From: Greg Kroah-Hartman Date: Mon, 27 May 2019 12:12:15 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.1.6~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=705cd2b1efbfcfd1e821e1f4d298c4ff24422af6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bio-fix-improper-use-of-smp_mb__before_atomic.patch crypto-vmx-ctr-always-increment-iv-as-quadword.patch f2fs-fix-use-of-number-of-devices.patch kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id.patch kvm-x86-fix-return-value-for-reserved-efer.patch libnvdimm-namespace-fix-label-tracking-error.patch libnvdimm-pmem-bypass-config_hardened_usercopy-overhead.patch mmc-sdhci-iproc-cygnus-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch mmc-sdhci-iproc-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch --- diff --git a/queue-4.14/bio-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-4.14/bio-fix-improper-use-of-smp_mb__before_atomic.patch new file mode 100644 index 00000000000..e59c16cbdce --- /dev/null +++ b/queue-4.14/bio-fix-improper-use-of-smp_mb__before_atomic.patch @@ -0,0 +1,43 @@ +From f381c6a4bd0ae0fde2d6340f1b9bb0f58d915de6 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Mon, 20 May 2019 19:23:56 +0200 +Subject: bio: fix improper use of smp_mb__before_atomic() + +From: Andrea Parri + +commit f381c6a4bd0ae0fde2d6340f1b9bb0f58d915de6 upstream. + +This barrier only applies to the read-modify-write operations; in +particular, it does not apply to the atomic_set() primitive. + +Replace the barrier with an smp_mb(). + +Fixes: dac56212e8127 ("bio: skip atomic inc/dec of ->bi_cnt for most use cases") +Cc: stable@vger.kernel.org +Reported-by: "Paul E. McKenney" +Reported-by: Peter Zijlstra +Signed-off-by: Andrea Parri +Reviewed-by: Ming Lei +Cc: Jens Axboe +Cc: Ming Lei +Cc: linux-block@vger.kernel.org +Cc: "Paul E. McKenney" +Cc: Peter Zijlstra +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/bio.h ++++ b/include/linux/bio.h +@@ -260,7 +260,7 @@ static inline void bio_cnt_set(struct bi + { + if (count != 1) { + bio->bi_flags |= (1 << BIO_REFFED); +- smp_mb__before_atomic(); ++ smp_mb(); + } + atomic_set(&bio->__bi_cnt, count); + } diff --git a/queue-4.14/crypto-vmx-ctr-always-increment-iv-as-quadword.patch b/queue-4.14/crypto-vmx-ctr-always-increment-iv-as-quadword.patch new file mode 100644 index 00000000000..042fc81c362 --- /dev/null +++ b/queue-4.14/crypto-vmx-ctr-always-increment-iv-as-quadword.patch @@ -0,0 +1,57 @@ +From 009b30ac7444c17fae34c4f435ebce8e8e2b3250 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Wed, 15 May 2019 20:24:50 +1000 +Subject: crypto: vmx - CTR: always increment IV as quadword + +From: Daniel Axtens + +commit 009b30ac7444c17fae34c4f435ebce8e8e2b3250 upstream. + +The kernel self-tests picked up an issue with CTR mode: +alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep" + +Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so +after 3 increments it should wrap around to 0. + +In the aesp8-ppc code from OpenSSL, there are two paths that +increment IVs: the bulk (8 at a time) path, and the individual +path which is used when there are fewer than 8 AES blocks to +process. + +In the bulk path, the IV is incremented with vadduqm: "Vector +Add Unsigned Quadword Modulo", which does 128-bit addition. + +In the individual path, however, the IV is incremented with +vadduwm: "Vector Add Unsigned Word Modulo", which instead +does 4 32-bit additions. Thus the IV would instead become +FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result. + +Use vadduqm. + +This was probably a typo originally, what with q and w being +adjacent. It is a pretty narrow edge case: I am really +impressed by the quality of the kernel self-tests! + +Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Axtens +Acked-by: Nayna Jain +Tested-by: Nayna Jain +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/vmx/aesp8-ppc.