -ENOENT;
+ }
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -251,7 +251,7 @@ void __init efi_esrt_init(void)
+
+ rc = efi_mem_desc_lookup(efi.esrt, &md);
+ if (rc < 0) {
+- pr_err("ESRT header is not in the memory map.\n");
++ pr_warn("ESRT header is not in the memory map.\n");
+ return;
+ }
+
diff --git a/queue-4.9/fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch b/queue-4.9/fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch
new file mode 100644
index 00000000000..8e6b91e6bfa
--- /dev/null
+++ b/queue-4.9/fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Geert Uytterhoeven
+Date: Thu, 9 Nov 2017 18:09:33 +0100
+Subject: fbdev: controlfb: Add missing modes to fix out of bounds access
+
+From: Geert Uytterhoeven
+
+
+[ Upstream commit ac831a379d34109451b3c41a44a20ee10ecb615f ]
+
+Dan's static analysis says:
+
+ drivers/video/fbdev/controlfb.c:560 control_setup()
+ error: buffer overflow 'control_mac_modes' 20 <= 21
+
+Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
+which may lead to an out of bounds read when parsing vmode commandline
+options.
+
+The bug was introduced in v2.4.5.6, when 2 new modes were added to
+macmodes.h, but control_mac_modes[] wasn't updated:
+
+https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
+
+Augment control_mac_modes[] with the two new video modes to fix this.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Geert Uytterhoeven
+Cc: Dan Carpenter
+Cc: Benjamin Herrenschmidt
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/controlfb.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/controlfb.h
++++ b/drivers/video/fbdev/controlfb.h
+@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_mod
+ {{ 1, 2}}, /* 1152x870, 75Hz */
+ {{ 0, 1}}, /* 1280x960, 75Hz */
+ {{ 0, 1}}, /* 1280x1024, 75Hz */
++ {{ 1, 2}}, /* 1152x768, 60Hz */
++ {{ 0, 1}}, /* 1600x1024, 60Hz */
+ };
+
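Review bot: Nothing in this hunk ties the length of `control_mac_modes[]` to `VMODE_MAX`, so the next mode added to macmodes.h would bring back the out-of-bounds read that the description reports for vmode command-line parsing. A compile-time check next to the indexing code, for example `BUILD_BUG_ON(ARRAY_SIZE(control_mac_modes) != VMODE_MAX);`, would turn that drift into a build failure. The exact relation between the two should be confirmed against control_setup(), which is not part of this patch, and the array's opening lines are also outside the hunk.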
diff --git a/queue-4.9/fjes-fix-wrong-netdevice-feature-flags.patch b/queue-4.9/fjes-fix-wrong-netdevice-feature-flags.patch
new file mode 100644
index 00000000000..5c4f3b0b919
--- /dev/null
+++ b/queue-4.9/fjes-fix-wrong-netdevice-feature-flags.patch
@@ -0,0 +1,39 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Taku Izumi
+Date: Wed, 15 Mar 2017 13:47:50 +0900
+Subject: fjes: Fix wrong netdevice feature flags
+
+From: Taku Izumi
+
+
+[ Upstream commit fe8daf5fa715f7214952f06a387e4b7de818c5be ]
+
+This patch fixes netdev->features for Extended Socket network device.
+
+Currently Extended Socket network device's netdev->feature claims
+NETIF_F_HW_CSUM, however this is completely wrong. There's no feature
+of checksum offloading.
+That causes invalid TCP/UDP checksum and packet rejection when IP
+forwarding from Extended Socket network device to other network device.
+
+NETIF_F_HW_CSUM should be omitted.
+
+Signed-off-by: Taku Izumi
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/fjes/fjes_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1277,7 +1277,7 @@ static void fjes_netdev_setup(struct net
+ fjes_set_ethtool_ops(netdev);
+ netdev->mtu = fjes_support_mtu[3];
+ netdev->flags |= IFF_BROADCAST;
+- netdev->features |= NETIF_F_HW_CSUM | NETIF_F_HW_VLAN_CTAG_FILTER;
++ netdev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+ }
+
+ static void fjes_irq_watch_task(struct work_struct *work)
diff --git a/queue-4.9/gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch b/queue-4.9/gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch
new file mode 100644
index 00000000000..0c695135550
--- /dev/null
+++ b/queue-4.9/gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch
@@ -0,0 +1,70 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Bob Peterson
+Date: Wed, 20 Sep 2017 08:30:04 -0500
+Subject: GFS2: Take inode off order_write list when setting jdata flag
+
+From: Bob Peterson
+
+
+[ Upstream commit cc555b09d8c3817aeebda43a14ab67049a5653f7 ]
+
+This patch fixes a deadlock caused when the jdata flag is set for
+inodes that are already on the ordered write list. Since it is
+on the ordered write list, log_flush calls gfs2_ordered_write which
+calls filemap_fdatawrite. But since the inode had the jdata flag
+set, that calls gfs2_jdata_writepages, which tries to start a new
+transaction. A new transaction cannot be started because it tries
+to acquire the log_flush rwsem which is already locked by the log
+flush operation.
+
+The bottom line is: We cannot switch an inode from ordered to jdata
+until we eliminate any ordered data pages (via log flush) or any
+log_flush operation afterward will create the circular dependency
+above. So we need to flush the log before setting the diskflags to
+switch the file mode, then we need to remove the inode from the
+ordered writes list.
+
+Before this patch, the log flush was done for jdata->ordered, but
+that's wrong. If we're going from jdata to ordered, we don't need
+to call gfs2_log_flush because the call to filemap_fdatawrite will
+do it for us:
+
+ filemap_fdatawrite() -> __filemap_fdatawrite_range()
+ __filemap_fdatawrite_range() -> do_writepages()
+ do_writepages() -> gfs2_jdata_writepages()
+ gfs2_jdata_writepages() -> gfs2_log_flush()
+
+This patch modifies function do_gfs2_set_flags so that if a file
+has its jdata flag set, and it's already on the ordered write list,
+the log will be flushed and it will be removed from the list
+before setting the flag.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Acked-by: Abhijith Das
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -256,7 +256,7 @@ static int do_gfs2_set_flags(struct file
+ goto out;
+ }
+ if ((flags ^ new_flags) & GFS2_DIF_JDATA) {
+- if (flags & GFS2_DIF_JDATA)
++ if (new_flags & GFS2_DIF_JDATA)
+ gfs2_log_flush(sdp, ip->i_gl, NORMAL_FLUSH);
+ error = filemap_fdatawrite(inode->i_mapping);
+ if (error)
+@@ -264,6 +264,8 @@ static int do_gfs2_set_flags(struct file
+ error = filemap_fdatawait(inode->i_mapping);
+ if (error)
+ goto out;
++ if (new_flags & GFS2_DIF_JDATA)
++ gfs2_ordered_del_inode(ip);
+ }
+ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+ if (error)
diff --git a/queue-4.9/hid-cp2112-fix-broken-gpio_direction_input-callback.patch b/queue-4.9/hid-cp2112-fix-broken-gpio_direction_input-callback.patch
new file mode 100644
index 00000000000..1ad4d47409d
--- /dev/null
+++ b/queue-4.9/hid-cp2112-fix-broken-gpio_direction_input-callback.patch
@@ -0,0 +1,55 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Sébastien Szymanski
+Date: Fri, 10 Nov 2017 10:01:43 +0100
+Subject: HID: cp2112: fix broken gpio_direction_input callback
+
+From: Sébastien Szymanski
+
+
+[ Upstream commit 7da85fbf1c87d4f73621e0e7666a3387497075a9 ]
+
+When everything goes smoothly, ret is set to 0 which makes the function
+to return EIO error.
+
+Fixes: 8e9faa15469e ("HID: cp2112: fix gpio-callback error handling")
+Signed-off-by: Sébastien Szymanski
+Reviewed-by: Benjamin Tissoires
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-cp2112.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -188,6 +188,8 @@ static int cp2112_gpio_direction_input(s
+ HID_REQ_GET_REPORT);
+ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error requesting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -197,8 +199,10 @@ static int cp2112_gpio_direction_input(s
+ ret = hid_hw_raw_request(hdev, CP2112_GPIO_CONFIG, buf,
+ CP2112_GPIO_CONFIG_LENGTH, HID_FEATURE_REPORT,
+ HID_REQ_SET_REPORT);
+- if (ret < 0) {
++ if (ret != CP2112_GPIO_CONFIG_LENGTH) {
+ hid_err(hdev, "error setting GPIO config: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ goto exit;
+ }
+
+@@ -206,7 +210,7 @@ static int cp2112_gpio_direction_input(s
+
+ exit:
+ mutex_unlock(&dev->lock);
+- return ret < 0 ? ret : -EIO;
++ return ret;
+ }
+
+ static void cp2112_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
diff --git a/queue-4.9/ib-core-fix-calculation-of-maximum-roce-mtu.patch b/queue-4.9/ib-core-fix-calculation-of-maximum-roce-mtu.patch
new file mode 100644
index 00000000000..2abdebb5cb6
--- /dev/null
+++ b/queue-4.9/ib-core-fix-calculation-of-maximum-roce-mtu.patch
@@ -0,0 +1,76 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Parav Pandit
+Date: Mon, 16 Oct 2017 08:45:16 +0300
+Subject: IB/core: Fix calculation of maximum RoCE MTU
+
+From: Parav Pandit
+
+
+[ Upstream commit 99260132fde7bddc6e0132ce53da94d1c9ccabcb ]
+
+The original code only took into consideration the largest header
+possible after the IB_BTH_BYTES. This was incorrect, as the largest
+possible header size is the largest possible combination of headers we
+might run into. The new code accounts for all possible headers in the
+largest possible combination and subtracts that from the MTU to make
+sure that all packets will fit on the wire.
+
+Link: https://www.spinics.net/lists/linux-rdma/msg54558.html
+Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices")
+Signed-off-by: Parav Pandit
+Reviewed-by: Daniel Jurgens
+Reported-by: Roland Dreier
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/rdma/ib_addr.h | 7 ++++---
+ include/rdma/ib_pack.h | 19 +++++++++++--------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/rdma/ib_addr.h
++++ b/include/rdma/ib_addr.h
+@@ -243,10 +243,11 @@ static inline void rdma_addr_set_dgid(st
+ static inline enum ib_mtu iboe_get_mtu(int mtu)
+ {
+ /*
+- * reduce IB headers from effective IBoE MTU. 28 stands for
+- * atomic header which is the biggest possible header after BTH
++ * Reduce IB headers from effective IBoE MTU.
+ */
+- mtu = mtu - IB_GRH_BYTES - IB_BTH_BYTES - 28;
++ mtu = mtu - (IB_GRH_BYTES + IB_UDP_BYTES + IB_BTH_BYTES +
++ IB_EXT_XRC_BYTES + IB_EXT_ATOMICETH_BYTES +
++ IB_ICRC_BYTES);
+
+ if (mtu >= ib_mtu_enum_to_int(IB_MTU_4096))
+ return IB_MTU_4096;
+--- a/include/rdma/ib_pack.h
++++ b/include/rdma/ib_pack.h
+@@ -37,14 +37,17 @@
+ #include
+
+ enum {
+- IB_LRH_BYTES = 8,
+- IB_ETH_BYTES = 14,
+- IB_VLAN_BYTES = 4,
+- IB_GRH_BYTES = 40,
+- IB_IP4_BYTES = 20,
+- IB_UDP_BYTES = 8,
+- IB_BTH_BYTES = 12,
+- IB_DETH_BYTES = 8
++ IB_LRH_BYTES = 8,
++ IB_ETH_BYTES = 14,
++ IB_VLAN_BYTES = 4,
++ IB_GRH_BYTES = 40,
++ IB_IP4_BYTES = 20,
++ IB_UDP_BYTES = 8,
++ IB_BTH_BYTES = 12,
++ IB_DETH_BYTES = 8,
++ IB_EXT_ATOMICETH_BYTES = 28,
++ IB_EXT_XRC_BYTES = 4,
++ IB_ICRC_BYTES = 4
+ };
+
+ struct ib_field {
diff --git a/queue-4.9/ib-hfi1-return-actual-operational-vls-in-port-info-query.patch b/queue-4.9/ib-hfi1-return-actual-operational-vls-in-port-info-query.patch
new file mode 100644
index 00000000000..07aca0cb016
--- /dev/null
+++ b/queue-4.9/ib-hfi1-return-actual-operational-vls-in-port-info-query.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Patel Jay P
+Date: Mon, 23 Oct 2017 06:05:53 -0700
+Subject: Ib/hfi1: Return actual operational VLs in port info query
+
+From: Patel Jay P
+
+
+[ Upstream commit 00f9203119dd2774564407c7a67b17d81916298b ]
+
+__subn_get_opa_portinfo stores value returned by hfi1_get_ib_cfg() as
+operational vls. hfi1_get_ib_cfg() returns vls_operational field in
+hfi1_pportdata. The problem with this is that the value is always equal
+to vls_supported field in hfi1_pportdata.
+
+The logic to calculate operational_vls is to set value passed by FM
+(in __subn_set_opa_portinfo routine). If no value is passed then
+default value is stored in operational_vls.
+
+Field actual_vls_operational is calculated on the basis of buffer
+control table. Hence, modifying hfi1_get_ib_cfg() to return
+actual_operational_vls when used with HFI1_IB_CFG_OP_VLS parameter
+
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Dennis Dalessandro
+Signed-off-by: Patel Jay P
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/hfi1/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -9769,7 +9769,7 @@ int hfi1_get_ib_cfg(struct hfi1_pportdat
+ goto unimplemented;
+
+ case HFI1_IB_CFG_OP_VLS:
+- val = ppd->vls_operational;
++ val = ppd->actual_vls_operational;
+ break;
+ case HFI1_IB_CFG_VL_HIGH_CAP: /* VL arb high priority table size */
+ val = VL_ARB_HIGH_PRIO_TABLE_SIZE;
diff --git a/queue-4.9/ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch b/queue-4.9/ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch
new file mode 100644
index 00000000000..70aa510dddb
--- /dev/null
+++ b/queue-4.9/ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch
@@ -0,0 +1,41 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Alex Vesker
+Date: Tue, 10 Oct 2017 10:36:41 +0300
+Subject: IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
+
+From: Alex Vesker
+
+
+[ Upstream commit b4b678b06f6eef18bff44a338c01870234db0bc9 ]
+
+When ndo_open and ndo_stop are called RTNL lock should be held.
+In this specific case ipoib_ib_dev_open calls the offloaded ndo_open
+which re-sets the number of TX queue assuming RTNL lock is held.
+Since RTNL lock is not held, RTNL assert will fail.
+
+Signed-off-by: Alex Vesker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1177,10 +1177,15 @@ static void __ipoib_ib_dev_flush(struct
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
++ rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+- if (ipoib_ib_dev_open(dev) != 0)
++
++ result = ipoib_ib_dev_open(dev);
++ rtnl_unlock();
++ if (result)
+ return;
++
+ if (netif_queue_stopped(dev))
+ netif_start_queue(dev);
+ }
diff --git a/queue-4.9/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch b/queue-4.9/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch
new file mode 100644
index 00000000000..14515d49167
--- /dev/null
+++ b/queue-4.9/icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch
@@ -0,0 +1,101 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Matteo Croce +Date: Thu, 12 Oct 2017 16:12:37 +0200 +Subject: icmp: don't fail on fragment reassembly time exceeded + +From: Matteo Croce + + +[ Upstream commit 258bbb1b0e594ad5f5652cb526b3c63e6a7fad3d ] + +The ICMP implementation currently replies to an ICMP time exceeded message +(type 11) with an ICMP host unreachable message (type 3, code 1). + +However, time exceeded messages can either represent "time to live exceeded +in transit" (code 0) or "fragment reassembly time exceeded" (code 1). + +Unconditionally replying to "fragment reassembly time exceeded" with +host unreachable messages might cause unjustified connection resets +which are now easily triggered as UFO has been removed, because, in turn, +sending large buffers triggers IP fragmentation. + +The issue can be easily reproduced by running a lot of UDP streams +which is likely to trigger IP fragmentation: + + # start netserver in the test namespace + ip netns add test + ip netns exec test netserver + + # create a VETH pair + ip link add name veth0 type veth peer name veth0 netns test + ip link set veth0 up + ip -n test link set veth0 up + + for i in $(seq 20 29); do + # assign addresses to both ends + ip addr add dev veth0 192.168.$i.1/24 + ip -n test addr add dev veth0 192.168.$i.2/24 + + # start the traffic + netperf -L 192.168.$i.1 -H 192.168.$i.2 -t UDP_STREAM -l 0 & + done + + # wait + send_data: data send error: No route to host (errno 113) + netperf: send_omni: send_data failed: No route to host + +We need to differentiate instead: if fragment reassembly time exceeded +is reported, we need to silently drop the packet, +if time to live exceeded is reported, maintain the current behaviour. +In both cases increment the related error count "icmpInTimeExcds". + +While at it, fix a typo in a comment, and convert the if statement +into a switch to mate it more readable. + +Signed-off-by: Matteo Croce +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/icmp.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -766,7 +766,7 @@ static bool icmp_tag_validation(int prot + } + + /* +- * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEED, ICMP_QUENCH, and ++ * Handle ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_QUENCH, and + * ICMP_PARAMETERPROB. + */ + +@@ -794,7 +794,8 @@ static bool icmp_unreach(struct sk_buff + if (iph->ihl < 5) /* Mangled header, drop. */ + goto out_err; + +- if (icmph->type == ICMP_DEST_UNREACH) { ++ switch (icmph->type) { ++ case ICMP_DEST_UNREACH: + switch (icmph->code & 15) { + case ICMP_NET_UNREACH: + case ICMP_HOST_UNREACH: +@@ -830,8 +831,16 @@ static bool icmp_unreach(struct sk_buff + } + if (icmph->code > NR_ICMP_UNREACH) + goto out; +- } else if (icmph->type == ICMP_PARAMETERPROB) ++ break; ++ case ICMP_PARAMETERPROB: + info = ntohl(icmph->un.gateway) >> 24; ++ break; ++ case ICMP_TIME_EXCEEDED: ++ __ICMP_INC_STATS(net, ICMP_MIB_INTIMEEXCDS); ++ if (icmph->code == ICMP_EXC_FRAGTIME) ++ goto out; ++ break; ++ } + + /* + * Throw it at our lower layers diff --git a/queue-4.9/input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch b/queue-4.9/input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch new file mode 100644 index 00000000000..2ab37ac4fbc --- /dev/null +++ b/queue-4.9/input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch 
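Review bot: The new `switch (icmph->type)` in `icmp_unreach` has no `default:` arm, so `ICMP_QUENCH` (named in the header comment) and any other type routed here fall through silently to the lower-layer delivery; an explicit `default: break;` would show that this is intended. The `ICMP_EXC_FRAGTIME` drop also needs a why-comment, because the reasoning is only in the commit message, for example `/* Fragment reassembly timeout: count it, but do not report an error to the upper layers */`. These messages are unauthenticated input, so it is worth stating in the same comment that every other time-exceeded code still reaches the error handlers as before. The function continues outside the hunk.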
@@ -0,0 +1,41 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Dmitry Torokhov +Date: Tue, 28 Feb 2017 17:14:41 -0800 +Subject: Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list + +From: Dmitry Torokhov + + +[ Upstream commit a4c2a13129f7c5bcf81704c06851601593303fd5 ] + +TUXEDO BU1406 does not implement active multiplexing mode properly, +and takes around 550 ms in i8042_set_mux_mode(). Given that the +device does not have external AUX port, there is no downside in +disabling the MUX mode. + +Reported-by: Paul Menzel +Suggested-by: Vojtech Pavlik +Reviewed-by: Marcos Paulo de Souza +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -520,6 +520,13 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"), + }, + }, ++ { ++ /* TUXEDO BU1406 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"), ++ }, ++ }, + { } + }; + diff --git a/queue-4.9/intel_th-pci-add-gemini-lake-support.patch b/queue-4.9/intel_th-pci-add-gemini-lake-support.patch new file mode 100644 index 00000000000..f996dff3fef --- /dev/null +++ b/queue-4.9/intel_th-pci-add-gemini-lake-support.patch 
@@ -0,0 +1,33 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Alexander Shishkin +Date: Thu, 30 Jun 2016 16:10:51 +0300 +Subject: intel_th: pci: Add Gemini Lake support + +From: Alexander Shishkin + + +[ Upstream commit 340837f985c2cb87ca0868d4aa9ce42b0fab3a21 ] + +This adds Intel(R) Trace Hub PCI ID for Gemini Lake SOC. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -95,6 +95,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6), + .driver_data = (kernel_ulong_t)0, + }, ++ { ++ /* Gemini Lake */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), ++ .driver_data = (kernel_ulong_t)0, ++ }, + { 0 }, + }; + diff --git a/queue-4.9/iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch b/queue-4.9/iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch new file mode 100644 index 00000000000..c87c71fe85d --- /dev/null +++ b/queue-4.9/iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch 
@@ -0,0 +1,34 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Gary R Hook +Date: Fri, 3 Nov 2017 10:50:34 -0600 +Subject: iommu/amd: Limit the IOVA page range to the specified addresses + +From: Gary R Hook + + +[ Upstream commit b92b4fb5c14257c0e7eae291ecc1f7b1962e1699 ] + +The extent of pages specified when applying a reserved region should +include up to the last page of the range, but not the page following +the range. + +Signed-off-by: Gary R Hook +Fixes: 8d54d6c8b8f3 ('iommu/amd: Implement apply_dm_region call-back') +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -3211,7 +3211,7 @@ static void amd_iommu_apply_dm_region(st + unsigned long start, end; + + start = IOVA_PFN(region->start); +- end = IOVA_PFN(region->start + region->length); ++ end = IOVA_PFN(region->start + region->length - 1); + + WARN_ON_ONCE(reserve_iova(&dma_dom->iovad, start, end) == NULL); + } diff --git a/queue-4.9/iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch b/queue-4.9/iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch new file mode 100644 index 00000000000..f3a8c3a6ae3 --- /dev/null +++ b/queue-4.9/iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch 
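Review bot: In `amd_iommu_apply_dm_region`, `region->start + region->length - 1` wraps when `region->length` is 0, which would make `end` lower than `start` (or very large when `start` is also 0) before it is handed to `reserve_iova()`. The hunk does not show whether zero-length regions are filtered out earlier, so either confirm that or guard it locally with `if (!region->length) return;`. A one-line comment such as `/* end is inclusive: last pfn covered by the region */` would also make the off-by-one fix self-explanatory.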
@@ -0,0 +1,40 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Oleksandr Tyshchenko +Date: Mon, 27 Feb 2017 14:30:26 +0200 +Subject: iommu/io-pgtable-arm-v7s: Check for leaf entry before dereferencing it + +From: Oleksandr Tyshchenko + + +[ Upstream commit a03849e7210277fa212779b7cd9c30e1ab6194b2 ] + +Do a check for already installed leaf entry at the current level before +dereferencing it in order to avoid walking the page table down with +wrong pointer to the next level. + +Signed-off-by: Oleksandr Tyshchenko +CC: Will Deacon +CC: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/io-pgtable-arm-v7s.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/io-pgtable-arm-v7s.c ++++ b/drivers/iommu/io-pgtable-arm-v7s.c +@@ -418,8 +418,12 @@ static int __arm_v7s_map(struct arm_v7s_ + pte |= ARM_V7S_ATTR_NS_TABLE; + + __arm_v7s_set_pte(ptep, pte, 1, cfg); +- } else { ++ } else if (ARM_V7S_PTE_IS_TABLE(pte, lvl)) { + cptep = iopte_deref(pte, lvl); ++ } else { ++ /* We require an unmap first */ ++ WARN_ON(!selftest_running); ++ return -EEXIST; + } + + /* Rinse, repeat */ diff --git a/queue-4.9/iommu-mediatek-fix-driver-name.patch b/queue-4.9/iommu-mediatek-fix-driver-name.patch new file mode 100644 index 00000000000..d501176673e --- /dev/null +++ b/queue-4.9/iommu-mediatek-fix-driver-name.patch 
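Review bot: The added `WARN_ON(!selftest_running);` in `__arm_v7s_map` fires on every attempt to map over an existing leaf entry, not just the first. Whether such a request can be driven repeatedly by a less trusted caller is not visible from the hunk; if it can, this floods the log and becomes fatal on systems running with panic_on_warn. `WARN_ON_ONCE(!selftest_running);` keeps the diagnostic while bounding that. The function starts and ends outside the hunk.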
@@ -0,0 +1,39 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Matthias Brugger +Date: Mon, 30 Oct 2017 12:37:55 +0100 +Subject: iommu/mediatek: Fix driver name + +From: Matthias Brugger + + +[ Upstream commit 395df08d2e1de238a9c8c33fdcd0e2160efd63a9 ] + +There exist two Mediatek iommu drivers for the two different +generations of the device. But both drivers have the same name +"mtk-iommu". This breaks the registration of the second driver: + +Error: Driver 'mtk-iommu' is already registered, aborting... + +Fix this by changing the name for first generation to +"mtk-iommu-v1". + +Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW") +Signed-off-by: Matthias Brugger +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/mtk_iommu_v1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/mtk_iommu_v1.c ++++ b/drivers/iommu/mtk_iommu_v1.c +@@ -703,7 +703,7 @@ static struct platform_driver mtk_iommu_ + .probe = mtk_iommu_probe, + .remove = mtk_iommu_remove, + .driver = { +- .name = "mtk-iommu", ++ .name = "mtk-iommu-v1", + .of_match_table = mtk_iommu_of_ids, + .pm = &mtk_iommu_pm_ops, + } diff --git a/queue-4.9/irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch b/queue-4.9/irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch new file mode 100644 index 00000000000..0525cbf9b65 --- /dev/null +++ b/queue-4.9/irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Arnd Bergmann +Date: Tue, 14 Mar 2017 13:54:12 +0100 +Subject: irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN + +From: Arnd Bergmann + + +[ Upstream commit fa23b9d1b89fdc34f296f02e496a20aeff5736be ] + +This driver uses the MSI domain but has no strict dependency on PCI_MSI, so we +may run into a build failure when CONFIG_GENERIC_MSI_IRQ_DOMAIN is disabled: + +drivers/irqchip/irq-mvebu-odmi.c:152:15: error: variable 'odmi_msi_ops' has initializer but incomplete type + static struct msi_domain_ops odmi_msi_ops = { + ^~~~~~~~~~~~~~ +drivers/irqchip/irq-mvebu-odmi.c:155:15: error: variable 'odmi_msi_domain_info' has initializer but incomplete type + static struct msi_domain_info odmi_msi_domain_info = { + ^~~~~~~~~~~~~~~ +drivers/irqchip/irq-mvebu-odmi.c:156:3: error: 'struct msi_domain_info' has no member named 'flags' + .flags = (MSI_FLAG_USE_DEF_DOM_OPS | MSI_FLAG_USE_DEF_CHIP_OPS), + ^~~~~ +drivers/irqchip/irq-mvebu-odmi.c:156:12: error: 'MSI_FLAG_USE_DEF_DOM_OPS' undeclared here (not in a function) + .flags = (MSI_FLAG_USE_DEF_DOM_OPS | MSI_FLAG_USE_DEF_CHIP_OPS), + ^~~~~~~~~~~~~~~~~~~~~~~~ +drivers/irqchip/irq-mvebu-odmi.c:156:39: error: 'MSI_FLAG_USE_DEF_CHIP_OPS' undeclared here (not in a function); did you mean 'MSI_FLAG_USE_DEF_DOM_OPS'? + +Selecting the option from this driver seems to solve this nicely, though I could +not find any other instance of this in irqchip drivers. + +Signed-off-by: Arnd Bergmann +Acked-by: Thomas Petazzoni +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -258,6 +258,7 @@ config IRQ_MXS + + config MVEBU_ODMI + bool ++ select GENERIC_MSI_IRQ_DOMAIN + + config MVEBU_PIC + bool 
diff --git a/queue-4.9/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch b/queue-4.9/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch new file mode 100644 index 00000000000..22d48523660 --- /dev/null +++ b/queue-4.9/iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: tangwenji +Date: Fri, 15 Sep 2017 16:03:13 +0800 +Subject: iscsi-target: fix memory leak in lio_target_tiqn_addtpg() + +From: tangwenji + + +[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ] + +tpg must free when call core_tpg_register() return fail + +Signed-off-by: tangwenji +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_configfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -1144,7 +1144,7 @@ static struct se_portal_group *lio_targe + + ret = core_tpg_register(wwn, &tpg->tpg_se_tpg, SCSI_PROTOCOL_ISCSI); + if (ret < 0) +- return NULL; ++ goto free_out; + + ret = iscsit_tpg_add_portal_group(tiqn, tpg); + if (ret != 0) +@@ -1156,6 +1156,7 @@ static struct se_portal_group *lio_targe + return &tpg->tpg_se_tpg; + out: + core_tpg_deregister(&tpg->tpg_se_tpg); ++free_out: + kfree(tpg); + return NULL; + } diff --git a/queue-4.9/iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch b/queue-4.9/iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch new file mode 100644 index 00000000000..496794dd00f --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch 
@@ -0,0 +1,229 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Sara Sharon +Date: Tue, 14 Mar 2017 09:50:35 +0200 +Subject: iwlwifi: mvm: cleanup pending frames in DQA mode + +From: Sara Sharon + + +[ Upstream commit 9a3fcf912ef7f5c6e18f9af6875dd13f7311f7aa ] + +When a station is asleep, the fw will set it as "asleep". +All queues that are used only by one station will be stopped by +the fw. + +In pre-DQA mode this was relevant for aggregation queues. However, +in DQA mode a queue is owned by one station only, so all queues +will be stopped. +As a result, we don't expect to get filtered frames back to +mac80211 and don't have to maintain the entire pending_frames +state logic, the same way as we do in aggregations. + +The correct behavior is to align DQA behavior with the aggregation +queue behaviour pre-DQA: +- Don't count pending frames. +- Let mac80211 know we have frames in these queues so that it can +properly handle trigger frames. + +When a trigger frame is received, mac80211 tells the driver to send +frames from the queues using release_buffered_frames. +The driver will tell the fw to let frames out even if the station +is asleep. This is done by iwl_mvm_sta_modify_sleep_tx_count. 
+ +Reported-and-tested-by: Jens Axboe +Reported-by: Linus Torvalds +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 +- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 11 +++-- + drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 2 - + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 41 +++++++++------------- + 4 files changed, 28 insertions(+), 31 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -2320,7 +2320,7 @@ iwl_mvm_mac_release_buffered_frames(stru + { + struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw); + +- /* Called when we need to transmit (a) frame(s) from agg queue */ ++ /* Called when we need to transmit (a) frame(s) from agg or dqa queue */ + + iwl_mvm_sta_modify_sleep_tx_count(mvm, sta, reason, num_frames, + tids, more_data, true); +@@ -2340,7 +2340,8 @@ static void iwl_mvm_mac_sta_notify(struc + for (tid = 0; tid < IWL_MAX_TID_COUNT; tid++) { + struct iwl_mvm_tid_data *tid_data = &mvmsta->tid_data[tid]; + +- if (tid_data->state != IWL_AGG_ON && ++ if (!iwl_mvm_is_dqa_supported(mvm) && ++ tid_data->state != IWL_AGG_ON && + tid_data->state != IWL_EMPTYING_HW_QUEUE_DELBA) + continue; + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -3032,7 +3032,7 @@ void iwl_mvm_sta_modify_sleep_tx_count(s + struct ieee80211_sta *sta, + enum ieee80211_frame_release_type reason, + u16 cnt, u16 tids, bool more_data, +- bool agg) ++ bool single_sta_queue) + { + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); + struct iwl_mvm_add_sta_cmd cmd = { +@@ -3052,14 +3052,14 @@ void iwl_mvm_sta_modify_sleep_tx_count(s + for_each_set_bit(tid, &_tids, IWL_MAX_TID_COUNT) + cmd.awake_acs |= BIT(tid_to_ucode_ac[tid]); + +- /* If we're releasing frames from aggregation queues then 
check if the +- * all queues combined that we're releasing frames from have ++ /* If we're releasing frames from aggregation or dqa queues then check ++ * if all the queues that we're releasing frames from, combined, have: + * - more frames than the service period, in which case more_data + * needs to be set + * - fewer than 'cnt' frames, in which case we need to adjust the + * firmware command (but do that unconditionally) + */ +- if (agg) { ++ if (single_sta_queue) { + int remaining = cnt; + int sleep_tx_count; + +@@ -3069,7 +3069,8 @@ void iwl_mvm_sta_modify_sleep_tx_count(s + u16 n_queued; + + tid_data = &mvmsta->tid_data[tid]; +- if (WARN(tid_data->state != IWL_AGG_ON && ++ if (WARN(!iwl_mvm_is_dqa_supported(mvm) && ++ tid_data->state != IWL_AGG_ON && + tid_data->state != IWL_EMPTYING_HW_QUEUE_DELBA, + "TID %d state is %d\n", + tid, tid_data->state)) { +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.h +@@ -545,7 +545,7 @@ void iwl_mvm_sta_modify_sleep_tx_count(s + struct ieee80211_sta *sta, + enum ieee80211_frame_release_type reason, + u16 cnt, u16 tids, bool more_data, +- bool agg); ++ bool single_sta_queue); + int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta, + bool drain); + void iwl_mvm_sta_modify_disable_tx(struct iwl_mvm *mvm, +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -7,7 +7,7 @@ + * + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH +- * Copyright(c) 2016 Intel Deutschland GmbH ++ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -34,6 +34,7 @@ + * + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. 
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH ++ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -621,8 +622,10 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + * values. + * Note that we don't need to make sure it isn't agg'd, since we're + * TXing non-sta ++ * For DQA mode - we shouldn't increase it though + */ +- atomic_inc(&mvm->pending_frames[sta_id]); ++ if (!iwl_mvm_is_dqa_supported(mvm)) ++ atomic_inc(&mvm->pending_frames[sta_id]); + + return 0; + } +@@ -1009,11 +1012,8 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv + + spin_unlock(&mvmsta->lock); + +- /* Increase pending frames count if this isn't AMPDU */ +- if ((iwl_mvm_is_dqa_supported(mvm) && +- mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_ON && +- mvmsta->tid_data[tx_cmd->tid_tspec].state != IWL_AGG_STARTING) || +- (!iwl_mvm_is_dqa_supported(mvm) && !is_ampdu)) ++ /* Increase pending frames count if this isn't AMPDU or DQA queue */ ++ if (!iwl_mvm_is_dqa_supported(mvm) && !is_ampdu) + atomic_inc(&mvm->pending_frames[mvmsta->sta_id]); + + return 0; +@@ -1083,12 +1083,13 @@ static void iwl_mvm_check_ratid_empty(st + lockdep_assert_held(&mvmsta->lock); + + if ((tid_data->state == IWL_AGG_ON || +- tid_data->state == IWL_EMPTYING_HW_QUEUE_DELBA) && ++ tid_data->state == IWL_EMPTYING_HW_QUEUE_DELBA || ++ iwl_mvm_is_dqa_supported(mvm)) && + iwl_mvm_tid_queued(tid_data) == 0) { + /* +- * Now that this aggregation queue is empty tell mac80211 so it +- * knows we no longer have frames buffered for the station on +- * this TID (for the TIM bitmap calculation.) ++ * Now that this aggregation or DQA queue is empty tell ++ * mac80211 so it knows we no longer have frames buffered for ++ * the station on this TID (for the TIM bitmap calculation.) 
+ */ + ieee80211_sta_set_buffered(sta, tid, false); + } +@@ -1261,7 +1262,6 @@ static void iwl_mvm_rx_tx_cmd_single(str + u8 skb_freed = 0; + u16 next_reclaimed, seq_ctl; + bool is_ndp = false; +- bool txq_agg = false; /* Is this TXQ aggregated */ + + __skb_queue_head_init(&skbs); + +@@ -1287,6 +1287,10 @@ static void iwl_mvm_rx_tx_cmd_single(str + info->flags |= IEEE80211_TX_STAT_ACK; + break; + case TX_STATUS_FAIL_DEST_PS: ++ /* In DQA, the FW should have stopped the queue and not ++ * return this status ++ */ ++ WARN_ON(iwl_mvm_is_dqa_supported(mvm)); + info->flags |= IEEE80211_TX_STAT_TX_FILTERED; + break; + default: +@@ -1391,15 +1395,6 @@ static void iwl_mvm_rx_tx_cmd_single(str + bool send_eosp_ndp = false; + + spin_lock_bh(&mvmsta->lock); +- if (iwl_mvm_is_dqa_supported(mvm)) { +- enum iwl_mvm_agg_state state; +- +- state = mvmsta->tid_data[tid].state; +- txq_agg = (state == IWL_AGG_ON || +- state == IWL_EMPTYING_HW_QUEUE_DELBA); +- } else { +- txq_agg = txq_id >= mvm->first_agg_queue; +- } + + if (!is_ndp) { + tid_data->next_reclaimed = next_reclaimed; +@@ -1456,11 +1451,11 @@ static void iwl_mvm_rx_tx_cmd_single(str + * If the txq is not an AMPDU queue, there is no chance we freed + * several skbs. Check that out... + */ +- if (txq_agg) ++ if (iwl_mvm_is_dqa_supported(mvm) || txq_id >= mvm->first_agg_queue) + goto out; + + /* We can't free more than one frame at once on a shared queue */ +- WARN_ON(!iwl_mvm_is_dqa_supported(mvm) && (skb_freed > 1)); ++ WARN_ON(skb_freed > 1); + + /* If we have still frames for this STA nothing to do here */ + if (!atomic_sub_and_test(skb_freed, &mvm->pending_frames[sta_id])) diff --git a/queue-4.9/kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch b/queue-4.9/kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch new file mode 100644 index 00000000000..b641e6c2236 --- /dev/null +++ b/queue-4.9/kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch 
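Review bot: In `iwl_mvm_rx_tx_cmd_single`, the new `WARN_ON(iwl_mvm_is_dqa_supported(mvm));` under `case TX_STATUS_FAIL_DEST_PS:` is driven by a status value that the firmware reports per frame, so a firmware that does return this status in DQA mode would produce one full warning per affected frame. `WARN_ON_ONCE(iwl_mvm_is_dqa_supported(mvm));` reports the unexpected state without letting device-supplied data flood the log or trip panic_on_warn repeatedly. The same consideration applies to the now unconditional `WARN_ON(skb_freed > 1);` further down. Both functions extend beyond the hunks shown.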
@@ -0,0 +1,72 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Radim Krčmář +Date: Tue, 7 Mar 2017 17:51:49 +0100 +Subject: KVM: nVMX: do not warn when MSR bitmap address is not backed + +From: Radim Krčmář + + +[ Upstream commit 05d8d34611139f8435af90ac54b65eb31e82e388 ] + +Before trying to do nested_get_page() in nested_vmx_merge_msr_bitmap(), +we have already checked that the MSR bitmap address is valid (4k aligned +and within physical limits). SDM doesn't specify what happens if the +there is no memory mapped at the valid address, but Intel CPUs treat the +situation as if the bitmap was configured to trap all MSRs. + +KVM already does that by returning false and a correct handling doesn't +need the guest-trigerrable warning that was reported by syzkaller: +(The warning was originally there to catch some possible bugs in nVMX.) + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 7832 at arch/x86/kvm/vmx.c:9709 + nested_vmx_merge_msr_bitmap arch/x86/kvm/vmx.c:9709 [inline] + WARNING: CPU: 0 PID: 7832 at arch/x86/kvm/vmx.c:9709 + nested_get_vmcs12_pages+0xfb6/0x15c0 arch/x86/kvm/vmx.c:9640 + Kernel panic - not syncing: panic_on_warn set ... 
+ CPU: 0 PID: 7832 Comm: syz-executor1 Not tainted 4.10.0+ #229 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:15 [inline] + dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 + panic+0x1fb/0x412 kernel/panic.c:179 + __warn+0x1c4/0x1e0 kernel/panic.c:540 + warn_slowpath_null+0x2c/0x40 kernel/panic.c:583 + nested_vmx_merge_msr_bitmap arch/x86/kvm/vmx.c:9709 [inline] + nested_get_vmcs12_pages+0xfb6/0x15c0 arch/x86/kvm/vmx.c:9640 + enter_vmx_non_root_mode arch/x86/kvm/vmx.c:10471 [inline] + nested_vmx_run+0x6186/0xaab0 arch/x86/kvm/vmx.c:10561 + handle_vmlaunch+0x1a/0x20 arch/x86/kvm/vmx.c:7312 + vmx_handle_exit+0xfc0/0x3f00 arch/x86/kvm/vmx.c:8526 + vcpu_enter_guest arch/x86/kvm/x86.c:6982 [inline] + vcpu_run arch/x86/kvm/x86.c:7044 [inline] + kvm_arch_vcpu_ioctl_run+0x1418/0x4840 arch/x86/kvm/x86.c:7205 + kvm_vcpu_ioctl+0x673/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2570 + +Reported-by: Dmitry Vyukov +Reviewed-by: Jim Mattson +[Jim Mattson explained the bare metal behavior: "I believe this behavior + would be documented in the chipset data sheet rather than the SDM, + since the chipset returns all 1s for an unclaimed read."] +Signed-off-by: Radim Krčmář + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9543,10 +9543,8 @@ static inline bool nested_vmx_merge_msr_ + return false; + + page = nested_get_page(vcpu, vmcs12->msr_bitmap); +- if (!page) { +- WARN_ON(1); ++ if (!page) + return false; +- } + msr_bitmap_l1 = (unsigned long *)kmap(page); + if (!msr_bitmap_l1) { + nested_release_page_clean(page); diff --git a/queue-4.9/l2tp-cleanup-l2tp_tunnel_delete-calls.patch b/queue-4.9/l2tp-cleanup-l2tp_tunnel_delete-calls.patch new file mode 100644 index 00000000000..c70d86d79f6 --- /dev/null 
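Review bot: After this change the `if (!page) return false;` in `nested_vmx_merge_msr_bitmap` carries no hint of why a missing page is not an error, and the explanation lives only in the commit message. A comment would stop the warning from being reintroduced, for example `/* Guest-controlled address with no backing memory: not a KVM bug; returning false is handled like a bitmap that traps all MSRs. */`. The claim about how `false` is handled comes from the commit text, since the caller is not in the hunk, so it should be checked against the call site. The function body continues outside the hunk.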
+++ b/queue-4.9/l2tp-cleanup-l2tp_tunnel_delete-calls.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Jiri Slaby +Date: Wed, 25 Oct 2017 15:57:55 +0200 +Subject: l2tp: cleanup l2tp_tunnel_delete calls + +From: Jiri Slaby + + +[ Upstream commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c ] + +l2tp_tunnel_delete does not return anything since commit 62b982eeb458 +("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of +l2tp_tunnel_delete still do casts to void to avoid unused return value +warnings. + +Kill these now useless casts. + +Signed-off-by: Jiri Slaby +Cc: Sabrina Dubroca +Cc: Guillaume Nault +Cc: David S. Miller +Cc: netdev@vger.kernel.org +Acked-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 2 +- + net/l2tp/l2tp_netlink.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1944,7 +1944,7 @@ static __net_exit void l2tp_exit_net(str + + rcu_read_lock_bh(); + list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- (void)l2tp_tunnel_delete(tunnel); ++ l2tp_tunnel_delete(tunnel); + } + rcu_read_unlock_bh(); + +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -287,7 +287,7 @@ static int l2tp_nl_cmd_tunnel_delete(str + l2tp_tunnel_notify(&l2tp_nl_family, info, + tunnel, L2TP_CMD_TUNNEL_DELETE); + +- (void) l2tp_tunnel_delete(tunnel); ++ l2tp_tunnel_delete(tunnel); + + out: + return ret; diff --git a/queue-4.9/macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch b/queue-4.9/macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch new file mode 100644 index 00000000000..a139687ed3c --- /dev/null +++ b/queue-4.9/macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch 
@@ -0,0 +1,40 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Alexander Duyck +Date: Fri, 13 Oct 2017 13:40:24 -0700 +Subject: macvlan: Only deliver one copy of the frame to the macvlan interface + +From: Alexander Duyck + + +[ Upstream commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea ] + +This patch intoduces a slight adjustment for macvlan to address the fact +that in source mode I was seeing two copies of any packet addressed to the +macvlan interface being delivered where there should have been only one. + +The issue appears to be that one copy was delivered based on the source MAC +address and then the second copy was being delivered based on the +destination MAC address. To fix it I am just treating a unicast address +match as though it is not a match since source based macvlan isn't supposed +to be matching based on the destination MAC anyway. + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Signed-off-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -452,7 +452,7 @@ static rx_handler_result_t macvlan_handl + struct macvlan_dev, list); + else + vlan = macvlan_hash_lookup(port, eth->h_dest); +- if (vlan == NULL) ++ if (!vlan || vlan->mode == MACVLAN_MODE_SOURCE) + return RX_HANDLER_PASS; + + dev = vlan->dev; diff --git a/queue-4.9/md-cluster-free-md_cluster_info-if-node-leave-cluster.patch b/queue-4.9/md-cluster-free-md_cluster_info-if-node-leave-cluster.patch new file mode 100644 index 00000000000..70fdf6b1568 --- /dev/null +++ b/queue-4.9/md-cluster-free-md_cluster_info-if-node-leave-cluster.patch 
@@ -0,0 +1,32 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Guoqing Jiang +Date: Fri, 24 Feb 2017 11:15:12 +0800 +Subject: md-cluster: free md_cluster_info if node leave cluster + +From: Guoqing Jiang + + +[ Upstream commit 9c8043f337f14d1743006dfc59c03e80a42e3884 ] + +To avoid memory leak, we need to free the cinfo which +is allocated when node join cluster. + +Reviewed-by: NeilBrown +Signed-off-by: Guoqing Jiang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-cluster.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -974,6 +974,7 @@ static int leave(struct mddev *mddev) + lockres_free(cinfo->bitmap_lockres); + unlock_all_bitmaps(mddev); + dlm_release_lockspace(cinfo->lockspace, 2); ++ kfree(cinfo); + return 0; + } + diff --git a/queue-4.9/mlxsw-reg-fix-spvm-max-record-count.patch b/queue-4.9/mlxsw-reg-fix-spvm-max-record-count.patch new file mode 100644 index 00000000000..f2374b09bc6 --- /dev/null +++ b/queue-4.9/mlxsw-reg-fix-spvm-max-record-count.patch 
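Review bot: `kfree(cinfo);` at the end of `leave()` frees the structure but leaves the reference it was read from in place. The assignment of `cinfo` is outside the hunk; presumably it comes from `mddev->cluster_info`, in which case that pointer now dangles. A second `leave()` or any later reader of it would then be a use-after-free or double free. Clearing it together with the free, `mddev->cluster_info = NULL;` before `kfree(cinfo);`, closes that window, assuming nothing else still holds `cinfo` at this point.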
@@ -0,0 +1,34 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Jiri Pirko +Date: Tue, 14 Mar 2017 14:00:00 +0100 +Subject: mlxsw: reg: Fix SPVM max record count + +From: Jiri Pirko + + +[ Upstream commit f004ec065b4879d6bc9ba0211af2169b3ce3097f ] + +The num_rec field is 8 bit, so the maximal count number is 255. This +fixes vlans not being enabled for wider ranges than 255. + +Fixes: b2e345f9a454 ("mlxsw: reg: Add Switch Port VID and Switch Port VLAN Membership registers definitions") +Signed-off-by: Jiri Pirko +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h +@@ -788,7 +788,7 @@ static inline void mlxsw_reg_spvid_pack( + #define MLXSW_REG_SPVM_ID 0x200F + #define MLXSW_REG_SPVM_BASE_LEN 0x04 /* base length, without records */ + #define MLXSW_REG_SPVM_REC_LEN 0x04 /* record length */ +-#define MLXSW_REG_SPVM_REC_MAX_COUNT 256 ++#define MLXSW_REG_SPVM_REC_MAX_COUNT 255 + #define MLXSW_REG_SPVM_LEN (MLXSW_REG_SPVM_BASE_LEN + \ + MLXSW_REG_SPVM_REC_LEN * MLXSW_REG_SPVM_REC_MAX_COUNT) + diff --git a/queue-4.9/mlxsw-reg-fix-spvmlr-max-record-count.patch b/queue-4.9/mlxsw-reg-fix-spvmlr-max-record-count.patch new file mode 100644 index 00000000000..a7ecebd96d1 --- /dev/null +++ b/queue-4.9/mlxsw-reg-fix-spvmlr-max-record-count.patch 
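Review bot: The new value of `MLXSW_REG_SPVM_REC_MAX_COUNT` is tied to the 8-bit width of `num_rec`, but that link exists only in the commit message. A trailing comment on the define, `/* num_rec is an 8-bit field */`, would keep the constant from being rounded back to 256 later. The same applies to `MLXSW_REG_SPVMLR_REC_MAX_COUNT` in the patch that follows. The pack helpers are not in either hunk, so it is worth confirming that callers clamp their record count to these macros before the value is written into the field.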
@@ -0,0 +1,34 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Jiri Pirko
+Date: Tue, 14 Mar 2017 14:00:01 +0100
+Subject: mlxsw: reg: Fix SPVMLR max record count
+
+From: Jiri Pirko
+
+
+[ Upstream commit e9093b1183bbac462d2caef3eac165778c0b1bf1 ]
+
+The num_rec field is 8 bit, so the maximal count number is 255.
+This fixes vlans learning not being enabled for wider ranges than 255.
+
+Fixes: a4feea74cd7a ("mlxsw: reg: Add Switch Port VLAN MAC Learning register definition")
+Signed-off-by: Jiri Pirko
+Reviewed-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -1757,7 +1757,7 @@ static inline void mlxsw_reg_sfmr_pack(c
+ #define MLXSW_REG_SPVMLR_ID 0x2020
+ #define MLXSW_REG_SPVMLR_BASE_LEN 0x04 /* base length, without records */
+ #define MLXSW_REG_SPVMLR_REC_LEN 0x04 /* record length */
+-#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 256
++#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 255
+ #define MLXSW_REG_SPVMLR_LEN (MLXSW_REG_SPVMLR_BASE_LEN + \
+ MLXSW_REG_SPVMLR_REC_LEN * \
+ MLXSW_REG_SPVMLR_REC_MAX_COUNT)
diff --git a/queue-4.9/mm-handle-0-flags-in-_calc_vm_trans-macro.patch b/queue-4.9/mm-handle-0-flags-in-_calc_vm_trans-macro.patch
new file mode 100644
index 00000000000..9f55117b229
--- /dev/null
+++ b/queue-4.9/mm-handle-0-flags-in-_calc_vm_trans-macro.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jan Kara
+Date: Fri, 3 Nov 2017 12:21:21 +0100
+Subject: mm: Handle 0 flags in _calc_vm_trans() macro
+
+From: Jan Kara
+
+
+[ Upstream commit 592e254502041f953e84d091eae2c68cba04c10b ]
+
+_calc_vm_trans() does not handle the situation when some of the passed
+flags are 0 (which can happen if these VM flags do not make sense for
+the architecture). Improve the _calc_vm_trans() macro to return 0 in
+such situation. Since all passed flags are constant, this does not add
+any runtime overhead.
+
+Signed-off-by: Jan Kara
+Signed-off-by: Dan Williams
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/mman.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mman.h
++++ b/include/linux/mman.h
+@@ -63,8 +63,9 @@ static inline bool arch_validate_prot(un
+ * ("bit1" and "bit2" must be single bits)
+ */
+ #define _calc_vm_trans(x, bit1, bit2) \
++ ((!(bit1) || !(bit2)) ? 0 : \
+ ((bit1) <= (bit2) ? ((x) & (bit1)) * ((bit2) / (bit1)) \
+- : ((x) & (bit1)) / ((bit1) / (bit2)))
++ : ((x) & (bit1)) / ((bit1) / (bit2))))
+ 
+ /*
+ * Combine the mmap "prot" argument into "vm_flags" used internally.
diff --git a/queue-4.9/mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch b/queue-4.9/mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch
new file mode 100644
index 00000000000..d01dcd73a40
--- /dev/null
+++ b/queue-4.9/mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch
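Review bot: The comment kept above `_calc_vm_trans()` still reads `("bit1" and "bit2" must be single bits)`, which no longer describes the macro now that a zero flag is accepted and yields 0. Suggest updating it to `("bit1" and "bit2" must be single bits or 0; the result is 0 if either is 0)`. The added guard also evaluates `bit1` and `bit2` once more each, which is harmless only while callers pass constants as the commit message states, so the comment could say that the arguments are expected to be compile-time constants.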
@@ -0,0 +1,51 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: yong mao
+Date: Sat, 4 Mar 2017 15:10:03 +0800
+Subject: mmc: mediatek: Fixed bug where clock frequency could be set wrong
+
+From: yong mao
+
+
+[ Upstream commit 40ceda09c8c84694c2ca6b00bcc6dc71e8e62d96 ]
+
+This patch can fix two issues:
+
+Issue 1:
+In previous code, div may be overflow when setting clock frequency
+as f_min. We can use DIV_ROUND_UP to fix this boundary related
+issue.
+
+Issue 2:
+In previous code, we can not set the correct clock frequency when
+div equals 0xff.
+
+Signed-off-by: Yong Mao
+Signed-off-by: Chaotian Jing
+Reviewed-by: Daniel Kurtz
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -579,7 +579,7 @@ static void msdc_set_mclk(struct msdc_ho
+ }
+ }
+ sdr_set_field(host->base + MSDC_CFG, MSDC_CFG_CKMOD | MSDC_CFG_CKDIV,
+- (mode << 8) | (div % 0xff));
++ (mode << 8) | div);
+ sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+ while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+ cpu_relax();
+@@ -1562,7 +1562,7 @@ static int msdc_drv_probe(struct platfor
+ host->src_clk_freq = clk_get_rate(host->src_clk);
+ /* Set host parameters to mmc */
+ mmc->ops = &mt_msdc_ops;
+- mmc->f_min = host->src_clk_freq / (4 * 255);
++ mmc->f_min = DIV_ROUND_UP(host->src_clk_freq, 4 * 255);
+ 
+ mmc->caps |= MMC_CAP_ERASE | MMC_CAP_CMD23;
+ /* MMC core transfer sizes tunable parameters */
diff --git a/queue-4.9/net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch b/queue-4.9/net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch
new file mode 100644
index 00000000000..804a45e46c3
--- /dev/null
+++ b/queue-4.9/net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch
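Review bot: In the first hunk `div` is now ORed into the field value with no bound, so a value above 0xff would spill into the `mode` bits at `(mode << 8)` unless sdr_set_field() or the hardware masks it; the old `% 0xff` was wrong for 0xff but did keep the value in range. The computation of `div` is outside the hunk, so the new `f_min` in the second hunk may already guarantee the bound, but that guarantee is not visible here. A guard before the write, such as `if (WARN_ON(div > 0xff)) div = 0xff;`, or a comment naming where the bound comes from, would make it explicit. msdc_set_mclk() begins outside the hunk.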
@@ -0,0 +1,46 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:44 -0800 +Subject: net: bcmgenet: correct MIB access of UniMAC RUNT counters + +From: Doug Berger + + +[ Upstream commit 1ad3d225e5a40ca6c586989b4baaca710544c15a ] + +The gap between the Tx status counters and the Rx RUNT counters is now +being added to allow correct reporting of the registers. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -876,13 +876,16 @@ static void bcmgenet_update_mib_counters + case BCMGENET_STAT_NETDEV: + case BCMGENET_STAT_SOFT: + continue; +- case BCMGENET_STAT_MIB_RX: +- case BCMGENET_STAT_MIB_TX: + case BCMGENET_STAT_RUNT: +- if (s->type != BCMGENET_STAT_MIB_RX) +- offset = BCMGENET_STAT_OFFSET; ++ offset += BCMGENET_STAT_OFFSET; ++ /* fall through */ ++ case BCMGENET_STAT_MIB_TX: ++ offset += BCMGENET_STAT_OFFSET; ++ /* fall through */ ++ case BCMGENET_STAT_MIB_RX: + val = bcmgenet_umac_readl(priv, + UMAC_MIB_START + j + offset); ++ offset = 0; /* Reset Offset */ + break; + case BCMGENET_STAT_MISC: + if (GENET_IS_V1(priv)) { diff --git a/queue-4.9/net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch b/queue-4.9/net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch new file mode 100644 index 00000000000..850d16d54a8 --- /dev/null +++ b/queue-4.9/net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch 
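Review bot: The switch now accumulates into `offset` through two fall-throughs and relies on `offset = 0; /* Reset Offset */` after the read to start the next table entry from zero, so correctness depends on `offset` being zero on loop entry, which is set outside the hunk. Deriving the value per case without carrying state across iterations would be easier to verify. At minimum the first case deserves a comment on the layout, e.g. `/* RUNT counters sit two BCMGENET_STAT_OFFSET gaps past the RX block, TX counters one */`; that wording is inferred from the arithmetic in the hunk and should be confirmed against the register map.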
@@ -0,0 +1,147 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:43 -0800 +Subject: net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values + +From: Doug Berger + + +[ Upstream commit ffff71328a3c321f7c14cc1edd33577717037744 ] + +The location of the RBUF overflow and error counters has moved between +different version of the GENET MAC. This commit corrects the driver to +read from the correct locations depending on the version of the GENET +MAC. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 60 ++++++++++++++++++++++--- + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 10 ++-- + 2 files changed, 60 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1,7 +1,7 @@ + /* + * Broadcom GENET (Gigabit Ethernet) controller driver + * +- * Copyright (c) 2014 Broadcom Corporation ++ * Copyright (c) 2014-2017 Broadcom + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -778,8 +778,9 @@ static const struct bcmgenet_stats bcmge + STAT_GENET_RUNT("rx_runt_bytes", mib.rx_runt_bytes), + /* Misc UniMAC counters */ + STAT_GENET_MISC("rbuf_ovflow_cnt", mib.rbuf_ovflow_cnt, +- UMAC_RBUF_OVFL_CNT), +- STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, UMAC_RBUF_ERR_CNT), ++ UMAC_RBUF_OVFL_CNT_V1), ++ STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, ++ UMAC_RBUF_ERR_CNT_V1), + STAT_GENET_MISC("mdf_err_cnt", mib.mdf_err_cnt, UMAC_MDF_ERR_CNT), + STAT_GENET_SOFT_MIB("alloc_rx_buff_failed", mib.alloc_rx_buff_failed), + STAT_GENET_SOFT_MIB("rx_dma_failed", mib.rx_dma_failed), +@@ -821,6 +822,45 @@ static void 
bcmgenet_get_strings(struct + } + } + ++static u32 bcmgenet_update_stat_misc(struct bcmgenet_priv *priv, u16 offset) ++{ ++ u16 new_offset; ++ u32 val; ++ ++ switch (offset) { ++ case UMAC_RBUF_OVFL_CNT_V1: ++ if (GENET_IS_V2(priv)) ++ new_offset = RBUF_OVFL_CNT_V2; ++ else ++ new_offset = RBUF_OVFL_CNT_V3PLUS; ++ ++ val = bcmgenet_rbuf_readl(priv, new_offset); ++ /* clear if overflowed */ ++ if (val == ~0) ++ bcmgenet_rbuf_writel(priv, 0, new_offset); ++ break; ++ case UMAC_RBUF_ERR_CNT_V1: ++ if (GENET_IS_V2(priv)) ++ new_offset = RBUF_ERR_CNT_V2; ++ else ++ new_offset = RBUF_ERR_CNT_V3PLUS; ++ ++ val = bcmgenet_rbuf_readl(priv, new_offset); ++ /* clear if overflowed */ ++ if (val == ~0) ++ bcmgenet_rbuf_writel(priv, 0, new_offset); ++ break; ++ default: ++ val = bcmgenet_umac_readl(priv, offset); ++ /* clear if overflowed */ ++ if (val == ~0) ++ bcmgenet_umac_writel(priv, 0, offset); ++ break; ++ } ++ ++ return val; ++} ++ + static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv) + { + int i, j = 0; +@@ -845,10 +885,16 @@ static void bcmgenet_update_mib_counters + UMAC_MIB_START + j + offset); + break; + case BCMGENET_STAT_MISC: +- val = bcmgenet_umac_readl(priv, s->reg_offset); +- /* clear if overflowed */ +- if (val == ~0) +- bcmgenet_umac_writel(priv, 0, s->reg_offset); ++ if (GENET_IS_V1(priv)) { ++ val = bcmgenet_umac_readl(priv, s->reg_offset); ++ /* clear if overflowed */ ++ if (val == ~0) ++ bcmgenet_umac_writel(priv, 0, ++ s->reg_offset); ++ } else { ++ val = bcmgenet_update_stat_misc(priv, ++ s->reg_offset); ++ } + break; + } + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014 Broadcom Corporation ++ * Copyright (c) 2014-2017 Broadcom + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -214,7 +214,9 @@ struct bcmgenet_mib_counters { + 
#define MDIO_REG_SHIFT 16 + #define MDIO_REG_MASK 0x1F + +-#define UMAC_RBUF_OVFL_CNT 0x61C ++#define UMAC_RBUF_OVFL_CNT_V1 0x61C ++#define RBUF_OVFL_CNT_V2 0x80 ++#define RBUF_OVFL_CNT_V3PLUS 0x94 + + #define UMAC_MPD_CTRL 0x620 + #define MPD_EN (1 << 0) +@@ -224,7 +226,9 @@ struct bcmgenet_mib_counters { + + #define UMAC_MPD_PW_MS 0x624 + #define UMAC_MPD_PW_LS 0x628 +-#define UMAC_RBUF_ERR_CNT 0x634 ++#define UMAC_RBUF_ERR_CNT_V1 0x634 ++#define RBUF_ERR_CNT_V2 0x84 ++#define RBUF_ERR_CNT_V3PLUS 0x98 + #define UMAC_MDF_ERR_CNT 0x638 + #define UMAC_MDF_CTRL 0x650 + #define UMAC_MDF_ADDR 0x654 diff --git a/queue-4.9/net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch b/queue-4.9/net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch new file mode 100644 index 00000000000..149afcca352 --- /dev/null +++ b/queue-4.9/net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch 
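Review bot: bcmgenet_update_stat_misc() treats its `offset` argument as a V1 UMAC offset that doubles as a lookup key for the relocated RBUF counters, but nothing at the function or at the `STAT_GENET_MISC(..., UMAC_RBUF_OVFL_CNT_V1)` table entries says so. A header comment such as `/* offset is the V1 UMAC register offset from the stats table; on V2 and later the RBUF counters are remapped */` would make the `_V1` names in the table less surprising. The two RBUF cases also repeat the same read-and-clear sequence and differ only in how `new_offset` is chosen, so the read and the `val == ~0` clear could be written once after the offset is selected.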
@@ -0,0 +1,43 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:46 -0800 +Subject: net: bcmgenet: power down internal phy if open or resume fails + +From: Doug Berger + + +[ Upstream commit 7627409cc4970e8c8b9de6945ad86a575290a94e ] + +Since the internal PHY is powered up during the open and resume +functions it should be powered back down if the functions fail. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2857,6 +2857,8 @@ err_irq0: + err_fini_dma: + bcmgenet_fini_dma(priv); + err_clk_disable: ++ if (priv->internal_phy) ++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE); + clk_disable_unprepare(priv->clk); + return ret; + } +@@ -3560,6 +3562,8 @@ static int bcmgenet_resume(struct device + return 0; + + out_clk_disable: ++ if (priv->internal_phy) ++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE); + clk_disable_unprepare(priv->clk); + return ret; + } diff --git a/queue-4.9/net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch b/queue-4.9/net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch new file mode 100644 index 00000000000..1a95d05fa20 --- /dev/null +++ b/queue-4.9/net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch 
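Review bot: Both added blocks sit at shared cleanup labels (`err_clk_disable` in the first hunk, `out_clk_disable` in the second), so they run for every failure that jumps there, including any that occur before the internal PHY was powered up. The power-up calls are outside the hunks, so it is worth confirming that `bcmgenet_power_down(priv, GENET_POWER_PASSIVE)` is safe on a PHY that is already down, or adding a comment at each label that says so. Both functions begin outside their hunks.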
@@ -0,0 +1,53 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:48 -0800 +Subject: net: bcmgenet: Power up the internal PHY before probing the MII + +From: Doug Berger + + +[ Upstream commit 6be371b053dc86f11465cc1abce2e99bda0a0574 ] + +When using the internal PHY it must be powered up when the MII is probed +or the PHY will not be detected. Since the PHY is powered up at reset +this has not been a problem. However, when the kernel is restarted with +kexec the PHY will likely be powered down when the kernel starts so it +will not be detected and the Ethernet link will not be established. + +This commit explicitly powers up the internal PHY when the GENET driver +is probed to correct this behavior. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3296,6 +3296,7 @@ static int bcmgenet_probe(struct platfor + const void *macaddr; + struct resource *r; + int err = -EIO; ++ const char *phy_mode_str; + + /* Up to GENET_MAX_MQ_CNT + 1 TX queues and RX queues */ + dev = alloc_etherdev_mqs(sizeof(*priv), GENET_MAX_MQ_CNT + 1, +@@ -3403,6 +3404,13 @@ static int bcmgenet_probe(struct platfor + priv->clk_eee = NULL; + } + ++ /* If this is an internal GPHY, power it on now, before UniMAC is ++ * brought out of reset as absolutely no UniMAC activity is allowed ++ */ ++ if (dn && !of_property_read_string(dn, "phy-mode", &phy_mode_str) && ++ !strcasecmp(phy_mode_str, "internal")) ++ bcmgenet_power_up(priv, GENET_POWER_PASSIVE); ++ + err = reset_umac(priv); + if (err) + goto err_clk_disable; 
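Review bot: The second hunk powers the PHY up just before `reset_umac(priv)`, and the failure branch that follows jumps to `err_clk_disable`; that cleanup path is outside the hunk, so it is not visible whether the PHY is powered back down when probe fails after this point. If it is not, the probe error path should mirror the power-up. Separately, the `"phy-mode"` property is parsed by hand here; if the driver decides elsewhere whether the PHY is internal, a short comment saying why that result cannot be used yet in bcmgenet_probe() would keep the two checks from diverging.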
diff --git a/queue-4.9/net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch b/queue-4.9/net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch new file mode 100644 index 00000000000..501460edc9f --- /dev/null +++ b/queue-4.9/net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:45 -0800 +Subject: net: bcmgenet: reserved phy revisions must be checked first + +From: Doug Berger + + +[ Upstream commit eca4bad73409aedc6ff22f823c18b67a4f08c851 ] + +The reserved gphy_rev value of 0x01ff must be tested before the old +or new scheme for GPHY major versioning are tested, otherwise it will +be treated as 0xff00 according to the old scheme. + +Fixes: b04a2f5b9ff5 ("net: bcmgenet: add support for new GENET PHY revision scheme") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3233,6 +3233,12 @@ static void bcmgenet_set_hw_params(struc + */ + gphy_rev = reg & 0xffff; + ++ /* This is reserved so should require special treatment */ ++ if (gphy_rev == 0 || gphy_rev == 0x01ff) { ++ pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev); ++ return; ++ } ++ + /* This is the good old scheme, just GPHY major, no minor nor patch */ + if ((gphy_rev & 0xf0) != 0) + priv->gphy_rev = gphy_rev << 8; +@@ -3241,12 +3247,6 @@ static void bcmgenet_set_hw_params(struc + else if ((gphy_rev & 0xff00) != 0) + priv->gphy_rev = gphy_rev; + +- /* This is reserved so should require special treatment */ +- else if (gphy_rev == 0 || gphy_rev == 0x01ff) { +- pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev); +- return; +- } +- + #ifdef CONFIG_PHYS_ADDR_T_64BIT + if (!(params->flags & GENET_HAS_40BITS)) + pr_warn("GENET does not support 40-bits PA\n"); 
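Review bot: The moved check keeps the comment `/* This is reserved so should require special treatment */`, which does not say why it must now come first. Suggest `/* 0 and 0x01ff are reserved; test them before the version schemes below, which would otherwise accept 0x01ff */`. The early `return` also skips the rest of bcmgenet_set_hw_params(), which continues past the hunk, and the function has no way to report the failure, so callers presumably carry on with `priv->gphy_rev` unset; a line in the comment should say whether that is intended.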
diff --git a/queue-4.9/net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch b/queue-4.9/net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch new file mode 100644 index 00000000000..745f65df9c5 --- /dev/null +++ b/queue-4.9/net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch 
@@ -0,0 +1,200 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Doug Berger +Date: Thu, 9 Mar 2017 16:58:47 -0800 +Subject: net: bcmgenet: synchronize irq0 status between the isr and task + +From: Doug Berger + + +[ Upstream commit 07c52d6a0b955a8a28834f9354793cfc4b81d0e9 ] + +Add a spinlock to ensure that irq0_stat is not unintentionally altered +as the result of preemption. Also removed unserviced irq0 interrupts +and removed irq1_stat since there is no bottom half service for those +interrupts. + +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Doug Berger +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 73 +++++++++++++------------ + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 6 +- + 2 files changed, 44 insertions(+), 35 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2513,24 +2513,28 @@ static int bcmgenet_init_dma(struct bcmg + /* Interrupt bottom half */ + static void bcmgenet_irq_task(struct work_struct *work) + { ++ unsigned long flags; ++ unsigned int status; + struct bcmgenet_priv *priv = container_of( + work, struct bcmgenet_priv, bcmgenet_irq_work); + + netif_dbg(priv, intr, priv->dev, "%s\n", __func__); + +- if (priv->irq0_stat & UMAC_IRQ_MPD_R) { +- priv->irq0_stat &= ~UMAC_IRQ_MPD_R; ++ spin_lock_irqsave(&priv->lock, flags); ++ status = priv->irq0_stat; ++ priv->irq0_stat = 0; ++ spin_unlock_irqrestore(&priv->lock, flags); ++ ++ if (status & UMAC_IRQ_MPD_R) { + netif_dbg(priv, wol, priv->dev, + "magic packet detected, waking up\n"); + bcmgenet_power_up(priv, GENET_POWER_WOL_MAGIC); + } + + /* Link UP/DOWN event */ +- if (priv->irq0_stat & UMAC_IRQ_LINK_EVENT) { ++ if (status & UMAC_IRQ_LINK_EVENT) + phy_mac_interrupt(priv->phydev, +- !!(priv->irq0_stat & UMAC_IRQ_LINK_UP)); +- priv->irq0_stat &= 
~UMAC_IRQ_LINK_EVENT; +- } ++ !!(status & UMAC_IRQ_LINK_UP)); + } + + /* bcmgenet_isr1: handle Rx and Tx priority queues */ +@@ -2539,22 +2543,21 @@ static irqreturn_t bcmgenet_isr1(int irq + struct bcmgenet_priv *priv = dev_id; + struct bcmgenet_rx_ring *rx_ring; + struct bcmgenet_tx_ring *tx_ring; +- unsigned int index; ++ unsigned int index, status; + +- /* Save irq status for bottom-half processing. */ +- priv->irq1_stat = +- bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_STAT) & ++ /* Read irq status */ ++ status = bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_STAT) & + ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS); + + /* clear interrupts */ +- bcmgenet_intrl2_1_writel(priv, priv->irq1_stat, INTRL2_CPU_CLEAR); ++ bcmgenet_intrl2_1_writel(priv, status, INTRL2_CPU_CLEAR); + + netif_dbg(priv, intr, priv->dev, +- "%s: IRQ=0x%x\n", __func__, priv->irq1_stat); ++ "%s: IRQ=0x%x\n", __func__, status); + + /* Check Rx priority queue interrupts */ + for (index = 0; index < priv->hw_params->rx_queues; index++) { +- if (!(priv->irq1_stat & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index))) ++ if (!(status & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index))) + continue; + + rx_ring = &priv->rx_rings[index]; +@@ -2567,7 +2570,7 @@ static irqreturn_t bcmgenet_isr1(int irq + + /* Check Tx priority queue interrupts */ + for (index = 0; index < priv->hw_params->tx_queues; index++) { +- if (!(priv->irq1_stat & BIT(index))) ++ if (!(status & BIT(index))) + continue; + + tx_ring = &priv->tx_rings[index]; +@@ -2587,19 +2590,20 @@ static irqreturn_t bcmgenet_isr0(int irq + struct bcmgenet_priv *priv = dev_id; + struct bcmgenet_rx_ring *rx_ring; + struct bcmgenet_tx_ring *tx_ring; ++ unsigned int status; ++ unsigned long flags; + +- /* Save irq status for bottom-half processing. 
*/ +- priv->irq0_stat = +- bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_STAT) & ++ /* Read irq status */ ++ status = bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_STAT) & + ~bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_MASK_STATUS); + + /* clear interrupts */ +- bcmgenet_intrl2_0_writel(priv, priv->irq0_stat, INTRL2_CPU_CLEAR); ++ bcmgenet_intrl2_0_writel(priv, status, INTRL2_CPU_CLEAR); + + netif_dbg(priv, intr, priv->dev, +- "IRQ=0x%x\n", priv->irq0_stat); ++ "IRQ=0x%x\n", status); + +- if (priv->irq0_stat & UMAC_IRQ_RXDMA_DONE) { ++ if (status & UMAC_IRQ_RXDMA_DONE) { + rx_ring = &priv->rx_rings[DESC_INDEX]; + + if (likely(napi_schedule_prep(&rx_ring->napi))) { +@@ -2608,7 +2612,7 @@ static irqreturn_t bcmgenet_isr0(int irq + } + } + +- if (priv->irq0_stat & UMAC_IRQ_TXDMA_DONE) { ++ if (status & UMAC_IRQ_TXDMA_DONE) { + tx_ring = &priv->tx_rings[DESC_INDEX]; + + if (likely(napi_schedule_prep(&tx_ring->napi))) { +@@ -2617,22 +2621,23 @@ static irqreturn_t bcmgenet_isr0(int irq + } + } + +- if (priv->irq0_stat & (UMAC_IRQ_PHY_DET_R | +- UMAC_IRQ_PHY_DET_F | +- UMAC_IRQ_LINK_EVENT | +- UMAC_IRQ_HFB_SM | +- UMAC_IRQ_HFB_MM | +- UMAC_IRQ_MPD_R)) { +- /* all other interested interrupts handled in bottom half */ +- schedule_work(&priv->bcmgenet_irq_work); +- } +- + if ((priv->hw_params->flags & GENET_HAS_MDIO_INTR) && +- priv->irq0_stat & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) { +- priv->irq0_stat &= ~(UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR); ++ status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) { + wake_up(&priv->wq); + } + ++ /* all other interested interrupts handled in bottom half */ ++ status &= (UMAC_IRQ_LINK_EVENT | ++ UMAC_IRQ_MPD_R); ++ if (status) { ++ /* Save irq status for bottom-half processing. 
*/ ++ spin_lock_irqsave(&priv->lock, flags); ++ priv->irq0_stat |= status; ++ spin_unlock_irqrestore(&priv->lock, flags); ++ ++ schedule_work(&priv->bcmgenet_irq_work); ++ } ++ + return IRQ_HANDLED; + } + +@@ -3334,6 +3339,8 @@ static int bcmgenet_probe(struct platfor + goto err; + } + ++ spin_lock_init(&priv->lock); ++ + SET_NETDEV_DEV(dev, &pdev->dev); + dev_set_drvdata(&pdev->dev, dev); + ether_addr_copy(dev->dev_addr, macaddr); +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -623,11 +623,13 @@ struct bcmgenet_priv { + struct work_struct bcmgenet_irq_work; + int irq0; + int irq1; +- unsigned int irq0_stat; +- unsigned int irq1_stat; + int wol_irq; + bool wol_irq_disabled; + ++ /* shared status */ ++ spinlock_t lock; ++ unsigned int irq0_stat; ++ + /* HW descriptors/checksum variables */ + bool desc_64b_en; + bool desc_rxchk_en; diff --git a/queue-4.9/net-initialize-msg.msg_flags-in-recvfrom.patch b/queue-4.9/net-initialize-msg.msg_flags-in-recvfrom.patch new file mode 100644 index 00000000000..e3f9657c396 --- /dev/null +++ b/queue-4.9/net-initialize-msg.msg_flags-in-recvfrom.patch 
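Review bot: The new `spinlock_t lock;` in struct bcmgenet_priv is documented only as `/* shared status */`, and its name gives no hint of what it guards. From the hunks it protects `irq0_stat` between bcmgenet_isr0() and bcmgenet_irq_task(), so the field comment could read `/* protects irq0_stat, shared by bcmgenet_isr0() and bcmgenet_irq_task() */`. In bcmgenet_isr0() the narrowing `status &= (UMAC_IRQ_LINK_EVENT | UMAC_IRQ_MPD_R);` drops the remaining bits that the earlier `INTRL2_CPU_CLEAR` write already acknowledged; a comment there noting that those sources have no bottom-half handler would make the drop read as deliberate.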
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Alexander Potapenko
+Date: Wed, 8 Mar 2017 18:08:16 +0100
+Subject: net: initialize msg.msg_flags in recvfrom
+
+From: Alexander Potapenko
+
+
+[ Upstream commit 9f138fa609c47403374a862a08a41394be53d461 ]
+
+KMSAN reports a use of uninitialized memory in put_cmsg() because
+msg.msg_flags in recvfrom haven't been initialized properly.
+The flag values don't affect the result on this path, but it's still a
+good idea to initialize them explicitly.
+
+Signed-off-by: Alexander Potapenko
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+ /* We assume all kernel code knows the size of sockaddr_storage */
+ msg.msg_namelen = 0;
+ msg.msg_iocb = NULL;
++ msg.msg_flags = 0;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, flags);
diff --git a/queue-4.9/net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch b/queue-4.9/net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch
new file mode 100644
index 00000000000..21aa4c0561d
--- /dev/null
+++ b/queue-4.9/net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch
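Review bot: `msg` is still initialised one field at a time, so the added `msg.msg_flags = 0;` closes the field KMSAN reported, but any member not assigned here remains uninitialised stack data. The declaration is outside the hunk; if the cost is acceptable, zero-initialising the structure where it is declared would cover every field, including ones added to the structure later. Otherwise a comment above these assignments naming the fields that are deliberately left for sock_recvmsg() to fill would let a reviewer check the list. The syscall body starts and ends outside the hunk.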
@@ -0,0 +1,101 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Jack Morgenstein +Date: Mon, 13 Mar 2017 19:29:08 +0200 +Subject: net/mlx4_core: Avoid delays during VF driver device shutdown + +From: Jack Morgenstein + + +[ Upstream commit 4cbe4dac82e423ecc9a0ba46af24a860853259f4 ] + +Some Hypervisors detach VFs from VMs by instantly causing an FLR event +to be generated for a VF. + +In the mlx4 case, this will cause that VF's comm channel to be disabled +before the VM has an opportunity to invoke the VF device's "shutdown" +method. + +For such Hypervisors, there is a race condition between the VF's +shutdown method and its internal-error detection/reset thread. + +The internal-error detection/reset thread (which runs every 5 seconds) also +detects a disabled comm channel. If the internal-error detection/reset +flow wins the race, we still get delays (while that flow tries repeatedly +to detect comm-channel recovery). + +The cited commit fixed the command timeout problem when the +internal-error detection/reset flow loses the race. + +This commit avoids the unneeded delays when the internal-error +detection/reset flow wins. + +Fixes: d585df1c5ccf ("net/mlx4_core: Avoid command timeouts during VF driver device shutdown") +Signed-off-by: Jack Morgenstein +Reported-by: Simon Xiao +Signed-off-by: Tariq Toukan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/cmd.c | 11 +++++++++++ + drivers/net/ethernet/mellanox/mlx4/main.c | 11 +++++++++++ + include/linux/mlx4/device.h | 1 + + 3 files changed, 23 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2304,6 +2304,17 @@ static int sync_toggles(struct mlx4_dev + rd_toggle = swab32(readl(&priv->mfunc.comm->slave_read)); + if (wr_toggle == 0xffffffff || rd_toggle == 0xffffffff) { + /* PCI might be offline */ ++ ++ /* If device removal has been requested, ++ * do not continue retrying. ++ */ ++ if (dev->persist->interface_state & ++ MLX4_INTERFACE_STATE_NOWAIT) { ++ mlx4_warn(dev, ++ "communication channel is offline\n"); ++ return -EIO; ++ } ++ + msleep(100); + wr_toggle = swab32(readl(&priv->mfunc.comm-> + slave_write)); +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -1940,6 +1940,14 @@ static int mlx4_comm_check_offline(struc + (u32)(1 << COMM_CHAN_OFFLINE_OFFSET)); + if (!offline_bit) + return 0; ++ ++ /* If device removal has been requested, ++ * do not continue retrying. ++ */ ++ if (dev->persist->interface_state & ++ MLX4_INTERFACE_STATE_NOWAIT) ++ break; ++ + /* There are cases as part of AER/Reset flow that PF needs + * around 100 msec to load. 
We therefore sleep for 100 msec + * to allow other tasks to make use of that CPU during this +@@ -3954,6 +3962,9 @@ static void mlx4_remove_one(struct pci_d + struct devlink *devlink = priv_to_devlink(priv); + int active_vfs = 0; + ++ if (mlx4_is_slave(dev)) ++ persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT; ++ + mutex_lock(&persist->interface_state_mutex); + persist->interface_state |= MLX4_INTERFACE_STATE_DELETION; + mutex_unlock(&persist->interface_state_mutex); +--- a/include/linux/mlx4/device.h ++++ b/include/linux/mlx4/device.h +@@ -476,6 +476,7 @@ enum { + enum { + MLX4_INTERFACE_STATE_UP = 1 << 0, + MLX4_INTERFACE_STATE_DELETION = 1 << 1, ++ MLX4_INTERFACE_STATE_NOWAIT = 1 << 2, + }; + + #define MSTR_SM_CHANGE_MASK (MLX4_EQ_PORT_INFO_MSTR_SM_SL_CHANGE_MASK | \ diff --git a/queue-4.9/net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch b/queue-4.9/net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch new file mode 100644 index 00000000000..b76660b650b --- /dev/null +++ b/queue-4.9/net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch 
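Review bot: In mlx4_remove_one() the new `persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT;` is a read-modify-write done without `interface_state_mutex`, while the `MLX4_INTERFACE_STATE_DELETION` update directly below takes it. This is presumably deliberate, since the retry loops that test the flag may run while the mutex is held, but as written a concurrent locked update of `interface_state` could lose one of the bits. If the lock cannot be taken here, a comment saying so is the minimum, e.g. `/* set without interface_state_mutex: the reset flow polling this flag may hold it */`; keeping the no-wait indication in its own atomically updated flag would remove the race. The readers added in sync_toggles() and mlx4_comm_check_offline() also use plain loads inside polling loops.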
@@ -0,0 +1,56 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Jurgens
+Date: Fri, 10 Mar 2017 14:33:02 +0200
+Subject: net/mlx5: Don't save PCI state when PCI error is detected
+
+From: Daniel Jurgens
+
+
+[ Upstream commit 5d47f6c89d568ab61712d8c40676fbb020b68752 ]
+
+When a PCI error is detected the PCI state could be corrupt, don't save
+it in that flow. Save the state after initialization. After restoring the
+PCI state during slot reset save it again, restoring the state destroys
+the previously saved state info.
+
+Fixes: 05ac2c0b7438 ('net/mlx5: Fix race between PCI error handlers and
+health work')
+Signed-off-by: Daniel Jurgens
+
+Signed-off-by: Saeed Mahameed
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1283,6 +1283,7 @@ static int init_one(struct pci_dev *pdev
+ if (err)
+ goto clean_load;
+ 
++ pci_save_state(pdev);
+ return 0;
+ 
+ clean_load:
+@@ -1331,9 +1332,8 @@ static pci_ers_result_t mlx5_pci_err_det
+ 
+ mlx5_enter_error_state(dev);
+ mlx5_unload_one(dev, priv, false);
+- /* In case of kernel call save the pci state and drain the health wq */
++ /* In case of kernel call drain the health wq */
+ if (state) {
+- pci_save_state(pdev);
+ mlx5_drain_health_wq(dev);
+ mlx5_pci_disable_device(dev);
+ }
+@@ -1385,6 +1385,7 @@ static pci_ers_result_t mlx5_pci_slot_re
+ 
+ pci_set_master(pdev);
+ pci_restore_state(pdev);
++ pci_save_state(pdev);
+ 
+ if (wait_vital(pdev)) {
+ dev_err(&pdev->dev, "%s: wait_vital timed out\n", __func__);
diff --git a/queue-4.9/net-mlx5-fix-create-autogroup-prev-initializer.patch b/queue-4.9/net-mlx5-fix-create-autogroup-prev-initializer.patch
new file mode 100644
index 00000000000..9df8a71a059
--- /dev/null
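Review bot: Both added `pci_save_state(pdev);` calls, in init_one() and in the slot-reset handler of the third hunk, discard the return value. If a save fails, a later `pci_restore_state(pdev)` has no fresh state to restore and the problem surfaces far from its cause. Logging the failure would be enough, e.g. `if (pci_save_state(pdev)) dev_warn(&pdev->dev, "%s: failed to save PCI state\n", __func__);`. All three functions extend beyond their hunks.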
+++ b/queue-4.9/net-mlx5-fix-create-autogroup-prev-initializer.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Paul Blakey +Date: Fri, 10 Mar 2017 14:33:01 +0200 +Subject: net/mlx5: Fix create autogroup prev initializer + +From: Paul Blakey + + +[ Upstream commit af36370569eb37420e1e78a2e60c277b781fcd00 ] + +The autogroups list is a list of non overlapping group boundaries +sorted by their start index. If the autogroups list wasn't empty +and an empty group slot was found at the start of the list, +the new group was added to the end of the list instead of the +beginning, as the prev initializer was incorrect. +When this was repeated, it caused multiple groups to have +overlapping boundaries. + +Fixed that by correctly initializing the prev pointer to the +start of the list. + +Fixes: eccec8da3b4e ('net/mlx5: Keep autogroups list ordered') +Signed-off-by: Paul Blakey +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -1015,7 +1015,7 @@ static struct mlx5_flow_group *create_au + u32 *match_criteria) + { + int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in); +- struct list_head *prev = ft->node.children.prev; ++ struct list_head *prev = &ft->node.children; + unsigned int candidate_index = 0; + struct mlx5_flow_group *fg; + void *match_criteria_addr; diff --git a/queue-4.9/net-mpls-fix-nexthop-alive-tracking-on-down-events.patch b/queue-4.9/net-mpls-fix-nexthop-alive-tracking-on-down-events.patch new file mode 100644 index 00000000000..f941111713a --- /dev/null +++ b/queue-4.9/net-mpls-fix-nexthop-alive-tracking-on-down-events.patch 
@@ -0,0 +1,77 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: David Ahern +Date: Mon, 13 Mar 2017 16:49:10 -0700 +Subject: net: mpls: Fix nexthop alive tracking on down events + +From: David Ahern + + +[ Upstream commit 61733c91c454a61be0ffc93fe46a5d5f2f048c1c ] + +Alive tracking of nexthops can account for a link twice if the carrier +goes down followed by an admin down of the same link rendering multipath +routes useless. This is similar to 79099aab38c8 for UNREGISTER events and +DOWN events. + +Fix by tracking number of alive nexthops in mpls_ifdown similar to the +logic in mpls_ifup. Checking the flags per nexthop once after all events +have been processed is simpler than trying to maintian a running count +through all event combinations. + +Also, WRITE_ONCE is used instead of ACCESS_ONCE to set rt_nhn_alive +per a comment from checkpatch: + WARNING: Prefer WRITE_ONCE(, ) over ACCESS_ONCE() = + +Fixes: c89359a42e2a4 ("mpls: support for dead routes") +Signed-off-by: David Ahern +Acked-by: Robert Shearman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mpls/af_mpls.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -937,6 +937,8 @@ static void mpls_ifdown(struct net_devic + { + struct mpls_route __rcu **platform_label; + struct net *net = dev_net(dev); ++ unsigned int nh_flags = RTNH_F_DEAD | RTNH_F_LINKDOWN; ++ unsigned int alive; + unsigned index; + + platform_label = rtnl_dereference(net->mpls.platform_label); +@@ -946,9 +948,11 @@ static void mpls_ifdown(struct net_devic + if (!rt) + continue; + ++ alive = 0; + change_nexthops(rt) { + if (rtnl_dereference(nh->nh_dev) != dev) +- continue; ++ goto next; ++ + switch (event) { + case NETDEV_DOWN: + case NETDEV_UNREGISTER: +@@ -956,13 +960,16 @@ static void mpls_ifdown(struct net_devic + /* fall through */ + case NETDEV_CHANGE: + nh->nh_flags |= RTNH_F_LINKDOWN; +- if (event != NETDEV_UNREGISTER) +- ACCESS_ONCE(rt->rt_nhn_alive) = rt->rt_nhn_alive - 1; + break; + } + if (event == NETDEV_UNREGISTER) + RCU_INIT_POINTER(nh->nh_dev, NULL); ++next: ++ if (!(nh->nh_flags & nh_flags)) ++ alive++; + } endfor_nexthops(rt); ++ ++ WRITE_ONCE(rt->rt_nhn_alive, alive); + } + } + diff --git a/queue-4.9/net-resend-igmp-memberships-upon-peer-notification.patch b/queue-4.9/net-resend-igmp-memberships-upon-peer-notification.patch new file mode 100644 index 00000000000..f5a1ef4ea56 --- /dev/null +++ b/queue-4.9/net-resend-igmp-memberships-upon-peer-notification.patch 
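Review bot: In `mpls_ifdown` the new local `nh_flags` has the same name as the `nh->nh_flags` field it is tested against, so `if (!(nh->nh_flags & nh_flags))` reads like a self-comparison. Naming the mask for its meaning, e.g. `unsigned int dead_mask = RTNH_F_DEAD | RTNH_F_LINKDOWN;` with `if (!(nh->nh_flags & dead_mask))`, avoids that. The `next:` label inside the `change_nexthops` loop would also benefit from `/* count every nexthop, including those not on dev */`, because the `goto` replaces a `continue` and the reason is easy to miss. The type of `rt->rt_nhn_alive` is not visible in the hunk; confirm that `alive` cannot exceed its range.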
@@ -0,0 +1,34 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Vlad Yasevich +Date: Tue, 14 Mar 2017 08:58:08 -0400 +Subject: net: Resend IGMP memberships upon peer notification. + +From: Vlad Yasevich + + +[ Upstream commit 37c343b4f4e70e9dc328ab04903c0ec8d154c1a4 ] + +When we notify peers of potential changes, it's also good to update +IGMP memberships. For example, during VM migration, updating IGMP +memberships will redirect existing multicast streams to the VM at the +new location. + +Signed-off-by: Vladislav Yasevich +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1304,6 +1304,7 @@ void netdev_notify_peers(struct net_devi + { + rtnl_lock(); + call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, dev); ++ call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev); + rtnl_unlock(); + } + EXPORT_SYMBOL(netdev_notify_peers); diff --git a/queue-4.9/net-wimax-i2400m-fix-null-deref-at-probe.patch b/queue-4.9/net-wimax-i2400m-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..9affcbbd4ba --- /dev/null +++ b/queue-4.9/net-wimax-i2400m-fix-null-deref-at-probe.patch 
@@ -0,0 +1,41 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:42:03 +0100 +Subject: net: wimax/i2400m: fix NULL-deref at probe + +From: Johan Hovold + + +[ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ] + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +The endpoints are specifically dereferenced in the i2400m_bootrom_init +path during probe (e.g. in i2400mu_tx_bulk_out). + +Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown +and reset backends") +Cc: Inaky Perez-Gonzalez + +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wimax/i2400m/usb.c ++++ b/drivers/net/wimax/i2400m/usb.c +@@ -467,6 +467,9 @@ int i2400mu_probe(struct usb_interface * + struct i2400mu *i2400mu; + struct usb_device *usb_dev = interface_to_usbdev(iface); + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 4) ++ return -ENODEV; ++ + if (usb_dev->speed != USB_SPEED_HIGH) + dev_err(dev, "device not connected as high speed\n"); + diff --git a/queue-4.9/netfilter-bridge-honor-frag_max_size-when-refragmenting.patch b/queue-4.9/netfilter-bridge-honor-frag_max_size-when-refragmenting.patch new file mode 100644 index 00000000000..56d2077f60e --- /dev/null +++ b/queue-4.9/netfilter-bridge-honor-frag_max_size-when-refragmenting.patch 
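Review bot: The guard added to `i2400mu_probe` validates only the endpoint count, and the literal `4` is not tied to anything in the code. It runs before any allocation, so the bare `return -ENODEV;` needs no cleanup, but a comment such as `/* probe dereferences the endpoints of this altsetting; reject devices that lack them */` would explain the number. The check does not look at endpoint type or direction; whether the later pipe setup validates those for a device that supplies four arbitrary endpoints is outside the hunk and should be confirmed. `i2400mu_probe` continues past the hunk.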
@@ -0,0 +1,55 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Florian Westphal +Date: Thu, 9 Mar 2017 23:22:30 +0100 +Subject: netfilter: bridge: honor frag_max_size when refragmenting + +From: Florian Westphal + + +[ Upstream commit 4ca60d08cbe65f501baad64af50fceba79c19fbb ] + +consider a bridge with mtu 9000, but end host sending smaller +packets to another host with mtu < 9000. + +In this case, after reassembly, bridge+defrag would refragment, +and then attempt to send the reassembled packet as long as it +was below 9k. + +Instead we have to cap by the largest fragment size seen. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netfilter_hooks.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -706,18 +706,20 @@ static unsigned int nf_bridge_mtu_reduct + + static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- struct nf_bridge_info *nf_bridge; +- unsigned int mtu_reserved; ++ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); ++ unsigned int mtu, mtu_reserved; + + mtu_reserved = nf_bridge_mtu_reduction(skb); ++ mtu = skb->dev->mtu; + +- if (skb_is_gso(skb) || skb->len + mtu_reserved <= skb->dev->mtu) { ++ if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) ++ mtu = nf_bridge->frag_max_size; ++ ++ if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { + nf_bridge_info_free(skb); + return br_dev_queue_push_xmit(net, sk, skb); + } + +- nf_bridge = nf_bridge_info_get(skb); +- + /* This is wrong! We should preserve the original fragment + * boundaries by preserving frag_list rather than refragmenting. + */ 
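Review bot: `br_nf_dev_queue_xmit` now reads `nf_bridge->frag_max_size` on every call, whereas the old code fetched `nf_bridge` only after the fast path had already returned. If `nf_bridge_info_get(skb)` can return NULL for an skb that reaches this function, the new fast path dereferences it; the callers are outside the hunk, so either confirm they guarantee a non-NULL value or guard the test, `if (nf_bridge && nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)`. A comment on the cap, e.g. `/* never send more than the largest fragment seen at reassembly */`, would also help. The function body continues past the hunk.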
diff --git a/queue-4.9/netfilter-ipvs-fix-inappropriate-output-of-procfs.patch b/queue-4.9/netfilter-ipvs-fix-inappropriate-output-of-procfs.patch
new file mode 100644
index 00000000000..e43910d3f97
--- /dev/null
+++ b/queue-4.9/netfilter-ipvs-fix-inappropriate-output-of-procfs.patch
@@ -0,0 +1,78 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: KUWAZAWA Takuya +Date: Sun, 15 Oct 2017 20:54:10 +0900 +Subject: netfilter: ipvs: Fix inappropriate output of procfs + +From: KUWAZAWA Takuya + + +[ Upstream commit c5504f724c86ee925e7ffb80aa342cfd57959b13 ] + +Information about ipvs in different network namespace can be seen via procfs. + +How to reproduce: + + # ip netns add ns01 + # ip netns add ns02 + # ip netns exec ns01 ip a add dev lo 127.0.0.1/8 + # ip netns exec ns02 ip a add dev lo 127.0.0.1/8 + # ip netns exec ns01 ipvsadm -A -t 10.1.1.1:80 + # ip netns exec ns02 ipvsadm -A -t 10.1.1.2:80 + +The ipvsadm displays information about its own network namespace only. + + # ip netns exec ns01 ipvsadm -Ln + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + TCP 10.1.1.1:80 wlc + + # ip netns exec ns02 ipvsadm -Ln + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + TCP 10.1.1.2:80 wlc + +But I can see information about other network namespace via procfs. 
+ + # ip netns exec ns01 cat /proc/net/ip_vs + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + TCP 0A010101:0050 wlc + TCP 0A010102:0050 wlc + + # ip netns exec ns02 cat /proc/net/ip_vs + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + TCP 0A010102:0050 wlc + +Signed-off-by: KUWAZAWA Takuya +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2040,12 +2040,16 @@ static int ip_vs_info_seq_show(struct se + seq_puts(seq, + " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n"); + } else { ++ struct net *net = seq_file_net(seq); ++ struct netns_ipvs *ipvs = net_ipvs(net); + const struct ip_vs_service *svc = v; + const struct ip_vs_iter *iter = seq->private; + const struct ip_vs_dest *dest; + struct ip_vs_scheduler *sched = rcu_dereference(svc->scheduler); + char *sched_name = sched ? sched->name : "none"; + ++ if (svc->ipvs != ipvs) ++ return 0; + if (iter->table == ip_vs_svc_table) { + #ifdef CONFIG_IP_VS_IPV6 + if (svc->af == AF_INET6) diff --git a/queue-4.9/nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch b/queue-4.9/nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch new file mode 100644 index 00000000000..c571dc0a7d3 --- /dev/null +++ b/queue-4.9/nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch 
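Review bot: The namespace filter in `ip_vs_info_seq_show` is applied only at the point where a row is printed, and the `if (svc->ipvs != ipvs) return 0;` line has no comment explaining that it is an isolation boundary. Add `/* the service tables are global; show only services of the reader's netns */` above it, so a later refactor does not drop the check. The iterator that feeds this callback is outside the hunk and presumably still walks entries of other namespaces; confirm that any other seq callbacks over the same tables apply the same filter. The temporary `net` is used once and could be folded: `struct netns_ipvs *ipvs = net_ipvs(seq_file_net(seq));`.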
@@ -0,0 +1,37 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: NeilBrown +Date: Fri, 10 Mar 2017 11:36:39 +1100 +Subject: NFSD: fix nfsd_minorversion(.., NFSD_AVAIL) + +From: NeilBrown + + +[ Upstream commit 928c6fb3a9bfd6c5b287aa3465226add551c13c0 ] + +Current code will return 1 if the version is supported, +and -1 if it isn't. +This is confusing and inconsistent with the one place where this +is used. +So change to return 1 if it is supported, and zero if not. +i.e. an error is never returned. + +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfssvc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -155,7 +155,8 @@ int nfsd_vers(int vers, enum vers_op cha + + int nfsd_minorversion(u32 minorversion, enum vers_op change) + { +- if (minorversion > NFSD_SUPPORTED_MINOR_VERSION) ++ if (minorversion > NFSD_SUPPORTED_MINOR_VERSION && ++ change != NFSD_AVAIL) + return -1; + switch(change) { + case NFSD_SET: diff --git a/queue-4.9/nfsd-fix-nfsd_reset_versions-for-nfsv4.patch b/queue-4.9/nfsd-fix-nfsd_reset_versions-for-nfsv4.patch new file mode 100644 index 00000000000..53021d51c08 --- /dev/null +++ b/queue-4.9/nfsd-fix-nfsd_reset_versions-for-nfsv4.patch 
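Review bot: `nfsd_minorversion` now has two return conventions that the code does not state: `-1` for an out-of-range minor on every operation except `NFSD_AVAIL`, and, per the description, 1 or 0 for `NFSD_AVAIL`. Because the early return is skipped for `NFSD_AVAIL`, an out-of-range `minorversion` now reaches the `switch`; that case is outside the hunk, so confirm it compares the value rather than using it as an array index. A header comment such as `/* Returns -1 for an unsupported minor, except NFSD_AVAIL which returns 0; otherwise the result of the operation */` would document the contract for callers.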
@@ -0,0 +1,66 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: NeilBrown +Date: Fri, 10 Mar 2017 11:36:39 +1100 +Subject: NFSD: fix nfsd_reset_versions for NFSv4. + +From: NeilBrown + + +[ Upstream commit 800a938f0bf9130c8256116649c0cc5806bfb2fd ] + +If you write "-2 -3 -4" to the "versions" file, it will +notice that no versions are enabled, and nfsd_reset_versions() +is called. +This enables all major versions, not no minor versions. +So we lose the invariant that NFSv4 is only advertised when +at least one minor is enabled. + +Fix the code to explicitly enable minor versions for v4, +change it to use nfsd_vers() to test and set, and simplify +the code. + +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfssvc.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -400,23 +400,20 @@ static void nfsd_last_thread(struct svc_ + + void nfsd_reset_versions(void) + { +- int found_one = 0; + int i; + +- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++) { +- if (nfsd_program.pg_vers[i]) +- found_one = 1; +- } ++ for (i = 0; i < NFSD_NRVERS; i++) ++ if (nfsd_vers(i, NFSD_TEST)) ++ return; + +- if (!found_one) { +- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++) +- nfsd_program.pg_vers[i] = nfsd_version[i]; +-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) +- for (i = NFSD_ACL_MINVERS; i < NFSD_ACL_NRVERS; i++) +- nfsd_acl_program.pg_vers[i] = +- nfsd_acl_version[i]; +-#endif +- } ++ for (i = 0; i < NFSD_NRVERS; i++) ++ if (i != 4) ++ nfsd_vers(i, NFSD_SET); ++ else { ++ int minor = 0; ++ while (nfsd_minorversion(minor, NFSD_SET) >= 0) ++ minor++; ++ } + } + + /* diff --git a/queue-4.9/nfsv4.1-respect-server-s-max-size-in-create_session.patch b/queue-4.9/nfsv4.1-respect-server-s-max-size-in-create_session.patch new file mode 100644 index 00000000000..6465a24296b --- /dev/null 
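Review bot: In `nfsd_reset_versions` the second `for` loop has a multi-line `if`/`else` body without braces, and the inner `while` terminates only because `nfsd_minorversion(minor, NFSD_SET)` returns a negative value past the last supported minor. Brace the loop, `for (i = 0; i < NFSD_NRVERS; i++) {`, and state the dependency with `/* NFSD_SET returns -1 once minor exceeds the supported range */` above the `while`. The literal `4` would read better as a named constant if the file has one. The removed code also reset `nfsd_acl_program.pg_vers`; whether `nfsd_vers(i, NFSD_SET)` covers that is not visible here and should be confirmed.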
+++ b/queue-4.9/nfsv4.1-respect-server-s-max-size-in-create_session.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Olga Kornievskaia +Date: Wed, 8 Mar 2017 14:39:15 -0500 +Subject: NFSv4.1 respect server's max size in CREATE_SESSION + +From: Olga Kornievskaia + + +[ Upstream commit 033853325fe3bdc70819a8b97915bd3bca41d3af ] + +Currently client doesn't respect max sizes server returns in CREATE_SESSION. +nfs4_session_set_rwsize() gets called and server->rsize, server->wsize are 0 +so they never get set to the sizes returned by the server. + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1004,9 +1004,9 @@ static void nfs4_session_set_rwsize(stru + server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead; + server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead; + +- if (server->rsize > server_resp_sz) ++ if (!server->rsize || server->rsize > server_resp_sz) + server->rsize = server_resp_sz; +- if (server->wsize > server_rqst_sz) ++ if (!server->wsize || server->wsize > server_rqst_sz) + server->wsize = server_rqst_sz; + #endif /* CONFIG_NFS_V4_1 */ + } diff --git a/queue-4.9/nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch b/queue-4.9/nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch new file mode 100644 index 00000000000..6da8a672a4f --- /dev/null +++ b/queue-4.9/nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch 
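Review bot: With the added `!server->rsize ||` and `!server->wsize ||` tests, `nfs4_session_set_rwsize` adopts `server_resp_sz` and `server_rqst_sz` whenever the mount supplied no size, and both are computed from the server's CREATE_SESSION reply minus a fixed overhead. If `max_resp_sz` or `max_rqst_sz` is smaller than that overhead and the variables are unsigned (their declarations are outside the hunk), the subtraction wraps to a very large transfer size. Confirm that the reply is validated before this point, or guard the computation, for example `if (sess->fc_attrs.max_resp_sz <= nfs41_maxread_overhead) return;` with the same test for the request side.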
@@ -0,0 +1,34 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Sagi Grimberg +Date: Mon, 27 Feb 2017 18:44:45 +0200 +Subject: nvme-loop: fix a possible use-after-free when destroying the admin queue + +From: Sagi Grimberg + + +[ Upstream commit e4c5d3762e2d6d274bd1cc948c47063becfa2103 ] + +we need to destroy the nvmet sq and let it finish gracefully +before continue to cleanup the queue. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/loop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -288,9 +288,9 @@ static struct blk_mq_ops nvme_loop_admin + + static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl) + { ++ nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + blk_cleanup_queue(ctrl->ctrl.admin_q); + blk_mq_free_tag_set(&ctrl->admin_tag_set); +- nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + } + + static void nvme_loop_free_ctrl(struct nvme_ctrl *nctrl) diff --git a/queue-4.9/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch b/queue-4.9/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch new file mode 100644 index 00000000000..a5c9b843944 --- /dev/null +++ b/queue-4.9/nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch 
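Review bot: The call order in `nvme_loop_destroy_admin_queue` is now what prevents the use-after-free, but nothing in the function says so, and the three calls look freely reorderable to a later reader. Add a comment above the first call: `/* destroy the target sq first so it has finished before the admin queue and tag set are freed */`.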
@@ -0,0 +1,37 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Christoph Hellwig +Date: Wed, 18 Oct 2017 13:20:01 +0200 +Subject: nvme: use kref_get_unless_zero in nvme_find_get_ns + +From: Christoph Hellwig + + +[ Upstream commit 2dd4122854f697afc777582d18548dded03ce5dd ] + +For kref_get_unless_zero to protect against lookup vs free races we need +to use it in all places where we aren't guaranteed to already hold a +reference. There is no such guarantee in nvme_find_get_ns, so switch to +kref_get_unless_zero in this function. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Hannes Reinecke +Reviewed-by: Johannes Thumshirn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1619,7 +1619,8 @@ static struct nvme_ns *nvme_find_get_ns( + mutex_lock(&ctrl->namespaces_mutex); + list_for_each_entry(ns, &ctrl->namespaces, list) { + if (ns->ns_id == nsid) { +- kref_get(&ns->kref); ++ if (!kref_get_unless_zero(&ns->kref)) ++ continue; + ret = ns; + break; + } diff --git a/queue-4.9/nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch b/queue-4.9/nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch new file mode 100644 index 00000000000..96b9711ebd8 --- /dev/null +++ b/queue-4.9/nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch 
@@ -0,0 +1,67 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Sagi Grimberg +Date: Mon, 6 Mar 2017 18:46:20 +0200 +Subject: nvmet: confirm sq percpu has scheduled and switched to atomic + +From: Sagi Grimberg + + +[ Upstream commit d11ea004a458b982e19b188c386e25a9b66ec446 ] + +percpu_ref_kill is not enough to prevent subsequent +percpu_ref_tryget_live from failing. Hence call +perfcpu_ref_kill_confirm to make it safe. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 11 ++++++++++- + drivers/nvme/target/nvmet.h | 1 + + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -422,6 +422,13 @@ void nvmet_sq_setup(struct nvmet_ctrl *c + ctrl->sqs[qid] = sq; + } + ++static void nvmet_confirm_sq(struct percpu_ref *ref) ++{ ++ struct nvmet_sq *sq = container_of(ref, struct nvmet_sq, ref); ++ ++ complete(&sq->confirm_done); ++} ++ + void nvmet_sq_destroy(struct nvmet_sq *sq) + { + /* +@@ -430,7 +437,8 @@ void nvmet_sq_destroy(struct nvmet_sq *s + */ + if (sq->ctrl && sq->ctrl->sqs && sq->ctrl->sqs[0] == sq) + nvmet_async_events_free(sq->ctrl); +- percpu_ref_kill(&sq->ref); ++ percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); ++ wait_for_completion(&sq->confirm_done); + wait_for_completion(&sq->free_done); + percpu_ref_exit(&sq->ref); + +@@ -458,6 +466,7 @@ int nvmet_sq_init(struct nvmet_sq *sq) + return ret; + } + init_completion(&sq->free_done); ++ init_completion(&sq->confirm_done); + + return 0; + } +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -73,6 +73,7 @@ struct nvmet_sq { + u16 qid; + u16 size; + struct completion free_done; ++ struct completion confirm_done; + }; + + /** 
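Review bot: `nvmet_sq_destroy` now blocks on two completions back to back, and neither the new `wait_for_completion(&sq->confirm_done)` nor the new callback `nvmet_confirm_sq` says what is being waited for. Above the first wait, add `/* wait until the ref has switched to atomic mode, so percpu_ref_tryget_live() can no longer succeed */`. A one-line comment on `nvmet_confirm_sq` stating that it is the confirm callback passed to `percpu_ref_kill_and_confirm()` would complete it. The new `confirm_done` field in `struct nvmet_sq` would also benefit from a short comment next to `free_done`.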
diff --git a/queue-4.9/nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch b/queue-4.9/nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch
new file mode 100644
index 00000000000..f37bb79896c
--- /dev/null
+++ b/queue-4.9/nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch
@@ -0,0 +1,56 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Sagi Grimberg +Date: Thu, 9 Mar 2017 13:45:52 +0200 +Subject: nvmet-rdma: Fix a possible uninitialized variable dereference + +From: Sagi Grimberg + + +[ Upstream commit b25634e2a051bef4b2524b11adddfbfa6448f6cd ] + +When handling a new recv command, we grab a new rsp resource and +check for the queue state being live. In case the queue is not in +live state, we simply restore the rsp back to the free list. However +in this flow we didn't set rsp->queue yet, so we cannot dereference it. + +Instead, make sure to initialize rsp->queue (and other rsp members) +as soon as possible so we won't reference uninitialized variables. + +Reported-by: Yi Zhang +Reported-by: Raju Rangoju +Reviewed-by: Christoph Hellwig +Tested-by: Raju Rangoju +Signed-off-by: Sagi Grimberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/rdma.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -703,11 +703,6 @@ static void nvmet_rdma_handle_command(st + { + u16 status; + +- cmd->queue = queue; +- cmd->n_rdma = 0; +- cmd->req.port = queue->port; +- +- + ib_dma_sync_single_for_cpu(queue->dev->device, + cmd->cmd->sge[0].addr, cmd->cmd->sge[0].length, + DMA_FROM_DEVICE); +@@ -760,9 +755,12 @@ static void nvmet_rdma_recv_done(struct + + cmd->queue = queue; + rsp = nvmet_rdma_get_rsp(queue); ++ rsp->queue = queue; + rsp->cmd = cmd; + rsp->flags = 0; + rsp->req.cmd = cmd->nvme_cmd; ++ rsp->req.port = queue->port; ++ rsp->n_rdma = 0; + + if (unlikely(queue->state != NVMET_RDMA_Q_LIVE)) { + unsigned long flags; diff --git a/queue-4.9/openrisc-fix-issue-handling-8-byte-get_user-calls.patch b/queue-4.9/openrisc-fix-issue-handling-8-byte-get_user-calls.patch new file mode 100644 index 00000000000..ec9fe791356 --- /dev/null +++ b/queue-4.9/openrisc-fix-issue-handling-8-byte-get_user-calls.patch 
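Review bot: After this change `nvmet_rdma_handle_command` no longer sets `cmd->queue`, `cmd->n_rdma` or `cmd->req.port` and silently relies on its caller; only `nvmet_rdma_recv_done` is visible doing that initialisation. Document the precondition above the function, `/* caller must have initialised cmd->queue, cmd->req.port and cmd->n_rdma */`, and check any other caller outside the hunks. In `nvmet_rdma_recv_done` the result of `nvmet_rdma_get_rsp(queue)` is written through immediately; whether it can come back without a usable entry is not visible here and is worth confirming. Both functions continue beyond the hunks.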
@@ -0,0 +1,35 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Stafford Horne +Date: Mon, 13 Mar 2017 07:44:45 +0900 +Subject: openrisc: fix issue handling 8 byte get_user calls + +From: Stafford Horne + + +[ Upstream commit 154e67cd8e8f964809d0e75e44bb121b169c75b3 ] + +Was getting the following error with allmodconfig: + + ERROR: "__get_user_bad" [lib/test_user_copy.ko] undefined! + +This was simply a missing break statement, causing an unwanted fall +through. + +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/openrisc/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/openrisc/include/asm/uaccess.h ++++ b/arch/openrisc/include/asm/uaccess.h +@@ -211,7 +211,7 @@ do { \ + case 1: __get_user_asm(x, ptr, retval, "l.lbz"); break; \ + case 2: __get_user_asm(x, ptr, retval, "l.lhz"); break; \ + case 4: __get_user_asm(x, ptr, retval, "l.lwz"); break; \ +- case 8: __get_user_asm2(x, ptr, retval); \ ++ case 8: __get_user_asm2(x, ptr, retval); break; \ + default: (x) = __get_user_bad(); \ + } \ + } while (0) diff --git a/queue-4.9/pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch b/queue-4.9/pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch new file mode 100644 index 00000000000..98e046318a0 --- /dev/null +++ b/queue-4.9/pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch 
@@ -0,0 +1,50 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Alex Williamson +Date: Wed, 11 Oct 2017 15:35:56 -0600 +Subject: PCI: Detach driver before procfs & sysfs teardown on device remove + +From: Alex Williamson + + +[ Upstream commit 16b6c8bb687cc3bec914de09061fcb8411951fda ] + +When removing a device, for example a VF being removed due to SR-IOV +teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual +hot-unplug, we first remove the procfs and sysfs attributes for the device +before attempting to release the device from any driver bound to it. +Unbinding the driver from the device can take time. The device might need +to write out data or it might be actively in use. If it's in use by +userspace through a vfio driver, the unbind might block until the user +releases the device. This leads to a potentially non-trivial amount of +time where the device exists, but we've torn down the interfaces that +userspace uses to examine devices, for instance lspci might generate this +sort of error: + + pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config + lspci: Unable to read the standard configuration space header of device 0000:01:0a.3 + +We don't seem to have any dependence on this teardown ordering in the +kernel, so let's unbind the driver first, which is also more symmetric with +the instantiation of the device in pci_bus_add_device(). + +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/remove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/remove.c ++++ b/drivers/pci/remove.c +@@ -19,9 +19,9 @@ static void pci_stop_dev(struct pci_dev + pci_pme_active(dev, false); + + if (dev->is_added) { ++ device_release_driver(&dev->dev); + pci_proc_detach_device(dev); + pci_remove_sysfs_dev_files(dev); +- device_release_driver(&dev->dev); + dev->is_added = 0; + } + 
diff --git a/queue-4.9/pci-do-not-allocate-more-buses-than-available-in-parent.patch b/queue-4.9/pci-do-not-allocate-more-buses-than-available-in-parent.patch
new file mode 100644
index 00000000000..e2e7b4ecdbc
--- /dev/null
+++ b/queue-4.9/pci-do-not-allocate-more-buses-than-available-in-parent.patch
@@ -0,0 +1,68 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Mika Westerberg +Date: Fri, 13 Oct 2017 21:35:43 +0300 +Subject: PCI: Do not allocate more buses than available in parent + +From: Mika Westerberg + + +[ Upstream commit a20c7f36bd3d20d245616ae223bb9d05dfb6f050 ] + +One can ask more buses to be reserved for hotplug bridges by passing +pci=hpbussize=N in the kernel command line. If the parent bus does not +have enough bus space available we incorrectly create child bus with the +requested number of subordinate buses. + +In the example below hpbussize is set to one more than we have available +buses in the root port: + + pci 0000:07:00.0: [8086:1578] type 01 class 0x060400 + pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 0 + pci 0000:07:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring + pci 0000:07:00.0: scanning [bus 00-00] behind bridge, pass 1 + pci_bus 0000:08: busn_res: can not insert [bus 08-ff] under [bus 07-3f] (conflicts with (null) [bus 07-3f]) + pci_bus 0000:08: scanning bus + ... + pci_bus 0000:0a: bus scan returning with max=40 + pci_bus 0000:0a: busn_res: [bus 0a-ff] end is updated to 40 + pci_bus 0000:0a: [bus 0a-40] partially hidden behind bridge 0000:07 [bus 07-3f] + pci_bus 0000:08: bus scan returning with max=40 + pci_bus 0000:08: busn_res: [bus 08-ff] end is updated to 40 + +Instead of allowing this, limit the subordinate number to be less than or +equal the maximum subordinate number allocated for the parent bus (if it +has any). 
+ +Signed-off-by: Mika Westerberg +[bhelgaas: remove irrelevant dmesg messages] +Signed-off-by: Bjorn Helgaas + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -932,7 +932,8 @@ int pci_scan_bridge(struct pci_bus *bus, + child = pci_add_new_bus(bus, dev, max+1); + if (!child) + goto out; +- pci_bus_insert_busn_res(child, max+1, 0xff); ++ pci_bus_insert_busn_res(child, max+1, ++ bus->busn_res.end); + } + max++; + buses = (buses & 0xff000000) +@@ -2136,6 +2137,10 @@ unsigned int pci_scan_child_bus(struct p + if (bus->self && bus->self->is_hotplug_bridge && pci_hotplug_bus_size) { + if (max - bus->busn_res.start < pci_hotplug_bus_size - 1) + max = bus->busn_res.start + pci_hotplug_bus_size - 1; ++ ++ /* Do not allocate more buses than we have room left */ ++ if (max > bus->busn_res.end) ++ max = bus->busn_res.end; + } + + /* diff --git a/queue-4.9/pci-pme-handle-invalid-data-when-reading-root-status.patch b/queue-4.9/pci-pme-handle-invalid-data-when-reading-root-status.patch new file mode 100644 index 00000000000..0423e81680f --- /dev/null +++ b/queue-4.9/pci-pme-handle-invalid-data-when-reading-root-status.patch 
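Review bot: In `pci_scan_bridge`, `pci_bus_insert_busn_res(child, max+1, bus->busn_res.end)` is reached without a test that `max+1` still lies inside the parent's range, and the description's "if it has any" case has no matching check in either hunk. If `bus->busn_res.end` is unset or below `max+1`, the child is handed an inverted range; how `pci_bus_insert_busn_res` treats that is outside the hunk. A test placed before `pci_add_new_bus()`, `if (max + 1 > bus->busn_res.end) goto out;`, would rule it out. If the parent's end is always populated at this point, a comment saying so is enough. The same assumption applies to the clamp added in `pci_scan_child_bus`.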
@@ -0,0 +1,60 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Qiang +Date: Thu, 28 Sep 2017 11:54:34 +0800 +Subject: PCI/PME: Handle invalid data when reading Root Status + +From: Qiang + + +[ Upstream commit 3ad3f8ce50914288731a3018b27ee44ab803e170 ] + +PCIe PME and native hotplug share the same interrupt number, so hotplug +interrupts are also processed by PME. In some cases, e.g., a Link Down +interrupt, a device may be present but unreachable, so when we try to +read its Root Status register, the read fails and we get all ones data +(0xffffffff). + +Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e., +"some device has asserted PME," so we scheduled pcie_pme_work_fn(). This +caused an infinite loop because pcie_pme_work_fn() tried to handle PME +requests until PCI_EXP_RTSTA_PME is cleared, but with the link down, +PCI_EXP_RTSTA_PME can't be cleared. + +Check for the invalid 0xffffffff data everywhere we read the Root Status +register. + +1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from +non-existent devices") added similar checks in the hotplug driver. + +Signed-off-by: Qiang Zheng +[bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow +other similar checks] +Signed-off-by: Bjorn Helgaas + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pcie/pme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pcie/pme.c ++++ b/drivers/pci/pcie/pme.c +@@ -232,6 +232,9 @@ static void pcie_pme_work_fn(struct work + break; + + pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta); ++ if (rtsta == (u32) ~0) ++ break; ++ + if (rtsta & PCI_EXP_RTSTA_PME) { + /* + * Clear PME status of the port. 
If there are other +@@ -279,7 +282,7 @@ static irqreturn_t pcie_pme_irq(int irq, + spin_lock_irqsave(&data->lock, flags); + pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta); + +- if (!(rtsta & PCI_EXP_RTSTA_PME)) { ++ if (rtsta == (u32) ~0 || !(rtsta & PCI_EXP_RTSTA_PME)) { + spin_unlock_irqrestore(&data->lock, flags); + return IRQ_NONE; + } diff --git a/queue-4.9/perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch b/queue-4.9/perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch new file mode 100644 index 00000000000..114e2508bbd --- /dev/null +++ b/queue-4.9/perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch 
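Review bot: The all-ones test `rtsta == (u32) ~0` is now written out in both `pcie_pme_work_fn` and `pcie_pme_irq` with no comment on what the value means. Add `/* all ones: the config read failed, e.g. link down; this is not a PME */` at each site, or move the test into a small static helper so the two stay in step. The return value of `pcie_capability_read_dword()` is ignored in both places; testing it as well would catch a failed read that does not produce all ones, if this tree's accessor can report one. Both functions continue outside the hunks.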
@@ -0,0 +1,58 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Daniel Borkmann +Date: Wed, 15 Mar 2017 22:53:37 +0100 +Subject: perf symbols: Fix symbols__fixup_end heuristic for corner cases + +From: Daniel Borkmann + + +[ Upstream commit e7ede72a6d40cb3a30c087142d79381ca8a31dab ] + +The current symbols__fixup_end() heuristic for the last entry in the rb +tree is suboptimal as it leads to not being able to recognize the symbol +in the call graph in a couple of corner cases, for example: + + i) If the symbol has a start address (f.e. exposed via kallsyms) + that is at a page boundary, then the roundup(curr->start, 4096) + for the last entry will result in curr->start == curr->end with + a symbol length of zero. + +ii) If the symbol has a start address that is shortly before a page + boundary, then also here, curr->end - curr->start will just be + very few bytes, where it's unrealistic that we could perform a + match against. + +Instead, change the heuristic to roundup(curr->start, 4096) + 4096, so +that we can catch such corner cases and have a better chance to find +that specific symbol. It's still just best effort as the real end of the +symbol is unknown to us (and could even be at a larger offset than the +current range), but better than the current situation. + +Alexei reported that he recently run into case i) with a JITed eBPF +program (these are all page aligned) as the last symbol which wasn't +properly shown in the call graph (while other eBPF program symbols in +the rb tree were displayed correctly). Since this is a generic issue, +lets try to improve the heuristic a bit. 
+ +Reported-and-Tested-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Fixes: 2e538c4a1847 ("perf tools: Improve kernel/modules symbol lookup") +Link: http://lkml.kernel.org/r/bb5c80d27743be6f12afc68405f1956a330e1bc9.1489614365.git.daniel@iogearbox.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/symbol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/symbol.c ++++ b/tools/perf/util/symbol.c +@@ -202,7 +202,7 @@ void symbols__fixup_end(struct rb_root * + + /* Last entry */ + if (curr->end == curr->start) +- curr->end = roundup(curr->start, 4096); ++ curr->end = roundup(curr->start, 4096) + 4096; + } + + void __map_groups__fixup_end(struct map_groups *mg, enum map_type type) diff --git a/queue-4.9/pinctrl-adi2-fix-kconfig-build-problem.patch b/queue-4.9/pinctrl-adi2-fix-kconfig-build-problem.patch new file mode 100644 index 00000000000..e7812f9b197 --- /dev/null +++ b/queue-4.9/pinctrl-adi2-fix-kconfig-build-problem.patch 
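Review bot: The last-entry fallback in symbols__fixup_end() now hard-codes 4096 twice, `roundup(curr->start, 4096) + 4096`, which bakes a 4 KiB page size into the heuristic. A named constant would make that assumption explicit and keep the two values from drifting apart. The `/* Last entry */` comment could also say why one extra page is added, e.g. `/* Last entry: real end unknown, pad to the next page boundary plus one page */`. The function starts outside the hunk.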
@@ -0,0 +1,99 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Linus Walleij +Date: Wed, 11 Oct 2017 11:57:15 +0200 +Subject: pinctrl: adi2: Fix Kconfig build problem + +From: Linus Walleij + + +[ Upstream commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 ] + +The build robot is complaining on Blackfin: + +drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup': +>> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing + pointer to incomplete type 'struct gpio_port_t' + writew(readw(®s->port_fer) & ~BIT(offset), + ^~ +drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq': +>> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing +pointer to incomplete type 'struct bfin_pint_regs' + if (readl(®s->invert_set) & pintbit) + ^~ +It seems the driver need to include and +to compile. + +The Blackfin architecture was re-defining the Kconfig +PINCTRL symbol which is not OK, so replaced this with +PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2 +just like most arches do. + +Further, the old GPIO driver symbol GPIO_ADI was possible to +select at the same time as selecting PINCTRL. This was not +working because the arch-local header contains +an explicit #ifndef PINCTRL clause making compilation break +if you combine them. The same is true for DEBUG_MMRS. + +Make sure the ADI2 pinctrl driver is not selected at the same +time as the old GPIO implementation. (This should be converted +to use gpiolib or pincontrol and move to drivers/...) Also make +sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at +the same time as the new PINCTRL implementation, and only make +PINCTRL_ADI2 selectable for the Blackfin families that actually +have it. + +This way it is still possible to add e.g. I2C-based pin +control expanders on the Blackfin. 
+ +Cc: Steven Miao +Cc: Huanhuan Feng +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/blackfin/Kconfig | 7 +++++-- + arch/blackfin/Kconfig.debug | 1 + + drivers/pinctrl/Kconfig | 3 ++- + 3 files changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/blackfin/Kconfig ++++ b/arch/blackfin/Kconfig +@@ -319,11 +319,14 @@ config BF53x + + config GPIO_ADI + def_bool y ++ depends on !PINCTRL + depends on (BF51x || BF52x || BF53x || BF538 || BF539 || BF561) + +-config PINCTRL ++config PINCTRL_BLACKFIN_ADI2 + def_bool y +- depends on BF54x || BF60x ++ depends on (BF54x || BF60x) ++ select PINCTRL ++ select PINCTRL_ADI2 + + config MEM_MT48LC64M4A2FB_7E + bool +--- a/arch/blackfin/Kconfig.debug ++++ b/arch/blackfin/Kconfig.debug +@@ -17,6 +17,7 @@ config DEBUG_VERBOSE + + config DEBUG_MMRS + tristate "Generate Blackfin MMR tree" ++ depends on !PINCTRL + select DEBUG_FS + help + Create a tree of Blackfin MMRs via the debugfs tree. If +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -26,7 +26,8 @@ config DEBUG_PINCTRL + + config PINCTRL_ADI2 + bool "ADI pin controller driver" +- depends on BLACKFIN ++ depends on (BF54x || BF60x) ++ depends on !GPIO_ADI + select PINMUX + select IRQ_DOMAIN + help diff --git a/queue-4.9/platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch b/queue-4.9/platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch new file mode 100644 index 00000000000..3b62b95a06b --- /dev/null +++ b/queue-4.9/platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch 
@@ -0,0 +1,41 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Osama Khan
+Date: Sat, 21 Oct 2017 10:42:21 +0000
+Subject: platform/x86: hp_accel: Add quirk for HP ProBook 440 G4
+
+From: Osama Khan
+
+
+[ Upstream commit 163ca80013aafb6dc9cb295de3db7aeab9ab43f8 ]
+
+Added support for HP ProBook 440 G4 laptops by including the accelerometer
+orientation quirk for that device. Testing was performed based on the
+axis orientation guidelines here:
+https://www.kernel.org/doc/Documentation/misc-devices/lis3lv02d
+which states "If the left side is elevated, X increases (becomes positive)".
+
+When tested, on lifting the left edge, x values became increasingly negative
+thus indicating an inverted x-axis on the installed lis3lv02d chip.
+This was compensated by adding an entry for this device in hp_accel.c
+specifying the quirk as x_inverted. The patch was tested on a
+ProBook 440 G4 device and x-axis as well as y and z-axis values are now
+generated as per spec.
+
+Signed-off-by: Osama Khan
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/hp_accel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/hp_accel.c
++++ b/drivers/platform/x86/hp_accel.c
+@@ -240,6 +240,7 @@ static const struct dmi_system_id lis3lv
+ AXIS_DMI_MATCH("HDX18", "HP HDX 18", x_inverted),
+ AXIS_DMI_MATCH("HPB432x", "HP ProBook 432", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB440G3", "HP ProBook 440 G3", x_inverted_usd),
++ AXIS_DMI_MATCH("HPB440G4", "HP ProBook 440 G4", x_inverted),
+ AXIS_DMI_MATCH("HPB442x", "HP ProBook 442", xy_rotated_left),
+ AXIS_DMI_MATCH("HPB452x", "HP ProBook 452", y_inverted),
+ AXIS_DMI_MATCH("HPB522x", "HP ProBook 522", xy_swap),
diff --git a/queue-4.9/platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch b/queue-4.9/platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch
new file mode 100644
index 00000000000..9ea78f6939c
--- /dev/null
+++ b/queue-4.9/platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch 
@@ -0,0 +1,67 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Kuppuswamy Sathyanarayanan +Date: Sun, 29 Oct 2017 02:49:54 -0700 +Subject: platform/x86: intel_punit_ipc: Fix resource ioremap warning + +From: Kuppuswamy Sathyanarayanan + + +[ Upstream commit 6cc8cbbc8868033f279b63e98b26b75eaa0006ab ] + +For PUNIT device, ISPDRIVER_IPC and GTDDRIVER_IPC resources are not +mandatory. So when PMC IPC driver creates a PUNIT device, if these +resources are not available then it creates dummy resource entries for +these missing resources. But during PUNIT device probe, doing ioremap on +these dummy resources generates following warning messages. + +intel_punit_ipc: can't request region for resource [mem 0x00000000] +intel_punit_ipc: can't request region for resource [mem 0x00000000] +intel_punit_ipc: can't request region for resource [mem 0x00000000] +intel_punit_ipc: can't request region for resource [mem 0x00000000] + +This patch fixes this issue by adding extra check for resource size +before performing ioremap operation. 
+ +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel_punit_ipc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/platform/x86/intel_punit_ipc.c ++++ b/drivers/platform/x86/intel_punit_ipc.c +@@ -252,28 +252,28 @@ static int intel_punit_get_bars(struct p + * - GTDRIVER_IPC BASE_IFACE + */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 2); +- if (res) { ++ if (res && resource_size(res) > 1) { + addr = devm_ioremap_resource(&pdev->dev, res); + if (!IS_ERR(addr)) + punit_ipcdev->base[ISPDRIVER_IPC][BASE_DATA] = addr; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 3); +- if (res) { ++ if (res && resource_size(res) > 1) { + addr = devm_ioremap_resource(&pdev->dev, res); + if (!IS_ERR(addr)) + punit_ipcdev->base[ISPDRIVER_IPC][BASE_IFACE] = addr; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 4); +- if (res) { ++ if (res && resource_size(res) > 1) { + addr = devm_ioremap_resource(&pdev->dev, res); + if (!IS_ERR(addr)) + punit_ipcdev->base[GTDRIVER_IPC][BASE_DATA] = addr; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 5); +- if (res) { ++ if (res && resource_size(res) > 1) { + addr = devm_ioremap_resource(&pdev->dev, res); + if (!IS_ERR(addr)) + punit_ipcdev->base[GTDRIVER_IPC][BASE_IFACE] = addr; diff --git a/queue-4.9/platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch b/queue-4.9/platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch new file mode 100644 index 00000000000..be1bf544fda --- /dev/null +++ b/queue-4.9/platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch 
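Review bot: The test `resource_size(res) > 1` is repeated for resources 2 to 5 in intel_punit_get_bars() with nothing in the code saying why 1 is the threshold. According to the changelog the PMC IPC driver supplies dummy entries for the optional ISPDRIVER_IPC and GTDRIVER_IPC resources, so a comment above the first check would tie the number to that, e.g. `/* optional BAR: the PMC IPC driver passes a dummy entry when it is absent, skip it */`. The function body starts and ends outside the hunk.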
@@ -0,0 +1,56 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Markus Elfring
+Date: Wed, 1 Nov 2017 18:42:45 +0100
+Subject: platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill()
+
+From: Markus Elfring
+
+
+[ Upstream commit f6c8a317ab208aee223776327c06f23342492d54 ]
+
+Source code review for a specific software refactoring showed the need
+for another correction because the error code "-1" was returned so far
+if a call of the function "sony_call_snc_handle" failed here.
+Thus assign the return value from these two function calls also to
+the variable "err" and provide it in case of a failure.
+
+Fixes: d6f15ed876b83a1a0eba1d0473eef58acc95444a ("sony-laptop: use soft rfkill status stored in hw")
+Suggested-by: Andy Shevchenko
+Link: https://lkml.org/lkml/2017/10/31/463
+Link: https://lkml.kernel.org/r/
+Signed-off-by: Markus Elfring
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/sony-laptop.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1660,17 +1660,19 @@ static int sony_nc_setup_rfkill(struct a
+ if (!rfk)
+ return -ENOMEM;
+
+- if (sony_call_snc_handle(sony_rfkill_handle, 0x200, &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle, 0x200, &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ hwblock = !(result & 0x1);
+
+- if (sony_call_snc_handle(sony_rfkill_handle,
+- sony_rfkill_address[nc_type],
+- &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle,
++ sony_rfkill_address[nc_type],
++ &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ swblock = !(result & 0x2);
+
diff --git a/queue-4.9/powerpc-ipic-fix-status-get-and-status-clear.patch b/queue-4.9/powerpc-ipic-fix-status-get-and-status-clear.patch
new file mode 100644
index 00000000000..e2c3144c7c8
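Review bot: Both failure branches in sony_nc_setup_rfkill() now repeat the same two lines, `rfkill_destroy(rfk); return err;`. A single error label would keep the cleanup in one place: `goto err_destroy;` in each branch, with `err_destroy: rfkill_destroy(rfk); return err;` at the end of the function. The function continues outside the hunk, so whether later failure paths could share that label cannot be seen from here.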
--- /dev/null
+++ b/queue-4.9/powerpc-ipic-fix-status-get-and-status-clear.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christophe Leroy
+Date: Wed, 18 Oct 2017 11:16:47 +0200
+Subject: powerpc/ipic: Fix status get and status clear
+
+From: Christophe Leroy
+
+
+[ Upstream commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 ]
+
+IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
+which is the mask register.
+
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/sysdev/ipic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/sysdev/ipic.c
++++ b/arch/powerpc/sysdev/ipic.c
+@@ -845,12 +845,12 @@ void ipic_disable_mcp(enum ipic_mcp_irq
+
+ u32 ipic_get_mcp_status(void)
+ {
+- return ipic_read(primary_ipic->regs, IPIC_SERMR);
++ return ipic_read(primary_ipic->regs, IPIC_SERSR);
+ }
+
+ void ipic_clear_mcp_status(u32 mask)
+ {
+- ipic_write(primary_ipic->regs, IPIC_SERMR, mask);
++ ipic_write(primary_ipic->regs, IPIC_SERSR, mask);
+ }
+
+ /* Return an interrupt vector or 0 if no interrupt is pending. */
diff --git a/queue-4.9/powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch b/queue-4.9/powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch
new file mode 100644
index 00000000000..8cb17ab4dab
--- /dev/null
+++ b/queue-4.9/powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch
@@ -0,0 +1,58 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: "William A. Kennington III" +Date: Fri, 22 Sep 2017 16:58:00 -0700 +Subject: powerpc/opal: Fix EBUSY bug in acquiring tokens + +From: "William A. Kennington III" + + +[ Upstream commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 ] + +The current code checks the completion map to look for the first token +that is complete. In some cases, a completion can come in but the +token can still be on lease to the caller processing the completion. +If this completed but unreleased token is the first token found in the +bitmap by another tasks trying to acquire a token, then the +__test_and_set_bit call will fail since the token will still be on +lease. The acquisition will then fail with an EBUSY. + +This patch reorganizes the acquisition code to look at the +opal_async_token_map for an unleased token. If the token has no lease +it must have no outstanding completions so we should never see an +EBUSY, unless we have leased out too many tokens. Since +opal_async_get_token_inrerruptible is protected by a semaphore, we +will practically never see EBUSY anymore. + +Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion") +Signed-off-by: William A. 
Kennington III +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/opal-async.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-async.c ++++ b/arch/powerpc/platforms/powernv/opal-async.c +@@ -39,18 +39,18 @@ int __opal_async_get_token(void) + int token; + + spin_lock_irqsave(&opal_async_comp_lock, flags); +- token = find_first_bit(opal_async_complete_map, opal_max_async_tokens); ++ token = find_first_zero_bit(opal_async_token_map, opal_max_async_tokens); + if (token >= opal_max_async_tokens) { + token = -EBUSY; + goto out; + } + +- if (__test_and_set_bit(token, opal_async_token_map)) { ++ if (!__test_and_clear_bit(token, opal_async_complete_map)) { + token = -EBUSY; + goto out; + } + +- __clear_bit(token, opal_async_complete_map); ++ __set_bit(token, opal_async_token_map); + + out: + spin_unlock_irqrestore(&opal_async_comp_lock, flags); diff --git a/queue-4.9/powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch b/queue-4.9/powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch new file mode 100644 index 00000000000..7a291eaf16f --- /dev/null +++ b/queue-4.9/powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch 
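Review bot: The second `-EBUSY` branch in __opal_async_get_token(), `if (!__test_and_clear_bit(token, opal_async_complete_map))`, handles a state the changelog says cannot occur: a token with no lease that still has a completion outstanding. If that invariant is ever broken the caller only sees a busy error, and because the search always starts from the first zero bit in opal_async_token_map, later calls would presumably pick the same token and fail the same way. I would make the violation visible, e.g. `if (WARN_ON(!__test_and_clear_bit(token, opal_async_complete_map))) {`, or at least add `/* an unleased token must have no completion outstanding */` above the branch.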
@@ -0,0 +1,39 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Michael Ellerman
+Date: Mon, 9 Oct 2017 21:52:44 +1100
+Subject: powerpc/perf/hv-24x7: Fix incorrect comparison in memord
+
+From: Michael Ellerman
+
+
+[ Upstream commit 05c14c03138532a3cb2aa29c2960445c8753343b ]
+
+In the hv-24x7 code there is a function memord() which tries to
+implement a sort function return -1, 0, 1. However one of the
+conditions is incorrect, such that it can never be true, because we
+will have already returned.
+
+I don't believe there is a bug in practice though, because the
+comparisons are an optimisation prior to calling memcmp().
+
+Fix it by swapping the second comparision, so it can be true.
+
+Reported-by: David Binderman
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/perf/hv-24x7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -516,7 +516,7 @@ static int memord(const void *d1, size_t
+ {
+ if (s1 < s2)
+ return 1;
+- if (s2 > s1)
++ if (s1 > s2)
+ return -1;
+
+ return memcmp(d1, d2, s1);
diff --git a/queue-4.9/powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch b/queue-4.9/powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch
new file mode 100644
index 00000000000..cb6c1e70d58
--- /dev/null
+++ b/queue-4.9/powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch
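Review bot: With the condition fixed, memord() returns 1 when `s1 < s2` and -1 when `s1 > s2`, which is the opposite sign from what the memcmp() call on the last line would suggest for a smaller-first ordering. Whether that size ordering is intended cannot be told from the hunk, since the callers are outside it. A comment stating the contract would settle it, e.g. `/* Order by size first (larger size sorts first), then by content */`. If the inversion is not intended, the two return values should be swapped.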
@@ -0,0 +1,36 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Shriya
+Date: Fri, 13 Oct 2017 10:06:41 +0530
+Subject: powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
+
+From: Shriya
+
+
+[ Upstream commit cd77b5ce208c153260ed7882d8910f2395bfaabd ]
+
+The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
+returns the last frequency requested by the kernel, but may not
+reflect the actual frequency the processor is running at. This patch
+makes a call to cpufreq_get() instead which returns the current
+frequency reported by the hardware.
+
+Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
+Signed-off-by: Shriya
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/powernv/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -289,7 +289,7 @@ static unsigned long pnv_get_proc_freq(u
+ {
+ unsigned long ret_freq;
+
+- ret_freq = cpufreq_quick_get(cpu) * 1000ul;
++ ret_freq = cpufreq_get(cpu) * 1000ul;
+
+ /*
+ * If the backend cpufreq driver does not exist,
diff --git a/queue-4.9/ppp-destroy-the-mutex-when-cleanup.patch b/queue-4.9/ppp-destroy-the-mutex-when-cleanup.patch
new file mode 100644
index 00000000000..86817056bf0
--- /dev/null
+++ b/queue-4.9/ppp-destroy-the-mutex-when-cleanup.patch
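Review bot: pnv_get_proc_freq() now calls cpufreq_get(), which as far as I know queries the cpufreq driver under the policy lock instead of returning a cached value, so every /proc/cpuinfo read pays that cost once per CPU. That is the purpose of the change, but it deserves a line at the call site so nobody switches back for speed, e.g. `/* cpufreq_get() asks the driver; cpufreq_quick_get() only returns the last requested frequency */`. The rest of the function, including the fallback described in the trailing comment, is outside the hunk.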
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Gao Feng
+Date: Tue, 31 Oct 2017 18:25:37 +0800
+Subject: ppp: Destroy the mutex when cleanup
+
+From: Gao Feng
+
+
+[ Upstream commit f02b2320b27c16b644691267ee3b5c110846f49e ]
+
+The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
+good readbility, it's better to invoke it in exit func when the init
+func invokes mutex_init.
+
+Signed-off-by: Gao Feng
+Acked-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/ppp_generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -958,6 +958,7 @@ static __net_exit void ppp_exit_net(stru
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+
++ mutex_destroy(&pn->all_ppp_mutex);
+ idr_destroy(&pn->units_idr);
+ }
+
diff --git a/queue-4.9/qed-align-cids-according-to-dorq-requirement.patch b/queue-4.9/qed-align-cids-according-to-dorq-requirement.patch
new file mode 100644
index 00000000000..e38f2dc66fe
--- /dev/null
+++ b/queue-4.9/qed-align-cids-according-to-dorq-requirement.patch
@@ -0,0 +1,41 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Ram Amrani
+Date: Tue, 14 Mar 2017 15:25:58 +0200
+Subject: qed: Align CIDs according to DORQ requirement
+
+From: Ram Amrani
+
+
+[ Upstream commit f3e48119b97f56fb09310c95d49da122a27003d7 ]
+
+The Doorbell HW block can be configured at a granularity
+of 16 x CIDs, so we need to make sure that the actual number
+of CIDs configured would be a multiplication of 16.
+
+Today, when RoCE is enabled - given that the number is unaligned,
+doorbelling the higher CIDs would fail to reach the firmware and
+would eventually timeout.
+
+Fixes: dbb799c39717 ("qed: Initialize hardware for new protocols")
+Signed-off-by: Ram Amrani
+Signed-off-by: Yuval Mintz
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_cxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+@@ -373,8 +373,9 @@ static void qed_cxt_set_proto_cid_count(
+ u32 page_sz = p_mgr->clients[ILT_CLI_CDUC].p_size.val;
+ u32 cxt_size = CONN_CXT_SIZE(p_hwfn);
+ u32 elems_per_page = ILT_PAGE_IN_BYTES(page_sz) / cxt_size;
++ u32 align = elems_per_page * DQ_RANGE_ALIGN;
+
+- p_conn->cid_count = roundup(p_conn->cid_count, elems_per_page);
++ p_conn->cid_count = roundup(p_conn->cid_count, align);
+ }
+ }
+
diff --git a/queue-4.9/qed-fix-interrupt-flags-on-rx-ll2.patch b/queue-4.9/qed-fix-interrupt-flags-on-rx-ll2.patch
new file mode 100644
index 00000000000..747c19246e9
--- /dev/null
+++ b/queue-4.9/qed-fix-interrupt-flags-on-rx-ll2.patch
@@ -0,0 +1,66 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Ram Amrani +Date: Tue, 14 Mar 2017 15:26:02 +0200 +Subject: qed: Fix interrupt flags on Rx LL2 + +From: Ram Amrani + + +[ Upstream commit 1df2adedcce17ad4a39fba74f0e2b611f797fe10 ] + +Before iterating over the the LL2 Rx ring, the ring's +spinlock is taken via spin_lock_irqsave(). +The actual processing of the packet [including handling +by the protocol driver] is done without said lock, +so qed releases the spinlock and re-claims it afterwards. + +Problem is that the final spin_lock_irqrestore() at the end +of the iteration uses the original flags saved from the +initial irqsave() instead of the flags from the most recent +irqsave(). So it's possible that the interrupt status would +be incorrect at the end of the processing. + +Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support"); +CC: Ram Amrani +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_ll2.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c +@@ -443,7 +443,7 @@ qed_ll2_rxq_completion_gsi(struct qed_hw + static int qed_ll2_rxq_completion_reg(struct qed_hwfn *p_hwfn, + struct qed_ll2_info *p_ll2_conn, + union core_rx_cqe_union *p_cqe, +- unsigned long lock_flags, ++ unsigned long *p_lock_flags, + bool b_last_cqe) + { + struct qed_ll2_rx_queue *p_rx = &p_ll2_conn->rx_queue; +@@ -464,10 +464,10 @@ static int qed_ll2_rxq_completion_reg(st + "Mismatch between active_descq and the LL2 Rx chain\n"); + list_add_tail(&p_pkt->list_entry, &p_rx->free_descq); + +- spin_unlock_irqrestore(&p_rx->lock, lock_flags); ++ spin_unlock_irqrestore(&p_rx->lock, *p_lock_flags); + qed_ll2b_complete_rx_packet(p_hwfn, p_ll2_conn->my_id, + p_pkt, &p_cqe->rx_cqe_fp, b_last_cqe); +- spin_lock_irqsave(&p_rx->lock, lock_flags); ++ 
spin_lock_irqsave(&p_rx->lock, *p_lock_flags); + + return 0; + } +@@ -507,7 +507,8 @@ static int qed_ll2_rxq_completion(struct + break; + case CORE_RX_CQE_TYPE_REGULAR: + rc = qed_ll2_rxq_completion_reg(p_hwfn, p_ll2_conn, +- cqe, flags, b_last_cqe); ++ cqe, &flags, ++ b_last_cqe); + break; + default: + rc = -EIO; diff --git a/queue-4.9/qed-fix-mapping-leak-on-ll2-rx-flow.patch b/queue-4.9/qed-fix-mapping-leak-on-ll2-rx-flow.patch new file mode 100644 index 00000000000..40b57ecbe06 --- /dev/null +++ b/queue-4.9/qed-fix-mapping-leak-on-ll2-rx-flow.patch @@ -0,0 +1,32 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: "Mintz, Yuval" +Date: Tue, 14 Mar 2017 15:26:00 +0200 +Subject: qed: Fix mapping leak on LL2 rx flow + +From: "Mintz, Yuval" + + +[ Upstream commit 752ecb2da11124a948567076b60767dc8034cfa5 ] + +When receiving an Rx LL2 packet, qed fails to unmap the previous buffer. + +Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support"); +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_ll2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c +@@ -187,6 +187,8 @@ static void qed_ll2b_complete_rx_packet( + /* If need to reuse or there's no replacement buffer, repost this */ + if (rc) + goto out_post; ++ dma_unmap_single(&cdev->pdev->dev, buffer->phys_addr, ++ cdev->ll2->rx_size, DMA_FROM_DEVICE); + + skb = build_skb(buffer->data, 0); + if (!skb) { diff --git a/queue-4.9/raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch b/queue-4.9/raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch new file mode 100644 index 00000000000..44c9b1040c9 --- /dev/null +++ b/queue-4.9/raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch 
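Review bot: qed_ll2_rxq_completion_reg() is entered with `p_rx->lock` held, drops it around qed_ll2b_complete_rx_packet() and takes it again, yet nothing at the definition says so even though the new `p_lock_flags` parameter makes that contract part of the signature. A comment above the function would document it, e.g. `/* Called with p_rx->lock held; the lock is dropped and re-taken around the completion callback and *p_lock_flags is updated */`. The caller in qed_ll2_rxq_completion() should also not rely on ring state it read before the call, since that state can change while the lock is dropped. The loop around that call is outside the hunk, so this needs checking in the full file.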
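Review bot: The added dma_unmap_single() in qed_ll2b_complete_rx_packet() runs before build_skb(), so on the `if (!skb)` path the buffer has already been unmapped. The body of that branch is outside the hunk; if it reposts the same buffer the way the `goto out_post` just above does, the ring would be handed `buffer->phys_addr` for a mapping that no longer exists. I would either unmap only after build_skb() has succeeded or make the failure path install the replacement buffer before reposting. The unmap length comes from `cdev->ll2->rx_size`, which has to match the size used when the buffer was mapped; the mapping call is not visible here.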
@@ -0,0 +1,52 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: NeilBrown
+Date: Tue, 17 Oct 2017 16:18:36 +1100
+Subject: raid5: Set R5_Expanded on parity devices as well as data.
+
+From: NeilBrown
+
+
+[ Upstream commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 ]
+
+When reshaping a fully degraded raid5/raid6 to a larger
+nubmer of devices, the new device(s) are not in-sync
+and so that can make the newly grown stripe appear to be
+"failed".
+To avoid this, we set the R5_Expanded flag to say "Even though
+this device is not fully in-sync, this block is safe so
+don't treat the device as failed for this stripe".
+This flag is set for data devices, not not for parity devices.
+
+Consequently, if you have a RAID6 with two devices that are partly
+recovered and a spare, and start a reshape to include the spare,
+then when the reshape gets past the point where the recovery was
+up to, it will think the stripes are failed and will get into
+an infinite loop, failing to make progress.
+
+So when contructing parity on an EXPAND_READY stripe,
+set R5_Expanded.
+
+Reported-by: Curt
+Signed-off-by: NeilBrown
+Signed-off-by: Shaohua Li
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1689,8 +1689,11 @@ static void ops_complete_reconstruct(voi
+ struct r5dev *dev = &sh->dev[i];
+
+ if (dev->written || i == pd_idx || i == qd_idx) {
+- if (!discard && !test_bit(R5_SkipCopy, &dev->flags))
++ if (!discard && !test_bit(R5_SkipCopy, &dev->flags)) {
+ set_bit(R5_UPTODATE, &dev->flags);
++ if (test_bit(STRIPE_EXPAND_READY, &sh->state))
++ set_bit(R5_Expanded, &dev->flags);
++ }
+ if (fua)
+ set_bit(R5_WantFUA, &dev->flags);
+ if (sync)
diff --git a/queue-4.9/rdma-cma-avoid-triggering-undefined-behavior.patch b/queue-4.9/rdma-cma-avoid-triggering-undefined-behavior.patch
new file mode 100644
index 00000000000..81549067cd8
--- /dev/null +++ b/queue-4.9/rdma-cma-avoid-triggering-undefined-behavior.patch 
@@ -0,0 +1,79 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Bart Van Assche +Date: Wed, 11 Oct 2017 10:48:45 -0700 +Subject: RDMA/cma: Avoid triggering undefined behavior + +From: Bart Van Assche + + +[ Upstream commit c0b64f58e8d49570aa9ee55d880f92c20ff0166b ] + +According to the C standard the behavior of computations with +integer operands is as follows: +* A computation involving unsigned operands can never overflow, + because a result that cannot be represented by the resulting + unsigned integer type is reduced modulo the number that is one + greater than the largest value that can be represented by the + resulting type. +* The behavior for signed integer underflow and overflow is + undefined. + +Hence only use unsigned integers when checking for integer +overflow. + +This patch is what I came up with after having analyzed the +following smatch warnings: + +drivers/infiniband/core/cma.c:3448: cma_resolve_ib_udp() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len' +drivers/infiniband/core/cma.c:3505: cma_connect_ib() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len' + +Signed-off-by: Bart Van Assche +Acked-by: Sean Hefty +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1482,7 +1482,7 @@ static struct rdma_id_private *cma_id_fr + return id_priv; + } + +-static inline int cma_user_data_offset(struct rdma_id_private *id_priv) ++static inline u8 cma_user_data_offset(struct rdma_id_private *id_priv) + { + return cma_family(id_priv) == AF_IB ? 
0 : sizeof(struct cma_hdr); + } +@@ -1877,7 +1877,8 @@ static int cma_req_handler(struct ib_cm_ + struct rdma_id_private *listen_id, *conn_id = NULL; + struct rdma_cm_event event; + struct net_device *net_dev; +- int offset, ret; ++ u8 offset; ++ int ret; + + listen_id = cma_id_from_event(cm_id, ib_event, &net_dev); + if (IS_ERR(listen_id)) +@@ -3309,7 +3310,8 @@ static int cma_resolve_ib_udp(struct rdm + struct ib_cm_sidr_req_param req; + struct ib_cm_id *id; + void *private_data; +- int offset, ret; ++ u8 offset; ++ int ret; + + memset(&req, 0, sizeof req); + offset = cma_user_data_offset(id_priv); +@@ -3366,7 +3368,8 @@ static int cma_connect_ib(struct rdma_id + struct rdma_route *route; + void *private_data; + struct ib_cm_id *id; +- int offset, ret; ++ u8 offset; ++ int ret; + + memset(&req, 0, sizeof req); + offset = cma_user_data_offset(id_priv); diff --git a/queue-4.9/rdma-cxgb4-declare-stag-as-__be32.patch b/queue-4.9/rdma-cxgb4-declare-stag-as-__be32.patch new file mode 100644 index 00000000000..94c08f8983e --- /dev/null +++ b/queue-4.9/rdma-cxgb4-declare-stag-as-__be32.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Leon Romanovsky +Date: Wed, 25 Oct 2017 07:41:11 +0300 +Subject: RDMA/cxgb4: Declare stag as __be32 + +From: Leon Romanovsky + + +[ Upstream commit 35fb2a88ed4b77356fa679a8525c869a3594e287 ] + +The scqe.stag is actually __b32, fix it. + + drivers/infiniband/hw/cxgb4/cq.c:754:52: warning: cast to restricted __be32 + +Cc: Steve Wise +Signed-off-by: Leon Romanovsky +Reviewed-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/cxgb4/t4.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/cxgb4/t4.h ++++ b/drivers/infiniband/hw/cxgb4/t4.h +@@ -171,7 +171,7 @@ struct t4_cqe { + __be32 msn; + } rcqe; + struct { +- u32 stag; ++ __be32 stag; + u16 nada2; + u16 cidx; + } scqe; 
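Review bot: cma_user_data_offset() now returns `u8` while the value it returns is `sizeof(struct cma_hdr)`, so the function silently depends on that structure staying under 256 bytes. If the header ever grew past that, the offset would be truncated and the `offset + conn_param->private_data_len` checks quoted in the changelog would be computed from the wrong value. A compile-time guard next to the return pins the assumption: `BUILD_BUG_ON(sizeof(struct cma_hdr) > 255);`. The three callers changed here (cma_req_handler(), cma_resolve_ib_udp() and cma_connect_ib()) continue outside their hunks, so the arithmetic that consumes `offset` is not visible.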
diff --git a/queue-4.9/revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch b/queue-4.9/revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch new file mode 100644 index 00000000000..9222b1e6465 --- /dev/null +++ b/queue-4.9/revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch 
@@ -0,0 +1,173 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dou Liyang
+Date: Fri, 3 Mar 2017 16:02:23 +0800
+Subject: Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when booting"
+
+From: Dou Liyang
+
+
+[ Upstream commit c962cff17dfa11f4a8227ac16de2b28aea3312e4 ]
+
+Revert: dc6db24d2476 ("x86/acpi: Set persistent cpuid <-> nodeid mapping when booting")
+
+The mapping of "cpuid <-> nodeid" is established at boot time via ACPI
+tables to keep associations of workqueues and other node related items
+consistent across cpu hotplug.
+
+But, ACPI tables are unreliable and failures with that boot time mapping
+have been reported on machines where the ACPI table and the physical
+information which is retrieved at actual hotplug is inconsistent.
+
+Revert the mapping implementation so it can be replaced with a less error
+prone approach.
+
+Signed-off-by: Dou Liyang
+Tested-by: Xiaolong Ye
+Cc: rjw@rjwysocki.net
+Cc: linux-acpi@vger.kernel.org
+Cc: guzheng1@huawei.com
+Cc: izumi.taku@jp.fujitsu.com
+Cc: lenb@kernel.org
+Link: http://lkml.kernel.org/r/1488528147-2279-2-git-send-email-douly.fnst@cn.fujitsu.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/acpi/boot.c | 2 -
+ drivers/acpi/acpi_processor.c | 5 --
+ drivers/acpi/bus.c | 1
+ drivers/acpi/processor_core.c | 73 ------------------------------------------
+ include/linux/acpi.h | 3 -
+ 5 files changed, 1 insertion(+), 83 deletions(-)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -720,7 +720,7 @@ static void __init acpi_set_irq_model_io
+ #ifdef CONFIG_ACPI_HOTPLUG_CPU
+ #include
+
+-int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
++static int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
+ {
+ #ifdef CONFIG_ACPI_NUMA
+ int nid;
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -182,11 +182,6 @@ int __weak arch_register_cpu(int cpu)
+
+ void __weak arch_unregister_cpu(int cpu) {}
+
+-int __weak acpi_map_cpu2node(acpi_handle handle, int cpu, int physid)
+-{
+- return -ENODEV;
+-}
+-
+ static int acpi_processor_hotadd_init(struct acpi_processor *pr)
+ {
+ unsigned long long sta;
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -1197,7 +1197,6 @@ static int __init acpi_init(void)
+ acpi_wakeup_device_init();
+ acpi_debugger_init();
+ acpi_setup_sb_notify_handler();
+- acpi_set_processor_mapping();
+ return 0;
+ }
+
+--- a/drivers/acpi/processor_core.c
++++ b/drivers/acpi/processor_core.c
+@@ -280,79 +280,6 @@ int acpi_get_cpuid(acpi_handle handle, i
+ }
+ EXPORT_SYMBOL_GPL(acpi_get_cpuid);
+
+-#ifdef CONFIG_ACPI_HOTPLUG_CPU
+-static bool __init
+-map_processor(acpi_handle handle, phys_cpuid_t *phys_id, int *cpuid)
+-{
+- int type, id;
+- u32 acpi_id;
+- acpi_status status;
+- acpi_object_type acpi_type;
+- unsigned long long tmp;
+- union acpi_object object = { 0 };
+- struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
+-
+- status = acpi_get_type(handle, &acpi_type);
+- if (ACPI_FAILURE(status))
+- return false;
+-
+- switch (acpi_type) {
+- case ACPI_TYPE_PROCESSOR:
+- status = acpi_evaluate_object(handle, NULL, NULL, &buffer);
+- if (ACPI_FAILURE(status))
+- return false;
+- acpi_id = object.processor.proc_id;
+-
+- /* validate the acpi_id */
+- if(acpi_processor_validate_proc_id(acpi_id))
+- return false;
+- break;
+- case ACPI_TYPE_DEVICE:
+- status = acpi_evaluate_integer(handle, "_UID", NULL, &tmp);
+- if (ACPI_FAILURE(status))
+- return false;
+- acpi_id = tmp;
+- break;
+- default:
+- return false;
+- }
+-
+- type = (acpi_type == ACPI_TYPE_DEVICE) ? 1 : 0;
+-
+- *phys_id = __acpi_get_phys_id(handle, type, acpi_id, false);
+- id = acpi_map_cpuid(*phys_id, acpi_id);
+-
+- if (id < 0)
+- return false;
+- *cpuid = id;
+- return true;
+-}
+-
+-static acpi_status __init
+-set_processor_node_mapping(acpi_handle handle, u32 lvl, void *context,
+- void **rv)
+-{
+- phys_cpuid_t phys_id;
+- int cpu_id;
+-
+- if (!map_processor(handle, &phys_id, &cpu_id))
+- return AE_ERROR;
+-
+- acpi_map_cpu2node(handle, cpu_id, phys_id);
+- return AE_OK;
+-}
+-
+-void __init acpi_set_processor_mapping(void)
+-{
+- /* Set persistent cpu <-> node mapping for all processors. */
+- acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT,
+- ACPI_UINT32_MAX, set_processor_node_mapping,
+- NULL, NULL, NULL);
+-}
+-#else
+-void __init acpi_set_processor_mapping(void) {}
+-#endif /* CONFIG_ACPI_HOTPLUG_CPU */
+-
+ #ifdef CONFIG_ACPI_HOTPLUG_IOAPIC
+ static int get_ioapic_id(struct acpi_subtable_header *entry, u32 gsi_base,
+ u64 *phys_addr, int *ioapic_id)
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -276,11 +276,8 @@ bool acpi_processor_validate_proc_id(int
+ /* Arch dependent functions for cpu hotplug support */
+ int acpi_map_cpu(acpi_handle handle, phys_cpuid_t physid, int *pcpu);
+ int acpi_unmap_cpu(int cpu);
+-int acpi_map_cpu2node(acpi_handle handle, int cpu, int physid);
+ #endif /* CONFIG_ACPI_HOTPLUG_CPU */
+
+-void acpi_set_processor_mapping(void);
+-
+ #ifdef CONFIG_ACPI_HOTPLUG_IOAPIC
+ int acpi_get_ioapic_id(acpi_handle handle, u32 gsi_base, u64 *phys_addr);
+ #endif
diff --git a/queue-4.9/rtc-pcf8563-fix-output-clock-rate.patch b/queue-4.9/rtc-pcf8563-fix-output-clock-rate.patch
new file mode 100644
index 00000000000..9a8e8a95973
--- /dev/null
+++ b/queue-4.9/rtc-pcf8563-fix-output-clock-rate.patch
@@ -0,0 +1,34 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Philipp Zabel
+Date: Tue, 7 Nov 2017 13:12:17 +0100
+Subject: rtc: pcf8563: fix output clock rate
+
+From: Philipp Zabel
+
+
+[ Upstream commit a3350f9c57ffad569c40f7320b89da1f3061c5bb ]
+
+The pcf8563_clkout_recalc_rate function erroneously ignores the
+frequency index read from the CLKO register and always returns
+32768 Hz.
+
+Fixes: a39a6405d5f9 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Philipp Zabel
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -422,7 +422,7 @@ static unsigned long pcf8563_clkout_reca
+ return 0;
+
+ buf &= PCF8563_REG_CLKO_F_MASK;
+- return clkout_rates[ret];
++ return clkout_rates[buf];
+ }
+
+ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
diff --git a/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch b/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch
new file mode 100644
index 00000000000..15326cb0ec5
--- /dev/null
+++ b/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch
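Review bot: The corrected `return clkout_rates[buf];` in pcf8563_clkout_recalc_rate indexes the table with a value read back from the chip, so the bound rests entirely on `PCF8563_REG_CLKO_F_MASK`; neither the mask value nor the size of `clkout_rates[]` is visible in this hunk. I would make that dependency explicit with a comment such as `/* F_MASK keeps buf within clkout_rates[] */`, or with a compile-time size check next to the table. The function body starts outside the hunk.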
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai
+Date: Sun, 8 Oct 2017 19:54:45 +0800
+Subject: rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_createbss_cmd
+
+From: Jia-Ju Bai
+
+
+[ Upstream commit 2bf9806d4228f7a6195f8e03eda0479d2a93b411 ]
+
+The driver may sleep under a spinlock, and the function call path is:
+rtw_surveydone_event_callback(acquire the spinlock)
+ rtw_createbss_cmd
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_cmd.c
++++ b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+@@ -342,7 +342,7 @@ u8 rtw_createbss_cmd(struct adapter *pa
+ else
+ RT_TRACE(_module_rtl871x_cmd_c_, _drv_info_, (" createbss for SSid:%s\n", pmlmepriv->assoc_ssid.Ssid));
+
+- pcmd = kzalloc(sizeof(struct cmd_obj), GFP_KERNEL);
++ pcmd = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC);
+ if (!pcmd) {
+ res = _FAIL;
+ goto exit;
diff --git a/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch b/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch
new file mode 100644
index 00000000000..e945edd2995
--- /dev/null
+++ b/queue-4.9/rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch
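Review bot: The switch to `GFP_ATOMIC` in rtw_createbss_cmd applies to every caller, not only the one that holds the spinlock, and nothing at the call site says why the allocation must not sleep. A comment such as `/* reached with a spinlock held, so this must not sleep */` above the kzalloc() would keep the flag from being changed back; the existing `if (!pcmd)` path already covers the more likely allocation failure. While on the line, `sizeof(*pcmd)` would match the form rtw_disassoc_cmd uses. The same comment is missing on the identical change in rtw_disassoc_cmd, and both function bodies run beyond their hunks.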
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai
+Date: Sun, 8 Oct 2017 19:54:07 +0800
+Subject: rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd
+
+From: Jia-Ju Bai
+
+
+[ Upstream commit 08880f8e08cbd814e870e9d3ab9530abc1bce226 ]
+
+The driver may sleep under a spinlock, and the function call path is:
+rtw_set_802_11_bssid(acquire the spinlock)
+ rtw_disassoc_cmd
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_cmd.c
++++ b/drivers/staging/rtl8188eu/core/rtw_cmd.c
+@@ -522,7 +522,7 @@ u8 rtw_disassoc_cmd(struct adapter *pada
+
+ if (enqueue) {
+ /* need enqueue, prepare cmd_obj and enqueue */
+- cmdobj = kzalloc(sizeof(*cmdobj), GFP_KERNEL);
++ cmdobj = kzalloc(sizeof(*cmdobj), GFP_ATOMIC);
+ if (!cmdobj) {
+ res = _FAIL;
+ kfree(param);
diff --git a/queue-4.9/rxrpc-ignore-busy-packets-on-old-calls.patch b/queue-4.9/rxrpc-ignore-busy-packets-on-old-calls.patch
new file mode 100644
index 00000000000..a30c9d4ea45
--- /dev/null
+++ b/queue-4.9/rxrpc-ignore-busy-packets-on-old-calls.patch
@@ -0,0 +1,67 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells
+Date: Thu, 16 Mar 2017 16:27:10 +0000
+Subject: rxrpc: Ignore BUSY packets on old calls
+
+From: David Howells
+
+
+[ Upstream commit 4d4a6ac73e7466c2085c307fac41f74ce4568a45 ]
+
+If we receive a BUSY packet for a call we think we've just completed, the
+packet is handed off to the connection processor to deal with - but the
+connection processor doesn't expect a BUSY packet and so flags a protocol
+error.
+
+Fix this by simply ignoring the BUSY packet for the moment.
+
+The symptom of this may appear as a system call failing with EPROTO. This
+may be triggered by pressing ctrl-C under some circumstances.
+
+This comes about we abort calls due to interruption by a signal (which we
+shouldn't do, but that's going to be a large fix and mostly in fs/afs/).
+What happens is that we abort the call and may also abort follow up calls
+too (this needs offloading somehoe). So we see a transmission of something
+like the following sequence of packets:
+
+ DATA for call N
+ ABORT call N
+ DATA for call N+1
+ ABORT call N+1
+
+in very quick succession on the same channel. However, the peer may have
+deferred the processing of the ABORT from the call N to a background thread
+and thus sees the DATA message from the call N+1 coming in before it has
+cleared the channel. Thus it sends a BUSY packet[*].
+
+[*] Note that some implementations (OpenAFS, for example) mark the BUSY
+ packet with one plus the callNumber of the call prior to call N.
+ Ordinarily, this would be call N, but there's no requirement for the
+ calls on a channel to be numbered strictly sequentially (the number is
+ required to increase).
+
+ This is wrong and means that the callNumber in the BUSY packet should
+ be ignored (it really ought to be N+1 since that's what it's in
+ response to).
+
+Signed-off-by: David Howells
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/conn_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -275,6 +275,10 @@ static int rxrpc_process_event(struct rx
+ rxrpc_conn_retransmit_call(conn, skb);
+ return 0;
+
++ case RXRPC_PACKET_TYPE_BUSY:
++ /* Just ignore BUSY packets for now. */
++ return 0;
++
+ case RXRPC_PACKET_TYPE_ABORT:
+ if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
+ &wtmp, sizeof(wtmp)) < 0)
diff --git a/queue-4.9/rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch b/queue-4.9/rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch
new file mode 100644
index 00000000000..4c25bd8edc9
--- /dev/null
+++ b/queue-4.9/rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch
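Review bot: The new `case RXRPC_PACKET_TYPE_BUSY:` in rxrpc_process_event drops a peer-supplied packet with a comment that does not say why ignoring it is safe. I would record the reasoning from the description in the code, e.g. `/* BUSY for a call we have already completed; its callNumber is unreliable, so drop it instead of flagging a protocol error. */`. Whether a trace point or counter exists for packets discarded here is not visible, and the function continues outside the hunk.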
@@ -0,0 +1,76 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: David Howells
+Date: Fri, 10 Mar 2017 07:48:49 +0000
+Subject: rxrpc: Wake up the transmitter if Rx window size increases on the peer
+
+From: David Howells
+
+
+[ Upstream commit 702f2ac87a9a8da23bf8506466bc70175fc970b2 ]
+
+The RxRPC ACK packet may contain an extension that includes the peer's
+current Rx window size for this call. We adjust the local Tx window size
+to match. However, the transmitter can stall if the receive window is
+reduced to 0 by the peer and then reopened.
+
+This is because the normal way that the transmitter is re-energised is by
+dropping something out of our Tx queue and thus making space. When a
+single gap is made, the transmitter is woken up. However, because there's
+nothing in the Tx queue at this point, this doesn't happen.
+
+To fix this, perform a wake_up() any time we see the peer's Rx window size
+increasing.
+
+The observable symptom is that calls start failing on ETIMEDOUT and the
+following:
+
+ kAFS: SERVER DEAD state=-62
+
+appears in dmesg.
+
+Signed-off-by: David Howells
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/input.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -649,6 +649,7 @@ static void rxrpc_input_ackinfo(struct r
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ struct rxrpc_peer *peer;
+ unsigned int mtu;
++ bool wake = false;
+ u32 rwind = ntohl(ackinfo->rwind);
+
+ _proto("Rx ACK %%%u Info { rx=%u max=%u rwin=%u jm=%u }",
+@@ -656,9 +657,14 @@ static void rxrpc_input_ackinfo(struct r
+ ntohl(ackinfo->rxMTU), ntohl(ackinfo->maxMTU),
+ rwind, ntohl(ackinfo->jumbo_max));
+
+- if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
+- rwind = RXRPC_RXTX_BUFF_SIZE - 1;
+- call->tx_winsize = rwind;
++ if (call->tx_winsize != rwind) {
++ if (rwind > RXRPC_RXTX_BUFF_SIZE - 1)
++ rwind = RXRPC_RXTX_BUFF_SIZE - 1;
++ if (rwind > call->tx_winsize)
++ wake = true;
++ call->tx_winsize = rwind;
++ }
++
+ if (call->cong_ssthresh > rwind)
+ call->cong_ssthresh = rwind;
+
+@@ -672,6 +678,9 @@ static void rxrpc_input_ackinfo(struct r
+ spin_unlock_bh(&peer->lock);
+ _net("Net MTU %u (maxdata %u)", peer->mtu, peer->maxdata);
+ }
++
++ if (wake)
++ wake_up(&call->waitq);
+ }
+
+ /*
diff --git a/queue-4.9/sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch b/queue-4.9/sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch
new file mode 100644
index 00000000000..fb335fbc069
--- /dev/null
+++ b/queue-4.9/sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch
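Review bot: In rxrpc_input_ackinfo the peer-supplied `rwind` is compared with `call->tx_winsize` before it is clamped, so a peer that keeps advertising a window above `RXRPC_RXTX_BUFF_SIZE - 1` enters the update block on every ACK even though the stored value never changes. Clamping first, with `rwind = min_t(u32, rwind, RXRPC_RXTX_BUFF_SIZE - 1);` ahead of the `if (call->tx_winsize != rwind)` test, gives the same stored value and makes the comparison mean what it says. A short comment on `wake` saying that it covers the window reopening after the peer shrank it would also help. How `tx_winsize` is serialised against the transmitter is not visible in these hunks.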
@@ -0,0 +1,73 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Wanpeng Li
+Date: Mon, 6 Mar 2017 21:51:28 -0800
+Subject: sched/deadline: Add missing update_rq_clock() in dl_task_timer()
+
+From: Wanpeng Li
+
+
+[ Upstream commit dcc3b5ffe1b32771c9a22e2c916fb94c4fcf5b79 ]
+
+The following warning can be triggered by hot-unplugging the CPU
+on which an active SCHED_DEADLINE task is running on:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 7 PID: 0 at kernel/sched/sched.h:833 replenish_dl_entity+0x71e/0xc40
+ rq->clock_update_flags < RQCF_ACT_SKIP
+ CPU: 7 PID: 0 Comm: swapper/7 Tainted: G B 4.11.0-rc1+ #24
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+
+ dump_stack+0x85/0xc4
+ __warn+0x172/0x1b0
+ warn_slowpath_fmt+0xb4/0xf0
+ ? __warn+0x1b0/0x1b0
+ ? debug_check_no_locks_freed+0x2c0/0x2c0
+ ? cpudl_set+0x3d/0x2b0
+ replenish_dl_entity+0x71e/0xc40
+ enqueue_task_dl+0x2ea/0x12e0
+ ? dl_task_timer+0x777/0x990
+ ? __hrtimer_run_queues+0x270/0xa50
+ dl_task_timer+0x316/0x990
+ ? enqueue_task_dl+0x12e0/0x12e0
+ ? enqueue_task_dl+0x12e0/0x12e0
+ __hrtimer_run_queues+0x270/0xa50
+ ? hrtimer_cancel+0x20/0x20
+ ? hrtimer_interrupt+0x119/0x600
+ hrtimer_interrupt+0x19c/0x600
+ ? trace_hardirqs_off+0xd/0x10
+ local_apic_timer_interrupt+0x74/0xe0
+ smp_apic_timer_interrupt+0x76/0xa0
+ apic_timer_interrupt+0x93/0xa0
+
+The DL task will be migrated to a suitable later deadline rq once the DL
+timer fires and currnet rq is offline. The rq clock of the new rq should
+be updated. This patch fixes it by updating the rq clock after holding
+the new rq's rq lock.
+
+Signed-off-by: Wanpeng Li
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Matt Fleming
+Cc: Juri Lelli
+Cc: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/1488865888-15894-1-git-send-email-wanpeng.li@hotmail.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -638,6 +638,7 @@ static enum hrtimer_restart dl_task_time
+ lockdep_unpin_lock(&rq->lock, rf.cookie);
+ rq = dl_task_offline_migration(rq, p);
+ rf.cookie = lockdep_pin_lock(&rq->lock);
++ update_rq_clock(rq);
+
+ /*
+ * Now that the task has been migrated to the new RQ and we
diff --git a/queue-4.9/sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch b/queue-4.9/sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch
new file mode 100644
index 00000000000..661582d4fe7
--- /dev/null
+++ b/queue-4.9/sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch
@@ -0,0 +1,110 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Bristot de Oliveira
+Date: Thu, 2 Mar 2017 15:10:57 +0100
+Subject: sched/deadline: Make sure the replenishment timer fires in the next period
+
+From: Daniel Bristot de Oliveira
+
+
+[ Upstream commit 5ac69d37784b237707a7b15d199cdb6c6fdb6780 ]
+
+Currently, the replenishment timer is set to fire at the deadline
+of a task. Although that works for implicit deadline tasks because the
+deadline is equals to the begin of the next period, that is not correct
+for constrained deadline tasks (deadline < period).
+
+For instance:
+
+f.c:
+ --------------- %< ---------------
+int main (void)
+{
+ for(;;);
+}
+ --------------- >% ---------------
+
+ # gcc -o f f.c
+
+ # trace-cmd record -e sched:sched_switch \
+ -e syscalls:sys_exit_sched_setattr \
+ chrt -d --sched-runtime 490000000 \
+ --sched-deadline 500000000 \
+ --sched-period 1000000000 0 ./f
+
+ # trace-cmd report | grep "{pid of ./f}"
+
+After setting parameters, the task is replenished and continue running
+until being throttled:
+
+ f-11295 [003] 13322.113776: sys_exit_sched_setattr: 0x0
+
+The task is throttled after running 492318 ms, as expected:
+
+ f-11295 [003] 13322.606094: sched_switch: f:11295 [-1] R ==> watchdog/3:32 [0]
+
+But then, the task is replenished 500719 ms after the first
+replenishment:
+
+ -0 [003] 13322.614495: sched_switch: swapper/3:0 [120] R ==> f:11295 [-1]
+
+Running for 490277 ms:
+
+ f-11295 [003] 13323.104772: sched_switch: f:11295 [-1] R ==> swapper/3:0 [120]
+
+Hence, in the first period, the task runs 2 * runtime, and that is a bug.
+
+During the first replenishment, the next deadline is set one period away.
+So the runtime / period starts to be respected. However, as the second
+replenishment took place in the wrong instant, the next replenishment
+will also be held in a wrong instant of time. Rather than occurring in
+the nth period away from the first activation, it is taking place
+in the (nth period - relative deadline).
+
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Luca Abeni
+Reviewed-by: Steven Rostedt (VMware)
+Reviewed-by: Juri Lelli
+Cc: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Romulo Silva de Oliveira
+Cc: Steven Rostedt
+Cc: Thomas Gleixner
+Cc: Tommaso Cucinotta
+Link: http://lkml.kernel.org/r/ac50d89887c25285b47465638354b63362f8adff.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -505,10 +505,15 @@ static void update_dl_entity(struct sche
+ }
+ }
+
++static inline u64 dl_next_period(struct sched_dl_entity *dl_se)
++{
++ return dl_se->deadline - dl_se->dl_deadline + dl_se->dl_period;
++}
++
+ /*
+ * If the entity depleted all its runtime, and if we want it to sleep
+ * while waiting for some new execution time to become available, we
+- * set the bandwidth enforcement timer to the replenishment instant
++ * set the bandwidth replenishment timer to the replenishment instant
+ * and try to activate it.
+ *
+ * Notice that it is important for the caller to know if the timer
+@@ -530,7 +535,7 @@ static int start_dl_timer(struct task_st
+ * that it is actually coming from rq->clock and not from
+ * hrtimer's time base reading.
+ */
+- act = ns_to_ktime(dl_se->deadline);
++ act = ns_to_ktime(dl_next_period(dl_se));
+ now = hrtimer_cb_get_time(timer);
+ delta = ktime_to_ns(now) - rq_clock(rq);
+ act = ktime_add_ns(act, delta);
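Review bot: The new helper `dl_next_period()` has no comment, and its expression `dl_se->deadline - dl_se->dl_deadline + dl_se->dl_period` mixes one absolute time with two relative ones, which is easy to misread. I would add above it `/* absolute deadline minus relative deadline is the start of the current period; adding dl_period gives the start of the next one */`. The helper returns `u64`, so the subtraction presumably relies on `deadline >= dl_deadline`; where that is guaranteed is outside these hunks and worth stating in the same comment.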
diff --git a/queue-4.9/sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch b/queue-4.9/sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch
new file mode 100644
index 00000000000..d3cbe220511
--- /dev/null
+++ b/queue-4.9/sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch
@@ -0,0 +1,161 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Daniel Bristot de Oliveira
+Date: Thu, 2 Mar 2017 15:10:58 +0100
+Subject: sched/deadline: Throttle a constrained deadline task activated after the deadline
+
+From: Daniel Bristot de Oliveira
+
+
+[ Upstream commit df8eac8cafce7d086be3bd5cf5a838fa37594dfb ]
+
+During the activation, CBS checks if it can reuse the current task's
+runtime and period. If the deadline of the task is in the past, CBS
+cannot use the runtime, and so it replenishes the task. This rule
+works fine for implicit deadline tasks (deadline == period), and the
+CBS was designed for implicit deadline tasks. However, a task with
+constrained deadline (deadine < period) might be awakened after the
+deadline, but before the next period. In this case, replenishing the
+task would allow it to run for runtime / deadline. As in this case
+deadline < period, CBS enables a task to run for more than the
+runtime / period. In a very loaded system, this can cause a domino
+effect, making other tasks miss their deadlines.
+
+To avoid this problem, in the activation of a constrained deadline
+task after the deadline but before the next period, throttle the
+task and set the replenishing timer to the begin of the next period,
+unless it is boosted.
+
+Reproducer:
+
+ --------------- %< ---------------
+ int main (int argc, char **argv)
+ {
+ int ret;
+ int flags = 0;
+ unsigned long l = 0;
+ struct timespec ts;
+ struct sched_attr attr;
+
+ memset(&attr, 0, sizeof(attr));
+ attr.size = sizeof(attr);
+
+ attr.sched_policy = SCHED_DEADLINE;
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+ ts.tv_sec = 0;
+ ts.tv_nsec = 2000 * 1000; /* 2 ms */
+
+ ret = sched_setattr(0, &attr, flags);
+
+ if (ret < 0) {
+ perror("sched_setattr");
+ exit(-1);
+ }
+
+ for(;;) {
+ /* XXX: you may need to adjust the loop */
+ for (l = 0; l < 150000; l++);
+ /*
+ * The ideia is to go to sleep right before the deadline
+ * and then wake up before the next period to receive
+ * a new replenishment.
+ */
+ nanosleep(&ts, NULL);
+ }
+
+ exit(0);
+ }
+ --------------- >% ---------------
+
+On my box, this reproducer uses almost 50% of the CPU time, which is
+obviously wrong for a task with 2/2000 reservation.
+
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Juri Lelli
+Cc: Linus Torvalds
+Cc: Luca Abeni
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Romulo Silva de Oliveira
+Cc: Steven Rostedt
+Cc: Thomas Gleixner
+Cc: Tommaso Cucinotta
+Link: http://lkml.kernel.org/r/edf58354e01db46bf42df8d2dd32418833f68c89.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -695,6 +695,37 @@ void init_dl_task_timer(struct sched_dl_
+ timer->function = dl_task_timer;
+ }
+
++/*
++ * During the activation, CBS checks if it can reuse the current task's
++ * runtime and period. If the deadline of the task is in the past, CBS
++ * cannot use the runtime, and so it replenishes the task. This rule
++ * works fine for implicit deadline tasks (deadline == period), and the
++ * CBS was designed for implicit deadline tasks. However, a task with
++ * constrained deadline (deadine < period) might be awakened after the
++ * deadline, but before the next period. In this case, replenishing the
++ * task would allow it to run for runtime / deadline. As in this case
++ * deadline < period, CBS enables a task to run for more than the
++ * runtime / period. In a very loaded system, this can cause a domino
++ * effect, making other tasks miss their deadlines.
++ *
++ * To avoid this problem, in the activation of a constrained deadline
++ * task after the deadline but before the next period, throttle the
++ * task and set the replenishing timer to the begin of the next period,
++ * unless it is boosted.
++ */
++static inline void dl_check_constrained_dl(struct sched_dl_entity *dl_se)
++{
++ struct task_struct *p = dl_task_of(dl_se);
++ struct rq *rq = rq_of_dl_rq(dl_rq_of_se(dl_se));
++
++ if (dl_time_before(dl_se->deadline, rq_clock(rq)) &&
++ dl_time_before(rq_clock(rq), dl_next_period(dl_se))) {
++ if (unlikely(dl_se->dl_boosted || !start_dl_timer(p)))
++ return;
++ dl_se->dl_throttled = 1;
++ }
++}
++
+ static
+ int dl_runtime_exceeded(struct sched_dl_entity *dl_se)
+ {
+@@ -928,6 +959,11 @@ static void dequeue_dl_entity(struct sch
+ __dequeue_dl_entity(dl_se);
+ }
+
++static inline bool dl_is_constrained(struct sched_dl_entity *dl_se)
++{
++ return dl_se->dl_deadline < dl_se->dl_period;
++}
++
+ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
+ {
+ struct task_struct *pi_task = rt_mutex_get_top_task(p);
+@@ -954,6 +990,15 @@ static void enqueue_task_dl(struct rq *r
+ }
+
+ /*
++ * Check if a constrained deadline task was activated
++ * after the deadline but before the next period.
++ * If that is the case, the task will be throttled and
++ * the replenishment timer will be set to the next period.
++ */
++ if (!p->dl.dl_throttled && dl_is_constrained(&p->dl))
++ dl_check_constrained_dl(&p->dl);
++
++ /*
+ * If p is throttled, we do nothing. In fact, if it exhausted
+ * its budget it needs a replenishment and, since it now is on
+ * its rq, the bandwidth timer callback (which clearly has not
diff --git a/queue-4.9/sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch b/queue-4.9/sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch
new file mode 100644
index 00000000000..297ed1d89fa
--- /dev/null
+++ b/queue-4.9/sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch
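Review bot: `dl_check_constrained_dl()` reads `rq_clock(rq)` twice and may arm the replenishment timer, yet nothing in it states that the caller must hold the runqueue lock; a `lockdep_assert_held(&rq->lock);` at the top would document and check that (enqueue_task_dl presumably holds it, which is not visible in these hunks). Reading the clock once into a local, `u64 now = rq_clock(rq);`, would also keep both `dl_time_before()` comparisons on the same value. The new block comment carries the typo `deadine`, copied from the commit description.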
@@ -0,0 +1,100 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: "Steven Rostedt (VMware)"
+Date: Thu, 2 Mar 2017 15:10:59 +0100
+Subject: sched/deadline: Use deadline instead of period when calculating overflow
+
+From: "Steven Rostedt (VMware)"
+
+
+[ Upstream commit 2317d5f1c34913bac5971d93d69fb6c31bb74670 ]
+
+I was testing Daniel's changes with his test case, and tweaked it a
+little. Instead of having the runtime equal to the deadline, I
+increased the deadline ten fold.
+
+Daniel's test case had:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+To make it more interesting, I changed it to:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 20 * 1000 * 1000; /* 20 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+The results were rather surprising. The behavior that Daniel's patch
+was fixing came back. The task started using much more than .1% of the
+CPU. More like 20%.
+
+Looking into this I found that it was due to the dl_entity_overflow()
+constantly returning true. That's because it uses the relative period
+against relative runtime vs the absolute deadline against absolute
+runtime.
+
+ runtime / (deadline - t) > dl_runtime / dl_period
+
+There's even a comment mentioning this, and saying that when relative
+deadline equals relative period, that the equation is the same as using
+deadline instead of period. That comment is backwards! What we really
+want is:
+
+ runtime / (deadline - t) > dl_runtime / dl_deadline
+
+We care about if the runtime can make its deadline, not its period. And
+then we can say "when the deadline equals the period, the equation is
+the same as using dl_period instead of dl_deadline".
+
+After correcting this, now when the task gets enqueued, it can throttle
+correctly, and Daniel's fix to the throttling of sleeping deadline
+tasks works even when the runtime and deadline are not the same.
+
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Daniel Bristot de Oliveira
+Cc: Juri Lelli
+Cc: Linus Torvalds
+Cc: Luca Abeni
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Romulo Silva de Oliveira
+Cc: Steven Rostedt
+Cc: Thomas Gleixner
+Cc: Tommaso Cucinotta
+Link: http://lkml.kernel.org/r/02135a27f1ae3fe5fd032568a5a2f370e190e8d7.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -445,13 +445,13 @@ static void replenish_dl_entity(struct s
+ *
+ * This function returns true if:
+ *
+- * runtime / (deadline - t) > dl_runtime / dl_period ,
++ * runtime / (deadline - t) > dl_runtime / dl_deadline ,
+ *
+ * IOW we can't recycle current parameters.
+ *
+- * Notice that the bandwidth check is done against the period. For
++ * Notice that the bandwidth check is done against the deadline. For
+ * task with deadline equal to period this is the same of using
+- * dl_deadline instead of dl_period in the equation above.
++ * dl_period instead of dl_deadline in the equation above.
+ */
+ static bool dl_entity_overflow(struct sched_dl_entity *dl_se,
+ struct sched_dl_entity *pi_se, u64 t)
+@@ -476,7 +476,7 @@ static bool dl_entity_overflow(struct sc
+ * of anything below microseconds resolution is actually fiction
+ * (but still we want to give the user that illusion >;).
+ */
+- left = (pi_se->dl_period >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
++ left = (pi_se->dl_deadline >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
+ right = ((dl_se->deadline - t) >> DL_SCALE) *
+ (pi_se->dl_runtime >> DL_SCALE);
+
diff --git a/queue-4.9/scsi-bfa-integer-overflow-in-debugfs.patch b/queue-4.9/scsi-bfa-integer-overflow-in-debugfs.patch
new file mode 100644
index 00000000000..eeb9c8accd8
--- /dev/null
+++ b/queue-4.9/scsi-bfa-integer-overflow-in-debugfs.patch
@@ -0,0 +1,48 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Dan Carpenter
+Date: Wed, 4 Oct 2017 10:50:37 +0300
+Subject: scsi: bfa: integer overflow in debugfs
+
+From: Dan Carpenter
+
+
+[ Upstream commit 3e351275655d3c84dc28abf170def9786db5176d ]
+
+We could allocate less memory than intended because we do:
+
+ bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small. I fixed the network version of this in March with
+commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
+
+Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/bfa/bfad_debugfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -255,7 +255,8 @@ bfad_debugfs_write_regrd(struct file *fi
+ struct bfad_s *bfad = port->bfad;
+ struct bfa_s *bfa = &bfad->bfa;
+ struct bfa_ioc_s *ioc = &bfa->ioc;
+- int addr, len, rc, i;
++ int addr, rc, i;
++ u32 len;
+ u32 *regbuf;
+ void __iomem *rb, *reg_addr;
+ unsigned long flags;
+@@ -266,7 +267,7 @@ bfad_debugfs_write_regrd(struct file *fi
+ return PTR_ERR(kern_buf);
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > (UINT_MAX >> 2)) {
+ printk(KERN_INFO
+ "bfad[%d]: %s failed to read user buf\n",
+ bfad->inst_no, __func__);
diff --git a/queue-4.9/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch b/queue-4.9/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch
new file mode 100644
index 00000000000..cb3f9375c16
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch
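Review bot: The new bound `len > (UINT_MAX >> 2)` in bfad_debugfs_write_regrd() only keeps `len << 2` from wrapping; it does not cap the request, so a length just under the limit still asks `kzalloc()` for close to 4 GiB and is turned away by the allocator rather than by input validation. If the register window size is known at this point, comparing `len` against it before the allocation would be the tighter check; whether a range check follows later cannot be seen, because the function continues outside both hunks. `addr` is also still a signed `int` filled through `%x`, which expects an `unsigned int *`; declaring it next to `len` as `u32 addr, len;` would match the format, assuming later uses of `addr` accept an unsigned value. The rejected-length case reuses the "failed to read user buf" message, which will mislead whoever reads the log.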
@@ -0,0 +1,54 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Martin Wilck
+Date: Fri, 20 Oct 2017 16:51:14 -0500
+Subject: scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
+
+From: Martin Wilck
+
+
+[ Upstream commit 55ca38b4255bb336c2d35990bdb2b368e19b435a ]
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+The original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102083.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+--------------------------------------
+Original patch description from Martin:
+--------------------------------------
+
+When the hpsa module is unloaded using rmmod, dangling
+symlinks remain under /sys/class/sas_phy. Fix this by
+calling sas_phy_delete() rather than sas_phy_free (which,
+according to comments, should not be called for PHYs that
+have been set up successfully, anyway).
+
+Tested-by: Don Brace
+Reviewed-by: Don Brace
+Signed-off-by: Martin Wilck
+Signed-off-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9632,9 +9632,9 @@ static void hpsa_free_sas_phy(struct hps
+ struct sas_phy *phy = hpsa_sas_phy->phy;
+
+ sas_port_delete_phy(hpsa_sas_phy->parent_port->port, phy);
+- sas_phy_free(phy);
+ if (hpsa_sas_phy->added_to_port)
+ list_del(&hpsa_sas_phy->phy_list_entry);
++ sas_phy_delete(phy);
+ kfree(hpsa_sas_phy);
+ }
+
diff --git a/queue-4.9/scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch b/queue-4.9/scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch
new file mode 100644
index 00000000000..a8aea47c300
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch
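Review bot: `sas_phy_delete(phy)` is now called unconditionally in hpsa_free_sas_phy(), although the `added_to_port` test right above it suggests the function is also reached for a phy that was never fully registered. The commit message itself says `sas_phy_free()` is the call meant for PHYs that were not set up successfully, so deleting one that was never added may unregister a device that was never registered. If an error path can get here (the callers are not visible in this hunk), the choice should follow the flag: `if (hpsa_sas_phy->added_to_port) sas_phy_delete(phy); else sas_phy_free(phy);`.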
@@ -0,0 +1,84 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Martin Wilck
+Date: Fri, 20 Oct 2017 16:51:08 -0500
+Subject: scsi: hpsa: destroy sas transport properties before scsi_host
+
+From: Martin Wilck
+
+
+[ Upstream commit dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a ]
+
+This patch cleans up a lot of warnings when unloading the driver.
+
+A current example of the stack trace starts with:
+ [ 142.570715] sysfs group 'power' not found for kobject 'port-5:0'
+There can be hundreds of these messages during a driver unload.
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+His original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102085.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+---------------------------
+Original patch description:
+---------------------------
+
+Unloading the hpsa driver causes warnings
+
+[ 1063.793652] WARNING: CPU: 1 PID: 4850 at ../fs/sysfs/group.c:237 device_del+0x54/0x240()
+[ 1063.793659] sysfs group ffffffff81cf21a0 not found for kobject 'port-2:0'
+
+with two different stacks:
+1)
+[ 1063.793774] [] device_del+0x54/0x240
+[ 1063.793780] [] transport_remove_classdev+0x4a/0x60
+[ 1063.793784] [] attribute_container_device_trigger+0xa6/0xb0
+[ 1063.793802] [] sas_port_delete+0x126/0x160 [scsi_transport_sas]
+[ 1063.793819] [] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+2)
+[ 1063.797103] [] device_del+0x54/0x240
+[ 1063.797118] [] sas_port_delete+0x12e/0x160 [scsi_transport_sas]
+[ 1063.797134] [] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+This is caused by the fact that host device hostX is deleted before the
+SAS transport devices hostX/port-a:b.
+
+This patch fixes this by reverting the order of device deletions.
+
+Tested-by: Don Brace
+Reviewed-by: Don Brace
+Signed-off-by: Martin Wilck
+Signed-off-by: Don Brace
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9105,6 +9105,8 @@ static void hpsa_remove_one(struct pci_d
+ destroy_workqueue(h->rescan_ctlr_wq);
+ destroy_workqueue(h->resubmit_wq);
+
++ hpsa_delete_sas_host(h);
++
+ /*
+ * Call before disabling interrupts.
+ * scsi_remove_host can trigger I/O operations especially
+@@ -9139,8 +9141,6 @@ static void hpsa_remove_one(struct pci_d
+ h->lockup_detected = NULL; /* init_one 2 */
+ /* (void) pci_disable_pcie_error_reporting(pdev); */ /* init_one 1 */
+
+- hpsa_delete_sas_host(h);
+-
+ kfree(h); /* init_one 1 */
+ }
+
diff --git a/queue-4.9/scsi-hpsa-do-not-timeout-reset-operations.patch b/queue-4.9/scsi-hpsa-do-not-timeout-reset-operations.patch
new file mode 100644
index 00000000000..61d4f081b8e
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-do-not-timeout-reset-operations.patch
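Review bot: The relocated `hpsa_delete_sas_host(h);` in hpsa_remove_one() carries no comment, so the ordering constraint this commit establishes lives only in the commit message and is easy to undo in a later cleanup. A one-line comment above the call would pin it, for example `/* Remove SAS transport devices before the Scsi_Host they hang under is deleted. */`. The existing comment just below documents the interrupt ordering for `scsi_remove_host` in the same way, so this matches the function's style; the function body starts and ends outside both hunks.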
@@ -0,0 +1,34 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace
+Date: Fri, 10 Mar 2017 14:35:23 -0600
+Subject: scsi: hpsa: do not timeout reset operations
+
+From: Don Brace
+
+
+[ Upstream commit 2ef2884980873081a4edae92f9d88dd580c85f6e ]
+
+Resets can take longer than DEFAULT_TIMEOUT.
+
+Reviewed-by: Scott Benesh
+Reviewed-by: Scott Teel
+Reviewed-by: Tomas Henzl
+Signed-off-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2951,7 +2951,7 @@ static int hpsa_send_reset(struct ctlr_i
+ /* fill_cmd can't fail here, no data buffer to map. */
+ (void) fill_cmd(c, reset_type, h, NULL, 0, 0,
+ scsi3addr, TYPE_MSG);
+- rc = hpsa_scsi_do_simple_cmd(h, c, reply_queue, DEFAULT_TIMEOUT);
++ rc = hpsa_scsi_do_simple_cmd(h, c, reply_queue, NO_TIMEOUT);
+ if (rc) {
+ dev_warn(&h->pdev->dev, "Failed to send reset command\n");
+ goto out;
diff --git a/queue-4.9/scsi-hpsa-limit-outstanding-rescans.patch b/queue-4.9/scsi-hpsa-limit-outstanding-rescans.patch
new file mode 100644
index 00000000000..6faa84350c7
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-limit-outstanding-rescans.patch
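Review bot: Passing `NO_TIMEOUT` leaves the wait in hpsa_send_reset() without an upper bound, so a controller that never completes the reset message keeps the calling thread blocked for good. If something else in the driver bounds this wait (its lockup detection, for instance; not visible in this hunk), the line deserves a comment saying so, such as `/* resets may outlast DEFAULT_TIMEOUT; the lockup detector bounds this wait */`. Otherwise a dedicated, longer reset timeout constant would keep the failure mode bounded while still fixing the premature expiry. The function continues outside the hunk.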
@@ -0,0 +1,85 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace
+Date: Fri, 10 Mar 2017 14:35:17 -0600
+Subject: scsi: hpsa: limit outstanding rescans
+
+From: Don Brace
+
+
+[ Upstream commit 87b9e6aa87d9411f1059aa245c0c79976bc557ac ]
+
+Avoid rescan storms. No need to queue another if one is pending.
+
+Reviewed-by: Scott Benesh
+Reviewed-by: Scott Teel
+Reviewed-by: Tomas Henzl
+Signed-off-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hpsa.c | 16 +++++++++++++++-
+ drivers/scsi/hpsa.h | 1 +
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -5529,7 +5529,7 @@ static void hpsa_scan_complete(struct ct
+
+ spin_lock_irqsave(&h->scan_lock, flags);
+ h->scan_finished = 1;
+- wake_up_all(&h->scan_wait_queue);
++ wake_up(&h->scan_wait_queue);
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ }
+
+@@ -5547,11 +5547,23 @@ static void hpsa_scan_start(struct Scsi_
+ if (unlikely(lockup_detected(h)))
+ return hpsa_scan_complete(h);
+
++ /*
++ * If a scan is already waiting to run, no need to add another
++ */
++ spin_lock_irqsave(&h->scan_lock, flags);
++ if (h->scan_waiting) {
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++ return;
++ }
++
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++
+ /* wait until any scan already in progress is finished.
*/
+ while (1) {
+ spin_lock_irqsave(&h->scan_lock, flags);
+ if (h->scan_finished)
+ break;
++ h->scan_waiting = 1;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ wait_event(h->scan_wait_queue, h->scan_finished);
+ /* Note: We don't need to worry about a race between this
+@@ -5561,6 +5573,7 @@ static void hpsa_scan_start(struct Scsi_
+ */
+ }
+ h->scan_finished = 0; /* mark scan as in progress */
++ h->scan_waiting = 0;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+
+ if (unlikely(lockup_detected(h)))
+@@ -8799,6 +8812,7 @@ reinit_after_soft_reset:
+ init_waitqueue_head(&h->event_sync_wait_queue);
+ mutex_init(&h->reset_mutex);
+ h->scan_finished = 1; /* no scan currently in progress */
++ h->scan_waiting = 0;
+
+ pci_set_drvdata(pdev, h);
+ h->ndevices = 0;
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -203,6 +203,7 @@ struct ctlr_info {
+ dma_addr_t errinfo_pool_dhandle;
+ unsigned long *cmd_pool_bits;
+ int scan_finished;
++ u8 scan_waiting : 1;
+ spinlock_t scan_lock;
+ wait_queue_head_t scan_wait_queue;
+
diff --git a/queue-4.9/scsi-hpsa-update-check-for-logical-volume-status.patch b/queue-4.9/scsi-hpsa-update-check-for-logical-volume-status.patch
new file mode 100644
index 00000000000..2d23e763e53
--- /dev/null
+++ b/queue-4.9/scsi-hpsa-update-check-for-logical-volume-status.patch
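Review bot: The `h->scan_waiting` test in hpsa_scan_start() and the later `h->scan_waiting = 1` sit in two separate `scan_lock` critical sections, so two callers arriving while a scan runs can both read 0, both drop the lock, and both end up waiting; the de-duplication then fails in the very case it is meant for. Claiming the slot in the section that tests it narrows that window: before the first `spin_unlock_irqrestore()` add `if (!h->scan_finished) h->scan_waiting = 1;`. Losing the race costs one extra rescan, so this is a robustness point and not a memory-safety one. The function starts and ends outside the hunks shown.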
@@ -0,0 +1,141 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Don Brace
+Date: Fri, 10 Mar 2017 14:35:11 -0600
+Subject: scsi: hpsa: update check for logical volume status
+
+From: Don Brace
+
+
+[ Upstream commit 85b29008d8af6d94a0723aaa8d93cfb6e041158b ]
+
+ - Add in a new case for volume offline. Resolves internal testing bug
+ for multilun array management.
+ - Return correct status for failed TURs.
+
+Reviewed-by: Scott Benesh
+Reviewed-by: Scott Teel
+Signed-off-by: Don Brace
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hpsa.c | 35 ++++++++++++++++-------------------
+ drivers/scsi/hpsa_cmd.h | 2 ++
+ 2 files changed, 18 insertions(+), 19 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3686,7 +3686,7 @@ exit_failed:
+ * # (integer code indicating one of several NOT READY states
+ * describing why a volume is to be kept offline)
+ */
+-static int hpsa_volume_offline(struct ctlr_info *h,
++static unsigned char hpsa_volume_offline(struct ctlr_info *h,
+ unsigned char scsi3addr[])
+ {
+ struct CommandList *c;
+@@ -3707,7 +3707,7 @@ static int hpsa_volume_offline(struct ct
+ DEFAULT_TIMEOUT);
+ if (rc) {
+ cmd_free(h, c);
+- return 0;
++ return HPSA_VPD_LV_STATUS_UNSUPPORTED;
+ }
+ sense = c->err_info->SenseInfo;
+ if (c->err_info->SenseLen > sizeof(c->err_info->SenseInfo))
+@@ -3718,19 +3718,13 @@ static int hpsa_volume_offline(struct ct
+ cmd_status = c->err_info->CommandStatus;
+ scsi_status = c->err_info->ScsiStatus;
+ cmd_free(h, c);
+- /* Is the volume 'not ready'?
*/
+- if (cmd_status != CMD_TARGET_STATUS ||
+- scsi_status != SAM_STAT_CHECK_CONDITION ||
+- sense_key != NOT_READY ||
+- asc != ASC_LUN_NOT_READY) {
+- return 0;
+- }
+
+ /* Determine the reason for not ready state */
+ ldstat = hpsa_get_volume_status(h, scsi3addr);
+
+ /* Keep volume offline in certain cases: */
+ switch (ldstat) {
++ case HPSA_LV_FAILED:
+ case HPSA_LV_UNDERGOING_ERASE:
+ case HPSA_LV_NOT_AVAILABLE:
+ case HPSA_LV_UNDERGOING_RPI:
+@@ -3752,7 +3746,7 @@ static int hpsa_volume_offline(struct ct
+ default:
+ break;
+ }
+- return 0;
++ return HPSA_LV_OK;
+ }
+
+ /*
+@@ -3825,10 +3819,10 @@ static int hpsa_update_device_info(struc
+ /* Do an inquiry to the device to see what it is. */
+ if (hpsa_scsi_do_inquiry(h, scsi3addr, 0, inq_buff,
+ (unsigned char) OBDR_TAPE_INQ_SIZE) != 0) {
+- /* Inquiry failed (msg printed already) */
+ dev_err(&h->pdev->dev,
+- "hpsa_update_device_info: inquiry failed\n");
+- rc = -EIO;
++ "%s: inquiry failed, device will be skipped.\n",
++ __func__);
++ rc = HPSA_INQUIRY_FAILED;
+ goto bail_out;
+ }
+
+@@ -3857,15 +3851,19 @@ static int hpsa_update_device_info(struc
+ if ((this_device->devtype == TYPE_DISK ||
+ this_device->devtype == TYPE_ZBC) &&
+ is_logical_dev_addr_mode(scsi3addr)) {
+- int volume_offline;
++ unsigned char volume_offline;
+
+ hpsa_get_raid_level(h, scsi3addr, &this_device->raid_level);
+ if (h->fw_support & MISC_FW_RAID_OFFLOAD_BASIC)
+ hpsa_get_ioaccel_status(h, scsi3addr, this_device);
+ volume_offline = hpsa_volume_offline(h, scsi3addr);
+- if (volume_offline < 0 || volume_offline > 0xff)
+- volume_offline = HPSA_VPD_LV_STATUS_UNSUPPORTED;
+- this_device->volume_offline = volume_offline & 0xff;
++ if (volume_offline == HPSA_LV_FAILED) {
++ rc = HPSA_LV_FAILED;
++ dev_err(&h->pdev->dev,
++ "%s: LV failed, device will be skipped.\n",
++ __func__);
++ goto bail_out;
++ }
+ } else {
+ this_device->raid_level = RAID_UNKNOWN;
+ this_device->offload_config = 0;
+@@ -4353,8 +4351,7 @@ static void
hpsa_update_scsi_devices(str
+ goto out;
+ }
+ if (rc) {
+- dev_warn(&h->pdev->dev,
+- "Inquiry failed, skipping device.\n");
++ h->drv_req_rescan = 1;
+ continue;
+ }
+
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -156,6 +156,7 @@
+ #define CFGTBL_BusType_Fibre2G 0x00000200l
+
+ /* VPD Inquiry types */
++#define HPSA_INQUIRY_FAILED 0x02
+ #define HPSA_VPD_SUPPORTED_PAGES 0x00
+ #define HPSA_VPD_LV_DEVICE_ID 0x83
+ #define HPSA_VPD_LV_DEVICE_GEOMETRY 0xC1
+@@ -166,6 +167,7 @@
+ /* Logical volume states */
+ #define HPSA_VPD_LV_STATUS_UNSUPPORTED 0xff
+ #define HPSA_LV_OK 0x0
++#define HPSA_LV_FAILED 0x01
+ #define HPSA_LV_NOT_AVAILABLE 0x0b
+ #define HPSA_LV_UNDERGOING_ERASE 0x0F
+ #define HPSA_LV_UNDERGOING_RPI 0x12
diff --git a/queue-4.9/scsi-scsi_debug-write_same-fix-error-report.patch b/queue-4.9/scsi-scsi_debug-write_same-fix-error-report.patch
new file mode 100644
index 00000000000..9423a2aad9e
--- /dev/null
+++ b/queue-4.9/scsi-scsi_debug-write_same-fix-error-report.patch
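Review bot: In the hpsa_update_device_info() hunk the removed line `this_device->volume_offline = volume_offline & 0xff;` has no replacement on the new side, so for every status other than `HPSA_LV_FAILED` the value returned by hpsa_volume_offline() is computed and then dropped. Unless the field is assigned outside the hunk, volumes in states such as `HPSA_LV_UNDERGOING_ERASE` or `HPSA_LV_NOT_AVAILABLE` would no longer be recorded as offline; restoring `this_device->volume_offline = volume_offline;` right after the call keeps that. The same function now mixes positive codes (`HPSA_INQUIRY_FAILED`, `HPSA_LV_FAILED`) with what appears to be a negative-errno convention in `rc`, and the caller's `if (rc)` branch requests a rescan for all of them without logging. A comment on the return contract would help. Both functions extend beyond the hunks shown.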
@@ -0,0 +1,41 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Douglas Gilbert
+Date: Sun, 29 Oct 2017 10:47:19 -0400
+Subject: scsi: scsi_debug: write_same: fix error report
+
+From: Douglas Gilbert
+
+
+[ Upstream commit e33d7c56450b0a5c7290cbf9e1581fab5174f552 ]
+
+The scsi_debug driver incorrectly suggests there is an error with the
+SCSI WRITE SAME command when the number_of_logical_blocks is greater
+than 1. It will also suggest there is an error when NDOB
+(no data-out buffer) is set and the number_of_logical_blocks is
+greater than 0. Both are valid, fix.
+
+Signed-off-by: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_debug.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -2996,11 +2996,11 @@ static int resp_write_same(struct scsi_c
+ if (-1 == ret) {
+ write_unlock_irqrestore(&atomic_rw, iflags);
+ return DID_ERROR << 16;
+- } else if (sdebug_verbose && (ret < (num * sdebug_sector_size)))
++ } else if (sdebug_verbose && !ndob && (ret < sdebug_sector_size))
+ sdev_printk(KERN_INFO, scp->device,
+- "%s: %s: cdb indicated=%u, IO sent=%d bytes\n",
++ "%s: %s: lb size=%u, IO sent=%d bytes\n",
+ my_name, "write same",
+- num * sdebug_sector_size, ret);
++ sdebug_sector_size, ret);
+
+ /* Copy first sector to remaining blocks */
+ for (i = 1 ; i < num ; i++)
diff --git a/queue-4.9/scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch b/queue-4.9/scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch
new file mode 100644
index 00000000000..3734c094b76
--- /dev/null
+++ b/queue-4.9/scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch
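Review bot: The `%u` conversion in the new `sdev_printk()` format now receives `sdebug_sector_size` on its own, where it used to receive the product `num * sdebug_sector_size`. If that variable is declared as a signed `int` (its declaration is outside the hunk), the specifier should become `%d` or the argument be cast, so the format and argument types agree. The multi-line call also still hangs off a brace-less `else if` in resp_write_same(); adding braces would make the extent of the branch explicit next to the braced `if` above it.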
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Kurt Garloff
+Date: Tue, 17 Oct 2017 09:10:45 +0200
+Subject: scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
+
+From: Kurt Garloff
+
+
+[ Upstream commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 ]
+
+All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
+SCSI-2 for whatever reason.
+
+Signed-off-by: Kurt Garloff
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_devinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -160,7 +160,7 @@ static struct {
+ {"DGC", "RAID", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, storage on LUN 0 */
+ {"DGC", "DISK", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, no storage on LUN 0 */
+ {"EMC", "Invista", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+- {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_FORCELUN},
++ {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_REPORTLUN2},
+ {"EMULEX", "MD21/S2 ESDI", NULL, BLIST_SINGLELUN},
+ {"easyRAID", "16P", NULL, BLIST_NOREPORTLUN},
+ {"easyRAID", "X6P", NULL, BLIST_NOREPORTLUN},
diff --git a/queue-4.9/scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch b/queue-4.9/scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch
new file mode 100644
index 00000000000..9b797f78529
--- /dev/null
+++ b/queue-4.9/scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: weiping zhang
+Date: Thu, 12 Oct 2017 14:56:44 +0800
+Subject: scsi: sd: change allow_restart to bool in sysfs interface
+
+From: weiping zhang
+
+
+[ Upstream commit 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 ]
+
+/sys/class/scsi_disk/0:2:0:0/allow_restart can be changed to 0
+unexpectedly by writing an invalid string such as the following:
+
+echo asdf > /sys/class/scsi_disk/0:2:0:0/allow_restart
+
+Signed-off-by: weiping zhang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -260,6 +260,7 @@ static ssize_t
+ allow_restart_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
++ bool v;
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
+
+@@ -269,7 +270,10 @@ allow_restart_store(struct device *dev,
+ if (sdp->type != TYPE_DISK)
+ return -EINVAL;
+
+- sdp->allow_restart = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->allow_restart = v;
+
+ return count;
+ }
diff --git a/queue-4.9/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch b/queue-4.9/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch
new file mode 100644
index 00000000000..2a6d1581a6c
--- /dev/null
+++ b/queue-4.9/scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch
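Review bot: Nothing at the `kstrtobool()` call in allow_restart_store() records that the accepted input set has changed: strings such as `y`, `n`, `on` and `off` are now valid, while numeric strings other than those starting with `0` or `1` now fail with -EINVAL where `simple_strtoul()` used to take them. That is a user-visible change to the sysfs file, so a short comment above the call would help, for instance `/* accepts the kstrtobool() forms only; anything else is -EINVAL */`, along with a matching line in the attribute's ABI description. The same applies to manage_start_stop_store() in the next patch of this queue. The two functions also place `bool v;` differently (first declaration here, last there), which is worth aligning.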
@@ -0,0 +1,40 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: weiping zhang
+Date: Thu, 12 Oct 2017 14:57:06 +0800
+Subject: scsi: sd: change manage_start_stop to bool in sysfs interface
+
+From: weiping zhang
+
+
+[ Upstream commit 623401ee33e42cee64d333877892be8db02951eb ]
+
+/sys/class/scsi_disk/0:2:0:0/manage_start_stop can be changed to 0
+unexpectly by writing an invalid string.
+
+Signed-off-by: weiping zhang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -234,11 +234,15 @@ manage_start_stop_store(struct device *d
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
++ bool v;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+- sdp->manage_start_stop = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->manage_start_stop = v;
+
+ return count;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index aea62b94804..d8529eacb78 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -21,3 +21,157 @@ dmaengine-dmatest-move-callback-wait-queue-to-thread-context.patch ext4-fix-fdatasync-2-after-fallocate-2-operation.patch ext4-fix-crash-when-a-directory-s-i_size-is-too-small.patch mac80211-fix-addition-of-mesh-configuration-element.patch +usb-phy-isp1301-add-of-device-id-table.patch +kvm-nvmx-do-not-warn-when-msr-bitmap-address-is-not-backed.patch +usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch +md-cluster-free-md_cluster_info-if-node-leave-cluster.patch +userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch +userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch +net-initialize-msg.msg_flags-in-recvfrom.patch +bnxt_en-ignore-0-value-in-autoneg-supported-speed-from-firmware.patch +net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch +net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch +net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch +net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch +net-bcmgenet-synchronize-irq0-status-between-the-isr-and-task.patch +net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch +rxrpc-wake-up-the-transmitter-if-rx-window-size-increases-on-the-peer.patch +net-mlx5-fix-create-autogroup-prev-initializer.patch +net-mlx5-don-t-save-pci-state-when-pci-error-is-detected.patch +iommu-io-pgtable-arm-v7s-check-for-leaf-entry-before-dereferencing-it.patch +drm-amdgpu-fix-parser-init-error-path-to-avoid-crash-in-parser-fini.patch +nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch +nfsd-fix-nfsd_reset_versions-for-nfsv4.patch +input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch +drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch +netfilter-bridge-honor-frag_max_size-when-refragmenting.patch +asoc-rsnd-fix-sound-route-path-when-using-src6-src9.patch +blk-mq-fix-tagset-reinit-in-the-presence-of-cpu-hot-unplug.patch +writeback-fix-memory-leak-in-wb_queue_work.patch +net-wimax-i2400m-fix-null-deref-at-probe.patch 
+dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch +irqchip-mvebu-odmi-select-generic_msi_irq_domain.patch +net-resend-igmp-memberships-upon-peer-notification.patch +mlxsw-reg-fix-spvm-max-record-count.patch +mlxsw-reg-fix-spvmlr-max-record-count.patch +qed-align-cids-according-to-dorq-requirement.patch +qed-fix-mapping-leak-on-ll2-rx-flow.patch +qed-fix-interrupt-flags-on-rx-ll2.patch +drm-amd-remove-broken-include-path.patch +intel_th-pci-add-gemini-lake-support.patch +openrisc-fix-issue-handling-8-byte-get_user-calls.patch +asoc-rcar-clear-de-bit-only-in-pdmachcr-when-it-stops.patch +scsi-hpsa-update-check-for-logical-volume-status.patch +scsi-hpsa-limit-outstanding-rescans.patch +scsi-hpsa-do-not-timeout-reset-operations.patch +fjes-fix-wrong-netdevice-feature-flags.patch +drm-radeon-si-add-dpm-quirk-for-oland.patch +drivers-hv-util-move-waiting-for-release-to-hv_utils_transport-itself.patch +iwlwifi-mvm-cleanup-pending-frames-in-dqa-mode.patch +sched-deadline-add-missing-update_rq_clock-in-dl_task_timer.patch +sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch +sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch +sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch +mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch +drm-radeon-reinstate-oland-workaround-for-sclk.patch +afs-fix-missing-put_page.patch +afs-populate-group-id-from-vnode-status.patch +afs-adjust-mode-bits-processing.patch +afs-deal-with-an-empty-callback-array.patch +afs-flush-outstanding-writes-when-an-fd-is-closed.patch +afs-migrate-vlocation-fields-to-64-bit.patch +afs-prevent-callback-expiry-timer-overflow.patch +afs-fix-the-maths-in-afs_fs_store_data.patch +afs-invalid-op-id-should-abort-with-rxgen_opcode.patch +afs-better-abort-and-net-error-handling.patch +afs-populate-and-use-client-modification-time.patch +afs-fix-page-leak-in-afs_write_begin.patch 
+afs-fix-afs_kill_pages.patch +afs-fix-abort-on-signal-while-waiting-for-call-completion.patch +nvme-loop-fix-a-possible-use-after-free-when-destroying-the-admin-queue.patch +nvmet-confirm-sq-percpu-has-scheduled-and-switched-to-atomic.patch +nvmet-rdma-fix-a-possible-uninitialized-variable-dereference.patch +net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch +net-mpls-fix-nexthop-alive-tracking-on-down-events.patch +rxrpc-ignore-busy-packets-on-old-calls.patch +tty-don-t-panic-on-oom-in-tty_set_ldisc.patch +tty-fix-data-race-in-tty_ldisc_ref_wait.patch +perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch +efi-esrt-cleanup-bad-memory-map-log-messages.patch +nfsv4.1-respect-server-s-max-size-in-create_session.patch +btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch +target-use-system-workqueue-for-alua-transitions.patch +target-fix-alua-transition-timeout-handling.patch +target-fix-race-during-implicit-transition-work-flushes.patch +revert-x86-acpi-set-persistent-cpuid-nodeid-mapping-when-booting.patch +hid-cp2112-fix-broken-gpio_direction_input-callback.patch +sfc-don-t-warn-on-successful-change-of-mac.patch +fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch +video-udlfb-fix-read-edid-timeout.patch +video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch +video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch +rtc-pcf8563-fix-output-clock-rate.patch +asoc-intel-skylake-fix-uuid_module-memory-leak-in-failure-case.patch +dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch +pci-pme-handle-invalid-data-when-reading-root-status.patch +powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch +pci-do-not-allocate-more-buses-than-available-in-parent.patch +iommu-mediatek-fix-driver-name.patch +netfilter-ipvs-fix-inappropriate-output-of-procfs.patch +powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch 
+powerpc-ipic-fix-status-get-and-status-clear.patch +platform-x86-intel_punit_ipc-fix-resource-ioremap-warning.patch +platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch +target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch +iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch +target-fix-condition-return-in-core_pr_dump_initiator_port.patch +target-file-do-not-return-error-for-unmap-if-length-is-zero.patch +badblocks-fix-wrong-return-value-in-badblocks_set-if-badblocks-are-disabled.patch +iommu-amd-limit-the-iova-page-range-to-the-specified-addresses.patch +xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch +arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch +crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch +mm-handle-0-flags-in-_calc_vm_trans-macro.patch +clk-mediatek-add-the-option-for-determining-pll-source-clock.patch +clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch +clk-hi6220-mark-clock-cs_atb_syspll-as-critical.patch +clk-tegra-fix-cclk_lp-divisor-register.patch +ppp-destroy-the-mutex-when-cleanup.patch +asoc-rsnd-rsnd_ssi_run_mods-needs-to-care-ssi_parent_mod.patch +thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch +scsi-scsi_debug-write_same-fix-error-report.patch +gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch +bcache-explicitly-destroy-mutex-while-exiting.patch +bcache-fix-wrong-cache_misses-statistics.patch +ib-hfi1-return-actual-operational-vls-in-port-info-query.patch +arm64-prevent-regressions-in-compressed-kernel-image-size-when-upgrading-to-binutils-2.27.patch +btrfs-tests-fix-a-memory-leak-in-error-handling-path-in-run_test.patch +platform-x86-hp_accel-add-quirk-for-hp-probook-440-g4.patch +nvme-use-kref_get_unless_zero-in-nvme_find_get_ns.patch +l2tp-cleanup-l2tp_tunnel_delete-calls.patch +xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch 
+xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch +rdma-cxgb4-declare-stag-as-__be32.patch +pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch +scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch +scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch +powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch +soc-mediatek-pwrap-fix-compiler-errors.patch +tty-fix-oops-when-rmmod-8250.patch +dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch +pinctrl-adi2-fix-kconfig-build-problem.patch +raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch +scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch +ib-core-fix-calculation-of-maximum-roce-mtu.patch +vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch +rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_createbss_cmd.patch +rtl8188eu-fix-a-possible-sleep-in-atomic-bug-in-rtw_disassoc_cmd.patch +scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch +scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch +scsi-bfa-integer-overflow-in-debugfs.patch +udf-avoid-overflow-when-session-starts-at-large-offset.patch +macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch +rdma-cma-avoid-triggering-undefined-behavior.patch +ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch +icmp-don-t-fail-on-fragment-reassembly-time-exceeded.patch +ath9k-fix-tx99-potential-info-leak.patch diff --git a/queue-4.9/sfc-don-t-warn-on-successful-change-of-mac.patch b/queue-4.9/sfc-don-t-warn-on-successful-change-of-mac.patch new file mode 100644 index 00000000000..d97b4e61066 --- /dev/null +++ b/queue-4.9/sfc-don-t-warn-on-successful-change-of-mac.patch 
@@ -0,0 +1,30 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Robert Stonehouse
+Date: Tue, 7 Nov 2017 17:30:30 +0000
+Subject: sfc: don't warn on successful change of MAC
+
+From: Robert Stonehouse
+
+
+[ Upstream commit cbad52e92ad7f01f0be4ca58bde59462dc1afe3a ]
+
+Fixes: 535a61777f44e ("sfc: suppress handled MCDI failures when changing the MAC address")
+Signed-off-by: Bert Kenward
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/sfc/ef10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -4967,7 +4967,7 @@ static int efx_ef10_set_mac_address(stru
+ * MCFW do not support VFs.
+ */
+ rc = efx_ef10_vport_set_mac_address(efx);
+- } else {
++ } else if (rc) {
+ efx_mcdi_display_error(efx, MC_CMD_VADAPTOR_SET_MAC,
+ sizeof(inbuf), NULL, 0, rc);
+ }
diff --git a/queue-4.9/soc-mediatek-pwrap-fix-compiler-errors.patch b/queue-4.9/soc-mediatek-pwrap-fix-compiler-errors.patch
new file mode 100644
index 00000000000..77f5bb04da2
--- /dev/null
+++ b/queue-4.9/soc-mediatek-pwrap-fix-compiler-errors.patch
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Matthias Brugger
+Date: Sat, 21 Oct 2017 10:17:47 +0200
+Subject: soc: mediatek: pwrap: fix compiler errors
+
+From: Matthias Brugger
+
+
+[ Upstream commit fb2c1934f30577756e55e24e8870b45c78da3bc2 ]
+
+When compiling using sparse, we got the following error:
+drivers/soc/mediatek/mtk-pmic-wrap.c:686:25: error: dubious one-bit signed bitfield
+
+Changing the data type to unsigned fixes this.
+
+Signed-off-by: Matthias Brugger
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/mediatek/mtk-pmic-wrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/mediatek/mtk-pmic-wrap.c
++++ b/drivers/soc/mediatek/mtk-pmic-wrap.c
+@@ -522,7 +522,7 @@ struct pmic_wrapper_type {
+ u32 int_en_all;
+ u32 spi_w;
+ u32 wdt_src;
+- int has_bridge:1;
++ unsigned int has_bridge:1;
+ int (*init_reg_clock)(struct pmic_wrapper *wrp);
+ int (*init_soc_specific)(struct pmic_wrapper *wrp);
+ };
diff --git a/queue-4.9/target-file-do-not-return-error-for-unmap-if-length-is-zero.patch b/queue-4.9/target-file-do-not-return-error-for-unmap-if-length-is-zero.patch
new file mode 100644
index 00000000000..8238101a3ff
--- /dev/null
+++ b/queue-4.9/target-file-do-not-return-error-for-unmap-if-length-is-zero.patch
@@ -0,0 +1,39 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jiang Yi
+Date: Fri, 11 Aug 2017 11:29:44 +0800
+Subject: target/file: Do not return error for UNMAP if length is zero
+
+From: Jiang Yi
+
+
+[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]
+
+The function fd_execute_unmap() in target_core_file.c calles
+
+ret = file->f_op->fallocate(file, mode, pos, len);
+
+Some filesystems implement fallocate() to return error if
+length is zero (e.g. btrfs) but according to SCSI Block
+Commands spec UNMAP should return success for zero length.
+
+Signed-off-by: Jiang Yi
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -466,6 +466,10 @@ fd_execute_unmap(struct se_cmd *cmd, sec
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (!nolb) {
++ return 0;
++ }
++
+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
diff --git a/queue-4.9/target-fix-alua-transition-timeout-handling.patch b/queue-4.9/target-fix-alua-transition-timeout-handling.patch
new file mode 100644
index 00000000000..1c3751fa69b
--- /dev/null
+++ b/queue-4.9/target-fix-alua-transition-timeout-handling.patch
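Review bot: The zero-length guard added at the top of fd_execute_unmap() has no comment, so the reason for reporting success without touching the backing file lives only in the commit message. I would put it in the code: `/* SBC: UNMAP of zero blocks succeeds; some fallocate() implementations reject len == 0 */`. The braces around the single `return 0;` also go against kernel coding style; `if (!nolb)` followed by `return 0;` is enough. The function body continues past the end of the hunk.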
@@ -0,0 +1,103 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Mike Christie +Date: Thu, 2 Mar 2017 04:59:48 -0600 +Subject: target: fix ALUA transition timeout handling + +From: Mike Christie + + +[ Upstream commit d7175373f2745ed4abe5b388d5aabd06304f801e ] + +The implicit transition time tells initiators the min time +to wait before timing out a transition. We currently schedule +the transition to occur in tg_pt_gp_implicit_trans_secs +seconds so there is no room for delays. If +core_alua_do_transition_tg_pt_work->core_alua_update_tpg_primary_metadata +needs to write out info to a remote file, then the initiator can +easily time out the operation. + +Signed-off-by: Mike Christie +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_alua.c | 23 ++++++++--------------- + include/target/target_core_base.h | 2 +- + 2 files changed, 9 insertions(+), 16 deletions(-) + +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -1010,7 +1010,7 @@ static void core_alua_queue_state_change + static void core_alua_do_transition_tg_pt_work(struct work_struct *work) + { + struct t10_alua_tg_pt_gp *tg_pt_gp = container_of(work, +- struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work.work); ++ struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work); + struct se_device *dev = tg_pt_gp->tg_pt_gp_dev; + bool explicit = (tg_pt_gp->tg_pt_gp_alua_access_status == + ALUA_STATUS_ALTERED_BY_EXPLICIT_STPG); +@@ -1073,13 +1073,12 @@ static int core_alua_do_transition_tg_pt + /* + * Flush any pending transitions + */ +- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs && +- atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) == ++ if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) == + ALUA_ACCESS_STATE_TRANSITION) { + /* Just in case */ + tg_pt_gp->tg_pt_gp_alua_pending_state = new_state; + tg_pt_gp->tg_pt_gp_transition_complete = &wait; +- 
flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work); ++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work); + wait_for_completion(&wait); + tg_pt_gp->tg_pt_gp_transition_complete = NULL; + return 0; +@@ -1114,15 +1113,9 @@ static int core_alua_do_transition_tg_pt + atomic_inc(&tg_pt_gp->tg_pt_gp_ref_cnt); + spin_unlock(&dev->t10_alua.tg_pt_gps_lock); + +- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs) { +- unsigned long transition_tmo; +- +- transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ; +- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, +- transition_tmo); +- } else { ++ schedule_work(&tg_pt_gp->tg_pt_gp_transition_work); ++ if (explicit) { + tg_pt_gp->tg_pt_gp_transition_complete = &wait; +- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0); + wait_for_completion(&wait); + tg_pt_gp->tg_pt_gp_transition_complete = NULL; + } +@@ -1690,8 +1683,8 @@ struct t10_alua_tg_pt_gp *core_alua_allo + mutex_init(&tg_pt_gp->tg_pt_gp_md_mutex); + spin_lock_init(&tg_pt_gp->tg_pt_gp_lock); + atomic_set(&tg_pt_gp->tg_pt_gp_ref_cnt, 0); +- INIT_DELAYED_WORK(&tg_pt_gp->tg_pt_gp_transition_work, +- core_alua_do_transition_tg_pt_work); ++ INIT_WORK(&tg_pt_gp->tg_pt_gp_transition_work, ++ core_alua_do_transition_tg_pt_work); + tg_pt_gp->tg_pt_gp_dev = dev; + atomic_set(&tg_pt_gp->tg_pt_gp_alua_access_state, + ALUA_ACCESS_STATE_ACTIVE_OPTIMIZED); +@@ -1799,7 +1792,7 @@ void core_alua_free_tg_pt_gp( + dev->t10_alua.alua_tg_pt_gps_counter--; + spin_unlock(&dev->t10_alua.tg_pt_gps_lock); + +- flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work); ++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work); + + /* + * Allow a struct t10_alua_tg_pt_gp_member * referenced by +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -297,7 +297,7 @@ struct t10_alua_tg_pt_gp { + struct list_head tg_pt_gp_lun_list; + struct se_lun *tg_pt_gp_alua_lun; + struct se_node_acl *tg_pt_gp_alua_nacl; +- struct delayed_work 
tg_pt_gp_transition_work; ++ struct work_struct tg_pt_gp_transition_work; + struct completion *tg_pt_gp_transition_complete; + }; + diff --git a/queue-4.9/target-fix-condition-return-in-core_pr_dump_initiator_port.patch b/queue-4.9/target-fix-condition-return-in-core_pr_dump_initiator_port.patch new file mode 100644 index 00000000000..ff7efd43895 --- /dev/null +++ b/queue-4.9/target-fix-condition-return-in-core_pr_dump_initiator_port.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: tangwenji +Date: Thu, 24 Aug 2017 19:59:37 +0800 +Subject: target:fix condition return in core_pr_dump_initiator_port() + +From: tangwenji + + +[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ] + +When is pr_reg->isid_present_at_reg is false,this function should return. + +This fixes a regression originally introduced by: + + commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5 + Author: Andy Grover + Date: Thu May 16 10:40:55 2013 -0700 + + target: Alter core_pr_dump_initiator_port for ease of use + +Signed-off-by: tangwenji +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_pr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -56,8 +56,10 @@ void core_pr_dump_initiator_port( + char *buf, + u32 size) + { +- if (!pr_reg->isid_present_at_reg) ++ if (!pr_reg->isid_present_at_reg) { + buf[0] = '\0'; ++ return; ++ } + + snprintf(buf, size, ",i,0x%s", pr_reg->pr_reg_isid); + } diff --git a/queue-4.9/target-fix-race-during-implicit-transition-work-flushes.patch b/queue-4.9/target-fix-race-during-implicit-transition-work-flushes.patch new file mode 100644 index 00000000000..f9671a9c041 --- /dev/null +++ b/queue-4.9/target-fix-race-during-implicit-transition-work-flushes.patch 
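Review bot: In the `@@ -1114,15 +1113,9 @@` hunk of core_alua_do_transition_tg_pt, `schedule_work()` now runs before `tg_pt_gp->tg_pt_gp_transition_complete = &wait;`, whereas the removed code assigned the pointer first and queued the work second. If the work item finishes before the assignment, and if it signals only when that pointer is non-NULL (the relevant part of the work function is outside the hunks, so this is inferred), the explicit caller blocks in `wait_for_completion()` with nothing left to wake it. Keeping the old order closes the window: `if (explicit) tg_pt_gp->tg_pt_gp_transition_complete = &wait;` ahead of `schedule_work(&tg_pt_gp->tg_pt_gp_transition_work);`, with the wait and the reset to NULL left where they are. The function starts and ends outside the hunk.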
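Review bot: `buf[0] = '\0';` in core_pr_dump_initiator_port() is written without looking at `size`, while the `snprintf()` below it is bounded by `size`, so a caller passing a zero-length buffer would get a one-byte write past it. The callers are not part of this hunk, so whether that can happen is not visible here. Guarding the store, `if (size) buf[0] = '\0';`, before the new `return;` makes the two paths agree on the bound.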
@@ -0,0 +1,67 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Mike Christie +Date: Thu, 2 Mar 2017 04:59:50 -0600 +Subject: target: fix race during implicit transition work flushes + +From: Mike Christie + + +[ Upstream commit 760bf578edf8122f2503a3a6a3f4b0de3b6ce0bb ] + +This fixes the following races: + +1. core_alua_do_transition_tg_pt could have read +tg_pt_gp_alua_access_state and gone into this if chunk: + +if (!explicit && + atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) == + ALUA_ACCESS_STATE_TRANSITION) { + +and then core_alua_do_transition_tg_pt_work could update the +state. core_alua_do_transition_tg_pt would then only set +tg_pt_gp_alua_pending_state and the tg_pt_gp_alua_access_state would +not get updated with the second calls state. + +2. core_alua_do_transition_tg_pt could be setting +tg_pt_gp_transition_complete while the tg_pt_gp_transition_work +is already completing. core_alua_do_transition_tg_pt then waits on the +completion that will never be called. + +To handle these issues, we just call flush_work which will return when +core_alua_do_transition_tg_pt_work has completed so there is no need +to do the complete/wait. And, if core_alua_do_transition_tg_pt_work +was running, instead of trying to sneak in the state change, we just +schedule up another core_alua_do_transition_tg_pt_work call. + +Note that this does not handle a possible race where there are multiple +threads call core_alua_do_transition_tg_pt at the same time. I think +we need a mutex in target_tg_pt_gp_alua_access_state_store. 
+ +Signed-off-by: Mike Christie +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_alua.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -1073,16 +1073,8 @@ static int core_alua_do_transition_tg_pt + /* + * Flush any pending transitions + */ +- if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) == +- ALUA_ACCESS_STATE_TRANSITION) { +- /* Just in case */ +- tg_pt_gp->tg_pt_gp_alua_pending_state = new_state; +- tg_pt_gp->tg_pt_gp_transition_complete = &wait; ++ if (!explicit) + flush_work(&tg_pt_gp->tg_pt_gp_transition_work); +- wait_for_completion(&wait); +- tg_pt_gp->tg_pt_gp_transition_complete = NULL; +- return 0; +- } + + /* + * Save the old primary ALUA access state, and set the current state diff --git a/queue-4.9/target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch b/queue-4.9/target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch new file mode 100644 index 00000000000..d64d17b9f7b --- /dev/null +++ b/queue-4.9/target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch 
@@ -0,0 +1,43 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Bart Van Assche
+Date: Tue, 31 Oct 2017 11:03:17 -0700
+Subject: target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
+
+From: Bart Van Assche
+
+
+[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]
+
+Avoid that cmd->se_cmd.se_tfo is read after a command has already been
+freed.
+
+Signed-off-by: Bart Van Assche
+Cc: Christoph Hellwig
+Cc: Mike Christie
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/iscsi/iscsi_target.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -841,6 +841,7 @@ static int iscsit_add_reject_from_cmd(
+ unsigned char *buf)
+ {
+ struct iscsi_conn *conn;
++ const bool do_put = cmd->se_cmd.se_tfo != NULL;
+
+ if (!cmd->conn) {
+ pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
+@@ -871,7 +872,7 @@ static int iscsit_add_reject_from_cmd(
+ * Perform the kref_put now if se_cmd has already been setup by
+ * scsit_setup_scsi_cmd()
+ */
+- if (cmd->se_cmd.se_tfo != NULL) {
++ if (do_put) {
+ pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
+ target_put_sess_cmd(&cmd->se_cmd);
+ }
diff --git a/queue-4.9/target-use-system-workqueue-for-alua-transitions.patch b/queue-4.9/target-use-system-workqueue-for-alua-transitions.patch
new file mode 100644
index 00000000000..1951790e512
--- /dev/null
+++ b/queue-4.9/target-use-system-workqueue-for-alua-transitions.patch
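Review bot: The new local `do_put` in iscsit_add_reject_from_cmd() has no comment saying why `se_tfo` is sampled at function entry, and without one a later cleanup could fold the test back into the `if` at the bottom and bring back the read of a possibly freed `cmd`. I would add above the declaration: `/* Sample se_tfo now: cmd may be freed once the reject has been queued. */`. The lines between the two hunks are not shown, so the exact point after which `cmd` must not be dereferenced is inferred from the commit message.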
@@ -0,0 +1,56 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Mike Christie +Date: Wed, 1 Mar 2017 23:13:26 -0600 +Subject: target: Use system workqueue for ALUA transitions + +From: Mike Christie + + +[ Upstream commit 207ee84133c00a8a2a5bdec94df4a5b37d78881c ] + +If tcmu-runner is processing a STPG and needs to change the kernel's +ALUA state then we cannot use the same work queue for task management +requests and ALUA transitions, because we could deadlock. The problem +occurs when a STPG times out before tcmu-runner is able to +call into target_tg_pt_gp_alua_access_state_store-> +core_alua_do_port_transition -> core_alua_do_transition_tg_pt -> +queue_work. In this case, the tmr is on the work queue waiting for +the STPG to complete, but the STPG transition is now queued behind +the waiting tmr. + +Note: +This bug will also be fixed by this patch: +http://www.spinics.net/lists/target-devel/msg14560.html +which switches the tmr code to use the system workqueues. + +For both, I am not sure if we need a dedicated workqueue since +it is not a performance path and I do not think we need WQ_MEM_RECLAIM +to make forward progress to free up memory like the block layer does. 
+ +Signed-off-by: Mike Christie +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_alua.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -1118,13 +1118,11 @@ static int core_alua_do_transition_tg_pt + unsigned long transition_tmo; + + transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ; +- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq, +- &tg_pt_gp->tg_pt_gp_transition_work, +- transition_tmo); ++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, ++ transition_tmo); + } else { + tg_pt_gp->tg_pt_gp_transition_complete = &wait; +- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq, +- &tg_pt_gp->tg_pt_gp_transition_work, 0); ++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0); + wait_for_completion(&wait); + tg_pt_gp->tg_pt_gp_transition_complete = NULL; + } diff --git a/queue-4.9/thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch b/queue-4.9/thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch new file mode 100644 index 00000000000..d406345252f --- /dev/null +++ b/queue-4.9/thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch 
@@ -0,0 +1,154 @@ +From foo@baz Mon Dec 18 14:12:35 CET 2017 +From: Daniel Lezcano +Date: Thu, 19 Oct 2017 19:05:58 +0200 +Subject: thermal/drivers/step_wise: Fix temperature regulation misbehavior + +From: Daniel Lezcano + + +[ Upstream commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 ] + +There is a particular situation when the cooling device is cpufreq and the heat +dissipation is not efficient enough where the temperature increases little by +little until reaching the critical threshold and leading to a SoC reset. + +The behavior is reproducible on a hikey6220 with bad heat dissipation (eg. +stacked with other boards). + +Running a simple C program doing while(1); for each CPU of the SoC makes the +temperature to reach the passive regulation trip point and ends up to the +maximum allowed temperature followed by a reset. + +This issue has been also reported by running the libhugetlbfs test suite. + +What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz +while the temperature continues to grow. + +It appears the step wise governor calls get_target_state() the first time with +the throttle set to true and the trend to 'raising'. The code selects logically +the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so +good. The temperature decreases immediately but still stays greater than the +trip point, then get_target_state() is called again, this time with the +throttle set to true *and* the trend to 'dropping'. From there the algorithm +assumes we have to step down the state and the cpu frequency jumps back to +1.2GHz. But the temperature is still higher than the trip point, so +get_target_state() is called with throttle=1 and trend='raising' again, we jump +to 900MHz, then get_target_state() is called with throttle=1 and +trend='dropping', we jump to 1.2GHz, etc ... but the temperature does not +stabilizes and continues to increase. 
+ +[ 237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 237.922690] thermal cooling_device0: cur_state=0 +[ 237.922701] thermal cooling_device0: old_target=0, target=1 +[ 238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1 +[ 238.026694] thermal cooling_device0: cur_state=1 +[ 238.026707] thermal cooling_device0: old_target=1, target=0 +[ 238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 238.134679] thermal cooling_device0: cur_state=0 +[ 238.134690] thermal cooling_device0: old_target=0, target=1 + +In this situation the temperature continues to increase while the trend is +oscillating between 'dropping' and 'raising'. We need to keep the current state +untouched if the throttle is set, so the temperature can decrease or a higher +state could be selected, thus preventing this oscillation. + +Keeping the next_target untouched when 'throttle' is true at 'dropping' time +fixes the issue. + +The following traces show the governor does not change the next state if +trend==2 (dropping) and throttle==1. 
+ +[ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 2306.128021] thermal cooling_device0: cur_state=0 +[ 2306.128031] thermal cooling_device0: old_target=0, target=1 +[ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1 +[ 2306.232030] thermal cooling_device0: cur_state=1 +[ 2306.232042] thermal cooling_device0: old_target=1, target=1 +[ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1 +[ 2306.336021] thermal cooling_device0: cur_state=1 +[ 2306.336034] thermal cooling_device0: old_target=1, target=1 +[ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0 +[ 2306.440022] thermal cooling_device0: cur_state=1 +[ 2306.440034] thermal cooling_device0: old_target=1, target=0 + +[ ... ] + +After a while, if the temperature continues to increase, the next state becomes +2 which is 720MHz on the hikey. That results in the temperature stabilizing +around the trip point. 
+ +[ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0 +[ 2455.832019] thermal cooling_device0: cur_state=1 +[ 2455.832032] thermal cooling_device0: old_target=1, target=1 +[ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0 +[ 2455.936027] thermal cooling_device0: cur_state=1 +[ 2455.936040] thermal cooling_device0: old_target=1, target=1 +[ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1 +[ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0 +[ 2456.044023] thermal cooling_device0: cur_state=1 +[ 2456.044036] thermal cooling_device0: old_target=1, target=1 +[ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1 +[ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1 +[ 2456.148042] thermal cooling_device0: cur_state=1 +[ 2456.148055] thermal cooling_device0: old_target=1, target=2 +[ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1 +[ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0 +[ 2456.252058] thermal cooling_device0: cur_state=2 +[ 2456.252075] thermal cooling_device0: old_target=2, target=1 + +IOW, this change is needed to keep the state for a cooling device if the +temperature trend is oscillating while the temperature increases slightly. + +Without this change, the situation above leads to a catastrophic crash by a +hardware reset on hikey. This issue has been reported to happen on an OMAP +dra7xx also. 
+ +Signed-off-by: Daniel Lezcano +Cc: Keerthy +Cc: John Stultz +Cc: Leo Yan +Tested-by: Keerthy +Reviewed-by: Keerthy +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/step_wise.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/thermal/step_wise.c ++++ b/drivers/thermal/step_wise.c +@@ -31,8 +31,7 @@ + * If the temperature is higher than a trip point, + * a. if the trend is THERMAL_TREND_RAISING, use higher cooling + * state for this trip point +- * b. if the trend is THERMAL_TREND_DROPPING, use lower cooling +- * state for this trip point ++ * b. if the trend is THERMAL_TREND_DROPPING, do nothing + * c. if the trend is THERMAL_TREND_RAISE_FULL, use upper limit + * for this trip point + * d. if the trend is THERMAL_TREND_DROP_FULL, use lower limit +@@ -94,9 +93,11 @@ static unsigned long get_target_state(st + if (!throttle) + next_target = THERMAL_NO_TARGET; + } else { +- next_target = cur_state - 1; +- if (next_target > instance->upper) +- next_target = instance->upper; ++ if (!throttle) { ++ next_target = cur_state - 1; ++ if (next_target > instance->upper) ++ next_target = instance->upper; ++ } + } + break; + case THERMAL_TREND_DROP_FULL: diff --git a/queue-4.9/tty-don-t-panic-on-oom-in-tty_set_ldisc.patch b/queue-4.9/tty-don-t-panic-on-oom-in-tty_set_ldisc.patch new file mode 100644 index 00000000000..826b94f534c --- /dev/null +++ b/queue-4.9/tty-don-t-panic-on-oom-in-tty_set_ldisc.patch 
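Review bot: The `if (!throttle) { … }` block nested inside the bare `else` in get_target_state() adds an indentation level that `} else if (!throttle) {` would avoid, with the two assignments left as they were. The `next_target = cur_state - 1;` line also depends on the condition of the enclosing `if`, which is above the hunk, to keep `cur_state` above zero; if `cur_state` is unsigned, as the function's `unsigned long` return type suggests, a zero would wrap and then be clamped to `instance->upper`. A short comment on the `else` branch stating that invariant would help the next reader.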
@@ -0,0 +1,181 @@ +From foo@baz Mon Dec 18 14:12:34 CET 2017 +From: Dmitry Vyukov +Date: Sat, 4 Mar 2017 14:55:19 +0100 +Subject: tty: don't panic on OOM in tty_set_ldisc() + +From: Dmitry Vyukov + + +[ Upstream commit 5362544bebe85071188dd9e479b5a5040841c895 ] + +If tty_ldisc_open() fails in tty_set_ldisc(), it tries to go back +to the old discipline or N_TTY. But that can fail as well, in such +case it panics. This is not a graceful way to handle OOM. + +Leave ldisc==NULL if all attempts fail instead. +Also use existing tty_ldisc_reinit() helper function instead of +tty_ldisc_restore(). Also don't WARN/BUG in tty_ldisc_reinit() +if N_TTY fails, which would have the same net effect of bringing +kernel down on OOM. Instead print a single line message about +what has happened. + +Signed-off-by: Dmitry Vyukov +Cc: syzkaller@googlegroups.com +Cc: linux-kernel@vger.kernel.org +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Peter Hurley +Cc: One Thousand Gnomes +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_ldisc.c | 85 +++++++++--------------------------------------- + 1 file changed, 16 insertions(+), 69 deletions(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -489,41 +489,6 @@ static void tty_ldisc_close(struct tty_s + } + + /** +- * tty_ldisc_restore - helper for tty ldisc change +- * @tty: tty to recover +- * @old: previous ldisc +- * +- * Restore the previous line discipline or N_TTY when a line discipline +- * change fails due to an open error +- */ +- +-static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) +-{ +- struct tty_ldisc *new_ldisc; +- int r; +- +- /* There is an outstanding reference here so this is safe */ +- old = tty_ldisc_get(tty, old->ops->num); +- WARN_ON(IS_ERR(old)); +- tty->ldisc = old; +- tty_set_termios_ldisc(tty, old->ops->num); +- if (tty_ldisc_open(tty, old) < 0) { +- tty_ldisc_put(old); +- /* This driver is always present 
*/ +- new_ldisc = tty_ldisc_get(tty, N_TTY); +- if (IS_ERR(new_ldisc)) +- panic("n_tty: get"); +- tty->ldisc = new_ldisc; +- tty_set_termios_ldisc(tty, N_TTY); +- r = tty_ldisc_open(tty, new_ldisc); +- if (r < 0) +- panic("Couldn't open N_TTY ldisc for " +- "%s --- error %d.", +- tty_name(tty), r); +- } +-} +- +-/** + * tty_set_ldisc - set line discipline + * @tty: the terminal to set + * @ldisc: the line discipline +@@ -536,12 +501,7 @@ static void tty_ldisc_restore(struct tty + + int tty_set_ldisc(struct tty_struct *tty, int disc) + { +- int retval; +- struct tty_ldisc *old_ldisc, *new_ldisc; +- +- new_ldisc = tty_ldisc_get(tty, disc); +- if (IS_ERR(new_ldisc)) +- return PTR_ERR(new_ldisc); ++ int retval, old_disc; + + tty_lock(tty); + retval = tty_ldisc_lock(tty, 5 * HZ); +@@ -554,7 +514,8 @@ int tty_set_ldisc(struct tty_struct *tty + } + + /* Check the no-op case */ +- if (tty->ldisc->ops->num == disc) ++ old_disc = tty->ldisc->ops->num; ++ if (old_disc == disc) + goto out; + + if (test_bit(TTY_HUPPED, &tty->flags)) { +@@ -563,34 +524,25 @@ int tty_set_ldisc(struct tty_struct *tty + goto out; + } + +- old_ldisc = tty->ldisc; +- +- /* Shutdown the old discipline. */ +- tty_ldisc_close(tty, old_ldisc); +- +- /* Now set up the new line discipline. */ +- tty->ldisc = new_ldisc; +- tty_set_termios_ldisc(tty, disc); +- +- retval = tty_ldisc_open(tty, new_ldisc); ++ retval = tty_ldisc_reinit(tty, disc); + if (retval < 0) { + /* Back to the old one or N_TTY if we can't */ +- tty_ldisc_put(new_ldisc); +- tty_ldisc_restore(tty, old_ldisc); ++ if (tty_ldisc_reinit(tty, old_disc) < 0) { ++ pr_err("tty: TIOCSETD failed, reinitializing N_TTY\n"); ++ if (tty_ldisc_reinit(tty, N_TTY) < 0) { ++ /* At this point we have tty->ldisc == NULL. 
*/ ++ pr_err("tty: reinitializing N_TTY failed\n"); ++ } ++ } + } + +- if (tty->ldisc->ops->num != old_ldisc->ops->num && tty->ops->set_ldisc) { ++ if (tty->ldisc && tty->ldisc->ops->num != old_disc && ++ tty->ops->set_ldisc) { + down_read(&tty->termios_rwsem); + tty->ops->set_ldisc(tty); + up_read(&tty->termios_rwsem); + } + +- /* At this point we hold a reference to the new ldisc and a +- reference to the old ldisc, or we hold two references to +- the old ldisc (if it was restored as part of error cleanup +- above). In either case, releasing a single reference from +- the old ldisc is correct. */ +- new_ldisc = old_ldisc; + out: + tty_ldisc_unlock(tty); + +@@ -598,7 +550,6 @@ out: + already running */ + tty_buffer_restart_work(tty->port); + err: +- tty_ldisc_put(new_ldisc); /* drop the extra reference */ + tty_unlock(tty); + return retval; + } +@@ -659,10 +610,8 @@ int tty_ldisc_reinit(struct tty_struct * + int retval; + + ld = tty_ldisc_get(tty, disc); +- if (IS_ERR(ld)) { +- BUG_ON(disc == N_TTY); ++ if (IS_ERR(ld)) + return PTR_ERR(ld); +- } + + if (tty->ldisc) { + tty_ldisc_close(tty, tty->ldisc); +@@ -674,10 +623,8 @@ int tty_ldisc_reinit(struct tty_struct * + tty_set_termios_ldisc(tty, disc); + retval = tty_ldisc_open(tty, tty->ldisc); + if (retval) { +- if (!WARN_ON(disc == N_TTY)) { +- tty_ldisc_put(tty->ldisc); +- tty->ldisc = NULL; +- } ++ tty_ldisc_put(tty->ldisc); ++ tty->ldisc = NULL; + } + return retval; + } diff --git a/queue-4.9/tty-fix-data-race-in-tty_ldisc_ref_wait.patch b/queue-4.9/tty-fix-data-race-in-tty_ldisc_ref_wait.patch new file mode 100644 index 00000000000..33088268e6b --- /dev/null +++ b/queue-4.9/tty-fix-data-race-in-tty_ldisc_ref_wait.patch 
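Review bot: The two new `pr_err()` calls in tty_set_ldisc() name neither the tty nor the error, whereas the removed panic message carried `tty_name(tty)` and the return code, so on a machine with many ttys the log line cannot be tied to a device. Something like `pr_err("tty: %s: TIOCSETD failed (%d), reinitializing N_TTY\n", tty_name(tty), retval);` keeps that information. Separately, `old_disc = tty->ldisc->ops->num;` dereferences `tty->ldisc` with no check in the hunk, and this change is what lets `tty->ldisc == NULL` survive a failed call; the lines just above that hunk are not shown, so confirm that a NULL check precedes it.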
@@ -0,0 +1,49 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Dmitry Vyukov
+Date: Sat, 4 Mar 2017 13:46:12 +0100
+Subject: tty: fix data race in tty_ldisc_ref_wait()
+
+From: Dmitry Vyukov
+
+
+[ Upstream commit a4a3e061149f09c075f108b6f1cf04d9739a6bc2 ]
+
+tty_ldisc_ref_wait() checks tty->ldisc under tty->ldisc_sem.
+But if ldisc==NULL it releases them sem and reloads
+tty->ldisc without holding the sem. This is wrong and
+can lead to returning non-NULL ldisc without protection.
+
+Don't reload tty->ldisc second time.
+
+Signed-off-by: Dmitry Vyukov
+Cc: syzkaller@googlegroups.com
+Cc: linux-kernel@vger.kernel.org
+Cc: Greg Kroah-Hartman
+Cc: Jiri Slaby
+Cc: Peter Hurley
+Cc: One Thousand Gnomes
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/tty_ldisc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -271,10 +271,13 @@ const struct file_operations tty_ldiscs_
+
+ struct tty_ldisc *tty_ldisc_ref_wait(struct tty_struct *tty)
+ {
++ struct tty_ldisc *ld;
++
+ ldsem_down_read(&tty->ldisc_sem, MAX_SCHEDULE_TIMEOUT);
+- if (!tty->ldisc)
++ ld = tty->ldisc;
++ if (!ld)
+ ldsem_up_read(&tty->ldisc_sem);
+- return tty->ldisc;
++ return ld;
+ }
+ EXPORT_SYMBOL_GPL(tty_ldisc_ref_wait);
+
diff --git a/queue-4.9/tty-fix-oops-when-rmmod-8250.patch b/queue-4.9/tty-fix-oops-when-rmmod-8250.patch
new file mode 100644
index 00000000000..0bbb1d43d9b
--- /dev/null
+++ b/queue-4.9/tty-fix-oops-when-rmmod-8250.patch
@@ -0,0 +1,90 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: nixiaoming
+Date: Fri, 15 Sep 2017 17:45:56 +0800
+Subject: tty fix oops when rmmod 8250
+
+From: nixiaoming
+
+
+[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]
+
+After rmmod 8250.ko
+tty_kref_put starts kwork (release_one_tty) to release proc interface
+oops when accessing driver->driver_name in proc_tty_unregister_driver
+
+Use jprobe, found driver->driver_name point to 8250.ko
+static static struct uart_driver serial8250_reg
+.driver_name= serial,
+
+Use name in proc_dir_entry instead of driver->driver_name to fix oops
+
+test on linux 4.1.12:
+
+BUG: unable to handle kernel paging request at ffffffffa01979de
+IP: [] strchr+0x0/0x30
+PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: ... ... [last unloaded: 8250]
+CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G O 4.1.12 #1
+Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
+Workqueue: events release_one_tty
+task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
+RIP: 0010:[] [] strchr+0x0/0x30
+RSP: 0018:ffff880852887c90 EFLAGS: 00010282
+RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
+RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
+RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
+R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
+R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
+FS: 0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
+Stack:
+ ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
+ ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
+ ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
+Call Trace:
+ [] ?
__xlate_proc_name+0x71/0xd0
+ [] remove_proc_entry+0x40/0x180
+ [] ? _raw_spin_lock_irqsave+0x41/0x60
+ [] ? destruct_tty_driver+0x60/0xe0
+ [] proc_tty_unregister_driver+0x28/0x40
+ [] destruct_tty_driver+0x88/0xe0
+ [] tty_driver_kref_put+0x1d/0x20
+ [] release_one_tty+0x5a/0xd0
+ [] process_one_work+0x139/0x420
+ [] worker_thread+0x121/0x450
+ [] ? process_scheduled_works+0x40/0x40
+ [] kthread+0xec/0x110
+ [] ? tg_rt_schedulable+0x210/0x220
+ [] ? kthread_freezable_should_stop+0x80/0x80
+ [] ret_from_fork+0x42/0x70
+ [] ? kthread_freezable_should_stop+0x80/0x80
+
+Signed-off-by: nixiaoming
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/proc_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_tty.c
++++ b/fs/proc/proc_tty.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include "internal.h"
+
+ /*
+ * The /proc/tty directory inodes...
+@@ -164,7 +165,7 @@ void proc_tty_unregister_driver(struct t
+ if (!ent)
+ return;
+
+- remove_proc_entry(driver->driver_name, proc_tty_driver);
++ remove_proc_entry(ent->name, proc_tty_driver);
+
+ driver->proc_entry = NULL;
+ }
diff --git a/queue-4.9/udf-avoid-overflow-when-session-starts-at-large-offset.patch b/queue-4.9/udf-avoid-overflow-when-session-starts-at-large-offset.patch
new file mode 100644
index 00000000000..41d2eec7210
--- /dev/null
+++ b/queue-4.9/udf-avoid-overflow-when-session-starts-at-large-offset.patch
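Review bot: The switch to `ent->name` in proc_tty_unregister_driver() has no comment explaining why `driver->driver_name` is avoided, and the reason is a lifetime issue that is easy to undo by accident. Per the commit message, `driver_name` can point into the memory of a module that has already been unloaded by the time the deferred release runs. I would add `/* driver->driver_name may point into an unloaded module here; use the name kept in the proc entry */` above the `remove_proc_entry()` call. The function starts outside the hunk, so any other read of `driver->driver_name` before the `!ent` check cannot be ruled out from here.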
@@ -0,0 +1,33 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jan Kara
+Date: Mon, 16 Oct 2017 11:38:11 +0200
+Subject: udf: Avoid overflow when session starts at large offset
+
+From: Jan Kara
+
+
+[ Upstream commit abdc0eb06964fe1d2fea6dd1391b734d0590365d ]
+
+When session starts beyond offset 2^31 the arithmetics in
+udf_check_vsd() would overflow. Make sure the computation is done in
+large enough type.
+
+Reported-by: Cezary Sliwa
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/udf/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -710,7 +710,7 @@ static loff_t udf_check_vsd(struct super
+ else
+ sectorsize = sb->s_blocksize;
+
+- sector += (sbi->s_session << sb->s_blocksize_bits);
++ sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits);
+
+ udf_debug("Starting at sector %u (%ld byte sectors)\n",
+ (unsigned int)(sector >> sb->s_blocksize_bits),
diff --git a/queue-4.9/usb-phy-isp1301-add-of-device-id-table.patch b/queue-4.9/usb-phy-isp1301-add-of-device-id-table.patch
new file mode 100644
index 00000000000..8eed18a7d3c
--- /dev/null
+++ b/queue-4.9/usb-phy-isp1301-add-of-device-id-table.patch
@@ -0,0 +1,49 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Javier Martinez Canillas
+Date: Wed, 22 Feb 2017 15:23:22 -0300
+Subject: usb: phy: isp1301: Add OF device ID table
+
+From: Javier Martinez Canillas
+
+
+[ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ]
+
+The driver doesn't have a struct of_device_id table but supported devices
+are registered via Device Trees. This is working on the assumption that a
+I2C device registered via OF will always match a legacy I2C device ID and
+that the MODALIAS reported will always be of the form i2c:.
+
+But this could change in the future so the correct approach is to have an
+OF device ID table if the devices are registered via OF.
+
+Signed-off-by: Javier Martinez Canillas
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/phy/phy-isp1301.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -33,6 +33,12 @@ static const struct i2c_device_id isp130
+ };
+ MODULE_DEVICE_TABLE(i2c, isp1301_id);
+
++static const struct of_device_id isp1301_of_match[] = {
++ {.compatible = "nxp,isp1301" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, isp1301_of_match);
++
+ static struct i2c_client *isp1301_i2c_client;
+
+ static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear)
+@@ -130,6 +136,7 @@ static int isp1301_remove(struct i2c_cli
+ static struct i2c_driver isp1301_driver = {
+ .driver = {
+ .name = DRV_NAME,
+ .of_match_table = of_match_ptr(isp1301_of_match),
+ },
+ .probe = isp1301_probe,
+ .remove = isp1301_remove,
diff --git a/queue-4.9/usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch b/queue-4.9/usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch
new file mode 100644
index 00000000000..27bd8277c3f
--- /dev/null
+++ b/queue-4.9/usb-xhci-mtk-check-hcc_params-after-adding-primary-hcd.patch
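Review bot: `isp1301_of_match` is defined unconditionally but referenced through `of_match_ptr()`, which evaluates to NULL when CONFIG_OF is disabled. In a built-in, non-OF configuration the table is then likely unreferenced and can produce an unused-variable warning; whether Kconfig allows such a build is not visible from this hunk. Either reference the table directly with `.of_match_table = isp1301_of_match,` or annotate the definition with `__maybe_unused`. The entry would also read more consistently as `{ .compatible = "nxp,isp1301" },` with a space after the opening brace.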
@@ -0,0 +1,42 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Chunfeng Yun
+Date: Thu, 9 Mar 2017 15:39:34 +0200
+Subject: usb: xhci-mtk: check hcc_params after adding primary hcd
+
+From: Chunfeng Yun
+
+
+[ Upstream commit 94a631d91ad341b3b4bdac72d1104d9f090e0ca9 ]
+
+hcc_params is set in xhci_gen_setup() called from usb_add_hcd(),
+so checks the Maximum Primary Stream Array Size in the hcc_params
+register after adding primary hcd.
+
+Signed-off-by: Chunfeng Yun
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mtk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -632,13 +632,13 @@ static int xhci_mtk_probe(struct platfor
+ goto power_off_phys;
+ }
+
+- if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
+- xhci->shared_hcd->can_do_streams = 1;
+-
+ ret = usb_add_hcd(hcd, irq, IRQF_SHARED);
+ if (ret)
+ goto put_usb3_hcd;
+
++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4)
++ xhci->shared_hcd->can_do_streams = 1;
++
+ ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED);
+ if (ret)
+ goto dealloc_usb2_hcd;
diff --git a/queue-4.9/userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch b/queue-4.9/userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch
new file mode 100644
index 00000000000..e513bf0e741
--- /dev/null
+++ b/queue-4.9/userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch
@@ -0,0 +1,50 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Andrea Arcangeli
+Date: Thu, 9 Mar 2017 16:17:14 -0800
+Subject: userfaultfd: selftest: vm: allow to build in vm/ directory
+
+From: Andrea Arcangeli
+
+
+[ Upstream commit 46aa6a302b53f543f8e8b8e1714dc5e449ad36a6 ]
+
+linux/tools/testing/selftests/vm $ make
+
+ gcc -Wall -I ../../../../usr/include compaction_test.c -lrt -o /compaction_test
+ /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/../../../../x86_64-pc-linux-gnu/bin/ld: cannot open output file /compaction_test: Permission denied
+ collect2: error: ld returned 1 exit status
+ make: *** [../lib.mk:54: /compaction_test] Error 1
+
+Since commit a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT")
+selftests/vm build fails if run from the "selftests/vm" directory, but
+it works in the selftests/ directory. It's quicker to be able to do a
+local vm-only build after a tree wipe and this patch allows for it
+again.
+
+Link: http://lkml.kernel.org/r/20170302173738.18994-4-aarcange@redhat.com
+Signed-off-by: Andrea Arcangeli
+Cc: Mike Rapoport
+Cc: "Dr. David Alan Gilbert"
+Cc: Mike Kravetz
+Cc: Pavel Emelyanov
+Cc: Hillf Danton
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/vm/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/vm/Makefile
++++ b/tools/testing/selftests/vm/Makefile
+@@ -1,5 +1,9 @@
+ # Makefile for vm selftests
+
++ifndef OUTPUT
++ OUTPUT := $(shell pwd)
++endif
++
+ CFLAGS = -Wall -I ../../../../usr/include $(EXTRA_CFLAGS)
+ BINARIES = compaction_test
+ BINARIES += hugepage-mmap
diff --git a/queue-4.9/userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch b/queue-4.9/userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch
new file mode 100644
index 00000000000..bad51e82d5c
--- /dev/null
+++ b/queue-4.9/userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch
@@ -0,0 +1,44 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Andrea Arcangeli
+Date: Thu, 9 Mar 2017 16:16:28 -0800
+Subject: userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
+
+From: Andrea Arcangeli
+
+
+[ Upstream commit 6bbc4a4144b1a69743022ac68dfaf6e7d993abb9 ]
+
+__do_fault assumes vmf->page has been initialized and is valid if
+VM_FAULT_NOPAGE is not returned by vma->vm_ops->fault(vma, vmf).
+
+handle_userfault() in turn should return VM_FAULT_NOPAGE if it doesn't
+return VM_FAULT_SIGBUS or VM_FAULT_RETRY (the other two possibilities).
+
+This VM_FAULT_NOPAGE case is only invoked when signal are pending and it
+didn't matter for anonymous memory before. It only started to matter
+since shmem was introduced. hugetlbfs also takes a different path and
+doesn't exercise __do_fault.
+
+Link: http://lkml.kernel.org/r/20170228154201.GH5816@redhat.com
+Signed-off-by: Andrea Arcangeli
+Reported-by: Dmitry Vyukov
+Cc: "Kirill A. Shutemov"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/userfaultfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -419,7 +419,7 @@ int handle_userfault(struct fault_env *f
+ * in such case.
+ */
+ down_read(&mm->mmap_sem);
+- ret = 0;
++ ret = VM_FAULT_NOPAGE;
+ }
+ }
+
diff --git a/queue-4.9/video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch b/queue-4.9/video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch
new file mode 100644
index 00000000000..ac48207fe04
--- /dev/null
+++ b/queue-4.9/video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch
@@ -0,0 +1,34 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Christophe JAILLET
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Release some resources if a memory allocation fails
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 451f130602619a17c8883dd0b71b11624faffd51 ]
+
+We should go through the error handling code instead of returning -ENOMEM
+directly.
+
+Signed-off-by: Christophe JAILLET
+Cc: Tejun Heo
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/au1200fb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1700,7 +1700,8 @@ static int au1200fb_drv_probe(struct pla
+ if (!fbdev->fb_mem) {
+ print_err("fail to allocate frambuffer (size: %dK))",
+ fbdev->fb_len / 1024);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto failed;
+ }
+
+ /*
diff --git a/queue-4.9/video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch b/queue-4.9/video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch
new file mode 100644
index 00000000000..c5f8766f5d2
--- /dev/null
+++ b/queue-4.9/video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch
@@ -0,0 +1,37 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Christophe JAILLET
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Return an error code if a memory allocation fails
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 ]
+
+'ret' is known to be 0 at this point.
+In case of memory allocation error in 'framebuffer_alloc()', return
+-ENOMEM instead.
+
+Signed-off-by: Christophe JAILLET
+Cc: Tejun Heo
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/au1200fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1681,8 +1681,10 @@ static int au1200fb_drv_probe(struct pla
+
+ fbi = framebuffer_alloc(sizeof(struct au1200fb_device),
+ &dev->dev);
+- if (!fbi)
++ if (!fbi) {
++ ret = -ENOMEM;
+ goto failed;
++ }
+
+ _au1200fb_infos[plane] = fbi;
+ fbdev = fbi->par;
diff --git a/queue-4.9/video-udlfb-fix-read-edid-timeout.patch b/queue-4.9/video-udlfb-fix-read-edid-timeout.patch
new file mode 100644
index 00000000000..50b8ed5e272
--- /dev/null
+++ b/queue-4.9/video-udlfb-fix-read-edid-timeout.patch
@@ -0,0 +1,49 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Ladislav Michl
+Date: Thu, 9 Nov 2017 18:09:30 +0100
+Subject: video: udlfb: Fix read EDID timeout
+
+From: Ladislav Michl
+
+
+[ Upstream commit c98769475575c8a585f5b3952f4b5f90266f699b ]
+
+While usb_control_msg function expects timeout in miliseconds, a value
+of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
+message which looks like:
+udlfb: Read EDID byte 78 failed err ffffff92
+as error is either negative errno or number of bytes transferred use %d
+format specifier.
+
+Returned EDID is in second byte, so return error when less than two bytes
+are received.
+
+Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
+Signed-off-by: Ladislav Michl
+Cc: Bernie Thompson
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/udlfb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -769,11 +769,11 @@ static int dlfb_get_edid(struct dlfb_dat
+
+ for (i = 0; i < len; i++) {
+ ret = usb_control_msg(dev->udev,
+- usb_rcvctrlpipe(dev->udev, 0), (0x02),
+- (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
+- HZ);
+- if (ret < 1) {
+- pr_err("Read EDID byte %d failed err %x\n", i, ret);
++ usb_rcvctrlpipe(dev->udev, 0), 0x02,
++ (0x80 | (0x02 << 5)), i << 8, 0xA1,
++ rbuf, 2, USB_CTRL_GET_TIMEOUT);
++ if (ret < 2) {
++ pr_err("Read EDID byte %d failed: %d\n", i, ret);
+ i--;
+ break;
+ }
diff --git a/queue-4.9/vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch b/queue-4.9/vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch
new file mode 100644
index 00000000000..2588b3957d8
--- /dev/null
+++ b/queue-4.9/vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch
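Review bot: The rewritten `usb_control_msg()` call in dlfb_get_edid() still spells the request type as `(0x80 | (0x02 << 5))`, and the bare `2` in `if (ret < 2)` is only implicitly tied to the transfer length passed a line earlier. Since the lines are being touched anyway, `USB_DIR_IN | USB_TYPE_VENDOR` would say the same thing by name, and a short comment such as `/* the EDID byte is the second byte of the reply; a shorter transfer leaves it unset */` would make clear why a one-byte reply from the device is now rejected. The log text "failed: %d" can also print a small non-negative byte count rather than an errno, so wording like "failed or short read: %d" would be less ambiguous. The loop body continues outside the hunk.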
@@ -0,0 +1,43 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Jia-Ju Bai
+Date: Mon, 9 Oct 2017 16:45:55 +0800
+Subject: vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
+
+From: Jia-Ju Bai
+
+
+[ Upstream commit 42c8eb3f6e15367981b274cb79ee4657e2c6949d ]
+
+The driver may sleep under a spinlock, and the function call path is:
+vt6655_suspend (acquire the spinlock)
+ pci_set_power_state
+ __pci_start_power_transition (drivers/pci/pci.c)
+ msleep --> may sleep
+
+To fix it, pci_set_power_state is called without having a spinlock.
+
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/vt6655/device_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1698,10 +1698,11 @@ static int vt6655_suspend(struct pci_dev
+ MACbShutdown(priv);
+
+ pci_disable_device(pcid);
+- pci_set_power_state(pcid, pci_choose_state(pcid, state));
+
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ pci_set_power_state(pcid, pci_choose_state(pcid, state));
++
+ return 0;
+ }
+
diff --git a/queue-4.9/writeback-fix-memory-leak-in-wb_queue_work.patch b/queue-4.9/writeback-fix-memory-leak-in-wb_queue_work.patch
new file mode 100644
index 00000000000..dc18c5eb837
--- /dev/null
+++ b/queue-4.9/writeback-fix-memory-leak-in-wb_queue_work.patch
@@ -0,0 +1,93 @@
+From foo@baz Mon Dec 18 14:12:34 CET 2017
+From: Tahsin Erdogan
+Date: Fri, 10 Mar 2017 12:09:49 -0800
+Subject: writeback: fix memory leak in wb_queue_work()
+
+From: Tahsin Erdogan
+
+
+[ Upstream commit 4a3a485b1ed0e109718cc8c9d094fa0f552de9b2 ]
+
+When WB_registered flag is not set, wb_queue_work() skips queuing the
+work, but does not perform the necessary clean up. In particular, if
+work->auto_free is true, it should free the memory.
+
+The leak condition can be reprouced by following these steps:
+
+ mount /dev/sdb /mnt/sdb
+ /* In qemu console: device_del sdb */
+ umount /dev/sdb
+
+Above will result in a wb_queue_work() call on an unregistered wb and
+thus leak memory.
+
+Reported-by: John Sperbeck
+Signed-off-by: Tahsin Erdogan
+Reviewed-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fs-writeback.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -173,19 +173,33 @@ static void wb_wakeup(struct bdi_writeba
+ spin_unlock_bh(&wb->work_lock);
+ }
+
++static void finish_writeback_work(struct bdi_writeback *wb,
++ struct wb_writeback_work *work)
++{
++ struct wb_completion *done = work->done;
++
++ if (work->auto_free)
++ kfree(work);
++ if (done && atomic_dec_and_test(&done->cnt))
++ wake_up_all(&wb->bdi->wb_waitq);
++}
++
+ static void wb_queue_work(struct bdi_writeback *wb,
+ struct wb_writeback_work *work)
+ {
+ trace_writeback_queue(wb, work);
+
+- spin_lock_bh(&wb->work_lock);
+- if (!test_bit(WB_registered, &wb->state))
+- goto out_unlock;
+ if (work->done)
+ atomic_inc(&work->done->cnt);
+- list_add_tail(&work->list, &wb->work_list);
+- mod_delayed_work(bdi_wq, &wb->dwork, 0);
+-out_unlock:
++
++ spin_lock_bh(&wb->work_lock);
++
++ if (test_bit(WB_registered, &wb->state)) {
++ list_add_tail(&work->list, &wb->work_list);
++ mod_delayed_work(bdi_wq, &wb->dwork, 0);
++ }
 else
++ finish_writeback_work(wb, work);
++
+ spin_unlock_bh(&wb->work_lock);
+ }
+
+@@ -1875,16 +1889,9 @@ static long wb_do_writeback(struct bdi_w
+
+ set_bit(WB_writeback_running, &wb->state);
+ while ((work = get_next_work_item(wb)) != NULL) {
+- struct wb_completion *done = work->done;
+-
+ trace_writeback_exec(wb, work);
+-
+ wrote += wb_writeback(wb, work);
+-
+- if (work->auto_free)
+- kfree(work);
+- if (done && atomic_dec_and_test(&done->cnt))
+- wake_up_all(&wb->bdi->wb_waitq);
++ finish_writeback_work(wb, work);
+ }
+
+ /*
diff --git a/queue-4.9/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch b/queue-4.9/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch
new file mode 100644
index 00000000000..2277a192937
--- /dev/null
+++ b/queue-4.9/xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch
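Review bot: The new helper finish_writeback_work() may free `work`, and wb_queue_work() now calls it on the unregistered path, but neither function documents that `work` must not be touched once the call returns. That ownership rule is what keeps callers away from a use-after-free, so I would put `/* May free @work (auto_free); callers must not dereference it afterwards. @done is read first for that reason. */` above the helper. The helper also runs under `wb->work_lock` with bottom halves disabled in wb_queue_work(), which is worth a word in the same comment; the wb_do_writeback() call site lies in a hunk whose function starts outside the visible lines, so its locking cannot be compared from here. As a style point, the `} else` branch should take braces to match the braced `if` arm: `} else {` / `finish_writeback_work(wb, work);` / `}`.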
@@ -0,0 +1,39 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Christoph Hellwig
+Date: Tue, 17 Oct 2017 14:16:19 -0700
+Subject: xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
+
+From: Christoph Hellwig
+
+
+[ Upstream commit 5e422f5e4fd71d18bc6b851eeb3864477b3d842e ]
+
+There was one spot in xfs_bmap_add_extent_unwritten_real that didn't use the
+passed in new extent state but always converted to normal, leading to wrong
+behavior when converting from normal to unwritten.
+
+Only found by code inspection, it seems like this code path to move partial
+extent from written to unwritten while merging it with the next extent is
+rarely exercised.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -2713,7 +2713,7 @@ xfs_bmap_add_extent_unwritten_real(
+ &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 0, done);
+- cur->bc_rec.b.br_state = XFS_EXT_NORM;
++ cur->bc_rec.b.br_state = new->br_state;
+ if ((error = xfs_btree_insert(cur, &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);
diff --git a/queue-4.9/xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch b/queue-4.9/xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch
new file mode 100644
index 00000000000..68667766dc3
--- /dev/null
+++ b/queue-4.9/xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch
@@ -0,0 +1,46 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Brian Foster
+Date: Thu, 26 Oct 2017 09:31:16 -0700
+Subject: xfs: fix log block underflow during recovery cycle verification
+
+From: Brian Foster
+
+
+[ Upstream commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a ]
+
+It is possible for mkfs to format very small filesystems with too
+small of an internal log with respect to the various minimum size
+and block count requirements. If this occurs when the log happens to
+be smaller than the scan window used for cycle verification and the
+scan wraps the end of the log, the start_blk calculation in
+xlog_find_head() underflows and leads to an attempt to scan an
+invalid range of log blocks. This results in log recovery failure
+and a failed mount.
+
+Since there may be filesystems out in the wild with this kind of
+geometry, we cannot simply refuse to mount. Instead, cap the scan
+window for cycle verification to the size of the physical log. This
+ensures that the cycle verification proceeds as expected when the
+scan wraps the end of the log.
+
+Reported-by: Zorro Lang
+Signed-off-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_log_recover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -753,7 +753,7 @@ xlog_find_head(
+ * in the in-core log. The following number can be made tighter if
+ * we actually look at the block size of the filesystem.
+ */
+- num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
++ num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
+ if (head_blk >= num_scan_bblks) {
+ /*
+ * We are guaranteed that the entire check can be performed
diff --git a/queue-4.9/xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch b/queue-4.9/xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch
new file mode 100644
index 00000000000..c882a953034
--- /dev/null
+++ b/queue-4.9/xfs-truncate-pagecache-before-writeback-in-xfs_setattr_size.patch
@@ -0,0 +1,118 @@
+From foo@baz Mon Dec 18 14:12:35 CET 2017
+From: Eryu Guan
+Date: Wed, 1 Nov 2017 21:43:50 -0700
+Subject: xfs: truncate pagecache before writeback in xfs_setattr_size()
+
+From: Eryu Guan
+
+
+[ Upstream commit 350976ae21873b0d36584ea005076356431b8f79 ]
+
+On truncate down, if new size is not block size aligned, we zero the
+rest of block to avoid exposing stale data to user, and
+iomap_truncate_page() skips zeroing if the range is already in
+unwritten state or a hole. Then we writeback from on-disk i_size to
+the new size if this range hasn't been written to disk yet, and
+truncate page cache beyond new EOF and set in-core i_size.
+
+The problem is that we could write data between di_size and newsize
+before removing the page cache beyond newsize, as the extents may
+still be in unwritten state right after a buffer write. As such, the
+page of data that newsize lies in has not been zeroed by page cache
+invalidation before it is written, and xfs_do_writepage() hasn't
+triggered it's "zero data beyond EOF" case because we haven't
+updated in-core i_size yet. Then a subsequent mmap read could see
+non-zeros past EOF.
+
+I occasionally see this in fsx runs in fstests generic/112, a
+simplified fsx operation sequence is like (assuming 4k block size
+xfs):
+
+ fallocate 0x0 0x1000 0x0 keep_size
+ write 0x0 0x1000 0x0
+ truncate 0x0 0x800 0x1000
+ punch_hole 0x0 0x800 0x800
+ mapread 0x0 0x800 0x800
+
+where fallocate allocates unwritten extent but doesn't update
+i_size, buffer write populates the page cache and extent is still
+unwritten, truncate skips zeroing page past new EOF and writes the
+page to disk, punch_hole invalidates the page cache, at last mapread
+reads the block back and sees non-zero beyond EOF.
+
+Fix it by moving truncate_setsize() to before writeback so the page
+cache invalidation zeros the partial page at the new EOF.
This also
+triggers "zero data beyond EOF" in xfs_do_writepage() at writeback
+time, because newsize has been set and page straddles the newsize.
+
+Also fixed the wrong 'end' param of filemap_write_and_wait_range()
+call while we're at it, the 'end' is inclusive and should be
+'newsize - 1'.
+
+Suggested-by: Dave Chinner
+Signed-off-by: Eryu Guan
+Acked-by: Dave Chinner
+Reviewed-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_iops.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -871,22 +871,6 @@ xfs_setattr_size(
+ return error;
+
+ /*
+- * We are going to log the inode size change in this transaction so
+- * any previous writes that are beyond the on disk EOF and the new
+- * EOF that have not been written out need to be written here. If we
+- * do not write the data out, we expose ourselves to the null files
+- * problem. Note that this includes any block zeroing we did above;
+- * otherwise those blocks may not be zeroed after a crash.
+- */
+- if (did_zeroing ||
+- (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
+- error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
+- ip->i_d.di_size, newsize);
+- if (error)
+- return error;
+- }
+-
+- /*
+ * We've already locked out new page faults, so now we can safely remove
+ * pages from the page cache knowing they won't get refaulted until we
+ * drop the XFS_MMAP_EXCL lock after the extent manipulations are
+@@ -902,9 +886,29 @@ xfs_setattr_size(
+ * user visible changes). There's not much we can do about this, except
+ * to hope that the caller sees ENOMEM and retries the truncate
+ * operation.
++ *
++ * And we update in-core i_size and truncate page cache beyond newsize
++ * before writeback the [di_size, newsize] range, so we're guaranteed
++ * not to write stale data past the new EOF on truncate down.
+ */
+ truncate_setsize(inode, newsize);
+
++ /*
++ * We are going to log the inode size change in this transaction so
++ * any previous writes that are beyond the on disk EOF and the new
++ * EOF that have not been written out need to be written here. If we
++ * do not write the data out, we expose ourselves to the null files
++ * problem. Note that this includes any block zeroing we did above;
++ * otherwise those blocks may not be zeroed after a crash.
++ */
++ if (did_zeroing ||
++ (newsize > ip->i_d.di_size && oldsize != ip->i_d.di_size)) {
++ error = filemap_write_and_wait_range(VFS_I(ip)->i_mapping,
++ ip->i_d.di_size, newsize - 1);
++ if (error)
++ return error;
++ }
++
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, 0, 0, 0, &tp);
+ if (error)
+ return error;
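Review bot: The writeback range in the re-added block of xfs_setattr_size() is now `ip->i_d.di_size` to `newsize - 1`, but the `did_zeroing` arm of the condition does not bound `di_size` against `newsize` within this hunk. If that arm can be taken on a truncate down while `di_size` is at or above `newsize`, the inclusive range is empty or inverted and the zeroed block the comment refers to would not be covered; whether earlier code outside the hunk excludes that case is not visible here. The new comment text also still describes the range as `[di_size, newsize]`, which no longer matches the inclusive end passed to the call. I would change it to `[di_size, newsize - 1]` and add one line stating the assumed relation between `di_size` and `newsize` when `did_zeroing` is set.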