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/vmx/aesp8-ppc.pl ++++ b/drivers/crypto/vmx/aesp8-ppc.pl +@@ -1318,7 +1318,7 @@ Loop_ctr32_enc: + addi $idx,$idx,16 + bdnz Loop_ctr32_enc + +- vadduwm $ivec,$ivec,$one ++ vadduqm $ivec,$ivec,$one + vmr $dat,$inptail + lvx $inptail,0,$inp + addi $inp,$inp,16 diff --git a/queue-4.14/f2fs-fix-use-of-number-of-devices.patch b/queue-4.14/f2fs-fix-use-of-number-of-devices.patch new file mode 100644 index 00000000000..c98dbf26c7b --- /dev/null +++ b/queue-4.14/f2fs-fix-use-of-number-of-devices.patch @@ -0,0 +1,149 @@ +From 0916878da355650d7e77104a7ac0fa1784eca852 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sat, 16 Mar 2019 09:13:06 +0900 +Subject: f2fs: Fix use of number of devices + +From: Damien Le Moal + +commit 0916878da355650d7e77104a7ac0fa1784eca852 upstream. + +For a single device mount using a zoned block device, the zone +information for the device is stored in the sbi->devs single entry +array and sbi->s_ndevs is set to 1. This differs from a single device +mount using a regular block device which does not allocate sbi->devs +and sets sbi->s_ndevs to 0. + +However, sbi->s_devs == 0 condition is used throughout the code to +differentiate a single device mount from a multi-device mount where +sbi->s_ndevs is always larger than 1. This results in problems with +single zoned block device volumes as these are treated as multi-device +mounts but do not have the start_blk and end_blk information set. One +of the problem observed is skipping of zone discard issuing resulting in +write commands being issued to full zones or unaligned to a zone write +pointer. + +Fix this problem by simply treating the cases sbi->s_ndevs == 0 (single +regular block device mount) and sbi->s_ndevs == 1 (single zoned block +device mount) in the same manner. This is done by introducing the +helper function f2fs_is_multi_device() and using this helper in place +of direct tests of sbi->s_ndevs value, improving code readability. + +Fixes: 7bb3a371d199 ("f2fs: Fix zoned block device support") +Cc: +Signed-off-by: Damien Le Moal +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/data.c | 17 +++++++++++------ + fs/f2fs/f2fs.h | 11 +++++++++++ + fs/f2fs/file.c | 2 +- + fs/f2fs/gc.c | 2 +- + fs/f2fs/segment.c | 6 +++--- + 5 files changed, 27 insertions(+), 11 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -133,12 +133,14 @@ struct block_device *f2fs_target_device( + struct block_device *bdev = sbi->sb->s_bdev; + int i; + +- for (i = 0; i < sbi->s_ndevs; i++) { +- if (FDEV(i).start_blk <= blk_addr && +- FDEV(i).end_blk >= blk_addr) { +- blk_addr -= FDEV(i).start_blk; +- bdev = FDEV(i).bdev; +- break; ++ if (f2fs_is_multi_device(sbi)) { ++ for (i = 0; i < sbi->s_ndevs; i++) { ++ if (FDEV(i).start_blk <= blk_addr && ++ FDEV(i).end_blk >= blk_addr) { ++ blk_addr -= FDEV(i).start_blk; ++ bdev = FDEV(i).bdev; ++ break; ++ } + } + } + if (bio) { +@@ -152,6 +154,9 @@ int f2fs_target_device_index(struct f2fs + { + int i; + ++ if (!f2fs_is_multi_device(sbi)) ++ return 0; ++ + for (i = 0; i < sbi->s_ndevs; i++) + if (FDEV(i).start_blk <= blkaddr && FDEV(i).end_blk >= blkaddr) + return i; +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1167,6 +1167,17 @@ static inline bool time_to_inject(struct + } + #endif + ++/* ++ * Test if the mounted volume is a multi-device volume. ++ * - For a single regular disk volume, sbi->s_ndevs is 0. ++ * - For a single zoned disk volume, sbi->s_ndevs is 1. ++ * - For a multi-device volume, sbi->s_ndevs is always 2 or more. ++ */ ++static inline bool f2fs_is_multi_device(struct f2fs_sb_info *sbi) ++{ ++ return sbi->s_ndevs > 1; ++} ++ + /* For write statistics. Suppose sector size is 512 bytes, + * and the return value is in kbytes. s is of struct f2fs_sb_info. + */ +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2407,7 +2407,7 @@ static int f2fs_ioc_flush_device(struct + sizeof(range))) + return -EFAULT; + +- if (sbi->s_ndevs <= 1 || sbi->s_ndevs - 1 <= range.dev_num || ++ if (!f2fs_is_multi_device(sbi) || sbi->s_ndevs - 1 <= range.dev_num || + sbi->segs_per_sec != 1) { + f2fs_msg(sbi->sb, KERN_WARNING, + "Can't flush %u in %d for segs_per_sec %u != 1\n", +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1111,7 +1111,7 @@ void build_gc_manager(struct f2fs_sb_inf + BLKS_PER_SEC(sbi), (main_count - resv_count)); + + /* give warm/cold data area from slower device */ +- if (sbi->s_ndevs && sbi->segs_per_sec == 1) ++ if (f2fs_is_multi_device(sbi) && sbi->segs_per_sec == 1) + SIT_I(sbi)->last_victim[ALLOC_NEXT] = + GET_SEGNO(sbi, FDEV(0).end_blk) + 1; + } +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -495,7 +495,7 @@ static int submit_flush_wait(struct f2fs + int ret = __submit_flush_wait(sbi, sbi->sb->s_bdev); + int i; + +- if (!sbi->s_ndevs || ret) ++ if (!f2fs_is_multi_device(sbi) || ret) + return ret; + + for (i = 1; i < sbi->s_ndevs; i++) { +@@ -1050,7 +1050,7 @@ static int __queue_discard_cmd(struct f2 + + trace_f2fs_queue_discard(bdev, blkstart, blklen); + +- if (sbi->s_ndevs) { ++ if (f2fs_is_multi_device(sbi)) { + int devi = f2fs_target_device_index(sbi, blkstart); + + blkstart -= FDEV(devi).start_blk; +@@ -1283,7 +1283,7 @@ static int __f2fs_issue_discard_zone(str + block_t lblkstart = blkstart; + int devi = 0; + +- if (sbi->s_ndevs) { ++ if (f2fs_is_multi_device(sbi)) { + devi = f2fs_target_device_index(sbi, blkstart); + blkstart -= FDEV(devi).start_blk; + } diff --git a/queue-4.14/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id.patch b/queue-4.14/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id.patch new file mode 100644 index 00000000000..d7330b1156e --- /dev/null +++ b/queue-4.14/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id.patch @@ -0,0 +1,43 @@ +From c9bcd3e3335d0a29d89fabd2c385e1b989e6f1b0 Mon Sep 17 00:00:00 2001 +From: "Suthikulpanit, Suravee" +Date: Tue, 14 May 2019 15:49:52 +0000 +Subject: kvm: svm/avic: fix off-by-one in checking host APIC ID + +From: Suthikulpanit, Suravee + +commit c9bcd3e3335d0a29d89fabd2c385e1b989e6f1b0 upstream. + +Current logic does not allow VCPU to be loaded onto CPU with +APIC ID 255. This should be allowed since the host physical APIC ID +field in the AVIC Physical APIC table entry is an 8-bit value, +and APIC ID 255 is valid in system with x2APIC enabled. +Instead, do not allow VCPU load if the host APIC ID cannot be +represented by an 8-bit value. + +Also, use the more appropriate AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK +instead of AVIC_MAX_PHYSICAL_ID_COUNT. + +Signed-off-by: Suravee Suthikulpanit +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1567,7 +1567,11 @@ static void avic_vcpu_load(struct kvm_vc + if (!kvm_vcpu_apicv_active(vcpu)) + return; + +- if (WARN_ON(h_physical_id >= AVIC_MAX_PHYSICAL_ID_COUNT)) ++ /* ++ * Since the host physical APIC id is 8 bits, ++ * we can support host APIC ID upto 255. ++ */ ++ if (WARN_ON(h_physical_id > AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK)) + return; + + entry = READ_ONCE(*(svm->avic_physical_id_cache)); diff --git a/queue-4.14/kvm-x86-fix-return-value-for-reserved-efer.patch b/queue-4.14/kvm-x86-fix-return-value-for-reserved-efer.patch new file mode 100644 index 00000000000..11757bcf91c --- /dev/null +++ b/queue-4.14/kvm-x86-fix-return-value-for-reserved-efer.patch @@ -0,0 +1,36 @@ +From 66f61c92889ff3ca365161fb29dd36d6354682ba Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 24 May 2019 21:52:46 +0200 +Subject: KVM: x86: fix return value for reserved EFER + +From: Paolo Bonzini + +commit 66f61c92889ff3ca365161fb29dd36d6354682ba upstream. + +Commit 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for +host-initiated writes", 2019-04-02) introduced a "return false" in a +function returning int, and anyway set_efer has a "nonzero on error" +conventon so it should be returning 1. + +Reported-by: Pavel Machek +Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes") +Cc: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1133,7 +1133,7 @@ static int set_efer(struct kvm_vcpu *vcp + u64 efer = msr_info->data; + + if (efer & efer_reserved_bits) +- return false; ++ return 1; + + if (!msr_info->host_initiated) { + if (!__kvm_valid_efer(vcpu, efer)) diff --git a/queue-4.14/libnvdimm-namespace-fix-label-tracking-error.patch b/queue-4.14/libnvdimm-namespace-fix-label-tracking-error.patch new file mode 100644 index 00000000000..b55f3e964ef --- /dev/null +++ b/queue-4.14/libnvdimm-namespace-fix-label-tracking-error.patch @@ -0,0 +1,159 @@ +From c4703ce11c23423d4b46e3d59aef7979814fd608 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 30 Apr 2019 21:51:21 -0700 +Subject: libnvdimm/namespace: Fix label tracking error + +From: Dan Williams + +commit c4703ce11c23423d4b46e3d59aef7979814fd608 upstream. + +Users have reported intermittent occurrences of DIMM initialization +failures due to duplicate allocations of address capacity detected in +the labels, or errors of the form below, both have the same root cause. + + nd namespace1.4: failed to track label: 0 + WARNING: CPU: 17 PID: 1381 at drivers/nvdimm/label.c:863 + + RIP: 0010:__pmem_label_update+0x56c/0x590 [libnvdimm] + Call Trace: + ? nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm] + nd_pmem_namespace_label_update+0xd6/0x160 [libnvdimm] + uuid_store+0x17e/0x190 [libnvdimm] + kernfs_fop_write+0xf0/0x1a0 + vfs_write+0xb7/0x1b0 + ksys_write+0x57/0xd0 + do_syscall_64+0x60/0x210 + +Unfortunately those reports were typically with a busy parallel +namespace creation / destruction loop making it difficult to see the +components of the bug. However, Jane provided a simple reproducer using +the work-in-progress sub-section implementation. + +When ndctl is reconfiguring a namespace it may take an existing defunct +/ disabled namespace and reconfigure it with a new uuid and other +parameters. Critically namespace_update_uuid() takes existing address +resources and renames them for the new namespace to use / reconfigure as +it sees fit. The bug is that this rename only happens in the resource +tracking tree. Existing labels with the old uuid are not reaped leading +to a scenario where multiple active labels reference the same span of +address range. + +Teach namespace_update_uuid() to flag any references to the old uuid for +reaping at the next label update attempt. + +Cc: +Fixes: bf9bccc14c05 ("libnvdimm: pmem label sets and namespace instantiation") +Link: https://github.com/pmem/ndctl/issues/91 +Reported-by: Jane Chu +Reported-by: Jeff Moyer +Reported-by: Erwin Tsaur +Cc: Johannes Thumshirn +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/nvdimm/label.c | 29 ++++++++++++++++------------- + drivers/nvdimm/namespace_devs.c | 15 +++++++++++++++ + drivers/nvdimm/nd.h | 4 ++++ + 3 files changed, 35 insertions(+), 13 deletions(-) + +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -614,6 +614,17 @@ static const guid_t *to_abstraction_guid + return &guid_null; + } + ++static void reap_victim(struct nd_mapping *nd_mapping, ++ struct nd_label_ent *victim) ++{ ++ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); ++ u32 slot = to_slot(ndd, victim->label); ++ ++ dev_dbg(ndd->dev, "free: %d\n", slot); ++ nd_label_free_slot(ndd, slot); ++ victim->label = NULL; ++} ++ + static int __pmem_label_update(struct nd_region *nd_region, + struct nd_mapping *nd_mapping, struct nd_namespace_pmem *nspm, + int pos, unsigned long flags) +@@ -621,9 +632,9 @@ static int __pmem_label_update(struct nd + struct nd_namespace_common *ndns = &nspm->nsio.common; + struct nd_interleave_set *nd_set = nd_region->nd_set; + struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); +- struct nd_label_ent *label_ent, *victim = NULL; + struct nd_namespace_label *nd_label; + struct nd_namespace_index *nsindex; ++ struct nd_label_ent *label_ent; + struct nd_label_id label_id; + struct resource *res; + unsigned long *free; +@@ -692,18 +703,10 @@ static int __pmem_label_update(struct nd + list_for_each_entry(label_ent, &nd_mapping->labels, list) { + if (!label_ent->label) + continue; +- if (memcmp(nspm->uuid, label_ent->label->uuid, +- NSLABEL_UUID_LEN) != 0) +- continue; +- victim = label_ent; +- list_move_tail(&victim->list, &nd_mapping->labels); +- break; +- } +- if (victim) { +- dev_dbg(ndd->dev, "%s: free: %d\n", __func__, slot); +- slot = to_slot(ndd, victim->label); +- nd_label_free_slot(ndd, slot); +- victim->label = NULL; ++ if (test_and_clear_bit(ND_LABEL_REAP, &label_ent->flags) ++ || memcmp(nspm->uuid, label_ent->label->uuid, ++ NSLABEL_UUID_LEN) == 0) ++ reap_victim(nd_mapping, label_ent); + } + + /* update index */ +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1229,12 +1229,27 @@ static int namespace_update_uuid(struct + for (i = 0; i < nd_region->ndr_mappings; i++) { + struct nd_mapping *nd_mapping = &nd_region->mapping[i]; + struct nvdimm_drvdata *ndd = to_ndd(nd_mapping); ++ struct nd_label_ent *label_ent; + struct resource *res; + + for_each_dpa_resource(ndd, res) + if (strcmp(res->name, old_label_id.id) == 0) + sprintf((void *) res->name, "%s", + new_label_id.id); ++ ++ mutex_lock(&nd_mapping->lock); ++ list_for_each_entry(label_ent, &nd_mapping->labels, list) { ++ struct nd_namespace_label *nd_label = label_ent->label; ++ struct nd_label_id label_id; ++ ++ if (!nd_label) ++ continue; ++ nd_label_gen_id(&label_id, nd_label->uuid, ++ __le32_to_cpu(nd_label->flags)); ++ if (strcmp(old_label_id.id, label_id.id) == 0) ++ set_bit(ND_LABEL_REAP, &label_ent->flags); ++ } ++ mutex_unlock(&nd_mapping->lock); + } + kfree(*old_uuid); + out: +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -120,8 +120,12 @@ struct nd_percpu_lane { + spinlock_t lock; + }; + ++enum nd_label_flags { ++ ND_LABEL_REAP, ++}; + struct nd_label_ent { + struct list_head list; ++ unsigned long flags; + struct nd_namespace_label *label; + }; + diff --git a/queue-4.14/libnvdimm-pmem-bypass-config_hardened_usercopy-overhead.patch b/queue-4.14/libnvdimm-pmem-bypass-config_hardened_usercopy-overhead.patch new file mode 100644 index 00000000000..02ac7b2d21a --- /dev/null +++ b/queue-4.14/libnvdimm-pmem-bypass-config_hardened_usercopy-overhead.patch @@ -0,0 +1,72 @@ +From 52f476a323f9efc959be1c890d0cdcf12e1582e0 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 16 May 2019 17:05:21 -0700 +Subject: libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead + +From: Dan Williams + +commit 52f476a323f9efc959be1c890d0cdcf12e1582e0 upstream. + +Jeff discovered that performance improves from ~375K iops to ~519K iops +on a simple psync-write fio workload when moving the location of 'struct +page' from the default PMEM location to DRAM. This result is surprising +because the expectation is that 'struct page' for dax is only needed for +third party references to dax mappings. For example, a dax-mapped buffer +passed to another system call for direct-I/O requires 'struct page' for +sending the request down the driver stack and pinning the page. There is +no usage of 'struct page' for first party access to a file via +read(2)/write(2) and friends. + +However, this "no page needed" expectation is violated by +CONFIG_HARDENED_USERCOPY and the check_copy_size() performed in +copy_from_iter_full_nocache() and copy_to_iter_mcsafe(). The +check_heap_object() helper routine assumes the buffer is backed by a +slab allocator (DRAM) page and applies some checks. Those checks are +invalid, dax pages do not originate from the slab, and redundant, +dax_iomap_actor() has already validated that the I/O is within bounds. +Specifically that routine validates that the logical file offset is +within bounds of the file, then it does a sector-to-pfn translation +which validates that the physical mapping is within bounds of the block +device. + +Bypass additional hardened usercopy overhead and call the 'no check' +versions of the copy_{to,from}_iter operations directly. + +Fixes: 0aed55af8834 ("x86, uaccess: introduce copy_from_iter_flushcache...") +Cc: +Cc: Jeff Moyer +Cc: Ingo Molnar +Cc: Christoph Hellwig +Cc: Al Viro +Cc: Thomas Gleixner +Cc: Matthew Wilcox +Reported-and-tested-by: Jeff Smits +Acked-by: Kees Cook +Acked-by: Jan Kara +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/pmem.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/nvdimm/pmem.c ++++ b/drivers/nvdimm/pmem.c +@@ -256,10 +256,16 @@ static long pmem_dax_direct_access(struc + return __pmem_direct_access(pmem, pgoff, nr_pages, kaddr, pfn); + } + ++/* ++ * Use the 'no check' versions of copy_from_iter_flushcache() and ++ * copy_to_iter_mcsafe() to bypass HARDENED_USERCOPY overhead. Bounds ++ * checking, both file offset and device offset, is handled by ++ * dax_iomap_actor() ++ */ + static size_t pmem_copy_from_iter(struct dax_device *dax_dev, pgoff_t pgoff, + void *addr, size_t bytes, struct iov_iter *i) + { +- return copy_from_iter_flushcache(addr, bytes, i); ++ return _copy_from_iter_flushcache(addr, bytes, i); + } + + static const struct dax_operations pmem_dax_ops = { diff --git a/queue-4.14/mmc-sdhci-iproc-cygnus-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch b/queue-4.14/mmc-sdhci-iproc-cygnus-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch new file mode 100644 index 00000000000..9e815681f6e --- /dev/null +++ b/queue-4.14/mmc-sdhci-iproc-cygnus-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch @@ -0,0 +1,46 @@ +From b7dfa695afc40d5396ed84b9f25aa3754de23e39 Mon Sep 17 00:00:00 2001 +From: Trac Hoang +Date: Thu, 9 May 2019 10:24:26 -0700 +Subject: mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold time problem + +From: Trac Hoang + +commit b7dfa695afc40d5396ed84b9f25aa3754de23e39 upstream. + +The iproc host eMMC/SD controller hold time does not meet the +specification in the HS50 mode. This problem can be mitigated +by disabling the HISPD bit; thus forcing the controller output +data to be driven on the falling clock edges rather than the +rising clock edges. + +This change applies only to the Cygnus platform. + +Stable tag (v4.12+) chosen to assist stable kernel maintainers so that +the change does not produce merge conflicts backporting to older kernel +versions. In reality, the timing bug existed since the driver was first +introduced but there is no need for this driver to be supported in kernel +versions that old. + +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Trac Hoang +Signed-off-by: Scott Branden +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-iproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -185,7 +185,8 @@ static const struct sdhci_ops sdhci_ipro + }; + + static const struct sdhci_pltfm_data sdhci_iproc_cygnus_pltfm_data = { +- .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK, ++ .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK | ++ SDHCI_QUIRK_NO_HISPD_BIT, + .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN | SDHCI_QUIRK2_HOST_OFF_CARD_ON, + .ops = &sdhci_iproc_32only_ops, + }; diff --git a/queue-4.14/mmc-sdhci-iproc-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch b/queue-4.14/mmc-sdhci-iproc-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch new file mode 100644 index 00000000000..6ce7d1739b7 --- /dev/null +++ b/queue-4.14/mmc-sdhci-iproc-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch @@ -0,0 +1,44 @@ +From ec0970e0a1b2c807c908d459641a9f9a1be3e130 Mon Sep 17 00:00:00 2001 +From: Trac Hoang +Date: Thu, 9 May 2019 10:24:27 -0700 +Subject: mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem + +From: Trac Hoang + +commit ec0970e0a1b2c807c908d459641a9f9a1be3e130 upstream. + +The iproc host eMMC/SD controller hold time does not meet the +specification in the HS50 mode. This problem can be mitigated +by disabling the HISPD bit; thus forcing the controller output +data to be driven on the falling clock edges rather than the +rising clock edges. + +Stable tag (v4.12+) chosen to assist stable kernel maintainers so that +the change does not produce merge conflicts backporting to older kernel +versions. In reality, the timing bug existed since the driver was first +introduced but there is no need for this driver to be supported in kernel +versions that old. + +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Trac Hoang +Signed-off-by: Scott Branden +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-iproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -209,7 +209,8 @@ static const struct sdhci_iproc_data ipr + + static const struct sdhci_pltfm_data sdhci_iproc_pltfm_data = { + .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK | +- SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, ++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 | ++ SDHCI_QUIRK_NO_HISPD_BIT, + .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN, + .ops = &sdhci_iproc_ops, + }; diff --git a/queue-4.14/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch b/queue-4.14/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch new file mode 100644 index 00000000000..38de869dd1b --- /dev/null +++ b/queue-4.14/revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch @@ -0,0 +1,51 @@ +From 8acf608e602f6ec38b7cc37b04c80f1ce9a1a6cc Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Mon, 20 May 2019 10:57:18 -0400 +Subject: Revert "scsi: sd: Keep disk read-only when re-reading partition" + +From: Martin K. Petersen + +commit 8acf608e602f6ec38b7cc37b04c80f1ce9a1a6cc upstream. + +This reverts commit 20bd1d026aacc5399464f8328f305985c493cde3. + +This patch introduced regressions for devices that come online in +read-only state and subsequently switch to read-write. + +Given how the partition code is currently implemented it is not +possible to persist the read-only flag across a device revalidate +call. This may need to get addressed in the future since it is common +for user applications to proactively call BLKRRPART. + +Reverting this commit will re-introduce a regression where a +device-initiated revalidate event will cause the admin state to be +forgotten. A separate patch will address this issue. + +Fixes: 20bd1d026aac ("scsi: sd: Keep disk read-only when re-reading partition") +Cc: +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2616,7 +2616,6 @@ sd_read_write_protect_flag(struct scsi_d + int res; + struct scsi_device *sdp = sdkp->device; + struct scsi_mode_data data; +- int disk_ro = get_disk_ro(sdkp->disk); + int old_wp = sdkp->write_prot; + + set_disk_ro(sdkp->disk, 0); +@@ -2657,7 +2656,7 @@ sd_read_write_protect_flag(struct scsi_d + "Test WP failed, assume Write Enabled\n"); + } else { + sdkp->write_prot = ((data.device_specific & 0x80) != 0); +- set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro); ++ set_disk_ro(sdkp->disk, sdkp->write_prot); + if (sdkp->first_scan || old_wp != sdkp->write_prot) { + sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n", + sdkp->write_prot ? "on" : "off"); diff --git a/queue-4.14/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-4.14/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch new file mode 100644 index 00000000000..f3e8c58039b --- /dev/null +++ b/queue-4.14/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch @@ -0,0 +1,44 @@ +From a0934fd2b1208458e55fc4b48f55889809fce666 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Mon, 20 May 2019 19:23:57 +0200 +Subject: sbitmap: fix improper use of smp_mb__before_atomic() + +From: Andrea Parri + +commit a0934fd2b1208458e55fc4b48f55889809fce666 upstream. + +This barrier only applies to the read-modify-write operations; in +particular, it does not apply to the atomic_set() primitive. + +Replace the barrier with an smp_mb(). + +Fixes: 6c0ca7ae292ad ("sbitmap: fix wakeup hang after sbq resize") +Cc: stable@vger.kernel.org +Reported-by: "Paul E. McKenney" +Reported-by: Peter Zijlstra +Signed-off-by: Andrea Parri +Reviewed-by: Ming Lei +Cc: Jens Axboe +Cc: Omar Sandoval +Cc: Ming Lei +Cc: linux-block@vger.kernel.org +Cc: "Paul E. McKenney" +Cc: Peter Zijlstra +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + lib/sbitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -338,7 +338,7 @@ void sbitmap_queue_resize(struct sbitmap + * Pairs with the memory barrier in sbq_wake_up() to ensure that + * the batch size is updated before the wait counts. + */ +- smp_mb__before_atomic(); ++ smp_mb(); + for (i = 0; i < SBQ_WAIT_QUEUES; i++) + atomic_set(&sbq->ws[i].wait_cnt, 1); + } diff --git a/queue-4.14/series b/queue-4.14/series index 7f28ec916e3..c38d8a8758c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,2 +1,13 @@ x86-hide-the-int3_emulate_call-jmp-functions-from-uml.patch ext4-do-not-delete-unlinked-inode-from-orphan-list-on-failed-truncate.patch +f2fs-fix-use-of-number-of-devices.patch +kvm-x86-fix-return-value-for-reserved-efer.patch +bio-fix-improper-use-of-smp_mb__before_atomic.patch +sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch +revert-scsi-sd-keep-disk-read-only-when-re-reading-partition.patch +crypto-vmx-ctr-always-increment-iv-as-quadword.patch +mmc-sdhci-iproc-cygnus-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch +mmc-sdhci-iproc-set-no_hispd-bit-to-fix-hs50-data-hold-time-problem.patch +kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id.patch +libnvdimm-pmem-bypass-config_hardened_usercopy-overhead.patch +libnvdimm-namespace-fix-label-tracking-error.patch