From: Greg Kroah-Hartman Date: Sun, 27 May 2018 15:58:49 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.111~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=797f1b5b11327206847fdc392f931d8b9c224127;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch alsa-hda-use-is_reachable-for-dependency-on-input.patch alsa-vmaster-propagate-slave-error.patch arc-fix-malformed-arc_emul_unaligned-default.patch arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch arm-dts-ls1021a-specify-tbipa-register-address.patch arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch arm-dts-porter-fix-hdmi-output-routing.patch arm-dts-socfpga-fix-gic-ppi-warning.patch arm-omap-fix-dmtimer-init-for-omap1.patch arm-omap1-clock-fix-debugfs_create_-usage.patch arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch arm-omap3-fix-prm-wake-interrupt-for-resume.patch arm-orion5x-revert-commit-4904dbda41c8.patch arm64-dts-qcom-fix-spi5-config-on-msm8996.patch arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch arm64-relax-arm_smccc_arch_workaround_1-discovery.patch arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch asm-generic-provide-generic_pmdp_establish.patch ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch 
batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch batman-adv-fix-netlink-dumping-of-bla-backbones.patch batman-adv-fix-netlink-dumping-of-bla-claims.patch batman-adv-fix-packet-checksum-in-receive-path.patch batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch batman-adv-invalidate-checksum-on-fragment-reassembly.patch bcache-fix-for-allocator-and-register-thread-race.patch bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch bcache-properly-set-task-state-in-bch_writeback_thread.patch bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch bcache-return-attach-error-when-no-cache-set-exist.patch bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch bpf-fix-rlimit-in-reuseport-net-selftest.patch bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch brcmfmac-fix-check-for-iso3166-code.patch btrfs-bail-out-on-error-during-replay_dir_deletes.patch btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch btrfs-fix-copy_items-return-value-when-logging-an-inode.patch btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch btrfs-fix-null-pointer-dereference-in-log_dir_items.patch btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch btrfs-fix-possible-softlock-on-single-core-machines.patch btrfs-fix-scrub-to-repair-raid6-corruption.patch btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch btrfs-set-plug-for-fsync.patch btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch builddeb-fix-header-package-regarding-dtc-source-links.patch cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch 
cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch cpufreq-reorder-cpufreq_online-error-code-path.patch cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch cxgb4-fix-queue-free-path-of-uld-drivers.patch cxgb4-setup-fw-queues-before-registering-netdev.patch device-property-define-type-of-property_enrty_-macros.patch dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch drm-exynos-g2d-use-monotonic-timestamps.patch drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch drm-sun4i-fix-dclk_set_phase.patch e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch e1000e-fix-check_for_link-return-value-with-autoneg-off.patch enic-enable-rq-before-updating-rq-descriptors.patch f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch 
firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch fm10k-fix-failed-to-kill-vid-message-for-vf.patch force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch fs-dcache-use-read_once-when-accessing-i_dir_seq.patch fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch gfs2-fix-fallocate-chunk-size.patch gianfar-fix-rx-byte-accounting-for-ndev-stats.patch gianfar-prevent-integer-wrapping-in-the-rx-handler.patch hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch hwmon-nct6775-fix-writing-pwmx_mode.patch hwmon-pmbus-adm1275-accept-negative-page-register-values.patch hwmon-pmbus-max8688-accept-negative-page-register-values.patch hwrng-stm32-add-reset-during-probe.patch i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch ia64-err-inject-use-get_user_pages_fast.patch ib-core-fix-possible-crash-to-access-null-netdev.patch ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch ib-ipoib-fix-for-potential-no-carrier-state.patch ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch ima-fallback-to-the-builtin-hash-algorithm.patch input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch integrity-security-fix-digsig.c-build-error-with-header-file.patch iommu-vt-d-use-domain-instead-of-cache-fetching.patch ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch 
irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch irqchip-gic-v3-ignore-disabled-its-nodes.patch iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch iwlwifi-mvm-fix-security-bug-in-pn-checking.patch iwlwifi-mvm-fix-tx-of-ccmp-256.patch jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch kconfig-don-t-leak-main-menus-during-parsing.patch kconfig-fix-automatic-menu-creation-mem-leak.patch kconfig-fix-expr_free-e_not-leak.patch kdb-make-mdr-command-repeat.patch kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch libata-fix-compile-warning-with-ata_debug-enabled.patch llc-properly-handle-dev_queue_xmit-return-value.patch locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch mac80211-do-not-disconnect-on-invalid-operating-class.patch mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch mac80211-fix-a-possible-leak-of-station-stats.patch mac80211-fix-calling-sleeping-function-in-atomic-context.patch mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch macsec-missing-dev_put-on-error-in-macsec_newlink.patch macvlan-fix-use-after-free-in-macvlan_common_newlink.patch md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch 
md-raid1-fix-null-pointer-dereference.patch md-raid10-fix-null-deference-in-handle_write_completed.patch md-raid5-avoid-string-overflow-warning.patch microblaze-switch-to-no_bootmem.patch mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch mips-generic-fix-machine-compatible-matching.patch mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch mips-txx9-use-is_builtin-for-config_leds_class.patch mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch mm-ksm-fix-interaction-with-thp.patch mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch mm-mempolicy-fix-the-check-of-nodemask-from-user.patch mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch mm-thp-do-not-cause-memcg-oom-for-thp.patch mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch net-fix-untag-for-vlan-packets-without-ethernet-header.patch net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch net-mlx5-protect-from-command-bit-overflow.patch net-mvneta-fix-enable-of-all-initialized-rxqs.patch net-qcom-emac-use-proper-free-methods-during-tx.patch net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch net-smsc911x-fix-unload-crash-when-link-is-up.patch net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch net-tcp-illinois-replace-broken-algorithm-reference-link.patch netfilter-ebtables-convert-bug_ons-to-warn_ons.patch netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch 
netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch nfc-llcp-limit-size-of-sdp-uri.patch nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch ntb_transport-fix-bug-with-max_mw_size-parameter.patch nvme-don-t-send-keep-alives-to-the-discovery-controller.patch nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch nvmet-fix-psdt-field-check-in-command-format.patch ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch perf-callchain-fix-attr.sample_max_stack-setting.patch perf-cgroup-fix-child-event-counting-bug.patch perf-core-fix-perf_output_read_group.patch perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch perf-stat-fix-core-dump-when-flag-t-is-used.patch perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch perf-top-fix-top.call-graph-config-option-reading.patch perf-x86-intel-fix-event-update-for-auto-reload.patch perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch pinctrl-msm-use-dynamic-gpio-numbering.patch 
pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch pkcs-7-fix-direct-verification-of-signerinfo-signature.patch powerpc-add-missing-prototype-for-arch_irq_work_raise.patch powerpc-boot-fix-random-libfdt-related-build-errors.patch powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch powerpc-numa-ensure-nodes-initialized-for-hotplug.patch powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch proc-fix-proc-map_files-lookup.patch ptr_ring-prevent-integer-overflow-when-calculating-size.patch qrtr-add-module_alias-macro-to-smd.patch r8152-fix-tx-packets-accounting.patch rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch rdma-qedr-fix-qp-s-ack-timeout-configuration.patch rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch rdma-ucma-correct-option-size-check-using-optlen.patch rds-ib-fix-null-pointer-issue.patch regmap-correct-comparison-in-regmap_cached.patch regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch regulatory-add-nul-to-request-alpha2.patch rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch rxrpc-work-around-usercopy-check.patch s390-cio-clear-timer-when-terminating-driver-i-o.patch s390-cio-fix-ccw_device_start_timeout-api.patch s390-cio-fix-return-code-after-missing-interrupt.patch sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch selftests-ftrace-add-a-testcase-for-probepoint.patch 
selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch selftests-ftrace-add-probe-event-argument-syntax-testcase.patch selftests-memfd-add-config-fragment-for-fuse.patch selftests-net-fixes-psock_fanout-ebpf-test-case.patch selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch selftests-print-the-test-we-re-running-to-dev-kmsg.patch selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch sit-fix-ifla_mtu-ignored-on-newlink.patch smsc75xx-fix-smsc75xx_set_features.patch soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch spi-bcm-qspi-fix-some-error-handling-paths.patch sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch sunvnet-does-not-support-gso-for-sctp.patch swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch tools-thermal-tmon-fix-for-segfault.patch tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch udf-provide-saner-default-for-invalid-uid-gid.patch vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch vti4-don-t-count-header-length-twice-on-tunnel-setup.patch vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch watchdog-f71808e_wdt-fix-magic-close-handling.patch watchdog-sbsa-use-32-bit-read-for-wcv.patch watchdog-sp5100_tco-fix-watchdog-disable-bit.patch workqueue-use-put_device-instead-of-kfree.patch 
x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch x86-devicetree-fix-device-irq-settings-in-dt.patch x86-devicetree-initialize-device-tree-before-using-it.patch x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch x86-power-fix-swsusp_arch_resume-prototype.patch x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch x86-tsc-allow-tsc-calibration-without-pit.patch xen-acpi-off-by-one-in-read_acpi_id.patch xen-grant-table-use-put_page-instead-of-free_page.patch xen-netfront-fix-race-between-device-setup-and-open.patch xen-pirq-fix-error-path-cleanup-when-binding-msis.patch xen-xenbus-use-put_device-instead-of-kfree.patch zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
---
diff --git a/queue-4.9/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch b/queue-4.9/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch
new file mode 100644
index 00000000000..9f0140ff7ab
--- /dev/null
+++ b/queue-4.9/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Lenny Szubowicz
+Date: Tue, 27 Mar 2018 09:56:40 -0400
+Subject: ACPI: acpi_pad: Fix memory leak in power saving threads
+
+From: Lenny Szubowicz
+
+[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ]
+
+Fix once per second (round_robin_time) memory leak of about 1 KB in
+each acpi_pad kernel idling thread that is activated.
+
+Found by testing with kmemleak.
+
+Signed-off-by: Lenny Szubowicz
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_pad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -109,6 +109,7 @@ static void round_robin_cpu(unsigned int
+ cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
+ if (cpumask_empty(tmp)) {
+ mutex_unlock(&round_robin_lock);
++ free_cpumask_var(tmp);
+ return;
+ }
+ for_each_cpu(cpu, tmp) {
+@@ -126,6 +127,8 @@ static void round_robin_cpu(unsigned int
+ mutex_unlock(&round_robin_lock);
+
+ set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
++
++ free_cpumask_var(tmp);
+ }
+
+ static void exit_round_robin(unsigned int tsk_index)
diff --git a/queue-4.9/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch b/queue-4.9/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch
new file mode 100644
index 00000000000..651cc4193f2
--- /dev/null
+++ b/queue-4.9/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch
@@ -0,0 +1,99 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Chen Yu
+Date: Mon, 29 Jan 2018 10:26:46 +0800
+Subject: ACPI: processor_perflib: Do not send _PPC change notification if not ready
+
+From: Chen Yu
+
+[ Upstream commit ba1edb9a5125a617d612f98eead14b9b84e75c3a ]
+
+The following warning was triggered after resumed from S3 -
+if all the nonboot CPUs were put offline before suspend:
+
+[ 1840.329515] unchecked MSR access error: RDMSR from 0x771 at rIP: 0xffffffff86061e3a (native_read_msr+0xa/0x30)
+[ 1840.329516] Call Trace:
+[ 1840.329521] __rdmsr_on_cpu+0x33/0x50
+[ 1840.329525] generic_exec_single+0x81/0xb0
+[ 1840.329527] smp_call_function_single+0xd2/0x100
+[ 1840.329530] ? acpi_ds_result_pop+0xdd/0xf2
+[ 1840.329532] ? acpi_ds_create_operand+0x215/0x23c
+[ 1840.329534] rdmsrl_on_cpu+0x57/0x80
+[ 1840.329536] ? cpumask_next+0x1b/0x20
+[ 1840.329538] ? rdmsrl_on_cpu+0x57/0x80
+[ 1840.329541] intel_pstate_update_perf_limits+0xf3/0x220
+[ 1840.329544] ? notifier_call_chain+0x4a/0x70
+[ 1840.329546] intel_pstate_set_policy+0x4e/0x150
+[ 1840.329548] cpufreq_set_policy+0xcd/0x2f0
+[ 1840.329550] cpufreq_update_policy+0xb2/0x130
+[ 1840.329552] ? cpufreq_update_policy+0x130/0x130
+[ 1840.329556] acpi_processor_ppc_has_changed+0x65/0x80
+[ 1840.329558] acpi_processor_notify+0x80/0x100
+[ 1840.329561] acpi_ev_notify_dispatch+0x44/0x5c
+[ 1840.329563] acpi_os_execute_deferred+0x14/0x20
+[ 1840.329565] process_one_work+0x193/0x3c0
+[ 1840.329567] worker_thread+0x35/0x3b0
+[ 1840.329569] kthread+0x125/0x140
+[ 1840.329571] ? process_one_work+0x3c0/0x3c0
+[ 1840.329572] ? kthread_park+0x60/0x60
+[ 1840.329575] ? do_syscall_64+0x67/0x180
+[ 1840.329577] ret_from_fork+0x25/0x30
+[ 1840.329585] unchecked MSR access error: WRMSR to 0x774 (tried to write 0x0000000000000000) at rIP: 0xffffffff86061f78 (native_write_msr+0x8/0x30)
+[ 1840.329586] Call Trace:
+[ 1840.329587] __wrmsr_on_cpu+0x37/0x40
+[ 1840.329589] generic_exec_single+0x81/0xb0
+[ 1840.329592] smp_call_function_single+0xd2/0x100
+[ 1840.329594] ? acpi_ds_create_operand+0x215/0x23c
+[ 1840.329595] ? cpumask_next+0x1b/0x20
+[ 1840.329597] wrmsrl_on_cpu+0x57/0x70
+[ 1840.329598] ? rdmsrl_on_cpu+0x57/0x80
+[ 1840.329599] ? wrmsrl_on_cpu+0x57/0x70
+[ 1840.329602] intel_pstate_hwp_set+0xd3/0x150
+[ 1840.329604] intel_pstate_set_policy+0x119/0x150
+[ 1840.329606] cpufreq_set_policy+0xcd/0x2f0
+[ 1840.329607] cpufreq_update_policy+0xb2/0x130
+[ 1840.329610] ? cpufreq_update_policy+0x130/0x130
+[ 1840.329613] acpi_processor_ppc_has_changed+0x65/0x80
+[ 1840.329615] acpi_processor_notify+0x80/0x100
+[ 1840.329617] acpi_ev_notify_dispatch+0x44/0x5c
+[ 1840.329619] acpi_os_execute_deferred+0x14/0x20
+[ 1840.329620] process_one_work+0x193/0x3c0
+[ 1840.329622] worker_thread+0x35/0x3b0
+[ 1840.329624] kthread+0x125/0x140
+[ 1840.329625] ? process_one_work+0x3c0/0x3c0
+[ 1840.329626] ? kthread_park+0x60/0x60
+[ 1840.329628] ? do_syscall_64+0x67/0x180
+[ 1840.329631] ret_from_fork+0x25/0x30
+
+This is because if there's only one online CPU, the MSR_PM_ENABLE
+(package wide)can not be enabled after resumed, due to
+intel_pstate_hwp_enable() will only be invoked on AP's online
+process after resumed - if there's no AP online, the HWP remains
+disabled after resumed (BIOS has disabled it in S3). Then if
+there comes a _PPC change notification which touches HWP register
+during this stage, the warning is triggered.
+
+Since we don't call acpi_processor_register_performance() when
+HWP is enabled, the pr->performance will be NULL. When this is
+NULL we don't need to do _PPC change notification.
+
+Reported-by: Doug Smythies
+Suggested-by: Srinivas Pandruvada
+Signed-off-by: Yu Chen
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/processor_perflib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/processor_perflib.c
++++ b/drivers/acpi/processor_perflib.c
+@@ -161,7 +161,7 @@ int acpi_processor_ppc_has_changed(struc
+ {
+ int ret;
+
+- if (ignore_ppc) {
++ if (ignore_ppc || !pr->performance) {
+ /*
+ * Only when it is notification event, the _OST object
+ * will be evaluated. Otherwise it is skipped.
diff --git a/queue-4.9/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch b/queue-4.9/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch
new file mode 100644
index 00000000000..98f745b7bf1
--- /dev/null
+++ b/queue-4.9/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch
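Review bot: The widened test `if (ignore_ppc || !pr->performance)` in acpi_processor_ppc_has_changed() has no comment explaining the new case, and the block comment inside the branch still only describes when _OST is evaluated. A short comment above the test, for example `/* pr->performance is NULL when acpi_processor_register_performance() was not called (e.g. HWP enabled); skip the _PPC notification */`, would keep the reason from living only in the commit description. The test also dereferences `pr` directly and the hunk shows no NULL check on it; that is presumably guaranteed by the callers, which is worth confirming because the function's signature and the rest of its body are outside this hunk.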
@@ -0,0 +1,91 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Hans de Goede
+Date: Fri, 26 Jan 2018 16:02:59 +0100
+Subject: ACPI / scan: Use acpi_bus_get_status() to initialize ACPI_TYPE_DEVICE devs
+
+From: Hans de Goede
+
+[ Upstream commit 63347db0affadcbccd5613116ea8431c70139b3e ]
+
+The acpi_get_bus_status wrapper for acpi_bus_get_status_handle has some
+code to handle certain device quirks, in some cases we also need this
+quirk handling for the initial _STA call.
+
+Specifically on some devices calling _STA before all _DEP dependencies
+are met results in errors like these:
+
+[ 0.123579] ACPI Error: No handler for Region [ECRM] (00000000ba9edc4c)
+ [GenericSerialBus] (20170831/evregion-166)
+[ 0.123601] ACPI Error: Region GenericSerialBus (ID=9) has no handler
+ (20170831/exfldio-299)
+[ 0.123618] ACPI Error: Method parse/execution failed
+ \_SB.I2C1.BAT1._STA, AE_NOT_EXIST (20170831/psparse-550)
+
+acpi_get_bus_status already has code to avoid this, so by using it we
+also silence these errors from the initial _STA call.
+
+Note that in order for the acpi_get_bus_status handling for this to work,
+we initialize dep_unmet to 1 until acpi_device_dep_initialize gets called,
+this means that battery devices will be instantiated with an initial
+status of 0. This is not a problem, acpi_bus_attach will get called soon
+after the instantiation anyways and it will update the status as first
+point of order.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/scan.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1422,6 +1422,8 @@ void acpi_init_device_object(struct acpi
+ device_initialize(&device->dev);
+ dev_set_uevent_suppress(&device->dev, true);
+ acpi_init_coherency(device);
++ /* Assume there are unmet deps until acpi_device_dep_initialize() runs */
++ device->dep_unmet = 1;
+ }
+
+ void acpi_device_add_finalize(struct acpi_device *device)
+@@ -1445,6 +1447,14 @@ static int acpi_add_single_object(struct
+ }
+
+ acpi_init_device_object(device, handle, type, sta);
++ /*
++ * For ACPI_BUS_TYPE_DEVICE getting the status is delayed till here so
++ * that we can call acpi_bus_get_status() and use its quirk handling.
++ * Note this must be done before the get power-/wakeup_dev-flags calls.
++ */
++ if (type == ACPI_BUS_TYPE_DEVICE)
++ acpi_bus_get_status(device);
++
+ acpi_bus_get_power_flags(device);
+ acpi_bus_get_wakeup_device_flags(device);
+
+@@ -1517,9 +1527,11 @@ static int acpi_bus_type_and_status(acpi
+ return -ENODEV;
+
+ *type = ACPI_BUS_TYPE_DEVICE;
+- status = acpi_bus_get_status_handle(handle, sta);
+- if (ACPI_FAILURE(status))
+- *sta = 0;
++ /*
++ * acpi_add_single_object updates this once we've an acpi_device
++ * so that acpi_bus_get_status' quirk handling can be used.
++ */
++ *sta = 0;
+ break;
+ case ACPI_TYPE_PROCESSOR:
+ *type = ACPI_BUS_TYPE_PROCESSOR;
+@@ -1621,6 +1633,8 @@ static void acpi_device_dep_initialize(s
+ acpi_status status;
+ int i;
+
++ adev->dep_unmet = 0;
++
+ if (!acpi_has_method(adev->handle, "_DEP"))
+ return;
+
diff --git a/queue-4.9/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch b/queue-4.9/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch
new file mode 100644
index 00000000000..aa0b7bc66a3
--- /dev/null
+++ b/queue-4.9/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch 
@@ -0,0 +1,91 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Seunghun Han
+Date: Wed, 14 Mar 2018 16:12:56 -0700
+Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
+
+From: Seunghun Han
+
+[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]
+
+I found an ACPI cache leak in ACPI early termination and boot continuing case.
+
+When early termination occurs due to malicious ACPI table, Linux kernel
+terminates ACPI function and continues to boot process. While kernel terminates
+ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
+
+Boot log of ACPI operand cache leak is as follows:
+>[ 0.464168] ACPI: Added _OSI(Module Device)
+>[ 0.467022] ACPI: Added _OSI(Processor Device)
+>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
+>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
+>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.497683] ACPI: Interpreter enabled
+>[ 0.499385] ACPI: (supports S0)
+>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
+>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
+>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
+>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
+>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
+>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
+>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
+>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
+>[ 0.529668] Call Trace:
+>[ 0.530811] ? dump_stack+0x5c/0x81
+>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
+>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
+>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
+>[ 0.537237] ? acpi_terminate+0xa/0x14
+>[ 0.538701] ? acpi_init+0x2af/0x34f
+>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
+>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
+>[ 0.546202] ? rest_init+0x80/0x80
+>[ 0.547513] ? kernel_init+0xa/0x100
+>[ 0.548817] ? ret_from_fork+0x25/0x30
+>[ 0.550587] vgaarb: loaded
+>[ 0.551716] EDAC MC: Ver: 3.0.0
+>[ 0.553744] PCI: Probing PCI hardware
+>[ 0.555038] PCI host bridge to bus 0000:00
+> ... Continue to boot and log is omitted ...
+
+I analyzed this memory leak in detail and found acpi_ns_evaluate() function
+only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
+occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
+also not null. Therefore, this causes acpi operand memory leak.
+
+This cache leak causes a security threat because an old kernel (<= 4.9) shows
+memory locations of kernel functions in stack dump. Some malicious users
+could use this information to neutralize kernel ASLR.
+
+I made a patch to fix ACPI operand cache leak.
+
+Signed-off-by: Seunghun Han
+Signed-off-by: Erik Schmauss
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpica/nseval.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/acpica/nseval.c
++++ b/drivers/acpi/acpica/nseval.c
+@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi
+ /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
+
+ status = AE_OK;
++ } else if (ACPI_FAILURE(status)) {
++
++ /* If return_object exists, delete it */
++
++ if (info->return_object) {
++ acpi_ut_remove_reference(info->return_object);
++ info->return_object = NULL;
++ }
+ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
diff --git a/queue-4.9/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch b/queue-4.9/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch
new file mode 100644
index 00000000000..63c4ceba9a8
--- /dev/null
+++ b/queue-4.9/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch
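Review bot: The comment on the new failure branch in acpi_ns_evaluate(), `/* If return_object exists, delete it */`, restates the code without recording why the reference must be dropped on this path. The commit description gives the reason: a failed evaluation can still leave info->return_object set, and the Acpi-Operand cache is then reported as holding objects at teardown, with a stack dump that exposes kernel addresses on older kernels. A comment such as `/* A failed evaluation can still leave return_object set; drop the reference so it does not leak */` would carry that into the source. acpi_ns_evaluate() starts and ends outside this hunk, so whether any caller reads info->return_object after a failure cannot be checked from here and is worth confirming for the 4.9 tree.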
@@ -0,0 +1,45 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Erik Schmauss
+Date: Wed, 14 Mar 2018 16:13:08 -0700
+Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read
+
+From: Erik Schmauss
+
+[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ]
+
+This ensures that acpi_ev_fixed_event_detect() does not use fixed_status
+and and fixed_enable as uninitialized variables.
+
+Signed-off-by: Erik Schmauss
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpica/evevent.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpica/evevent.c
++++ b/drivers/acpi/acpica/evevent.c
+@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
+ u32 fixed_status;
+ u32 fixed_enable;
+ u32 i;
++ acpi_status status;
+
+ ACPI_FUNCTION_NAME(ev_fixed_event_detect);
+
+@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
+ * Read the fixed feature status and enable registers, as all the cases
+ * depend on their values. Ignore errors here.
+ */
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
+- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
++ status |=
++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
++ if (ACPI_FAILURE(status)) {
++ return (int_status);
++ }
+
+ ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
+ "Fixed Event Block: Enable %08X Status %08X\n",
diff --git a/queue-4.9/alsa-hda-use-is_reachable-for-dependency-on-input.patch b/queue-4.9/alsa-hda-use-is_reachable-for-dependency-on-input.patch
new file mode 100644
index 00000000000..96d2c498ce6
--- /dev/null
+++ b/queue-4.9/alsa-hda-use-is_reachable-for-dependency-on-input.patch
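Review bot: In the evevent.c change to acpi_ev_fixed_event_detect(), the context comment above the two register reads still ends with "Ignore errors here.", which the added `ACPI_FAILURE(status)` return now contradicts; it should say something like `* depend on their values. Return early if either read fails.` The two results are merged with `status |=`, which ORs two status codes into a value that is only meaningful as zero or non-zero; that is enough for this check, but the merged value should not be logged or returned as an acpi_status. `int_status` is initialised outside the hunk, so the early `return (int_status);` is presumably the "not handled" value, which is worth confirming against the declaration.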
@@ -0,0 +1,60 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: Takashi Iwai +Date: Mon, 15 Jan 2018 10:44:35 +0100 +Subject: ALSA: hda - Use IS_REACHABLE() for dependency on input + +From: Takashi Iwai + +[ Upstream commit c469652bb5e8fb715db7d152f46d33b3740c9b87 ] + +The commit ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek +HD-audio codec") introduced the reverse-selection of CONFIG_INPUT for +Realtek codec in order to avoid the mess with dependency between +built-in and modules. Later on, we obtained IS_REACHABLE() macro +exactly for this kind of problems, and now we can remove th INPUT +selection in Kconfig and put IS_REACHABLE(INPUT) to the appropriate +places in the code, so that the driver doesn't need to select other +subsystem forcibly. + +Fixes: ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek HD-audio codec") +Reported-by: Randy Dunlap +Acked-by: Randy Dunlap # and build-tested +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/Kconfig | 1 - + sound/pci/hda/patch_realtek.c | 5 +++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/Kconfig ++++ b/sound/pci/hda/Kconfig +@@ -88,7 +88,6 @@ config SND_HDA_PATCH_LOADER + config SND_HDA_CODEC_REALTEK + tristate "Build Realtek HD-audio codec support" + select SND_HDA_GENERIC +- select INPUT + help + Say Y or M here to include Realtek HD-audio codec support in + snd-hda-intel driver, such as ALC880. 
+--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3495,6 +3495,7 @@ static void alc280_fixup_hp_gpio4(struct + } + } + ++#if IS_REACHABLE(INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) + { +@@ -3627,6 +3628,10 @@ static void alc233_fixup_lenovo_line2_mi + spec->kb_dev = NULL; + } + } ++#else /* INPUT */ ++#define alc280_fixup_hp_gpio2_mic_hotkey NULL ++#define alc233_fixup_lenovo_line2_mic_hotkey NULL ++#endif /* INPUT */ + + static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) diff --git a/queue-4.9/alsa-vmaster-propagate-slave-error.patch b/queue-4.9/alsa-vmaster-propagate-slave-error.patch new file mode 100644 index 00000000000..cbeec2971a3 --- /dev/null +++ b/queue-4.9/alsa-vmaster-propagate-slave-error.patch 
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Takashi Iwai
+Date: Thu, 8 Mar 2018 08:26:48 +0100
+Subject: ALSA: vmaster: Propagate slave error
+
+From: Takashi Iwai
+
+[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ]
+
+In slave_update() of vmaster code ignores the error from the slave
+get() callback and copies the values. It's not only about the missing
+error code but also that this may potentially lead to a leak of
+uninitialized variables when the slave get() don't clear them.
+
+This patch fixes slave_update() not to copy the potentially
+uninitialized values when an error is returned from the slave get()
+callback, and to propagate the error value properly.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/vmaster.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -68,10 +68,13 @@ static int slave_update(struct link_slav
+ return -ENOMEM;
+ uctl->id = slave->slave.id;
+ err = slave->slave.get(&slave->slave, uctl);
++ if (err < 0)
++ goto error;
+ for (ch = 0; ch < slave->info.count; ch++)
+ slave->vals[ch] = uctl->value.integer.value[ch];
++ error:
+ kfree(uctl);
+- return 0;
++ return err < 0 ? err : 0;
+ }
+
+ /* get the slave ctl info and save the initial values */
diff --git a/queue-4.9/arc-fix-malformed-arc_emul_unaligned-default.patch b/queue-4.9/arc-fix-malformed-arc_emul_unaligned-default.patch
new file mode 100644
index 00000000000..b8e6de75233
--- /dev/null
+++ b/queue-4.9/arc-fix-malformed-arc_emul_unaligned-default.patch
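Review bot: In the vmaster.c change to slave_update(), the copy loop after the new `if (err < 0) goto error;` still assumes that a get() callback returning success has written all `slave->info.count` values. `uctl` is allocated above the hunk; if that allocation does not zero the buffer (not visible here), a callback that returns 0 but fills fewer channels would still copy uninitialised heap into `slave->vals`, so zero-initialising the allocation would cover the case this check cannot. The label `error:` is also the normal exit path, so a neutral name such as `out:` would read more accurately.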
@@ -0,0 +1,38 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ulf Magnusson +Date: Mon, 5 Feb 2018 02:21:31 +0100 +Subject: ARC: Fix malformed ARC_EMUL_UNALIGNED default + +From: Ulf Magnusson + +[ Upstream commit 827cc2fa024dd6517d62de7a44c7b42f32af371b ] + +'default N' should be 'default n', though they happen to have the same +effect here, due to undefined symbols (N in this case) evaluating to n +in a tristate sense. + +Remove the default from ARC_EMUL_UNALIGNED instead of changing it. bool +and tristate symbols implicitly default to n. + +Discovered with the +https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ulfalizer_Kconfiglib_blob_master_examples_list-5Fundefined.py&d=DwIBAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=c14YS-cH-kdhTOW89KozFhBtBJgs1zXscZojEZQ0THs&m=WxxD8ozR7QQUVzNCBksiznaisBGO_crN7PBOvAoju8s&s=1LmxsNqxwT-7wcInVpZ6Z1J27duZKSoyKxHIJclXU_M&e= +script. + +Signed-off-by: Ulf Magnusson +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -495,7 +495,6 @@ config ARC_CURR_IN_REG + + config ARC_EMUL_UNALIGNED + bool "Emulate unaligned memory access (userspace only)" +- default N + select SYSCTL_ARCH_UNALIGN_NO_WARN + select SYSCTL_ARCH_UNALIGN_ALLOW + depends on ISA_ARCOMPACT diff --git a/queue-4.9/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch b/queue-4.9/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch new file mode 100644 index 00000000000..0e611ca893c --- /dev/null +++ b/queue-4.9/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch 
@@ -0,0 +1,89 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jinbum Park +Date: Tue, 6 Mar 2018 01:37:21 +0100 +Subject: ARM: 8748/1: mm: Define vdso_start, vdso_end as array + +From: Jinbum Park + +[ Upstream commit 73b9160d0dfe44dfdaffd6465dc1224c38a4a73c ] + +Define vdso_start, vdso_end as array to avoid compile-time analysis error +for the case of built with CONFIG_FORTIFY_SOURCE. + +and, since vdso_start, vdso_end are used in vdso.c only, +move extern-declaration from vdso.h to vdso.c. + +If kernel is built with CONFIG_FORTIFY_SOURCE, +compile-time error happens at this code. +- if (memcmp(&vdso_start, "177ELF", 4)) + +The size of "&vdso_start" is recognized as 1 byte, but n is 4, +So that compile-time error is reported. + +Acked-by: Kees Cook +Signed-off-by: Jinbum Park +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/vdso.h | 2 -- + arch/arm/kernel/vdso.c | 12 +++++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/arch/arm/include/asm/vdso.h ++++ b/arch/arm/include/asm/vdso.h +@@ -11,8 +11,6 @@ struct mm_struct; + + void arm_install_vdso(struct mm_struct *mm, unsigned long addr); + +-extern char vdso_start, vdso_end; +- + extern unsigned int vdso_total_pages; + + #else /* CONFIG_VDSO */ +--- a/arch/arm/kernel/vdso.c ++++ b/arch/arm/kernel/vdso.c +@@ -39,6 +39,8 @@ + + static struct page **vdso_text_pagelist; + ++extern char vdso_start[], vdso_end[]; ++ + /* Total number of pages needed for the data and text portions of the VDSO. 
*/ + unsigned int vdso_total_pages __ro_after_init; + +@@ -179,13 +181,13 @@ static int __init vdso_init(void) + unsigned int text_pages; + int i; + +- if (memcmp(&vdso_start, "\177ELF", 4)) { ++ if (memcmp(vdso_start, "\177ELF", 4)) { + pr_err("VDSO is not a valid ELF object!\n"); + return -ENOEXEC; + } + +- text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT; +- pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start); ++ text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT; ++ pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start); + + /* Allocate the VDSO text pagelist */ + vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *), +@@ -200,7 +202,7 @@ static int __init vdso_init(void) + for (i = 0; i < text_pages; i++) { + struct page *page; + +- page = virt_to_page(&vdso_start + i * PAGE_SIZE); ++ page = virt_to_page(vdso_start + i * PAGE_SIZE); + vdso_text_pagelist[i] = page; + } + +@@ -211,7 +213,7 @@ static int __init vdso_init(void) + + cntvct_ok = cntvct_functional(); + +- patch_vdso(&vdso_start); ++ patch_vdso(vdso_start); + + return 0; + } diff --git a/queue-4.9/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch b/queue-4.9/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch new file mode 100644 index 00000000000..2574c01491f --- /dev/null +++ b/queue-4.9/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch 
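Review bot: In the vdso.c change, the rewritten `pr_debug` in vdso_init() still formats `text_pages`, declared `unsigned int` in the same hunk, with `%i`; `%u` matches the type: `pr_debug("vdso: %u text pages at base %p\n", text_pages, vdso_start);`. The same call prints the VDSO image address with plain `%p`, which on this kernel series emits the raw pointer; `%pK` would put it under kptr_restrict if the address is meant to stay out of logs. Moving `extern char vdso_start[], vdso_end[];` from the header into vdso.c also means no shared declaration is checked against the definition, so a one-line comment naming where the two symbols are defined would help the next reader.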
@@ -0,0 +1,38 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Stefan Wahren +Date: Fri, 16 Feb 2018 11:55:34 +0100 +Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s + +From: Stefan Wahren + +[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ] + +Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +the bcm2835-i2s requires a clock as DT property. Unfortunately +the necessary DT change has never been applied. While we are at it +also fix the first PCM register range to cover the PCM_GRAY register. + +Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +Signed-off-by: Stefan Wahren +Reviewed-by: Eric Anholt +Tested-by: Matthias Reichl +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -146,8 +146,8 @@ + + i2s: i2s@7e203000 { + compatible = "brcm,bcm2835-i2s"; +- reg = <0x7e203000 0x20>, +- <0x7e101098 0x02>; ++ reg = <0x7e203000 0x24>; ++ clocks = <&clocks BCM2835_CLOCK_PCM>; + + dmas = <&dma 2>, + <&dma 3>; diff --git a/queue-4.9/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch b/queue-4.9/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch new file mode 100644 index 00000000000..71c1ea0a2f4 --- /dev/null +++ b/queue-4.9/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch 
@@ -0,0 +1,87 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Aapo Vienamo +Date: Wed, 31 Jan 2018 14:34:07 +0000 +Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet + +From: Aapo Vienamo + +[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ] + +The missing last digit of the CONFIG values is added. Looks like a typo +of some sort when comparing to the downstream dt. This fixes +intermittent behavior behaviour of the ethernet controllers. + +Signed-off-by: Aapo Vienamo +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts ++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts +@@ -213,37 +213,37 @@ + &iomuxc { + pinctrl_enet1: enet1grp { + fsl,pins = < +- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3 +- MX7D_PAD_SD2_WP__ENET1_MDC 0x3 +- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1 +- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1 +- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1 +- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1 +- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1 +- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1 +- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1 +- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1 +- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1 +- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1 +- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1 +- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1 ++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30 ++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30 ++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11 ++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11 ++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11 ++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11 ++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11 ++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11 ++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11 ++ 
MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11 ++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11 ++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11 ++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11 ++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11 + >; + }; + + pinctrl_enet2: enet2grp { + fsl,pins = < +- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1 +- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1 +- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1 +- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1 +- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1 +- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1 +- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1 +- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1 +- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1 +- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1 +- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1 +- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1 ++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11 ++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11 ++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11 ++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11 ++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11 ++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11 ++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11 ++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11 ++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11 ++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11 ++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11 ++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11 + >; + }; + diff --git a/queue-4.9/arm-dts-ls1021a-specify-tbipa-register-address.patch b/queue-4.9/arm-dts-ls1021a-specify-tbipa-register-address.patch new file mode 100644 index 00000000000..0ce9ff4cb70 --- /dev/null +++ b/queue-4.9/arm-dts-ls1021a-specify-tbipa-register-address.patch 
@@ -0,0 +1,37 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Esben Haabendal +Date: Fri, 6 Apr 2018 14:46:35 +0200 +Subject: ARM: dts: ls1021a: Specify TBIPA register address + +From: Esben Haabendal + +[ Upstream commit 5571196135abb6d51e01592812997403c136067c ] + +The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of +the TBIPA register on LS1021A, which happens to be read-only. +Changing TBI PHY address therefore does not work on LS1021A. + +The real (and documented) address of the TBIPA registere lies in the eTSEC +block and not in MDIO/MII, which is read/write, so using that fixes +the problem. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -509,7 +509,8 @@ + device_type = "mdio"; + #address-cells = <1>; + #size-cells = <0>; +- reg = <0x0 0x2d24000 0x0 0x4000>; ++ reg = <0x0 0x2d24000 0x0 0x4000>, ++ <0x0 0x2d10030 0x0 0x4>; + }; + + ptp_clock@2d10e00 { diff --git a/queue-4.9/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch b/queue-4.9/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch new file mode 100644 index 00000000000..940e824c358 --- /dev/null +++ b/queue-4.9/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch 
@@ -0,0 +1,38 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Florian Fainelli +Date: Mon, 26 Feb 2018 17:00:35 -0800 +Subject: ARM: dts: NSP: Fix amount of RAM on BCM958625HR + +From: Florian Fainelli + +[ Upstream commit 0a5aff64f20d92c5a6e9aeed7b5950b0b817bcd9 ] + +Jon attempted to fix the amount of RAM on the BCM958625HR in commit +c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board") +but it seems like we tripped over some poorly documented schematics. + +The top-level page of the schematics says the board has 2GB, but when +you end-up scrolling to page 6, you see two chips of 4GBit (512MB) but +what the bootloader really initializes only 512MB, any attempt to use +more than that results in data aborts. Fix this again back to 512MB. + +Fixes: c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board") +Acked-by: Jon Mason +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm958625hr.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm958625hr.dts ++++ b/arch/arm/boot/dts/bcm958625hr.dts +@@ -49,7 +49,7 @@ + + memory { + device_type = "memory"; +- reg = <0x60000000 0x80000000>; ++ reg = <0x60000000 0x20000000>; + }; + + gpio-restart { diff --git a/queue-4.9/arm-dts-porter-fix-hdmi-output-routing.patch b/queue-4.9/arm-dts-porter-fix-hdmi-output-routing.patch new file mode 100644 index 00000000000..80f5837ceb2 --- /dev/null +++ b/queue-4.9/arm-dts-porter-fix-hdmi-output-routing.patch 
@@ -0,0 +1,32 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Laurent Pinchart +Date: Sat, 13 Jan 2018 01:14:23 +0200 +Subject: ARM: dts: porter: Fix HDMI output routing + +From: Laurent Pinchart + +[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ] + +The HDMI encoder is connected to the RGB output of the DU, which is +port@0, not port@1. Fix the incorrect DT description. + +Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support") +Signed-off-by: Laurent Pinchart +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7791-porter.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/r8a7791-porter.dts ++++ b/arch/arm/boot/dts/r8a7791-porter.dts +@@ -428,7 +428,7 @@ + "dclkin.0", "dclkin.1"; + + ports { +- port@1 { ++ port@0 { + endpoint { + remote-endpoint = <&adv7511_in>; + }; diff --git a/queue-4.9/arm-dts-socfpga-fix-gic-ppi-warning.patch b/queue-4.9/arm-dts-socfpga-fix-gic-ppi-warning.patch new file mode 100644 index 00000000000..7fcc4e389e1 --- /dev/null +++ b/queue-4.9/arm-dts-socfpga-fix-gic-ppi-warning.patch 
@@ -0,0 +1,31 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Philipp Puschmann +Date: Fri, 23 Mar 2018 10:22:15 +0100 +Subject: arm: dts: socfpga: fix GIC PPI warning + +From: Philipp Puschmann + +[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ] + +Fixes the warning "GIC: PPI13 is secure or misconfigured" by +changing the interrupt type from level_low to edge_raising + +Signed-off-by: Philipp Puschmann +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -759,7 +759,7 @@ + timer@fffec600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xfffec600 0x100>; +- interrupts = <1 13 0xf04>; ++ interrupts = <1 13 0xf01>; + clocks = <&mpu_periph_clk>; + }; + diff --git a/queue-4.9/arm-omap-fix-dmtimer-init-for-omap1.patch b/queue-4.9/arm-omap-fix-dmtimer-init-for-omap1.patch new file mode 100644 index 00000000000..47720015081 --- /dev/null +++ b/queue-4.9/arm-omap-fix-dmtimer-init-for-omap1.patch 
@@ -0,0 +1,45 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tony Lindgren +Date: Thu, 22 Feb 2018 10:02:49 -0800 +Subject: ARM: OMAP: Fix dmtimer init for omap1 + +From: Tony Lindgren + +[ Upstream commit ba6887836178d43b3665b9da075c2c5dfe1d207c ] + +We need to enable PM runtime on omap1 also as otherwise we +will get errors: + +omap_timer omap_timer.1: omap_dm_timer_probe: pm_runtime_get_sync failed! +omap_timer: probe of omap_timer.1 failed with error -13 +... + +We are checking for OMAP_TIMER_NEEDS_RESET flag elsewhere so this is +safe to do. + +Cc: Aaro Koskinen +Cc: Keerthy +Cc: Ladislav Michl +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/plat-omap/dmtimer.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/arm/plat-omap/dmtimer.c ++++ b/arch/arm/plat-omap/dmtimer.c +@@ -890,11 +890,8 @@ static int omap_dm_timer_probe(struct pl + timer->irq = irq->start; + timer->pdev = pdev; + +- /* Skip pm_runtime_enable for OMAP1 */ +- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) { +- pm_runtime_enable(dev); +- pm_runtime_irq_safe(dev); +- } ++ pm_runtime_enable(dev); ++ pm_runtime_irq_safe(dev); + + if (!timer->reserved) { + ret = pm_runtime_get_sync(dev); diff --git a/queue-4.9/arm-omap1-clock-fix-debugfs_create_-usage.patch b/queue-4.9/arm-omap1-clock-fix-debugfs_create_-usage.patch new file mode 100644 index 00000000000..adcc5f1a353 --- /dev/null +++ b/queue-4.9/arm-omap1-clock-fix-debugfs_create_-usage.patch 
@@ -0,0 +1,52 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Geert Uytterhoeven +Date: Tue, 2 Jan 2018 16:25:35 +0100 +Subject: ARM: OMAP1: clock: Fix debugfs_create_*() usage + +From: Geert Uytterhoeven + +[ Upstream commit 8cbbf1745dcde7ba7e423dc70619d223de90fd43 ] + +When exposing data access through debugfs, the correct +debugfs_create_*() functions must be used, depending on data type. + +Remove all casts from data pointers passed to debugfs_create_*() +functions, as such casts prevent the compiler from flagging bugs. + +Correct all wrong usage: + - clk.rate is unsigned long, not u32, + - clk.flags is u8, not u32, which exposed the successive + clk.rate_offset and clk.src_offset fields. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/clock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-omap1/clock.c ++++ b/arch/arm/mach-omap1/clock.c +@@ -1031,17 +1031,17 @@ static int clk_debugfs_register_one(stru + return -ENOMEM; + c->dent = d; + +- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount); ++ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate); ++ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags); ++ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags); + if (!d) { + err = -ENOMEM; + goto err_out; diff --git a/queue-4.9/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch b/queue-4.9/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch new file mode 100644 index 00000000000..729bb61ec79 --- /dev/null 
+++ b/queue-4.9/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch 
@@ -0,0 +1,69 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Qi Hou
+Date: Thu, 11 Jan 2018 12:54:43 +0800
+Subject: ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
+
+From: Qi Hou
+
+[ Upstream commit db35340c536f1af0108ec9a0b2126a05d358d14a ]
+
+When more than one GP timers are used as kernel system timers and the
+corresponding nodes in device-tree are marked with the same "disabled"
+property, then the "attr" field of the property will be initialized
+more than once as the property being added to sys file system via
+__of_add_property_sysfs().
+
+In __of_add_property_sysfs(), the "name" field of pp->attr.attr is set
+directly to the return value of safe_name(), without taking care of
+whether it's already a valid pointer to a memory block. If it is, its
+old value will always be overwritten by the new one and the memory block
+allocated before will a "ghost", then a kmemleak happened.
+
+That the same "disabled" property being added to different nodes of device
+tree would cause that kind of kmemleak overhead, at least once.
+
+To fix it, allocate the property dynamically, and delete static one.
+
+Signed-off-by: Qi Hou
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-omap2/timer.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/mach-omap2/timer.c
++++ b/arch/arm/mach-omap2/timer.c
+@@ -136,12 +136,6 @@ static struct clock_event_device clockev
+ .tick_resume = omap2_gp_timer_shutdown,
+ };
+
+-static struct property device_disabled = {
+- .name = "status",
+- .length = sizeof("disabled"),
+- .value = "disabled",
+-};
+-
+ static const struct of_device_id omap_timer_match[] __initconst = {
+ { .compatible = "ti,omap2420-timer", },
+ { .compatible = "ti,omap3430-timer", },
+@@ -183,8 +177,17 @@ static struct device_node * __init omap_
+ of_get_property(np, "ti,timer-secure", NULL)))
+ continue;
+
+- if (!of_device_is_compatible(np, "ti,omap-counter32k"))
+- of_add_property(np, &device_disabled);
++ if (!of_device_is_compatible(np, "ti,omap-counter32k")) {
++ struct property *prop;
++
++ prop = kzalloc(sizeof(*prop), GFP_KERNEL);
++ if (!prop)
++ return NULL;
++ prop->name = "status";
++ prop->value = "disabled";
++ prop->length = strlen(prop->value);
++ of_add_property(np, prop);
++ }
+ return np;
+ }
+
diff --git a/queue-4.9/arm-omap3-fix-prm-wake-interrupt-for-resume.patch b/queue-4.9/arm-omap3-fix-prm-wake-interrupt-for-resume.patch
new file mode 100644
index 00000000000..9ab22e98ee0
--- /dev/null
+++ b/queue-4.9/arm-omap3-fix-prm-wake-interrupt-for-resume.patch
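Review bot: In the mach-omap2/timer.c change, the dynamically built property sets `prop->length = strlen(prop->value);`, which is one byte shorter than the `sizeof("disabled")` used by the removed static property, so the recorded length no longer covers the string's NUL terminator and length-checked string readers may reject the value. `prop->length = strlen(prop->value) + 1;` keeps the previous length. The new `return NULL;` on allocation failure leaves the function from inside the node iteration, whose head is outside the hunk, so any reference held on `np` at that point looks like it is not dropped. The return value of `of_add_property(np, prop)` is also ignored, which would leak `prop` if the add fails.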
@@ -0,0 +1,64 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tony Lindgren +Date: Fri, 9 Feb 2018 08:15:53 -0800 +Subject: ARM: OMAP3: Fix prm wake interrupt for resume + +From: Tony Lindgren + +[ Upstream commit d3be6d2a08bd26580562d9714d3d97ea9ba22c73 ] + +For platform_suspend_ops, the finish call is too late to re-enable wake +irqs and we need re-enable wake irqs on wake call instead. + +Otherwise noirq resume for devices has already happened. And then +dev_pm_disarm_wake_irq() has already disabled the dedicated wake irqs +when the interrupt triggers and the wake irq is never handled. + +For devices that are already in PM runtime suspended state when we +enter suspend this means that a possible wake irq will never trigger. + +And this can lead into a situation where a device has a pending padconf +wake irq, and the device will stay unresponsive to any further wake +irqs. + +This issue can be easily reproduced by setting serial console log level +to zero, letting the serial console idle, and suspend the system from +an ssh terminal. Then try to wake up the system by typing to the serial +console. + +Note that this affects only omap3 PRM interrupt as that's currently +the only omap variant that does anything in omap_pm_wake(). + +In general, for the wake irqs to work, the interrupt must have either +IRQF_NO_SUSPEND or IRQF_EARLY_RESUME set for it to trigger before +dev_pm_disarm_wake_irq() disables the wake irqs. 
+ +Reported-by: Grygorii Strashko +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/pm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/pm.c ++++ b/arch/arm/mach-omap2/pm.c +@@ -225,7 +225,7 @@ static void omap_pm_end(void) + cpu_idle_poll_ctrl(false); + } + +-static void omap_pm_finish(void) ++static void omap_pm_wake(void) + { + if (cpu_is_omap34xx()) + omap_prcm_irq_complete(); +@@ -235,7 +235,7 @@ static const struct platform_suspend_ops + .begin = omap_pm_begin, + .end = omap_pm_end, + .enter = omap_pm_enter, +- .finish = omap_pm_finish, ++ .wake = omap_pm_wake, + .valid = suspend_valid_only_mem, + }; + diff --git a/queue-4.9/arm-orion5x-revert-commit-4904dbda41c8.patch b/queue-4.9/arm-orion5x-revert-commit-4904dbda41c8.patch new file mode 100644 index 00000000000..f25d3af3bbf --- /dev/null +++ b/queue-4.9/arm-orion5x-revert-commit-4904dbda41c8.patch 
@@ -0,0 +1,201 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "David S. Miller"
+Date: Mon, 26 Feb 2018 13:41:47 -0500
+Subject: ARM: orion5x: Revert commit 4904dbda41c8.
+
+From: "David S. Miller"
+
+[ Upstream commit 13a55372b64e00e564a08d785ca87bd9d454ba30 ]
+
+It is not valid for orion5x to use mac_pton().
+
+First of all, the orion5x buffer is not NULL terminated. mac_pton()
+has no business operating on non-NULL terminated buffers because
+only the caller can know that this is valid and in what manner it
+is ok to parse this NULL'less buffer.
+
+Second of all, orion5x operates on an __iomem pointer, which cannot
+be dereferenced using normal C pointer operations. Accesses to
+such areas much be performed with the proper iomem accessors.
+
+Fixes: 4904dbda41c8 ("ARM: orion5x: use mac_pton() helper")
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-orion5x/Kconfig | 3 -
+ arch/arm/mach-orion5x/dns323-setup.c | 53 +++++++++++++++++++++++++++++++++--
+ arch/arm/mach-orion5x/tsx09-common.c | 49 +++++++++++++++++++++++++++++---
+ 3 files changed, 95 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-orion5x/Kconfig
++++ b/arch/arm/mach-orion5x/Kconfig
+@@ -57,7 +57,6 @@ config MACH_KUROBOX_PRO
+
+ config MACH_DNS323
+ bool "D-Link DNS-323"
+- select GENERIC_NET_UTILS
+ select I2C_BOARDINFO if I2C
+ help
+ Say 'Y' here if you want your kernel to support the
+@@ -65,7 +64,6 @@ config MACH_DNS323
+
+ config MACH_TS209
+ bool "QNAP TS-109/TS-209"
+- select GENERIC_NET_UTILS
+ help
+ Say 'Y' here if you want your kernel to support the
+ QNAP TS-109/TS-209 platform.
+@@ -107,7 +105,6 @@ config MACH_LINKSTATION_LS_HGL
+
+ config MACH_TS409
+ bool "QNAP TS-409"
+- select GENERIC_NET_UTILS
+ help
+ Say 'Y' here if you want your kernel to support the
+ QNAP TS-409 platform.
+--- a/arch/arm/mach-orion5x/dns323-setup.c
++++ b/arch/arm/mach-orion5x/dns323-setup.c
+@@ -173,10 +173,42 @@ static struct mv643xx_eth_platform_data
+ .phy_addr = MV643XX_ETH_PHY_ADDR(8),
+ };
+
++/* dns323_parse_hex_*() taken from tsx09-common.c; should a common copy of these
++ * functions be kept somewhere?
++ */
++static int __init dns323_parse_hex_nibble(char n)
++{
++ if (n >= '0' && n <= '9')
++ return n - '0';
++
++ if (n >= 'A' && n <= 'F')
++ return n - 'A' + 10;
++
++ if (n >= 'a' && n <= 'f')
++ return n - 'a' + 10;
++
++ return -1;
++}
++
++static int __init dns323_parse_hex_byte(const char *b)
++{
++ int hi;
++ int lo;
++
++ hi = dns323_parse_hex_nibble(b[0]);
++ lo = dns323_parse_hex_nibble(b[1]);
++
++ if (hi < 0 || lo < 0)
++ return -1;
++
++ return (hi << 4) | lo;
++}
++
+ static int __init dns323_read_mac_addr(void)
+ {
+ u_int8_t addr[6];
+- void __iomem *mac_page;
++ int i;
++ char *mac_page;
+
+ /* MAC address is stored as a regular ol' string in /dev/mtdblock4
+ * (0x007d0000-0x00800000) starting at offset 196480 (0x2ff80).
+@@ -185,8 +217,23 @@ static int __init dns323_read_mac_addr(v
+ if (!mac_page)
+ return -ENOMEM;
+
+- if (!mac_pton((__force const char *) mac_page, addr))
+- goto error_fail;
++ /* Sanity check the string we're looking at */
++ for (i = 0; i < 5; i++) {
++ if (*(mac_page + (i * 3) + 2) != ':') {
++ goto error_fail;
++ }
++ }
++
++ for (i = 0; i < 6; i++) {
++ int byte;
++
++ byte = dns323_parse_hex_byte(mac_page + (i * 3));
++ if (byte < 0) {
++ goto error_fail;
++ }
++
++ addr[i] = byte;
++ }
+
+ iounmap(mac_page);
+ printk("DNS-323: Found ethernet MAC address: %pM\n", addr);
+--- a/arch/arm/mach-orion5x/tsx09-common.c
++++ b/arch/arm/mach-orion5x/tsx09-common.c
+@@ -53,12 +53,53 @@ struct mv643xx_eth_platform_data qnap_ts
+ .phy_addr = MV643XX_ETH_PHY_ADDR(8),
+ };
+
++static int __init qnap_tsx09_parse_hex_nibble(char n)
++{
++ if (n >= '0' && n <= '9')
++ return n - '0';
++
++ if (n >= 'A' && n <= 'F')
++ return n - 'A' + 10;
++
++ if (n >= 'a' && n <= 'f')
++ return n - 'a' + 10;
++
++ return -1;
++}
++
++static int __init qnap_tsx09_parse_hex_byte(const char *b)
++{
++ int hi;
++ int lo;
++
++ hi = qnap_tsx09_parse_hex_nibble(b[0]);
++ lo = qnap_tsx09_parse_hex_nibble(b[1]);
++
++ if (hi < 0 || lo < 0)
++ return -1;
++
++ return (hi << 4) | lo;
++}
++
+ static int __init qnap_tsx09_check_mac_addr(const char *addr_str)
+ {
+ u_int8_t addr[6];
++ int i;
+
+- if (!mac_pton(addr_str, addr))
+- return -1;
++ for (i = 0; i < 6; i++) {
++ int byte;
++
++ /*
++ * Enforce "xx:xx:xx:xx:xx:xx\n" format.
++ */
++ if (addr_str[(i * 3) + 2] != ((i < 5) ? 
':' : '\n'))
++ return -1;
++
++ byte = qnap_tsx09_parse_hex_byte(addr_str + (i * 3));
++ if (byte < 0)
++ return -1;
++ addr[i] = byte;
++ }
+
+ printk(KERN_INFO "tsx09: found ethernet mac address %pM\n", addr);
+
+@@ -77,12 +118,12 @@ void __init qnap_tsx09_find_mac_addr(u32
+ unsigned long addr;
+
+ for (addr = mem_base; addr < (mem_base + size); addr += 1024) {
+- void __iomem *nor_page;
++ char *nor_page;
+ int ret = 0;
+
+ nor_page = ioremap(addr, 1024);
+ if (nor_page != NULL) {
+- ret = qnap_tsx09_check_mac_addr((__force const char *)nor_page);
++ ret = qnap_tsx09_check_mac_addr(nor_page);
+ iounmap(nor_page);
+ }
+
diff --git a/queue-4.9/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch b/queue-4.9/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch
new file mode 100644
index 00000000000..edc1739a297
--- /dev/null
+++ b/queue-4.9/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Ilia Lin
+Date: Tue, 23 Jan 2018 09:36:18 +0200
+Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996
+
+From: Ilia Lin
+
+[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ]
+
+Set correct clocks and interrupt values.
+Fixes the incorrect SPI master configuration. This is
+mandatory to make the SPI5 interface functional.
+
+Signed-off-by: Ilia Lin
+Signed-off-by: Andy Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -326,8 +326,8 @@
+ blsp2_spi5: spi@075ba000{
+ compatible = "qcom,spi-qup-v2.2.1";
+ reg = <0x075ba000 0x600>;
+- interrupts = ;
+- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>,
++ interrupts = ;
++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>,
+ <&gcc GCC_BLSP2_AHB_CLK>;
+ clock-names = "core", "iface";
+ pinctrl-names = "default", "sleep";
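Review bot: In dns323_read_mac_addr() the mapping that is later released with iounmap() is now held in a plain `char *mac_page` and read with `*(mac_page + (i * 3) + 2)`, and qnap_tsx09_find_mac_addr() does the same with `char *nor_page`, so the `__iomem` annotation is lost and sparse can no longer flag direct dereferences of I/O memory, which is the second objection the commit message itself raises. Keeping `void __iomem *mac_page;` and copying the string out before parsing, e.g. `char buf[17]; memcpy_fromio(buf, mac_page, sizeof(buf));`, would let the ':' check and dns323_parse_hex_byte() run on ordinary memory. The tsx09 parser also reads the '\n' at index 17, so its copy would need 18 bytes. Both function bodies continue outside the hunks.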
diff --git a/queue-4.9/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch b/queue-4.9/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch
new file mode 100644
index 00000000000..ee33929e373
--- /dev/null
+++ b/queue-4.9/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch
@@ -0,0 +1,125 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Pratyush Anand
+Date: Mon, 5 Feb 2018 14:28:01 +0100
+Subject: arm64: fix unwind_frame() for filtered out fn for function graph tracing
+
+From: Pratyush Anand
+
+[ Upstream commit 9f416319f40cd857d2bb517630e5855a905ef3fb ]
+
+do_task_stat() calls get_wchan(), which further does unwind_frame().
+unwind_frame() restores frame->pc to original value in case function
+graph tracer has modified a return address (LR) in a stack frame to hook
+a function return. However, if function graph tracer has hit a filtered
+function, then we can't unwind it as ftrace_push_return_trace() has
+biased the index(frame->graph) with a 'huge negative'
+offset(-FTRACE_NOTRACE_DEPTH).
+
+Moreover, arm64 stack walker defines index(frame->graph) as unsigned
+int, which can not compare a -ve number.
+
+Similar problem we can have with calling of walk_stackframe() from
+save_stack_trace_tsk() or dump_backtrace().
+
+This patch fixes unwind_frame() to test the index for -ve value and
+restore index accordingly before we can restore frame->pc.
+
+Reproducer:
+
+cd /sys/kernel/debug/tracing/
+echo schedule > set_graph_notrace
+echo 1 > options/display-graph
+echo wakeup > current_tracer
+ps -ef | grep -i agent
+
+Above commands result in:
+Unable to handle kernel paging request at virtual address ffff801bd3d1e000
+pgd = ffff8003cbe97c00
+[ffff801bd3d1e000] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 96000006 [#1] SMP
+[...]
+CPU: 5 PID: 11696 Comm: ps Not tainted 4.11.0+ #33
+[...] 
+task: ffff8003c21ba000 task.stack: ffff8003cc6c0000
+PC is at unwind_frame+0x12c/0x180
+LR is at get_wchan+0xd4/0x134
+pc : [] lr : [] pstate: 60000145
+sp : ffff8003cc6c3ab0
+x29: ffff8003cc6c3ab0 x28: 0000000000000001
+x27: 0000000000000026 x26: 0000000000000026
+x25: 00000000000012d8 x24: 0000000000000000
+x23: ffff8003c1c04000 x22: ffff000008c83000
+x21: ffff8003c1c00000 x20: 000000000000000f
+x19: ffff8003c1bc0000 x18: 0000fffffc593690
+x17: 0000000000000000 x16: 0000000000000001
+x15: 0000b855670e2b60 x14: 0003e97f22cf1d0f
+x13: 0000000000000001 x12: 0000000000000000
+x11: 00000000e8f4883e x10: 0000000154f47ec8
+x9 : 0000000070f367c0 x8 : 0000000000000000
+x7 : 00008003f7290000 x6 : 0000000000000018
+x5 : 0000000000000000 x4 : ffff8003c1c03cb0
+x3 : ffff8003c1c03ca0 x2 : 00000017ffe80000
+x1 : ffff8003cc6c3af8 x0 : ffff8003d3e9e000
+
+Process ps (pid: 11696, stack limit = 0xffff8003cc6c0000)
+Stack: (0xffff8003cc6c3ab0 to 0xffff8003cc6c4000)
+[...]
+[] unwind_frame+0x12c/0x180
+[] do_task_stat+0x864/0x870
+[] proc_tgid_stat+0x3c/0x48
+[] proc_single_show+0x5c/0xb8
+[] seq_read+0x160/0x414
+[] __vfs_read+0x58/0x164
+[] vfs_read+0x88/0x144
+[] SyS_read+0x60/0xc0
+[] __sys_trace_return+0x0/0x4
+
+Fixes: 20380bb390a4 (arm64: ftrace: fix a stack tracer's output under function graph tracer)
+Signed-off-by: Pratyush Anand
+Signed-off-by: Jerome Marchand
+[catalin.marinas@arm.com: replace WARN_ON with WARN_ON_ONCE]
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/stacktrace.h | 2 +-
+ arch/arm64/kernel/stacktrace.c | 5 +++++
+ arch/arm64/kernel/time.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/stacktrace.h
++++ b/arch/arm64/include/asm/stacktrace.h
+@@ -23,7 +23,7 @@ struct stackframe {
+ unsigned long sp;
+ unsigned long pc;
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+- unsigned int graph;
++ int graph;
+ #endif
+ };
+
+--- 
a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -72,6 +72,11 @@ int notrace unwind_frame(struct task_str
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ if (tsk->ret_stack &&
+ (frame->pc == (unsigned long)return_to_handler)) {
++ if (WARN_ON_ONCE(frame->graph == -1))
++ return -EINVAL;
++ if (frame->graph < -1)
++ frame->graph += FTRACE_NOTRACE_DEPTH;
++
+ /*
+ * This is a case where function graph tracer has
+ * modified a return address (LR) in a stack frame
+--- a/arch/arm64/kernel/time.c
++++ b/arch/arm64/kernel/time.c
+@@ -53,7 +53,7 @@ unsigned long profile_pc(struct pt_regs
+ frame.sp = regs->sp;
+ frame.pc = regs->pc;
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+- frame.graph = -1; /* no task info */
++ frame.graph = current->curr_ret_stack;
+ #endif
+ do {
+ int ret = unwind_frame(NULL, &frame);
diff --git a/queue-4.9/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch b/queue-4.9/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch
new file mode 100644
index 00000000000..95d8f03a0e7
--- /dev/null
+++ b/queue-4.9/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch
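Review bot: profile_pc() in the time.c hunk still calls `unwind_frame(NULL, &frame)`, while the stacktrace.c hunk's context tests `tsk->ret_stack` with no NULL check visible, so on this 4.9 base it should be confirmed that unwind_frame() substitutes `current` for a NULL tsk before that line; the start of the function is outside the hunk. If it does not, the condition needs `tsk &&` in front, or profile_pc() should pass `current` now that it seeds `frame.graph` from `current->curr_ret_stack`. In the same hunk, `frame->graph += FTRACE_NOTRACE_DEPTH` has no visible range check afterwards, so a comment stating the range expected once the bias is removed would help whoever reviews the lookup that presumably follows.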
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Marc Zyngier
+Date: Fri, 9 Mar 2018 15:40:50 +0000
+Subject: arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery
+
+From: Marc Zyngier
+
+[ Upstream commit e21da1c992007594d391e7b301779cf30f438691 ]
+
+A recent update to the ARM SMCCC ARCH_WORKAROUND_1 specification
+allows firmware to return a non zero, positive value to describe
+that although the mitigation is implemented at the higher exception
+level, the CPU on which the call is made is not affected.
+
+Let's relax the check on the return value from ARCH_WORKAROUND_1
+so that we only error out if the returned value is negative.
+
+Fixes: b092201e0020 ("arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/cpu_errata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -160,7 +160,7 @@ static int enable_smccc_arch_workaround_
+ case PSCI_CONDUIT_HVC:
+ arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
+ ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+- if (res.a0)
++ if ((int)res.a0 < 0)
+ return 0;
+ cb = call_hvc_arch_workaround_1;
+ smccc_start = __smccc_workaround_1_hvc_start;
+@@ -170,7 +170,7 @@ static int enable_smccc_arch_workaround_
+ case PSCI_CONDUIT_SMC:
+ arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
+ ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+- if (res.a0)
++ if ((int)res.a0 < 0)
+ return 0;
+ cb = call_smc_arch_workaround_1;
+ smccc_start = __smccc_workaround_1_smc_start;
diff --git a/queue-4.9/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch b/queue-4.9/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch
new file mode 100644
index 00000000000..277c3490789
--- /dev/null
+++ b/queue-4.9/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch
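Review bot: The new test `(int)res.a0 < 0` in both the HVC and the SMC case relies on an unexplained narrowing cast: `res.a0` is presumably wider than int, so only its low 32 bits decide the result. A one-line comment above each test would make the intent reviewable, e.g. `/* a0 is a signed 32-bit status: < 0 not supported, > 0 implemented but this CPU is not affected */`. Per the commit message a positive value means the calling CPU is not affected, yet the visible code still goes on to set `cb` and `smccc_start` for it; if that is deliberate, the same comment should say so. The function continues outside both hunks.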
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Will Deacon
+Date: Wed, 31 Jan 2018 12:12:20 +0000
+Subject: arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics
+
+From: Will Deacon
+
+[ Upstream commit 202fb4ef81e3ec765c23bd1e6746a5c25b797d0e ]
+
+If the spinlock "next" ticket wraps around between the initial LDR
+and the cmpxchg in the LSE version of spin_trylock, then we can erroneously
+think that we have successfuly acquired the lock because we only check
+whether the next ticket return by the cmpxchg is equal to the owner ticket
+in our updated lock word.
+
+This patch fixes the issue by performing a full 32-bit check of the lock
+word when trying to determine whether or not the CASA instruction updated
+memory.
+
+Reported-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/spinlock.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -141,8 +141,8 @@ static inline int arch_spin_trylock(arch
+ " cbnz %w1, 1f\n"
+ " add %w1, %w0, %3\n"
+ " casa %w0, %w1, %2\n"
+- " and %w1, %w1, #0xffff\n"
+- " eor %w1, %w1, %w0, lsr #16\n"
++ " sub %w1, %w1, %3\n"
++ " eor %w1, %w1, %w0\n"
+ "1:")
+ : "=&r" (lockval), "=&r" (tmp), "+Q" (*lock)
+ : "I" (1 << TICKET_SHIFT)
diff --git a/queue-4.9/asm-generic-provide-generic_pmdp_establish.patch b/queue-4.9/asm-generic-provide-generic_pmdp_establish.patch
new file mode 100644
index 00000000000..a22b12e07e2
--- /dev/null
+++ b/queue-4.9/asm-generic-provide-generic_pmdp_establish.patch
@@ -0,0 +1,87 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "Kirill A. Shutemov"
+Date: Wed, 31 Jan 2018 16:17:43 -0800
+Subject: asm-generic: provide generic_pmdp_establish()
+
+From: "Kirill A. Shutemov"
+
+[ Upstream commit c58f0bb77ed8bf93dfdde762b01cb67eebbdfc29 ]
+
+Patch series "Do not lose dirty bit on THP pages", v4.
+
+Vlastimil noted that pmdp_invalidate() is not atomic and we can lose
+dirty and access bits if CPU sets them after pmdp dereference, but
+before set_pmd_at().
+
+The bug can lead to data loss, but the race window is tiny and I haven't
+seen any reports that suggested that it happens in reality. So I don't
+think it worth sending it to stable.
+
+Unfortunately, there's no way to address the issue in a generic way. We
+need to fix all architectures that support THP one-by-one.
+
+All architectures that have THP supported have to provide atomic
+pmdp_invalidate() that returns previous value.
+
+If generic implementation of pmdp_invalidate() is used, architecture
+needs to provide atomic pmdp_estabish().
+
+pmdp_estabish() is not used out-side generic implementation of
+pmdp_invalidate() so far, but I think this can change in the future.
+
+This patch (of 12):
+
+This is an implementation of pmdp_establish() that is only suitable for
+an architecture that doesn't have hardware dirty/accessed bits. In this
+case we can't race with CPU which sets these bits and non-atomic
+approach is fine.
+
+Link: http://lkml.kernel.org/r/20171213105756.69879-2-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov
+Cc: Vlastimil Babka
+Cc: Andrea Arcangeli
+Cc: Michal Hocko
+Cc: Aneesh Kumar K.V
+Cc: Catalin Marinas
+Cc: David Daney
+Cc: David Miller
+Cc: H. 
Peter Anvin
+Cc: Hugh Dickins
+Cc: Ingo Molnar
+Cc: Martin Schwidefsky
+Cc: Nitin Gupta
+Cc: Ralf Baechle
+Cc: Thomas Gleixner
+Cc: Vineet Gupta
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/asm-generic/pgtable.h | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/include/asm-generic/pgtable.h
++++ b/include/asm-generic/pgtable.h
+@@ -234,6 +234,21 @@ extern void pgtable_trans_huge_deposit(s
+ extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp);
+ #endif
+
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/*
++ * This is an implementation of pmdp_establish() that is only suitable for an
++ * architecture that doesn't have hardware dirty/accessed bits. In this case we
++ * can't race with CPU which sets these bits and non-atomic aproach is fine.
++ */
++static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma,
++ unsigned long address, pmd_t *pmdp, pmd_t pmd)
++{
++ pmd_t old_pmd = *pmdp;
++ set_pmd_at(vma->vm_mm, address, pmdp, pmd);
++ return old_pmd;
++}
++#endif
++
+ #ifndef __HAVE_ARCH_PMDP_INVALIDATE
+ extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp);
diff --git a/queue-4.9/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch b/queue-4.9/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch
new file mode 100644
index 00000000000..9381ce84c62
--- /dev/null
+++ b/queue-4.9/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch
@@ -0,0 +1,104 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Karthikeyan Periyasamy
+Date: Mon, 12 Mar 2018 17:09:40 +0530
+Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
+
+From: Karthikeyan Periyasamy
+
+[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ]
+
+When attempt to run worker (ath10k_sta_rc_update_wk) after the station object
+(ieee80211_sta) delete will trigger the kernel panic.
+
+This problem arise in AP + Mesh configuration, Where the current node AP VAP
+and neighbor node mesh VAP MAC address are same. When the current mesh node
+try to establish the mesh link with neighbor node, driver peer creation for
+the neighbor mesh node fails due to duplication MAC address. Already the AP
+VAP created with same MAC address.
+
+It is caused by the following scenario steps.
+
+Steps:
+1. In above condition, ath10k driver sta_state callback (ath10k_sta_state)
+ fails to do the state change for a station from IEEE80211_STA_NOTEXIST
+ to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is
+ called from ieee80211_add_station() to handle the new station
+ (neighbor mesh node) request from the wpa_supplicant.
+2. Concurrently ath10k receive the sta_rc_update callback notification from
+ the mesh_neighbour_update() to handle the beacon frames of the above
+ neighbor mesh node. since its atomic callback, ath10k driver queue the
+ work (ath10k_sta_rc_update_wk) to handle rc update.
+3. Due to driver sta_state callback fails (step 1), mac80211 free the station
+ object.
+4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access
+ the station object which is already deleted. so it will trigger kernel
+ panic.
+
+Added the peer exist check in sta_rc_update callback before queue the work.
+
+Kernel Panic log:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0204000
+[00000000] *pgd=00000000
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1
+task: dcef0000 ti: d72b6000 task.ti: d72b6000
+PC is at pwq_activate_delayed_work+0x10/0x40
+LR is at pwq_activate_delayed_work+0xc/0x40
+pc : [] lr : [] psr: 40000193
+sp : d72b7f18 ip : 0000007a fp : d72b6000
+r10: 00000000 r9 : dd404414 r8 : d8c31998
+r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300
+r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000
+Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5787d Table: 595bc06a DAC: 00000015
+...
+Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238)
+Stack: (0xd72b7f18 to 0xd72b8000)
+7f00: 00000001 dcee1300
+7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089
+7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000
+7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000
+7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340
+7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000
+7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[] (pwq_activate_delayed_work) from [] (pwq_dec_nr_in_flight+0x58/0xc4)
+[] (pwq_dec_nr_in_flight) from [] (worker_thread+0x228/0x360)
+[] (worker_thread) from [] (kthread+0xd8/0xec)
+[] (kthread) from [] (ret_from_fork+0x14/0x34)
+Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs
+Rebooting in 3 seconds.. 
+
+Signed-off-by: Karthikeyan Periyasamy
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -6928,10 +6928,20 @@ static void ath10k_sta_rc_update(struct
+ {
+ struct ath10k *ar = hw->priv;
+ struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
++ struct ath10k_vif *arvif = (void *)vif->drv_priv;
++ struct ath10k_peer *peer;
+ u32 bw, smps;
+
+ spin_lock_bh(&ar->data_lock);
+
++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr);
++ if (!peer) {
++ spin_unlock_bh(&ar->data_lock);
++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n",
++ sta->addr, arvif->vdev_id);
++ return;
++ }
++
+ ath10k_dbg(ar, ATH10K_DBG_MAC,
+ "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n",
+ sta->addr, changed, sta->bandwidth, sta->rx_nss,
diff --git a/queue-4.9/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch b/queue-4.9/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch
new file mode 100644
index 00000000000..d5869a00e40
--- /dev/null
+++ b/queue-4.9/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch
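Review bot: The `ath10k_peer_find()` test added to ath10k_sta_rc_update() is a point-in-time check made under `ar->data_lock`, and it does not by itself keep the station alive between the queuing of the work (outside this hunk) and the later run of ath10k_sta_rc_update_wk. It covers the failed-peer-creation case from the commit message, but it should be confirmed that the ordinary station-removal path cancels `arsta->update_wk` before mac80211 frees the station. A comment next to the check would record that assumption: `/* no peer: sta_state failed or the station is going away, so do not queue update_wk */`. `peer` is only compared with NULL in the visible lines, so the local could be dropped in favour of testing the call result directly.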
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Richard Guy Briggs
+Date: Wed, 21 Feb 2018 04:30:07 -0500
+Subject: audit: return on memory error to avoid null pointer dereference
+
+From: Richard Guy Briggs
+
+[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ]
+
+If there is a memory allocation error when trying to change an audit
+kernel feature value, the ignored allocation error will trigger a NULL
+pointer dereference oops on subsequent use of that pointer. Return
+instead.
+
+Passes audit-testsuite.
+See: https://github.com/linux-audit/audit-kernel/issues/76
+
+Signed-off-by: Richard Guy Briggs
+[PM: not necessary (other funcs check for NULL), but a good practice]
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/audit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -742,6 +742,8 @@ static void audit_log_feature_change(int
+ return;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
++ if (!ab)
++ return;
+ audit_log_task_info(ab, current);
+ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
+ audit_feature_names[which], !!old_feature, !!new_feature,
diff --git a/queue-4.9/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch b/queue-4.9/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch
new file mode 100644
index 00000000000..93eb59dee1b
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Matthias Schiffer
+Date: Fri, 16 Mar 2018 11:29:10 +0100
+Subject: batman-adv: fix header size check in batadv_dbg_arp()
+
+From: Matthias Schiffer
+
+[ Upstream commit 6f27d2c2a8c236d296201c19abb8533ec20d212b ]
+
+Checking for 0 is insufficient: when an SKB without a batadv header, but
+with a VLAN header is received, hdr_size will be 4, making the following
+code interpret the Ethernet header as a batadv header.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Matthias Schiffer
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/distributed-arp-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -391,7 +391,7 @@ static void batadv_dbg_arp(struct batadv
+ batadv_arp_hw_src(skb, hdr_size), &ip_src,
+ batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
+
+- if (hdr_size == 0)
++ if (hdr_size < sizeof(struct batadv_unicast_packet))
+ return;
+
+ unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
diff --git a/queue-4.9/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch b/queue-4.9/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch
new file mode 100644
index 00000000000..532753e9724
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch
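Review bot: The new guard in batadv_dbg_arp() rejects `hdr_size < sizeof(struct batadv_unicast_packet)`, but the next visible line casts `skb->data` to the larger `struct batadv_unicast_4addr_packet`, so fields beyond the common unicast header are only safe to read once the packet type has been checked and hdr_size is known to cover the 4addr layout; that code is outside the hunk and should be confirmed. Also, if `hdr_size` is a signed int (its declaration is not visible), the comparison with `sizeof` converts it to unsigned and a negative value would pass the guard. Writing it as `if (hdr_size < (int)sizeof(struct batadv_unicast_packet))` avoids that.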
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "Linus Lüssing"
+Date: Sun, 4 Mar 2018 13:08:17 +0100
+Subject: batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag
+
+From: "Linus Lüssing"
+
+[ Upstream commit 74c12c630fe310eb7fcae1b292257d47781fff0a ]
+
+As the kernel doc describes too the code is supposed to skip adding
+multicast TT entries if both the WANT_ALL_IPV4 and WANT_ALL_IPV6 flags
+are present.
+
+Unfortunately, the current code even skips adding multicast TT entries
+if only either the WANT_ALL_IPV4 or WANT_ALL_IPV6 is present.
+
+This could lead to IPv6 multicast packet loss if only an IGMP but not an
+MLD querier is present for instance or vice versa.
+
+Fixes: 687937ab3489 ("batman-adv: Add multicast optimization support for bridged setups")
+Signed-off-by: Linus LÃŒssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/multicast.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -527,8 +527,8 @@ update:
+ bat_priv->mcast.enabled = true;
+ }
+
+- return !(mcast_data.flags &
+- (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6));
++ return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 &&
++ mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6);
+ }
+
+ /**
diff --git a/queue-4.9/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch b/queue-4.9/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch
new file mode 100644
index 00000000000..e925ec47a83
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch
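Review bot: The rewritten return after the `update:` label, `!(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 && mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6)`, is correct only because `&` binds tighter than `&&`, which is easy to misread in a line that decides whether multicast TT entries are added. Testing "both flags set" against a mask states the intent directly: `return (mcast_data.flags & want_all) != want_all;` with `want_all = BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6`. The enclosing function starts outside the hunk.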
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "Linus Lüssing"
+Date: Tue, 20 Mar 2018 03:13:27 +0100
+Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation
+
+From: "Linus Lüssing"
+
+[ Upstream commit f8fb3419ead44f9a3136995acd24e35da4525177 ]
+
+For multicast frames AP isolation is only supposed to be checked on
+the receiving nodes and never on the originating one.
+
+Furthermore, the isolation or wifi flag bits should only be intepreted
+as such for unicast and never multicast TT entries.
+
+By injecting flags to the multicast TT entry claimed by a single
+target node it was verified in tests that this multicast address
+becomes unreachable, leading to packet loss.
+
+Omitting the "src" parameter to the batadv_transtable_search() call
+successfully skipped the AP isolation check and made the target
+reachable again.
+
+Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
+Signed-off-by: Linus LÃŒssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/multicast.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/multicast.c
++++ b/net/batman-adv/multicast.c
+@@ -769,8 +769,8 @@ static struct batadv_orig_node *
+ batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
+ struct ethhdr *ethhdr)
+ {
+- return batadv_transtable_search(bat_priv, ethhdr->h_source,
+- ethhdr->h_dest, BATADV_NO_FLAGS);
++ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
++ BATADV_NO_FLAGS);
+ }
+
+ /**
diff --git a/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-backbones.patch b/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-backbones.patch
new file mode 100644
index 00000000000..e13e7c4363f
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-backbones.patch
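Review bot: batadv_mcast_forw_tt_node_get() now passes `NULL` as the source address to batadv_transtable_search() with nothing at the call site saying why, and the `ethhdr->h_source` it replaces looks like the natural argument, so a later cleanup could easily put it back. A comment above the call would keep the reasoning from the commit message with the code: `/* src is NULL on purpose: AP isolation is only checked on receiving nodes for multicast */`. The kernel-doc for this function is outside the hunk and may need the same sentence.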
@@ -0,0 +1,65 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sven Eckelmann +Date: Sat, 24 Feb 2018 12:03:37 +0100 +Subject: batman-adv: Fix netlink dumping of BLA backbones + +From: Sven Eckelmann + +[ Upstream commit fce672db548ff19e76a08a32a829544617229bc2 ] + +The function batadv_bla_backbone_dump_bucket must be able to handle +non-complete dumps of a single bucket. It tries to do that by saving the +latest dumped index in *idx_skip to inform the caller about the current +state. + +But the caller only assumes that buckets were not completely dumped when +the return code is non-zero. This function must therefore also return a +non-zero index when the dumping of an entry failed. Otherwise the caller +will just skip all remaining buckets. + +And the function must also reset *idx_skip back to zero when it finished a +bucket. Otherwise it will skip the same number of entries in the next +bucket as the previous one had. + +Fixes: ea4152e11716 ("batman-adv: add backbone table netlink support") +Reported-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -2382,22 +2382,25 @@ batadv_bla_backbone_dump_bucket(struct s + { + struct batadv_bla_backbone_gw *backbone_gw; + int idx = 0; ++ int ret = 0; + + rcu_read_lock(); + hlist_for_each_entry_rcu(backbone_gw, head, hash_entry) { + if (idx++ < *idx_skip) + continue; +- if (batadv_bla_backbone_dump_entry(msg, portid, seq, +- primary_if, backbone_gw)) { ++ ++ ret = batadv_bla_backbone_dump_entry(msg, portid, seq, ++ primary_if, backbone_gw); ++ if (ret) { + *idx_skip = idx - 1; + goto unlock; + } + } + +- *idx_skip = idx; ++ *idx_skip = 0; + unlock: + rcu_read_unlock(); +- return 0; ++ return ret; + } + + /** 
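Review bot: batadv_bla_backbone_dump_bucket() now returns the result of batadv_bla_backbone_dump_entry() instead of a constant 0, so any kernel-doc describing the return value has to change with it. The comment block above the function is outside the hunk, so I cannot tell whether it was updated. Wording such as `Return: 0 if the whole bucket was dumped, otherwise the non-zero result of the failed entry dump, with *idx_skip set to the entry to resume at` would state the new contract. A short comment on `*idx_skip = 0;` noting that the resume index is per bucket and must restart at the first entry of the next one would also help. The same applies to batadv_bla_claim_dump_bucket() in the following patch.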
diff --git a/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-claims.patch b/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-claims.patch
new file mode 100644
index 00000000000..764161bbb06
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-netlink-dumping-of-bla-claims.patch
@@ -0,0 +1,65 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sven Eckelmann +Date: Sat, 24 Feb 2018 12:03:36 +0100 +Subject: batman-adv: Fix netlink dumping of BLA claims + +From: Sven Eckelmann + +[ Upstream commit b0264ecdfeab5f889b02ec54af7ca8cc1c245e2f ] + +The function batadv_bla_claim_dump_bucket must be able to handle +non-complete dumps of a single bucket. It tries to do that by saving the +latest dumped index in *idx_skip to inform the caller about the current +state. + +But the caller only assumes that buckets were not completely dumped when +the return code is non-zero. This function must therefore also return a +non-zero index when the dumping of an entry failed. Otherwise the caller +will just skip all remaining buckets. + +And the function must also reset *idx_skip back to zero when it finished a +bucket. Otherwise it will skip the same number of entries in the next +bucket as the previous one had. + +Fixes: 04f3f5bf1883 ("batman-adv: add B.A.T.M.A.N. Dump BLA claims via netlink") +Reported-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -2149,22 +2149,25 @@ batadv_bla_claim_dump_bucket(struct sk_b + { + struct batadv_bla_claim *claim; + int idx = 0; ++ int ret = 0; + + rcu_read_lock(); + hlist_for_each_entry_rcu(claim, head, hash_entry) { + if (idx++ < *idx_skip) + continue; +- if (batadv_bla_claim_dump_entry(msg, portid, seq, +- primary_if, claim)) { ++ ++ ret = batadv_bla_claim_dump_entry(msg, portid, seq, ++ primary_if, claim); ++ if (ret) { + *idx_skip = idx - 1; + goto unlock; + } + } + +- *idx_skip = idx; ++ *idx_skip = 0; + unlock: + rcu_read_unlock(); +- return 0; ++ return ret; + } + + /** 
diff --git a/queue-4.9/batman-adv-fix-packet-checksum-in-receive-path.patch b/queue-4.9/batman-adv-fix-packet-checksum-in-receive-path.patch
new file mode 100644
index 00000000000..a2a2499b5d3
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-packet-checksum-in-receive-path.patch
@@ -0,0 +1,48 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Matthias Schiffer +Date: Tue, 23 Jan 2018 10:59:49 +0100 +Subject: batman-adv: fix packet checksum in receive path + +From: Matthias Schiffer + +[ Upstream commit abd6360591d3f8259f41c34e31ac4826dfe621b8 ] + +eth_type_trans() internally calls skb_pull(), which does not adjust the +skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the +form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are +received. + +Note that in usual setups, packets don't reach batman-adv with +CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see +batadv's ethtype?), which is why the log messages do not occur on every +system using batman-adv. I could reproduce this issue by stacking +batman-adv on top of a VXLAN interface. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Tested-by: Maximilian Wilhelm +Signed-off-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/soft-interface.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -448,13 +448,7 @@ void batadv_interface_rx(struct net_devi + + /* skb->dev & skb->pkt_type are set here */ + skb->protocol = eth_type_trans(skb, soft_iface); +- +- /* should not be necessary anymore as we use skb_pull_rcsum() +- * TODO: please verify this and remove this TODO +- * -- Dec 21st 2009, Simon Wunderlich +- */ +- +- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */ ++ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); + + batadv_inc_counter(bat_priv, BATADV_CNT_RX); + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES, 
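Review bot: The added `skb_postpull_rcsum()` call in batadv_interface_rx() replaces a comment block and leaves nothing behind to explain why a checksum fix-up follows `eth_type_trans()`. Without that, the line looks redundant and is an easy target for a later cleanup, which would bring back the "hw csum failure" log messages described in the commit message. I would add above it: `/* eth_type_trans() pulls the Ethernet header without adjusting skb->csum; fix it up for CHECKSUM_COMPLETE */`. The function starts and ends outside the hunk.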
diff --git a/queue-4.9/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch b/queue-4.9/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch
new file mode 100644
index 00000000000..cb47b453f0b
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch
@@ -0,0 +1,77 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Linus Lüssing" +Date: Thu, 22 Mar 2018 00:21:32 +0100 +Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server + +From: "Linus Lüssing" + +[ Upstream commit a752c0a4524889cdc0765925258fd1fd72344100 ] + +DHCP connectivity issues can currently occur if the following conditions +are met: + +1) A DHCP packet from a client to a server +2) This packet has a multicast destination +3) This destination has a matching entry in the translation table + (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03 + for IPv6) +4) The orig-node determined by TT for the multicast destination + does not match the orig-node determined by best-gateway-selection + +In this case the DHCP packet will be dropped. + +The "gateway-out-of-range" check is supposed to only be applied to +unicasted DHCP packets to a specific DHCP server. + +In that case dropping the the unicasted frame forces the client to +retry via a broadcasted one, but now directed to the new best +gateway. + +A DHCP packet with broadcast/multicast destination is already ensured to +always be delivered to the best gateway. Dropping a multicasted +DHCP packet here will only prevent completing DHCP as there is no +other fallback. + +So far, it seems the unicast check was implicitly performed by +expecting the batadv_transtable_search() to return NULL for multicast +destinations. However, a multicast address could have always ended up in +the translation table and in fact is now common. + +To fix this potential loss of a DHCP client-to-server packet to a +multicast address this patch adds an explicit multicast destination +check to reliably bail out of the gateway-out-of-range check for such +destinations. 
+ +The issue and fix were tested in the following three node setup: + +- Line topology, A-B-C +- A: gateway client, DHCP client +- B: gateway server, hop-penalty increased: 30->60, DHCP server +- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF + +Without this patch, A would never transmit its DHCP Discover packet +due to an always "out-of-range" condition. With this patch, +a full DHCP handshake between A and B was possible again. + +Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code") +Signed-off-by: Linus LÃŒssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/gateway_client.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -715,6 +715,9 @@ bool batadv_gw_out_of_range(struct batad + + vid = batadv_get_vid(skb, 0); + ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ goto out; ++ + orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source, + ethhdr->h_dest, vid); + if (!orig_dst_node) diff --git a/queue-4.9/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch b/queue-4.9/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch new file mode 100644 index 00000000000..4e7d3bb17e6 --- /dev/null +++ b/queue-4.9/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch 
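Review bot: The new `goto out` for multicast destinations in batadv_gw_out_of_range() has no comment, and what it returns depends on how the return variable is initialised and on the `out:` cleanup, both of which are outside the hunk. A reader of the function alone cannot tell that this is a deliberate "not out of range" answer. I would add above the check: `/* the out-of-range check only applies to unicast DHCP; broadcast/multicast is already delivered to the best gateway */`. Because the jump now happens before `batadv_transtable_search()`, it is also worth confirming that the `out:` path tolerates the node pointers still being unset.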
@@ -0,0 +1,90 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sven Eckelmann +Date: Fri, 16 Mar 2018 21:14:32 +0100 +Subject: batman-adv: Fix skbuff rcsum on packet reroute + +From: Sven Eckelmann + +[ Upstream commit fc04fdb2c8a894283259f5621d31d75610701091 ] + +batadv_check_unicast_ttvn may redirect a packet to itself or another +originator. This involves rewriting the ttvn and the destination address in +the batadv unicast header. These field were not yet pulled (with skb rcsum +update) and thus any change to them also requires a change in the receive +checksum. + +Reported-by: Matthias Schiffer +Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/routing.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -724,6 +724,7 @@ out: + /** + * batadv_reroute_unicast_packet - update the unicast header for re-routing + * @bat_priv: the bat priv with all the soft interface information ++ * @skb: unicast packet to process + * @unicast_packet: the unicast header to be updated + * @dst_addr: the payload destination + * @vid: VLAN identifier +@@ -735,7 +736,7 @@ out: + * Return: true if the packet header has been updated, false otherwise + */ + static bool +-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, ++batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb, + struct batadv_unicast_packet *unicast_packet, + u8 *dst_addr, unsigned short vid) + { +@@ -764,8 +765,10 @@ batadv_reroute_unicast_packet(struct bat + } + + /* update the packet header */ ++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + ether_addr_copy(unicast_packet->dest, orig_addr); + unicast_packet->ttvn = orig_ttvn; ++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + + 
ret = true; + out: +@@ -806,7 +809,7 @@ static bool batadv_check_unicast_ttvn(st + * the packet to + */ + if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) { +- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, ++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet, + ethhdr->h_dest, vid)) + batadv_dbg_ratelimited(BATADV_DBG_TT, + bat_priv, +@@ -852,7 +855,7 @@ static bool batadv_check_unicast_ttvn(st + * destination can possibly be updated and forwarded towards the new + * target host + */ +- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, ++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet, + ethhdr->h_dest, vid)) { + batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv, + "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n", +@@ -875,12 +878,14 @@ static bool batadv_check_unicast_ttvn(st + if (!primary_if) + return false; + ++ /* update the packet header */ ++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr); ++ unicast_packet->ttvn = curr_ttvn; ++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + + batadv_hardif_put(primary_if); + +- unicast_packet->ttvn = curr_ttvn; +- + return true; + } + diff --git a/queue-4.9/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch b/queue-4.9/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch new file mode 100644 index 00000000000..7c8a6415896 --- /dev/null +++ b/queue-4.9/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch 
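Review bot: The same four-line sequence (`skb_postpull_rcsum()`, rewrite `dest`, rewrite `ttvn`, `skb_postpush_rcsum()`) now appears in both batadv_reroute_unicast_packet() and the tail of batadv_check_unicast_ttvn() in net/batman-adv/routing.c. A future header edit that copies only the two middle lines would silently bring the checksum mismatch back, so the pairing should live in one small static helper that both sites call. The helper name below is only a suggestion, and I am assuming `ttvn` is a `u8`, since the field's declaration is not in the hunk. Both functions start and end outside the hunks shown.

```c
/* Rewrite dest/ttvn of a unicast header that is still covered by the
 * receive checksum, keeping a CHECKSUM_COMPLETE value consistent.
 */
static void batadv_unicast_hdr_set(struct sk_buff *skb,
				   struct batadv_unicast_packet *unicast_packet,
				   const u8 *dest, u8 ttvn)
{
	skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
	ether_addr_copy(unicast_packet->dest, dest);
	unicast_packet->ttvn = ttvn;
	skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
}

/* … unchanged: batadv_reroute_unicast_packet() up to "update the packet header" … */
	batadv_unicast_hdr_set(skb, unicast_packet, orig_addr, orig_ttvn);

/* … unchanged: batadv_check_unicast_ttvn() up to the primary_if lookup … */
	batadv_unicast_hdr_set(skb, unicast_packet,
			       primary_if->net_dev->dev_addr, curr_ttvn);
```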
@@ -0,0 +1,36 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sven Eckelmann +Date: Mon, 19 Feb 2018 14:08:52 +0100 +Subject: batman-adv: Ignore invalid batadv_iv_gw during netlink send + +From: Sven Eckelmann + +[ Upstream commit 10d570284258a30dc104c50787c5289ec49f3d23 ] + +The function batadv_iv_gw_dump stops the processing loop when +batadv_iv_gw_dump_entry returns a non-0 return code. This should only +happen when the buffer is full. Otherwise, an empty message may be +returned by batadv_gw_dump. This empty message will then stop the netlink +dumping of gateway entries. At worst, not a single entry is returned to +userspace even when plenty of possible gateways exist. + +Fixes: efb766af06e3 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -2705,7 +2705,7 @@ static int batadv_iv_gw_dump_entry(struc + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; + struct batadv_gw_node *curr_gw; +- int ret = -EINVAL; ++ int ret = 0; + void *hdr; + + router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT); diff --git a/queue-4.9/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch b/queue-4.9/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch new file mode 100644 index 00000000000..a77971e919d --- /dev/null +++ b/queue-4.9/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch 
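Review bot: With `ret` now initialised to 0 in batadv_iv_gw_dump_entry(), every early exit that leaves `ret` untouched reports success, so the meaning of the return value should be written down where it is declared. I would add a comment there: `/* 0: entry written or skipped; non-zero only when the netlink message is full */`. The rest of the function is outside the hunk, so I cannot confirm that the genuine failure paths set `ret` explicitly; that is worth checking, since the old `-EINVAL` default no longer covers them. The same applies to batadv_v_gw_dump_entry() in the next patch.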
@@ -0,0 +1,36 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sven Eckelmann +Date: Mon, 19 Feb 2018 14:08:53 +0100 +Subject: batman-adv: Ignore invalid batadv_v_gw during netlink send + +From: Sven Eckelmann + +[ Upstream commit 011c935fceae5252619ef730baa610c655281dda ] + +The function batadv_v_gw_dump stops the processing loop when +batadv_v_gw_dump_entry returns a non-0 return code. This should only +happen when the buffer is full. Otherwise, an empty message may be +returned by batadv_gw_dump. This empty message will then stop the netlink +dumping of gateway entries. At worst, not a single entry is returned to +userspace even when plenty of possible gateways exist. + +Fixes: b71bb6f924fe ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -920,7 +920,7 @@ static int batadv_v_gw_dump_entry(struct + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; + struct batadv_gw_node *curr_gw; +- int ret = -EINVAL; ++ int ret = 0; + void *hdr; + + router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT); diff --git a/queue-4.9/batman-adv-invalidate-checksum-on-fragment-reassembly.patch b/queue-4.9/batman-adv-invalidate-checksum-on-fragment-reassembly.patch new file mode 100644 index 00000000000..2ddd5955bdd --- /dev/null +++ b/queue-4.9/batman-adv-invalidate-checksum-on-fragment-reassembly.patch 
@@ -0,0 +1,44 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Matthias Schiffer +Date: Tue, 23 Jan 2018 10:59:50 +0100 +Subject: batman-adv: invalidate checksum on fragment reassembly + +From: Matthias Schiffer + +[ Upstream commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a ] + +A more sophisticated implementation could try to combine fragment checksums +when all fragments have CHECKSUM_COMPLETE and are split at even offsets. +For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure" +warnings in the kernel log when fragmented frames are received. In +consequence, skb_pull_rcsum() can be replaced with skb_pull(). + +Note that in usual setups, packets don't reach batman-adv with +CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see +batadv's ethtype?), which is why the log messages do not occur on every +system using batman-adv. I could reproduce this issue by stacking +batman-adv on top of a VXLAN interface. + +Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") +Tested-by: Maximilian Wilhelm +Signed-off-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/fragmentation.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -276,7 +276,8 @@ batadv_frag_merge_packets(struct hlist_h + /* Move the existing MAC header to just before the payload. (Override + * the fragment header.) + */ +- skb_pull_rcsum(skb_out, hdr_size); ++ skb_pull(skb_out, hdr_size); ++ skb_out->ip_summed = CHECKSUM_NONE; + memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN); + skb_set_mac_header(skb_out, -ETH_HLEN); + skb_reset_network_header(skb_out); 
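Review bot: The new `skb_out->ip_summed = CHECKSUM_NONE;` in batadv_frag_merge_packets() lands in the middle of the statements covered by the existing "Move the existing MAC header" comment and has no explanation of its own. A reader could take it for part of the header move, or drop it when switching back to `skb_pull_rcsum()`. I would put a one-line comment directly above it: `/* fragment checksums are not combined; mark the merged skb CHECKSUM_NONE */`. The function starts and ends outside the hunk.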
diff --git a/queue-4.9/bcache-fix-for-allocator-and-register-thread-race.patch b/queue-4.9/bcache-fix-for-allocator-and-register-thread-race.patch
new file mode 100644
index 00000000000..fd3e4c46110
--- /dev/null
+++ b/queue-4.9/bcache-fix-for-allocator-and-register-thread-race.patch
@@ -0,0 +1,166 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tang Junhui +Date: Wed, 7 Feb 2018 11:41:43 -0800 +Subject: bcache: fix for allocator and register thread race + +From: Tang Junhui + +[ Upstream commit 682811b3ce1a5a4e20d700939a9042f01dbc66c4 ] + +After long time running of random small IO writing, +I reboot the machine, and after the machine power on, +I found bcache got stuck, the stack is: +[root@ceph153 ~]# cat /proc/2510/task/*/stack +[] closure_sync+0x25/0x90 [bcache] +[] bch_journal+0x118/0x2b0 [bcache] +[] bch_journal_meta+0x47/0x70 [bcache] +[] bch_prio_write+0x237/0x340 [bcache] +[] bch_allocator_thread+0x3c8/0x3d0 [bcache] +[] kthread+0xcf/0xe0 +[] ret_from_fork+0x58/0x90 +[] 0xffffffffffffffff +[root@ceph153 ~]# cat /proc/2038/task/*/stack +[] __bch_btree_map_nodes+0x12d/0x150 [bcache] +[] bch_btree_insert+0xf1/0x170 [bcache] +[] bch_journal_replay+0x13f/0x230 [bcache] +[] run_cache_set+0x79a/0x7c2 [bcache] +[] register_bcache+0xd48/0x1310 [bcache] +[] kobj_attr_store+0xf/0x20 +[] sysfs_write_file+0xc6/0x140 +[] vfs_write+0xbd/0x1e0 +[] SyS_write+0x7f/0xe0 +[] system_call_fastpath+0x16/0x1 +The stack shows the register thread and allocator thread +were getting stuck when registering cache device. + +I reboot the machine several times, the issue always +exsit in this machine. + +I debug the code, and found the call trace as bellow: +register_bcache() + ==>run_cache_set() + ==>bch_journal_replay() + ==>bch_btree_insert() + ==>__bch_btree_map_nodes() + ==>btree_insert_fn() + ==>btree_split() //node need split + ==>btree_check_reserve() +In btree_check_reserve(), It will check if there is enough buckets +of RESERVE_BTREE type, since allocator thread did not work yet, so +no buckets of RESERVE_BTREE type allocated, so the register thread +waits on c->btree_cache_wait, and goes to sleep. 
+ +Then the allocator thread initialized, the call trace is bellow: +bch_allocator_thread() +==>bch_prio_write() + ==>bch_journal_meta() + ==>bch_journal() + ==>journal_wait_for_write() +In journal_wait_for_write(), It will check if journal is full by +journal_full(), but the long time random small IO writing +causes the exhaustion of journal buckets(journal.blocks_free=0), +In order to release the journal buckets, +the allocator calls btree_flush_write() to flush keys to +btree nodes, and waits on c->journal.wait until btree nodes writing +over or there has already some journal buckets space, then the +allocator thread goes to sleep. but in btree_flush_write(), since +bch_journal_replay() is not finished, so no btree nodes have journal +(condition "if (btree_current_write(b)->journal)" never satisfied), +so we got no btree node to flush, no journal bucket released, +and allocator sleep all the times. + +Through the above analysis, we can see that: +1) Register thread wait for allocator thread to allocate buckets of + RESERVE_BTREE type; +2) Alloctor thread wait for register thread to replay journal, so it + can flush btree nodes and get journal bucket. + then they are all got stuck by waiting for each other. + +Hua Rui provided a patch for me, by allocating some buckets of +RESERVE_BTREE type in advance, so the register thread can get bucket +when btree node splitting and no need to waiting for the allocator +thread. I tested it, it has effect, and register thread run a step +forward, but finally are still got stuck, the reason is only 8 bucket +of RESERVE_BTREE type were allocated, and in bch_journal_replay(), +after 2 btree nodes splitting, only 4 bucket of RESERVE_BTREE type left, +then btree_check_reserve() is not satisfied anymore, so it goes to sleep +again, and in the same time, alloctor thread did not flush enough btree +nodes to release a journal bucket, so they all got stuck again. 
+ +So we need to allocate more buckets of RESERVE_BTREE type in advance, +but how much is enough? By experience and test, I think it should be +as much as journal buckets. Then I modify the code as this patch, +and test in the machine, and it works. + +This patch modified base on Hua Rui’s patch, and allocate more buckets +of RESERVE_BTREE type in advance to avoid register thread and allocate +thread going to wait for each other. + +[patch v2] ca->sb.njournal_buckets would be 0 in the first time after +cache creation, and no journal exists, so just 8 btree buckets is OK. + +Signed-off-by: Hua Rui +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 9 ++++++--- + drivers/md/bcache/super.c | 13 ++++++++++++- + 2 files changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1864,14 +1864,17 @@ void bch_initial_gc_finish(struct cache_ + */ + for_each_cache(ca, c, i) { + for_each_bucket(b, ca) { +- if (fifo_full(&ca->free[RESERVE_PRIO])) ++ if (fifo_full(&ca->free[RESERVE_PRIO]) && ++ fifo_full(&ca->free[RESERVE_BTREE])) + break; + + if (bch_can_invalidate_bucket(ca, b) && + !GC_MARK(b)) { + __bch_invalidate_one_bucket(ca, b); +- fifo_push(&ca->free[RESERVE_PRIO], +- b - ca->buckets); ++ if (!fifo_push(&ca->free[RESERVE_PRIO], ++ b - ca->buckets)) ++ fifo_push(&ca->free[RESERVE_BTREE], ++ b - ca->buckets); + } + } + } +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1831,6 +1831,7 @@ void bch_cache_release(struct kobject *k + static int cache_alloc(struct cache *ca) + { + size_t free; ++ size_t btree_buckets; + struct bucket *b; + + __module_get(THIS_MODULE); +@@ -1840,9 +1841,19 @@ static int cache_alloc(struct cache *ca) + ca->journal.bio.bi_max_vecs = 8; + ca->journal.bio.bi_io_vec = ca->journal.bio.bi_inline_vecs; + ++ /* ++ * when ca->sb.njournal_buckets is not 
zero, journal exists, ++ * and in bch_journal_replay(), tree node may split, ++ * so bucket of RESERVE_BTREE type is needed, ++ * the worst situation is all journal buckets are valid journal, ++ * and all the keys need to replay, ++ * so the number of RESERVE_BTREE type buckets should be as much ++ * as journal buckets ++ */ ++ btree_buckets = ca->sb.njournal_buckets ?: 8; + free = roundup_pow_of_two(ca->sb.nbuckets) >> 10; + +- if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) || ++ if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) || + !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) || diff --git a/queue-4.9/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch b/queue-4.9/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch new file mode 100644 index 00000000000..dfad23b0bfa --- /dev/null +++ b/queue-4.9/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch 
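Review bot: In cache_alloc(), `ca->sb.njournal_buckets ?: 8` falls back to 8 only when the count is exactly zero, so a non-zero count below 8 would make the RESERVE_BTREE fifo smaller than the fixed size it had before this change. If 8 is meant as a floor, `btree_buckets = max_t(size_t, ca->sb.njournal_buckets, 8);` expresses that. The count is read from the superblock copy in `ca->sb` and now sizes an allocation; I assume it is range-checked when the superblock is read, but that code is not in this hunk and should be confirmed. cache_alloc() continues outside the hunk.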
@@ -0,0 +1,121 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tang Junhui +Date: Wed, 7 Feb 2018 11:41:46 -0800 +Subject: bcache: fix for data collapse after re-attaching an attached device + +From: Tang Junhui + +[ Upstream commit 73ac105be390c1de42a2f21643c9778a5e002930 ] + +back-end device sdm has already attached a cache_set with ID +f67ebe1f-f8bc-4d73-bfe5-9dc88607f119, then try to attach with +another cache set, and it returns with an error: +[root]# cd /sys/block/sdm/bcache +[root]# echo 5ccd0a63-148e-48b8-afa2-aca9cbd6279f > attach +-bash: echo: write error: Invalid argument + +After that, execute a command to modify the label of bcache +device: +[root]# echo data_disk1 > label + +Then we reboot the system, when the system power on, the back-end +device can not attach to cache_set, a messages show in the log: +Feb 5 12:05:52 ceph152 kernel: [922385.508498] bcache: +bch_cached_dev_attach() couldn't find uuid for sdm in set + +In sysfs_attach(), dc->sb.set_uuid was assigned to the value +which input through sysfs, no matter whether it is success +or not in bch_cached_dev_attach(). For example, If the back-end +device has already attached to an cache set, bch_cached_dev_attach() +would fail, but dc->sb.set_uuid was changed. Then modify the +label of bcache device, it will call bch_write_bdev_super(), +which would write the dc->sb.set_uuid to the super block, so we +record a wrong cache set ID in the super block, after the system +reboot, the cache set couldn't find the uuid of the back-end +device, so the bcache device couldn't exist and use any more. + +In this patch, we don't assigned cache set ID to dc->sb.set_uuid +in sysfs_attach() directly, but input it into bch_cached_dev_attach(), +and assigned dc->sb.set_uuid to the cache set ID after the back-end +device attached to the cache set successful. 
+ +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bcache.h | 2 +- + drivers/md/bcache/super.c | 10 ++++++---- + drivers/md/bcache/sysfs.c | 6 ++++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -904,7 +904,7 @@ void bcache_write_super(struct cache_set + + int bch_flash_dev_create(struct cache_set *c, uint64_t size); + +-int bch_cached_dev_attach(struct cached_dev *, struct cache_set *); ++int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *); + void bch_cached_dev_detach(struct cached_dev *); + void bch_cached_dev_run(struct cached_dev *); + void bcache_device_stop(struct bcache_device *); +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -938,7 +938,8 @@ void bch_cached_dev_detach(struct cached + cached_dev_put(dc); + } + +-int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) ++int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c, ++ uint8_t *set_uuid) + { + uint32_t rtime = cpu_to_le32(get_seconds()); + struct uuid_entry *u; +@@ -947,7 +948,8 @@ int bch_cached_dev_attach(struct cached_ + + bdevname(dc->bdev, buf); + +- if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)) ++ if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) || ++ (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))) + return -ENOENT; + + if (dc->disk.c) { +@@ -1191,7 +1193,7 @@ static void register_bdev(struct cache_s + + list_add(&dc->list, &uncached_devices); + list_for_each_entry(c, &bch_cache_sets, list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE || + BDEV_STATE(&dc->sb) == BDEV_STATE_STALE) +@@ -1714,7 +1716,7 @@ static void run_cache_set(struct cache_s + bcache_write_super(c); + + list_for_each_entry_safe(dc, t, &uncached_devices, 
list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + flash_devs_run(c); + +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -263,11 +263,13 @@ STORE(__cached_dev) + } + + if (attr == &sysfs_attach) { +- if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16) ++ uint8_t set_uuid[16]; ++ ++ if (bch_parse_uuid(buf, set_uuid) < 16) + return -EINVAL; + + list_for_each_entry(c, &bch_cache_sets, list) { +- v = bch_cached_dev_attach(dc, c); ++ v = bch_cached_dev_attach(dc, c, set_uuid); + if (!v) + return size; + } diff --git a/queue-4.9/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch b/queue-4.9/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch new file mode 100644 index 00000000000..c9704e546c1 --- /dev/null +++ b/queue-4.9/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch 
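Review bot: bch_cached_dev_attach() only reads the new `set_uuid` argument in the lines shown, so it should be `const uint8_t *set_uuid` in both the bcache.h prototype and the super.c definition; the prototype also leaves the parameter unnamed. The doubled `memcmp()` condition is easier to follow as a selection followed by one comparison: declare `const uint8_t *uuid = set_uuid ? set_uuid : dc->sb.set_uuid;` with the other locals and test `if (memcmp(uuid, c->sb.set_uuid, 16))`. The commit message says `dc->sb.set_uuid` is assigned after a successful attach, but no such assignment appears in these hunks. Presumably it lives in unchanged code further down the function, which is worth confirming, because the sysfs path no longer writes that field itself.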
@@ -0,0 +1,99 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tang Junhui +Date: Tue, 27 Feb 2018 09:49:30 -0800 +Subject: bcache: fix kcrashes with fio in RAID5 backend dev + +From: Tang Junhui + +[ Upstream commit 60eb34ec5526e264c2bbaea4f7512d714d791caf ] + +Kernel crashed when run fio in a RAID5 backend bcache device, the call +trace is bellow: +[ 440.012034] kernel BUG at block/blk-ioc.c:146! +[ 440.012696] invalid opcode: 0000 [#1] SMP NOPTI +[ 440.026537] CPU: 2 PID: 2205 Comm: md127_raid5 Not tainted 4.15.0 #8 +[ 440.027441] Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 07/16 +/2015 +[ 440.028615] RIP: 0010:put_io_context+0x8b/0x90 +[ 440.029246] RSP: 0018:ffffa8c882b43af8 EFLAGS: 00010246 +[ 440.029990] RAX: 0000000000000000 RBX: ffffa8c88294fca0 RCX: 0000000000 +0f4240 +[ 440.031006] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffffa8c882 +94fca0 +[ 440.032030] RBP: ffffa8c882b43b10 R08: 0000000000000003 R09: ffff949cb8 +0c1700 +[ 440.033206] R10: 0000000000000104 R11: 000000000000b71c R12: 00000000000 +01000 +[ 440.034222] R13: 0000000000000000 R14: ffff949cad84db70 R15: ffff949cb11 +bd1e0 +[ 440.035239] FS: 0000000000000000(0000) GS:ffff949cba280000(0000) knlGS: +0000000000000000 +[ 440.060190] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 440.084967] CR2: 00007ff0493ef000 CR3: 00000002f1e0a002 CR4: 00000000001 +606e0 +[ 440.110498] Call Trace: +[ 440.135443] bio_disassociate_task+0x1b/0x60 +[ 440.160355] bio_free+0x1b/0x60 +[ 440.184666] bio_put+0x23/0x30 +[ 440.208272] search_free+0x23/0x40 [bcache] +[ 440.231448] cached_dev_write_complete+0x31/0x70 [bcache] +[ 440.254468] closure_put+0xb6/0xd0 [bcache] +[ 440.277087] request_endio+0x30/0x40 [bcache] +[ 440.298703] bio_endio+0xa1/0x120 +[ 440.319644] handle_stripe+0x418/0x2270 [raid456] +[ 440.340614] ? load_balance+0x17b/0x9c0 +[ 440.360506] handle_active_stripes.isra.58+0x387/0x5a0 [raid456] +[ 440.380675] ? 
__release_stripe+0x15/0x20 [raid456] +[ 440.400132] raid5d+0x3ed/0x5d0 [raid456] +[ 440.419193] ? schedule+0x36/0x80 +[ 440.437932] ? schedule_timeout+0x1d2/0x2f0 +[ 440.456136] md_thread+0x122/0x150 +[ 440.473687] ? wait_woken+0x80/0x80 +[ 440.491411] kthread+0x102/0x140 +[ 440.508636] ? find_pers+0x70/0x70 +[ 440.524927] ? kthread_associate_blkcg+0xa0/0xa0 +[ 440.541791] ret_from_fork+0x35/0x40 +[ 440.558020] Code: c2 48 00 5b 41 5c 41 5d 5d c3 48 89 c6 4c 89 e7 e8 bb c2 +48 00 48 8b 3d bc 36 4b 01 48 89 de e8 7c f7 e0 ff 5b 41 5c 41 5d 5d c3 <0f> 0b +0f 1f 00 0f 1f 44 00 00 55 48 8d 47 b8 48 89 e5 41 57 41 +[ 440.610020] RIP: put_io_context+0x8b/0x90 RSP: ffffa8c882b43af8 +[ 440.628575] ---[ end trace a1fd79d85643a73e ]-- + +All the crash issue happened when a bypass IO coming, in such scenario +s->iop.bio is pointed to the s->orig_bio. In search_free(), it finishes the +s->orig_bio by calling bio_complete(), and after that, s->iop.bio became +invalid, then kernel would crash when calling bio_put(). Maybe its upper +layer's faulty, since bio should not be freed before we calling bio_put(), +but we'd better calling bio_put() first before calling bio_complete() to +notify upper layer ending this bio. + +This patch moves bio_complete() under bio_put() to avoid kernel crash. 
+ +[mlyle: fixed commit subject for character limits] + +Reported-by: Matthias Ferdinand +Tested-by: Matthias Ferdinand +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -633,11 +633,11 @@ static void do_bio_hook(struct search *s + static void search_free(struct closure *cl) + { + struct search *s = container_of(cl, struct search, cl); +- bio_complete(s); + + if (s->iop.bio) + bio_put(s->iop.bio); + ++ bio_complete(s); + closure_debug_destroy(cl); + mempool_free(s, s->d->c->search); + } diff --git a/queue-4.9/bcache-properly-set-task-state-in-bch_writeback_thread.patch b/queue-4.9/bcache-properly-set-task-state-in-bch_writeback_thread.patch new file mode 100644 index 00000000000..5ccf86454f6 --- /dev/null +++ b/queue-4.9/bcache-properly-set-task-state-in-bch_writeback_thread.patch 
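Review bot: The new statement order in `search_free()` is load-bearing, but nothing in the code says so. Per the commit message, on a bypass I/O `s->iop.bio` points at `s->orig_bio`, so completing the bio before `bio_put()` leaves `bio_put()` working on a bio that may already be gone (the `put_io_context` BUG in the trace). A comment above the `if (s->iop.bio)` block would stop a later cleanup from moving the call back, for example `/* drop the iop.bio reference before bio_complete(): in the bypass case iop.bio is orig_bio and completion may release it */`. It would also help to state why the bio is still valid for `bio_complete()` after the put; presumably the bypass path holds an extra reference, but that code is outside this hunk.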
@@ -0,0 +1,112 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Coly Li +Date: Wed, 7 Feb 2018 11:41:41 -0800 +Subject: bcache: properly set task state in bch_writeback_thread() + +From: Coly Li + +[ Upstream commit 99361bbf26337186f02561109c17a4c4b1a7536a ] + +Kernel thread routine bch_writeback_thread() has the following code block, + +447 down_write(&dc->writeback_lock); +448~450 if (check conditions) { +451 up_write(&dc->writeback_lock); +452 set_current_state(TASK_INTERRUPTIBLE); +453 +454 if (kthread_should_stop()) +455 return 0; +456 +457 schedule(); +458 continue; +459 } + +If condition check is true, its task state is set to TASK_INTERRUPTIBLE +and call schedule() to wait for others to wake up it. + +There are 2 issues in current code, +1, Task state is set to TASK_INTERRUPTIBLE after the condition checks, if + another process changes the condition and call wake_up_process(dc-> + writeback_thread), then at line 452 task state is set back to + TASK_INTERRUPTIBLE, the writeback kernel thread will lose a chance to be + waken up. +2, At line 454 if kthread_should_stop() is true, writeback kernel thread + will return to kernel/kthread.c:kthread() with TASK_INTERRUPTIBLE and + call do_exit(). It is not good to enter do_exit() with task state + TASK_INTERRUPTIBLE, in following code path might_sleep() is called and a + warning message is reported by __might_sleep(): "WARNING: do not call + blocking ops when !TASK_RUNNING; state=1 set at [xxxx]". + +For the first issue, task state should be set before condition checks. +Ineed because dc->writeback_lock is required when modifying all the +conditions, calling set_current_state() inside code block where dc-> +writeback_lock is hold is safe. But this is quite implicit, so I still move +set_current_state() before all the condition checks. 
+ +For the second issue, frankley speaking it does not hurt when kernel thread +exits with TASK_INTERRUPTIBLE state, but this warning message scares users, +makes them feel there might be something risky with bcache and hurt their +data. Setting task state to TASK_RUNNING before returning fixes this +problem. + +In alloc.c:allocator_wait(), there is also a similar issue, and is also +fixed in this patch. + +Changelog: +v3: merge two similar fixes into one patch +v2: fix the race issue in v1 patch. +v1: initial buggy fix. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/alloc.c | 4 +++- + drivers/md/bcache/writeback.c | 7 +++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -284,8 +284,10 @@ do { \ + break; \ + \ + mutex_unlock(&(ca)->set->bucket_lock); \ +- if (kthread_should_stop()) \ ++ if (kthread_should_stop()) { \ ++ set_current_state(TASK_RUNNING); \ + return 0; \ ++ } \ + \ + schedule(); \ + mutex_lock(&(ca)->set->bucket_lock); \ +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -420,18 +420,21 @@ static int bch_writeback_thread(void *ar + + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); ++ set_current_state(TASK_INTERRUPTIBLE); + if (!atomic_read(&dc->has_dirty) || + (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && + !dc->writeback_running)) { + up_write(&dc->writeback_lock); +- set_current_state(TASK_INTERRUPTIBLE); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ set_current_state(TASK_RUNNING); + return 0; ++ } + + schedule(); + continue; + } ++ set_current_state(TASK_RUNNING); + + searched_full_index = refill_dirty(dc); + 
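Review bot: `set_current_state(TASK_INTERRUPTIBLE)` now sits between `down_write(&dc->writeback_lock)` and the condition check in `bch_writeback_thread()` without a comment. The reason for that position is only in the commit message: a `wake_up_process()` arriving after the check but before the state change would otherwise be lost. I would add `/* set the state before testing the sleep conditions so a concurrent wake_up_process() is not lost */` above it. For the sites that restore `TASK_RUNNING` (the macro in alloc.c and both places in writeback.c), `__set_current_state(TASK_RUNNING)` is the usual kernel form, since no ordering against a later condition test is needed there. The loop body continues outside the hunk.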
diff --git a/queue-4.9/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch b/queue-4.9/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch new file mode 100644 index 00000000000..263c4d13870 --- /dev/null +++ b/queue-4.9/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch 
@@ -0,0 +1,132 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:15 -0700 +Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set + +From: Coly Li + +[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ] + +In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()", +cached_dev_get() is called when creating dc->writeback_thread, and +cached_dev_put() is called when exiting dc->writeback_thread. This +modification works well unless people detach the bcache device manually by + 'echo 1 > /sys/block/bcache/bcache/detach' +Because this sysfs interface only calls bch_cached_dev_detach() which wakes +up dc->writeback_thread but does not stop it. The reason is, before patch +"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside +bch_writeback_thread(), if cache is not dirty after writeback, +cached_dev_put() will be called here. And in cached_dev_make_request() when +a new write request makes cache from clean to dirty, cached_dev_get() will +be called there. Since we don't operate dc->count in these locations, +refcount d->count cannot be dropped after cache becomes clean, and +cached_dev_detach_finish() won't be called to detach bcache device. + +This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is +set inside bch_writeback_thread(). If this bit is set and cache is clean +(no existing writeback_keys), break the while-loop, call cached_dev_put() +and quit the writeback thread. + +Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the +writeback thread should continue to perform writeback, this is the original +design of manually detach. 
+ +It is safe to do the following check without locking, let me explain why, ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + +If the kenrel thread does not sleep and continue to run due to conditions +are not updated in time on the running CPU core, it just consumes more CPU +cycles and has no hurt. This should-sleep-but-run is safe here. We just +focus on the should-run-but-sleep condition, which means the writeback +thread goes to sleep in mistake while it should continue to run. +1, First of all, no matter the writeback thread is hung or not, + kthread_stop() from cached_dev_detach_finish() will wake up it and + terminate by making kthread_should_stop() return true. And in normal + run time, bit on index BCACHE_DEV_DETACHING is always cleared, the + condition + !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) + is always true and can be ignored as constant value. +2, If one of the following conditions is true, the writeback thread should + go to sleep, + "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)" + each of them independently controls the writeback thread should sleep or + not, let's analyse them one by one. +2.1 condition "!atomic_read(&dc->has_dirty)" + If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will + call bch_writeback_queue() immediately or call bch_writeback_add() which + indirectly calls bch_writeback_queue() too. In bch_writeback_queue(), + wake_up_process(dc->writeback_thread) is called. It sets writeback + thread's task state to TASK_RUNNING and following an implicit memory + barrier, then tries to wake up the writeback thread. + In writeback thread, its task state is set to TASK_INTERRUPTIBLE before + doing the condition check. If other CPU core sets the TASK_RUNNING state + after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread + will be scheduled to run very soon because its state is not + TASK_INTERRUPTIBLE. 
If other CPU core sets the TASK_RUNNING state before + writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier + of wake_up_process() will make sure modification of dc->has_dirty on + other CPU core is updated and observed on the CPU core of writeback + thread. Therefore the condition check will correctly be false, and + continue writeback code without sleeping. +2.2 condition "!dc->writeback_running)" + dc->writeback_running can be changed via sysfs file, every time it is + modified, a following bch_writeback_queue() is alwasy called. So the + change is always observed on the CPU core of writeback thread. If + dc->writeback_running is changed from 0 to 1 on other CPU core, this + condition check will observe the modification and allow writeback + thread to continue to run without sleeping. +Now we can see, even without a locking protection, multiple conditions +check is safe here, no deadlock or process hang up will happen. + +I compose a separte patch because that patch "bcache: fix cached_dev->count +usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes +Reinecke. Also this fix is not trivial and good for a separate patch. + +Signed-off-by: Coly Li +Reviewed-by: Michael Lyle +Cc: Hannes Reinecke +Cc: Huijun Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/writeback.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -421,9 +421,15 @@ static int bch_writeback_thread(void *ar + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); + set_current_state(TASK_INTERRUPTIBLE); +- if (!atomic_read(&dc->has_dirty) || +- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && +- !dc->writeback_running)) { ++ /* ++ * If the bache device is detaching, skip here and continue ++ * to perform writeback. 
Otherwise, if no dirty data on cache, ++ * or there is dirty data on cache but writeback is disabled, ++ * the writeback thread should sleep here and wait for others ++ * to wake up it. ++ */ ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + up_write(&dc->writeback_lock); + + if (kthread_should_stop()) { +@@ -444,6 +450,14 @@ static int bch_writeback_thread(void *ar + cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); ++ /* ++ * If bcache device is detaching via sysfs interface, ++ * writeback thread should stop after there is no dirty ++ * data on cache. BCACHE_DEV_DETACHING flag is set in ++ * bch_cached_dev_detach(). ++ */ ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ break; + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.9/bcache-return-attach-error-when-no-cache-set-exist.patch b/queue-4.9/bcache-return-attach-error-when-no-cache-set-exist.patch new file mode 100644 index 00000000000..44d73d67510 --- /dev/null +++ b/queue-4.9/bcache-return-attach-error-when-no-cache-set-exist.patch 
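Review bot: The added `break` in the second writeback.c hunk leaves the `while` loop with `dc->writeback_lock` still held for write. `down_write()` is taken at the top of each iteration, and the matching `up_write(&dc->writeback_lock)` is the line right after the closing brace, which `break` skips. Unless code after the loop (outside this hunk) releases it, the thread exits holding the rwsem and every later `down_read()`/`down_write()` on it blocks. Releasing before leaving the loop fixes it: `if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) { up_write(&dc->writeback_lock); break; }`.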
@@ -0,0 +1,60 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Tang Junhui
+Date: Wed, 7 Feb 2018 11:41:45 -0800
+Subject: bcache: return attach error when no cache set exist
+
+From: Tang Junhui
+
+[ Upstream commit 7f4fc93d4713394ee8f1cd44c238e046e11b4f15 ]
+
+I attach a back-end device to a cache set, and the cache set is not
+registered yet, this back-end device did not attach successfully, and no
+error returned:
+[root]# echo 87859280-fec6-4bcc-20df7ca8f86b > /sys/block/sde/bcache/attach
+[root]#
+
+In sysfs_attach(), the return value "v" is initialized to "size" in
+the beginning, and if no cache set exist in bch_cache_sets, the "v" value
+would not change any more, and return to sysfs, sysfs regard it as success
+since the "size" is a positive number.
+
+This patch fixes this issue by assigning "v" with "-ENOENT" in the
+initialization.
+
+Signed-off-by: Tang Junhui
+Reviewed-by: Michael Lyle
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -191,7 +191,7 @@ STORE(__cached_dev)
+ {
+ struct cached_dev *dc = container_of(kobj, struct cached_dev,
+ disk.kobj);
+- ssize_t v = size;
++ ssize_t v;
+ struct cache_set *c;
+ struct kobj_uevent_env *env;
+
+@@ -268,6 +268,7 @@ STORE(__cached_dev)
+ if (bch_parse_uuid(buf, set_uuid) < 16)
+ return -EINVAL;
+
++ v = -ENOENT;
+ list_for_each_entry(c, &bch_cache_sets, list) {
+ v = bch_cached_dev_attach(dc, c, set_uuid);
+ if (!v)
+@@ -275,7 +276,7 @@ STORE(__cached_dev)
+ }
+
+ pr_err("Can't attach %s: cache set not found", buf);
+- size = v;
++ return v;
+ }
+
+ if (attr == &sysfs_detach && dc->disk.c)
diff --git a/queue-4.9/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch b/queue-4.9/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch
new file mode 100644
index 00000000000..aba6ed94f98
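Review bot: `return v` hands back whatever the last entry in `bch_cache_sets` returned, because `v` is overwritten on every pass of the `list_for_each_entry` loop. If an earlier cache set matched the UUID but `bch_cached_dev_attach()` rejected it for some other reason, and a later set simply returns `-ENOENT`, the more specific error is lost and the `pr_err` text "cache set not found" no longer describes what happened. Keeping the first error that is not `-ENOENT` avoids that, e.g. with a separate local: `ret = bch_cached_dev_attach(dc, c, set_uuid); if (!ret) return size; if (ret != -ENOENT) v = ret;`. Dropping the `= size` initializer also means every other branch of `STORE(__cached_dev)` must assign `v` before reading it; those branches are outside the hunk and worth a check.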
--- /dev/null
+++ b/queue-4.9/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Chan
+Date: Fri, 9 Mar 2018 23:46:10 -0500
+Subject: bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa().
+
+From: Michael Chan
+
+[ Upstream commit 3c4fe80b32c685bdc02b280814d0cfe80d441c72 ]
+
+During initialization, if we encounter errors, there is a code path that
+calls bnxt_hwrm_vnic_set_tpa() with invalid VNIC ID. This may cause a
+warning in firmware logs.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -3401,6 +3401,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct
+ struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id];
+ struct hwrm_vnic_tpa_cfg_input req = {0};
+
++ if (vnic->fw_vnic_id == INVALID_HW_RING_ID)
++ return 0;
++
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1);
+
+ if (tpa_flags) {
diff --git a/queue-4.9/bpf-fix-rlimit-in-reuseport-net-selftest.patch b/queue-4.9/bpf-fix-rlimit-in-reuseport-net-selftest.patch
new file mode 100644
index 00000000000..4aaaa8def4f
--- /dev/null
+++ b/queue-4.9/bpf-fix-rlimit-in-reuseport-net-selftest.patch
@@ -0,0 +1,94 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Daniel Borkmann +Date: Fri, 9 Feb 2018 14:49:44 +0100 +Subject: bpf: fix rlimit in reuseport net selftest + +From: Daniel Borkmann + +[ Upstream commit 941ff6f11c020913f5cddf543a9ec63475d7c082 ] + +Fix two issues in the reuseport_bpf selftests that were +reported by Linaro CI: + + [...] + + ./reuseport_bpf + ---- IPv4 UDP ---- + Testing EBPF mod 10... + Reprograming, testing mod 5... + ./reuseport_bpf: ebpf error. log: + 0: (bf) r6 = r1 + 1: (20) r0 = *(u32 *)skb[0] + 2: (97) r0 %= 10 + 3: (95) exit + processed 4 insns + : Operation not permitted + + echo FAIL + [...] + ---- IPv4 TCP ---- + Testing EBPF mod 10... + ./reuseport_bpf: failed to bind send socket: Address already in use + + echo FAIL + [...] + +For the former adjust rlimit since this was the cause of +failure for loading the BPF prog, and for the latter add +SO_REUSEADDR. + +Reported-by: Naresh Kamboju +Link: https://bugs.linaro.org/show_bug.cgi?id=3502 +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/reuseport_bpf.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/reuseport_bpf.c ++++ b/tools/testing/selftests/net/reuseport_bpf.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #ifndef ARRAY_SIZE +@@ -190,11 +191,14 @@ static void send_from(struct test_params + struct sockaddr * const saddr = new_any_sockaddr(p.send_family, sport); + struct sockaddr * const daddr = + new_loopback_sockaddr(p.send_family, p.recv_port); +- const int fd = socket(p.send_family, p.protocol, 0); ++ const int fd = socket(p.send_family, p.protocol, 0), one = 1; + + if (fd < 0) + error(1, errno, "failed to create send socket"); + ++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) ++ error(1, errno, "failed to set reuseaddr"); ++ + if (bind(fd, saddr, sockaddr_size())) + error(1, errno, "failed to bind send socket"); + +@@ -433,6 +437,21 @@ void enable_fastopen(void) + } + } + ++static struct rlimit rlim_old, rlim_new; ++ ++static __attribute__((constructor)) void main_ctor(void) ++{ ++ getrlimit(RLIMIT_MEMLOCK, &rlim_old); ++ rlim_new.rlim_cur = rlim_old.rlim_cur + (1UL << 20); ++ rlim_new.rlim_max = rlim_old.rlim_max + (1UL << 20); ++ setrlimit(RLIMIT_MEMLOCK, &rlim_new); ++} ++ ++static __attribute__((destructor)) void main_dtor(void) ++{ ++ setrlimit(RLIMIT_MEMLOCK, &rlim_old); ++} ++ + int main(void) + { + fprintf(stderr, "---- IPv4 UDP ----\n"); diff --git a/queue-4.9/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch b/queue-4.9/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch new file mode 100644 index 00000000000..891de68d668 --- /dev/null +++ b/queue-4.9/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch 
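Review bot: `main_ctor()` adds 1 MiB to `rlim_old.rlim_cur` and `rlim_old.rlim_max` without checking for `RLIM_INFINITY`. Where that constant is the largest `rlim_t` value, as on Linux, the unsigned addition wraps and the test lowers RLIMIT_MEMLOCK to just under 1 MiB instead of raising it. The return values of `getrlimit()` and `setrlimit()` are also ignored, so a failed `getrlimit()` leaves the zero-initialised `rlim_old` to be written back by `main_dtor()`. A failed raise (increasing the hard limit needs privilege) only shows up later as the same opaque "Operation not permitted" from the BPF load. The constructor should skip the addition for unlimited values and report failures with `error()`, as the rest of the file does.

```c
static __attribute__((constructor)) void main_ctor(void)
{
	if (getrlimit(RLIMIT_MEMLOCK, &rlim_old))
		error(1, errno, "failed to read RLIMIT_MEMLOCK");

	rlim_new = rlim_old;
	/* adding to RLIM_INFINITY would wrap around to a tiny limit */
	if (rlim_old.rlim_cur != RLIM_INFINITY)
		rlim_new.rlim_cur = rlim_old.rlim_cur + (1UL << 20);
	if (rlim_old.rlim_max != RLIM_INFINITY)
		rlim_new.rlim_max = rlim_old.rlim_max + (1UL << 20);

	if (setrlimit(RLIMIT_MEMLOCK, &rlim_new))
		error(1, errno, "failed to raise RLIMIT_MEMLOCK");
}
```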
@@ -0,0 +1,172 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yonghong Song +Date: Fri, 2 Feb 2018 22:37:15 -0800 +Subject: bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y + +From: Yonghong Song + +[ Upstream commit 09584b406742413ac4c8d7e030374d4daa045b69 ] + +With CONFIG_BPF_JIT_ALWAYS_ON is defined in the config file, +tools/testing/selftests/bpf/test_kmod.sh failed like below: + [root@localhost bpf]# ./test_kmod.sh + sysctl: setting key "net.core.bpf_jit_enable": Invalid argument + [ JIT enabled:0 hardened:0 ] + [ 132.175681] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 132.458834] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:0 ] + [ 133.456025] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 133.730935] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:1 ] + [ 134.769730] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 135.050864] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:2 ] + [ 136.442882] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 136.821810] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [root@localhost bpf]# + +The test_kmod.sh load/remove test_bpf.ko multiple times with different +settings for sysctl net.core.bpf_jit_{enable,harden}. The failed test #297 +of test_bpf.ko is designed such that JIT always fails. + +Commit 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) +introduced the following tightening logic: + ... + if (!bpf_prog_is_dev_bound(fp->aux)) { + fp = bpf_int_jit_compile(fp); + #ifdef CONFIG_BPF_JIT_ALWAYS_ON + if (!fp->jited) { + *err = -ENOTSUPP; + return fp; + } + #endif + ... 
+With this logic, Test #297 always gets return value -ENOTSUPP +when CONFIG_BPF_JIT_ALWAYS_ON is defined, causing the test failure. + +This patch fixed the failure by marking Test #297 as expected failure +when CONFIG_BPF_JIT_ALWAYS_ON is defined. + +Fixes: 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_bpf.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -83,6 +83,7 @@ struct bpf_test { + __u32 result; + } test[MAX_SUBTESTS]; + int (*fill_helper)(struct bpf_test *self); ++ int expected_errcode; /* used when FLAG_EXPECTED_FAIL is set in the aux */ + __u8 frag_data[MAX_DATA]; + }; + +@@ -1900,7 +1901,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: div_k_0", +@@ -1910,7 +1913,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: unknown insn", +@@ -1921,7 +1926,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: out of range spill/fill", +@@ -1931,7 +1938,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "JUMPS + HOLES", +@@ -2023,6 +2032,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: LDX + RET X", +@@ -2033,6 +2044,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | 
FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "M[]: alt STX + LDX", +@@ -2207,6 +2220,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Passes checker but fails during runtime. */ + "LD [SKF_AD_OFF-1]", +@@ -4803,6 +4818,7 @@ static struct bpf_test tests[] = { + { }, + { }, + .fill_helper = bpf_fill_maxinsns4, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "BPF_MAXINSNS: Very long jump", +@@ -4858,10 +4874,15 @@ static struct bpf_test tests[] = { + { + "BPF_MAXINSNS: Jump, gap, jump, ...", + { }, ++#ifdef CONFIG_BPF_JIT_ALWAYS_ON ++ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, ++#else + CLASSIC | FLAG_NO_DATA, ++#endif + { }, + { { 0, 0xababcbac } }, + .fill_helper = bpf_fill_maxinsns11, ++ .expected_errcode = -ENOTSUPP, + }, + { + "BPF_MAXINSNS: ld_abs+get_processor_id", +@@ -5632,7 +5653,7 @@ static struct bpf_prog *generate_filter( + + *err = bpf_prog_create(&fp, &fprog); + if (tests[which].aux & FLAG_EXPECTED_FAIL) { +- if (*err == -EINVAL) { ++ if (*err == tests[which].expected_errcode) { + pr_cont("PASS\n"); + /* Verifier rejected filter as expected. */ + *err = 0; diff --git a/queue-4.9/brcmfmac-fix-check-for-iso3166-code.patch b/queue-4.9/brcmfmac-fix-check-for-iso3166-code.patch new file mode 100644 index 00000000000..08e7c6fad36 --- /dev/null +++ b/queue-4.9/brcmfmac-fix-check-for-iso3166-code.patch 
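Review bot: `expected_errcode` is zero for any `FLAG_EXPECTED_FAIL` entry that does not set it. The new comparison `*err == tests[which].expected_errcode` in `generate_filter()` then prints PASS when `bpf_prog_create()` succeeds, which is the opposite of what the flag means. The hunks add the field to the expected-fail entries they touch, but nothing enforces it for entries added later, and the table is much larger than what is shown here. Requiring a real error closes that gap: `if (*err && *err == tests[which].expected_errcode) {`. The comment on the struct field could also say that the value must be a negative errno. `generate_filter()` continues outside the hunk.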
@@ -0,0 +1,35 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Stefan Wahren
+Date: Wed, 14 Mar 2018 20:02:59 +0100
+Subject: brcmfmac: Fix check for ISO3166 code
+
+From: Stefan Wahren
+
+[ Upstream commit 9b9322db5c5a1917a66c71fe47c3848a9a31227e ]
+
+The commit "regulatory: add NUL to request alpha2" increases the length of
+alpha2 to 3. This causes a regression on brcmfmac, because
+brcmf_cfg80211_reg_notifier() expect valid ISO3166 codes in the complete
+array. So fix this accordingly.
+
+Fixes: 657308f73e67 ("regulatory: add NUL to request alpha2")
+Signed-off-by: Stefan Wahren
+Acked-by: Franky Lin
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6789,7 +6789,7 @@ static void brcmf_cfg80211_reg_notifier(
+ int i;
+
+ /* ignore non-ISO3166 country codes */
+- for (i = 0; i < sizeof(req->alpha2); i++)
++ for (i = 0; i < 2; i++)
+ if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
+ brcmf_err("not a ISO3166 code (0x%02x 0x%02x)\n",
+ req->alpha2[0], req->alpha2[1]);
diff --git a/queue-4.9/btrfs-bail-out-on-error-during-replay_dir_deletes.patch b/queue-4.9/btrfs-bail-out-on-error-during-replay_dir_deletes.patch
new file mode 100644
index 00000000000..1eb7803e654
--- /dev/null
+++ b/queue-4.9/btrfs-bail-out-on-error-during-replay_dir_deletes.patch
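Review bot: The loop bound in `brcmf_cfg80211_reg_notifier()` is now a bare `2`, which silently depends on the layout the commit message describes: two country-code letters followed by a NUL in `req->alpha2`. A one-line comment keeps the next reader from changing it back to `sizeof(req->alpha2)`, for example `/* alpha2 is two letters plus a terminating NUL; validate the letters only */`. The function body starts and ends outside the hunk.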
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Liu Bo
+Date: Tue, 3 Apr 2018 01:59:48 +0800
+Subject: Btrfs: bail out on error during replay_dir_deletes
+
+From: Liu Bo
+
+[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ]
+
+If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs
+to bail out, otherwise @ret would be forced to be 0 after 'break;' and
+the caller won't be aware of it.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov
+Signed-off-by: Liu Bo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2241,8 +2241,10 @@ again:
+ nritems = btrfs_header_nritems(path->nodes[0]);
+ if (path->slots[0] >= nritems) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret)
++ if (ret == 1)
+ break;
++ else if (ret < 0)
++ goto out;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &found_key,
+ path->slots[0]);
diff --git a/queue-4.9/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch b/queue-4.9/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch
new file mode 100644
index 00000000000..164452bdf1f
--- /dev/null
+++ b/queue-4.9/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Anand Jain
+Date: Tue, 9 Jan 2018 09:05:43 +0800
+Subject: btrfs: fail mount when sb flag is not in BTRFS_SUPER_FLAG_SUPP
+
+From: Anand Jain
+
+[ Upstream commit 6f794e3c5c8f8fdd3b5bb20d9ded894e685b5bbe ]
+
+It appears from the original commit [1] that there isn't any design
+specific reason not to fail the mount instead of just warning. This
+patch will change it to fail.
+
+[1]
+ commit 319e4d0661e5323c9f9945f0f8fb5905e5fe74c3
+ btrfs: Enhance super validation check
+
+Fixes: 319e4d0661e5323 ("btrfs: Enhance super validation check")
+Signed-off-by: Anand Jain
+Reviewed-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/disk-io.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4142,9 +4142,11 @@ static int btrfs_check_super_valid(struc
+ btrfs_err(fs_info, "no valid FS found");
+ ret = -EINVAL;
+ }
+- if (btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP)
+- btrfs_warn(fs_info, "unrecognized super flag: %llu",
++ if (btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP) {
++ btrfs_err(fs_info, "unrecognized or unsupported super flag: %llu",
+ btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP);
++ ret = -EINVAL;
++ }
+ if (btrfs_super_root_level(sb) >= BTRFS_MAX_LEVEL) {
+ btrfs_err(fs_info, "tree_root level too big: %d >= %d",
+ btrfs_super_root_level(sb), BTRFS_MAX_LEVEL);
diff --git a/queue-4.9/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch b/queue-4.9/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch
new file mode 100644
index 00000000000..7aa71b4e88c
--- /dev/null
+++ b/queue-4.9/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Filipe Manana
+Date: Mon, 26 Mar 2018 23:59:12 +0100
+Subject: Btrfs: fix copy_items() return value when logging an inode
+
+From: Filipe Manana
+
+[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ]
+
+When logging an inode, at tree-log.c:copy_items(), if we call
+btrfs_next_leaf() at the loop which checks for the need to log holes, we
+need to make sure copy_items() returns the value 1 to its caller and
+not 0 (on success). This is because the path the caller passed was
+released and is now different from what is was before, and the caller
+expects a return value of 0 to mean both success and that the path
+has not changed, while a return value of 1 means both success and
+signals the caller that it can not reuse the path, it has to perform
+another tree search.
+
+Even though this is a case that should not be triggered on normal
+circumstances or very rare at least, its consequences can be very
+unpredictable (especially when replaying a log tree).
+
+Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents")
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3854,6 +3854,7 @@ fill_holes:
+ ASSERT(ret == 0);
+ src = src_path->nodes[0];
+ i = 0;
++ need_find_last_extent = true;
+ }
+
+ btrfs_item_key_to_cpu(src, &key, i);
diff --git a/queue-4.9/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch b/queue-4.9/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch
new file mode 100644
index 00000000000..e8689ce9daf
--- /dev/null
+++ b/queue-4.9/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch
@@ -0,0 +1,436 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jeff Mahoney +Date: Fri, 16 Mar 2018 14:36:27 -0400 +Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers + +From: Jeff Mahoney + +[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ] + +While running btrfs/011, I hit the following lockdep splat. + +This is the important bit: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + +The percpu_counter_init call in btrfs_alloc_subvolume_writers +uses GFP_KERNEL, which we can't do during transaction commit. + +This switches it to GFP_NOFS. + +======================================================== +WARNING: possible irq lock inversion dependency detected +4.12.14-kvmsmall #8 Tainted: G W +-------------------------------------------------------- +kswapd0/50 just changed the state of lock: + (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] +but this lock took another, RECLAIM_FS-unsafe lock in the past: + (pcpu_alloc_mutex){+.+.+.} + +and interrupts could create inverse lock ordering between them. 
+ +other info that might help us debug this: +Chain exists of: + &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(pcpu_alloc_mutex); + local_irq_disable(); + lock(&delayed_node->mutex); + lock(&found->groups_sem); + + lock(&delayed_node->mutex); + + *** DEADLOCK *** + +2 locks held by kswapd0/50: + #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x7f/0x5b0 + #1: (&type->s_umount_key#30){+++++.}, at: [] trylock_super+0x16/0x50 + +the shortest dependencies between 2nd lock and 1st lock: + -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + RECLAIM_FS-ON-W at: + __kmalloc+0x47/0x310 + pcpu_extend_area_map+0x2b/0xc0 + pcpu_alloc+0x3ec/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + __kmem_cache_create+0x1bf/0x390 + create_cache+0xba/0x1b0 + kmem_cache_create+0x1f8/0x2b0 + ksm_init+0x6f/0x19d + do_one_initcall+0x50/0x1b0 + kernel_init_freeable+0x201/0x289 + kernel_init+0xa/0x100 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + setup_cpu_cache+0x2f/0x1f0 + __kmem_cache_create+0x1bf/0x390 + create_boot_cache+0x8b/0xb1 + kmem_cache_init+0xa1/0x19e + 
start_kernel+0x270/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + } + ... key at: [] pcpu_alloc_mutex+0x70/0xa0 + ... acquired at: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + transaction_kthread+0x176/0x1b0 [btrfs] + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + + -> (&fs_info->commit_root_sem){++++..} ops: 1566382 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + 
extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.61970+0x0/0xfffffffffff9aa88 [btrfs] + ... 
acquired at: + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + btrfs_create_tree+0xbb/0x2a0 [btrfs] + btrfs_create_uuid_tree+0x37/0x140 [btrfs] + open_ctree+0x23c0/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + + -> (&found->groups_sem){++++..} ops: 2134587 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + 
btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + INITIAL USE at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.59101+0x0/0xfffffffffff9ab78 [btrfs] + ... acquired at: + find_free_extent+0xcb4/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + __btrfs_cow_block+0x110/0x5b0 [btrfs] + btrfs_cow_block+0xd7/0x290 [btrfs] + btrfs_search_slot+0x1f6/0x960 [btrfs] + btrfs_lookup_inode+0x2a/0x90 [btrfs] + __btrfs_update_delayed_inode+0x65/0x210 [btrfs] + btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs] + btrfs_evict_inode+0x3fe/0x6a0 [btrfs] + evict+0xc4/0x190 + __dentry_kill+0xbf/0x170 + dput+0x2ae/0x2f0 + SyS_rename+0x2a6/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +-> (&delayed_node->mutex){+.+.-.} ops: 5580204 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + 
btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + IN-RECLAIM_FS-W at: + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.56935+0x0/0xfffffffffff96b78 [btrfs] + ... acquired at: + __lock_acquire+0x264/0x11c0 + lock_acquire+0xbd/0x1e0 + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + +stack backtrace: +CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0x78/0xb7 + print_irq_inversion_bug.part.38+0x19f/0x1aa + check_usage_forwards+0x102/0x120 + ? ret_from_fork+0x3a/0x50 + ? check_usage_backwards+0x110/0x110 + mark_lock+0x16c/0x270 + __lock_acquire+0x264/0x11c0 + ? 
pagevec_lookup_entries+0x1a/0x30 + ? truncate_inode_pages_range+0x2b3/0x7f0 + lock_acquire+0xbd/0x1e0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + __mutex_lock+0x4e/0x8c0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs] + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ? mem_cgroup_shrink_node+0x2c0/0x2c0 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1281,7 +1281,7 @@ static struct btrfs_subvolume_writers *b + if (!writers) + return ERR_PTR(-ENOMEM); + +- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); ++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); + if (ret < 0) { + kfree(writers); + return ERR_PTR(ret); diff --git a/queue-4.9/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch b/queue-4.9/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch new file mode 100644 index 00000000000..413c57e154f --- /dev/null +++ b/queue-4.9/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch 
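Review bot: The switch to `GFP_NOFS` in `percpu_counter_init(&writers->counter, 0, GFP_NOFS)` is not explained at the call site, so a later cleanup could turn it back into GFP_KERNEL and bring back the reclaim lock inversion shown in the changelog. A short comment above the call, such as `/* Reachable from transaction commit via btrfs_init_fs_root(); must not enter fs reclaim */`, would record the constraint. The enclosing function starts and ends outside the hunk, so whether the allocation of `writers` before the visible `if (!writers)` check uses a matching mask cannot be confirmed here and should be checked in the same pass.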
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Liu Bo
+Date: Tue, 3 Apr 2018 01:59:47 +0800
+Subject: Btrfs: fix NULL pointer dereference in log_dir_items
+
+From: Liu Bo
+
+[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ]
+
+0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
+returned, path->nodes[0] could be NULL, log_dir_items lacks such a
+check for <0 and we may run into a null pointer dereference panic.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Nikolay Borisov
+Signed-off-by: Liu Bo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-log.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3399,8 +3399,11 @@ static noinline int log_dir_items(struct
+ * from this directory and from this transaction
+ */
+ ret = btrfs_next_leaf(root, path);
+- if (ret == 1) {
+- last_offset = (u64)-1;
++ if (ret) {
++ if (ret == 1)
++ last_offset = (u64)-1;
++ else
++ err = ret;
+ goto done;
+ }
+ btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
diff --git a/queue-4.9/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch b/queue-4.9/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch
new file mode 100644
index 00000000000..f839a2e3fc4
--- /dev/null
+++ b/queue-4.9/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch
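Review bot: The new `if (ret)` block is what keeps the `path->nodes[0]` dereference on the following line from running after a failed btrfs_next_leaf(), but the code gives no hint of that. A comment above the block, e.g. `/* ret < 0: path->nodes[0] may be NULL, leave before btrfs_item_key_to_cpu() */`, would make the guard hard to remove by accident. log_dir_items starts and ends outside the hunk, so how `err` is returned at the `done` label is not visible here.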
@@ -0,0 +1,64 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Nikolay Borisov
+Date: Tue, 12 Dec 2017 11:14:49 +0200
+Subject: btrfs: Fix out of bounds access in btrfs_search_slot
+
+From: Nikolay Borisov
+
+[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]
+
+When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then
+the level variable is going to be 7 (this is the max height of the
+tree). On the other hand btrfs_cow_block is always called with
+"level + 1" as an index into the nodes and slots arrays. This leads to
+an out of bounds access. Admittdely this will be benign since an OOB
+access of the nodes array will likely read the 0th element from the
+slots array, which in this case is going to be 0 (since we start CoW at
+the top of the tree). The OOB access into the slots array in turn will
+read the 0th and 1st values of the locks array, which would both be 0
+at the time. However, this benign behavior relies on the fact that the
+path being passed hasn't been initialised, if it has already been used to
+query a btree then it could potentially have populated the nodes/slots arrays.
+
+Fix it by explicitly checking if we are at level 7 (the maximum allowed
+index in nodes/slots arrays) and explicitly call the CoW routine with
+NULL for parent's node/slot.
+
+Signed-off-by: Nikolay Borisov
+Fixes-coverity-id: 711515
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ctree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2760,6 +2760,8 @@ again:
+ * contention with the cow code
+ */
+ if (cow) {
++ bool last_level = (level == (BTRFS_MAX_LEVEL - 1));
++
+ /*
+ * if we don't really need to cow this block
+ * then we don't want to set the path blocking,
+@@ -2784,9 +2786,13 @@ again:
+ }
+
+ btrfs_set_path_blocking(p);
+- err = btrfs_cow_block(trans, root, b,
+- p->nodes[level + 1],
+- p->slots[level + 1], &b);
++ if (last_level)
++ err = btrfs_cow_block(trans, root, b, NULL, 0,
++ &b);
++ else
++ err = btrfs_cow_block(trans, root, b,
++ p->nodes[level + 1],
++ p->slots[level + 1], &b);
+ if (err) {
+ ret = err;
+ goto done;
diff --git a/queue-4.9/btrfs-fix-possible-softlock-on-single-core-machines.patch b/queue-4.9/btrfs-fix-possible-softlock-on-single-core-machines.patch
new file mode 100644
index 00000000000..e799aa89ef4
--- /dev/null
+++ b/queue-4.9/btrfs-fix-possible-softlock-on-single-core-machines.patch
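Review bot: `last_level` is computed with `==`, so the guard only covers a block whose level is exactly `BTRFS_MAX_LEVEL - 1`; any larger value would still take the `else` branch and index `p->nodes[level + 1]` and `p->slots[level + 1]` past the arrays. Where `level` is assigned is outside both inner hunks; if it comes from a block header read from disk, an explicit range check that fails the search with an error before this point would be the safer form, or at least `bool last_level = (level >= (BTRFS_MAX_LEVEL - 1));`. The flag is also set at the top of the `if (cow)` block and consumed in the second inner hunk roughly 25 lines later, so computing it next to the btrfs_cow_block() call would rule out a stale value if `level` is ever reassigned in between.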
@@ -0,0 +1,38 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Nikolay Borisov
+Date: Thu, 5 Apr 2018 10:40:15 +0300
+Subject: btrfs: Fix possible softlock on single core machines
+
+From: Nikolay Borisov
+
+[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ]
+
+do_chunk_alloc implements a loop checking whether there is a pending
+chunk allocation and if so causes the caller do loop. Generally this
+loop is executed only once, however testing with btrfs/072 on a single
+core vm machines uncovered an extreme case where the system could loop
+indefinitely. This is due to a missing cond_resched when loop which
+doesn't give a chance to the previous chunk allocator finish its job.
+
+The fix is to simply add the missing cond_resched.
+
+Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc")
+Signed-off-by: Nikolay Borisov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4527,6 +4527,7 @@ again:
+ if (wait_for_alloc) {
+ mutex_unlock(&fs_info->chunk_mutex);
+ wait_for_alloc = 0;
++ cond_resched();
+ goto again;
+ }
+
diff --git a/queue-4.9/btrfs-fix-scrub-to-repair-raid6-corruption.patch b/queue-4.9/btrfs-fix-scrub-to-repair-raid6-corruption.patch
new file mode 100644
index 00000000000..162ffbac111
--- /dev/null
+++ b/queue-4.9/btrfs-fix-scrub-to-repair-raid6-corruption.patch
@@ -0,0 +1,84 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Liu Bo
+Date: Tue, 2 Jan 2018 13:36:41 -0700
+Subject: Btrfs: fix scrub to repair raid6 corruption
+
+From: Liu Bo
+
+[ Upstream commit 762221f095e3932669093466aaf4b85ed9ad2ac1 ]
+
+The raid6 corruption is that,
+suppose that all disks can be read without problems and if the content
+that was read out doesn't match its checksum, currently for raid6
+btrfs at most retries twice,
+
+- the 1st retry is to rebuild with all other stripes, it'll eventually
+ be a raid5 xor rebuild,
+- if the 1st fails, the 2nd retry will deliberately fail parity p so
+ that it will do raid6 style rebuild,
+
+however, the chances are that another non-parity stripe content also
+has something corrupted, so that the above retries are not able to
+return correct content.
+
+We've fixed normal reads to rebuild raid6 correctly with more retries
+in Patch "Btrfs: make raid6 rebuild retry more"[1], this is to fix
+scrub to do the exactly same rebuild process.
+
+[1]: https://patchwork.kernel.org/patch/10091755/
+
+Signed-off-by: Liu Bo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/raid56.c | 18 ++++++++++++++----
+ fs/btrfs/volumes.c | 9 ++++++++-
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -2161,11 +2161,21 @@ int raid56_parity_recover(struct btrfs_r
+ }
+
+ /*
+- * reconstruct from the q stripe if they are
+- * asking for mirror 3
++ * Loop retry:
++ * for 'mirror == 2', reconstruct from all other stripes.
++ * for 'mirror_num > 2', select a stripe to fail on every retry.
+ */
+- if (mirror_num == 3)
+- rbio->failb = rbio->real_stripes - 2;
++ if (mirror_num > 2) {
++ /*
++ * 'mirror == 3' is to fail the p stripe and
++ * reconstruct from the q stripe. 'mirror > 3' is to
++ * fail a data stripe and reconstruct from p+q stripe.
++ */
++ rbio->failb = rbio->real_stripes - (mirror_num - 1);
++ ASSERT(rbio->failb > 0);
++ if (rbio->failb <= rbio->faila)
++ rbio->failb--;
++ }
+
+ ret = lock_stripe_add(rbio);
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5186,7 +5186,14 @@ int btrfs_num_copies(struct btrfs_fs_inf
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID5)
+ ret = 2;
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID6)
+- ret = 3;
++ /*
++ * There could be two corrupted data stripes, we need
++ * to loop retry in order to rebuild the correct data.
++ *
++ * Fail a stripe at a time on every retry except the
++ * stripe under reconstruction.
++ */
++ ret = map->num_stripes;
+ else
+ ret = 1;
+ free_extent_map(em);
diff --git a/queue-4.9/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch b/queue-4.9/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch
new file mode 100644
index 00000000000..6bd41d910f7
--- /dev/null
+++ b/queue-4.9/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch
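Review bot: In the raid56.c hunk the only guard on the computed stripe index is `ASSERT(rbio->failb > 0);`, which presumably compiles to nothing unless btrfs assertions are enabled in the build. If a caller passes a `mirror_num` larger than `rbio->real_stripes`, `rbio->real_stripes - (mirror_num - 1)` is zero or negative and is still stored as the second failed stripe. A runtime test such as `if (rbio->failb <= 0)` that leaves through the function's existing error path (outside the hunk) would hold in production builds as well. The bound appears to rest on btrfs_num_copies() now returning `map->num_stripes` for RAID6 in the volumes.c hunk, which deserves a comment next to the ASSERT. The new comments also use `mirror` and `mirror_num` for the same variable.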
@@ -0,0 +1,67 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Filipe Manana
+Date: Tue, 6 Feb 2018 20:39:20 +0000
+Subject: Btrfs: send, fix issuing write op when processing hole in no data mode
+
+From: Filipe Manana
+
+[ Upstream commit d4dfc0f4d39475ccbbac947880b5464a74c30b99 ]
+
+When doing an incremental send of a filesystem with the no-holes feature
+enabled, we end up issuing a write operation when using the no data mode
+send flag, instead of issuing an update extent operation. Fix this by
+issuing the update extent operation instead.
+
+Trivial reproducer:
+
+ $ mkfs.btrfs -f -O no-holes /dev/sdc
+ $ mkfs.btrfs -f /dev/sdd
+ $ mount /dev/sdc /mnt/sdc
+ $ mount /dev/sdd /mnt/sdd
+
+ $ xfs_io -f -c "pwrite -S 0xab 0 32K" /mnt/sdc/foobar
+ $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap1
+
+ $ xfs_io -c "fpunch 8K 8K" /mnt/sdc/foobar
+ $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap2
+
+ $ btrfs send /mnt/sdc/snap1 | btrfs receive /mnt/sdd
+ $ btrfs send --no-data -p /mnt/sdc/snap1 /mnt/sdc/snap2 \
+ | btrfs receive -vv /mnt/sdd
+
+Before this change the output of the second receive command is:
+
+ receiving snapshot snap2 uuid=f6922049-8c22-e544-9ff9-fc6755918447...
+ utimes
+ write foobar, offset 8192, len 8192
+ utimes foobar
+ BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=f6922049-8c22-e544-9ff9-...
+
+After this change it is:
+
+ receiving snapshot snap2 uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
+ utimes
+ update_extent foobar: offset=8192, len=8192
+ utimes foobar
+ BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64...
+
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/send.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -4822,6 +4822,9 @@ static int send_hole(struct send_ctx *sc
+ u64 len;
+ int ret = 0;
+
++ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA)
++ return send_update_extent(sctx, offset, end - offset);
++
+ p = fs_path_alloc();
+ if (!p)
+ return -ENOMEM;
diff --git a/queue-4.9/btrfs-set-plug-for-fsync.patch b/queue-4.9/btrfs-set-plug-for-fsync.patch
new file mode 100644
index 00000000000..89fc82f2ed4
--- /dev/null
+++ b/queue-4.9/btrfs-set-plug-for-fsync.patch
@@ -0,0 +1,51 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Liu Bo
+Date: Wed, 15 Nov 2017 16:10:28 -0700
+Subject: Btrfs: set plug for fsync
+
+From: Liu Bo
+
+[ Upstream commit 343e4fc1c60971b0734de26dbbd475d433950982 ]
+
+Setting plug can merge adjacent IOs before dispatching IOs to the disk
+driver.
+
+Without plug, it'd not be a problem for single disk usecases, but for
+multiple disks using raid profile, a large IO can be split to several
+IOs of stripe length, and plug can be helpful to bring them together
+for each disk so that we can save several disk access.
+
+Moreover, fsync issues synchronous writes, so plug can really take
+effect.
+
+Signed-off-by: Liu Bo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/file.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1912,10 +1912,19 @@ int btrfs_release_file(struct inode *ino
+ static int start_ordered_ops(struct inode *inode, loff_t start, loff_t end)
+ {
+ int ret;
++ struct blk_plug plug;
+
++ /*
++ * This is only called in fsync, which would do synchronous writes, so
++ * a plug can merge adjacent IOs as much as possible. Esp. in case of
++ * multiple disks using raid profile, a large IO can be split to
++ * several segments of stripe length (currently 64K).
++ */
++ blk_start_plug(&plug);
+ atomic_inc(&BTRFS_I(inode)->sync_writers);
+ ret = btrfs_fdatawrite_range(inode, start, end);
+ atomic_dec(&BTRFS_I(inode)->sync_writers);
++ blk_finish_plug(&plug);
+
+ return ret;
+ }
diff --git a/queue-4.9/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch b/queue-4.9/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch
new file mode 100644
index 00000000000..ec9cca19729
--- /dev/null
+++ b/queue-4.9/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch
@@ -0,0 +1,52 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Qu Wenruo
+Date: Tue, 27 Mar 2018 20:44:18 +0800
+Subject: btrfs: tests/qgroup: Fix wrong tree backref level
+
+From: Qu Wenruo
+
+[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ]
+
+The extent tree of the test fs is like the following:
+
+ BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919
+ item 0 key (4096 168 4096) itemoff 3944 itemsize 51
+ extent refs 1 gen 1 flags 2
+ tree block key (68719476736 0 0) level 1
+ ^^^^^^^
+ ref#0: tree block backref root 5
+
+And it's using an empty tree for fs tree, so there is no way that its
+level can be 1.
+
+For REAL (created by mkfs) fs tree backref with no skinny metadata, the
+result should look like:
+
+ item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51
+ refs 1 gen 4 flags TREE_BLOCK
+ tree block key (256 INODE_ITEM 0) level 0
+ ^^^^^^^
+ tree block backref root 5
+
+Fix the level to 0, so it won't break later tree level checker.
+
+Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code")
+Signed-off-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tests/qgroup-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tests/qgroup-tests.c
++++ b/fs/btrfs/tests/qgroup-tests.c
+@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct
+ btrfs_set_extent_generation(leaf, item, 1);
+ btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK);
+ block_info = (struct btrfs_tree_block_info *)(item + 1);
+- btrfs_set_tree_block_level(leaf, block_info, 1);
++ btrfs_set_tree_block_level(leaf, block_info, 0);
+ iref = (struct btrfs_extent_inline_ref *)(block_info + 1);
+ if (parent > 0) {
+ btrfs_set_extent_inline_ref_type(leaf, iref,
diff --git a/queue-4.9/builddeb-fix-header-package-regarding-dtc-source-links.patch b/queue-4.9/builddeb-fix-header-package-regarding-dtc-source-links.patch
new file mode 100644
index 00000000000..283ae1f0c9f
--- /dev/null
+++ b/queue-4.9/builddeb-fix-header-package-regarding-dtc-source-links.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jan Kiszka
+Date: Wed, 21 Mar 2018 13:15:28 +0800
+Subject: builddeb: Fix header package regarding dtc source links
+
+From: Jan Kiszka
+
+[ Upstream commit f8437520704cfd9cc442a99d73ed708a3cdadaf9 ]
+
+Since d5d332d3f7e8, a couple of links in scripts/dtc/include-prefixes
+are additionally required in order to build device trees with the header
+package.
+
+Signed-off-by: Jan Kiszka
+Reviewed-by: Riku Voipio
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/package/builddeb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -325,7 +325,7 @@ fi
+
+ # Build kernel header package
+ (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles"
+-(cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles"
++(cd $srctree; find arch/*/include include scripts -type f -o -type l) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles"
+ (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles"
+ if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then
diff --git a/queue-4.9/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch b/queue-4.9/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch
new file mode 100644
index 00000000000..36a6724fb1b
--- /dev/null
+++ b/queue-4.9/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch 
@@ -0,0 +1,155 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Maurizio Lombardi
+Date: Fri, 9 Mar 2018 13:59:06 +0100
+Subject: cdrom: do not call check_disk_change() inside cdrom_open()
+
+From: Maurizio Lombardi
+
+[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ]
+
+when mounting an ISO filesystem sometimes (very rarely)
+the system hangs because of a race condition between two tasks.
+
+PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount"
+ #0 [ffff880078447ae0] __schedule at ffffffff8168d605
+ #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49
+ #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995
+ #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef
+ #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod]
+ #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50
+ #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3
+ #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs]
+ #8 [ffff880078447da8] mount_bdev at ffffffff81202570
+ #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs]
+#10 [ffff880078447e28] mount_fs at ffffffff81202d09
+#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f
+#12 [ffff880078447ea8] do_mount at ffffffff81220fee
+#13 [ffff880078447f28] sys_mount at ffffffff812218d6
+#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246
+ RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010
+ RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30
+ RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010
+ R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040
+ R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30
+ ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b
+
+This task was trying to mount the cdrom. It allocated and configured a
+super_block struct and owned the write-lock for the super_block->s_umount
+rwsem. While exclusively owning the s_umount lock, it called
+sr_block_ioctl and waited to acquire the global sr_mutex lock.
+
+PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd"
+ #0 [ffff880078417898] __schedule at ffffffff8168d605
+ #1 [ffff880078417900] schedule at ffffffff8168dc59
+ #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605
+ #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838
+ #4 [ffff8800784179d0] down_read at ffffffff8168cde0
+ #5 [ffff8800784179e8] get_super at ffffffff81201cc7
+ #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de
+ #7 [ffff880078417a40] flush_disk at ffffffff8123a94b
+ #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50
+ #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom]
+#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod]
+#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86
+#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65
+#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b
+#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7
+#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf
+#16 [ffff880078417d00] do_last at ffffffff8120d53d
+#17 [ffff880078417db0] path_openat at ffffffff8120e6b2
+#18 [ffff880078417e48] do_filp_open at ffffffff8121082b
+#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33
+#20 [ffff880078417f70] sys_open at ffffffff811fde4e
+#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49
+ RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246
+ RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000
+ RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70
+ RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020
+ R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e
+ R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010
+ ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b
+
+This task tried to open the cdrom device, the sr_block_open function
+acquired the global sr_mutex lock. The call to check_disk_change()
+then saw an event flag indicating a possible media change and tried
+to flush any cached data for the device.
+As part of the flush, it tried to acquire the super_block->s_umount
+lock associated with the cdrom device.
+This was the same super_block as created and locked by the previous task.
+
+The first task acquires the s_umount lock and then the sr_mutex_lock;
+the second task acquires the sr_mutex_lock and then the s_umount lock.
+
+This patch fixes the issue by moving check_disk_change() out of
+cdrom_open() and let the caller take care of it.
+
+Signed-off-by: Maurizio Lombardi
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/paride/pcd.c | 2 ++
+ drivers/cdrom/cdrom.c | 3 ---
+ drivers/cdrom/gdrom.c | 3 +++
+ drivers/ide/ide-cd.c | 2 ++
+ drivers/scsi/sr.c | 2 ++
+ 5 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d
+ struct pcd_unit *cd = bdev->bd_disk->private_data;
+ int ret;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&pcd_mutex);
+ ret = cdrom_open(&cd->info, bdev, mode);
+ mutex_unlock(&pcd_mutex);
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -1154,9 +1154,6 @@ int cdrom_open(struct cdrom_device_info
+
+ cd_dbg(CD_OPEN, "entering cdrom_open\n");
+
+- /* open is event synchronization point, check events first */
+- check_disk_change(bdev);
+-
+ /* if this was a O_NONBLOCK open and we should honor the flags,
+ * do a quick open without drive/disc integrity checks. */
+ cdi->use_count++;
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -497,6 +497,9 @@ static struct cdrom_device_ops gdrom_ops
+ static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
+ {
+ int ret;
++
++ check_disk_change(bdev);
++
+ mutex_lock(&gdrom_mutex);
+ ret = cdrom_open(gd.cd_info, bdev, mode);
+ mutex_unlock(&gdrom_mutex);
+--- a/drivers/ide/ide-cd.c
++++ b/drivers/ide/ide-cd.c
+@@ -1593,6 +1593,8 @@ static int idecd_open(struct block_devic
+ struct cdrom_info *info;
+ int rc = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&ide_cd_mutex);
+ info = ide_cd_get(bdev->bd_disk);
+ if (!info)
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -522,6 +522,8 @@ static int sr_block_open(struct block_de
+ struct scsi_cd *cd;
+ int ret = -ENXIO;
+
++ check_disk_change(bdev);
++
+ mutex_lock(&sr_mutex);
+ cd = scsi_cd_get(bdev->bd_disk);
+ if (cd) {
diff --git a/queue-4.9/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch b/queue-4.9/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch
new file mode 100644
index 00000000000..af001a052d9
--- /dev/null
+++ b/queue-4.9/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch
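Review bot: The four added `check_disk_change(bdev);` calls in pcd_block_open(), gdrom_bdops_open(), idecd_open() and sr_block_open() carry no comment, while the comment removed from cdrom_open() was the only record of why open checks events at all. Their position before `mutex_lock()` is what avoids the s_umount / driver-mutex lock-order inversion described in the commit message, so each call site should say so, e.g. `/* check events before taking the driver mutex: the flush path takes s_umount */`. The return value is ignored at every site, as it was in cdrom_open(). All four functions continue outside their hunks.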
@@ -0,0 +1,68 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Chengguang Xu
+Date: Fri, 9 Feb 2018 20:40:59 +0800
+Subject: ceph: fix dentry leak when failing to init debugfs
+
+From: Chengguang Xu
+
+[ Upstream commit 18106734b512664a8541026519ce4b862498b6c3 ]
+
+When failing from ceph_fs_debugfs_init() in ceph_real_mount(),
+there is lack of dput of root_dentry and it causes slab errors,
+so change the calling order of ceph_fs_debugfs_init() and
+open_root_dentry() and do some cleanups to avoid this issue.
+
+Signed-off-by: Chengguang Xu
+Reviewed-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/super.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -816,7 +816,6 @@ static struct dentry *ceph_real_mount(st
+ int err;
+ unsigned long started = jiffies; /* note the start time */
+ struct dentry *root;
+- int first = 0; /* first vfsmount for this super_block */
+
+ dout("mount start %p\n", fsc);
+ mutex_lock(&fsc->client->mount_mutex);
+@@ -834,17 +833,17 @@ static struct dentry *ceph_real_mount(st
+ path = fsc->mount_options->server_path + 1;
+ dout("mount opening path %s\n", path);
+ }
++
++ err = ceph_fs_debugfs_init(fsc);
++ if (err < 0)
++ goto out;
++
+ root = open_root_dentry(fsc, path, started);
+ if (IS_ERR(root)) {
+ err = PTR_ERR(root);
+ goto out;
+ }
+ fsc->sb->s_root = dget(root);
+- first = 1;
+-
+- err = ceph_fs_debugfs_init(fsc);
+- if (err < 0)
+- goto fail;
+ } else {
+ root = dget(fsc->sb->s_root);
+ }
+@@ -854,11 +853,6 @@ static struct dentry *ceph_real_mount(st
+ mutex_unlock(&fsc->client->mount_mutex);
+ return root;
+
+-fail:
+- if (first) {
+- dput(fsc->sb->s_root);
+- fsc->sb->s_root = NULL;
+- }
+ out:
+ mutex_unlock(&fsc->client->mount_mutex);
+ return ERR_PTR(err);
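Review bot: In ceph_real_mount(), a failure of open_root_dentry() now reaches `goto out` after ceph_fs_debugfs_init() has already succeeded, and `out:` only drops mount_mutex. Nothing in these hunks tears the debugfs entries down on that path, so the reorder is leak-free only if they are removed elsewhere when the client is destroyed, which the visible lines do not show. A comment at that `goto out`, such as `/* debugfs entries are removed at client teardown */`, would record the assumption once it is confirmed. The function starts and ends outside the hunks.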
diff --git a/queue-4.9/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch b/queue-4.9/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch
new file mode 100644
index 00000000000..7dad2594764
--- /dev/null
+++ b/queue-4.9/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arnd Bergmann
+Date: Fri, 2 Feb 2018 16:48:47 +0100
+Subject: cifs: silence compiler warnings showing up with gcc-8.0.0
+
+From: Arnd Bergmann
+
+[ Upstream commit ade7db991b47ab3016a414468164f4966bd08202 ]
+
+This bug was fixed before, but came up again with the latest
+compiler in another function:
+
+fs/cifs/cifssmb.c: In function 'CIFSSMBSetEA':
+fs/cifs/cifssmb.c:6362:3: error: 'strncpy' offset 8 is out of the bounds [0, 4] [-Werror=array-bounds]
+ strncpy(parm_data->list[0].name, ea_name, name_len);
+
+Let's apply the same fix that was used for the other instances.
+
+Fixes: b2a3ad9ca502 ("cifs: silence compiler warnings showing up with gcc-4.7.0")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifssmb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -6413,9 +6413,7 @@ SetEARetry:
+ pSMB->InformationLevel =
+ cpu_to_le16(SMB_SET_FILE_EA);
+
+- parm_data =
+- (struct fealist *) (((char *) &pSMB->hdr.Protocol) +
+- offset);
++ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset;
+ pSMB->ParameterOffset = cpu_to_le16(param_offset);
+ pSMB->DataOffset = cpu_to_le16(offset);
+ pSMB->SetupCount = 1;
diff --git a/queue-4.9/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch b/queue-4.9/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch
new file mode 100644
index 00000000000..e3757cf9277
--- /dev/null
+++ b/queue-4.9/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch
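Review bot: The new `parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset;` silences -Warray-bounds by deriving the pointer from the whole request instead of the small Protocol member, but it adds no check that `offset` plus the EA data stays inside the request buffer. It also relies on arithmetic on `void *`, which is a GNU extension. A short comment would stop the expression being "simplified" back, e.g. `/* derive from pSMB, not &hdr.Protocol, so the compiler sees the whole buffer */`. The `strncpy` quoted in the commit message writes through this pointer, so it is worth confirming outside the hunk that name_len and the value length are bounded against the buffer size.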
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Colin Ian King
+Date: Mon, 26 Feb 2018 11:36:14 +0000
+Subject: clocksource/drivers/fsl_ftm_timer: Fix error return checking
+
+From: Colin Ian King
+
+[ Upstream commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 ]
+
+The error checks on freq for a negative error return always fails because
+freq is unsigned and can never be negative. Fix this by making freq a
+signed long.
+
+Detected with Coccinelle:
+drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression
+compared with zero: freq <= 0
+drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression
+compared with zero: freq <= 0
+
+Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support")
+Signed-off-by: Colin Ian King
+Signed-off-by: Thomas Gleixner
+Cc: Daniel Lezcano
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/fsl_ftm_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clocksource/fsl_ftm_timer.c
++++ b/drivers/clocksource/fsl_ftm_timer.c
+@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct
+
+ static unsigned long __init ftm_clk_init(struct device_node *np)
+ {
+- unsigned long freq;
++ long freq;
+
+ freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt");
+ if (freq <= 0)
diff --git a/queue-4.9/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch b/queue-4.9/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch
new file mode 100644
index 00000000000..d5ac82f7e8d
--- /dev/null
+++ b/queue-4.9/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch
@@ -0,0 +1,53 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Shunyong Yang
+Date: Fri, 6 Apr 2018 10:43:49 +0800
+Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs
+
+From: Shunyong Yang
+
+[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ]
+
+When multiple CPUs are related in one cpufreq policy, the first online
+CPU will be chosen by default to handle cpufreq operations. Let's take
+cpu0 and cpu1 as an example.
+
+When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf
+capabilities should be initialized. Otherwise, perf capabilities are 0s
+and speed change can not take effect.
+
+This patch copies perf capabilities of the first online CPU to other
+shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY.
+
+Acked-by: Viresh Kumar
+Signed-off-by: Shunyong Yang
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -151,9 +151,19 @@ static int cppc_cpufreq_cpu_init(struct
+ policy->cpuinfo.transition_latency = cppc_get_transition_latency(cpu_num);
+ policy->shared_type = cpu->shared_type;
+
+- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY)
++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) {
++ int i;
++
+ cpumask_copy(policy->cpus, cpu->shared_cpu_map);
+- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
++
++ for_each_cpu(i, policy->cpus) {
++ if (unlikely(i == policy->cpu))
++ continue;
++
++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps,
++ sizeof(cpu->perf_caps));
++ }
++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
+ /* Support only SW_ANY for now. */
+ pr_debug("Unsupported CPU co-ord type\n");
+ return -EFAULT;
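Review bot: The new loop in cppc_cpufreq_cpu_init() dereferences `all_cpu_data[i]` for every CPU in policy->cpus without a NULL check, and it copies with `memcpy` where a struct assignment would be type-checked: `all_cpu_data[i]->perf_caps = cpu->perf_caps;`. Whether an entry can be NULL here depends on allocation code outside the hunk, so either add `if (!all_cpu_data[i]) continue;` or a comment stating why it cannot happen. The `unlikely()` around `i == policy->cpu` adds nothing in an init path and can be dropped.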
diff --git a/queue-4.9/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch b/queue-4.9/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch
new file mode 100644
index 00000000000..5f364621871
--- /dev/null
+++ b/queue-4.9/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch
@@ -0,0 +1,57 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Chunyu Hu
+Date: Mon, 5 Mar 2018 13:40:38 +0800
+Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path
+
+From: Chunyu Hu
+
+[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ]
+
+Kmemleak reported the below leak. When cppc_cpufreq_init went into
+failure path, the cpu mask is not freed. After fix, this report is
+gone. And to avaoid potential NULL pointer reference, check the cpu
+value first.
+
+unreferenced object 0xffff800fd5ea4880 (size 128):
+ comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] __kmalloc_node+0x278/0x634
+ [] alloc_cpumask_var_node+0x28/0x60
+ [] zalloc_cpumask_var+0x14/0x1c
+ [] cppc_cpufreq_init+0xd0/0x19c
+ [] do_one_initcall+0xec/0x15c
+ [] kernel_init_freeable+0x1f4/0x2a4
+ [] kernel_init+0x18/0x10c
+ [] ret_from_fork+0x10/0x18
+ [] 0xffffffffffffffff
+
+Signed-off-by: Chunyu Hu
+Acked-by: Viresh Kumar
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/cppc_cpufreq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -228,8 +228,13 @@ static int __init cppc_cpufreq_init(void
+ return ret;
+
+ out:
+- for_each_possible_cpu(i)
+- kfree(all_cpu_data[i]);
++ for_each_possible_cpu(i) {
++ cpu = all_cpu_data[i];
++ if (!cpu)
++ break;
++ free_cpumask_var(cpu->shared_cpu_map);
++ kfree(cpu);
++ }
+
+ kfree(all_cpu_data);
+ return -ENODEV;
diff --git a/queue-4.9/cpufreq-reorder-cpufreq_online-error-code-path.patch b/queue-4.9/cpufreq-reorder-cpufreq_online-error-code-path.patch
new file mode 100644
index 00000000000..ea93ecfcaeb
--- /dev/null
+++ b/queue-4.9/cpufreq-reorder-cpufreq_online-error-code-path.patch
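Review bot: The cleanup loop under `out:` stops at the first NULL entry with `break`, which frees everything only if all_cpu_data[] was zero-initialised and filled strictly in for_each_possible_cpu() order; neither is visible in the hunk. `if (!cpu) continue;` costs nothing and also releases any entries after a gap. The loop further assumes free_cpumask_var() is safe on an entry whose mask allocation was the step that failed, which should be confirmed against the allocation code earlier in cppc_cpufreq_init().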
@@ -0,0 +1,49 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Viresh Kumar
+Date: Thu, 22 Feb 2018 11:29:43 +0530
+Subject: cpufreq: Reorder cpufreq_online() error code path
+
+From: Viresh Kumar
+
+[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ]
+
+Ideally the de-allocation of resources should happen in the exact
+opposite order in which they were allocated. It helps maintain the code
+in long term, even if nothing really breaks with incorrect ordering.
+
+That wasn't followed in cpufreq_online() and it has some
+inconsistencies. For example, the symlinks were created from within
+the locked region while they are removed only after putting the locks.
+Also ->exit() should have been called only after the symlinks are
+removed and the lock is dropped, as that was the case when ->init()
+was first called.
+
+Signed-off-by: Viresh Kumar
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/cpufreq.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1288,14 +1288,14 @@ static int cpufreq_online(unsigned int c
+ return 0;
+
+ out_exit_policy:
++ for_each_cpu(j, policy->real_cpus)
++ remove_cpu_dev_symlink(policy, get_cpu_device(j));
++
+ up_write(&policy->rwsem);
+
+ if (cpufreq_driver->exit)
+ cpufreq_driver->exit(policy);
+
+- for_each_cpu(j, policy->real_cpus)
+- remove_cpu_dev_symlink(policy, get_cpu_device(j));
+-
+ out_free_policy:
+ cpufreq_policy_free(policy, !new_policy);
+ return ret;
diff --git a/queue-4.9/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch b/queue-4.9/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch
new file mode 100644
index 00000000000..22abffeeba2
--- /dev/null
+++ b/queue-4.9/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch
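Review bot: The reordered `out_exit_policy:` block has no comment saying that the order is deliberate, so a later edit could move the symlink removal back below `up_write()` without anyone noticing. A line above the loop such as `/* undo in reverse order of setup: symlinks (under rwsem), unlock, then ->exit() */` would pin it. The loop now runs with policy->rwsem held, which is safe only if every `goto out_exit_policy` is taken with the lock held and remove_cpu_dev_symlink() tolerates CPUs whose link was never created; those gotos are outside the hunk.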
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Kelley
+Date: Wed, 14 Feb 2018 02:54:03 +0000
+Subject: cpumask: Make for_each_cpu_wrap() available on UP as well
+
+From: Michael Kelley
+
+[ Upstream commit d207af2eab3f8668b95ad02b21930481c42806fd ]
+
+for_each_cpu_wrap() was originally added in the #else half of a
+large "#if NR_CPUS == 1" statement, but was omitted in the #if
+half. This patch adds the missing #if half to prevent compile
+errors when NR_CPUS is 1.
+
+Reported-by: kbuild test robot
+Signed-off-by: Michael Kelley
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: kys@microsoft.com
+Cc: martin.petersen@oracle.com
+Cc: mikelley@microsoft.com
+Fixes: c743f0a5c50f ("sched/fair, cpumask: Export for_each_cpu_wrap()")
+Link: http://lkml.kernel.org/r/SN6PR1901MB2045F087F59450507D4FCC17CBF50@SN6PR1901MB2045.namprd19.prod.outlook.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cpumask.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/cpumask.h
++++ b/include/linux/cpumask.h
+@@ -164,6 +164,8 @@ static inline unsigned int cpumask_local
+ for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
+ #define for_each_cpu_not(cpu, mask) \
+ for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
++#define for_each_cpu_wrap(cpu, mask, start) \
++ for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask, (void)(start))
+ #define for_each_cpu_and(cpu, mask, and) \
+ for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask, (void)and)
+ #else
diff --git a/queue-4.9/cxgb4-fix-queue-free-path-of-uld-drivers.patch b/queue-4.9/cxgb4-fix-queue-free-path-of-uld-drivers.patch
new file mode 100644
index 00000000000..e58b1a20c34
--- /dev/null
+++ b/queue-4.9/cxgb4-fix-queue-free-path-of-uld-drivers.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arjun Vynipadath
+Date: Thu, 15 Mar 2018 17:34:14 +0530
+Subject: cxgb4: Fix queue free path of ULD drivers
+
+From: Arjun Vynipadath
+
+[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ]
+
+Setting sge_uld_rxq_info to NULL in free_queues_uld().
+We are referencing sge_uld_rxq_info in cxgb_up(). This
+will fix a panic when interface is brought up after a
+ULDq creation failure.
+
+Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation
+ of resources for ULD)
+Signed-off-by: Arjun Vynipadath
+Signed-off-by: Casey Leedom
+Signed-off-by: Ganesh Goudhar
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt
+ {
+ struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type];
+
++ adap->sge.uld_rxq_info[uld_type] = NULL;
+ kfree(rxq_info->rspq_id);
+ kfree(rxq_info->uldrxq);
+ kfree(rxq_info);
diff --git a/queue-4.9/cxgb4-setup-fw-queues-before-registering-netdev.patch b/queue-4.9/cxgb4-setup-fw-queues-before-registering-netdev.patch
new file mode 100644
index 00000000000..d82d0b27907
--- /dev/null
+++ b/queue-4.9/cxgb4-setup-fw-queues-before-registering-netdev.patch
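Review bot: free_queues_uld() still dereferences `rxq_info` unconditionally in `kfree(rxq_info->rspq_id)`, and now that the slot is cleared a second call for the same uld_type would dereference NULL rather than double-free. An early `if (!rxq_info) return;` right after the declaration makes the function safe to call twice. The commit message says cxgb_up() reads this pointer, so that reader needs a matching NULL check; it is outside this hunk and cannot be confirmed from here.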
@@ -0,0 +1,67 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arjun Vynipadath
+Date: Fri, 23 Mar 2018 15:25:10 +0530
+Subject: cxgb4: Setup FW queues before registering netdev
+
+From: Arjun Vynipadath
+
+[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ]
+
+When NetworkManager is enabled, there are chances that interface up
+is called even before probe completes. This means we have not yet
+allocated the FW sge queues, hence rest of ingress queue allocation
+wont be proper. Fix this by calling setup_fw_sge_queues() before
+register_netdev().
+
+Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's')
+Signed-off-by: Arjun Vynipadath
+Signed-off-by: Casey Leedom
+Signed-off-by: Ganesh Goudar
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -836,8 +836,6 @@ static int setup_fw_sge_queues(struct ad
+
+ err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0],
+ adap->msi_idx, NULL, fwevtq_handler, NULL, -1);
+- if (err)
+- t4_free_sge_resources(adap);
+ return err;
+ }
+
+@@ -4940,6 +4938,13 @@ static int init_one(struct pci_dev *pdev
+ if (err)
+ goto out_free_dev;
+
++ err = setup_fw_sge_queues(adapter);
++ if (err) {
++ dev_err(adapter->pdev_dev,
++ "FW sge queue allocation failed, err %d", err);
++ goto out_free_dev;
++ }
++
+ /*
+ * The card is now ready to go. If any errors occur during device
+ * registration we do not fail the whole card but rather proceed only
+@@ -4983,7 +4988,6 @@ static int init_one(struct pci_dev *pdev
+ }
+
+ print_adapter_info(adapter);
+- setup_fw_sge_queues(adapter);
+ return 0;
+
+ sriov:
+@@ -5035,6 +5039,7 @@ sriov:
+ #endif
+
+ out_free_dev:
++ t4_free_sge_resources(adapter);
+ free_some_resources(adapter);
+ if (adapter->flags & USING_MSIX)
+ free_msix_info(adapter);
diff --git a/queue-4.9/device-property-define-type-of-property_enrty_-macros.patch b/queue-4.9/device-property-define-type-of-property_enrty_-macros.patch
new file mode 100644
index 00000000000..c02040520da
--- /dev/null
+++ b/queue-4.9/device-property-define-type-of-property_enrty_-macros.patch
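Review bot: `out_free_dev:` in init_one() now calls `t4_free_sge_resources(adapter)` unconditionally, and that label is also the target of the `goto out_free_dev` just before the new setup_fw_sge_queues() call, so the free routine has to be safe on an adapter whose SGE queues were never allocated; its body is not visible here. The new dev_err() format string also lacks a trailing newline and should read `"FW sge queue allocation failed, err %d\n"`. init_one() starts and ends outside the hunks.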
@@ -0,0 +1,76 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Andy Shevchenko
+Date: Mon, 22 Jan 2018 18:01:42 +0200
+Subject: device property: Define type of PROPERTY_ENRTY_*() macros
+
+From: Andy Shevchenko
+
+[ Upstream commit c505cbd45f6e9c539d57dd171d95ec7e5e9f9cd0 ]
+
+Some of the drivers may use the macro at runtime flow, like
+
+ struct property_entry p[10];
+...
+ p[index++] = PROPERTY_ENTRY_U8("u8 property", u8_data);
+
+In that case and absence of the data type compiler fails the build:
+
+drivers/char/ipmi/ipmi_dmi.c:79:29: error: Expected ; at end of statement
+drivers/char/ipmi/ipmi_dmi.c:79:29: error: got {
+
+Acked-by: Corey Minyard
+Cc: Corey Minyard
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/property.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/linux/property.h
++++ b/include/linux/property.h
+@@ -187,7 +187,7 @@ struct property_entry {
+ */
+
+ #define PROPERTY_ENTRY_INTEGER_ARRAY(_name_, _type_, _val_) \
+-{ \
++(struct property_entry) { \
+ .name = _name_, \
+ .length = ARRAY_SIZE(_val_) * sizeof(_type_), \
+ .is_array = true, \
+@@ -205,7 +205,7 @@ struct property_entry {
+ PROPERTY_ENTRY_INTEGER_ARRAY(_name_, u64, _val_)
+
+ #define PROPERTY_ENTRY_STRING_ARRAY(_name_, _val_) \
+-{ \
++(struct property_entry) { \
+ .name = _name_, \
+ .length = ARRAY_SIZE(_val_) * sizeof(const char *), \
+ .is_array = true, \
+@@ -214,7 +214,7 @@ struct property_entry {
+ }
+
+ #define PROPERTY_ENTRY_INTEGER(_name_, _type_, _val_) \
+-{ \
++(struct property_entry) { \
+ .name = _name_, \
+ .length = sizeof(_type_), \
+ .is_string = false, \
+@@ -231,7 +231,7 @@ struct property_entry {
+ PROPERTY_ENTRY_INTEGER(_name_, u64, _val_)
+
+ #define PROPERTY_ENTRY_STRING(_name_, _val_) \
+-{ \
++(struct property_entry) { \
+ .name = _name_, \
+ .length = sizeof(_val_), \
+ .is_string = true, \
+@@ -239,7 +239,7 @@ struct property_entry {
+ }
+
+ #define PROPERTY_ENTRY_BOOL(_name_) \
+-{ \
++(struct property_entry) { \
+ .name = _name_, \
+ }
+
diff --git a/queue-4.9/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch b/queue-4.9/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch
new file mode 100644
index 00000000000..4f12ce727a2
--- /dev/null
+++ b/queue-4.9/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch
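Review bot: Each PROPERTY_ENTRY_*() macro now expands to a compound literal `(struct property_entry) { ... }`, and a compound literal is not a constant expression in ISO C, so any use of these macros in a static or file-scope initializer now depends on a GNU extension. The change makes the runtime assignment from the commit message compile, but nothing in the header records the new constraint. A comment above the first macro would do, e.g. `/* compound literals: usable in assignments; static initializers rely on GNU C */`. Users of the macros are outside this diff, so how many are affected cannot be told from here.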
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: mulhern
+Date: Mon, 27 Nov 2017 10:02:39 -0500
+Subject: dm thin: fix documentation relative to low water mark threshold
+
+From: mulhern
+
+[ Upstream commit 9b28a1102efc75d81298198166ead87d643a29ce ]
+
+Fixes:
+1. The use of "exceeds" when the opposite of exceeds, falls below,
+was meant.
+2. Properly speaking, a table can not exceed a threshold.
+
+It emphasizes the important point, which is that it is the userspace
+daemon's responsibility to check for low free space when a device
+is resumed, since it won't get a special event indicating low free
+space in that situation.
+
+Signed-off-by: mulhern
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/device-mapper/thin-provisioning.txt | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/Documentation/device-mapper/thin-provisioning.txt
++++ b/Documentation/device-mapper/thin-provisioning.txt
+@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks o
+ free space on the data device drops below this level then a dm event
+ will be triggered which a userspace daemon should catch allowing it to
+ extend the pool device. Only one such event will be sent.
+-Resuming a device with a new table itself triggers an event so the
+-userspace daemon can use this to detect a situation where a new table
+-already exceeds the threshold.
++
++No special event is triggered if a just resumed device's free space is below
++the low water mark. However, resuming a device always triggers an
++event; a userspace daemon should verify that free space exceeds the low
++water mark when handling this event.
+
+ A low water mark for the metadata device is maintained in the kernel and
+ will trigger a dm event if free space on the metadata device drops below
diff --git a/queue-4.9/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch b/queue-4.9/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch
new file mode 100644
index 00000000000..fedba417110
--- /dev/null
+++ b/queue-4.9/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch
@@ -0,0 +1,93 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Gregory CLEMENT
+Date: Wed, 7 Mar 2018 16:40:10 +0100
+Subject: dmaengine: mv_xor_v2: Fix clock resource by adding a register clock
+
+From: Gregory CLEMENT
+
+[ Upstream commit 3cd2c313f1d618f92d1294addc6c685c17065761 ]
+
+On the CP110 components which are present on the Armada 7K/8K SoC we need
+to explicitly enable the clock for the registers. However it is not
+needed for the AP8xx component, that's why this clock is optional.
+
+With this patch both clock have now a name, but in order to be backward
+compatible, the name of the first clock is not used. It allows to still
+use this clock with a device tree using the old binding.
+
+Reviewed-by: Rob Herring
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/dma/mv-xor-v2.txt | 6 ++++
+ drivers/dma/mv_xor_v2.c | 25 ++++++++++++++++----
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/Documentation/devicetree/bindings/dma/mv-xor-v2.txt
++++ b/Documentation/devicetree/bindings/dma/mv-xor-v2.txt
+@@ -11,7 +11,11 @@ Required properties:
+ interrupts.
+
+ Optional properties:
+-- clocks: Optional reference to the clock used by the XOR engine.
++- clocks: Optional reference to the clocks used by the XOR engine.
++- clock-names: mandatory if there is a second clock, in this case the
++ name must be "core" for the first clock and "reg" for the second
++ one
++
+
+ Example:
+
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -152,6 +152,7 @@ struct mv_xor_v2_device {
+ void __iomem *dma_base;
+ void __iomem *glob_base;
+ struct clk *clk;
++ struct clk *reg_clk;
+ struct tasklet_struct irq_tasklet;
+ struct list_head free_sw_desc;
+ struct dma_device dmadev;
+@@ -697,13 +698,26 @@ static int mv_xor_v2_probe(struct platfo
+ if (ret)
+ return ret;
+
++ xor_dev->reg_clk = devm_clk_get(&pdev->dev, "reg");
++ if (PTR_ERR(xor_dev->reg_clk) != -ENOENT) {
++ if (!IS_ERR(xor_dev->reg_clk)) {
++ ret = clk_prepare_enable(xor_dev->reg_clk);
++ if (ret)
++ return ret;
++ } else {
++ return PTR_ERR(xor_dev->reg_clk);
++ }
++ }
++
+ xor_dev->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER) {
++ ret = EPROBE_DEFER;
++ goto disable_reg_clk;
++ }
+ if (!IS_ERR(xor_dev->clk)) {
+ ret = clk_prepare_enable(xor_dev->clk);
+ if (ret)
+- return ret;
++ goto disable_reg_clk;
+ }
+
+ ret = platform_msi_domain_alloc_irqs(&pdev->dev, 1,
+@@ -812,8 +826,9 @@ free_hw_desq:
+ free_msi_irqs:
+ platform_msi_domain_free_irqs(&pdev->dev);
+ disable_clk:
+- if (!IS_ERR(xor_dev->clk))
+- clk_disable_unprepare(xor_dev->clk);
++ clk_disable_unprepare(xor_dev->clk);
++disable_reg_clk:
++ clk_disable_unprepare(xor_dev->reg_clk);
+ return ret;
+ }
+
diff --git a/queue-4.9/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch b/queue-4.9/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch
new file mode 100644
index 00000000000..5a454ddd79e
--- /dev/null
+++ b/queue-4.9/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch
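Review bot: In mv_xor_v2_probe() the deferred-probe branch sets `ret = EPROBE_DEFER;`, a positive value, where the line it replaces returned `-EPROBE_DEFER`, so probe would return a positive number and the caller is unlikely to treat it as a deferral. It should read `ret = -EPROBE_DEFER;`. The `disable_clk:` and `disable_reg_clk:` labels now pass clocks that may hold an error pointer to clk_disable_unprepare() after the `IS_ERR()` guard was dropped, which is safe only if the clk implementation ignores error pointers. The remove path is outside this diff and would also need to disable reg_clk.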
@@ -0,0 +1,162 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Qi Hou +Date: Tue, 6 Mar 2018 09:13:37 +0800 +Subject: dmaengine: pl330: fix a race condition in case of threaded irqs + +From: Qi Hou + +[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ] + +When booting up with "threadirqs" in command line, all irq handlers of the DMA +controller pl330 will be threaded forcedly. These threads will race for the same +list, pl330->req_done. + +Before the callback, the spinlock was released. And after it, the spinlock was +taken. This opened an race window where another threaded irq handler could steal +the spinlock and be permitted to delete entries of the list, pl330->req_done. + +If the later deleted an entry that was still referred to by the former, there would +be a kernel panic when the former was scheduled and tried to get the next sibling +of the deleted entry. + +The scenario could be depicted as below: + + Thread: T1 pl330->req_done Thread: T2 + | | | + | -A-B-C-D- | + Locked | | + | | Waiting + Del A | | + | -B-C-D- | + Unlocked | | + | | Locked + Waiting | | + | | Del B + | | | + | -C-D- Unlocked + Waiting | | + | + Locked + | + get C via B + \ + - Kernel panic + +The kernel panic looked like as below: + +Unable to handle kernel paging request at virtual address dead000000000108 +pgd = ffffff8008c9e000 +[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000 +Internal error: Oops: 96000044 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2 +Hardware name: Broadcom NS2 SVK (DT) +task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000 +PC is at pl330_irq_handler+0x27c/0x390 +LR is at pl330_irq_handler+0x2a8/0x390 +pc : [] lr : [] pstate: 800001c5 +sp : ffffffc1f5ce3d00 +x29: ffffffc1f5ce3d00 x28: 0000000000000140 +x27: ffffffc1f5c530b0 x26: dead000000000100 +x25: dead000000000200 x24: 0000000000418958 +x23: 0000000000000001 x22: ffffffc1f5ccd668 +x21: 
ffffffc1f5ccd590 x20: ffffffc1f5ccd418 +x19: dead000000000060 x18: 0000000000000001 +x17: 0000000000000007 x16: 0000000000000001 +x15: ffffffffffffffff x14: ffffffffffffffff +x13: ffffffffffffffff x12: 0000000000000000 +x11: 0000000000000001 x10: 0000000000000840 +x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338 +x7 : ffffff8008ce2020 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : dead000000000200 x2 : dead000000000100 +x1 : 0000000000000140 x0 : ffffffc1f5ccd590 + +Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020) +Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000) +3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600 +3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998 +3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000 +3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0 +3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001 +3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8 +3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00 +3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000 +3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68 +3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80 +3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648 +3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00 +3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90 +3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0 +3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f40: 0000000000000000 
0000000000000000 0000000000000000 0000000000000000 +3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000 +3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8 +Call trace: +Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60) +3b20: dead000000000060 0000008000000000 +3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88 +3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4 +3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc +3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000 +3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140 +3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000 +3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000 +3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff +3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007 +[] pl330_irq_handler+0x27c/0x390 +[] irq_forced_thread_fn+0x38/0x88 +[] irq_thread+0x140/0x200 +[] kthread+0xd8/0xf0 +[] ret_from_fork+0x10/0x40 +Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443) +---[ end trace f50005726d31199c ]--- +Kernel panic - not syncing: Fatal exception in interrupt +SMP: stopping secondary CPUs +SMP: failed to stop secondary CPUs 0-1 +Kernel Offset: disabled +Memory Limit: none +---[ end Kernel panic - not syncing: Fatal exception in interrupt + +To fix this, re-start with the list-head after dropping the lock then +re-takeing it. 
+ +Reviewed-by: Frank Mori Hess +Tested-by: Frank Mori Hess +Signed-off-by: Qi Hou +Signed-off-by: Vinod Koul + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1570,7 +1570,7 @@ static void pl330_dotask(unsigned long d + /* Returns 1 if state was updated, 0 otherwise */ + static int pl330_update(struct pl330_dmac *pl330) + { +- struct dma_pl330_desc *descdone, *tmp; ++ struct dma_pl330_desc *descdone; + unsigned long flags; + void __iomem *regs; + u32 val; +@@ -1648,7 +1648,9 @@ static int pl330_update(struct pl330_dma + } + + /* Now that we are in no hurry, do the callbacks */ +- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { ++ while (!list_empty(&pl330->req_done)) { ++ descdone = list_first_entry(&pl330->req_done, ++ struct dma_pl330_desc, rqd); + list_del(&descdone->rqd); + spin_unlock_irqrestore(&pl330->lock, flags); + dma_pl330_rqcb(descdone, PL330_ERR_NONE); diff --git a/queue-4.9/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch b/queue-4.9/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch new file mode 100644 index 00000000000..f182d5b9ad8 --- /dev/null +++ b/queue-4.9/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch 
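Review bot: The new `while (!list_empty(&pl330->req_done))` loop in pl330_update() has no comment explaining why the iterator with a saved next pointer was dropped, which invites a later cleanup back to `list_for_each_entry_safe()` and the same stale-pointer crash shown in the commit message. A comment above the loop such as `/* The lock is dropped around the callback, so re-read the list head on every pass instead of trusting a saved next pointer */` would record the constraint. The rest of the loop body lies outside the hunk, so whether the lock is re-taken before the next `list_empty()` test cannot be confirmed from here.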
@@ -0,0 +1,79 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Srinivas Kandagatla
+Date: Thu, 15 Feb 2018 12:25:09 +0000
+Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt
+
+From: Srinivas Kandagatla
+
+[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ]
+
+When Linux is master of BAM, it can directly read registers to know number
+of supported channels, however when its remotely controlled reading these
+registers would trigger a crash if the BAM is not yet initialized or
+powered up on the remote side.
+
+This patch allows driver to read num-channels and num-ees from Device Tree
+for remotely controlled BAM.
+
+Signed-off-by: Srinivas Kandagatla
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/qcom/bam_dma.c
++++ b/drivers/dma/qcom/bam_dma.c
+@@ -387,6 +387,7 @@ struct bam_device {
+ struct device_dma_parameters dma_parms;
+ struct bam_chan *channels;
+ u32 num_channels;
++ u32 num_ees;
+
+ /* execution environment ID, from DT */
+ u32 ee;
+@@ -1076,15 +1077,19 @@ static int bam_init(struct bam_device *b
+ u32 val;
+
+ /* read revision and configuration information */
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT;
+- val &= NUM_EES_MASK;
++ if (!bdev->num_ees) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION));
++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK;
++ }
+
+ /* check that configured EE is within range */
+- if (bdev->ee >= val)
++ if (bdev->ee >= bdev->num_ees)
+ return -EINVAL;
+
+- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
+- bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ if (!bdev->num_channels) {
++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES));
++ bdev->num_channels = val & BAM_NUM_PIPES_MASK;
++ }
+
+ if (bdev->controlled_remotely)
+ return 0;
+@@ -1179,6 +1184,18 @@ static int bam_dma_probe(struct platform
+ bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node,
+ "qcom,controlled-remotely");
+
++ if (bdev->controlled_remotely) {
++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels",
++ &bdev->num_channels);
++ if (ret)
++ dev_err(bdev->dev, "num-channels unspecified in dt\n");
++
++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees",
++ &bdev->num_ees);
++ if (ret)
++ dev_err(bdev->dev, "num-ees unspecified in dt\n");
++ }
++
+ bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk");
+ if (IS_ERR(bdev->bamclk))
+ return PTR_ERR(bdev->bamclk);
diff --git a/queue-4.9/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch b/queue-4.9/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch
new file mode 100644
index 00000000000..16141d51670
--- /dev/null
+++ b/queue-4.9/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch
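Review bot: In the bam_dma_probe() hunk a missing `num-channels` or `qcom,num-ees` property is only logged with dev_err() and `ret` is then overwritten, so probing continues with the field presumably still zero. bam_init() then takes the `if (!bdev->num_ees)` and `if (!bdev->num_channels)` fallbacks and reads BAM_REVISION and BAM_NUM_PIPES, which is the register access the commit message says can crash a remotely controlled BAM. If the properties are meant to be mandatory in that mode, `if (ret) return ret;` after each read would fail cleanly. If the register fallback is deliberate for older device trees, dev_warn() and a comment saying so would match the behaviour. Both functions continue outside their hunks.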
@@ -0,0 +1,54 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Yoshihiro Shimoda
+Date: Fri, 2 Feb 2018 19:05:15 +0900
+Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue()
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ]
+
+This patch fixes an issue that a race condition happens between a client
+driver and the rcar-dmac driver:
+
+- The rcar_dmac_isr_transfer_end() is called.
+ - The done list appears, and desc.running is the next active list.
+- rcar_dmac_chan_get_residue() is called by a client driver before
+ rcar_dmac_isr_channel_thread() is called.
+ - The rcar_dmac_chan_get_residue() will not find any descriptors.
+ - And, the following WARNING happens:
+ WARN(1, "No descriptor for cookie!");
+
+The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this
+situation.
+So, this patch checks the done lists in rcar_dmac_chan_get_residue()
+and returns zero if the done lists has the argument cookie.
+
+Tested-by: Nguyen Viet Dung
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/sh/rcar-dmac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1246,8 +1246,17 @@ static unsigned int rcar_dmac_chan_get_r
+ * If the cookie doesn't correspond to the currently running transfer
+ * then the descriptor hasn't been processed yet, and the residue is
+ * equal to the full descriptor size.
++ * Also, a client driver is possible to call this function before
++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running"
++ * will be the next descriptor, and the done list will appear. So, if
++ * the argument cookie matches the done list's cookie, we can assume
++ * the residue is zero.
+ */
+ if (cookie != desc->async_tx.cookie) {
++ list_for_each_entry(desc, &chan->desc.done, node) {
++ if (cookie == desc->async_tx.cookie)
++ return 0;
++ }
+ list_for_each_entry(desc, &chan->desc.pending, node) {
+ if (cookie == desc->async_tx.cookie)
+ return desc->size;
diff --git a/queue-4.9/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch b/queue-4.9/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch
new file mode 100644
index 00000000000..93fa99694fa
--- /dev/null
+++ b/queue-4.9/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Yoshihiro Shimoda
+Date: Wed, 14 Feb 2018 18:40:12 +0900
+Subject: dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit d716d9b702bb759dd6fb50804f10a174bd156d71 ]
+
+According to R-Car Gen3 Rev.0.80 manual, the DMATCR can be set to
+16,777,215 as maximum. So, this patch fixes the max_chunk_size for
+safety on all of SoCs. Otherwise, a system may hang if the DMATCR
+is set to 0 on R-Car Gen3.
+
+Signed-off-by: Yoshihiro Shimoda
+Reviewed-by: Simon Horman
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -870,7 +870,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_
+
+ rcar_dmac_chan_configure_desc(chan, desc);
+
+- max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift;
++ max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift;
+
+ /*
+ * Allocate and fill the transfer chunk descriptors. We own the only
diff --git a/queue-4.9/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch b/queue-4.9/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch
new file mode 100644
index 00000000000..63ef37dd0b6
--- /dev/null
+++ b/queue-4.9/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Esben Haabendal
+Date: Sun, 8 Apr 2018 22:17:01 +0200
+Subject: dp83640: Ensure against premature access to PHY registers after reset
+
+From: Esben Haabendal
+
+[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ]
+
+The datasheet specifies a 3uS pause after performing a software
+reset. The default implementation of genphy_soft_reset() does not
+provide this, so implement soft_reset with the needed pause.
+
+Signed-off-by: Esben Haabendal
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83640.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1205,6 +1205,23 @@ static void dp83640_remove(struct phy_de
+ kfree(dp83640);
+ }
+
++static int dp83640_soft_reset(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = genphy_soft_reset(phydev);
++ if (ret < 0)
++ return ret;
++
++ /* From DP83640 datasheet: "Software driver code must wait 3 us
++ * following a software reset before allowing further serial MII
++ * operations with the DP83640."
++ */
++ udelay(10); /* Taking udelay inaccuracy into account */
++
++ return 0;
++}
++
+ static int dp83640_config_init(struct phy_device *phydev)
+ {
+ struct dp83640_private *dp83640 = phydev->priv;
+@@ -1498,6 +1515,7 @@ static struct phy_driver dp83640_driver
+ .flags = PHY_HAS_INTERRUPT,
+ .probe = dp83640_probe,
+ .remove = dp83640_remove,
++ .soft_reset = dp83640_soft_reset,
+ .config_init = dp83640_config_init,
+ .config_aneg = genphy_config_aneg,
+ .read_status = genphy_read_status,
diff --git a/queue-4.9/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch b/queue-4.9/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch
new file mode 100644
index 00000000000..ed6da6bfa71
--- /dev/null
+++ b/queue-4.9/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Aaro Koskinen
+Date: Fri, 16 Mar 2018 22:17:28 +0200
+Subject: drivers: macintosh: rack-meter: really fix bogus memsets
+
+From: Aaro Koskinen
+
+[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ]
+
+We should zero an array using sizeof instead of number of elements.
+
+Fixes the following compiler (GCC 7.3.0) warnings:
+
+drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause':
+drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
+
+Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets")
+Reported-by: Stephen Rothwell
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/macintosh/rack-meter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/macintosh/rack-meter.c
++++ b/drivers/macintosh/rack-meter.c
+@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra
+ DBDMA_DO_STOP(rm->dma_regs);
+ return;
+ }
+- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1));
+- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2));
++ memset(rdma->buf1, 0, sizeof(rdma->buf1));
++ memset(rdma->buf2, 0, sizeof(rdma->buf2));
+
+ rm->dma_buf_v->mark = 0;
+
diff --git a/queue-4.9/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.9/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch
new file mode 100644
index 00000000000..9d5215298d5
--- /dev/null
+++ b/queue-4.9/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Wolfram Sang
+Date: Mon, 5 Feb 2018 21:09:59 +0100
+Subject: drm/exynos: fix comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang
+
+[ Upstream commit 1293b6191010672c0c9dacae8f71c6f3e4d70cbe ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Signed-off-by: Wolfram Sang
+Signed-off-by: Inki Dae
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/exynos/regs-fimc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/exynos/regs-fimc.h
++++ b/drivers/gpu/drm/exynos/regs-fimc.h
+@@ -569,7 +569,7 @@
+ #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26)
+ #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26)
+ #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26)
+-#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0))
++#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0))
+
+ /* Real input DMA size register */
+ #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31)
diff --git a/queue-4.9/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch b/queue-4.9/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch
new file mode 100644
index 00000000000..2b053846a72
--- /dev/null
+++ b/queue-4.9/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Markus Elfring
+Date: Thu, 8 Feb 2018 18:42:51 +0100
+Subject: drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions
+
+From: Markus Elfring
+
+[ Upstream commit 6f0a60298bbbea43ab5e3955913ab19c153076f3 ]
+
+Omit an extra message for a memory allocation failure in these functions.
+
+This issue was detected by using the Coccinelle software.
+
+Signed-off-by: Markus Elfring
+Signed-off-by: Inki Dae
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -286,7 +286,6 @@ static int g2d_init_cmdlist(struct g2d_d
+
+ node = kcalloc(G2D_CMDLIST_NUM, sizeof(*node), GFP_KERNEL);
+ if (!node) {
+- dev_err(dev, "failed to allocate memory\n");
+ ret = -ENOMEM;
+ goto err;
+ }
+@@ -1358,10 +1357,9 @@ int exynos_g2d_exec_ioctl(struct drm_dev
+ return -EFAULT;
+
+ runqueue_node = kmem_cache_alloc(g2d->runqueue_slab, GFP_KERNEL);
+- if (!runqueue_node) {
+- dev_err(dev, "failed to allocate memory\n");
++ if (!runqueue_node)
+ return -ENOMEM;
+- }
++
+ run_cmdlist = &runqueue_node->run_cmdlist;
+ event_list = &runqueue_node->event_list;
+ INIT_LIST_HEAD(run_cmdlist);
diff --git a/queue-4.9/drm-exynos-g2d-use-monotonic-timestamps.patch b/queue-4.9/drm-exynos-g2d-use-monotonic-timestamps.patch
new file mode 100644
index 00000000000..636a4e571c9
--- /dev/null
+++ b/queue-4.9/drm-exynos-g2d-use-monotonic-timestamps.patch
@@ -0,0 +1,69 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arnd Bergmann
+Date: Wed, 17 Jan 2018 18:01:21 +0100
+Subject: drm/exynos: g2d: use monotonic timestamps
+
+From: Arnd Bergmann
+
+[ Upstream commit a588a8bb7b25a3fb4f7fed00feb7aec541fc2632 ]
+
+The exynos DRM driver uses real-time 'struct timeval' values
+for exporting its timestamps to user space. This has multiple
+problems:
+
+1. signed seconds overflow in y2038
+2. the 'struct timeval' definition is deprecated in the kernel
+3. time may jump or go backwards after a 'settimeofday()' syscall
+4. other DRM timestamps are in CLOCK_MONOTONIC domain, so they
+ can't be compared
+5. exporting microseconds requires a division by 1000, which may
+ be slow on some architectures.
+
+The code existed in two places before, but the IPP portion was
+removed in 8ded59413ccc ("drm/exynos: ipp: Remove Exynos DRM
+IPP subsystem"), so we no longer need to worry about it.
+
+Ideally timestamps should just use 64-bit nanoseconds instead, but
+of course we can't change that now. Instead, this tries to address
+the first four points above by using monotonic 'timespec' values.
+
+According to Tobias Jakobi, user space doesn't care about the
+timestamp at the moment, so we can change the format. Even if
+there is something looking at them, it will work just fine with
+monotonic times as long as the application only looks at the
+relative values between two events.
+
+Link: https://patchwork.kernel.org/patch/10038593/
+Cc: Tobias Jakobi
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Tobias Jakobi
+Signed-off-by: Inki Dae
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -926,7 +926,7 @@ static void g2d_finish_event(struct g2d_
+ struct drm_device *drm_dev = g2d->subdrv.drm_dev;
+ struct g2d_runqueue_node *runqueue_node = g2d->runqueue_node;
+ struct drm_exynos_pending_g2d_event *e;
+- struct timeval now;
++ struct timespec64 now;
+
+ if (list_empty(&runqueue_node->event_list))
+ return;
+@@ -934,9 +934,9 @@ static void g2d_finish_event(struct g2d_
+ e = list_first_entry(&runqueue_node->event_list,
+ struct drm_exynos_pending_g2d_event, base.link);
+
+- do_gettimeofday(&now);
++ ktime_get_ts64(&now);
+ e->event.tv_sec = now.tv_sec;
+- e->event.tv_usec = now.tv_usec;
++ e->event.tv_usec = now.tv_nsec / NSEC_PER_USEC;
+ e->event.cmdlist_no = cmdlist_no;
+
+ drm_send_event(drm_dev, &e->base);
diff --git a/queue-4.9/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch b/queue-4.9/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch
new file mode 100644
index 00000000000..15cf0ec4c6b
--- /dev/null
+++ b/queue-4.9/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch
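Review bot: The timestamp exported from g2d_finish_event() changes clock domain for user space, but nothing at the `e->event.tv_sec = now.tv_sec;` assignment records that. A comment above `ktime_get_ts64(&now);` such as `/* CLOCK_MONOTONIC: only the difference between two events is meaningful */` would stop a later reader from treating the fields as wall-clock time. The declared width of `e->event.tv_sec` is not visible in the hunk, so it is worth confirming that storing the 64-bit `now.tv_sec` there does not truncate in a way that matters.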
@@ -0,0 +1,48 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Lucas Stach
+Date: Thu, 15 Mar 2018 10:11:59 +0100
+Subject: drm/imx: move arming of the vblank event to atomic_flush
+
+From: Lucas Stach
+
+[ Upstream commit 6a055b92de15af987b4027826d43aa103c65a3c4 ]
+
+Right now the vblank event completion is racing with the atomic update,
+which is especially bad when the PRE is in use, as one of the hardware
+issue workaround might extend the atomic commit for quite some time.
+
+If the vblank IRQ happens to trigger during that time, we will prematurely
+signal the atomic commit completion to userspace, which causes tearing
+when userspace re-uses a framebuffer we haven't managed to flip away from
+yet.
+
+Signed-off-by: Lucas Stach
+Signed-off-by: Philipp Zabel
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -189,7 +189,11 @@ static void ipu_crtc_atomic_begin(struct
+ struct drm_crtc_state *old_crtc_state)
+ {
+ drm_crtc_vblank_on(crtc);
++}
+
++static void ipu_crtc_atomic_flush(struct drm_crtc *crtc,
++ struct drm_crtc_state *old_crtc_state)
++{
+ spin_lock_irq(&crtc->dev->event_lock);
+ if (crtc->state->event) {
+ WARN_ON(drm_crtc_vblank_get(crtc));
+@@ -257,6 +261,7 @@ static const struct drm_crtc_helper_func
+ .mode_set_nofb = ipu_crtc_mode_set_nofb,
+ .atomic_check = ipu_crtc_atomic_check,
+ .atomic_begin = ipu_crtc_atomic_begin,
++ .atomic_flush = ipu_crtc_atomic_flush,
+ .atomic_disable = ipu_crtc_atomic_disable,
+ .enable = ipu_crtc_enable,
+ };
diff --git a/queue-4.9/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch b/queue-4.9/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch
new file mode 100644
index 00000000000..1aeb09a10fe
--- /dev/null
+++ b/queue-4.9/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch
@@ -0,0 +1,3087 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Karol Herbst +Date: Mon, 6 Nov 2017 16:32:41 +0100 +Subject: drm/nouveau/pmu/fuc: don't use movw directly anymore + +From: Karol Herbst + +[ Upstream commit fe9748b7b41cee11f8db57fb8b20bc540a33102a ] + +Fixes failure to compile with recent envyas as a result of the 'movw' +alias being removed for v5. + +A bit of history: + +v3 only has a 16-bit sign-extended immediate mov op. In order to set +the high bits, there's a separate 'sethi' op. envyas validates that +the value passed to mov(imm) is between -0x8000 and 0x7fff. In order +to simplify macros that load both the low and high word, a 'movw' +alias was added which takes an unsigned 16-bit immediate. However the +actual hardware op still sign extends. + +v5 has a full 32-bit immediate mov op. The v3 16-bit immediate mov op +is gone (loads 0 into the dst reg). However due to a bug in envyas, +the movw alias still existed, and selected the no-longer-present v3 +16-bit immediate mov op. As a result usage of movw on v5 is the same +as mov with a 0x0 argument. + +The proper fix throughout is to only ever use the 'movw' alias in +combination with 'sethi'. Anything else should get the sign-extended +validation to ensure that the intended value ends up in the +destination register. + +Changes in fuc3 binaries is the result of a different encoding being +selected for a mov with an 8-bit value. + +v2: added commit message written by Ilia, thanks for that! 
+v3: messed up rebasing, now it should apply + +Signed-off-by: Karol Herbst +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h | 746 +++++------ + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h | 802 +++++------ + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h | 1006 +++++++-------- + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc | 30 + 4 files changed, 1292 insertions(+), 1292 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h +@@ -46,8 +46,8 @@ uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x00000756, +- 0x00000748, ++ 0x00000754, ++ 0x00000746, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -68,8 +68,8 @@ uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x0000075a, + 0x00000758, ++ 0x00000756, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -90,8 +90,8 @@ uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x00000b8a, +- 0x00000a2d, ++ 0x00000b88, ++ 0x00000a2b, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -112,8 +112,8 @@ uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000bb3, +- 0x00000b8c, ++ 0x00000bb1, ++ 0x00000b8a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -134,8 +134,8 @@ uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000bbf, + 0x00000bbd, ++ 0x00000bbb, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -236,19 +236,19 @@ uint32_t gf100_pmu_data[] = { + 0x000005d3, + 0x00000003, + 0x00000002, +- 0x0000069d, ++ 0x0000069b, + 0x00040004, + 0x00000000, +- 0x000006b9, ++ 0x000006b7, + 0x00010005, + 0x00000000, +- 0x000006d6, ++ 0x000006d4, + 0x00010006, + 0x00000000, + 0x0000065b, + 0x00000007, + 0x00000000, +- 0x000006e1, ++ 0x000006df, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 
0x00000000, +@@ -1372,432 +1372,432 @@ uint32_t gf100_pmu_code[] = { + /* 0x065b: memx_func_wait_vblank */ + 0x9800f840, + 0x66b00016, +- 0x130bf400, ++ 0x120bf400, + 0xf40166b0, + 0x0ef4060b, + /* 0x066d: memx_func_wait_vblank_head1 */ +- 0x2077f12e, +- 0x070ef400, +-/* 0x0674: memx_func_wait_vblank_head0 */ +- 0x000877f1, +-/* 0x0678: memx_func_wait_vblank_0 */ +- 0x07c467f1, +- 0xcf0664b6, +- 0x67fd0066, +- 0xf31bf404, +-/* 0x0688: memx_func_wait_vblank_1 */ +- 0x07c467f1, +- 0xcf0664b6, +- 0x67fd0066, +- 0xf30bf404, +-/* 0x0698: memx_func_wait_vblank_fini */ +- 0xf80410b6, +-/* 0x069d: memx_func_wr32 */ +- 0x00169800, +- 0xb6011598, +- 0x60f90810, +- 0xd0fc50f9, +- 0x21f4e0fc, +- 0x0242b640, +- 0xf8e91bf4, +-/* 0x06b9: memx_func_wait */ +- 0x2c87f000, +- 0xcf0684b6, +- 0x1e980088, +- 0x011d9800, +- 0x98021c98, +- 0x10b6031b, +- 0xa321f410, +-/* 0x06d6: memx_func_delay */ +- 0x1e9800f8, +- 0x0410b600, +- 0xf87e21f4, +-/* 0x06e1: memx_func_train */ +-/* 0x06e3: memx_exec */ +- 0xf900f800, +- 0xb9d0f9e0, +- 0xb2b902c1, +-/* 0x06ed: memx_exec_next */ +- 0x00139802, +- 0xe70410b6, +- 0xe701f034, +- 0xb601e033, +- 0x30f00132, +- 0xde35980c, +- 0x12b855f9, +- 0xe41ef406, +- 0x98f10b98, +- 0xcbbbf20c, +- 0xc4b7f102, +- 0x06b4b607, +- 0xfc00bbcf, +- 0xf5e0fcd0, +- 0xf8033621, +-/* 0x0729: memx_info */ +- 0x01c67000, +-/* 0x072f: memx_info_data */ +- 0xf10e0bf4, +- 0xf103ccc7, +- 0xf40800b7, +-/* 0x073a: memx_info_train */ +- 0xc7f10b0e, +- 0xb7f10bcc, +-/* 0x0742: memx_info_send */ +- 0x21f50100, +- 0x00f80336, +-/* 0x0748: memx_recv */ +- 0xf401d6b0, +- 0xd6b0980b, +- 0xd80bf400, +-/* 0x0756: memx_init */ +- 0x00f800f8, +-/* 0x0758: perf_recv */ +-/* 0x075a: perf_init */ ++ 0x2077f02c, ++/* 0x0673: memx_func_wait_vblank_head0 */ ++ 0xf0060ef4, ++/* 0x0676: memx_func_wait_vblank_0 */ ++ 0x67f10877, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x0686: memx_func_wait_vblank_1 */ ++ 0x67f1f31b, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x0696: 
memx_func_wait_vblank_fini */ ++ 0x10b6f30b, ++/* 0x069b: memx_func_wr32 */ ++ 0x9800f804, ++ 0x15980016, ++ 0x0810b601, ++ 0x50f960f9, ++ 0xe0fcd0fc, ++ 0xb64021f4, ++ 0x1bf40242, ++/* 0x06b7: memx_func_wait */ ++ 0xf000f8e9, ++ 0x84b62c87, ++ 0x0088cf06, ++ 0x98001e98, ++ 0x1c98011d, ++ 0x031b9802, ++ 0xf41010b6, ++ 0x00f8a321, ++/* 0x06d4: memx_func_delay */ ++ 0xb6001e98, ++ 0x21f40410, ++/* 0x06df: memx_func_train */ ++ 0xf800f87e, ++/* 0x06e1: memx_exec */ ++ 0xf9e0f900, ++ 0x02c1b9d0, ++/* 0x06eb: memx_exec_next */ ++ 0x9802b2b9, ++ 0x10b60013, ++ 0xf034e704, ++ 0xe033e701, ++ 0x0132b601, ++ 0x980c30f0, ++ 0x55f9de35, ++ 0xf40612b8, ++ 0x0b98e41e, ++ 0xf20c98f1, ++ 0xf102cbbb, ++ 0xb607c4b7, ++ 0xbbcf06b4, ++ 0xfcd0fc00, ++ 0x3621f5e0, ++/* 0x0727: memx_info */ ++ 0x7000f803, ++ 0x0bf401c6, ++/* 0x072d: memx_info_data */ ++ 0xccc7f10e, ++ 0x00b7f103, ++ 0x0b0ef408, ++/* 0x0738: memx_info_train */ ++ 0x0bccc7f1, ++ 0x0100b7f1, ++/* 0x0740: memx_info_send */ ++ 0x033621f5, ++/* 0x0746: memx_recv */ ++ 0xd6b000f8, ++ 0x980bf401, ++ 0xf400d6b0, ++ 0x00f8d80b, ++/* 0x0754: memx_init */ ++/* 0x0756: perf_recv */ + 0x00f800f8, +-/* 0x075c: i2c_drive_scl */ +- 0xf40036b0, +- 0x07f1110b, +- 0x04b607e0, +- 0x0001d006, +- 0x00f804bd, +-/* 0x0770: i2c_drive_scl_lo */ +- 0x07e407f1, +- 0xd00604b6, +- 0x04bd0001, +-/* 0x077e: i2c_drive_sda */ ++/* 0x0758: perf_init */ ++/* 0x075a: i2c_drive_scl */ + 0x36b000f8, + 0x110bf400, + 0x07e007f1, + 0xd00604b6, +- 0x04bd0002, +-/* 0x0792: i2c_drive_sda_lo */ ++ 0x04bd0001, ++/* 0x076e: i2c_drive_scl_lo */ + 0x07f100f8, + 0x04b607e4, ++ 0x0001d006, ++ 0x00f804bd, ++/* 0x077c: i2c_drive_sda */ ++ 0xf40036b0, ++ 0x07f1110b, ++ 0x04b607e0, + 0x0002d006, + 0x00f804bd, +-/* 0x07a0: i2c_sense_scl */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0431fd00, +- 0xf4060bf4, +-/* 0x07b6: i2c_sense_scl_done */ +- 0x00f80131, +-/* 0x07b8: i2c_sense_sda */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0432fd00, +- 0xf4060bf4, +-/* 0x07ce: 
i2c_sense_sda_done */ +- 0x00f80131, +-/* 0x07d0: i2c_raise_scl */ +- 0x47f140f9, +- 0x37f00898, +- 0x5c21f501, +-/* 0x07dd: i2c_raise_scl_wait */ +- 0xe8e7f107, +- 0x7e21f403, +- 0x07a021f5, +- 0xb60901f4, +- 0x1bf40142, +-/* 0x07f1: i2c_raise_scl_done */ +- 0xf840fcef, +-/* 0x07f5: i2c_start */ +- 0xa021f500, +- 0x0d11f407, +- 0x07b821f5, +- 0xf40611f4, +-/* 0x0806: i2c_start_rep */ +- 0x37f0300e, +- 0x5c21f500, +- 0x0137f007, +- 0x077e21f5, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0xd021f550, +- 0x0464b607, +-/* 0x0833: i2c_start_send */ +- 0xf01f11f4, ++/* 0x0790: i2c_drive_sda_lo */ ++ 0x07e407f1, ++ 0xd00604b6, ++ 0x04bd0002, ++/* 0x079e: i2c_sense_scl */ ++ 0x32f400f8, ++ 0xc437f101, ++ 0x0634b607, ++ 0xfd0033cf, ++ 0x0bf40431, ++ 0x0131f406, ++/* 0x07b4: i2c_sense_scl_done */ ++/* 0x07b6: i2c_sense_sda */ ++ 0x32f400f8, ++ 0xc437f101, ++ 0x0634b607, ++ 0xfd0033cf, ++ 0x0bf40432, ++ 0x0131f406, ++/* 0x07cc: i2c_sense_sda_done */ ++/* 0x07ce: i2c_raise_scl */ ++ 0x40f900f8, ++ 0x089847f1, ++ 0xf50137f0, ++/* 0x07db: i2c_raise_scl_wait */ ++ 0xf1075a21, ++ 0xf403e8e7, ++ 0x21f57e21, ++ 0x01f4079e, ++ 0x0142b609, ++/* 0x07ef: i2c_raise_scl_done */ ++ 0xfcef1bf4, ++/* 0x07f3: i2c_start */ ++ 0xf500f840, ++ 0xf4079e21, ++ 0x21f50d11, ++ 0x11f407b6, ++ 0x300ef406, ++/* 0x0804: i2c_start_rep */ ++ 0xf50037f0, ++ 0xf0075a21, ++ 0x21f50137, ++ 0x76bb077c, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb607ce21, ++ 0x11f40464, ++/* 0x0831: i2c_start_send */ ++ 0x0037f01f, ++ 0x077c21f5, ++ 0x1388e7f1, ++ 0xf07e21f4, + 0x21f50037, +- 0xe7f1077e, ++ 0xe7f1075a, + 0x21f41388, +- 0x0037f07e, +- 0x075c21f5, +- 0x1388e7f1, +-/* 0x084f: i2c_start_out */ +- 0xf87e21f4, +-/* 0x0851: i2c_stop */ +- 0x0037f000, +- 0x075c21f5, +- 0xf50037f0, +- 0xf1077e21, +- 0xf403e8e7, +- 0x37f07e21, +- 0x5c21f501, +- 0x88e7f107, +- 0x7e21f413, ++/* 0x084d: i2c_start_out */ ++/* 0x084f: i2c_stop */ ++ 0xf000f87e, ++ 
0x21f50037, ++ 0x37f0075a, ++ 0x7c21f500, ++ 0xe8e7f107, ++ 0x7e21f403, + 0xf50137f0, +- 0xf1077e21, ++ 0xf1075a21, + 0xf41388e7, +- 0x00f87e21, +-/* 0x0884: i2c_bitw */ +- 0x077e21f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x07d021f5, +- 0xf40464b6, +- 0xe7f11811, +- 0x21f41388, +- 0x0037f07e, +- 0x075c21f5, +- 0x1388e7f1, +-/* 0x08c3: i2c_bitw_out */ +- 0xf87e21f4, +-/* 0x08c5: i2c_bitr */ +- 0x0137f000, +- 0x077e21f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x07d021f5, +- 0xf40464b6, +- 0x21f51b11, +- 0x37f007b8, +- 0x5c21f500, ++ 0x37f07e21, ++ 0x7c21f501, + 0x88e7f107, + 0x7e21f413, +- 0xf4013cf0, +-/* 0x090a: i2c_bitr_done */ +- 0x00f80131, +-/* 0x090c: i2c_get_byte */ +- 0xf00057f0, +-/* 0x0912: i2c_get_byte_next */ +- 0x54b60847, +- 0x0076bb01, ++/* 0x0882: i2c_bitw */ ++ 0x21f500f8, ++ 0xe7f1077c, ++ 0x21f403e8, ++ 0x0076bb7e, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b608c5, +- 0x2b11f404, +- 0xb60553fd, +- 0x1bf40142, +- 0x0137f0d8, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0x8421f550, +- 0x0464b608, +-/* 0x095c: i2c_get_byte_done */ +-/* 0x095e: i2c_put_byte */ +- 0x47f000f8, +-/* 0x0961: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, ++ 0x64b607ce, ++ 0x1811f404, ++ 0x1388e7f1, ++ 0xf07e21f4, ++ 0x21f50037, ++ 0xe7f1075a, ++ 0x21f41388, ++/* 0x08c1: i2c_bitw_out */ ++/* 0x08c3: i2c_bitr */ ++ 0xf000f87e, ++ 0x21f50137, ++ 0xe7f1077c, ++ 0x21f403e8, ++ 0x0076bb7e, ++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b607ce, ++ 0x1b11f404, ++ 0x07b621f5, ++ 0xf50037f0, ++ 0xf1075a21, ++ 0xf41388e7, ++ 0x3cf07e21, ++ 0x0131f401, ++/* 0x0908: i2c_bitr_done */ ++/* 0x090a: i2c_get_byte */ ++ 0x57f000f8, ++ 0x0847f000, ++/* 0x0910: i2c_get_byte_next */ ++ 0xbb0154b6, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, 
+ 0x50fc0475, +- 0x088421f5, ++ 0x08c321f5, + 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0xc521f550, +- 0x0464b608, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x09b7: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x09b9: i2c_addr */ +- 0x0076bb00, ++ 0x53fd2b11, ++ 0x0142b605, ++ 0xf0d81bf4, ++ 0x76bb0137, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb6088221, ++/* 0x095a: i2c_get_byte_done */ ++ 0x00f80464, ++/* 0x095c: i2c_put_byte */ ++/* 0x095f: i2c_put_byte_next */ ++ 0xb60847f0, ++ 0x54ff0142, ++ 0x0076bb38, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b607f5, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, ++ 0x64b60882, ++ 0x3411f404, ++ 0xf40046b0, ++ 0x76bbd81b, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb6095e21, +-/* 0x09fe: i2c_addr_done */ +- 0x00f80464, +-/* 0x0a00: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b702e4, +- 0xee980d1c, +-/* 0x0a0f: i2c_acquire */ +- 0xf500f800, +- 0xf40a0021, +- 0xd9f00421, +- 0x4021f403, +-/* 0x0a1e: i2c_release */ +- 0x21f500f8, +- 0x21f40a00, +- 0x03daf004, +- 0xf84021f4, +-/* 0x0a2d: i2c_recv */ +- 0x0132f400, +- 0xb6f8c1c7, +- 0x16b00214, +- 0x3a1ff528, +- 0xf413a001, +- 0x0032980c, +- 0x0ccc13a0, +- 0xf4003198, +- 0xd0f90231, +- 0xd0f9e0f9, +- 0x000067f1, +- 0x100063f1, +- 0xbb016792, ++ 0xb608c321, ++ 0x11f40464, ++ 0x0076bb0f, ++ 0xf40136b0, ++ 0x32f4061b, ++/* 0x09b5: i2c_put_byte_done */ ++/* 0x09b7: i2c_addr */ ++ 0xbb00f801, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0a0f21f5, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b31bf5, +- 0xbb0057f0, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x09b921f5, +- 0xf50464b6, +- 0xc700d011, +- 0x76bbe0c5, +- 0x0465b600, +- 0x659450f9, +- 0x0256bb04, +- 0x75fd50bd, +- 0xf550fc04, +- 0xb6095e21, +- 0x11f50464, +- 0x57f000ad, ++ 
0x07f321f5, ++ 0xf40464b6, ++ 0xc3e72911, ++ 0x34b6012e, ++ 0x0553fd01, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x5c21f550, ++ 0x0464b609, ++/* 0x09fc: i2c_addr_done */ ++/* 0x09fe: i2c_acquire_addr */ ++ 0xcec700f8, ++ 0x02e4b6f8, ++ 0x0d1ce0b7, ++ 0xf800ee98, ++/* 0x0a0d: i2c_acquire */ ++ 0xfe21f500, ++ 0x0421f409, ++ 0xf403d9f0, ++ 0x00f84021, ++/* 0x0a1c: i2c_release */ ++ 0x09fe21f5, ++ 0xf00421f4, ++ 0x21f403da, ++/* 0x0a2b: i2c_recv */ ++ 0xf400f840, ++ 0xc1c70132, ++ 0x0214b6f8, ++ 0xf52816b0, ++ 0xa0013a1f, ++ 0x980cf413, ++ 0x13a00032, ++ 0x31980ccc, ++ 0x0231f400, ++ 0xe0f9d0f9, ++ 0x67f1d0f9, ++ 0x63f10000, ++ 0x67921000, + 0x0076bb01, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b609b9, +- 0x8a11f504, ++ 0x64b60a0d, ++ 0xb0d0fc04, ++ 0x1bf500d6, ++ 0x57f000b3, + 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b6090c, +- 0x6a11f404, +- 0xbbe05bcb, ++ 0x64b609b7, ++ 0xd011f504, ++ 0xe0c5c700, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x5c21f550, ++ 0x0464b609, ++ 0x00ad11f5, ++ 0xbb0157f0, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x085121f5, +- 0xb90464b6, +- 0x74bd025b, +-/* 0x0b33: i2c_recv_not_rd08 */ +- 0xb0430ef4, +- 0x1bf401d6, +- 0x0057f03d, +- 0x09b921f5, +- 0xc73311f4, +- 0x21f5e0c5, +- 0x11f4095e, +- 0x0057f029, +- 0x09b921f5, +- 0xc71f11f4, +- 0x21f5e0b5, +- 0x11f4095e, +- 0x5121f515, +- 0xc774bd08, +- 0x1bf408c5, +- 0x0232f409, +-/* 0x0b73: i2c_recv_not_wr08 */ +-/* 0x0b73: i2c_recv_done */ +- 0xc7030ef4, +- 0x21f5f8ce, +- 0xe0fc0a1e, +- 0x12f4d0fc, +- 0x027cb90a, +- 0x033621f5, +-/* 0x0b88: i2c_recv_exit */ +-/* 0x0b8a: i2c_init */ +- 0x00f800f8, +-/* 0x0b8c: test_recv */ +- 0x05d817f1, ++ 0x09b721f5, ++ 0xf50464b6, ++ 0xbb008a11, ++ 0x65b60076, ++ 0x9450f904, ++ 0x56bb0465, ++ 0xfd50bd02, ++ 0x50fc0475, ++ 0x090a21f5, ++ 0xf40464b6, ++ 0x5bcb6a11, ++ 0x0076bbe0, 
++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b6084f, ++ 0x025bb904, ++ 0x0ef474bd, ++/* 0x0b31: i2c_recv_not_rd08 */ ++ 0x01d6b043, ++ 0xf03d1bf4, ++ 0x21f50057, ++ 0x11f409b7, ++ 0xe0c5c733, ++ 0x095c21f5, ++ 0xf02911f4, ++ 0x21f50057, ++ 0x11f409b7, ++ 0xe0b5c71f, ++ 0x095c21f5, ++ 0xf51511f4, ++ 0xbd084f21, ++ 0x08c5c774, ++ 0xf4091bf4, ++ 0x0ef40232, ++/* 0x0b71: i2c_recv_not_wr08 */ ++/* 0x0b71: i2c_recv_done */ ++ 0xf8cec703, ++ 0x0a1c21f5, ++ 0xd0fce0fc, ++ 0xb90a12f4, ++ 0x21f5027c, ++/* 0x0b86: i2c_recv_exit */ ++ 0x00f80336, ++/* 0x0b88: i2c_init */ ++/* 0x0b8a: test_recv */ ++ 0x17f100f8, ++ 0x14b605d8, ++ 0x0011cf06, ++ 0xf10110b6, ++ 0xb605d807, ++ 0x01d00604, ++ 0xf104bd00, ++ 0xf1d900e7, ++ 0xf5134fe3, ++ 0xf8025621, ++/* 0x0bb1: test_init */ ++ 0x00e7f100, ++ 0x5621f508, ++/* 0x0bbb: idle_recv */ ++ 0xf800f802, ++/* 0x0bbd: idle */ ++ 0x0031f400, ++ 0x05d417f1, + 0xcf0614b6, + 0x10b60011, +- 0xd807f101, ++ 0xd407f101, + 0x0604b605, + 0xbd0001d0, +- 0x00e7f104, +- 0x4fe3f1d9, +- 0x5621f513, +-/* 0x0bb3: test_init */ +- 0xf100f802, +- 0xf50800e7, +- 0xf8025621, +-/* 0x0bbd: idle_recv */ +-/* 0x0bbf: idle */ +- 0xf400f800, +- 0x17f10031, +- 0x14b605d4, +- 0x0011cf06, +- 0xf10110b6, +- 0xb605d407, +- 0x01d00604, +-/* 0x0bdb: idle_loop */ +- 0xf004bd00, +- 0x32f45817, +-/* 0x0be1: idle_proc */ +-/* 0x0be1: idle_proc_exec */ +- 0xb910f902, +- 0x21f5021e, +- 0x10fc033f, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0bf5: idle_proc_next */ +- 0x5810b6ef, +- 0xf4061fb8, +- 0x02f4e61b, +- 0x0028f4dd, +- 0x00bb0ef4, ++/* 0x0bd9: idle_loop */ ++ 0x5817f004, ++/* 0x0bdf: idle_proc */ ++/* 0x0bdf: idle_proc_exec */ ++ 0xf90232f4, ++ 0x021eb910, ++ 0x033f21f5, ++ 0x11f410fc, ++ 0x0231f409, ++/* 0x0bf3: idle_proc_next */ ++ 0xb6ef0ef4, ++ 0x1fb85810, ++ 0xe61bf406, ++ 0xf4dd02f4, ++ 0x0ef40028, ++ 0x000000bb, + 0x00000000, + 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h ++++ 
b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h +@@ -46,8 +46,8 @@ uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x000005f3, +- 0x000005e5, ++ 0x000005ee, ++ 0x000005e0, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -68,8 +68,8 @@ uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x000005f7, +- 0x000005f5, ++ 0x000005f2, ++ 0x000005f0, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -90,8 +90,8 @@ uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x000009f8, +- 0x000008a2, ++ 0x000009f3, ++ 0x0000089d, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -112,8 +112,8 @@ uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000a16, +- 0x000009fa, ++ 0x00000a11, ++ 0x000009f5, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -134,8 +134,8 @@ uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000a21, +- 0x00000a1f, ++ 0x00000a1c, ++ 0x00000a1a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -233,22 +233,22 @@ uint32_t gk208_pmu_data[] = { + /* 0x037c: memx_func_next */ + 0x00000002, + 0x00000000, +- 0x000004cf, ++ 0x000004cc, + 0x00000003, + 0x00000002, +- 0x00000546, ++ 0x00000541, + 0x00040004, + 0x00000000, +- 0x00000563, ++ 0x0000055e, + 0x00010005, + 0x00000000, +- 0x0000057d, ++ 0x00000578, + 0x00010006, + 0x00000000, +- 0x00000541, ++ 0x0000053c, + 0x00000007, + 0x00000000, +- 0x00000589, ++ 0x00000584, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 0x00000000, +@@ -1238,454 +1238,454 @@ uint32_t gk208_pmu_code[] = { + 0x0001f604, + 0x00f804bd, + /* 0x045c: memx_func_enter */ +- 0x162067f1, +- 0xf55d77f1, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90487fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0x0700002d, +- 0x7e6eb2fe, ++ 0x47162046, ++ 0x6eb2f55d, ++ 0x0000047e, ++ 0x87fdd8b2, ++ 0xf960f904, ++ 0xfcd0fc80, ++ 0x002d7ee0, ++ 0xb2fe0700, ++ 0x00047e6e, ++ 0xfdd8b200, ++ 0x60f90487, ++ 0xd0fc80f9, ++ 0x2d7ee0fc, ++ 0xf0460000, ++ 
0x7e6eb226, + 0xb2000004, + 0x0487fdd8, + 0x80f960f9, + 0xe0fcd0fc, + 0x00002d7e, +- 0x26f067f1, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90487fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0x0600002d, +- 0x07e04004, +- 0xbd0006f6, +-/* 0x04b9: memx_func_enter_wait */ +- 0x07c04604, +- 0xf00066cf, +- 0x0bf40464, +- 0xcf2c06f7, +- 0x06b50066, +-/* 0x04cf: memx_func_leave */ +- 0x0600f8f1, +- 0x0066cf2c, +- 0x06f206b5, +- 0x07e44004, +- 0xbd0006f6, +-/* 0x04e1: memx_func_leave_wait */ +- 0x07c04604, +- 0xf00066cf, +- 0x1bf40464, +- 0xf067f1f7, ++ 0xe0400406, ++ 0x0006f607, ++/* 0x04b6: memx_func_enter_wait */ ++ 0xc04604bd, ++ 0x0066cf07, ++ 0xf40464f0, ++ 0x2c06f70b, ++ 0xb50066cf, ++ 0x00f8f106, ++/* 0x04cc: memx_func_leave */ ++ 0x66cf2c06, ++ 0xf206b500, ++ 0xe4400406, ++ 0x0006f607, ++/* 0x04de: memx_func_leave_wait */ ++ 0xc04604bd, ++ 0x0066cf07, ++ 0xf40464f0, ++ 0xf046f71b, + 0xb2010726, + 0x00047e6e, + 0xfdd8b200, + 0x60f90587, + 0xd0fc80f9, + 0x2d7ee0fc, +- 0x67f10000, +- 0x6eb21620, +- 0x0000047e, +- 0x87fdd8b2, +- 0xf960f905, +- 0xfcd0fc80, +- 0x002d7ee0, +- 0x0aa24700, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90587fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0xf800002d, +-/* 0x0541: memx_func_wait_vblank */ ++ 0x20460000, ++ 0x7e6eb216, ++ 0xb2000004, ++ 0x0587fdd8, ++ 0x80f960f9, ++ 0xe0fcd0fc, ++ 0x00002d7e, ++ 0xb20aa247, ++ 0x00047e6e, ++ 0xfdd8b200, ++ 0x60f90587, ++ 0xd0fc80f9, ++ 0x2d7ee0fc, ++ 0x00f80000, ++/* 0x053c: memx_func_wait_vblank */ ++ 0xf80410b6, ++/* 0x0541: memx_func_wr32 */ ++ 0x00169800, ++ 0xb6011598, ++ 0x60f90810, ++ 0xd0fc50f9, ++ 0x2d7ee0fc, ++ 0x42b60000, ++ 0xe81bf402, ++/* 0x055e: memx_func_wait */ ++ 0x2c0800f8, ++ 0x980088cf, ++ 0x1d98001e, ++ 0x021c9801, ++ 0xb6031b98, ++ 0x747e1010, ++ 0x00f80000, ++/* 0x0578: memx_func_delay */ ++ 0xb6001e98, ++ 0x587e0410, ++ 0x00f80000, ++/* 0x0584: memx_func_train */ ++/* 0x0586: memx_exec */ ++ 0xe0f900f8, ++ 0xc1b2d0f9, ++/* 0x058e: memx_exec_next */ ++ 0x1398b2b2, + 0x0410b600, +-/* 0x0546: memx_func_wr32 
*/ +- 0x169800f8, +- 0x01159800, +- 0xf90810b6, +- 0xfc50f960, ++ 0x01f034e7, ++ 0x01e033e7, ++ 0xf00132b6, ++ 0x35980c30, ++ 0xa655f9de, ++ 0xe51ef412, ++ 0x98f10b98, ++ 0xcbbbf20c, ++ 0x07c44b02, ++ 0xfc00bbcf, + 0x7ee0fcd0, +- 0xb600002d, +- 0x1bf40242, +-/* 0x0563: memx_func_wait */ +- 0x0800f8e8, +- 0x0088cf2c, +- 0x98001e98, +- 0x1c98011d, +- 0x031b9802, +- 0x7e1010b6, +- 0xf8000074, +-/* 0x057d: memx_func_delay */ +- 0x001e9800, +- 0x7e0410b6, +- 0xf8000058, +-/* 0x0589: memx_func_train */ +-/* 0x058b: memx_exec */ +- 0xf900f800, +- 0xb2d0f9e0, +-/* 0x0593: memx_exec_next */ +- 0x98b2b2c1, +- 0x10b60013, +- 0xf034e704, +- 0xe033e701, +- 0x0132b601, +- 0x980c30f0, +- 0x55f9de35, +- 0x1ef412a6, +- 0xf10b98e5, +- 0xbbf20c98, +- 0xc44b02cb, +- 0x00bbcf07, +- 0xe0fcd0fc, +- 0x00029f7e, +-/* 0x05ca: memx_info */ +- 0xc67000f8, +- 0x0c0bf401, +-/* 0x05d0: memx_info_data */ +- 0x4b03cc4c, +- 0x0ef40800, +-/* 0x05d9: memx_info_train */ +- 0x0bcc4c09, +-/* 0x05df: memx_info_send */ +- 0x7e01004b, + 0xf800029f, +-/* 0x05e5: memx_recv */ +- 0x01d6b000, +- 0xb0a30bf4, +- 0x0bf400d6, +-/* 0x05f3: memx_init */ +- 0xf800f8dc, +-/* 0x05f5: perf_recv */ +-/* 0x05f7: perf_init */ +- 0xf800f800, +-/* 0x05f9: i2c_drive_scl */ +- 0x0036b000, +- 0x400d0bf4, +- 0x01f607e0, +- 0xf804bd00, +-/* 0x0609: i2c_drive_scl_lo */ +- 0x07e44000, +- 0xbd0001f6, +-/* 0x0613: i2c_drive_sda */ +- 0xb000f804, +- 0x0bf40036, +- 0x07e0400d, +- 0xbd0002f6, +-/* 0x0623: i2c_drive_sda_lo */ +- 0x4000f804, +- 0x02f607e4, +- 0xf804bd00, +-/* 0x062d: i2c_sense_scl */ +- 0x0132f400, +- 0xcf07c443, +- 0x31fd0033, +- 0x060bf404, +-/* 0x063f: i2c_sense_scl_done */ +- 0xf80131f4, +-/* 0x0641: i2c_sense_sda */ +- 0x0132f400, +- 0xcf07c443, +- 0x32fd0033, +- 0x060bf404, +-/* 0x0653: i2c_sense_sda_done */ +- 0xf80131f4, +-/* 0x0655: i2c_raise_scl */ +- 0x4440f900, +- 0x01030898, +- 0x0005f97e, +-/* 0x0660: i2c_raise_scl_wait */ +- 0x7e03e84e, +- 0x7e000058, +- 0xf400062d, +- 0x42b60901, +- 0xef1bf401, +-/* 
0x0674: i2c_raise_scl_done */ +- 0x00f840fc, +-/* 0x0678: i2c_start */ +- 0x00062d7e, +- 0x7e0d11f4, +- 0xf4000641, +- 0x0ef40611, +-/* 0x0689: i2c_start_rep */ +- 0x7e00032e, +- 0x030005f9, +- 0x06137e01, ++/* 0x05c5: memx_info */ ++ 0x01c67000, ++/* 0x05cb: memx_info_data */ ++ 0x4c0c0bf4, ++ 0x004b03cc, ++ 0x090ef408, ++/* 0x05d4: memx_info_train */ ++ 0x4b0bcc4c, ++/* 0x05da: memx_info_send */ ++ 0x9f7e0100, ++ 0x00f80002, ++/* 0x05e0: memx_recv */ ++ 0xf401d6b0, ++ 0xd6b0a30b, ++ 0xdc0bf400, ++/* 0x05ee: memx_init */ ++ 0x00f800f8, ++/* 0x05f0: perf_recv */ ++/* 0x05f2: perf_init */ ++ 0x00f800f8, ++/* 0x05f4: i2c_drive_scl */ ++ 0xf40036b0, ++ 0xe0400d0b, ++ 0x0001f607, ++ 0x00f804bd, ++/* 0x0604: i2c_drive_scl_lo */ ++ 0xf607e440, ++ 0x04bd0001, ++/* 0x060e: i2c_drive_sda */ ++ 0x36b000f8, ++ 0x0d0bf400, ++ 0xf607e040, ++ 0x04bd0002, ++/* 0x061e: i2c_drive_sda_lo */ ++ 0xe44000f8, ++ 0x0002f607, ++ 0x00f804bd, ++/* 0x0628: i2c_sense_scl */ ++ 0x430132f4, ++ 0x33cf07c4, ++ 0x0431fd00, ++ 0xf4060bf4, ++/* 0x063a: i2c_sense_scl_done */ ++ 0x00f80131, ++/* 0x063c: i2c_sense_sda */ ++ 0x430132f4, ++ 0x33cf07c4, ++ 0x0432fd00, ++ 0xf4060bf4, ++/* 0x064e: i2c_sense_sda_done */ ++ 0x00f80131, ++/* 0x0650: i2c_raise_scl */ ++ 0x984440f9, ++ 0x7e010308, ++/* 0x065b: i2c_raise_scl_wait */ ++ 0x4e0005f4, ++ 0x587e03e8, ++ 0x287e0000, ++ 0x01f40006, ++ 0x0142b609, ++/* 0x066f: i2c_raise_scl_done */ ++ 0xfcef1bf4, ++/* 0x0673: i2c_start */ ++ 0x7e00f840, ++ 0xf4000628, ++ 0x3c7e0d11, ++ 0x11f40006, ++ 0x2e0ef406, ++/* 0x0684: i2c_start_rep */ ++ 0xf47e0003, ++ 0x01030005, ++ 0x00060e7e, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x06507e50, ++ 0x0464b600, ++/* 0x06af: i2c_start_send */ ++ 0x031d11f4, ++ 0x060e7e00, ++ 0x13884e00, ++ 0x0000587e, ++ 0xf47e0003, ++ 0x884e0005, ++ 0x00587e13, ++/* 0x06c9: i2c_start_out */ ++/* 0x06cb: i2c_stop */ ++ 0x0300f800, ++ 0x05f47e00, ++ 0x7e000300, ++ 0x4e00060e, ++ 0x587e03e8, ++ 0x01030000, ++ 
0x0005f47e, ++ 0x7e13884e, ++ 0x03000058, ++ 0x060e7e01, ++ 0x13884e00, ++ 0x0000587e, ++/* 0x06fa: i2c_bitw */ ++ 0x0e7e00f8, ++ 0xe84e0006, ++ 0x00587e03, + 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0x557e50fc, ++ 0x507e50fc, + 0x64b60006, +- 0x1d11f404, +-/* 0x06b4: i2c_start_send */ +- 0x137e0003, +- 0x884e0006, +- 0x00587e13, +- 0x7e000300, +- 0x4e0005f9, +- 0x587e1388, +-/* 0x06ce: i2c_start_out */ +- 0x00f80000, +-/* 0x06d0: i2c_stop */ +- 0xf97e0003, +- 0x00030005, +- 0x0006137e, +- 0x7e03e84e, ++ 0x1711f404, ++ 0x7e13884e, + 0x03000058, +- 0x05f97e01, ++ 0x05f47e00, + 0x13884e00, + 0x0000587e, +- 0x137e0103, +- 0x884e0006, +- 0x00587e13, +-/* 0x06ff: i2c_bitw */ +- 0x7e00f800, +- 0x4e000613, +- 0x587e03e8, +- 0x76bb0000, ++/* 0x0738: i2c_bitw_out */ ++/* 0x073a: i2c_bitr */ ++ 0x010300f8, ++ 0x00060e7e, ++ 0x7e03e84e, ++ 0xbb000058, ++ 0x65b60076, ++ 0x9450f904, ++ 0x56bb0465, ++ 0xfd50bd02, ++ 0x50fc0475, ++ 0x0006507e, ++ 0xf40464b6, ++ 0x3c7e1a11, ++ 0x00030006, ++ 0x0005f47e, ++ 0x7e13884e, ++ 0xf0000058, ++ 0x31f4013c, ++/* 0x077d: i2c_bitr_done */ ++/* 0x077f: i2c_get_byte */ ++ 0x0500f801, ++/* 0x0783: i2c_get_byte_next */ ++ 0xb6080400, ++ 0x76bb0154, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0x7e50fc04, +- 0xb6000655, ++ 0xb600073a, + 0x11f40464, +- 0x13884e17, +- 0x0000587e, +- 0xf97e0003, +- 0x884e0005, +- 0x00587e13, +-/* 0x073d: i2c_bitw_out */ +-/* 0x073f: i2c_bitr */ +- 0x0300f800, +- 0x06137e01, +- 0x03e84e00, +- 0x0000587e, ++ 0x0553fd2a, ++ 0xf40142b6, ++ 0x0103d81b, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0x06557e50, ++ 0x06fa7e50, + 0x0464b600, +- 0x7e1a11f4, +- 0x03000641, +- 0x05f97e00, +- 0x13884e00, +- 0x0000587e, +- 0xf4013cf0, +-/* 0x0782: i2c_bitr_done */ +- 0x00f80131, +-/* 0x0784: i2c_get_byte */ +- 0x08040005, +-/* 0x0788: i2c_get_byte_next */ +- 0xbb0154b6, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x00073f7e, +- 
0xf40464b6, +- 0x53fd2a11, +- 0x0142b605, +- 0x03d81bf4, +- 0x0076bb01, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0xff7e50fc, +- 0x64b60006, +-/* 0x07d1: i2c_get_byte_done */ +-/* 0x07d3: i2c_put_byte */ +- 0x0400f804, +-/* 0x07d5: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, ++/* 0x07cc: i2c_get_byte_done */ ++/* 0x07ce: i2c_put_byte */ ++ 0x080400f8, ++/* 0x07d0: i2c_put_byte_next */ ++ 0xff0142b6, ++ 0x76bb3854, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb60006fa, ++ 0x11f40464, ++ 0x0046b034, ++ 0xbbd81bf4, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0006ff7e, ++ 0x00073a7e, + 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, ++ 0x76bb0f11, ++ 0x0136b000, ++ 0xf4061bf4, ++/* 0x0826: i2c_put_byte_done */ ++ 0x00f80132, ++/* 0x0828: i2c_addr */ + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0x073f7e50, ++ 0x06737e50, + 0x0464b600, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x082b: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x082d: i2c_addr */ +- 0x0076bb00, ++ 0xe72911f4, ++ 0xb6012ec3, ++ 0x53fd0134, ++ 0x0076bb05, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0x787e50fc, +- 0x64b60006, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, +- 0x0465b600, +- 0x659450f9, +- 0x0256bb04, +- 0x75fd50bd, +- 0x7e50fc04, +- 0xb60007d3, +-/* 0x0872: i2c_addr_done */ +- 0x00f80464, +-/* 0x0874: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b705e4, +- 0x00f8d014, +-/* 0x0880: i2c_acquire */ +- 0x0008747e, ++ 0xce7e50fc, ++ 0x64b60007, ++/* 0x086d: i2c_addr_done */ ++/* 0x086f: i2c_acquire_addr */ ++ 0xc700f804, ++ 0xe4b6f8ce, ++ 0x14e0b705, ++/* 0x087b: i2c_acquire */ ++ 0x7e00f8d0, ++ 0x7e00086f, ++ 0xf0000004, ++ 0x2d7e03d9, ++ 0x00f80000, ++/* 0x088c: i2c_release */ ++ 0x00086f7e, + 0x0000047e, +- 0x7e03d9f0, ++ 0x7e03daf0, + 0xf800002d, +-/* 0x0891: i2c_release */ +- 0x08747e00, +- 0x00047e00, +- 0x03daf000, +- 0x00002d7e, +-/* 0x08a2: 
i2c_recv */ +- 0x32f400f8, +- 0xf8c1c701, +- 0xb00214b6, +- 0x1ff52816, +- 0x13b80134, +- 0x98000cf4, +- 0x13b80032, +- 0x98000ccc, +- 0x31f40031, +- 0xf9d0f902, +- 0xd6d0f9e0, +- 0x10000000, +- 0xbb016792, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x0008807e, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b01bf5, +- 0x76bb0005, ++/* 0x089d: i2c_recv */ ++ 0x0132f400, ++ 0xb6f8c1c7, ++ 0x16b00214, ++ 0x341ff528, ++ 0xf413b801, ++ 0x3298000c, ++ 0xcc13b800, ++ 0x3198000c, ++ 0x0231f400, ++ 0xe0f9d0f9, ++ 0x00d6d0f9, ++ 0x92100000, ++ 0x76bb0167, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0x7e50fc04, +- 0xb600082d, +- 0x11f50464, +- 0xc5c700cc, +- 0x0076bbe0, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0xd37e50fc, +- 0x64b60007, +- 0xa911f504, +- 0xbb010500, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x00082d7e, +- 0xf50464b6, +- 0xbb008711, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x0007847e, +- 0xf40464b6, +- 0x5bcb6711, +- 0x0076bbe0, ++ 0xb600087b, ++ 0xd0fc0464, ++ 0xf500d6b0, ++ 0x0500b01b, ++ 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0xd07e50fc, +- 0x64b60006, +- 0xbd5bb204, +- 0x410ef474, +-/* 0x09a4: i2c_recv_not_rd08 */ +- 0xf401d6b0, +- 0x00053b1b, +- 0x00082d7e, +- 0xc73211f4, +- 0xd37ee0c5, +- 0x11f40007, +- 0x7e000528, +- 0xf400082d, +- 0xb5c71f11, +- 0x07d37ee0, +- 0x1511f400, +- 0x0006d07e, +- 0xc5c774bd, +- 0x091bf408, +- 0xf40232f4, +-/* 0x09e2: i2c_recv_not_wr08 */ +-/* 0x09e2: i2c_recv_done */ +- 0xcec7030e, +- 0x08917ef8, +- 0xfce0fc00, +- 0x0912f4d0, +- 0x9f7e7cb2, +-/* 0x09f6: i2c_recv_exit */ +- 0x00f80002, +-/* 0x09f8: i2c_init */ +-/* 0x09fa: test_recv */ +- 0x584100f8, +- 0x0011cf04, +- 0x400110b6, +- 0x01f60458, +- 0xde04bd00, +- 0x134fd900, +- 0x0001de7e, +-/* 0x0a16: test_init */ +- 0x004e00f8, +- 0x01de7e08, +-/* 0x0a1f: idle_recv */ ++ 0x287e50fc, ++ 0x64b60008, ++ 0xcc11f504, 
++ 0xe0c5c700, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x07ce7e50, ++ 0x0464b600, ++ 0x00a911f5, ++ 0x76bb0105, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb6000828, ++ 0x11f50464, ++ 0x76bb0087, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb600077f, ++ 0x11f40464, ++ 0xe05bcb67, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x06cb7e50, ++ 0x0464b600, ++ 0x74bd5bb2, ++/* 0x099f: i2c_recv_not_rd08 */ ++ 0xb0410ef4, ++ 0x1bf401d6, ++ 0x7e00053b, ++ 0xf4000828, ++ 0xc5c73211, ++ 0x07ce7ee0, ++ 0x2811f400, ++ 0x287e0005, ++ 0x11f40008, ++ 0xe0b5c71f, ++ 0x0007ce7e, ++ 0x7e1511f4, ++ 0xbd0006cb, ++ 0x08c5c774, ++ 0xf4091bf4, ++ 0x0ef40232, ++/* 0x09dd: i2c_recv_not_wr08 */ ++/* 0x09dd: i2c_recv_done */ ++ 0xf8cec703, ++ 0x00088c7e, ++ 0xd0fce0fc, ++ 0xb20912f4, ++ 0x029f7e7c, ++/* 0x09f1: i2c_recv_exit */ ++/* 0x09f3: i2c_init */ + 0xf800f800, +-/* 0x0a21: idle */ +- 0x0031f400, +- 0xcf045441, +- 0x10b60011, +- 0x04544001, +- 0xbd0001f6, +-/* 0x0a35: idle_loop */ +- 0xf4580104, +-/* 0x0a3a: idle_proc */ +-/* 0x0a3a: idle_proc_exec */ +- 0x10f90232, +- 0xa87e1eb2, +- 0x10fc0002, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0a4d: idle_proc_next */ +- 0x5810b6f0, +- 0x1bf41fa6, +- 0xe002f4e8, +- 0xf40028f4, +- 0x0000c60e, ++/* 0x09f5: test_recv */ ++ 0x04584100, ++ 0xb60011cf, ++ 0x58400110, ++ 0x0001f604, ++ 0x00de04bd, ++ 0x7e134fd9, ++ 0xf80001de, ++/* 0x0a11: test_init */ ++ 0x08004e00, ++ 0x0001de7e, ++/* 0x0a1a: idle_recv */ ++ 0x00f800f8, ++/* 0x0a1c: idle */ ++ 0x410031f4, ++ 0x11cf0454, ++ 0x0110b600, ++ 0xf6045440, ++ 0x04bd0001, ++/* 0x0a30: idle_loop */ ++ 0x32f45801, ++/* 0x0a35: idle_proc */ ++/* 0x0a35: idle_proc_exec */ ++ 0xb210f902, ++ 0x02a87e1e, ++ 0xf410fc00, ++ 0x31f40911, ++ 0xf00ef402, ++/* 0x0a48: idle_proc_next */ ++ 0xa65810b6, ++ 0xe81bf41f, ++ 0xf4e002f4, ++ 0x0ef40028, ++ 0x000000c6, ++ 0x00000000, + 0x00000000, 
+ 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h +@@ -46,8 +46,8 @@ uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x0000083a, +- 0x0000082c, ++ 0x00000833, ++ 0x00000825, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -68,8 +68,8 @@ uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x0000083e, +- 0x0000083c, ++ 0x00000837, ++ 0x00000835, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -90,8 +90,8 @@ uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x00000c6e, +- 0x00000b11, ++ 0x00000c67, ++ 0x00000b0a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -112,8 +112,8 @@ uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000c97, +- 0x00000c70, ++ 0x00000c90, ++ 0x00000c69, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -134,8 +134,8 @@ uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000ca3, +- 0x00000ca1, ++ 0x00000c9c, ++ 0x00000c9a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -233,22 +233,22 @@ uint32_t gt215_pmu_data[] = { + /* 0x037c: memx_func_next */ + 0x00000002, + 0x00000000, +- 0x000005a0, ++ 0x0000059f, + 0x00000003, + 0x00000002, +- 0x00000632, ++ 0x0000062f, + 0x00040004, + 0x00000000, +- 0x0000064e, ++ 0x0000064b, + 0x00010005, + 0x00000000, +- 0x0000066b, ++ 0x00000668, + 0x00010006, + 0x00000000, +- 0x000005f0, ++ 0x000005ef, + 0x00000007, + 0x00000000, +- 0x00000676, ++ 0x00000673, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 0x00000000, +@@ -1304,560 +1304,560 @@ uint32_t gt215_pmu_code[] = { + 0x67f102d7, + 0x63f1fffc, + 0x76fdffff, +- 0x0267f104, +- 0x0576fd00, +- 0x70f980f9, +- 0xe0fcd0fc, +- 0xf04021f4, ++ 0x0267f004, ++ 0xf90576fd, ++ 0xfc70f980, ++ 0xf4e0fcd0, ++ 0x67f04021, ++ 0xe007f104, ++ 0x0604b607, ++ 0xbd0006d0, ++/* 0x0581: memx_func_enter_wait */ ++ 0xc067f104, ++ 0x0664b607, ++ 
0xf00066cf, ++ 0x0bf40464, ++ 0x2c67f0f3, ++ 0xcf0664b6, ++ 0x06800066, ++/* 0x059f: memx_func_leave */ ++ 0xf000f8f1, ++ 0x64b62c67, ++ 0x0066cf06, ++ 0xf0f20680, + 0x07f10467, +- 0x04b607e0, ++ 0x04b607e4, + 0x0006d006, +-/* 0x0582: memx_func_enter_wait */ ++/* 0x05ba: memx_func_leave_wait */ + 0x67f104bd, + 0x64b607c0, + 0x0066cf06, + 0xf40464f0, +- 0x67f0f30b, +- 0x0664b62c, +- 0x800066cf, +- 0x00f8f106, +-/* 0x05a0: memx_func_leave */ +- 0xb62c67f0, +- 0x66cf0664, +- 0xf2068000, +- 0xf10467f0, +- 0xb607e407, +- 0x06d00604, +-/* 0x05bb: memx_func_leave_wait */ +- 0xf104bd00, +- 0xb607c067, +- 0x66cf0664, +- 0x0464f000, +- 0xf1f31bf4, +- 0xb9161087, +- 0x21f4028e, +- 0x02d7b904, +- 0xffcc67f1, +- 0xffff63f1, +- 0xf90476fd, +- 0xfc70f980, +- 0xf4e0fcd0, +- 0x00f84021, +-/* 0x05f0: memx_func_wait_vblank */ +- 0xb0001698, +- 0x0bf40066, +- 0x0166b013, +- 0xf4060bf4, +-/* 0x0602: memx_func_wait_vblank_head1 */ +- 0x77f12e0e, +- 0x0ef40020, +-/* 0x0609: memx_func_wait_vblank_head0 */ +- 0x0877f107, +-/* 0x060d: memx_func_wait_vblank_0 */ +- 0xc467f100, +- 0x0664b607, +- 0xfd0066cf, +- 0x1bf40467, +-/* 0x061d: memx_func_wait_vblank_1 */ +- 0xc467f1f3, +- 0x0664b607, +- 0xfd0066cf, +- 0x0bf40467, +-/* 0x062d: memx_func_wait_vblank_fini */ +- 0x0410b6f3, +-/* 0x0632: memx_func_wr32 */ +- 0x169800f8, +- 0x01159800, +- 0xf90810b6, +- 0xfc50f960, +- 0xf4e0fcd0, +- 0x42b64021, +- 0xe91bf402, +-/* 0x064e: memx_func_wait */ +- 0x87f000f8, +- 0x0684b62c, +- 0x980088cf, +- 0x1d98001e, +- 0x021c9801, +- 0xb6031b98, +- 0x21f41010, +-/* 0x066b: memx_func_delay */ +- 0x9800f8a3, +- 0x10b6001e, +- 0x7e21f404, +-/* 0x0676: memx_func_train */ +- 0x57f100f8, +- 0x77f10003, +- 0x97f10000, +- 0x93f00000, +- 0x029eb970, +- 0xb90421f4, +- 0xe7f102d8, +- 0x21f42710, +-/* 0x0695: memx_func_train_loop_outer */ +- 0x0158e07e, +- 0x0083f101, +- 0xe097f102, +- 0x1193f011, +- 0x80f990f9, ++ 0x87f1f31b, ++ 0x8eb91610, ++ 0x0421f402, ++ 0xf102d7b9, ++ 0xf1ffcc67, ++ 0xfdffff63, ++ 0x80f90476, ++ 
0xd0fc70f9, ++ 0x21f4e0fc, ++/* 0x05ef: memx_func_wait_vblank */ ++ 0x9800f840, ++ 0x66b00016, ++ 0x120bf400, ++ 0xf40166b0, ++ 0x0ef4060b, ++/* 0x0601: memx_func_wait_vblank_head1 */ ++ 0x2077f02c, ++/* 0x0607: memx_func_wait_vblank_head0 */ ++ 0xf0060ef4, ++/* 0x060a: memx_func_wait_vblank_0 */ ++ 0x67f10877, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x061a: memx_func_wait_vblank_1 */ ++ 0x67f1f31b, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x062a: memx_func_wait_vblank_fini */ ++ 0x10b6f30b, ++/* 0x062f: memx_func_wr32 */ ++ 0x9800f804, ++ 0x15980016, ++ 0x0810b601, ++ 0x50f960f9, + 0xe0fcd0fc, +- 0xf94021f4, +- 0x0067f150, +-/* 0x06b5: memx_func_train_loop_inner */ +- 0x1187f100, +- 0x9068ff11, +- 0xfd109894, +- 0x97f10589, +- 0x93f00720, +- 0xf990f910, +- 0xfcd0fc80, +- 0x4021f4e0, +- 0x008097f1, +- 0xb91093f0, +- 0x21f4029e, +- 0x02d8b904, +- 0xf92088c5, ++ 0xb64021f4, ++ 0x1bf40242, ++/* 0x064b: memx_func_wait */ ++ 0xf000f8e9, ++ 0x84b62c87, ++ 0x0088cf06, ++ 0x98001e98, ++ 0x1c98011d, ++ 0x031b9802, ++ 0xf41010b6, ++ 0x00f8a321, ++/* 0x0668: memx_func_delay */ ++ 0xb6001e98, ++ 0x21f40410, ++/* 0x0673: memx_func_train */ ++ 0xf000f87e, ++ 0x77f00357, ++ 0x0097f100, ++ 0x7093f000, ++ 0xf4029eb9, ++ 0xd8b90421, ++ 0x10e7f102, ++ 0x7e21f427, ++/* 0x0690: memx_func_train_loop_outer */ ++ 0x010158e0, ++ 0x020083f1, ++ 0x11e097f1, ++ 0xf91193f0, ++ 0xfc80f990, ++ 0xf4e0fcd0, ++ 0x50f94021, ++/* 0x06af: memx_func_train_loop_inner */ ++ 0xf10067f0, ++ 0xff111187, ++ 0x98949068, ++ 0x0589fd10, ++ 0x072097f1, ++ 0xf91093f0, + 0xfc80f990, + 0xf4e0fcd0, + 0x97f14021, +- 0x93f0053c, +- 0x0287f110, +- 0x0083f130, +- 0xf990f980, ++ 0x93f00080, ++ 0x029eb910, ++ 0xb90421f4, ++ 0x88c502d8, ++ 0xf990f920, + 0xfcd0fc80, + 0x4021f4e0, +- 0x0560e7f1, +- 0xf110e3f0, +- 0xf10000d7, +- 0x908000d3, +- 0xb7f100dc, +- 0xb3f08480, +- 0xa321f41e, +- 0x000057f1, +- 0xffff97f1, +- 0x830093f1, +-/* 0x0734: memx_func_train_loop_4x */ +- 0x0080a7f1, +- 0xb910a3f0, +- 
0x21f402ae, +- 0x02d8b904, +- 0xffdfb7f1, +- 0xffffb3f1, +- 0xf9048bfd, +- 0xfc80f9a0, ++ 0x053c97f1, ++ 0xf11093f0, ++ 0xf1300287, ++ 0xf9800083, ++ 0xfc80f990, + 0xf4e0fcd0, +- 0xa7f14021, +- 0xa3f0053c, +- 0x0287f110, +- 0x0083f130, +- 0xf9a0f980, +- 0xfcd0fc80, +- 0x4021f4e0, +- 0x0560e7f1, +- 0xf110e3f0, +- 0xf10000d7, +- 0xb98000d3, +- 0xb7f102dc, +- 0xb3f02710, +- 0xa321f400, +- 0xf402eeb9, +- 0xddb90421, +- 0x949dff02, ++ 0xe7f14021, ++ 0xe3f00560, ++ 0x00d7f110, ++ 0x00d3f100, ++ 0x00dc9080, ++ 0x8480b7f1, ++ 0xf41eb3f0, ++ 0x57f0a321, ++ 0xff97f100, ++ 0x0093f1ff, ++/* 0x072d: memx_func_train_loop_4x */ ++ 0x80a7f183, ++ 0x10a3f000, ++ 0xf402aeb9, ++ 0xd8b90421, ++ 0xdfb7f102, ++ 0xffb3f1ff, ++ 0x048bfdff, ++ 0x80f9a0f9, ++ 0xe0fcd0fc, ++ 0xf14021f4, ++ 0xf0053ca7, ++ 0x87f110a3, ++ 0x83f13002, ++ 0xa0f98000, ++ 0xd0fc80f9, ++ 0x21f4e0fc, ++ 0x60e7f140, ++ 0x10e3f005, ++ 0x0000d7f1, ++ 0x8000d3f1, ++ 0xf102dcb9, ++ 0xf02710b7, ++ 0x21f400b3, ++ 0x02eeb9a3, ++ 0xb90421f4, ++ 0x9dff02dd, ++ 0x0150b694, ++ 0xf4045670, ++ 0x7aa0921e, ++ 0xa9800bcc, ++ 0x0160b600, ++ 0x700470b6, ++ 0x1ef51066, ++ 0x50fcff01, + 0x700150b6, +- 0x1ef40456, +- 0xcc7aa092, +- 0x00a9800b, +- 0xb60160b6, +- 0x66700470, +- 0x001ef510, +- 0xb650fcff, +- 0x56700150, +- 0xd41ef507, +-/* 0x07c7: memx_exec */ +- 0xf900f8fe, +- 0xb9d0f9e0, +- 0xb2b902c1, +-/* 0x07d1: memx_exec_next */ +- 0x00139802, +- 0xe70410b6, +- 0xe701f034, +- 0xb601e033, +- 0x30f00132, +- 0xde35980c, +- 0x12b855f9, +- 0xe41ef406, +- 0x98f10b98, +- 0xcbbbf20c, +- 0xc4b7f102, +- 0x06b4b607, +- 0xfc00bbcf, +- 0xf5e0fcd0, ++ 0x1ef50756, ++ 0x00f8fed6, ++/* 0x07c0: memx_exec */ ++ 0xd0f9e0f9, ++ 0xb902c1b9, ++/* 0x07ca: memx_exec_next */ ++ 0x139802b2, ++ 0x0410b600, ++ 0x01f034e7, ++ 0x01e033e7, ++ 0xf00132b6, ++ 0x35980c30, ++ 0xb855f9de, ++ 0x1ef40612, ++ 0xf10b98e4, ++ 0xbbf20c98, ++ 0xb7f102cb, ++ 0xb4b607c4, ++ 0x00bbcf06, ++ 0xe0fcd0fc, ++ 0x033621f5, ++/* 0x0806: memx_info */ ++ 0xc67000f8, ++ 0x0e0bf401, ++/* 
0x080c: memx_info_data */ ++ 0x03ccc7f1, ++ 0x0800b7f1, ++/* 0x0817: memx_info_train */ ++ 0xf10b0ef4, ++ 0xf10bccc7, ++/* 0x081f: memx_info_send */ ++ 0xf50100b7, + 0xf8033621, +-/* 0x080d: memx_info */ +- 0x01c67000, +-/* 0x0813: memx_info_data */ +- 0xf10e0bf4, +- 0xf103ccc7, +- 0xf40800b7, +-/* 0x081e: memx_info_train */ +- 0xc7f10b0e, +- 0xb7f10bcc, +-/* 0x0826: memx_info_send */ +- 0x21f50100, +- 0x00f80336, +-/* 0x082c: memx_recv */ +- 0xf401d6b0, +- 0xd6b0980b, +- 0xd80bf400, +-/* 0x083a: memx_init */ +- 0x00f800f8, +-/* 0x083c: perf_recv */ +-/* 0x083e: perf_init */ +- 0x00f800f8, +-/* 0x0840: i2c_drive_scl */ +- 0xf40036b0, +- 0x07f1110b, +- 0x04b607e0, +- 0x0001d006, +- 0x00f804bd, +-/* 0x0854: i2c_drive_scl_lo */ +- 0x07e407f1, +- 0xd00604b6, +- 0x04bd0001, +-/* 0x0862: i2c_drive_sda */ +- 0x36b000f8, +- 0x110bf400, +- 0x07e007f1, +- 0xd00604b6, +- 0x04bd0002, +-/* 0x0876: i2c_drive_sda_lo */ +- 0x07f100f8, +- 0x04b607e4, +- 0x0002d006, +- 0x00f804bd, +-/* 0x0884: i2c_sense_scl */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0431fd00, +- 0xf4060bf4, +-/* 0x089a: i2c_sense_scl_done */ +- 0x00f80131, +-/* 0x089c: i2c_sense_sda */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0432fd00, +- 0xf4060bf4, +-/* 0x08b2: i2c_sense_sda_done */ +- 0x00f80131, +-/* 0x08b4: i2c_raise_scl */ +- 0x47f140f9, +- 0x37f00898, +- 0x4021f501, +-/* 0x08c1: i2c_raise_scl_wait */ ++/* 0x0825: memx_recv */ ++ 0x01d6b000, ++ 0xb0980bf4, ++ 0x0bf400d6, ++/* 0x0833: memx_init */ ++ 0xf800f8d8, ++/* 0x0835: perf_recv */ ++/* 0x0837: perf_init */ ++ 0xf800f800, ++/* 0x0839: i2c_drive_scl */ ++ 0x0036b000, ++ 0xf1110bf4, ++ 0xb607e007, ++ 0x01d00604, ++ 0xf804bd00, ++/* 0x084d: i2c_drive_scl_lo */ ++ 0xe407f100, ++ 0x0604b607, ++ 0xbd0001d0, ++/* 0x085b: i2c_drive_sda */ ++ 0xb000f804, ++ 0x0bf40036, ++ 0xe007f111, ++ 0x0604b607, ++ 0xbd0002d0, ++/* 0x086f: i2c_drive_sda_lo */ ++ 0xf100f804, ++ 0xb607e407, ++ 0x02d00604, ++ 0xf804bd00, ++/* 0x087d: i2c_sense_scl */ ++ 
0x0132f400, ++ 0x07c437f1, ++ 0xcf0634b6, ++ 0x31fd0033, ++ 0x060bf404, ++/* 0x0893: i2c_sense_scl_done */ ++ 0xf80131f4, ++/* 0x0895: i2c_sense_sda */ ++ 0x0132f400, ++ 0x07c437f1, ++ 0xcf0634b6, ++ 0x32fd0033, ++ 0x060bf404, ++/* 0x08ab: i2c_sense_sda_done */ ++ 0xf80131f4, ++/* 0x08ad: i2c_raise_scl */ ++ 0xf140f900, ++ 0xf0089847, ++ 0x21f50137, ++/* 0x08ba: i2c_raise_scl_wait */ ++ 0xe7f10839, ++ 0x21f403e8, ++ 0x7d21f57e, ++ 0x0901f408, ++ 0xf40142b6, ++/* 0x08ce: i2c_raise_scl_done */ ++ 0x40fcef1b, ++/* 0x08d2: i2c_start */ ++ 0x21f500f8, ++ 0x11f4087d, ++ 0x9521f50d, ++ 0x0611f408, ++/* 0x08e3: i2c_start_rep */ ++ 0xf0300ef4, ++ 0x21f50037, ++ 0x37f00839, ++ 0x5b21f501, ++ 0x0076bb08, ++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b608ad, ++ 0x1f11f404, ++/* 0x0910: i2c_start_send */ ++ 0xf50037f0, ++ 0xf1085b21, ++ 0xf41388e7, ++ 0x37f07e21, ++ 0x3921f500, ++ 0x88e7f108, ++ 0x7e21f413, ++/* 0x092c: i2c_start_out */ ++/* 0x092e: i2c_stop */ ++ 0x37f000f8, ++ 0x3921f500, ++ 0x0037f008, ++ 0x085b21f5, ++ 0x03e8e7f1, ++ 0xf07e21f4, ++ 0x21f50137, ++ 0xe7f10839, ++ 0x21f41388, ++ 0x0137f07e, ++ 0x085b21f5, ++ 0x1388e7f1, ++ 0xf87e21f4, ++/* 0x0961: i2c_bitw */ ++ 0x5b21f500, + 0xe8e7f108, + 0x7e21f403, +- 0x088421f5, +- 0xb60901f4, +- 0x1bf40142, +-/* 0x08d5: i2c_raise_scl_done */ +- 0xf840fcef, +-/* 0x08d9: i2c_start */ +- 0x8421f500, +- 0x0d11f408, +- 0x089c21f5, +- 0xf40611f4, +-/* 0x08ea: i2c_start_rep */ +- 0x37f0300e, +- 0x4021f500, +- 0x0137f008, +- 0x086221f5, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0xb421f550, ++ 0xad21f550, + 0x0464b608, +-/* 0x0917: i2c_start_send */ +- 0xf01f11f4, +- 0x21f50037, +- 0xe7f10862, +- 0x21f41388, +- 0x0037f07e, +- 0x084021f5, +- 0x1388e7f1, +-/* 0x0933: i2c_start_out */ +- 0xf87e21f4, +-/* 0x0935: i2c_stop */ +- 0x0037f000, +- 0x084021f5, +- 0xf50037f0, +- 0xf1086221, +- 0xf403e8e7, ++ 0xf11811f4, ++ 0xf41388e7, + 0x37f07e21, +- 0x4021f501, ++ 
0x3921f500, + 0x88e7f108, + 0x7e21f413, +- 0xf50137f0, +- 0xf1086221, +- 0xf41388e7, +- 0x00f87e21, +-/* 0x0968: i2c_bitw */ +- 0x086221f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x08b421f5, +- 0xf40464b6, +- 0xe7f11811, ++/* 0x09a0: i2c_bitw_out */ ++/* 0x09a2: i2c_bitr */ ++ 0x37f000f8, ++ 0x5b21f501, ++ 0xe8e7f108, ++ 0x7e21f403, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0xad21f550, ++ 0x0464b608, ++ 0xf51b11f4, ++ 0xf0089521, ++ 0x21f50037, ++ 0xe7f10839, + 0x21f41388, +- 0x0037f07e, +- 0x084021f5, +- 0x1388e7f1, +-/* 0x09a7: i2c_bitw_out */ +- 0xf87e21f4, +-/* 0x09a9: i2c_bitr */ +- 0x0137f000, +- 0x086221f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x08b421f5, +- 0xf40464b6, +- 0x21f51b11, +- 0x37f0089c, +- 0x4021f500, +- 0x88e7f108, +- 0x7e21f413, +- 0xf4013cf0, +-/* 0x09ee: i2c_bitr_done */ +- 0x00f80131, +-/* 0x09f0: i2c_get_byte */ +- 0xf00057f0, +-/* 0x09f6: i2c_get_byte_next */ +- 0x54b60847, ++ 0x013cf07e, ++/* 0x09e7: i2c_bitr_done */ ++ 0xf80131f4, ++/* 0x09e9: i2c_get_byte */ ++ 0x0057f000, ++/* 0x09ef: i2c_get_byte_next */ ++ 0xb60847f0, ++ 0x76bb0154, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb609a221, ++ 0x11f40464, ++ 0x0553fd2b, ++ 0xf40142b6, ++ 0x37f0d81b, + 0x0076bb01, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b609a9, +- 0x2b11f404, +- 0xb60553fd, +- 0x1bf40142, +- 0x0137f0d8, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0x6821f550, +- 0x0464b609, +-/* 0x0a40: i2c_get_byte_done */ +-/* 0x0a42: i2c_put_byte */ +- 0x47f000f8, +-/* 0x0a45: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x096821f5, +- 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, ++ 0x64b60961, ++/* 0x0a39: i2c_get_byte_done */ 
++/* 0x0a3b: i2c_put_byte */ ++ 0xf000f804, ++/* 0x0a3e: i2c_put_byte_next */ ++ 0x42b60847, ++ 0x3854ff01, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0xa921f550, ++ 0x6121f550, + 0x0464b609, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x0a9b: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x0a9d: i2c_addr */ +- 0x0076bb00, ++ 0xb03411f4, ++ 0x1bf40046, ++ 0x0076bbd8, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b608d9, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, ++ 0x64b609a2, ++ 0x0f11f404, ++ 0xb00076bb, ++ 0x1bf40136, ++ 0x0132f406, ++/* 0x0a94: i2c_put_byte_done */ ++/* 0x0a96: i2c_addr */ ++ 0x76bb00f8, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb60a4221, +-/* 0x0ae2: i2c_addr_done */ +- 0x00f80464, +-/* 0x0ae4: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b702e4, +- 0xee980d1c, +-/* 0x0af3: i2c_acquire */ +- 0xf500f800, +- 0xf40ae421, +- 0xd9f00421, +- 0x4021f403, +-/* 0x0b02: i2c_release */ +- 0x21f500f8, +- 0x21f40ae4, +- 0x03daf004, +- 0xf84021f4, +-/* 0x0b11: i2c_recv */ +- 0x0132f400, +- 0xb6f8c1c7, +- 0x16b00214, +- 0x3a1ff528, +- 0xf413a001, +- 0x0032980c, +- 0x0ccc13a0, +- 0xf4003198, +- 0xd0f90231, +- 0xd0f9e0f9, +- 0x000067f1, +- 0x100063f1, +- 0xbb016792, ++ 0xb608d221, ++ 0x11f40464, ++ 0x2ec3e729, ++ 0x0134b601, ++ 0xbb0553fd, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0af321f5, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b31bf5, +- 0xbb0057f0, ++ 0x0a3b21f5, ++/* 0x0adb: i2c_addr_done */ ++ 0xf80464b6, ++/* 0x0add: i2c_acquire_addr */ ++ 0xf8cec700, ++ 0xb702e4b6, ++ 0x980d1ce0, ++ 0x00f800ee, ++/* 0x0aec: i2c_acquire */ ++ 0x0add21f5, ++ 0xf00421f4, ++ 0x21f403d9, ++/* 0x0afb: i2c_release */ ++ 0xf500f840, ++ 0xf40add21, ++ 0xdaf00421, ++ 0x4021f403, ++/* 0x0b0a: i2c_recv */ ++ 0x32f400f8, ++ 0xf8c1c701, ++ 0xb00214b6, ++ 0x1ff52816, ++ 0x13a0013a, ++ 0x32980cf4, ++ 0xcc13a000, ++ 0x0031980c, ++ 0xf90231f4, ++ 
0xf9e0f9d0, ++ 0x0067f1d0, ++ 0x0063f100, ++ 0x01679210, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0xec21f550, ++ 0x0464b60a, ++ 0xd6b0d0fc, ++ 0xb31bf500, ++ 0x0057f000, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x9621f550, ++ 0x0464b60a, ++ 0x00d011f5, ++ 0xbbe0c5c7, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0a9d21f5, ++ 0x0a3b21f5, + 0xf50464b6, +- 0xc700d011, +- 0x76bbe0c5, ++ 0xf000ad11, ++ 0x76bb0157, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb60a4221, ++ 0xb60a9621, + 0x11f50464, +- 0x57f000ad, +- 0x0076bb01, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0x21f550fc, +- 0x64b60a9d, +- 0x8a11f504, +- 0x0076bb00, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0x21f550fc, +- 0x64b609f0, +- 0x6a11f404, +- 0xbbe05bcb, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x093521f5, +- 0xb90464b6, +- 0x74bd025b, +-/* 0x0c17: i2c_recv_not_rd08 */ +- 0xb0430ef4, +- 0x1bf401d6, +- 0x0057f03d, +- 0x0a9d21f5, +- 0xc73311f4, +- 0x21f5e0c5, +- 0x11f40a42, +- 0x0057f029, +- 0x0a9d21f5, +- 0xc71f11f4, +- 0x21f5e0b5, +- 0x11f40a42, +- 0x3521f515, +- 0xc774bd09, +- 0x1bf408c5, +- 0x0232f409, +-/* 0x0c57: i2c_recv_not_wr08 */ +-/* 0x0c57: i2c_recv_done */ +- 0xc7030ef4, +- 0x21f5f8ce, +- 0xe0fc0b02, +- 0x12f4d0fc, +- 0x027cb90a, +- 0x033621f5, +-/* 0x0c6c: i2c_recv_exit */ +-/* 0x0c6e: i2c_init */ ++ 0x76bb008a, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb609e921, ++ 0x11f40464, ++ 0xe05bcb6a, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x2e21f550, ++ 0x0464b609, ++ 0xbd025bb9, ++ 0x430ef474, ++/* 0x0c10: i2c_recv_not_rd08 */ ++ 0xf401d6b0, ++ 0x57f03d1b, ++ 0x9621f500, ++ 0x3311f40a, ++ 0xf5e0c5c7, ++ 0xf40a3b21, ++ 0x57f02911, ++ 0x9621f500, ++ 0x1f11f40a, ++ 0xf5e0b5c7, ++ 0xf40a3b21, ++ 0x21f51511, ++ 
0x74bd092e, ++ 0xf408c5c7, ++ 0x32f4091b, ++ 0x030ef402, ++/* 0x0c50: i2c_recv_not_wr08 */ ++/* 0x0c50: i2c_recv_done */ ++ 0xf5f8cec7, ++ 0xfc0afb21, ++ 0xf4d0fce0, ++ 0x7cb90a12, ++ 0x3621f502, ++/* 0x0c65: i2c_recv_exit */ ++/* 0x0c67: i2c_init */ ++ 0xf800f803, ++/* 0x0c69: test_recv */ ++ 0xd817f100, ++ 0x0614b605, ++ 0xb60011cf, ++ 0x07f10110, ++ 0x04b605d8, ++ 0x0001d006, ++ 0xe7f104bd, ++ 0xe3f1d900, ++ 0x21f5134f, ++ 0x00f80256, ++/* 0x0c90: test_init */ ++ 0x0800e7f1, ++ 0x025621f5, ++/* 0x0c9a: idle_recv */ + 0x00f800f8, +-/* 0x0c70: test_recv */ +- 0x05d817f1, +- 0xcf0614b6, +- 0x10b60011, +- 0xd807f101, +- 0x0604b605, +- 0xbd0001d0, +- 0x00e7f104, +- 0x4fe3f1d9, +- 0x5621f513, +-/* 0x0c97: test_init */ +- 0xf100f802, +- 0xf50800e7, +- 0xf8025621, +-/* 0x0ca1: idle_recv */ +-/* 0x0ca3: idle */ +- 0xf400f800, +- 0x17f10031, +- 0x14b605d4, +- 0x0011cf06, +- 0xf10110b6, +- 0xb605d407, +- 0x01d00604, +-/* 0x0cbf: idle_loop */ +- 0xf004bd00, +- 0x32f45817, +-/* 0x0cc5: idle_proc */ +-/* 0x0cc5: idle_proc_exec */ +- 0xb910f902, +- 0x21f5021e, +- 0x10fc033f, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0cd9: idle_proc_next */ +- 0x5810b6ef, +- 0xf4061fb8, +- 0x02f4e61b, +- 0x0028f4dd, +- 0x00bb0ef4, ++/* 0x0c9c: idle */ ++ 0xf10031f4, ++ 0xb605d417, ++ 0x11cf0614, ++ 0x0110b600, ++ 0x05d407f1, ++ 0xd00604b6, ++ 0x04bd0001, ++/* 0x0cb8: idle_loop */ ++ 0xf45817f0, ++/* 0x0cbe: idle_proc */ ++/* 0x0cbe: idle_proc_exec */ ++ 0x10f90232, ++ 0xf5021eb9, ++ 0xfc033f21, ++ 0x0911f410, ++ 0xf40231f4, ++/* 0x0cd2: idle_proc_next */ ++ 0x10b6ef0e, ++ 0x061fb858, ++ 0xf4e61bf4, ++ 0x28f4dd02, ++ 0xbb0ef400, ++ 0x00000000, ++ 0x00000000, + 0x00000000, + 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc +@@ -82,15 +82,15 @@ memx_train_tail: + // $r0 - zero + memx_func_enter: + #if NVKM_PPWR_CHIPSET == GT215 +- movw $r8 0x1610 ++ mov $r8 0x1610 + nv_rd32($r7, $r8) + imm32($r6, 
0xfffffffc) + and $r7 $r6 +- movw $r6 0x2 ++ mov $r6 0x2 + or $r7 $r6 + nv_wr32($r8, $r7) + #else +- movw $r6 0x001620 ++ mov $r6 0x001620 + imm32($r7, ~0x00000aa2); + nv_rd32($r8, $r6) + and $r8 $r7 +@@ -101,7 +101,7 @@ memx_func_enter: + and $r8 $r7 + nv_wr32($r6, $r8) + +- movw $r6 0x0026f0 ++ mov $r6 0x0026f0 + nv_rd32($r8, $r6) + and $r8 $r7 + nv_wr32($r6, $r8) +@@ -136,19 +136,19 @@ memx_func_leave: + bra nz #memx_func_leave_wait + + #if NVKM_PPWR_CHIPSET == GT215 +- movw $r8 0x1610 ++ mov $r8 0x1610 + nv_rd32($r7, $r8) + imm32($r6, 0xffffffcc) + and $r7 $r6 + nv_wr32($r8, $r7) + #else +- movw $r6 0x0026f0 ++ mov $r6 0x0026f0 + imm32($r7, 0x00000001) + nv_rd32($r8, $r6) + or $r8 $r7 + nv_wr32($r6, $r8) + +- movw $r6 0x001620 ++ mov $r6 0x001620 + nv_rd32($r8, $r6) + or $r8 $r7 + nv_wr32($r6, $r8) +@@ -177,11 +177,11 @@ memx_func_wait_vblank: + bra #memx_func_wait_vblank_fini + + memx_func_wait_vblank_head1: +- movw $r7 0x20 ++ mov $r7 0x20 + bra #memx_func_wait_vblank_0 + + memx_func_wait_vblank_head0: +- movw $r7 0x8 ++ mov $r7 0x8 + + memx_func_wait_vblank_0: + nv_iord($r6, NV_PPWR_INPUT) +@@ -273,13 +273,13 @@ memx_func_train: + // $r5 - outer loop counter + // $r6 - inner loop counter + // $r7 - entry counter (#memx_train_head + $r7) +- movw $r5 0x3 +- movw $r7 0x0 ++ mov $r5 0x3 ++ mov $r7 0x0 + + // Read random memory to wake up... things + imm32($r9, 0x700000) + nv_rd32($r8,$r9) +- movw $r14 0x2710 ++ mov $r14 0x2710 + call(nsec) + + memx_func_train_loop_outer: +@@ -289,9 +289,9 @@ memx_func_train: + nv_wr32($r9, $r8) + push $r5 + +- movw $r6 0x0 ++ mov $r6 0x0 + memx_func_train_loop_inner: +- movw $r8 0x1111 ++ mov $r8 0x1111 + mulu $r9 $r6 $r8 + shl b32 $r8 $r9 0x10 + or $r8 $r9 +@@ -315,7 +315,7 @@ memx_func_train: + + // $r5 - inner inner loop counter + // $r9 - result +- movw $r5 0 ++ mov $r5 0 + imm32($r9, 0x8300ffff) + memx_func_train_loop_4x: + imm32($r10, 0x100080) 
diff --git a/queue-4.9/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch b/queue-4.9/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch
new file mode 100644
index 00000000000..36c872770e2
--- /dev/null
+++ b/queue-4.9/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Eric Anholt
+Date: Fri, 9 Mar 2018 15:33:32 -0800
+Subject: drm/panel: simple: Fix the bus format for the Ontat panel
+
+From: Eric Anholt
+
+[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ]
+
+This fixes bad color output. When I was first testing the device I
+had the DPI hardware set to 666 mode, but apparently in the refactor
+to use the bus_format information from the panel driver, I failed to
+actually update the panel.
+
+Signed-off-by: Eric Anholt
+Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit")
+Cc: Thierry Reding
+Signed-off-by: Thierry Reding
+Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -1250,7 +1250,7 @@ static const struct panel_desc ontat_yx7
+ .width = 154,
+ .height = 83,
+ },
+- .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18,
+ };
+
+ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = {
diff --git a/queue-4.9/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch b/queue-4.9/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch
new file mode 100644
index 00000000000..a521df0c1a9
--- /dev/null
+++ b/queue-4.9/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "Ørjan Eide"
+Date: Tue, 30 Jan 2018 21:28:33 +0100
+Subject: drm/rockchip: Respect page offset for PRIME mmap calls
+
+From: "Ørjan Eide"
+
+[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ]
+
+When mapping external DMA-bufs through the PRIME mmap call, we might be
+given an offset which has to be respected. However for the internal DRM
+GEM mmap path, we have to ignore the fake mmap offset used to identify
+the buffer only. Currently the code always zeroes out vma->vm_pgoff,
+which breaks the former.
+
+This patch fixes the problem by moving the vm_pgoff assignment to a
+function that is used only for GEM mmap path, so that the PRIME path
+retains the original offset.
+
+Cc: Daniel Kurtz
+Signed-off-by: Ørjan Eide
+Signed-off-by: Tomasz Figa
+Signed-off-by: Sean Paul
+Signed-off-by: Thierry Escande
+Tested-by: Heiko Stuebner
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+@@ -64,7 +64,6 @@ static int rockchip_drm_gem_object_mmap(
+ * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap().
+ */
+ vma->vm_flags &= ~VM_PFNMAP;
+- vma->vm_pgoff = 0;
+
+ ret = dma_mmap_attrs(drm->dev, vma, rk_obj->kvaddr, rk_obj->dma_addr,
+ obj->size, rk_obj->dma_attrs);
+@@ -96,6 +95,12 @@ int rockchip_gem_mmap(struct file *filp,
+ if (ret)
+ return ret;
+
++ /*
++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the
++ * whole buffer from the start.
++ */
++ vma->vm_pgoff = 0;
++
+ obj = vma->vm_private_data;
+
+ return rockchip_drm_gem_object_mmap(obj, vma);
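Review bot: With `vma->vm_pgoff = 0;` removed from rockchip_drm_gem_object_mmap, the PRIME path hands a caller-supplied page offset straight to `dma_mmap_attrs(..., obj->size, ...)`, and nothing visible in the hunk checks that the offset plus the mapping length stays inside the buffer. Whether that bound is enforced depends on the dma_mmap_attrs backend, which is not shown here, so it is worth confirming or making explicit before the call, e.g. `if (vma->vm_pgoff >= (obj->size >> PAGE_SHIFT) || vma_pages(vma) > (obj->size >> PAGE_SHIFT) - vma->vm_pgoff) return -ENXIO;`. Both rockchip_drm_gem_object_mmap and rockchip_gem_mmap continue outside the hunks.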
diff --git a/queue-4.9/drm-sun4i-fix-dclk_set_phase.patch b/queue-4.9/drm-sun4i-fix-dclk_set_phase.patch
new file mode 100644
index 00000000000..981fbf84270
--- /dev/null
+++ b/queue-4.9/drm-sun4i-fix-dclk_set_phase.patch
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Giulio Benetti
+Date: Wed, 28 Feb 2018 17:46:53 +0100
+Subject: drm/sun4i: Fix dclk_set_phase
+
+From: Giulio Benetti
+
+[ Upstream commit e64b6afa98f3629d0c0c46233bbdbe8acdb56f06 ]
+
+Phase value is not shifted before writing.
+
+Shift left of 28 bits to fit right bits
+
+Signed-off-by: Giulio Benetti
+Signed-off-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/1519836413-35023-1-git-send-email-giulio.benetti@micronovasrl.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/sun4i/sun4i_dotclock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_dotclock.c
++++ b/drivers/gpu/drm/sun4i/sun4i_dotclock.c
+@@ -129,10 +129,13 @@ static int sun4i_dclk_get_phase(struct c
+ static int sun4i_dclk_set_phase(struct clk_hw *hw, int degrees)
+ {
+ struct sun4i_dclk *dclk = hw_to_dclk(hw);
++ u32 val = degrees / 120;
++
++ val <<= 28;
+
+ regmap_update_bits(dclk->regmap, SUN4I_TCON0_IO_POL_REG,
+ GENMASK(29, 28),
+- degrees / 120);
++ val);
+
+ return 0;
+ }
diff --git a/queue-4.9/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch b/queue-4.9/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch
new file mode 100644
index 00000000000..91c03ff3ab9
--- /dev/null
+++ b/queue-4.9/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch
@@ -0,0 +1,85 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Pierre-Yves Kerbrat
+Date: Fri, 26 Jan 2018 11:24:12 +0100
+Subject: e1000e: allocate ring descriptors with dma_zalloc_coherent
+
+From: Pierre-Yves Kerbrat
+
+[ Upstream commit aea3fca005fb45f80869f2e8d56fd4e64c1d1fdb ]
+
+Descriptor rings were not initialized at zero when allocated
+When area contained garbage data, it caused skb_over_panic in
+e1000_clean_rx_irq (if data had E1000_RXD_STAT_DD bit set)
+
+This patch makes use of dma_zalloc_coherent to make sure the
+ring is memset at 0 to prevent the area from containing garbage.
+
+Following is the signature of the panic:
+IODDR0@0.0: skbuff: skb_over_panic: text:80407b20 len:64010 put:64010 head:ab46d800 data:ab46d842 tail:0xab47d24c end:0xab46df40 dev:eth0
+IODDR0@0.0: BUG: failure at net/core/skbuff.c:105/skb_panic()!
+IODDR0@0.0: Kernel panic - not syncing: BUG!
+IODDR0@0.0:
+IODDR0@0.0: Process swapper/0 (pid: 0, threadinfo=81728000, task=8173cc00 ,cpu: 0)
+IODDR0@0.0: SP = <815a1c0c>
+IODDR0@0.0: Stack: 00000001
+IODDR0@0.0: b2d89800 815e33ac
+IODDR0@0.0: ea73c040 00000001
+IODDR0@0.0: 60040003 0000fa0a
+IODDR0@0.0: 00000002
+IODDR0@0.0:
+IODDR0@0.0: 804540c0 815a1c70
+IODDR0@0.0: b2744000 602ac070
+IODDR0@0.0: 815a1c44 b2d89800
+IODDR0@0.0: 8173cc00 815a1c08
+IODDR0@0.0:
+IODDR0@0.0: 00000006
+IODDR0@0.0: 815a1b50 00000000
+IODDR0@0.0: 80079434 00000001
+IODDR0@0.0: ab46df40 b2744000
+IODDR0@0.0: b2d89800
+IODDR0@0.0:
+IODDR0@0.0: 0000fa0a 8045745c
+IODDR0@0.0: 815a1c88 0000fa0a
+IODDR0@0.0: 80407b20 b2789f80
+IODDR0@0.0: 00000005 80407b20
+IODDR0@0.0:
+IODDR0@0.0:
+IODDR0@0.0: Call Trace:
+IODDR0@0.0: [<804540bc>] skb_panic+0xa4/0xa8
+IODDR0@0.0: [<80079430>] console_unlock+0x2f8/0x6d0
+IODDR0@0.0: [<80457458>] skb_put+0xa0/0xc0
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<804079c8>] e1000_clean_rx_irq+0x188/0x3e8
+IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8
+IODDR0@0.0: [<80468b48>] __dev_kfree_skb_any+0x88/0xa8
+IODDR0@0.0: [<804101ac>] e1000e_poll+0x94/0x288
+IODDR0@0.0: [<8046e9d4>] net_rx_action+0x19c/0x4e8
+IODDR0@0.0: ...
+IODDR0@0.0: Maximum depth to print reached. Use kstack= To specify a custom value (where 0 means to display the full backtrace)
+IODDR0@0.0: ---[ end Kernel panic - not syncing: BUG!
+
+Signed-off-by: Pierre-Yves Kerbrat
+Signed-off-by: Marius Gligor
+Tested-by: Aaron Brown
+Reviewed-by: Alexander Duyck
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -2331,8 +2331,8 @@ static int e1000_alloc_ring_dma(struct e
+ {
+ struct pci_dev *pdev = adapter->pdev;
+
+- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma,
+- GFP_KERNEL);
++ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma,
++ GFP_KERNEL);
+ if (!ring->desc)
+ return -ENOMEM;
+
diff --git a/queue-4.9/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch b/queue-4.9/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch
new file mode 100644
index 00000000000..a74df8bc52a
--- /dev/null
+++ b/queue-4.9/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch
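Review bot: Zeroing in e1000_alloc_ring_dma only fixes the ring's initial contents; the trace in the description shows skb_put reached from e1000_clean_rx_irq with len:64010, which suggests (that function is not in this hunk) that a descriptor's length field is used without being bounded by the rx buffer size. A length check there before skb_put would keep a bad descriptor from turning into a panic regardless of how it got into the ring. The allocation itself deserves a why-comment such as `/* ring must start zeroed: a stale E1000_RXD_STAT_DD bit makes the rx clean path consume garbage descriptors */`. e1000_alloc_ring_dma's body continues outside the hunk.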
@@ -0,0 +1,48 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Benjamin Poirier
+Date: Tue, 20 Feb 2018 15:12:00 +0900
+Subject: e1000e: Fix check_for_link return value with autoneg off
+
+From: Benjamin Poirier
+
+[ Upstream commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 ]
+
+When autoneg is off, the .check_for_link callback functions clear the
+get_link_status flag and systematically return a "pseudo-error". This means
+that the link is not detected as up until the next execution of the
+e1000_watchdog_task() 2 seconds later.
+
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Signed-off-by: Benjamin Poirier
+Acked-by: Sasha Neftin
+Tested-by: Aaron Brown
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +-
+ drivers/net/ethernet/intel/e1000e/mac.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1600,7 +1600,7 @@ static s32 e1000_check_for_copper_link_i
+ * we have already determined whether we have link or not.
+ */
+ if (!mac->autoneg)
+- return -E1000_ERR_CONFIG;
++ return 1;
+
+ /* Auto-Neg is enabled. Auto Speed Detection takes care
+ * of MAC speed/duplex configuration. So we only need to
+--- a/drivers/net/ethernet/intel/e1000e/mac.c
++++ b/drivers/net/ethernet/intel/e1000e/mac.c
+@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct
+ * we have already determined whether we have link or not.
+ */
+ if (!mac->autoneg)
+- return -E1000_ERR_CONFIG;
++ return 1;
+
+ /* Auto-Neg is enabled. Auto Speed Detection takes care
+ * of MAC speed/duplex configuration. So we only need to
diff --git a/queue-4.9/enic-enable-rq-before-updating-rq-descriptors.patch b/queue-4.9/enic-enable-rq-before-updating-rq-descriptors.patch
new file mode 100644
index 00000000000..c169790610b
--- /dev/null
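Review bot: `return 1;` in the ich8lan.c hunk gives an `s32` function a positive, undocumented return class where the line it replaces returned a negative error code; the same line is added in `e1000e_check_for_copper_link` in mac.c. Any caller that still tests the result with `if (ret_val)` rather than `ret_val < 0` would treat the forced-speed case as a failure. The callers are outside these hunks, so that needs checking. I would state the contract at the return, e.g. `return 1; /* link state already known; positive means "not an error" */`, and in each function's header comment. Both function bodies start and end outside the hunks.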
+++ b/queue-4.9/enic-enable-rq-before-updating-rq-descriptors.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Govindarajulu Varadarajan
+Date: Thu, 1 Mar 2018 11:07:23 -0800
+Subject: enic: enable rq before updating rq descriptors
+
+From: Govindarajulu Varadarajan
+
+[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ]
+
+rq should be enabled before posting the buffers to rq desc. If not hw sees
+stale value and casuses DMAR errors.
+
+Signed-off-by: Govindarajulu Varadarajan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1726,6 +1726,8 @@ static int enic_open(struct net_device *
+ }
+
+ for (i = 0; i < enic->rq_count; i++) {
++ /* enable rq before updating rq desc */
++ vnic_rq_enable(&enic->rq[i]);
+ vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf);
+ /* Need at least one buffer on ring to get going */
+ if (vnic_rq_desc_used(&enic->rq[i]) == 0) {
+@@ -1737,8 +1739,6 @@ static int enic_open(struct net_device *
+
+ for (i = 0; i < enic->wq_count; i++)
+ vnic_wq_enable(&enic->wq[i]);
+- for (i = 0; i < enic->rq_count; i++)
+- vnic_rq_enable(&enic->rq[i]);
+
+ if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
+ enic_dev_add_station_addr(enic);
+@@ -1765,8 +1765,12 @@ static int enic_open(struct net_device *
+ return 0;
+
+ err_out_free_rq:
+- for (i = 0; i < enic->rq_count; i++)
++ for (i = 0; i < enic->rq_count; i++) {
++ err = vnic_rq_disable(&enic->rq[i]);
++ if (err)
++ return err;
+ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
++ }
+ enic_dev_notify_unset(enic);
+ err_out_free_intr:
+ enic_unset_affinity_hint(enic);
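Review bot: In the `err_out_free_rq` path the added `if (err) return err;` leaves `enic_open` from inside the cleanup loop. A failing `vnic_rq_disable()` therefore skips `vnic_rq_clean()` for the remaining queues and every later unwind step (`enic_dev_notify_unset()`, `enic_unset_affinity_hint()`, and whatever follows outside the hunk). Assigning to `err` also overwrites the error that brought execution to this label; if the function returns `err` after the unwind (not visible here) and every disable succeeds, a failed open would be reported as success. I would keep the disable result in its own local and only skip the clean for that queue: `ret = vnic_rq_disable(&enic->rq[i]);` then `if (!ret) vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);`, with `int ret;` declared at the top of the function.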
diff --git a/queue-4.9/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch b/queue-4.9/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch
new file mode 100644
index 00000000000..b123c230e0c
--- /dev/null
+++ b/queue-4.9/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Chao Yu
+Date: Sat, 27 Jan 2018 17:29:49 +0800
+Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree
+
+From: Chao Yu
+
+[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ]
+
+If noextent_cache mount option is on, we will never initialize extent tree
+in inode, but still we're going to access it in f2fs_drop_extent_tree,
+result in kernel panic as below:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+ IP: _raw_write_lock+0xc/0x30
+ Call Trace:
+ ? f2fs_drop_extent_tree+0x41/0x70 [f2fs]
+ f2fs_fallocate+0x5a0/0xdd0 [f2fs]
+ ? common_file_perm+0x47/0xc0
+ ? apparmor_file_permission+0x1a/0x20
+ vfs_fallocate+0x15b/0x290
+ SyS_fallocate+0x44/0x70
+ do_syscall_64+0x6e/0x160
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This patch fixes to check extent cache status before using in
+f2fs_drop_extent_tree.
+
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/extent_cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -647,6 +647,9 @@ void f2fs_drop_extent_tree(struct inode
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct extent_tree *et = F2FS_I(inode)->extent_tree;
+
++ if (!f2fs_may_extent_tree(inode))
++ return;
++
+ set_inode_flag(inode, FI_NO_EXTENT);
+
+ write_lock(&et->lock);
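Review bot: The new guard in `f2fs_drop_extent_tree` tests `f2fs_may_extent_tree(inode)`, while the crash was a dereference of `et` in `write_lock(&et->lock)`. The two are equivalent only if every inode for which the predicate is true has had its extent tree initialised, which this hunk does not show. A comment would make the assumption explicit, e.g. `/* et is NULL when the extent cache is disabled for this inode */`. The early return also skips `set_inode_flag(inode, FI_NO_EXTENT)`; whether any caller relied on the flag being set in that case is worth confirming. The function continues past the hunk.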
diff --git a/queue-4.9/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch b/queue-4.9/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch new file mode 100644 index 00000000000..30ff844bbec --- /dev/null +++ b/queue-4.9/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch 
@@ -0,0 +1,63 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Peter Malone +Date: Wed, 7 Mar 2018 14:00:34 +0100 +Subject: fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). + +From: Peter Malone + +[ Upstream commit 250c6c49e3b68756b14983c076183568636e2bde ] + +Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in +sbusfb_ioctl_helper(). + +'index' is defined as an int in sbusfb_ioctl_helper(). +We retrieve this from the user: +if (get_user(index, &c->index) || + __get_user(count, &c->count) || + __get_user(ured, &c->red) || + __get_user(ugreen, &c->green) || + __get_user(ublue, &c->blue)) + return -EFAULT; + +and then we use 'index' in the following way: +red = cmap->red[index + i] >> 8; +green = cmap->green[index + i] >> 8; +blue = cmap->blue[index + i] >> 8; + +This is a classic information leak vulnerability. 'index' should be +an unsigned int, given its usage above. + +This patch is straight-forward; it changes 'index' to unsigned int +in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC. + +This patch fixes CVE-2018-6412. 
+ +Signed-off-by: Peter Malone +Acked-by: Mathieu Malaterre +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/sbuslib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/sbuslib.c ++++ b/drivers/video/fbdev/sbuslib.c +@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cm + unsigned char __user *ured; + unsigned char __user *ugreen; + unsigned char __user *ublue; +- int index, count, i; ++ unsigned int index, count, i; + + if (get_user(index, &c->index) || + __get_user(count, &c->count) || +@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cm + unsigned char __user *ugreen; + unsigned char __user *ublue; + struct fb_cmap *cmap = &info->cmap; +- int index, count, i; ++ unsigned int index, count, i; + u8 red, green, blue; + + if (get_user(index, &c->index) || diff --git a/queue-4.9/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch b/queue-4.9/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch new file mode 100644 index 00000000000..0de4252f121 --- /dev/null +++ b/queue-4.9/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch 
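Review bot: Making `index`, `count` and `i` unsigned in the two `sbusfb_ioctl_helper` declarations rules out a negative `index`, but it does not by itself bound `index + i`, which the commit message shows being used as the array subscript. The range check sits outside these hunks; if it is written as a sum (`index + count > cmap->len`), the unsigned addition can wrap and the check passes for an out-of-range `index`. I would write it without the addition wherever the pair is compared against a length: `if (index > cmap->len || count > cmap->len - index) return -EINVAL;`. Both declarations belong to case blocks that start and end outside the hunks.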
@@ -0,0 +1,47 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: Hector Martin
+Date: Fri, 3 Nov 2017 20:28:57 +0900
+Subject: firewire-ohci: work around oversized DMA reads on JMicron controllers
+
+From: Hector Martin
+
+[ Upstream commit 188775181bc05f29372b305ef96485840e351fde ]
+
+At least some JMicron controllers issue buggy oversized DMA reads when
+fetching context descriptors, always fetching 0x20 bytes at once for
+descriptors which are only 0x10 bytes long. This is often harmless, but
+can cause page faults on modern systems with IOMMUs:
+
+DMAR: [DMA Read] Request device [05:00.0] fault addr fff56000 [fault reason 06] PTE Read access is not set
+firewire_ohci 0000:05:00.0: DMA context IT0 has stopped, error code: evt_descriptor_read
+
+This works around the problem by always leaving 0x10 padding bytes at
+the end of descriptor buffer pages, which should be harmless to do
+unconditionally for controllers in case others have the same behavior.
+
+Signed-off-by: Hector Martin
+Reviewed-by: Clemens Ladisch
+Signed-off-by: Stefan Richter
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firewire/ohci.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -1130,7 +1130,13 @@ static int context_add_buffer(struct con
+ return -ENOMEM;
+
+ offset = (void *)&desc->buffer - (void *)desc;
+- desc->buffer_size = PAGE_SIZE - offset;
++ /*
++ * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads
++ * for descriptors, even 0x10-byte ones. This can cause page faults when
++ * an IOMMU is in use and the oversized read crosses a page boundary.
++ * Work around this by always leaving at least 0x10 bytes of padding.
++ */
++ desc->buffer_size = PAGE_SIZE - offset - 0x10;
+ desc->buffer_bus = bus_addr + offset;
+ desc->used = 0;
+
diff --git a/queue-4.9/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch b/queue-4.9/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch new file mode 100644 index 00000000000..ee71da5f24d --- /dev/null +++ b/queue-4.9/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch 
@@ -0,0 +1,85 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jean Delvare +Date: Sat, 3 Feb 2018 11:25:20 +0100 +Subject: firmware: dmi_scan: Fix handling of empty DMI strings + +From: Jean Delvare + +[ Upstream commit a7770ae194569e96a93c48aceb304edded9cc648 ] + +The handling of empty DMI strings looks quite broken to me: +* Strings from 1 to 7 spaces are not considered empty. +* True empty DMI strings (string index set to 0) are not considered + empty, and result in allocating a 0-char string. +* Strings with invalid index also result in allocating a 0-char + string. +* Strings starting with 8 spaces are all considered empty, even if + non-space characters follow (sounds like a weird thing to do, but + I have actually seen occurrences of this in DMI tables before.) +* Strings which are considered empty are reported as 8 spaces, + instead of being actually empty. + +Some of these issues are the result of an off-by-one error in memcmp, +the rest is incorrect by design. + +So let's get it square: missing strings and strings made of only +spaces, regardless of their length, should be treated as empty and +no memory should be allocated for them. All other strings are +non-empty and should be allocated. + +Signed-off-by: Jean Delvare +Fixes: 79da4721117f ("x86: fix DMI out of memory problems") +Cc: Parag Warudkar +Cc: Ingo Molnar +Cc: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/dmi_scan.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -18,7 +18,7 @@ EXPORT_SYMBOL_GPL(dmi_kobj); + * of and an antecedent to, SMBIOS, which stands for System + * Management BIOS. 
See further: http://www.dmtf.org/standards + */ +-static const char dmi_empty_string[] = " "; ++static const char dmi_empty_string[] = ""; + + static u32 dmi_ver __initdata; + static u32 dmi_len; +@@ -44,25 +44,21 @@ static int dmi_memdev_nr; + static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s) + { + const u8 *bp = ((u8 *) dm) + dm->length; ++ const u8 *nsp; + + if (s) { +- s--; +- while (s > 0 && *bp) { ++ while (--s > 0 && *bp) + bp += strlen(bp) + 1; +- s--; +- } + +- if (*bp != 0) { +- size_t len = strlen(bp)+1; +- size_t cmp_len = len > 8 ? 8 : len; +- +- if (!memcmp(bp, dmi_empty_string, cmp_len)) +- return dmi_empty_string; ++ /* Strings containing only spaces are considered empty */ ++ nsp = bp; ++ while (*nsp == ' ') ++ nsp++; ++ if (*nsp != '\0') + return bp; +- } + } + +- return ""; ++ return dmi_empty_string; + } + + static const char * __init dmi_string(const struct dmi_header *dm, u8 s) diff --git a/queue-4.9/fm10k-fix-failed-to-kill-vid-message-for-vf.patch b/queue-4.9/fm10k-fix-failed-to-kill-vid-message-for-vf.patch new file mode 100644 index 00000000000..ee5bea8b455 --- /dev/null +++ b/queue-4.9/fm10k-fix-failed-to-kill-vid-message-for-vf.patch 
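Review bot: `dmi_string_nosave` has no comment stating its new return contract. It now returns the shared `dmi_empty_string` for a zero index, an index past the last string and an all-space string, and a pointer into the DMI table otherwise. I would add above the function: `/* Returns dmi_empty_string for a missing, out-of-range or all-space string; otherwise a pointer into the DMI table (not a copy). */`. Both the string walk (`bp += strlen(bp) + 1`) and the new space scan depend on the firmware-supplied table being NUL-terminated, since the function receives no length; if the table bounds are validated, that happens outside this hunk and is worth a one-line mention in the same comment.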
@@ -0,0 +1,84 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ngai-Mint Kwan +Date: Wed, 24 Jan 2018 14:18:22 -0800 +Subject: fm10k: fix "failed to kill vid" message for VF + +From: Ngai-Mint Kwan + +[ Upstream commit cf315ea596ec26d7aa542a9ce354990875a920c0 ] + +When a VF is under PF VLAN assignment: + +ip link set vf <#> vlan + +This will remove all previous entries in the VLAN table including those +generated by VLAN interfaces created on the VF. The issue arises when +the VF is under PF VLAN assignment and one or more of these VLAN +interfaces of the VF are deleted. When deleting these VLAN interfaces, +the following message will be generated in "dmesg": + +failed to kill vid 0081/ for device + +This is due to the fact that "ndo_vlan_rx_kill_vid" exits with an error. +The handler for this ndo is "fm10k_update_vid". Any calls to this +function while under PF VLAN management will exit prematurely and, thus, +it will generate the failure message. + +Additionally, since "fm10k_update_vid" exits prematurely, none of the +VLAN update is performed. So, even though the actual VLAN interfaces of +the VF will be deleted, the active_vlans bitmask is not cleared. When +the VF is no longer under PF VLAN assignment, the driver mistakenly +restores the previous entries of the VLAN table based on an +unsynchronized list of active VLANs. + +The solution to this issue involves checking the VLAN update action type +before exiting "fm10k_update_vid". If the VLAN update action type is to +"add", this action will not be permitted while the VF is under PF VLAN +assignment and the VLAN update is abandoned like before. + +However, if the VLAN update action type is to "kill", then we need to +also clear the active_vlans bitmask. However, we don't need to actually +queue any messages to the PF, because the MAC and VLAN tables have +already been cleared, and the PF would silently ignore these requests +anyways. 
+ +Signed-off-by: Ngai-Mint Kwan +Signed-off-by: Jacob Keller +Tested-by: Krishneil Singh +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/fm10k/fm10k_netdev.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c +@@ -803,8 +803,12 @@ static int fm10k_update_vid(struct net_d + if (vid >= VLAN_N_VID) + return -EINVAL; + +- /* Verify we have permission to add VLANs */ +- if (hw->mac.vlan_override) ++ /* Verify that we have permission to add VLANs. If this is a request ++ * to remove a VLAN, we still want to allow the user to remove the ++ * VLAN device. In that case, we need to clear the bit in the ++ * active_vlans bitmask. ++ */ ++ if (set && hw->mac.vlan_override) + return -EACCES; + + /* update active_vlans bitmask */ +@@ -823,6 +827,12 @@ static int fm10k_update_vid(struct net_d + rx_ring->vid &= ~FM10K_VLAN_CLEAR; + } + ++ /* If our VLAN has been overridden, there is no reason to send VLAN ++ * removal requests as they will be silently ignored. ++ */ ++ if (hw->mac.vlan_override) ++ return 0; ++ + /* Do not remove default VLAN ID related entries from VLAN and MAC + * tables + */ diff --git a/queue-4.9/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch b/queue-4.9/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch new file mode 100644 index 00000000000..a8371c4f852 --- /dev/null +++ b/queue-4.9/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch 
@@ -0,0 +1,69 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Carlos Maiolino +Date: Tue, 10 Apr 2018 22:39:04 -0700 +Subject: Force log to disk before reading the AGF during a fstrim + +From: Carlos Maiolino + +[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ] + +Forcing the log to disk after reading the agf is wrong, we might be +calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held. + +This can cause a deadlock when racing a fstrim with a filesystem +shutdown. + +The deadlock has been identified due a miscalculation bug in device-mapper +dm-thin, which returns lack of space to its users earlier than the device itself +really runs out of space, changing the device-mapper volume into an error state. + +The problem happened while filling the filesystem with a single file, +triggering the bug in device-mapper, consequently causing an IO error +and shutting down the filesystem. + +If such file is removed, and fstrim executed before the XFS finishes the +shut down process, the fstrim process will end up holding the buffer +lock, and going to sleep on the cil wait queue. + +At this point, the shut down process will try to wake up all the threads +waiting on the cil wait queue, but for this, it will try to hold the +same buffer log already held my the fstrim, locking up the filesystem. + +Signed-off-by: Carlos Maiolino +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_discard.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/xfs/xfs_discard.c ++++ b/fs/xfs/xfs_discard.c +@@ -50,19 +50,19 @@ xfs_trim_extents( + + pag = xfs_perag_get(mp, agno); + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); +- if (error || !agbp) +- goto out_put_perag; +- +- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); +- + /* + * Force out the log. 
This means any transactions that might have freed +- * space before we took the AGF buffer lock are now on disk, and the ++ * space before we take the AGF buffer lock are now on disk, and the + * volatile disk cache is flushed. + */ + xfs_log_force(mp, XFS_LOG_SYNC); + ++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ if (error || !agbp) ++ goto out_put_perag; ++ ++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); ++ + /* + * Look up the longest btree in the AGF and start with it. + */ diff --git a/queue-4.9/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch b/queue-4.9/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch new file mode 100644 index 00000000000..21f6350a7ea --- /dev/null +++ b/queue-4.9/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch 
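Review bot: After the move, the comment above `xfs_log_force(mp, XFS_LOG_SYNC)` in `xfs_trim_extents` promises more than the code delivers. Transactions that free space between the log force and `xfs_alloc_read_agf()` taking the AGF buffer lock are not covered by the force. Whether that window matters depends on how the extent walk treats still-busy extents, which is outside this hunk. I would reword the comment along the lines of `Force out the log before taking the AGF buffer lock; forcing it with the lock held can deadlock against a shutdown. Space freed after this point is not guaranteed to be on disk.` The function body continues past the hunk.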
@@ -0,0 +1,83 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Will Deacon +Date: Mon, 19 Feb 2018 14:55:54 +0000 +Subject: fs: dcache: Avoid livelock between d_alloc_parallel and __d_add + +From: Will Deacon + +[ Upstream commit 015555fd4d2930bc0c86952c46ad88b3392f66e4 ] + +If d_alloc_parallel runs concurrently with __d_add, it is possible for +d_alloc_parallel to continuously retry whilst i_dir_seq has been +incremented to an odd value by __d_add: + +CPU0: +__d_add + n = start_dir_add(dir); + cmpxchg(&dir->i_dir_seq, n, n + 1) == n + +CPU1: +d_alloc_parallel +retry: + seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1; + hlist_bl_lock(b); + bit_spin_lock(0, (unsigned long *)b); // Always succeeds + +CPU0: + __d_lookup_done(dentry) + hlist_bl_lock + bit_spin_lock(0, (unsigned long *)b); // Never succeeds + +CPU1: + if (unlikely(parent->d_inode->i_dir_seq != seq)) { + hlist_bl_unlock(b); + goto retry; + } + +Since the simple bit_spin_lock used to implement hlist_bl_lock does not +provide any fairness guarantees, then CPU1 can starve CPU0 of the lock +and prevent it from reaching end_dir_add(dir), therefore CPU1 cannot +exit its retry loop because the sequence number always has the bottom +bit set. + +This patch resolves the livelock by not taking hlist_bl_lock in +d_alloc_parallel if the sequence counter is odd, since any subsequent +masked comparison with i_dir_seq will fail anyway. 
+ +Cc: Peter Zijlstra +Cc: Al Viro +Reported-by: Naresh Madhusudana +Acked-by: Peter Zijlstra (Intel) +Reviewed-by: Matthew Wilcox +Signed-off-by: Will Deacon +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2474,7 +2474,7 @@ struct dentry *d_alloc_parallel(struct d + + retry: + rcu_read_lock(); +- seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1; ++ seq = smp_load_acquire(&parent->d_inode->i_dir_seq); + r_seq = read_seqbegin(&rename_lock); + dentry = __d_lookup_rcu(parent, name, &d_seq); + if (unlikely(dentry)) { +@@ -2495,6 +2495,12 @@ retry: + rcu_read_unlock(); + goto retry; + } ++ ++ if (unlikely(seq & 1)) { ++ rcu_read_unlock(); ++ goto retry; ++ } ++ + hlist_bl_lock(b); + if (unlikely(parent->d_inode->i_dir_seq != seq)) { + hlist_bl_unlock(b); diff --git a/queue-4.9/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch b/queue-4.9/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch new file mode 100644 index 00000000000..e02e61a4695 --- /dev/null +++ b/queue-4.9/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch 
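Review bot: The new `if (unlikely(seq & 1))` block in `d_alloc_parallel` carries no comment, and its reason is recorded only in the commit message. I would add `/* i_dir_seq is odd: a __d_add is in flight; back off before hlist_bl_lock so the unfair bit lock cannot starve it */` above the test. The retry path now loops with only `rcu_read_unlock()` between attempts; whether a `cpu_relax()` is wanted there is a question for the maintainers rather than a defect visible in this hunk. The function starts and ends outside the hunk.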
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Will Deacon
+Date: Mon, 19 Feb 2018 14:55:55 +0000
+Subject: fs: dcache: Use READ_ONCE when accessing i_dir_seq
+
+From: Will Deacon
+
+[ Upstream commit 8cc07c808c9d595e81cbe5aad419b7769eb2e5c9 ]
+
+i_dir_seq is subject to concurrent modification by a cmpxchg or
+store-release operation, so ensure that the relaxed access in
+d_alloc_parallel uses READ_ONCE.
+
+Reported-by: Peter Zijlstra
+Signed-off-by: Will Deacon
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dcache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2502,7 +2502,7 @@ retry:
+ }
+
+ hlist_bl_lock(b);
+- if (unlikely(parent->d_inode->i_dir_seq != seq)) {
++ if (unlikely(READ_ONCE(parent->d_inode->i_dir_seq) != seq)) {
+ hlist_bl_unlock(b);
+ rcu_read_unlock();
+ goto retry;
diff --git a/queue-4.9/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch b/queue-4.9/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch
new file mode 100644
index 00000000000..64f0aa3cfe4
--- /dev/null
+++ b/queue-4.9/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Danilo Krummrich
+Date: Tue, 10 Apr 2018 16:31:38 -0700
+Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table
+
+From: Danilo Krummrich
+
+[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ]
+
+proc_sys_link_fill_cache() does not take currently unregistering sysctl
+tables into account, which might result into a page fault in
+sysctl_follow_link() - add a check to fix it.
+
+This bug has been present since v3.4.
+
+Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: Danilo Krummrich
+Acked-by: Kees Cook
+Reviewed-by: Andrew Morton
+Cc: "Luis R . Rodriguez"
+Cc: "Eric W. Biederman"
+Cc: Alexey Dobriyan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/proc_sysctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -660,7 +660,10 @@ static bool proc_sys_link_fill_cache(str
+ struct ctl_table *table)
+ {
+ bool ret = true;
++
+ head = sysctl_head_grab(head);
++ if (IS_ERR(head))
++ return false;
+
+ if (S_ISLNK(table->mode)) {
+ /* It is not an error if we can not follow the link ignore it */
diff --git a/queue-4.9/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch b/queue-4.9/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch
new file mode 100644
index 00000000000..d68c3674547
--- /dev/null
+++ b/queue-4.9/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch
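Review bot: `return false` on `IS_ERR(head)` in `proc_sys_link_fill_cache` sits oddly with the function's own policy a few lines below, where `ret` defaults to `true` and the comment reads "It is not an error if we can not follow the link ignore it". If the caller treats `false` as "stop filling" (the caller is outside this hunk), a table that is merely being unregistered would cut the listing short instead of being skipped. Whichever is intended, I would say so at the check, e.g. `/* table is being unregistered: there is no link left to follow */`. The function body continues past the hunk.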
@@ -0,0 +1,71 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: David Howells +Date: Wed, 4 Apr 2018 13:41:26 +0100 +Subject: fscache: Fix hanging wait on page discarded by writeback + +From: David Howells + +[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ] + +If the fscache asynchronous write operation elects to discard a page that's +pending storage to the cache because the page would be over the store limit +then it needs to wake the page as someone may be waiting on completion of +the write. + +The problem is that the store limit may be updated by a different +asynchronous operation - and so may miss the write - and that the store +limit may not even get updated until later by the netfs. + +Fix the kernel hang by making fscache_write_op() mark as written any pages +that are over the limit. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/page.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/fscache/page.c ++++ b/fs/fscache/page.c +@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca + + _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); + ++again: + spin_lock(&object->lock); + cookie = object->cookie; + +@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca + goto superseded; + page = results[0]; + _debug("gang %d [%lx]", n, page->index); +- if (page->index >= op->store_limit) { +- fscache_stat(&fscache_n_store_pages_over_limit); +- goto superseded; +- } + + radix_tree_tag_set(&cookie->stores, page->index, + FSCACHE_COOKIE_STORING_TAG); +@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca + spin_unlock(&cookie->stores_lock); + spin_unlock(&object->lock); + ++ if (page->index >= op->store_limit) ++ goto discard_page; ++ + fscache_stat(&fscache_n_store_pages); + fscache_stat(&fscache_n_cop_write_page); + ret = object->cache->ops->write_page(op, page); +@@ -844,6 +844,11 @@ static void fscache_write_op(struct 
fsca + _leave(""); + return; + ++discard_page: ++ fscache_stat(&fscache_n_store_pages_over_limit); ++ fscache_end_page_write(object, page); ++ goto again; ++ + superseded: + /* this writer is going away and there aren't any more things to + * write */ diff --git a/queue-4.9/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch b/queue-4.9/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch new file mode 100644 index 00000000000..4a6114dd234 --- /dev/null +++ b/queue-4.9/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch 
@@ -0,0 +1,63 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Denis Kirjanov +Date: Sun, 4 Mar 2018 21:48:17 +0300 +Subject: fsl/fman: avoid sleeping in atomic context while adding an address + +From: Denis Kirjanov + +[ Upstream commit 803fafbe0cd522fa6b9e41ca3b96cfb2e2a2222d ] + +__dev_mc_add grabs an adress spinlock so use +atomic context in kmalloc. + +/ # ifconfig eth0 inet 192.168.0.111 +[ 89.331622] BUG: sleeping function called from invalid context at mm/slab.h:420 +[ 89.339002] in_atomic(): 1, irqs_disabled(): 0, pid: 1035, name: ifconfig +[ 89.345799] 2 locks held by ifconfig/1035: +[ 89.349908] #0: (rtnl_mutex){+.+.}, at: [<(ptrval)>] devinet_ioctl+0xc0/0x8a0 +[ 89.357258] #1: (_xmit_ETHER){+...}, at: [<(ptrval)>] __dev_mc_add+0x28/0x80 +[ 89.364520] CPU: 1 PID: 1035 Comm: ifconfig Not tainted 4.16.0-rc3-dirty #8 +[ 89.371464] Call Trace: +[ 89.373908] [e959db60] [c066f948] dump_stack+0xa4/0xfc (unreliable) +[ 89.380177] [e959db80] [c00671d8] ___might_sleep+0x248/0x280 +[ 89.385833] [e959dba0] [c01aec34] kmem_cache_alloc_trace+0x174/0x320 +[ 89.392179] [e959dbd0] [c04ab920] dtsec_add_hash_mac_address+0x130/0x240 +[ 89.398874] [e959dc00] [c04a9d74] set_multi+0x174/0x1b0 +[ 89.404093] [e959dc30] [c04afb68] dpaa_set_rx_mode+0x68/0xe0 +[ 89.409745] [e959dc40] [c057baf8] __dev_mc_add+0x58/0x80 +[ 89.415052] [e959dc60] [c060fd64] igmp_group_added+0x164/0x190 +[ 89.420878] [e959dca0] [c060ffa8] ip_mc_inc_group+0x218/0x460 +[ 89.426617] [e959dce0] [c06120fc] ip_mc_up+0x3c/0x190 +[ 89.431662] [e959dd10] [c0607270] inetdev_event+0x250/0x620 +[ 89.437227] [e959dd50] [c005f190] notifier_call_chain+0x80/0xf0 +[ 89.443138] [e959dd80] [c0573a74] __dev_notify_flags+0x54/0xf0 +[ 89.448964] [e959dda0] [c05743f8] dev_change_flags+0x48/0x60 +[ 89.454615] [e959ddc0] [c0606744] devinet_ioctl+0x544/0x8a0 +[ 89.460180] [e959de10] [c060987c] inet_ioctl+0x9c/0x1f0 +[ 89.465400] [e959de80] [c05479a8] sock_ioctl+0x168/0x460 +[ 89.470708] [e959ded0] [c01cf3ec] 
do_vfs_ioctl+0xac/0x8c0 +[ 89.476099] [e959df20] [c01cfc40] SyS_ioctl+0x40/0xc0 +[ 89.481147] [e959df40] [c0011318] ret_from_syscall+0x0/0x3c +[ 89.486715] --- interrupt: c01 at 0x1006943c +[ 89.486715] LR = 0x100c45ec + +Signed-off-by: Denis Kirjanov +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fman/fman_dtsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1036,7 +1036,7 @@ int dtsec_add_hash_mac_address(struct fm + set_bucket(dtsec->regs, bucket, true); + + /* Create element to be added to the driver hash table */ +- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL); ++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC); + if (!hash_entry) + return -ENOMEM; + hash_entry->addr = addr; diff --git a/queue-4.9/gfs2-fix-fallocate-chunk-size.patch b/queue-4.9/gfs2-fix-fallocate-chunk-size.patch new file mode 100644 index 00000000000..80f5c7ea0b5 --- /dev/null +++ b/queue-4.9/gfs2-fix-fallocate-chunk-size.patch 
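Review bot: The `-ENOMEM` return in `dtsec_add_hash_mac_address` runs after `set_bucket(dtsec->regs, bucket, true)` has already programmed the hardware, and with `GFP_ATOMIC` that allocation is more likely to fail. On failure the bucket stays set with no entry in the driver's hash table to account for it; what the removal path does in that state is outside this hunk. I would move `hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);` and its NULL check above the `set_bucket()` call so the register is only touched once the bookkeeping entry exists. The function starts and ends outside the hunk.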
@@ -0,0 +1,63 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Andreas Gruenbacher
+Date: Tue, 20 Feb 2018 08:03:24 -0700
+Subject: gfs2: Fix fallocate chunk size
+
+From: Andreas Gruenbacher
+
+[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ]
+
+The chunk size of allocations in __gfs2_fallocate is calculated
+incorrectly. The size can collapse, causing __gfs2_fallocate to
+allocate one block at a time, which is very inefficient. This needs
+fixing in two places:
+
+In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate
+that there is no quota limit. This fixes callers that rely on
+ap->allowed to be set even when quotas are off.
+
+In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the
+loop to make sure that allocation limits from one resource group won't
+spill over into another resource group.
+
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Bob Peterson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/file.c | 5 +++--
+ fs/gfs2/quota.h | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -801,7 +801,7 @@ static long __gfs2_fallocate(struct file
+ struct gfs2_inode *ip = GFS2_I(inode);
+ struct gfs2_alloc_parms ap = { .aflags = 0, };
+ unsigned int data_blocks = 0, ind_blocks = 0, rblocks;
+- loff_t bytes, max_bytes, max_blks = UINT_MAX;
++ loff_t bytes, max_bytes, max_blks;
+ int error;
+ const loff_t pos = offset;
+ const loff_t count = len;
+@@ -853,7 +853,8 @@ static long __gfs2_fallocate(struct file
+ return error;
+ /* ap.allowed tells us how many blocks quota will allow
+ * us to write. Check if this reduces max_blks */
+- if (ap.allowed && ap.allowed < max_blks)
++ max_blks = UINT_MAX;
++ if (ap.allowed)
+ max_blks = ap.allowed;
+
+ error = gfs2_inplace_reserve(ip, &ap);
+--- a/fs/gfs2/quota.h
++++ b/fs/gfs2/quota.h
+@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check(
+ {
+ struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
+ int ret;
++
++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */
+ if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
+ return 0;
+ ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
diff --git a/queue-4.9/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch b/queue-4.9/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch
new file mode 100644
index 00000000000..d21dd50b443
--- /dev/null
+++ b/queue-4.9/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Claudiu Manoil
+Date: Tue, 27 Feb 2018 17:33:10 +0200
+Subject: gianfar: Fix Rx byte accounting for ndev stats
+
+From: Claudiu Manoil
+
+[ Upstream commit 590399ddf9561f2ed0839311c8ae1be21597ba68 ]
+
+Don't include in the Rx bytecount of the packet sent up the stack:
+the FCB (frame control block), and the padding bytes inserted by
+the controller into the frame payload, nor the FCS. All these are
+being pulled out of the skb by gfar_process_frame().
+This issue is old, likely from the driver's beginnings, however
+it was amplified by recent:
+commit d903ec77118c ("gianfar: simplify FCS handling and fix memory leak")
+which basically added the FCS to the Rx bytecount, and so brought
+this to my attention.
+
+Signed-off-by: Claudiu Manoil
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/gianfar.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -3075,9 +3075,6 @@ static void gfar_process_frame(struct ne
+ if (ndev->features & NETIF_F_RXCSUM)
+ gfar_rx_checksum(skb, fcb);
+
+- /* Tell the skb what kind of packet this is */
+- skb->protocol = eth_type_trans(skb, ndev);
+-
+ /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here.
+ * Even if vlan rx accel is disabled, on some chips
+ * RXFCB_VLN is pseudo randomly set.
+@@ -3148,13 +3145,15 @@ int gfar_clean_rx_ring(struct gfar_priv_
+ continue;
+ }
+
++ gfar_process_frame(ndev, skb);
++
+ /* Increment the number of packets */
+ total_pkts++;
+ total_bytes += skb->len;
+
+ skb_record_rx_queue(skb, rx_queue->qindex);
+
+- gfar_process_frame(ndev, skb);
++ skb->protocol = eth_type_trans(skb, ndev);
+
+ /* Send the packet up the stack */
+ napi_gro_receive(&rx_queue->grp->napi_rx, skb);
diff --git a/queue-4.9/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch b/queue-4.9/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch
new file mode 100644
index 00000000000..95371aa1320
--- /dev/null
+++ b/queue-4.9/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch
@@ -0,0 +1,83 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Andy Spencer
+Date: Thu, 25 Jan 2018 19:37:50 -0800
+Subject: gianfar: prevent integer wrapping in the rx handler
+
+From: Andy Spencer
+
+[ Upstream commit 202a0a70e445caee1d0ec7aae814e64b1189fa4d ]
+
+When the frame check sequence (FCS) is split across the last two frames
+of a fragmented packet, part of the FCS gets counted twice, once when
+subtracting the FCS, and again when subtracting the previously received
+data.
+
+For example, if 1602 bytes are received, and the first fragment contains
+the first 1600 bytes (including the first two bytes of the FCS), and the
+second fragment contains the last two bytes of the FCS:
+
+ 'skb->len == 1600' from the first fragment
+
+ size = lstatus & BD_LENGTH_MASK; # 1602
+ size -= ETH_FCS_LEN; # 1598
+ size -= skb->len; # -2
+
+Since the size is unsigned, it wraps around and causes a BUG later in
+the packet handling, as shown below:
+
+ kernel BUG at ./include/linux/skbuff.h:2068!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ ...
+ NIP [c021ec60] skb_pull+0x24/0x44
+ LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690
+ Call Trace:
+ [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable)
+ [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c
+ [df7edf40] [c023352c] net_rx_action+0x21c/0x274
+ [df7edf90] [c0329000] __do_softirq+0xd8/0x240
+ [df7edff0] [c000c108] call_do_irq+0x24/0x3c
+ [c0597e90] [c00041dc] do_IRQ+0x64/0xc4
+ [c0597eb0] [c000d920] ret_from_except+0x0/0x18
+ --- interrupt: 501 at arch_cpu_idle+0x24/0x5c
+
+Change the size to a signed integer and then trim off any part of the
+FCS that was received prior to the last fragment.
+
+Fixes: 6c389fc931bc ("gianfar: fix size of scatter-gathered frames")
+Signed-off-by: Andy Spencer
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/gianfar.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2935,7 +2935,7 @@ static irqreturn_t gfar_transmit(int irq
+ static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus,
+ struct sk_buff *skb, bool first)
+ {
+- unsigned int size = lstatus & BD_LENGTH_MASK;
++ int size = lstatus & BD_LENGTH_MASK;
+ struct page *page = rxb->page;
+ bool last = !!(lstatus & BD_LFLAG(RXBD_LAST));
+
+@@ -2950,11 +2950,16 @@ static bool gfar_add_rx_frag(struct gfar
+ if (last)
+ size -= skb->len;
+
+- /* in case the last fragment consisted only of the FCS */
++ /* Add the last fragment if it contains something other than
++ * the FCS, otherwise drop it and trim off any part of the FCS
++ * that was already received.
++ */
+ if (size > 0)
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page,
+ rxb->page_offset + RXBUF_ALIGNMENT,
+ size, GFAR_RXB_TRUESIZE);
++ else if (size < 0)
++ pskb_trim(skb, skb->len + size);
+ }
+
+ /* try reuse page */
diff --git a/queue-4.9/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch b/queue-4.9/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch
new file mode 100644
index 00000000000..8f458b95888
--- /dev/null
+++ b/queue-4.9/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch
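Review bot: The new `pskb_trim(skb, skb->len + size)` call in gfar_add_rx_frag() discards its return value, so a trim that fails would leave the already-received FCS bytes in the skb with no signal to the caller. `size` is computed from the length field of the descriptor's `lstatus`, which the controller supplies, and the branch relies on it being only slightly negative; neither is stated next to the call. A comment such as `/* size < 0: that many FCS bytes arrived in earlier fragments; result ignored because ... */` with the reason filled in, or a check of the result, would make the assumption reviewable. The function starts before and continues after the hunk, so how a failure should be reported to gfar_clean_rx_ring() needs confirming against the full body.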
@@ -0,0 +1,35 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dan Carpenter
+Date: Wed, 10 Jan 2018 12:39:03 +0300
+Subject: HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
+
+From: Dan Carpenter
+
+[ Upstream commit 7ad81482cad67cbe1ec808490d1ddfc420c42008 ]
+
+We get the "new_profile_index" value from the mouse device when we're
+handling raw events. Smatch taints it as untrusted data and complains
+that we need a bounds check. This seems like a reasonable warning
+otherwise there is a small read beyond the end of the array.
+
+Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse")
+Signed-off-by: Dan Carpenter
+Acked-by: Silvan Jegen
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-roccat-kovaplus.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-roccat-kovaplus.c
++++ b/drivers/hid/hid-roccat-kovaplus.c
+@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(u
+ static void kovaplus_profile_activated(struct kovaplus_device *kovaplus,
+ uint new_profile_index)
+ {
++ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings))
++ return;
+ kovaplus->actual_profile = new_profile_index;
+ kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level;
+ kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x;
diff --git a/queue-4.9/hwmon-nct6775-fix-writing-pwmx_mode.patch b/queue-4.9/hwmon-nct6775-fix-writing-pwmx_mode.patch
new file mode 100644
index 00000000000..7473e293cbe
--- /dev/null
+++ b/queue-4.9/hwmon-nct6775-fix-writing-pwmx_mode.patch
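Review bot: The added guard in kovaplus_profile_activated() carries no comment saying that `new_profile_index` comes from the device's raw event data, which the commit message gives as the reason for the check. Without that, the early return reads like dead code and is easy to drop in a later cleanup. A one-line comment above it would record the trust boundary: `/* new_profile_index is device-supplied; ignore values outside profile_settings[] */`. The rest of the function body runs past the end of the hunk.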
@@ -0,0 +1,63 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guenter Roeck
+Date: Mon, 26 Mar 2018 19:50:31 -0700
+Subject: hwmon: (nct6775) Fix writing pwmX_mode
+
+From: Guenter Roeck
+
+[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ]
+
+pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip
+register bit is set to 1 for DC mode. This got mixed up, and writing
+1 into pwmX_mode resulted in DC mode enabled. Fix it up by using
+the ABI definition throughout the driver for consistency.
+
+Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/nct6775.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -1393,7 +1393,7 @@ static void nct6775_update_pwm(struct de
+ duty_is_dc = data->REG_PWM_MODE[i] &&
+ (nct6775_read_value(data, data->REG_PWM_MODE[i])
+ & data->PWM_MODE_MASK[i]);
+- data->pwm_mode[i] = duty_is_dc;
++ data->pwm_mode[i] = !duty_is_dc;
+
+ fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]);
+ for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) {
+@@ -2270,7 +2270,7 @@ show_pwm_mode(struct device *dev, struct
+ struct nct6775_data *data = nct6775_update_device(dev);
+ struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
+
+- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]);
++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]);
+ }
+
+ static ssize_t
+@@ -2291,9 +2291,9 @@ store_pwm_mode(struct device *dev, struc
+ if (val > 1)
+ return -EINVAL;
+
+- /* Setting DC mode is not supported for all chips/channels */
++ /* Setting DC mode (0) is not supported for all chips/channels */
+ if (data->REG_PWM_MODE[nr] == 0) {
+- if (val)
++ if (!val)
+ return -EINVAL;
+ return count;
+ }
+@@ -2302,7 +2302,7 @@ store_pwm_mode(struct device *dev, struc
+ data->pwm_mode[nr] = val;
+ reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]);
+ reg &= ~data->PWM_MODE_MASK[nr];
+- if (val)
++ if (!val)
+ reg |= data->PWM_MODE_MASK[nr];
+ nct6775_write_value(data, data->REG_PWM_MODE[nr], reg);
+ mutex_unlock(&data->update_lock);
diff --git a/queue-4.9/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch b/queue-4.9/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch
new file mode 100644
index 00000000000..84b36afed10
--- /dev/null
+++ b/queue-4.9/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guenter Roeck
+Date: Sat, 10 Mar 2018 17:55:47 -0800
+Subject: hwmon: (pmbus/adm1275) Accept negative page register values
+
+From: Guenter Roeck
+
+[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register read operations and needs
+to be accepted. The failure to do so so results in missed status
+and limit registers.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/adm1275.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/pmbus/adm1275.c
++++ b/drivers/hwmon/pmbus/adm1275.c
+@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret = 0;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
+@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc
+ const struct adm1275_data *data = to_adm1275_data(info);
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
diff --git a/queue-4.9/hwmon-pmbus-max8688-accept-negative-page-register-values.patch b/queue-4.9/hwmon-pmbus-max8688-accept-negative-page-register-values.patch
new file mode 100644
index 00000000000..aff82772d70
--- /dev/null
+++ b/queue-4.9/hwmon-pmbus-max8688-accept-negative-page-register-values.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guenter Roeck
+Date: Sat, 10 Mar 2018 17:49:47 -0800
+Subject: hwmon: (pmbus/max8688) Accept negative page register values
+
+From: Guenter Roeck
+
+[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ]
+
+A negative page register value means that no page needs to be
+selected. This is used by status register evaluations and needs
+to be accepted.
+
+Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/max8688.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pmbus/max8688.c
++++ b/drivers/hwmon/pmbus/max8688.c
+@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct
+ {
+ int ret;
+
+- if (page)
++ if (page > 0)
+ return -ENXIO;
+
+ switch (reg) {
diff --git a/queue-4.9/hwrng-stm32-add-reset-during-probe.patch b/queue-4.9/hwrng-stm32-add-reset-during-probe.patch
new file mode 100644
index 00000000000..bc8655de214
--- /dev/null
+++ b/queue-4.9/hwrng-stm32-add-reset-during-probe.patch
@@ -0,0 +1,52 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "lionel.debieve@st.com"
+Date: Thu, 15 Feb 2018 14:03:08 +0100
+Subject: hwrng: stm32 - add reset during probe
+
+From: "lionel.debieve@st.com"
+
+[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ]
+
+Avoid issue when probing the RNG without
+reset if bad status has been detected previously
+
+Signed-off-by: Lionel Debieve
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/hw_random/stm32-rng.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/char/hw_random/stm32-rng.c
++++ b/drivers/char/hw_random/stm32-rng.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #define RNG_CR 0x00
+@@ -46,6 +47,7 @@ struct stm32_rng_private {
+ struct hwrng rng;
+ void __iomem *base;
+ struct clk *clk;
++ struct reset_control *rst;
+ };
+
+ static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo
+ if (IS_ERR(priv->clk))
+ return PTR_ERR(priv->clk);
+
++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL);
++ if (!IS_ERR(priv->rst)) {
++ reset_control_assert(priv->rst);
++ udelay(2);
++ reset_control_deassert(priv->rst);
++ }
++
+ dev_set_drvdata(dev, priv);
+
+ priv->rng.name = dev_driver_string(dev),
diff --git a/queue-4.9/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch b/queue-4.9/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch
new file mode 100644
index 00000000000..05f7e7e98aa
--- /dev/null
+++ b/queue-4.9/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch
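Review bot: In stm32_rng_probe() every error from `devm_reset_control_get()` is treated as "no reset line", including -EPROBE_DEFER, so when the reset controller has not probed yet the RNG is registered without the reset this patch is meant to guarantee. Propagating the deferral keeps the optional behaviour for boards with no reset property: `} else if (PTR_ERR(priv->rst) == -EPROBE_DEFER) { return -EPROBE_DEFER; }`. The results of `reset_control_assert()` and `reset_control_deassert()` are dropped as well; a failed deassert would presumably leave the block held in reset, so that one at least is worth checking and logging. The probe function begins before and continues after the hunk.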
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Gregory CLEMENT
+Date: Wed, 14 Mar 2018 18:03:40 +0100
+Subject: i2c: mv64xxx: Apply errata delay only in standard mode
+
+From: Gregory CLEMENT
+
+[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ]
+
+The errata FE-8471889 description has been updated. There is still a
+timing violation for repeated start. But the errata now states that it
+was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz)
+there is no issue.
+
+This patch limit the errata fix to the Standard mode.
+
+It has been tesed successfully on the clearfog (Aramda 388 based board).
+
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-mv64xxx.c
++++ b/drivers/i2c/busses/i2c-mv64xxx.c
+@@ -848,12 +848,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat
+ */
+ if (of_device_is_compatible(np, "marvell,mv78230-i2c")) {
+ drv_data->offload_enabled = true;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) {
+ drv_data->offload_enabled = false;
+- drv_data->errata_delay = true;
++ /* The delay is only needed in standard mode (100kHz) */
++ if (bus_freq <= 100000)
++ drv_data->errata_delay = true;
+ }
+
+ if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
diff --git a/queue-4.9/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch b/queue-4.9/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch
new file mode 100644
index 00000000000..e0ec60c9406
--- /dev/null
+++ b/queue-4.9/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: Shiraz Saleem
+Date: Thu, 11 Jan 2018 18:10:51 -0600
+Subject: i40iw: Zero-out consumer key on allocate stag for FMR
+
+From: Shiraz Saleem
+
+[ Upstream commit 6376e926af1a8661dd1b2e6d0896e07f84a35844 ]
+
+If the application invalidates the MR before the FMR WR, HW parses the
+consumer key portion of the stag and returns an invalid stag key
+Asynchronous Event (AE) that tears down the QP.
+
+Fix this by zeroing-out the consumer key portion of the allocated stag
+returned to application for FMR.
+
+Fixes: ee855d3b93f3 ("RDMA/i40iw: Add base memory management extensions")
+Signed-off-by: Shiraz Saleem
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -1515,6 +1515,7 @@ static struct ib_mr *i40iw_alloc_mr(stru
+ err_code = -EOVERFLOW;
+ goto err;
+ }
++ stag &= ~I40IW_CQPSQ_STAG_KEY_MASK;
+ iwmr->stag = stag;
+ iwmr->ibmr.rkey = stag;
+ iwmr->ibmr.lkey = stag;
diff --git a/queue-4.9/ia64-err-inject-use-get_user_pages_fast.patch b/queue-4.9/ia64-err-inject-use-get_user_pages_fast.patch
new file mode 100644
index 00000000000..640b48aa707
--- /dev/null
+++ b/queue-4.9/ia64-err-inject-use-get_user_pages_fast.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Davidlohr Bueso
+Date: Mon, 22 Jan 2018 09:21:37 -0800
+Subject: ia64/err-inject: Use get_user_pages_fast()
+
+From: Davidlohr Bueso
+
+[ Upstream commit 69c907022a7d9325cdc5c9dd064571e445df9a47 ]
+
+At the point of sysfs callback, the call to gup is
+done without mmap_sem (or any lock for that matter).
+This is racy. As such, use the get_user_pages_fast()
+alternative and safely avoid taking the lock, if possible.
+
+Signed-off-by: Davidlohr Bueso
+Signed-off-by: Tony Luck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/kernel/err_inject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/ia64/kernel/err_inject.c
++++ b/arch/ia64/kernel/err_inject.c
+@@ -142,7 +142,7 @@ store_virtual_to_phys(struct device *dev
+ u64 virt_addr=simple_strtoull(buf, NULL, 16);
+ int ret;
+
+- ret = get_user_pages(virt_addr, 1, FOLL_WRITE, NULL, NULL);
++ ret = get_user_pages_fast(virt_addr, 1, FOLL_WRITE, NULL);
+ if (ret<=0) {
+ #ifdef ERR_INJ_DEBUG
+ printk("Virtual address %lx is not existing.\n",virt_addr);
diff --git a/queue-4.9/ib-core-fix-possible-crash-to-access-null-netdev.patch b/queue-4.9/ib-core-fix-possible-crash-to-access-null-netdev.patch
new file mode 100644
index 00000000000..f017f188170
--- /dev/null
+++ b/queue-4.9/ib-core-fix-possible-crash-to-access-null-netdev.patch
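Review bot: The replacement call in store_virtual_to_phys() passes `FOLL_WRITE` as the third argument of `get_user_pages_fast()`; if the 4.9 prototype still takes an `int write` flag in that position rather than gup flags, the call works only because FOLL_WRITE is non-zero, so the prototype in the target tree should be confirmed before this backport is queued. The call also passes a NULL page array, which presumably makes it a probe of the mapping only, and nothing next to it says so. A short comment would record that: `/* probe only: no page array is passed, so there is nothing to release */`. The function begins before and continues after the hunk.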
@@ -0,0 +1,45 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Parav Pandit
+Date: Wed, 7 Mar 2018 08:07:41 +0200
+Subject: IB/core: Fix possible crash to access NULL netdev
+
+From: Parav Pandit
+
+[ Upstream commit bb7f8f199c354c4cf155b1d6d55f86eaaed7fa5a ]
+
+resolved_dev returned might be NULL as ifindex is transient number.
+Ignoring NULL check of resolved_dev might crash the kernel.
+Therefore perform NULL check before accessing resolved_dev.
+
+Additionally rdma_resolve_ip_route() invokes addr_resolve() which
+performs check and address translation for loopback ifindex.
+Therefore, checking it again in rdma_resolve_ip_route() is not helpful.
+Therefore, the code is simplified to avoid IFF_LOOPBACK check.
+
+Fixes: 200298326b27 ("IB/core: Validate route when we init ah")
+Reviewed-by: Daniel Jurgens
+Signed-off-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/sa_query.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -1137,10 +1137,9 @@ int ib_init_ah_from_path(struct ib_devic
+
+ resolved_dev = dev_get_by_index(dev_addr.net,
+ dev_addr.bound_dev_if);
+- if (resolved_dev->flags & IFF_LOOPBACK) {
+- dev_put(resolved_dev);
+- resolved_dev = idev;
+- dev_hold(resolved_dev);
++ if (!resolved_dev) {
++ dev_put(idev);
++ return -ENODEV;
+ }
+ ndev = ib_get_ndev_from_path(rec);
+ rcu_read_lock();
diff --git a/queue-4.9/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch b/queue-4.9/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch
new file mode 100644
index 00000000000..1ed7197d49f
--- /dev/null
+++ b/queue-4.9/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch
@@ -0,0 +1,61 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Parav Pandit
+Date: Tue, 13 Mar 2018 16:06:14 +0200
+Subject: IB/core: Honor port_num while resolving GID for IB link layer
+
+From: Parav Pandit
+
+[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ]
+
+ah_attr contains the port number to which cm_id is bound. However, while
+searching for GID table for matching GID entry, the port number is
+ignored.
+
+This could cause the wrong GID to be used when the ah_attr is converted to
+an AH.
+
+Reviewed-by: Daniel Jurgens
+Signed-off-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/multicast.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/core/multicast.c
++++ b/drivers/infiniband/core/multicast.c
+@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d
+ {
+ int ret;
+ u16 gid_index;
+- u8 p;
+
+- if (rdma_protocol_roce(device, port_num)) {
+- ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
+- gid_type, port_num,
+- ndev,
+- &gid_index);
+- } else if (rdma_protocol_ib(device, port_num)) {
+- ret = ib_find_cached_gid(device, &rec->port_gid,
+- IB_GID_TYPE_IB, NULL, &p,
+- &gid_index);
+- } else {
+- ret = -EINVAL;
+- }
++ /* GID table is not based on the netdevice for IB link layer,
++ * so ignore ndev during search.
++ */
++ if (rdma_protocol_ib(device, port_num))
++ ndev = NULL;
++ else if (!rdma_protocol_roce(device, port_num))
++ return -EINVAL;
+
++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid,
++ gid_type, port_num,
++ ndev,
++ &gid_index);
+ if (ret)
+ return ret;
+
diff --git a/queue-4.9/ib-ipoib-fix-for-potential-no-carrier-state.patch b/queue-4.9/ib-ipoib-fix-for-potential-no-carrier-state.patch
new file mode 100644
index 00000000000..f02bcaecb2c
--- /dev/null
+++ b/queue-4.9/ib-ipoib-fix-for-potential-no-carrier-state.patch
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Alex Estrin
+Date: Thu, 1 Feb 2018 10:55:41 -0800
+Subject: IB/ipoib: Fix for potential no-carrier state
+
+From: Alex Estrin
+
+[ Upstream commit 1029361084d18cc270f64dfd39529fafa10cfe01 ]
+
+On reboot SM can program port pkey table before ipoib registered its
+event handler, which could result in missing pkey event and leave root
+interface with initial pkey value from index 0.
+
+Since OPA port starts with invalid pkey in index 0, root interface will
+fail to initialize and stay down with no-carrier flag.
+
+For IB ipoib interface may end up with pkey different from value
+opensm put in pkey table idx 0, resulting in connectivity issues
+(different mcast groups, for example).
+
+Close the window by calling event handler after registration
+to make sure ipoib pkey is in sync with port pkey table.
+
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Ira Weiny
+Signed-off-by: Alex Estrin
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -2119,6 +2119,9 @@ static struct net_device *ipoib_add_port
+ goto event_failed;
+ }
+
++ /* call event handler to ensure pkey in sync */
++ queue_work(ipoib_workqueue, &priv->flush_heavy);
++
+ result = register_netdev(priv->dev);
+ if (result) {
+ printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n",
diff --git a/queue-4.9/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch b/queue-4.9/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch
new file mode 100644
index 00000000000..7d8166adee3
--- /dev/null
+++ b/queue-4.9/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jack Morgenstein
+Date: Mon, 5 Mar 2018 20:09:45 +0200
+Subject: IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
+
+From: Jack Morgenstein
+
+[ Upstream commit 0077416a3d529baccbe07ab3242e8db541cfadf6 ]
+
+When using IPv4 addresses in RoCEv2, the GID format for the mapped
+IPv4 address should be: ::ffff:<4-byte IPv4 address>.
+
+In the cited commit, IPv4 mapped IPV6 addresses had the 3 upper dwords
+zeroed out by memset, which resulted in deleting the ffff field.
+
+However, since procedure ipv6_addr_v4mapped() already verifies that the
+gid has format ::ffff:, no change is needed for the gid,
+and the memset can simply be removed.
+
+Fixes: 7e57b85c444c ("IB/mlx4: Add support for setting RoCEv2 gids in hardware")
+Reviewed-by: Moni Shoua
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx4/main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -216,8 +216,6 @@ static int mlx4_ib_update_gids_v1_v2(str
+ gid_tbl[i].version = 2;
+ if (!ipv6_addr_v4mapped((struct in6_addr *)&gids[i].gid))
+ gid_tbl[i].type = 1;
+- else
+- memset(&gid_tbl[i].gid, 0, 12);
+ }
+ }
+
diff --git a/queue-4.9/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch b/queue-4.9/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch
new file mode 100644
index 00000000000..80817a3d67e
--- /dev/null
+++ b/queue-4.9/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch
@@ -0,0 +1,55 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jack M
+Date: Mon, 5 Mar 2018 20:09:46 +0200
+Subject: IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE
+
+From: Jack M
+
+[ Upstream commit a18177925c252da7801149abe217c05b80884798 ]
+
+The commit cited below added a gid_type field (RoCEv1 or RoCEv2)
+to GID properties.
+
+When adding GIDs, this gid_type field was copied over to the
+hardware gid table. However, when deleting GIDs, the gid_type field
+was not copied over to the hardware gid table.
+
+As a result, when running RoCEv2, all RoCEv2 gids in the
+hardware gid table were set to type RoCEv1 when any gid was deleted.
+
+This problem would persist until the next gid was added (which would again
+restore the gid_type field for all the gids in the hardware gid table).
+
+Fix this by copying over the gid_type field to the hardware gid table
+when deleting gids, so that the gid_type of all remaining gids is
+preserved when a gid is deleted.
+
+Fixes: b699a859d17b ("IB/mlx4: Add gid_type to GID properties")
+Reviewed-by: Moni Shoua
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -361,8 +361,13 @@ static int mlx4_ib_del_gid(struct ib_dev
+ if (!gids) {
+ ret = -ENOMEM;
+ } else {
+- for (i = 0; i < MLX4_MAX_PORT_GIDS; i++)
+- memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid));
++ for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) {
++ memcpy(&gids[i].gid,
++ &port_gid_table->gids[i].gid,
++ sizeof(union ib_gid));
++ gids[i].gid_type =
++ port_gid_table->gids[i].gid_type;
++ }
+ }
+ }
+ spin_unlock_bh(&iboe->lock);
diff --git a/queue-4.9/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch b/queue-4.9/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch
new file mode 100644
index 00000000000..66a96449ee1
--- /dev/null
+++ b/queue-4.9/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dan Carpenter
+Date: Tue, 6 Mar 2018 13:00:31 +0300
+Subject: IB/mlx5: Fix an error code in __mlx5_ib_modify_qp()
+
+From: Dan Carpenter
+
+[ Upstream commit 5d414b178e950ce9685c253994cc730893d5d887 ]
+
+"err" is either zero or possibly uninitialized here. It should be
+-EINVAL.
+
+Fixes: 427c1e7bcd7e ("{IB, net}/mlx5: Move the modify QP operation table to mlx5_ib")
+Signed-off-by: Dan Carpenter
+Acked-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2809,8 +2809,10 @@ static int __mlx5_ib_modify_qp(struct ib
+ mlx5_ib_qp_disable_pagefaults(qp);
+
+ if (mlx5_cur >= MLX5_QP_NUM_STATE || mlx5_new >= MLX5_QP_NUM_STATE ||
+- !optab[mlx5_cur][mlx5_new])
++ !optab[mlx5_cur][mlx5_new]) {
++ err = -EINVAL;
+ goto out;
++ }
+
+ op = optab[mlx5_cur][mlx5_new];
+ optpar = ib_mask_to_mlx5_opt(attr_mask);
diff --git a/queue-4.9/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch b/queue-4.9/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch
new file mode 100644
index 00000000000..ece3b549406
--- /dev/null
+++ b/queue-4.9/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Thomas Falcon
+Date: Tue, 13 Feb 2018 18:23:42 -0600
+Subject: ibmvnic: Free RX socket buffer in case of adapter error
+
+From: Thomas Falcon
+
+[ Upstream commit 4b9b0f01350500173f17e2b2e65beb4df4ef99c7 ]
+
+If a RX buffer is returned to the client driver with an error, free the
+corresponding socket buffer before continuing.
+
+Signed-off-by: Thomas Falcon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -994,6 +994,7 @@ restart_poll:
+ netdev_err(netdev, "rx error %x\n", next->rx_comp.rc);
+ /* free the entry */
+ next->rx_comp.first = 0;
++ dev_kfree_skb_any(rx_buff->skb);
+ remove_buff_from_pool(adapter, rx_buff);
+ break;
+ }
diff --git a/queue-4.9/ima-fallback-to-the-builtin-hash-algorithm.patch b/queue-4.9/ima-fallback-to-the-builtin-hash-algorithm.patch
new file mode 100644
index 00000000000..00f46d115b2
--- /dev/null
+++ b/queue-4.9/ima-fallback-to-the-builtin-hash-algorithm.patch
@@ -0,0 +1,119 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Petr Vorel +Date: Fri, 23 Mar 2018 14:41:08 +0100 +Subject: ima: Fallback to the builtin hash algorithm + +From: Petr Vorel + +[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ] + +IMA requires having it's hash algorithm be compiled-in due to it's +early use. The default IMA algorithm is protected by Kconfig to be +compiled-in. + +The ima_hash kernel parameter allows to choose the hash algorithm. When +the specified algorithm is not available or available as a module, IMA +initialization fails, which leads to a kernel panic (mknodat syscall calls +ima_post_path_mknod()). Therefore as fallback we force IMA to use +the default builtin Kconfig hash algorithm. + +Fixed crash: + +$ grep CONFIG_CRYPTO_MD4 .config +CONFIG_CRYPTO_MD4=m + +[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4 +... +[ 1.545190] ima: Can not allocate md4 (reason: -2) +... 
+[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 2.611903] IP: ima_match_policy+0x23/0x390 +[ 2.612967] PGD 0 P4D 0 +[ 2.613080] Oops: 0000 [#1] SMP +[ 2.613080] Modules linked in: autofs4 +[ 2.613080] Supported: Yes +[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1 +[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000 +[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390 +[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296 +[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004 +[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728 +[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000 +[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000 +[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 +[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0 +[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2.613080] Call Trace: +[ 2.613080] ? 
shmem_mknod+0xbf/0xd0 +[ 2.613080] ima_post_path_mknod+0x1c/0x40 +[ 2.613080] SyS_mknod+0x210/0x220 +[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5 +[ 2.613080] RIP: 0033:0x7f5c1bfde570 +[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 +[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570 +[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f +[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000 +[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660 +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002 +[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20 +[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88 +[ 2.613080] CR2: 0000000000000000 +[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]--- +[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 2.673052] +[ 2.675337] Kernel Offset: disabled +[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 + +Signed-off-by: Petr Vorel +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_crypto.c | 2 ++ + security/integrity/ima/ima_main.c | 13 +++++++++++++ + 2 files changed, 15 insertions(+) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -78,6 +78,8 @@ int __init ima_init_crypto(void) + hash_algo_name[ima_hash_algo], rc); + return rc; + } ++ pr_info("Allocated hash algorithm: %s\n", ++ hash_algo_name[ima_hash_algo]); + return 0; + } + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -16,6 +16,9 @@ + * implements the IMA hooks: ima_bprm_check, ima_file_mmap, + * and ima_file_check. 
+ */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include + #include + #include +@@ -426,6 +429,16 @@ static int __init init_ima(void) + + hash_setup(CONFIG_IMA_DEFAULT_HASH); + error = ima_init(); ++ ++ if (error && strcmp(hash_algo_name[ima_hash_algo], ++ CONFIG_IMA_DEFAULT_HASH) != 0) { ++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n", ++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); ++ hash_setup_done = 0; ++ hash_setup(CONFIG_IMA_DEFAULT_HASH); ++ error = ima_init(); ++ } ++ + if (!error) { + ima_initialized = 1; + ima_update_policy_flag(); diff --git a/queue-4.9/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch b/queue-4.9/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch new file mode 100644 index 00000000000..2bdbdfe2d1b --- /dev/null +++ b/queue-4.9/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch 
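Review bot: The retry added to init_ima() fires on any non-zero return from ima_init(), not only when the requested hash could not be allocated, yet the message always reads "Allocating %s failed"; a failure elsewhere in ima_init() would be logged misleadingly and then retried. Because the fallback replaces the digest algorithm an administrator selected with ima_hash=, the message deserves more than info level: changing `pr_info(` to `pr_warn(` on that line makes the override stand out when boot logs are reviewed. Whether ima_init() is safe to run a second time after a partial first pass is not visible in this hunk, so a short comment above the retry stating that assumption would help. init_ima() continues outside the hunk.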
@@ -0,0 +1,88 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: Dmitry Torokhov +Date: Tue, 9 Jan 2018 13:44:46 -0800 +Subject: Input: psmouse - fix Synaptics detection when protocol is disabled + +From: Dmitry Torokhov + +[ Upstream commit 2bc4298f59d2f15175bb568e2d356b5912d0cdd9 ] + +When Synaptics protocol is disabled, we still need to try and detect the +hardware, so we can switch to SMBus device if SMbus is detected, or we know +that it is Synaptics device and reset it properly for the bare PS/2 +protocol. + +Fixes: c378b5119eb0 ("Input: psmouse - factor out common protocol probing code") +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/psmouse-base.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -937,6 +937,21 @@ static void psmouse_apply_defaults(struc + psmouse->pt_deactivate = NULL; + } + ++static bool psmouse_do_detect(int (*detect)(struct psmouse *, bool), ++ struct psmouse *psmouse, bool allow_passthrough, ++ bool set_properties) ++{ ++ if (psmouse->ps2dev.serio->id.type == SERIO_PS_PSTHRU && ++ !allow_passthrough) { ++ return false; ++ } ++ ++ if (set_properties) ++ psmouse_apply_defaults(psmouse); ++ ++ return detect(psmouse, set_properties) == 0; ++} ++ + static bool psmouse_try_protocol(struct psmouse *psmouse, + enum psmouse_type type, + unsigned int *max_proto, +@@ -948,15 +963,8 @@ static bool psmouse_try_protocol(struct + if (!proto) + return false; + +- if (psmouse->ps2dev.serio->id.type == SERIO_PS_PSTHRU && +- !proto->try_passthru) { +- return false; +- } +- +- if (set_properties) +- psmouse_apply_defaults(psmouse); +- +- if (proto->detect(psmouse, set_properties) != 0) ++ if (!psmouse_do_detect(proto->detect, psmouse, proto->try_passthru, ++ set_properties)) + return false; + + if 
(set_properties && proto->init && init_allowed) { +@@ -988,8 +996,8 @@ static int psmouse_extensions(struct psm + * Always check for focaltech, this is safe as it uses pnp-id + * matching. + */ +- if (psmouse_try_protocol(psmouse, PSMOUSE_FOCALTECH, +- &max_proto, set_properties, false)) { ++ if (psmouse_do_detect(focaltech_detect, ++ psmouse, false, set_properties)) { + if (max_proto > PSMOUSE_IMEX && + IS_ENABLED(CONFIG_MOUSE_PS2_FOCALTECH) && + (!set_properties || focaltech_init(psmouse) == 0)) { +@@ -1035,8 +1043,8 @@ static int psmouse_extensions(struct psm + * probing for IntelliMouse. + */ + if (max_proto > PSMOUSE_PS2 && +- psmouse_try_protocol(psmouse, PSMOUSE_SYNAPTICS, &max_proto, +- set_properties, false)) { ++ psmouse_do_detect(synaptics_detect, ++ psmouse, false, set_properties)) { + synaptics_hardware = true; + + if (max_proto > PSMOUSE_IMEX) { diff --git a/queue-4.9/integrity-security-fix-digsig.c-build-error-with-header-file.patch b/queue-4.9/integrity-security-fix-digsig.c-build-error-with-header-file.patch new file mode 100644 index 00000000000..41a5eb6df56 --- /dev/null +++ b/queue-4.9/integrity-security-fix-digsig.c-build-error-with-header-file.patch 
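Review bot: The new helper psmouse_do_detect() has no comment, and its contract is not obvious from the call sites in psmouse_extensions(), which now pass `focaltech_detect` and `synaptics_detect` with `allow_passthrough` fixed to false. A short comment above it would help, for example `/* Call a detect hook directly: refuse pass-through ports unless allow_passthrough, reset defaults first when set_properties. */`. It is also worth stating there that, unlike psmouse_try_protocol() with its `if (!proto) return false;` check, the helper never consults the protocol table and so probes even when the protocol is disabled, which appears to be the intent per the commit message. psmouse_try_protocol() and psmouse_extensions() both continue outside their hunks.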
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Randy Dunlap
+Date: Mon, 12 Feb 2018 17:26:20 -0800
+Subject: integrity/security: fix digsig.c build error with header file
+
+From: Randy Dunlap
+
+[ Upstream commit 120f3b11ef88fc38ce1d0ff9c9a4b37860ad3140 ]
+
+security/integrity/digsig.c has build errors on some $ARCH due to a
+missing header file, so add it.
+
+ security/integrity/digsig.c:146:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
+
+Reported-by: Michael Ellerman
+Signed-off-by: Randy Dunlap
+Cc: Mimi Zohar
+Cc: linux-integrity@vger.kernel.org
+Link: http://kisskb.ellerman.id.au/kisskb/head/13396/
+Signed-off-by: James Morris
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/integrity/digsig.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
diff --git a/queue-4.9/iommu-vt-d-use-domain-instead-of-cache-fetching.patch b/queue-4.9/iommu-vt-d-use-domain-instead-of-cache-fetching.patch
new file mode 100644
index 00000000000..699ac2a7156
--- /dev/null
+++ b/queue-4.9/iommu-vt-d-use-domain-instead-of-cache-fetching.patch
@@ -0,0 +1,99 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Peter Xu +Date: Wed, 10 Jan 2018 13:51:37 +0800 +Subject: iommu/vt-d: Use domain instead of cache fetching + +From: Peter Xu + +[ Upstream commit 9d2e6505f6d6934e681aed502f566198cb25c74a ] + +after commit a1ddcbe93010 ("iommu/vt-d: Pass dmar_domain directly into +iommu_flush_iotlb_psi", 2015-08-12), we have domain pointer as parameter +to iommu_flush_iotlb_psi(), so no need to fetch it from cache again. + +More importantly, a NULL reference pointer bug is reported on RHEL7 (and +it can be reproduced on some old upstream kernels too, e.g., v4.13) by +unplugging an 40g nic from a VM (hard to test unplug on real host, but +it should be the same): + +https://bugzilla.redhat.com/show_bug.cgi?id=1531367 + +[ 24.391863] pciehp 0000:00:03.0:pcie004: Slot(0): Attention button pressed +[ 24.393442] pciehp 0000:00:03.0:pcie004: Slot(0): Powering off due to button press +[ 29.721068] i40evf 0000:01:00.0: Unable to send opcode 2 to PF, err I40E_ERR_QUEUE_EMPTY, aq_err OK +[ 29.783557] iommu: Removing device 0000:01:00.0 from group 3 +[ 29.784662] BUG: unable to handle kernel NULL pointer dereference at 0000000000000304 +[ 29.785817] IP: iommu_flush_iotlb_psi+0xcf/0x120 +[ 29.786486] PGD 0 +[ 29.786487] P4D 0 +[ 29.786812] +[ 29.787390] Oops: 0000 [#1] SMP +[ 29.787876] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_ng +[ 29.795371] CPU: 0 PID: 156 Comm: kworker/0:2 Not tainted 4.13.0 #14 +[ 29.796366] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.11.0-1.el7 04/01/2014 +[ 29.797593] Workqueue: pciehp-0 pciehp_power_thread +[ 29.798328] task: ffff94f5745b4a00 task.stack: ffffb326805ac000 +[ 29.799178] RIP: 0010:iommu_flush_iotlb_psi+0xcf/0x120 +[ 29.799919] RSP: 0018:ffffb326805afbd0 EFLAGS: 00010086 +[ 29.800666] RAX: ffff94f5bc56e800 RBX: 0000000000000000 RCX: 0000000200000025 +[ 29.801667] RDX: 
ffff94f5bc56e000 RSI: 0000000000000082 RDI: 0000000000000000 +[ 29.802755] RBP: ffffb326805afbf8 R08: 0000000000000000 R09: ffff94f5bc86bbf0 +[ 29.803772] R10: ffffb326805afba8 R11: 00000000000ffdc4 R12: ffff94f5bc86a400 +[ 29.804789] R13: 0000000000000000 R14: 00000000ffdc4000 R15: 0000000000000000 +[ 29.805792] FS: 0000000000000000(0000) GS:ffff94f5bfc00000(0000) knlGS:0000000000000000 +[ 29.806923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.807736] CR2: 0000000000000304 CR3: 000000003499d000 CR4: 00000000000006f0 +[ 29.808747] Call Trace: +[ 29.809156] flush_unmaps_timeout+0x126/0x1c0 +[ 29.809800] domain_exit+0xd6/0x100 +[ 29.810322] device_notifier+0x6b/0x70 +[ 29.810902] notifier_call_chain+0x4a/0x70 +[ 29.812822] __blocking_notifier_call_chain+0x47/0x60 +[ 29.814499] blocking_notifier_call_chain+0x16/0x20 +[ 29.816137] device_del+0x233/0x320 +[ 29.817588] pci_remove_bus_device+0x6f/0x110 +[ 29.819133] pci_stop_and_remove_bus_device+0x1a/0x20 +[ 29.820817] pciehp_unconfigure_device+0x7a/0x1d0 +[ 29.822434] pciehp_disable_slot+0x52/0xe0 +[ 29.823931] pciehp_power_thread+0x8a/0xa0 +[ 29.825411] process_one_work+0x18c/0x3a0 +[ 29.826875] worker_thread+0x4e/0x3b0 +[ 29.828263] kthread+0x109/0x140 +[ 29.829564] ? process_one_work+0x3a0/0x3a0 +[ 29.831081] ? kthread_park+0x60/0x60 +[ 29.832464] ret_from_fork+0x25/0x30 +[ 29.833794] Code: 85 ed 74 0b 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8b 54 24 60 44 89 f8 0f b6 c4 48 8b 04 c2 48 85 c0 74 49 45 0f b6 ff 4a 8b 3c f8 <80> bf +[ 29.838514] RIP: iommu_flush_iotlb_psi+0xcf/0x120 RSP: ffffb326805afbd0 +[ 29.840362] CR2: 0000000000000304 +[ 29.841716] ---[ end trace b10ec0d6900868d3 ]--- + +This patch fixes that problem if applied to v4.13 kernel. + +The bug does not exist on latest upstream kernel since it's fixed as a +side effect of commit 13cf01744608 ("iommu/vt-d: Make use of iova +deferred flushing", 2017-08-15). But IMHO it's still good to have this +patch upstream. 
+ +CC: Alex Williamson +Signed-off-by: Peter Xu +Fixes: a1ddcbe93010 ("iommu/vt-d: Pass dmar_domain directly into iommu_flush_iotlb_psi") +Reviewed-by: Alex Williamson +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel-iommu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1612,8 +1612,7 @@ static void iommu_flush_iotlb_psi(struct + * flush. However, device IOTLB doesn't need to be flushed in this case. + */ + if (!cap_caching_mode(iommu->cap) || !map) +- iommu_flush_dev_iotlb(get_iommu_domain(iommu, did), +- addr, mask); ++ iommu_flush_dev_iotlb(domain, addr, mask); + } + + static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu) diff --git a/queue-4.9/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.9/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..0e4834d076f --- /dev/null +++ b/queue-4.9/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch 
@@ -0,0 +1,58 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Xin Long
+Date: Tue, 27 Feb 2018 19:19:40 +0800
+Subject: ip6_tunnel: fix IFLA_MTU ignored on NEWLINK
+
+From: Xin Long
+
+[ Upstream commit a6aa80446234ec0ad38eecdb8efc59e91daae565 ]
+
+Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len
+correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same
+mtu fix is also needed for ip6_tunnel.
+
+Note that dev->hard_header_len setting for ip6_tunnel works fine,
+no need to fix it.
+
+Reported-by: Jianlin Shi
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_tunnel.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1972,14 +1972,14 @@ static int ip6_tnl_newlink(struct net *s
+ {
+ struct net *net = dev_net(dev);
+ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
+- struct ip6_tnl *nt, *t;
+ struct ip_tunnel_encap ipencap;
++ struct ip6_tnl *nt, *t;
++ int err;
+
+ nt = netdev_priv(dev);
+
+ if (ip6_tnl_netlink_encap_parms(data, &ipencap)) {
+- int err = ip6_tnl_encap_setup(nt, &ipencap);
+-
++ err = ip6_tnl_encap_setup(nt, &ipencap);
+ if (err < 0)
+ return err;
+ }
+@@ -1995,7 +1995,11 @@ static int ip6_tnl_newlink(struct net *s
+ return -EEXIST;
+ }
+
+- return ip6_tnl_create2(dev);
++ err = ip6_tnl_create2(dev);
++ if (!err && tb[IFLA_MTU])
++ ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
++
++ return err;
+ }
+
+ static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[],
diff --git a/queue-4.9/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch b/queue-4.9/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch
new file mode 100644
index 00000000000..be1fc530609
--- /dev/null
+++ b/queue-4.9/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch
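Review bot: The return value of `ip6_tnl_change_mtu()` is dropped in ip6_tnl_newlink(), so if the helper rejects the netlink-supplied IFLA_MTU the device keeps its default MTU while the request still reports success. If ignoring the failure is deliberate, since ip6_tnl_create2() has already created the device by then, a comment should say so, for example `/* best effort: a rejected IFLA_MTU leaves the default MTU in place */`. Otherwise the attribute should be validated before ip6_tnl_create2() and the error returned to the caller. The function's signature and the code between the two inner hunks are outside the visible lines.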
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Wei Yongjun
+Date: Thu, 18 Jan 2018 01:43:19 +0000
+Subject: ipmi/powernv: Fix error return code in ipmi_powernv_probe()
+
+From: Wei Yongjun
+
+[ Upstream commit e749d328b0b450aa78d562fa26a0cd8872325dd9 ]
+
+Fix to return a negative error code from the request_irq() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: dce143c3381c ("ipmi/powernv: Convert to irq event interface")
+Signed-off-by: Wei Yongjun
+Reviewed-by: Alexey Kardashevskiy
+Signed-off-by: Corey Minyard
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/ipmi/ipmi_powernv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_powernv.c
++++ b/drivers/char/ipmi/ipmi_powernv.c
+@@ -251,8 +251,9 @@ static int ipmi_powernv_probe(struct pla
+ ipmi->irq = opal_event_request(prop);
+ }
+
+- if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
+- "opal-ipmi", ipmi)) {
++ rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
++ "opal-ipmi", ipmi);
++ if (rc) {
+ dev_warn(dev, "Unable to request irq\n");
+ goto err_dispose;
+ }
diff --git a/queue-4.9/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch b/queue-4.9/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch
new file mode 100644
index 00000000000..0e752da869c
--- /dev/null
+++ b/queue-4.9/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch
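Review bot: With `rc` now holding the request_irq() result, the warning on the following line still discards it; `dev_warn(dev, "Unable to request irq: %d\n", rc);` would let the log show why the request failed. The rest of ipmi_powernv_probe() and the err_dispose label are outside the hunk, so whether the value returned by opal_event_request() is validated before it reaches request_irq() cannot be confirmed from here.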
@@ -0,0 +1,56 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Kamlakant Patel +Date: Tue, 13 Mar 2018 16:32:27 +0530 +Subject: ipmi_ssif: Fix kernel panic at msg_done_handler + +From: Kamlakant Patel + +[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ] + +This happens when BMC doesn't return any data and the code is trying +to print the value of data[2]. + +Getting following crash: +[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002 +[ 484.736496] pgd = ffff0000094a2000 +[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000 +[ 484.748158] Internal error: Oops: 96000005 [#1] SMP +[...] +[ 485.101451] Call trace: +[...] +[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif] +[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif] +[ 485.202038] [] kthread+0x108/0x138 +[ 485.206994] [] ret_from_fork+0x10/0x30 +[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3) + +Adding a check to validate the data len before printing data[2] to fix this issue. + +Signed-off-by: Kamlakant Patel +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -761,7 +761,7 @@ static void msg_done_handler(struct ssif + ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Error getting flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +@@ -783,7 +783,7 @@ static void msg_done_handler(struct ssif + if ((result < 0) || (len < 3) || (data[2] != 0)) { + /* Error clearing flags */ + pr_warn(PFX "Error clearing flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? 
data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) { + pr_warn(PFX "Invalid response clearing flags: %x %x\n", diff --git a/queue-4.9/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch b/queue-4.9/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch new file mode 100644 index 00000000000..781a41210f5 --- /dev/null +++ b/queue-4.9/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch 
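Review bot: Both warnings in msg_done_handler() now print 0 when the response is shorter than three bytes, but 0 is also the value the surrounding condition treats as "no error" (`data[2] != 0`), so a short or empty BMC response looks the same in the log as a failed transfer with a zero status byte. Keeping the length guard but emitting a distinct message for `len < 3` (without the third field) would remove that ambiguity. The ternary `(len >= 3) ? data[2] : 0` is repeated in the get-flags and clear-flags branches; computing it once into a local per branch would avoid the duplication. The function body starts and ends outside the hunk.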
@@ -0,0 +1,221 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sabrina Dubroca +Date: Wed, 14 Mar 2018 10:21:14 +0100 +Subject: ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu + +From: Sabrina Dubroca + +[ Upstream commit d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 ] + +Prior to the rework of PMTU information storage in commit +2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer."), +when a PMTU event advertising a PMTU smaller than +net.ipv4.route.min_pmtu was received, we would disable setting the DF +flag on packets by locking the MTU metric, and set the PMTU to +net.ipv4.route.min_pmtu. + +Since then, we don't disable DF, and set PMTU to +net.ipv4.route.min_pmtu, so the intermediate router that has this link +with a small MTU will have to drop the packets. + +This patch reestablishes pre-2.6.39 behavior by splitting +rtable->rt_pmtu into a bitfield with rt_mtu_locked and rt_pmtu. +rt_mtu_locked indicates that we shouldn't set the DF bit on that path, +and is checked in ip_dont_fragment(). + +One possible workaround is to set net.ipv4.route.min_pmtu to a value low +enough to accommodate the lowest MTU encountered. + +Fixes: 2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer.") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Stefano Brivio +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 11 +++++++++-- + include/net/ip_fib.h | 1 + + include/net/route.h | 3 ++- + net/ipv4/route.c | 26 +++++++++++++++++++------- + net/ipv4/xfrm4_policy.c | 1 + + 5 files changed, 32 insertions(+), 10 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -304,6 +304,13 @@ int ip_decrease_ttl(struct iphdr *iph) + return --iph->ttl; + } + ++static inline int ip_mtu_locked(const struct dst_entry *dst) ++{ ++ const struct rtable *rt = (const struct rtable *)dst; ++ ++ return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU); ++} ++ + static inline + int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst) + { +@@ -311,7 +318,7 @@ int ip_dont_fragment(const struct sock * + + return pmtudisc == IP_PMTUDISC_DO || + (pmtudisc == IP_PMTUDISC_WANT && +- !(dst_metric_locked(dst, RTAX_MTU))); ++ !ip_mtu_locked(dst)); + } + + static inline bool ip_sk_accept_pmtu(const struct sock *sk) +@@ -337,7 +344,7 @@ static inline unsigned int ip_dst_mtu_ma + struct net *net = dev_net(dst->dev); + + if (net->ipv4.sysctl_ip_fwd_use_pmtu || +- dst_metric_locked(dst, RTAX_MTU) || ++ ip_mtu_locked(dst) || + !forwarding) + return dst_mtu(dst); + +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -57,6 +57,7 @@ struct fib_nh_exception { + int fnhe_genid; + __be32 fnhe_daddr; + u32 fnhe_pmtu; ++ bool fnhe_mtu_locked; + __be32 fnhe_gw; + unsigned long fnhe_expires; + struct rtable __rcu *fnhe_rth_input; +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -63,7 +63,8 @@ struct rtable { + __be32 rt_gateway; + + /* Miscellaneous cached information */ +- u32 rt_pmtu; ++ u32 rt_mtu_locked:1, ++ rt_pmtu:31; + + u32 rt_table_id; + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -618,6 +618,7 @@ static inline u32 fnhe_hashfun(__be32 da + static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) + { + rt->rt_pmtu = fnhe->fnhe_pmtu; ++ 
rt->rt_mtu_locked = fnhe->fnhe_mtu_locked; + rt->dst.expires = fnhe->fnhe_expires; + + if (fnhe->fnhe_gw) { +@@ -628,7 +629,7 @@ static void fill_route_from_fnhe(struct + } + + static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, +- u32 pmtu, unsigned long expires) ++ u32 pmtu, bool lock, unsigned long expires) + { + struct fnhe_hash_bucket *hash; + struct fib_nh_exception *fnhe; +@@ -665,8 +666,10 @@ static void update_or_create_fnhe(struct + fnhe->fnhe_genid = genid; + if (gw) + fnhe->fnhe_gw = gw; +- if (pmtu) ++ if (pmtu) { + fnhe->fnhe_pmtu = pmtu; ++ fnhe->fnhe_mtu_locked = lock; ++ } + fnhe->fnhe_expires = max(1UL, expires); + /* Update all cached dsts too */ + rt = rcu_dereference(fnhe->fnhe_rth_input); +@@ -690,6 +693,7 @@ static void update_or_create_fnhe(struct + fnhe->fnhe_daddr = daddr; + fnhe->fnhe_gw = gw; + fnhe->fnhe_pmtu = pmtu; ++ fnhe->fnhe_mtu_locked = lock; + fnhe->fnhe_expires = expires; + + /* Exception created; mark the cached routes for the nexthop +@@ -771,7 +775,8 @@ static void __ip_do_redirect(struct rtab + struct fib_nh *nh = &FIB_RES_NH(res); + + update_or_create_fnhe(nh, fl4->daddr, new_gw, +- 0, jiffies + ip_rt_gc_timeout); ++ 0, false, ++ jiffies + ip_rt_gc_timeout); + } + if (kill_route) + rt->dst.obsolete = DST_OBSOLETE_KILL; +@@ -983,15 +988,18 @@ static void __ip_rt_update_pmtu(struct r + { + struct dst_entry *dst = &rt->dst; + struct fib_result res; ++ bool lock = false; + +- if (dst_metric_locked(dst, RTAX_MTU)) ++ if (ip_mtu_locked(dst)) + return; + + if (ipv4_mtu(dst) < mtu) + return; + +- if (mtu < ip_rt_min_pmtu) ++ if (mtu < ip_rt_min_pmtu) { ++ lock = true; + mtu = ip_rt_min_pmtu; ++ } + + if (rt->rt_pmtu == mtu && + time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2)) +@@ -1001,7 +1009,7 @@ static void __ip_rt_update_pmtu(struct r + if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { + struct fib_nh *nh = &FIB_RES_NH(res); + +- update_or_create_fnhe(nh, fl4->daddr, 0, mtu, ++ 
update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock, + jiffies + ip_rt_mtu_expires); + } + rcu_read_unlock(); +@@ -1256,7 +1264,7 @@ static unsigned int ipv4_mtu(const struc + + mtu = READ_ONCE(dst->dev->mtu); + +- if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { ++ if (unlikely(ip_mtu_locked(dst))) { + if (rt->rt_uses_gateway && mtu > 576) + mtu = 576; + } +@@ -1481,6 +1489,7 @@ struct rtable *rt_dst_alloc(struct net_d + rt->rt_is_input = 0; + rt->rt_iif = 0; + rt->rt_pmtu = 0; ++ rt->rt_mtu_locked = 0; + rt->rt_gateway = 0; + rt->rt_uses_gateway = 0; + rt->rt_table_id = 0; +@@ -2403,6 +2412,7 @@ struct dst_entry *ipv4_blackhole_route(s + rt->rt_is_input = ort->rt_is_input; + rt->rt_iif = ort->rt_iif; + rt->rt_pmtu = ort->rt_pmtu; ++ rt->rt_mtu_locked = ort->rt_mtu_locked; + + rt->rt_genid = rt_genid_ipv4(net); + rt->rt_flags = ort->rt_flags; +@@ -2505,6 +2515,8 @@ static int rt_fill_info(struct net *net, + memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics)); + if (rt->rt_pmtu && expires) + metrics[RTAX_MTU - 1] = rt->rt_pmtu; ++ if (rt->rt_mtu_locked && expires) ++ metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU); + if (rtnetlink_put_metrics(skb, metrics) < 0) + goto nla_put_failure; + +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -97,6 +97,7 @@ static int xfrm4_fill_dst(struct xfrm_ds + xdst->u.rt.rt_gateway = rt->rt_gateway; + xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; + xdst->u.rt.rt_pmtu = rt->rt_pmtu; ++ xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked; + xdst->u.rt.rt_table_id = rt->rt_table_id; + INIT_LIST_HEAD(&xdst->u.rt.rt_uncached); + diff --git a/queue-4.9/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch b/queue-4.9/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch new file mode 100644 index 00000000000..39618d340e5 --- /dev/null +++ b/queue-4.9/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch 
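Review bot: In include/net/route.h the new `rt_mtu_locked:1` shares one u32 with `rt_pmtu:31`, so every store to either field is a read-modify-write of the other, and readers such as ip_mtu_locked() and the `rt->rt_pmtu == mtu` test in __ip_rt_update_pmtu() load the word without annotation. The visible writers (fill_route_from_fnhe(), rt_dst_alloc(), ipv4_blackhole_route(), xfrm4_fill_dst()) set both fields together, but whether they are all serialised is not visible here. A comment on the struct member would stop a later writer from updating one field alone, e.g. `/* rt_mtu_locked and rt_pmtu share a word: always write both, under the same lock */`. Since this state is driven by received PMTU events, ip_mtu_locked() should also carry a comment that a locked route stops DF being set for IP_PMTUDISC_WANT sockets. The functions touched start and end outside the inner hunks.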
@@ -0,0 +1,161 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Mark Salter +Date: Fri, 2 Feb 2018 09:20:29 -0500 +Subject: irqchip/gic-v3: Change pr_debug message to pr_devel + +From: Mark Salter + +[ Upstream commit b6dd4d83dc2f78cebc9a7e6e7e4bc2be4d29b94d ] + +The pr_debug() in gic-v3 gic_send_sgi() can trigger a circular locking +warning: + + GICv3: CPU10: ICC_SGI1R_EL1 5000400 + ====================================================== + WARNING: possible circular locking dependency detected + 4.15.0+ #1 Tainted: G W + ------------------------------------------------------ + dynamic_debug01/1873 is trying to acquire lock: + ((console_sem).lock){-...}, at: [<0000000099c891ec>] down_trylock+0x20/0x4c + + but task is already holding lock: + (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (&rq->lock){-.-.}: + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock+0x4c/0x60 + task_fork_fair+0x3c/0x148 + sched_fork+0x10c/0x214 + copy_process.isra.32.part.33+0x4e8/0x14f0 + _do_fork+0xe8/0x78c + kernel_thread+0x48/0x54 + rest_init+0x34/0x2a4 + start_kernel+0x45c/0x488 + + -> #1 (&p->pi_lock){-.-.}: + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + try_to_wake_up+0x48/0x600 + wake_up_process+0x28/0x34 + __up.isra.0+0x60/0x6c + up+0x60/0x68 + __up_console_sem+0x4c/0x7c + console_unlock+0x328/0x634 + vprintk_emit+0x25c/0x390 + dev_vprintk_emit+0xc4/0x1fc + dev_printk_emit+0x88/0xa8 + __dev_printk+0x58/0x9c + _dev_info+0x84/0xa8 + usb_new_device+0x100/0x474 + hub_port_connect+0x280/0x92c + hub_event+0x740/0xa84 + process_one_work+0x240/0x70c + worker_thread+0x60/0x400 + kthread+0x110/0x13c + ret_from_fork+0x10/0x18 + + -> #0 ((console_sem).lock){-...}: + validate_chain.isra.34+0x6e4/0xa20 + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + 
down_trylock+0x20/0x4c + __down_trylock_console_sem+0x3c/0x9c + console_trylock+0x20/0xb0 + vprintk_emit+0x254/0x390 + vprintk_default+0x58/0x90 + vprintk_func+0xbc/0x164 + printk+0x80/0xa0 + __dynamic_pr_debug+0x84/0xac + gic_raise_softirq+0x184/0x18c + smp_cross_call+0xac/0x218 + smp_send_reschedule+0x3c/0x48 + resched_curr+0x60/0x9c + check_preempt_curr+0x70/0xdc + wake_up_new_task+0x310/0x470 + _do_fork+0x188/0x78c + SyS_clone+0x44/0x50 + __sys_trace_return+0x0/0x4 + + other info that might help us debug this: + + Chain exists of: + (console_sem).lock --> &p->pi_lock --> &rq->lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&rq->lock); + lock(&p->pi_lock); + lock(&rq->lock); + lock((console_sem).lock); + + *** DEADLOCK *** + + 2 locks held by dynamic_debug01/1873: + #0: (&p->pi_lock){-.-.}, at: [<000000001366df53>] wake_up_new_task+0x40/0x470 + #1: (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc + + stack backtrace: + CPU: 10 PID: 1873 Comm: dynamic_debug01 Tainted: G W 4.15.0+ #1 + Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS T48 10/02/2017 + Call trace: + dump_backtrace+0x0/0x188 + show_stack+0x24/0x2c + dump_stack+0xa4/0xe0 + print_circular_bug.isra.31+0x29c/0x2b8 + check_prev_add.constprop.39+0x6c8/0x6dc + validate_chain.isra.34+0x6e4/0xa20 + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + down_trylock+0x20/0x4c + __down_trylock_console_sem+0x3c/0x9c + console_trylock+0x20/0xb0 + vprintk_emit+0x254/0x390 + vprintk_default+0x58/0x90 + vprintk_func+0xbc/0x164 + printk+0x80/0xa0 + __dynamic_pr_debug+0x84/0xac + gic_raise_softirq+0x184/0x18c + smp_cross_call+0xac/0x218 + smp_send_reschedule+0x3c/0x48 + resched_curr+0x60/0x9c + check_preempt_curr+0x70/0xdc + wake_up_new_task+0x310/0x470 + _do_fork+0x188/0x78c + SyS_clone+0x44/0x50 + __sys_trace_return+0x0/0x4 + GICv3: CPU0: ICC_SGI1R_EL1 12000 + +This could be fixed with printk_deferred() but that might lessen its 
+usefulness for debugging. So change it to pr_devel to keep it out of +production kernels. Developers working on gic-v3 can enable it as +needed in their kernels. + +Signed-off-by: Mark Salter +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -601,7 +601,7 @@ static void gic_send_sgi(u64 cluster_id, + MPIDR_TO_SGI_AFFINITY(cluster_id, 1) | + tlist << ICC_SGI1R_TARGET_LIST_SHIFT); + +- pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); ++ pr_devel("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); + gic_write_sgi1r(val); + } + diff --git a/queue-4.9/irqchip-gic-v3-ignore-disabled-its-nodes.patch b/queue-4.9/irqchip-gic-v3-ignore-disabled-its-nodes.patch new file mode 100644 index 00000000000..c1ab6df7dcf --- /dev/null +++ b/queue-4.9/irqchip-gic-v3-ignore-disabled-its-nodes.patch 
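Review bot: The switch to `pr_devel()` in gic_send_sgi() carries no in-code explanation, so a later cleanup could turn it back into `pr_debug()` and reintroduce the lockdep report quoted in the commit message. A one-line comment above the call would record the reason, for example `/* pr_devel, not pr_debug: dynamic debug output here can take console_sem with rq->lock held */`. gic_send_sgi() starts outside the hunk.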
@@ -0,0 +1,77 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Stephen Boyd +Date: Thu, 1 Feb 2018 09:03:29 -0800 +Subject: irqchip/gic-v3: Ignore disabled ITS nodes + +From: Stephen Boyd + +[ Upstream commit 95a2562590c2f64a0398183f978d5cf3db6d0284 ] + +On some platforms there's an ITS available but it's not enabled +because reading or writing the registers is denied by the +firmware. In fact, reading or writing them will cause the system +to reset. We could remove the node from DT in such a case, but +it's better to skip nodes that are marked as "disabled" in DT so +that we can describe the hardware that exists and use the status +property to indicate how the firmware has configured things. + +Cc: Stuart Yoder +Cc: Laurentiu Tudor +Cc: Greg Kroah-Hartman +Cc: Marc Zyngier +Cc: Rajendra Nayak +Signed-off-by: Stephen Boyd +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its-pci-msi.c | 2 ++ + drivers/irqchip/irq-gic-v3-its-platform-msi.c | 2 ++ + drivers/irqchip/irq-gic-v3-its.c | 2 ++ + drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c | 2 ++ + 4 files changed, 8 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3-its-pci-msi.c ++++ b/drivers/irqchip/irq-gic-v3-its-pci-msi.c +@@ -133,6 +133,8 @@ static int __init its_pci_of_msi_init(vo + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + +--- a/drivers/irqchip/irq-gic-v3-its-platform-msi.c ++++ b/drivers/irqchip/irq-gic-v3-its-platform-msi.c +@@ -80,6 +80,8 @@ static int __init its_pmsi_init(void) + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + +--- 
a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -1807,6 +1807,8 @@ static int __init its_of_probe(struct de + + for (np = of_find_matching_node(node, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) { + pr_warn("%s: no msi-controller property, ITS ignored\n", + np->full_name); +--- a/drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c ++++ b/drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c +@@ -75,6 +75,8 @@ int __init its_fsl_mc_msi_init(void) + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + diff --git a/queue-4.9/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch b/queue-4.9/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch new file mode 100644 index 00000000000..0c3ec6a38dc --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch 
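Review bot: The four added `of_device_is_available(np)` checks skip a node silently and carry no comment, although the reason given in the commit message (firmware denies ITS register access and touching the registers resets the system) is a safety constraint a later reader cannot recover from the code. I would add above the check in `its_of_probe()` something like `/* Firmware may deny access to a disabled ITS; never touch its registers */`, and repeat or reference it in the three MSI init loops. In `its_of_probe()` the neighbouring skip logs with `pr_warn`, so a disabled node becomes the only skip there that leaves no trace; whether it deserves a debug-level message is a judgement call. All four loops continue outside their hunks.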
@@ -0,0 +1,100 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Naftali Goldstein +Date: Thu, 28 Dec 2017 15:53:04 +0200 +Subject: iwlwifi: mvm: always init rs with 20mhz bandwidth rates + +From: Naftali Goldstein + +[ Upstream commit 6b7a5aea71b342ec0593d23b08383e1f33da4c9a ] + +In AP mode, when a new station associates, rs is initialized immediately +upon association completion, before the phy context is updated with the +association parameters, so the sta bandwidth might be wider than the phy +context allows. +To avoid this issue, always initialize rs with 20mhz bandwidth rate, and +after authorization, when the phy context is already up-to-date, re-init +rs with the correct bw. + +Signed-off-by: Naftali Goldstein +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 +++ + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 28 +++++++++++++++------- + 2 files changed, 24 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -2585,6 +2585,10 @@ static int iwl_mvm_mac_sta_state(struct + + /* enable beacon filtering */ + WARN_ON(iwl_mvm_enable_beacon_filter(mvm, vif, 0)); ++ ++ iwl_mvm_rs_rate_init(mvm, sta, mvmvif->phy_ctxt->channel->band, ++ false); ++ + ret = 0; + } else if (old_state == IEEE80211_STA_AUTHORIZED && + new_state == IEEE80211_STA_ASSOC) { +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -2709,7 +2709,8 @@ static void rs_get_initial_rate(struct i + struct ieee80211_sta *sta, + struct iwl_lq_sta *lq_sta, + enum nl80211_band band, +- struct rs_rate *rate) ++ struct rs_rate *rate, ++ bool init) + { + int i, nentries; + unsigned long active_rate; +@@ -2763,14 +2764,25 @@ static void rs_get_initial_rate(struct i + */ + if (sta->vht_cap.vht_supported && + best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) { +- switch 
(sta->bandwidth) { +- case IEEE80211_STA_RX_BW_160: +- case IEEE80211_STA_RX_BW_80: +- case IEEE80211_STA_RX_BW_40: ++ /* ++ * In AP mode, when a new station associates, rs is initialized ++ * immediately upon association completion, before the phy ++ * context is updated with the association parameters, so the ++ * sta bandwidth might be wider than the phy context allows. ++ * To avoid this issue, always initialize rs with 20mhz ++ * bandwidth rate, and after authorization, when the phy context ++ * is already up-to-date, re-init rs with the correct bw. ++ */ ++ u32 bw = init ? RATE_MCS_CHAN_WIDTH_20 : rs_bw_from_sta_bw(sta); ++ ++ switch (bw) { ++ case RATE_MCS_CHAN_WIDTH_40: ++ case RATE_MCS_CHAN_WIDTH_80: ++ case RATE_MCS_CHAN_WIDTH_160: + initial_rates = rs_optimal_rates_vht; + nentries = ARRAY_SIZE(rs_optimal_rates_vht); + break; +- case IEEE80211_STA_RX_BW_20: ++ case RATE_MCS_CHAN_WIDTH_20: + initial_rates = rs_optimal_rates_vht_20mhz; + nentries = ARRAY_SIZE(rs_optimal_rates_vht_20mhz); + break; +@@ -2781,7 +2793,7 @@ static void rs_get_initial_rate(struct i + + active_rate = lq_sta->active_siso_rate; + rate->type = LQ_VHT_SISO; +- rate->bw = rs_bw_from_sta_bw(sta); ++ rate->bw = bw; + } else if (sta->ht_cap.ht_supported && + best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) { + initial_rates = rs_optimal_rates_ht; +@@ -2863,7 +2875,7 @@ static void rs_initialize_lq(struct iwl_ + tbl = &(lq_sta->lq_info[active_tbl]); + rate = &tbl->rate; + +- rs_get_initial_rate(mvm, sta, lq_sta, band, rate); ++ rs_get_initial_rate(mvm, sta, lq_sta, band, rate, init); + rs_init_optimal_rate(mvm, sta, lq_sta); + + WARN_ON_ONCE(rate->ant != ANT_A && rate->ant != ANT_B); diff --git a/queue-4.9/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch b/queue-4.9/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch new file mode 100644 index 00000000000..6940826204d --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch 
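Review bot: The new `iwl_mvm_rs_rate_init(mvm, sta, mvmvif->phy_ctxt->channel->band, false)` call in `iwl_mvm_mac_sta_state()` has no comment, while the explanation for the two-stage initialisation lives only in `rs_get_initial_rate()` in rs.c, so a reader of mac80211.c cannot tell why rate scaling is initialised again on authorization. I would add `/* phy context is up to date now: re-init rs with the station's real bandwidth */` above the call. The call also dereferences `mvmvif->phy_ctxt->channel` without a check; whether `phy_ctxt` can be NULL on this state transition is not visible in the hunk and is worth confirming. Both functions extend beyond their hunks.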
@@ -0,0 +1,116 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sara Sharon +Date: Tue, 29 Mar 2016 10:56:57 +0300 +Subject: iwlwifi: mvm: fix security bug in PN checking + +From: Sara Sharon + +[ Upstream commit 5ab2ba931255d8bf03009c06d58dce97de32797c ] + +A previous patch allowed the same PN for packets originating from the +same AMSDU by copying PN only for the last packet in the series. + +This however is bogus since we cannot assume the last frame will be +received on the same queue, and if it is received on a different ueue +we will end up not incrementing the PN and possibly let the next +packet to have the same PN and pass through. + +Change the logic instead to driver explicitly indicate for the second +sub frame and on to be allowed to have the same PN as the first +subframe. Indicate it to mac80211 as well for the fallback queue. + +Fixes: f1ae02b186d9 ("iwlwifi: mvm: allow same PN for de-aggregated AMSDU") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 39 +++++++++++++------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -72,6 +72,7 @@ static inline int iwl_mvm_check_pn(struc + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; + struct ieee80211_rx_status *stats = IEEE80211_SKB_RXCB(skb); + struct iwl_mvm_key_pn *ptk_pn; ++ int res; + u8 tid, keyidx; + u8 pn[IEEE80211_CCMP_PN_LEN]; + u8 *extiv; +@@ -128,12 +129,13 @@ static inline int iwl_mvm_check_pn(struc + pn[4] = extiv[1]; + pn[5] = extiv[0]; + +- if (memcmp(pn, ptk_pn->q[queue].pn[tid], +- IEEE80211_CCMP_PN_LEN) <= 0) ++ res = memcmp(pn, ptk_pn->q[queue].pn[tid], IEEE80211_CCMP_PN_LEN); ++ if (res < 0) ++ return -1; ++ if (!res && !(stats->flag & RX_FLAG_ALLOW_SAME_PN)) + return -1; + +- if (!(stats->flag & RX_FLAG_AMSDU_MORE)) +- 
memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN); ++ memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN); + stats->flag |= RX_FLAG_PN_VALIDATED; + + return 0; +@@ -295,28 +297,21 @@ static void iwl_mvm_rx_csum(struct ieee8 + } + + /* +- * returns true if a packet outside BA session is a duplicate and +- * should be dropped ++ * returns true if a packet is a duplicate and should be dropped. ++ * Updates AMSDU PN tracking info + */ +-static bool iwl_mvm_is_nonagg_dup(struct ieee80211_sta *sta, int queue, +- struct ieee80211_rx_status *rx_status, +- struct ieee80211_hdr *hdr, +- struct iwl_rx_mpdu_desc *desc) ++static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue, ++ struct ieee80211_rx_status *rx_status, ++ struct ieee80211_hdr *hdr, ++ struct iwl_rx_mpdu_desc *desc) + { + struct iwl_mvm_sta *mvm_sta; + struct iwl_mvm_rxq_dup_data *dup_data; +- u8 baid, tid, sub_frame_idx; ++ u8 tid, sub_frame_idx; + + if (WARN_ON(IS_ERR_OR_NULL(sta))) + return false; + +- baid = (le32_to_cpu(desc->reorder_data) & +- IWL_RX_MPDU_REORDER_BAID_MASK) >> +- IWL_RX_MPDU_REORDER_BAID_SHIFT; +- +- if (baid != IWL_RX_REORDER_DATA_INVALID_BAID) +- return false; +- + mvm_sta = iwl_mvm_sta_from_mac80211(sta); + dup_data = &mvm_sta->dup_data[queue]; + +@@ -346,6 +341,12 @@ static bool iwl_mvm_is_nonagg_dup(struct + dup_data->last_sub_frame[tid] >= sub_frame_idx)) + return true; + ++ /* Allow same PN as the first subframe for following sub frames */ ++ if (dup_data->last_seq[tid] == hdr->seq_ctrl && ++ sub_frame_idx > dup_data->last_sub_frame[tid] && ++ desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU) ++ rx_status->flag |= RX_FLAG_ALLOW_SAME_PN; ++ + dup_data->last_seq[tid] = hdr->seq_ctrl; + dup_data->last_sub_frame[tid] = sub_frame_idx; + +@@ -882,7 +883,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm * + if (ieee80211_is_data(hdr->frame_control)) + iwl_mvm_rx_csum(sta, skb, desc); + +- if (iwl_mvm_is_nonagg_dup(sta, queue, rx_status, hdr, desc)) { ++ if 
(iwl_mvm_is_dup(sta, queue, rx_status, hdr, desc)) { + kfree_skb(skb); + rcu_read_unlock(); + return; diff --git a/queue-4.9/iwlwifi-mvm-fix-tx-of-ccmp-256.patch b/queue-4.9/iwlwifi-mvm-fix-tx-of-ccmp-256.patch new file mode 100644 index 00000000000..01e667003aa --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-tx-of-ccmp-256.patch 
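Review bot: In `iwl_mvm_check_pn()` an equal PN is now accepted whenever `RX_FLAG_ALLOW_SAME_PN` is set, and that flag is granted in `iwl_mvm_is_dup()` from `dup_data` state which the same function updates before the PN comparison has run. The hunks do not show whether a frame later rejected by the PN check can still have advanced `last_seq`/`last_sub_frame`, so it is worth confirming that replay protection does not depend on that ordering. I would document the contract at the comparison, e.g. `/* equal PN is valid only for later subframes of one A-MSDU, as marked by iwl_mvm_is_dup() */`, and parenthesise the flag test as `(desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU)` so the `&&` chain reads unambiguously. Both functions continue outside their hunks.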
@@ -0,0 +1,54 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sara Sharon +Date: Tue, 2 Jan 2018 11:40:15 +0200 +Subject: iwlwifi: mvm: fix TX of CCMP 256 + +From: Sara Sharon + +[ Upstream commit de04d4fbf87b769ab18c480e4f020c53e74bbdd2 ] + +We don't have enough room in the TX command for a CCMP 256 +key, and need to use key from table. + +Fixes: 3264bf032bd9 ("[BUGFIX] iwlwifi: mvm: Fix CCMP IV setting") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -406,11 +406,11 @@ static void iwl_mvm_set_tx_cmd_crypto(st + { + struct ieee80211_key_conf *keyconf = info->control.hw_key; + u8 *crypto_hdr = skb_frag->data + hdrlen; ++ enum iwl_tx_cmd_sec_ctrl type = TX_CMD_SEC_CCM; + u64 pn; + + switch (keyconf->cipher) { + case WLAN_CIPHER_SUITE_CCMP: +- case WLAN_CIPHER_SUITE_CCMP_256: + iwl_mvm_set_tx_cmd_ccmp(info, tx_cmd); + iwl_mvm_set_tx_cmd_pn(info, crypto_hdr); + break; +@@ -434,13 +434,16 @@ static void iwl_mvm_set_tx_cmd_crypto(st + break; + case WLAN_CIPHER_SUITE_GCMP: + case WLAN_CIPHER_SUITE_GCMP_256: ++ type = TX_CMD_SEC_GCMP; ++ /* Fall through */ ++ case WLAN_CIPHER_SUITE_CCMP_256: + /* TODO: Taking the key from the table might introduce a race + * when PTK rekeying is done, having an old packets with a PN + * based on the old key but the message encrypted with a new + * one. + * Need to handle this. + */ +- tx_cmd->sec_ctl |= TX_CMD_SEC_GCMP | TX_CMD_SEC_KEY_FROM_TABLE; ++ tx_cmd->sec_ctl |= type | TX_CMD_SEC_KEY_FROM_TABLE; + tx_cmd->key[0] = keyconf->hw_key_idx; + iwl_mvm_set_tx_cmd_pn(info, crypto_hdr); + break; 
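Review bot: `type` is initialised to `TX_CMD_SEC_CCM` at its declaration and only consumed under the `WLAN_CIPHER_SUITE_CCMP_256` label, so the CCMP-256 path takes its cipher bits from a default rather than from its own case; a case inserted above the fall-through would silently change what is OR-ed into `sec_ctl`. A comment at the label would pin this down, e.g. `/* CCMP-256 arrives here with type == TX_CMD_SEC_CCM */`. The existing TODO about a PN based on the old key after PTK rekeying now covers CCMP-256 as well, and its text should say so, since it describes an open issue on a newly added path. `iwl_mvm_set_tx_cmd_crypto()` starts and ends outside the hunks.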
diff --git a/queue-4.9/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch b/queue-4.9/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch
new file mode 100644
index 00000000000..b92e7500736
--- /dev/null
+++ b/queue-4.9/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch
@@ -0,0 +1,85 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jake Daryll Obina +Date: Fri, 22 Sep 2017 00:00:14 +0800 +Subject: jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path + +From: Jake Daryll Obina + +[ Upstream commit 5bdd0c6f89fba430e18d636493398389dadc3b17 ] + +If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode() +can get called twice in the error handling path, the first call in +jffs2_iget() itself and the second through iget_failed(). This can result +to a use-after-free error in the second jffs2_do_clear_inode() call, such +as shown by the oops below wherein the second jffs2_do_clear_inode() call +was trying to free node fragments that were already freed in the first +jffs2_do_clear_inode() call. + +[ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c +[ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b +[ 78.185871] pgd = ffffffc03a567000 +[ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000 +[ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP +... 
+[ 78.513147] PC is at rb_first_postorder+0xc/0x28 +[ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2] +[ 78.520672] pc : [] lr : [] pstate: 60000105 +[ 78.526757] sp : ffffff800cea38f0 +[ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80 +[ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70 +[ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d +[ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8 +[ 78.544760] x21: 0000000000000000 x20: 0000000000000000 +[ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588 +[ 78.552764] x17: 0000000000000800 x16: 0000000000000c00 +[ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f +[ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620 +[ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564 +[ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038 +[ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 +[ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000 +[ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000 +[ 78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b +... +[ 79.038551] [] rb_first_postorder+0xc/0x28 +[ 79.042962] [] jffs2_do_clear_inode+0x88/0x100 [jffs2] +[ 79.048395] [] jffs2_evict_inode+0x3c/0x48 [jffs2] +[ 79.053443] [] evict+0xb0/0x168 +[ 79.056835] [] iput+0x1c0/0x200 +[ 79.060228] [] iget_failed+0x30/0x3c +[ 79.064097] [] jffs2_iget+0x2d8/0x360 [jffs2] +[ 79.068740] [] jffs2_lookup+0xe8/0x130 [jffs2] +[ 79.073434] [] lookup_slow+0x118/0x190 +[ 79.077435] [] walk_component+0xfc/0x28c +[ 79.081610] [] path_lookupat+0x84/0x108 +[ 79.085699] [] filename_lookup+0x88/0x100 +[ 79.089960] [] user_path_at_empty+0x58/0x6c +[ 79.094396] [] vfs_statx+0xa4/0x114 +[ 79.098138] [] SyS_newfstatat+0x58/0x98 +[ 79.102227] [] __sys_trace_return+0x0/0x4 +[ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821) + +The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since +iget_failed() will eventually call jffs2_do_clear_inode() if needed, so +just remove it. 
+ +Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()") +Reviewed-by: Richard Weinberger +Signed-off-by: Jake Daryll Obina +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/fs.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/jffs2/fs.c ++++ b/fs/jffs2/fs.c +@@ -361,7 +361,6 @@ error_io: + ret = -EIO; + error: + mutex_unlock(&f->sem); +- jffs2_do_clear_inode(c, f); + iget_failed(inode); + return ERR_PTR(ret); + } diff --git a/queue-4.9/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch b/queue-4.9/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch new file mode 100644 index 00000000000..3fc54f8cae8 --- /dev/null +++ b/queue-4.9/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Nicolas Pitre +Date: Thu, 15 Mar 2018 16:56:20 -0400 +Subject: kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races + +From: Nicolas Pitre + +[ Upstream commit 825d487583089f9a33d31650c9c41f6474aab7fc ] + +Some filesystems have timestamps with coarse precision that may allow +for a recently built object file to have the same timestamp as the +updated time on one of its dependency files. When that happens, the +object file doesn't get rebuilt as it should. + +This is especially the case on filesystems that don't have sub-second +time precision, such as ext3 or Ext4 with 128B inodes. + +Let's prevent that by making sure updated dependency files have a newer +timestamp than the first file we created (i.e. autoksyms.h.tmpnew). + +Reported-by: Thomas Lindroth +Signed-off-by: Nicolas Pitre +Tested-by: Thomas Lindroth +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/adjust_autoksyms.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/scripts/adjust_autoksyms.sh ++++ b/scripts/adjust_autoksyms.sh +@@ -83,6 +83,13 @@ while read sympath; do + depfile="include/config/ksym/${sympath}.h" + mkdir -p "$(dirname "$depfile")" + touch "$depfile" ++ # Filesystems with coarse time precision may create timestamps ++ # equal to the one from a file that was very recently built and that ++ # needs to be rebuild. Let's guard against that by making sure our ++ # dep files are always newer than the first file we created here. ++ while [ ! "$depfile" -nt "$new_ksyms_file" ]; do ++ touch "$depfile" ++ done + echo $((count += 1)) + done | tail -1 ) + changed=${changed:-0} diff --git a/queue-4.9/kconfig-don-t-leak-main-menus-during-parsing.patch b/queue-4.9/kconfig-don-t-leak-main-menus-during-parsing.patch new file mode 100644 index 00000000000..964ccf8c024 --- /dev/null +++ b/queue-4.9/kconfig-don-t-leak-main-menus-during-parsing.patch 
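Review bot: The added `while [ ! "$depfile" -nt "$new_ksyms_file" ]` loop has no exit other than the timestamp advancing, so it spins on `touch` for up to one timestamp tick and would not terminate if `touch` keeps failing or if `$new_ksyms_file` carries a time ahead of the build host's clock. I would make a failed touch leave the loop, e.g. `touch "$depfile" || exit 1`; the loop runs inside a pipeline in a command substitution, so how that status reaches the caller needs checking, and the hunk does not show whether `set -e` is active. `-nt` is also not a POSIX `test` operator, which matters if the script runs under a plain `/bin/sh` (the shebang is outside the hunk). The new comment should read "needs to be rebuilt".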
@@ -0,0 +1,115 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:11:21 +0200 +Subject: kconfig: Don't leak main menus during parsing + +From: Ulf Magnusson + +[ Upstream commit 0724a7c32a54e3e50d28e19e30c59014f61d4e2c ] + +If a 'mainmenu' entry appeared in the Kconfig files, two things would +leak: + + - The 'struct property' allocated for the default "Linux Kernel + Configuration" prompt. + + - The string for the T_WORD/T_WORD_QUOTE prompt after the + T_MAINMENU token, allocated on the heap in zconf.l. + +To fix it, introduce a new 'no_mainmenu_stmt' nonterminal that matches +if there's no 'mainmenu' and adds the default prompt. That means the +prompt only gets allocated once regardless of whether there's a +'mainmenu' statement or not, and managing it becomes simple. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,568 bytes in 14,352 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 344,440 bytes in 14,350 blocks + ... 
+ +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/zconf.y | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/scripts/kconfig/zconf.y ++++ b/scripts/kconfig/zconf.y +@@ -107,7 +107,27 @@ static struct menu *current_menu, *curre + %% + input: nl start | start; + +-start: mainmenu_stmt stmt_list | stmt_list; ++start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list; ++ ++/* mainmenu entry */ ++ ++mainmenu_stmt: T_MAINMENU prompt nl ++{ ++ menu_add_prompt(P_MENU, $2, NULL); ++}; ++ ++/* Default main menu, if there's no mainmenu entry */ ++ ++no_mainmenu_stmt: /* empty */ ++{ ++ /* ++ * Hack: Keep the main menu title on the heap so we can safely free it ++ * later regardless of whether it comes from the 'prompt' in ++ * mainmenu_stmt or here ++ */ ++ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL); ++}; ++ + + stmt_list: + /* empty */ +@@ -344,13 +364,6 @@ if_block: + | if_block choice_stmt + ; + +-/* mainmenu entry */ +- +-mainmenu_stmt: T_MAINMENU prompt nl +-{ +- menu_add_prompt(P_MENU, $2, NULL); +-}; +- + /* menu entry */ + + menu: T_MENU prompt T_EOL +@@ -495,6 +508,7 @@ word_opt: /* empty */ { $$ = NULL; } + + void conf_parse(const char *name) + { ++ const char *tmp; + struct symbol *sym; + int i; + +@@ -502,7 +516,6 @@ void conf_parse(const char *name) + + sym_init(); + _menu_init(); +- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL); + + if (getenv("ZCONF_DEBUG")) + zconfdebug = 1; +@@ -512,8 +525,10 @@ void conf_parse(const char *name) + if (!modules_sym) + modules_sym = sym_find( "n" ); + ++ tmp = rootmenu.prompt->text; + rootmenu.prompt->text = _(rootmenu.prompt->text); + rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text); ++ free((char*)tmp); + + menu_finalize(&rootmenu); + for_all_symbols(i, sym) { 
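Review bot: The `strdup("Linux Kernel Configuration")` result in the `no_mainmenu_stmt` action is passed to `menu_add_prompt()` unchecked, so on allocation failure a NULL prompt text reaches `conf_parse()`, where it is handed to `_()` and `sym_expand_string_value()`. The new `free((char*)tmp)` in `conf_parse()` is also only correct if `sym_expand_string_value()` always returns a fresh allocation and never its argument; that function is outside the hunk, so I would state the assumption next to the free, e.g. `/* sym_expand_string_value() returns a new string; the parsed one can go */`. Declaring `tmp` as `char *` would avoid casting away `const` just to free it. `conf_parse()` continues past the hunk.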
diff --git a/queue-4.9/kconfig-fix-automatic-menu-creation-mem-leak.patch b/queue-4.9/kconfig-fix-automatic-menu-creation-mem-leak.patch new file mode 100644 index 00000000000..978744e2493 --- /dev/null +++ b/queue-4.9/kconfig-fix-automatic-menu-creation-mem-leak.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:35:44 +0200 +Subject: kconfig: Fix automatic menu creation mem leak + +From: Ulf Magnusson + +[ Upstream commit ae7440ef0c8013d68c00dad6900e7cce5311bb1c ] + +expr_trans_compare() always allocates and returns a new expression, +giving the following leak outline: + + ... + *Allocate* + basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no); + ... + for (menu = parent->next; menu; menu = menu->next) { + ... + *Copy* + dep2 = expr_copy(basedep); + ... + *Free copy* + expr_free(dep2); + } + *basedep lost!* + +Fix by freeing 'basedep' after the loop. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,376 bytes in 14,349 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/menu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/kconfig/menu.c ++++ b/scripts/kconfig/menu.c +@@ -364,6 +364,7 @@ void menu_finalize(struct menu *parent) + menu->parent = parent; + last_menu = menu; + } ++ expr_free(basedep); + if (last_menu) { + parent->list = parent->next; + parent->next = last_menu->next; diff --git a/queue-4.9/kconfig-fix-expr_free-e_not-leak.patch b/queue-4.9/kconfig-fix-expr_free-e_not-leak.patch new file mode 100644 index 00000000000..43da4929699 --- /dev/null +++ b/queue-4.9/kconfig-fix-expr_free-e_not-leak.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:35:45 +0200 +Subject: kconfig: Fix expr_free() E_NOT leak + +From: Ulf Magnusson + +[ Upstream commit 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 ] + +Only the E_NOT operand and not the E_NOT node itself was freed, due to +accidentally returning too early in expr_free(). Outline of leak: + + switch (e->type) { + ... + case E_NOT: + expr_free(e->left.expr); + return; + ... + } + *Never reached, 'e' leaked* + free(e); + +Fix by changing the 'return' to a 'break'. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 1,608 bytes in 67 blocks + ... + +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -113,7 +113,7 @@ void expr_free(struct expr *e) + break; + case E_NOT: + expr_free(e->left.expr); +- return; ++ break; + case E_EQUAL: + case E_GEQ: + case E_GTH: diff --git a/queue-4.9/kdb-make-mdr-command-repeat.patch b/queue-4.9/kdb-make-mdr-command-repeat.patch new file mode 100644 index 00000000000..5d226bd7c2d --- /dev/null +++ b/queue-4.9/kdb-make-mdr-command-repeat.patch 
@@ -0,0 +1,88 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Randy Dunlap +Date: Fri, 8 Dec 2017 10:19:19 -0800 +Subject: kdb: make "mdr" command repeat + +From: Randy Dunlap + +[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ] + +The "mdr" command should repeat (continue) when only Enter/Return +is pressed, so make it do so. + +Signed-off-by: Randy Dunlap +Cc: Daniel Thompson +Cc: Jason Wessel +Cc: kgdb-bugreport@lists.sourceforge.net +Signed-off-by: Jason Wessel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1564,6 +1564,7 @@ static int kdb_md(int argc, const char * + int symbolic = 0; + int valid = 0; + int phys = 0; ++ int raw = 0; + + kdbgetintenv("MDCOUNT", &mdcount); + kdbgetintenv("RADIX", &radix); +@@ -1573,9 +1574,10 @@ static int kdb_md(int argc, const char * + repeat = mdcount * 16 / bytesperword; + + if (strcmp(argv[0], "mdr") == 0) { +- if (argc != 2) ++ if (argc == 2 || (argc == 0 && last_addr != 0)) ++ valid = raw = 1; ++ else + return KDB_ARGCOUNT; +- valid = 1; + } else if (isdigit(argv[0][2])) { + bytesperword = (int)(argv[0][2] - '0'); + if (bytesperword == 0) { +@@ -1611,7 +1613,10 @@ static int kdb_md(int argc, const char * + radix = last_radix; + bytesperword = last_bytesperword; + repeat = last_repeat; +- mdcount = ((repeat * bytesperword) + 15) / 16; ++ if (raw) ++ mdcount = repeat; ++ else ++ mdcount = ((repeat * bytesperword) + 15) / 16; + } + + if (argc) { +@@ -1628,7 +1633,10 @@ static int kdb_md(int argc, const char * + diag = kdbgetularg(argv[nextarg], &val); + if (!diag) { + mdcount = (int) val; +- repeat = mdcount * 16 / bytesperword; ++ if (raw) ++ repeat = mdcount; ++ else ++ repeat = mdcount * 16 / bytesperword; + } + } + if (argc >= nextarg+1) { +@@ -1638,8 +1646,15 @@ static int kdb_md(int argc, const 
char * + } + } + +- if (strcmp(argv[0], "mdr") == 0) +- return kdb_mdr(addr, mdcount); ++ if (strcmp(argv[0], "mdr") == 0) { ++ int ret; ++ last_addr = addr; ++ ret = kdb_mdr(addr, mdcount); ++ last_addr += mdcount; ++ last_repeat = mdcount; ++ last_bytesperword = bytesperword; // to make REPEAT happy ++ return ret; ++ } + + switch (radix) { + case 10: diff --git a/queue-4.9/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch b/queue-4.9/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch new file mode 100644 index 00000000000..0b06dcaba20 --- /dev/null +++ b/queue-4.9/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch 
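Review bot: In the new `mdr` tail of `kdb_md()`, `last_addr`, `last_repeat` and `last_bytesperword` are updated whatever `kdb_mdr()` returns, so after a failed read a bare Enter continues from memory that was never displayed. I would advance only on success, `if (!ret) last_addr += mdcount;`, assuming a non-zero return from `kdb_mdr()` means failure, which is not visible here. The `// to make REPEAT happy` comment is C++-style and does not say what the repeat path needs; a `/* ... */` comment naming the state that the argc == 0 branch restores would be clearer, and `int ret;` wants a blank line after it. `kdb_md()` starts and ends outside the hunks.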
@@ -0,0 +1,44 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: David Rientjes +Date: Wed, 21 Feb 2018 14:45:32 -0800 +Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE + +From: David Rientjes + +[ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ] + +chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() +of chan->n_subbufs * sizeof(size_t *). + +kmalloc_slab() will generate a warning when this fails if +chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. + +Limit chan->n_subbufs to the maximum allowed kmalloc() size. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com +Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") +Signed-off-by: David Rientjes +Reviewed-by: Andrew Morton +Cc: Jens Axboe +Cc: Dave Jiang +Cc: Al Viro +Cc: Dan Carpenter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/relay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu + { + struct rchan_buf *buf; + +- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) + return NULL; + + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); diff --git a/queue-4.9/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch b/queue-4.9/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch new file mode 100644 index 00000000000..a146472ec8c --- /dev/null +++ b/queue-4.9/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch 
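Review bot: The bound in `relay_create_buf()` is checked against `sizeof(size_t *)` in one statement while the allocation it protects is a separate multiplication further down (outside this hunk, per the commit message), so the two can drift apart. Since the commit message describes `chan->n_subbufs` as user-controlled, I would keep this early check for the warning it avoids but also make the allocation itself overflow-safe with `kmalloc_array(chan->n_subbufs, sizeof(size_t *), GFP_KERNEL)`. A comment on the check, e.g. `/* n_subbufs comes from the caller; cap it so kmalloc() is never asked for more than KMALLOC_MAX_SIZE */`, would record why the limit is no longer `UINT_MAX`.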
@@ -0,0 +1,42 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sebastian Ott +Date: Thu, 22 Feb 2018 13:05:41 +0100 +Subject: kvm: fix warning for CONFIG_HAVE_KVM_EVENTFD builds + +From: Sebastian Ott + +[ Upstream commit 076467490b8176eb96eddc548a14d4135c7b5852 ] + +Move the kvm_arch_irq_routing_update() prototype outside of +ifdef CONFIG_HAVE_KVM_EVENTFD guards to fix the following sparse warning: + +arch/s390/kvm/../../../virt/kvm/irqchip.c:171:28: warning: symbol 'kvm_arch_irq_routing_update' was not declared. Should it be static? + +Signed-off-by: Sebastian Ott +Acked-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1070,7 +1070,6 @@ static inline void kvm_irq_routing_updat + { + } + #endif +-void kvm_arch_irq_routing_update(struct kvm *kvm); + + static inline int kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { +@@ -1079,6 +1078,8 @@ static inline int kvm_ioeventfd(struct k + + #endif /* CONFIG_HAVE_KVM_EVENTFD */ + ++void kvm_arch_irq_routing_update(struct kvm *kvm); ++ + static inline void kvm_make_request(int req, struct kvm_vcpu *vcpu) + { + /* diff --git a/queue-4.9/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch b/queue-4.9/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch new file mode 100644 index 00000000000..d297da8b3bf --- /dev/null +++ b/queue-4.9/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Vitaly Kuznetsov +Date: Fri, 9 Feb 2018 14:01:33 +0100 +Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use + +From: Vitaly Kuznetsov + +[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ] + +Devices which use level-triggered interrupts under Windows 2016 with +Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV +unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC +version which has no EOI register so EOI never happens. + +The issue was discovered and discussed a while ago: +https://www.spinics.net/lists/kvm/msg148098.html + +While this is a guest OS bug (it should check that IOAPIC has the required +capabilities before disabling EOI broadcast) we can workaround it in KVM: +advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -299,8 +299,16 @@ void kvm_apic_set_version(struct kvm_vcp + if (!lapic_in_kernel(vcpu)) + return; + ++ /* ++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) ++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with ++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC ++ * version first and level-triggered interrupts never get EOIed in ++ * IOAPIC. ++ */ + feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); +- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31)))) ++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && ++ !ioapic_in_kernel(vcpu->kvm)) + v |= APIC_LVR_DIRECTED_EOI; + kvm_lapic_set_reg(apic, APIC_LVR, v); + } 
diff --git a/queue-4.9/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch b/queue-4.9/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch
new file mode 100644
index 00000000000..814325eb6b5
--- /dev/null
+++ b/queue-4.9/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch
@@ -0,0 +1,59 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: KarimAllah Ahmed +Date: Wed, 17 Jan 2018 19:18:56 +0100 +Subject: kvm: Map PFN-type memory regions as writable (if possible) + +From: KarimAllah Ahmed + +[ Upstream commit a340b3e229b24a56f1c7f5826b15a3af0f4b13e5 ] + +For EPT-violations that are triggered by a read, the pages are also mapped with +write permissions (if their memory region is also writable). That would avoid +getting yet another fault on the same page when a write occurs. + +This optimization only happens when you have a "struct page" backing the memory +region. So also enable it for memory regions that do not have a "struct page". + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1466,7 +1466,8 @@ static bool vma_is_valid(struct vm_area_ + + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, +- bool write_fault, kvm_pfn_t *p_pfn) ++ bool write_fault, bool *writable, ++ kvm_pfn_t *p_pfn) + { + unsigned long pfn; + int r; +@@ -1492,6 +1493,8 @@ static int hva_to_pfn_remapped(struct vm + + } + ++ if (writable) ++ *writable = true; + + /* + * Get a reference here because callers of *hva_to_pfn* and +@@ -1557,7 +1560,7 @@ retry: + if (vma == NULL) + pfn = KVM_PFN_ERR_FAULT; + else if (vma->vm_flags & (VM_IO | VM_PFNMAP)) { +- r = hva_to_pfn_remapped(vma, addr, async, write_fault, &pfn); ++ r = hva_to_pfn_remapped(vma, addr, async, write_fault, writable, &pfn); + if (r == -EAGAIN) + goto retry; + if (r < 0) 
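Review bot: The added `if (writable) *writable = true;` in hva_to_pfn_remapped() reports the mapping as writable unconditionally, and nothing in the visible lines ties that to the write permission of the page table entry or of the vma the pfn was taken from. For a read fault on a VM_IO/VM_PFNMAP region, the caller would then be told it may install a writable guest mapping for a page the host has mapped read-only, which weakens the isolation between what the VMM may write and what the guest may write. The value should come from the looked-up entry rather than from a constant, along the lines of `*writable = pte_write(pte);` read while the entry is still valid, or at minimum be limited to the case where `write_fault` was already satisfied. The pfn lookup itself is outside the hunk, so this needs checking against the full function body.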
diff --git a/queue-4.9/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch b/queue-4.9/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch
new file mode 100644
index 00000000000..3175e5ccd98
--- /dev/null
+++ b/queue-4.9/kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch
@@ -0,0 +1,54 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Paul Mackerras +Date: Fri, 2 Mar 2018 15:38:04 +1100 +Subject: KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing + +From: Paul Mackerras + +[ Upstream commit debd574f4195e205ba505b25e19b2b797f4bcd94 ] + +The current code for initializing the VRMA (virtual real memory area) +for HPT guests requires the page size of the backing memory to be one +of 4kB, 64kB or 16MB. With a radix host we have the possibility that +the backing memory page size can be 2MB or 1GB. In these cases, if the +guest switches to HPT mode, KVM will not initialize the VRMA and the +guest will fail to run. + +In fact it is not necessary that the VRMA page size is the same as the +backing memory page size; any VRMA page size less than or equal to the +backing memory page size is acceptable. Therefore we now choose the +largest page size out of the set {4k, 64k, 16M} which is not larger +than the backing memory page size. + +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_hv.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3107,15 +3107,17 @@ static int kvmppc_hv_setup_htab_rma(stru + goto up_out; + + psize = vma_kernel_pagesize(vma); +- porder = __ilog2(psize); + + up_read(¤t->mm->mmap_sem); + + /* We can handle 4k, 64k or 16M pages in the VRMA */ +- err = -EINVAL; +- if (!(psize == 0x1000 || psize == 0x10000 || +- psize == 0x1000000)) +- goto out_srcu; ++ if (psize >= 0x1000000) ++ psize = 0x1000000; ++ else if (psize >= 0x10000) ++ psize = 0x10000; ++ else ++ psize = 0x1000; ++ porder = __ilog2(psize); + + /* Update VRMASD field in the LPCR */ + senc = slb_pgsize_encoding(psize); 
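Review bot: The comment `/* We can handle 4k, 64k or 16M pages in the VRMA */` kept above the new if/else chain in kvmppc_hv_setup_htab_rma() no longer describes the code, because psize is now rounded down to one of those sizes instead of being rejected. A wording such as `/* Use the largest VRMA page size (4k, 64k or 16M) that does not exceed the backing page size */` would match the new behaviour. The final `else` also maps every value below 0x10000 to 0x1000, including anything smaller than 4k, where the old code returned -EINVAL; if vma_kernel_pagesize() cannot return such a value, a short remark saying so would help the next reader. The function continues outside the hunk.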
diff --git a/queue-4.9/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch b/queue-4.9/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch
new file mode 100644
index 00000000000..4d2842ab529
--- /dev/null
+++ b/queue-4.9/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch
@@ -0,0 +1,83 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Sean Christopherson +Date: Fri, 23 Mar 2018 09:34:00 -0700 +Subject: KVM: VMX: raise internal error for exception during invalid protected mode state + +From: Sean Christopherson + +[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ] + +Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter +an exception in Protected Mode while emulating guest due to invalid +guest state. Unlike Big RM, KVM doesn't support emulating exceptions +in PM, i.e. PM exceptions are always injected via the VMCS. Because +we will never do VMRESUME due to emulation_required, the exception is +never realized and we'll keep emulating the faulting instruction over +and over until we receive a signal. + +Exit to userspace iff there is a pending exception, i.e. don't exit +simply on a requested event. The purpose of this check and exit is to +aid in debugging a guest that is in all likelihood already doomed. +Invalid guest state in PM is extremely limited in normal operation, +e.g. it generally only occurs for a few instructions early in BIOS, +and any exception at this time is all but guaranteed to be fatal. +Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly +handled/emulated, while checking for vectored interrupts, e.g. INTR +and NMI, without hitting false positives would add a fair amount of +complexity for almost no benefit (getting hit by lightning seems +more likely than encountering this specific scenario). + +Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an +exception via the VMCS and emulation_required is true. 
+ +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2558,6 +2558,8 @@ static void vmx_queue_exception(struct k + return; + } + ++ WARN_ON_ONCE(vmx->emulation_required); ++ + if (kvm_exception_is_soft(nr)) { + vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, + vmx->vcpu.arch.event_exit_inst_len); +@@ -6430,12 +6432,12 @@ static int handle_invalid_guest_state(st + goto out; + } + +- if (err != EMULATE_DONE) { +- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; +- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; +- vcpu->run->internal.ndata = 0; +- return 0; +- } ++ if (err != EMULATE_DONE) ++ goto emulation_error; ++ ++ if (vmx->emulation_required && !vmx->rmode.vm86_active && ++ vcpu->arch.exception.pending) ++ goto emulation_error; + + if (vcpu->arch.halt_request) { + vcpu->arch.halt_request = 0; +@@ -6451,6 +6453,12 @@ static int handle_invalid_guest_state(st + + out: + return ret; ++ ++emulation_error: ++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; ++ vcpu->run->internal.ndata = 0; ++ return 0; + } + + static int __grow_ple_window(int val) diff --git a/queue-4.9/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch b/queue-4.9/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch new file mode 100644 index 00000000000..5f32f4d1fff --- /dev/null +++ b/queue-4.9/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch 
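Review bot: `WARN_ON_ONCE(vmx->emulation_required)` in vmx_queue_exception() is only appropriate if no guest- or userspace-driven path can queue an exception while emulation_required is set, and the hunk does not show that this holds. If a VMM can reach this state through its own ioctls, the WARN becomes triggerable from outside the kernel, and on hosts that panic on warnings that is a host denial of service; in that case the condition should be handled (for example by taking the same internal-error exit) rather than warned about. The new test in handle_invalid_guest_state(), `vmx->emulation_required && !vmx->rmode.vm86_active && vcpu->arch.exception.pending`, also deserves a one-line comment carrying the reason given in the description, such as `/* PM exceptions are only injected via the VMCS, which never runs while we emulate */`. Both functions extend beyond the visible hunks.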
@@ -0,0 +1,51 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: Paolo Bonzini +Date: Thu, 26 Oct 2017 15:45:47 +0200 +Subject: kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl + +From: Paolo Bonzini + +[ Upstream commit 51776043afa415435c7e4636204fbe4f7edc4501 ] + +This ioctl is obsolete (it was used by Xenner as far as I know) but +still let's not break it gratuitously... Its handler is copying +directly into struct kvm. Go through a bounce buffer instead, with +the added benefit that we can actually do something useful with the +flags argument---the previous code was exiting with -EINVAL but still +doing the copy. + +This technically is a userspace ABI breakage, but since no one should be +using the ioctl, it's a good occasion to see if someone actually +complains. + +Cc: kernel-hardening@lists.openwall.com +Cc: Kees Cook +Cc: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4131,13 +4131,14 @@ long kvm_arch_vm_ioctl(struct file *filp + mutex_unlock(&kvm->lock); + break; + case KVM_XEN_HVM_CONFIG: { ++ struct kvm_xen_hvm_config xhc; + r = -EFAULT; +- if (copy_from_user(&kvm->arch.xen_hvm_config, argp, +- sizeof(struct kvm_xen_hvm_config))) ++ if (copy_from_user(&xhc, argp, sizeof(xhc))) + goto out; + r = -EINVAL; +- if (kvm->arch.xen_hvm_config.flags) ++ if (xhc.flags) + goto out; ++ memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc)); + r = 0; + break; + } diff --git a/queue-4.9/libata-fix-compile-warning-with-ata_debug-enabled.patch b/queue-4.9/libata-fix-compile-warning-with-ata_debug-enabled.patch new file mode 100644 index 00000000000..f7267e4cbef --- /dev/null +++ b/queue-4.9/libata-fix-compile-warning-with-ata_debug-enabled.patch 
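Review bot: The `memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc));` in the KVM_XEN_HVM_CONFIG case publishes the new configuration with no lock visible around it, while the preceding case in the context lines ends with `mutex_unlock(&kvm->lock)`. If vCPUs can read xen_hvm_config concurrently (the readers are outside the hunk), they could observe a mix of old and new fields during the copy; taking kvm->lock around the update would rule that out. A plain struct assignment, `kvm->arch.xen_hvm_config = xhc;`, expresses the same copy with type checking. Only `flags` is validated here, so the remaining user-supplied fields are stored as given and their consumers have to bound them.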
@@ -0,0 +1,38 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Dong Bo +Date: Fri, 26 Jan 2018 11:21:49 +0800 +Subject: libata: Fix compile warning with ATA_DEBUG enabled + +From: Dong Bo + +[ Upstream commit 0d3e45bc6507bd1f8728bf586ebd16c2d9e40613 ] + +This fixs the following comile warnings with ATA_DEBUG enabled, +which detected by Linaro GCC 5.2-2015.11: + + drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb': + ./include/linux/kern_levels.h:5:18: warning: format '%d' expects + argument of type 'int', but argument 6 has type 'u64 {aka long + long unsigned int}' [-Wformat=] + +tj: Patch hand-applied and description trimmed. + +Signed-off-by: Dong Bo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4156,7 +4156,7 @@ static inline void ata_scsi_dump_cdb(str + #ifdef ATA_DEBUG + struct scsi_device *scsidev = cmd->device; + +- DPRINTK("CDB (%u:%d,%d,%d) %9ph\n", ++ DPRINTK("CDB (%u:%d,%d,%lld) %9ph\n", + ap->print_id, + scsidev->channel, scsidev->id, scsidev->lun, + cmd->cmnd); diff --git a/queue-4.9/llc-properly-handle-dev_queue_xmit-return-value.patch b/queue-4.9/llc-properly-handle-dev_queue_xmit-return-value.patch new file mode 100644 index 00000000000..f95787a1ca6 --- /dev/null +++ b/queue-4.9/llc-properly-handle-dev_queue_xmit-return-value.patch 
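Review bot: The replacement specifier `%lld` in ata_scsi_dump_cdb() is signed, but the warning quoted in the description gives the argument type as `u64 {aka long long unsigned int}`, so `scsidev->lun` should be printed with `%llu`: `DPRINTK("CDB (%u:%d,%d,%llu) %9ph\n",`. With `%lld` the compiler warning goes away, yet a LUN value with the top bit set would be logged as a negative number, which is misleading when reading debug output. The function body continues outside the hunk.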
@@ -0,0 +1,171 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Cong Wang +Date: Mon, 26 Mar 2018 15:08:33 -0700 +Subject: llc: properly handle dev_queue_xmit() return value + +From: Cong Wang + +[ Upstream commit b85ab56c3f81c5a24b5a5213374f549df06430da ] + +llc_conn_send_pdu() pushes the skb into write queue and +calls llc_conn_send_pdus() to flush them out. However, the +status of dev_queue_xmit() is not returned to caller, +in this case, llc_conn_state_process(). + +llc_conn_state_process() needs hold the skb no matter +success or failure, because it still uses it after that, +therefore we should hold skb before dev_queue_xmit() when +that skb is the one being processed by llc_conn_state_process(). + +For other callers, they can just pass NULL and ignore +the return value as they are. + +Reported-by: Noam Rathaus +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/llc_conn.h | 2 +- + net/llc/llc_c_ac.c | 15 +++++++++------ + net/llc/llc_conn.c | 32 +++++++++++++++++++++++--------- + 3 files changed, 33 insertions(+), 16 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); + + /* Access to a connection */ + int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); +-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); ++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); + void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_ + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- llc_conn_send_pdu(sk, skb); ++ rc 
= llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ + llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- llc_conn_send_pdu(sk, skb); ++ rc = llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ + int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb) + { + struct llc_sock *llc = llc_sk(sk); ++ int ret; + + if (llc->ack_must_be_send) { +- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); ++ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); + llc->ack_must_be_send = 0 ; + llc->ack_pf = 0; +- } else +- llc_conn_ac_send_i_cmd_p_set_0(sk, skb); +- return 0; ++ } else { ++ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb); ++ } ++ ++ return ret; + } + + /** +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -30,7 +30,7 @@ + #endif + + static int llc_find_offset(int state, int ev_type); +-static void llc_conn_send_pdus(struct sock *sk); ++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); + static int llc_conn_service(struct sock *sk, struct sk_buff *skb); + static int llc_exec_conn_trans_actions(struct sock *sk, + struct llc_conn_state_trans *trans, +@@ -193,11 +193,11 @@ out_skb_put: + return rc; + } + +-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) ++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) + { + /* queue PDU to send to MAC layer */ + skb_queue_tail(&sk->sk_write_queue, skb); +- llc_conn_send_pdus(sk); ++ return llc_conn_send_pdus(sk, skb); + } + + /** +@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk); ++ llc_conn_send_pdus(sk, NULL); + out:; + } + +@@ 
-296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk); ++ llc_conn_send_pdus(sk, NULL); + out:; + } + +@@ -340,12 +340,16 @@ out: + /** + * llc_conn_send_pdus - Sends queued PDUs + * @sk: active connection ++ * @hold_skb: the skb held by caller, or NULL if does not care + * +- * Sends queued pdus to MAC layer for transmission. ++ * Sends queued pdus to MAC layer for transmission. When @hold_skb is ++ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent ++ * successfully, or 1 for failure. + */ +-static void llc_conn_send_pdus(struct sock *sk) ++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) + { + struct sk_buff *skb; ++ int ret = 0; + + while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { + struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); +@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct so + skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); + if (!skb2) + break; +- skb = skb2; ++ dev_queue_xmit(skb2); ++ } else { ++ bool is_target = skb == hold_skb; ++ int rc; ++ ++ if (is_target) ++ skb_get(skb); ++ rc = dev_queue_xmit(skb); ++ if (is_target) ++ ret = rc; + } +- dev_queue_xmit(skb); + } ++ ++ return ret; + } + + /** diff --git a/queue-4.9/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch b/queue-4.9/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch new file mode 100644 index 00000000000..50815299f94 --- /dev/null +++ b/queue-4.9/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch 
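Review bot: The kernel-doc added to llc_conn_send_pdus() promises `0 if @hold_skb is sent successfully, or 1 for failure`, but the code stores the raw `dev_queue_xmit()` result in `ret`, which is not limited to 0 and 1 (it can be a negative errno or a NET_XMIT_* code). Either normalise the value before returning it or change the comment to say that the `dev_queue_xmit()` status of @hold_skb is returned. In the branch that queues the skb on pdu_unack_q and transmits the clone, the result of `dev_queue_xmit(skb2)` is discarded and `skb == hold_skb` is never tested, so a caller whose skb takes that path always sees 0. In llc_c_ac.c the callers now assign `rc = llc_conn_send_pdu(sk, skb);` but still call `llc_conn_ac_inc_vs_by_1(sk, skb);` unconditionally, so it is worth confirming that advancing vS after a failed send is intended.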
@@ -0,0 +1,52 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Will Deacon +Date: Tue, 13 Feb 2018 13:22:57 +0000 +Subject: locking/qspinlock: Ensure node->count is updated before initialising node + +From: Will Deacon + +[ Upstream commit 11dc13224c975efcec96647a4768a6f1bb7a19a8 ] + +When queuing on the qspinlock, the count field for the current CPU's head +node is incremented. This needn't be atomic because locking in e.g. IRQ +context is balanced and so an IRQ will return with node->count as it +found it. + +However, the compiler could in theory reorder the initialisation of +node[idx] before the increment of the head node->count, causing an +IRQ to overwrite the initialised node and potentially corrupt the lock +state. + +Avoid the potential for this harmful compiler reordering by placing a +barrier() between the increment of the head node->count and the subsequent +node initialisation. + +Signed-off-by: Will Deacon +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1518528177-19169-3-git-send-email-will.deacon@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/qspinlock.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -495,6 +495,14 @@ queue: + tail = encode_tail(smp_processor_id(), idx); + + node += idx; ++ ++ /* ++ * Ensure that we increment the head node->count before initialising ++ * the actual node. If the compiler is kind enough to reorder these ++ * stores, then an IRQ could overwrite our assignments. ++ */ ++ barrier(); ++ + node->locked = 0; + node->next = NULL; + pv_init_node(node); diff --git a/queue-4.9/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch b/queue-4.9/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch new file mode 100644 index 00000000000..60e83da81fb --- /dev/null 
+++ b/queue-4.9/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch 
@@ -0,0 +1,97 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Andrea Parri +Date: Tue, 20 Feb 2018 19:45:56 +0100 +Subject: locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() + +From: Andrea Parri + +[ Upstream commit cb13b424e986aed68d74cbaec3449ea23c50e167 ] + +Continuing along with the fight against smp_read_barrier_depends() [1] +(or rather, against its improper use), add an unconditional barrier to +cmpxchg. This guarantees that dependency ordering is preserved when a +dependency is headed by an unsuccessful cmpxchg. As it turns out, the +change could enable further simplification of LKMM as proposed in [2]. + +[1] https://marc.info/?l=linux-kernel&m=150884953419377&w=2 + https://marc.info/?l=linux-kernel&m=150884946319353&w=2 + https://marc.info/?l=linux-kernel&m=151215810824468&w=2 + https://marc.info/?l=linux-kernel&m=151215816324484&w=2 + +[2] https://marc.info/?l=linux-kernel&m=151881978314872&w=2 + +Signed-off-by: Andrea Parri +Acked-by: Peter Zijlstra +Acked-by: Paul E. McKenney +Cc: Alan Stern +Cc: Ivan Kokshaysky +Cc: Linus Torvalds +Cc: Matt Turner +Cc: Richard Henderson +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-alpha@vger.kernel.org +Link: http://lkml.kernel.org/r/1519152356-4804-1-git-send-email-parri.andrea@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/include/asm/xchg.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/arch/alpha/include/asm/xchg.h ++++ b/arch/alpha/include/asm/xchg.h +@@ -127,10 +127,9 @@ ____xchg(, volatile void *ptr, unsigned + * store NEW in MEM. Return the initial value in MEM. Success is + * indicated by comparing RETURN with OLD. + * +- * The memory barrier should be placed in SMP only when we actually +- * make the change. If we don't change anything (so if the returned +- * prev is equal to old) then we aren't acquiring anything new and +- * we don't need any memory barrier as far I can tell. 
++ * The memory barrier is placed in SMP unconditionally, in order to ++ * guarantee that dependency ordering is preserved when a dependency ++ * is headed by an unsuccessful operation. + */ + + static inline unsigned long +@@ -149,8 +148,8 @@ ____cmpxchg(_u8, volatile char *m, unsig + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -176,8 +175,8 @@ ____cmpxchg(_u16, volatile short *m, uns + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -199,8 +198,8 @@ ____cmpxchg(_u32, volatile int *m, int o + " mov %4,%1\n" + " stl_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -222,8 +221,8 @@ ____cmpxchg(_u64, volatile long *m, unsi + " mov %4,%1\n" + " stq_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" diff --git a/queue-4.9/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch b/queue-4.9/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch new file mode 100644 index 00000000000..a8c0f436a01 --- /dev/null +++ b/queue-4.9/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch 
@@ -0,0 +1,141 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Andrea Parri +Date: Thu, 22 Feb 2018 10:24:48 +0100 +Subject: locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs + +From: Andrea Parri + +[ Upstream commit 472e8c55cf6622d1c112dc2bc777f68bbd4189db ] + +Successful RMW operations are supposed to be fully ordered, but +Alpha's xchg() and cmpxchg() do not meet this requirement. + +Will Deacon noticed the bug: + + > So MP using xchg: + > + > WRITE_ONCE(x, 1) + > xchg(y, 1) + > + > smp_load_acquire(y) == 1 + > READ_ONCE(x) == 0 + > + > would be allowed. + +... which thus violates the above requirement. + +Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations. + +Reported-by: Will Deacon +Signed-off-by: Andrea Parri +Acked-by: Paul E. McKenney +Cc: Alan Stern +Cc: Andrew Morton +Cc: Ivan Kokshaysky +Cc: Linus Torvalds +Cc: Matt Turner +Cc: Peter Zijlstra +Cc: Richard Henderson +Cc: Thomas Gleixner +Cc: linux-alpha@vger.kernel.org +Link: http://lkml.kernel.org/r/1519291488-5752-1-git-send-email-parri.andrea@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/include/asm/xchg.h | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/alpha/include/asm/xchg.h ++++ b/arch/alpha/include/asm/xchg.h +@@ -11,6 +11,10 @@ + * Atomic exchange. + * Since it can be used to implement critical sections + * it must clobber "memory" (also for interrupts in UP). ++ * ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. 
++ * + */ + + static inline unsigned long +@@ -18,6 +22,7 @@ ____xchg(_u8, volatile char *m, unsigned + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " insbl %1,%4,%1\n" +@@ -42,6 +47,7 @@ ____xchg(_u16, volatile short *m, unsign + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " inswl %1,%4,%1\n" +@@ -66,6 +72,7 @@ ____xchg(_u32, volatile int *m, unsigned + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -86,6 +93,7 @@ ____xchg(_u64, volatile long *m, unsigne + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -127,9 +135,12 @@ ____xchg(, volatile void *ptr, unsigned + * store NEW in MEM. Return the initial value in MEM. Success is + * indicated by comparing RETURN with OLD. + * +- * The memory barrier is placed in SMP unconditionally, in order to +- * guarantee that dependency ordering is preserved when a dependency +- * is headed by an unsuccessful operation. ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. ++ * ++ * The trailing memory barrier is placed in SMP unconditionally, in ++ * order to guarantee that dependency ordering is preserved when a ++ * dependency is headed by an unsuccessful operation. 
+ */ + + static inline unsigned long +@@ -137,6 +148,7 @@ ____cmpxchg(_u8, volatile char *m, unsig + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " insbl %1,%5,%1\n" +@@ -164,6 +176,7 @@ ____cmpxchg(_u16, volatile short *m, uns + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " inswl %1,%5,%1\n" +@@ -191,6 +204,7 @@ ____cmpxchg(_u32, volatile int *m, int o + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%5\n" + " cmpeq %0,%3,%1\n" +@@ -214,6 +228,7 @@ ____cmpxchg(_u64, volatile long *m, unsi + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%5\n" + " cmpeq %0,%3,%1\n" diff --git a/queue-4.9/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch b/queue-4.9/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch new file mode 100644 index 00000000000..c887bfc5d80 --- /dev/null +++ b/queue-4.9/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch 
@@ -0,0 +1,71 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Greg Ungerer +Date: Wed, 28 Mar 2018 17:12:18 +1000 +Subject: m68k: set dma and coherent masks for platform FEC ethernets + +From: Greg Ungerer + +[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ] + +As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no +coherent_dma_mask") the Freescale FEC driver is issuing the following +warning on driver initialization on ColdFire systems: + +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4 +Stack from 41833dd8: + 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000 + 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d + 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000 + 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8 + 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c + 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000 +Call Trace: + [<40025534>] 0x40025534 + [<4004e514>] 0x4004e514 + [<400255de>] 0x400255de + [<40159e20>] 0x40159e20 + [<40159e20>] 0x40159e20 + +It is not fatal, the driver and the system continue to function normally. + +As per the warning the coherent_dma_mask is not set on this device. +There is nothing special about the DMA memory coherency on this hardware +so we can just set the mask to 32bits in the platform data for the FEC +ethernet devices. 
+ +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/coldfire/device.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = + .id = 0, + .num_resources = ARRAY_SIZE(mcf_fec0_resources), + .resource = mcf_fec0_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + + #ifdef MCFFEC_BASE1 +@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = + .id = 1, + .num_resources = ARRAY_SIZE(mcf_fec1_resources), + .resource = mcf_fec1_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + #endif /* MCFFEC_BASE1 */ + #endif /* CONFIG_FEC */ diff --git a/queue-4.9/mac80211-do-not-disconnect-on-invalid-operating-class.patch b/queue-4.9/mac80211-do-not-disconnect-on-invalid-operating-class.patch new file mode 100644 index 00000000000..2615069df56 --- /dev/null +++ b/queue-4.9/mac80211-do-not-disconnect-on-invalid-operating-class.patch 
@@ -0,0 +1,66 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ilan Peer +Date: Mon, 19 Feb 2018 14:48:42 +0200 +Subject: mac80211: Do not disconnect on invalid operating class + +From: Ilan Peer + +[ Upstream commit 191da271ac260700db3e5b4bb982a17ca78769d6 ] + +Some APs include a non global operating class in their extended channel +switch information element. In such a case, as the operating class is not +known, mac80211 would decide to disconnect. + +However the specification states that the operating class needs to be +taken from Annex E, but it does not specify from which table it should be +taken, so it is valid for an AP to use a non global operating class. + +To avoid possibly unneeded disconnection, in such a case ignore the +operating class and assume that the current band is used, and if the +resulting channel and band configuration is invalid disconnect. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/spectmgmt.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/mac80211/spectmgmt.c ++++ b/net/mac80211/spectmgmt.c +@@ -8,6 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2008, Intel Corporation + * Copyright 2008, Johannes Berg ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -27,7 +28,7 @@ int ieee80211_parse_ch_switch_ie(struct + u32 sta_flags, u8 *bssid, + struct ieee80211_csa_ie *csa_ie) + { +- enum nl80211_band new_band; ++ enum nl80211_band new_band = current_band; + int new_freq; + u8 new_chan_no; + struct ieee80211_channel *new_chan; +@@ -53,15 +54,13 @@ int ieee80211_parse_ch_switch_ie(struct + elems->ext_chansw_ie->new_operating_class, + &new_band)) { + sdata_info(sdata, +- "cannot understand ECSA IE operating class %d, disconnecting\n", ++ 
"cannot understand ECSA IE operating class, %d, ignoring\n", + elems->ext_chansw_ie->new_operating_class); +- return -EINVAL; + } + new_chan_no = elems->ext_chansw_ie->new_ch_num; + csa_ie->count = elems->ext_chansw_ie->count; + csa_ie->mode = elems->ext_chansw_ie->mode; + } else if (elems->ch_switch_ie) { +- new_band = current_band; + new_chan_no = elems->ch_switch_ie->new_ch_num; + csa_ie->count = elems->ch_switch_ie->count; + csa_ie->mode = elems->ch_switch_ie->mode; diff --git a/queue-4.9/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch b/queue-4.9/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch new file mode 100644 index 00000000000..1d80e7cfb91 --- /dev/null +++ b/queue-4.9/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Felix Fietkau +Date: Fri, 23 Feb 2018 10:06:03 +0100 +Subject: mac80211: drop frames with unexpected DS bits from fast-rx to slow path + +From: Felix Fietkau + +[ Upstream commit b323ac19b7734a1c464b2785a082ee50bccd3b91 ] + +Fixes rx for 4-addr packets in AP mode. These may be used for setting +up a 4-addr link for stations that are allowed to do so. + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -3907,7 +3907,7 @@ static bool ieee80211_invoke_fast_rx(str + if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS | + IEEE80211_FCTL_TODS)) != + fast_rx->expected_ds_bits) +- goto drop; ++ return false; + + /* assign the key to drop unencrypted frames (later) + * and strip the IV/MIC if necessary 
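Review bot: The new log string `"cannot understand ECSA IE operating class, %d, ignoring\n"` gained a stray comma after "class"; `"cannot understand ECSA IE operating class %d, ignoring\n"` reads as intended. Because the branch no longer returns, this `sdata_info()` is reached whenever an AP-supplied ECSA element with an unknown operating class is parsed while the station stays associated. The message may therefore repeat under a peer's control, so rate limiting it or lowering it to a debug print is worth considering. The fallback to `current_band` also depends on the channel and band validity check later in `ieee80211_parse_ch_switch_ie()`, which is outside this hunk.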
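Review bot: The changed line `return false;` in `ieee80211_invoke_fast_rx()` has no comment, so the reason for leaving the fast path instead of dropping is recorded only in the commit message. A comment above the return would keep it with the code, for example `/* unexpected DS bits (e.g. 4-addr frames in AP mode): hand the frame to the slow path instead of dropping it */`. Returning `false` presumably requires that nothing earlier in the function has modified or consumed the skb; that part is outside the hunk and should be confirmed.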
diff --git a/queue-4.9/mac80211-fix-a-possible-leak-of-station-stats.patch b/queue-4.9/mac80211-fix-a-possible-leak-of-station-stats.patch
new file mode 100644
index 00000000000..b223b2c36d1
--- /dev/null
+++ b/queue-4.9/mac80211-fix-a-possible-leak-of-station-stats.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Sara Sharon
+Date: Mon, 19 Feb 2018 14:48:35 +0200
+Subject: mac80211: fix a possible leak of station stats
+
+From: Sara Sharon
+
+[ Upstream commit d78d9ee9d40aca4781d2c5334972544601a4c3a2 ]
+
+If sta_info_alloc fails after allocating the per CPU statistics,
+they are not properly freed.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Signed-off-by: Sara Sharon
+Signed-off-by: Luca Coelho
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/sta_info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -433,6 +433,7 @@ free_txq:
+ if (sta->sta.txq[0])
+ kfree(to_txq_info(sta->sta.txq[0]));
+ free:
++ free_percpu(sta->pcpu_rx_stats);
+ #ifdef CONFIG_MAC80211_MESH
+ kfree(sta->mesh);
+ #endif
diff --git a/queue-4.9/mac80211-fix-calling-sleeping-function-in-atomic-context.patch b/queue-4.9/mac80211-fix-calling-sleeping-function-in-atomic-context.patch
new file mode 100644
index 00000000000..b5071f77cc3
--- /dev/null
+++ b/queue-4.9/mac80211-fix-calling-sleeping-function-in-atomic-context.patch
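Review bot: `free_percpu(sta->pcpu_rx_stats)` under the `free:` label runs on every failure path that jumps there, including paths where the per-CPU block was never allocated, so it relies on `sta->pcpu_rx_stats` being NULL in those cases. That holds only if `sta` is zero-initialised when it is allocated, which is outside this hunk and should be confirmed. A short comment such as `/* NULL unless the USES_RSS branch allocated it */` on the new line would make the assumption visible.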
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Sara Sharon
+Date: Mon, 19 Feb 2018 14:48:37 +0200
+Subject: mac80211: fix calling sleeping function in atomic context
+
+From: Sara Sharon
+
+[ Upstream commit 95f3ce6a77893ac828ba841df44421620de4314b ]
+
+sta_info_alloc can be called from atomic paths (such as RX path)
+so we need to call pcpu_alloc with the correct gfp.
+
+Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU")
+Signed-off-by: Sara Sharon
+Signed-off-by: Luca Coelho
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -313,7 +313,7 @@ struct sta_info *sta_info_alloc(struct i
+
+ if (ieee80211_hw_check(hw, USES_RSS)) {
+ sta->pcpu_rx_stats =
+- alloc_percpu(struct ieee80211_sta_rx_stats);
++ alloc_percpu_gfp(struct ieee80211_sta_rx_stats, gfp);
+ if (!sta->pcpu_rx_stats)
+ goto free;
+ }
diff --git a/queue-4.9/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch b/queue-4.9/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch
new file mode 100644
index 00000000000..4f6f3fee146
--- /dev/null
+++ b/queue-4.9/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Felix Fietkau
+Date: Sat, 10 Feb 2018 13:20:34 +0100
+Subject: mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4
+
+From: Felix Fietkau
+
+[ Upstream commit 651b9920d7a694ffb1f885aef2bbb068a25d9d66 ]
+
+This ensures that mac80211 allocated management frames are properly
+aligned, which makes copying them more efficient.
+For instance, mt76 uses iowrite32_copy to copy beacon frames to beacon
+template memory on the chip.
+Misaligned 32-bit accesses cause CPU exceptions on MIPS and should be
+avoided.
+
+Signed-off-by: Felix Fietkau
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/mac80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -4091,7 +4091,7 @@ void ieee80211_sta_uapsd_trigger(struct
+ * The TX headroom reserved by mac80211 for its own tx_status functions.
+ * This is enough for the radiotap header.
+ */
+-#define IEEE80211_TX_STATUS_HEADROOM 14
++#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4)
+
+ /**
+ * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames
diff --git a/queue-4.9/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch b/queue-4.9/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch
new file mode 100644
index 00000000000..7859ea1e87f
--- /dev/null
+++ b/queue-4.9/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch
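Review bot: The comment above `IEEE80211_TX_STATUS_HEADROOM` still says only "This is enough for the radiotap header", although the value is now `ALIGN(14, 4)` and the reason for the rounding is left to the commit message. Adding a line such as `* Rounded up to a multiple of 4 so frames allocated with this headroom stay 32-bit aligned.` would keep drivers from assuming the literal 14. As this is a header macro, every file that uses it also needs `ALIGN()` in scope, which cannot be checked from this hunk.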
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: "weiyongjun (A)"
+Date: Thu, 18 Jan 2018 02:23:34 +0000
+Subject: mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl()
+
+From: "weiyongjun (A)"
+
+[ Upstream commit 0ddcff49b672239dda94d70d0fcf50317a9f4b51 ]
+
+'hwname' is malloced in hwsim_new_radio_nl() and should be freed
+before leaving from the error handling cases, otherwise it will cause
+memory leak.
+
+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
+Signed-off-by: Wei Yongjun
+Reviewed-by: Ben Hutchings
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mac80211_hwsim.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3084,8 +3084,10 @@ static int hwsim_new_radio_nl(struct sk_
+ if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
+ u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
+
+- if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))
++ if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {
++ kfree(hwname);
+ return -EINVAL;
++ }
+ param.regd = hwsim_world_regdom_custom[idx];
+ }
+
diff --git a/queue-4.9/macsec-missing-dev_put-on-error-in-macsec_newlink.patch b/queue-4.9/macsec-missing-dev_put-on-error-in-macsec_newlink.patch
new file mode 100644
index 00000000000..771c2b7ed7a
--- /dev/null
+++ b/queue-4.9/macsec-missing-dev_put-on-error-in-macsec_newlink.patch
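Review bot: The added `kfree(hwname);` repairs one early return in `hwsim_new_radio_nl()`, but freeing by hand at each exit is easy to miss again when another validation step is added. A single cleanup label would cover every error path after the allocation: the branch becomes `ret = -EINVAL; goto out_free;` (with a local `ret`), and the function ends with `out_free: kfree(hwname); return ret;`. The rest of the function lies outside the hunk, so any other early returns made while `hwname` is live should be checked for the same leak.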
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dan Carpenter
+Date: Wed, 21 Mar 2018 11:09:01 +0300
+Subject: macsec: missing dev_put() on error in macsec_newlink()
+
+From: Dan Carpenter
+
+[ Upstream commit 5dcd8400884cc4a043a6d4617e042489e5d566a9 ]
+
+We moved the dev_hold(real_dev); call earlier in the function but forgot
+to update the error paths.
+
+Fixes: 0759e552bce7 ("macsec: fix negative refcnt on parent link")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/macsec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3244,7 +3244,7 @@ static int macsec_newlink(struct net *ne
+
+ err = netdev_upper_dev_link(real_dev, dev);
+ if (err < 0)
+- goto unregister;
++ goto put_dev;
+
+ /* need to be already registered so that ->init has run and
+ * the MAC addr is set
+@@ -3280,7 +3280,8 @@ del_dev:
+ macsec_del_dev(macsec);
+ unlink:
+ netdev_upper_dev_unlink(real_dev, dev);
+-unregister:
++put_dev:
++ dev_put(real_dev);
+ unregister_netdevice(dev);
+ return err;
+ }
diff --git a/queue-4.9/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch b/queue-4.9/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch
new file mode 100644
index 00000000000..ade19b25f48
--- /dev/null
+++ b/queue-4.9/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch
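Review bot: The `dev_put(real_dev)` added under `put_dev:` may be a second release of the same reference, because `unregister_netdevice(dev)` on the next line can run the macsec device's own teardown, which is not visible in this hunk. If that teardown also drops the reference taken by `dev_hold(real_dev)`, every error path reaching this label would put twice and underflow the refcount on the parent device. This should be confirmed against the device destructor. A comment at the label naming the `dev_hold()` this call pairs with would record the answer. `macsec_newlink()` begins and continues outside the hunk.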
@@ -0,0 +1,74 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Alexey Kodanev +Date: Thu, 22 Feb 2018 18:20:30 +0300 +Subject: macvlan: fix use-after-free in macvlan_common_newlink() + +From: Alexey Kodanev + +[ Upstream commit 4e14bf4236490306004782813b8b4494b18f5e60 ] + +The following use-after-free was reported by KASan when running +LTP macvtap01 test on 4.16-rc2: + +[10642.528443] BUG: KASAN: use-after-free in + macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450 +... +[10642.963873] Call Trace: +[10642.994352] dump_stack+0x5c/0x7c +[10643.035325] print_address_description+0x75/0x290 +[10643.092938] kasan_report+0x28d/0x390 +[10643.137971] ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10643.207963] macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10643.275978] macvtap_newlink+0x171/0x260 [macvtap] +[10643.334532] rtnl_newlink+0xd4f/0x1300 +... +[10646.256176] Allocated by task 18450: +[10646.299964] kasan_kmalloc+0xa6/0xd0 +[10646.343746] kmem_cache_alloc_trace+0xf1/0x210 +[10646.397826] macvlan_common_newlink+0x6de/0x14a0 [macvlan] +[10646.464386] macvtap_newlink+0x171/0x260 [macvtap] +[10646.522728] rtnl_newlink+0xd4f/0x1300 +... +[10647.022028] Freed by task 18450: +[10647.061549] __kasan_slab_free+0x138/0x180 +[10647.111468] kfree+0x9e/0x1c0 +[10647.147869] macvlan_port_destroy+0x3db/0x650 [macvlan] +[10647.211411] rollback_registered_many+0x5b9/0xb10 +[10647.268715] rollback_registered+0xd9/0x190 +[10647.319675] register_netdevice+0x8eb/0xc70 +[10647.370635] macvlan_common_newlink+0xe58/0x14a0 [macvlan] +[10647.437195] macvtap_newlink+0x171/0x260 [macvtap] + +Commit d02fd6e7d293 ("macvlan: Fix one possible double free") handles +the case when register_netdevice() invokes ndo_uninit() on error and +as a result free the port. 
But 'macvlan_port_get_rtnl(dev))' check +(returns dev->rx_handler_data), which was added by this commit in order +to prevent double free, is not quite correct: + +* for macvlan it always returns NULL because 'lowerdev' is the one that + was used to register rx handler (port) in macvlan_port_create() as + well as to unregister it in macvlan_port_destroy(). +* for macvtap it always returns a valid pointer because macvtap registers + its own rx handler before macvlan_common_newlink(). + +Fixes: d02fd6e7d293 ("macvlan: Fix one possible double free") +Signed-off-by: Alexey Kodanev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1384,7 +1384,7 @@ destroy_macvlan_port: + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(dev)) ++ if (create && macvlan_port_get_rtnl(lowerdev)) + macvlan_port_destroy(port->dev); + return err; + } diff --git a/queue-4.9/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch b/queue-4.9/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch new file mode 100644 index 00000000000..5feae847c93 --- /dev/null +++ b/queue-4.9/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch 
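Review bot: The guard now tests `macvlan_port_get_rtnl(lowerdev)`, but the call it protects still dereferences the local `port` in `macvlan_port_destroy(port->dev)`, the object the comment above says may already have been freed. When the guard holds the pointer is valid, so this is a robustness point rather than a bug. The commit message says the port is registered on `lowerdev`, so `macvlan_port_destroy(lowerdev);` would make the check and the action name the same device without touching `port`. The comment above the check could also state that the lookup is made on the lower device. The function body starts outside the hunk.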
@@ -0,0 +1,117 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: BingJing Chang +Date: Thu, 22 Feb 2018 13:34:46 +0800 +Subject: md: fix a potential deadlock of raid5/raid10 reshape + +From: BingJing Chang + +[ Upstream commit 8876391e440ba615b10eef729576e111f0315f87 ] + +There is a potential deadlock if mount/umount happens when +raid5_finish_reshape() tries to grow the size of emulated disk. + +How the deadlock happens? +1) The raid5 resync thread finished reshape (expanding array). +2) The mount or umount thread holds VFS sb->s_umount lock and tries to + write through critical data into raid5 emulated block device. So it + waits for raid5 kernel thread handling stripes in order to finish it + I/Os. +3) In the routine of raid5 kernel thread, md_check_recovery() will be + called first in order to reap the raid5 resync thread. That is, + raid5_finish_reshape() will be called. In this function, it will try + to update conf and call VFS revalidate_disk() to grow the raid5 + emulated block device. It will try to acquire VFS sb->s_umount lock. +The raid5 kernel thread cannot continue, so no one can handle mount/ +umount I/Os (stripes). Once the write-through I/Os cannot be finished, +mount/umount will not release sb->s_umount lock. The deadlock happens. + +The raid5 kernel thread is an emulated block device. It is responible to +handle I/Os (stripes) from upper layers. The emulated block device +should not request any I/Os on itself. That is, it should not call VFS +layer functions. (If it did, it will try to acquire VFS locks to +guarantee the I/Os sequence.) So we have the resync thread to send +resync I/O requests and to wait for the results. + +For solving this potential deadlock, we can put the size growth of the +emulated block device as the final step of reshape thread. + +2017/12/29: +Thanks to Guoqing Jiang , +we confirmed that there is the same deadlock issue in raid10. It's +reproducible and can be fixed by this patch. 
For raid10.c, we can remove +the similar code to prevent deadlock as well since they has been called +before. + +Reported-by: Alex Wu +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 13 +++++++++++++ + drivers/md/raid10.c | 8 +------- + drivers/md/raid5.c | 8 +------- + 3 files changed, 15 insertions(+), 14 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8200,6 +8200,19 @@ void md_do_sync(struct md_thread *thread + set_mask_bits(&mddev->flags, 0, + BIT(MD_CHANGE_PENDING) | BIT(MD_CHANGE_DEVS)); + ++ if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) && ++ !test_bit(MD_RECOVERY_INTR, &mddev->recovery) && ++ mddev->delta_disks > 0 && ++ mddev->pers->finish_reshape && ++ mddev->pers->size && ++ mddev->queue) { ++ mddev_lock_nointr(mddev); ++ md_set_array_sectors(mddev, mddev->pers->size(mddev, 0, 0)); ++ mddev_unlock(mddev); ++ set_capacity(mddev->gendisk, mddev->array_sectors); ++ revalidate_disk(mddev->gendisk); ++ } ++ + spin_lock(&mddev->lock); + if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) { + /* We completed so min/max setting can be forgotten if used. 
*/ +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4684,17 +4684,11 @@ static void raid10_finish_reshape(struct + return; + + if (mddev->delta_disks > 0) { +- sector_t size = raid10_size(mddev, 0, 0); +- md_set_array_sectors(mddev, size); + if (mddev->recovery_cp > mddev->resync_max_sectors) { + mddev->recovery_cp = mddev->resync_max_sectors; + set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); + } +- mddev->resync_max_sectors = size; +- if (mddev->queue) { +- set_capacity(mddev->gendisk, mddev->array_sectors); +- revalidate_disk(mddev->gendisk); +- } ++ mddev->resync_max_sectors = mddev->array_sectors; + } else { + int d; + rcu_read_lock(); +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -7615,13 +7615,7 @@ static void raid5_finish_reshape(struct + + if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) { + +- if (mddev->delta_disks > 0) { +- md_set_array_sectors(mddev, raid5_size(mddev, 0, 0)); +- if (mddev->queue) { +- set_capacity(mddev->gendisk, mddev->array_sectors); +- revalidate_disk(mddev->gendisk); +- } +- } else { ++ if (mddev->delta_disks <= 0) { + int d; + spin_lock_irq(&conf->device_lock); + mddev->degraded = calc_degraded(conf); diff --git a/queue-4.9/md-raid1-fix-null-pointer-dereference.patch b/queue-4.9/md-raid1-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..b1a138f4a11 --- /dev/null +++ b/queue-4.9/md-raid1-fix-null-pointer-dereference.patch 
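Review bot: In the `md_do_sync()` hunk the condition reads `mddev->pers->finish_reshape` and `mddev->pers->size` before `mddev_lock_nointr(mddev)` is taken, and `set_capacity()` and `revalidate_disk()` run after `mddev_unlock()`; no comment says why `pers` and the array size cannot change in those windows. The raid10 hunk now sets `mddev->resync_max_sectors = mddev->array_sectors`, which is correct only if `md_do_sync()` has already grown `array_sectors` before `raid10_finish_reshape()` runs. Both ordering assumptions deserve a comment, for example `/* array_sectors was already updated by md_do_sync() */` in raid10.c. The enclosing functions extend beyond the hunks.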
@@ -0,0 +1,90 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yufen Yu +Date: Sat, 24 Feb 2018 12:05:56 +0800 +Subject: md/raid1: fix NULL pointer dereference + +From: Yufen Yu + +[ Upstream commit 3de59bb9d551428cbdc76a9ea57883f82e350b4d ] + +In handle_write_finished(), if r1_bio->bios[m] != NULL, it thinks +the corresponding conf->mirrors[m].rdev is also not NULL. But, it +is not always true. + +Even if some io hold replacement rdev(i.e. rdev->nr_pending.count > 0), +raid1_remove_disk() can also set the rdev as NULL. That means, +bios[m] != NULL, but mirrors[m].rdev is NULL, resulting in NULL +pointer dereference in handle_write_finished and sync_request_write. + +This patch can fix BUGs as follows: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000140 + IP: [] raid1d+0x2bd/0xfc0 + PGD 12ab52067 PUD 12f587067 PMD 0 + Oops: 0000 [#1] SMP + CPU: 1 PID: 2008 Comm: md3_raid1 Not tainted 4.1.44+ #130 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 + Call Trace: + ? schedule+0x37/0x90 + ? prepare_to_wait_event+0x83/0xf0 + md_thread+0x144/0x150 + ? wake_atomic_t_function+0x70/0x70 + ? md_start_sync+0xf0/0xf0 + kthread+0xd8/0xf0 + ? kthread_worker_fn+0x160/0x160 + ret_from_fork+0x42/0x70 + ? kthread_worker_fn+0x160/0x160 + + BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8 + IP: sync_request_write+0x9e/0x980 + PGD 800000007c518067 P4D 800000007c518067 PUD 8002b067 PMD 0 + Oops: 0000 [#1] SMP PTI + CPU: 24 PID: 2549 Comm: md3_raid1 Not tainted 4.15.0+ #118 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 + Call Trace: + ? sched_clock+0x5/0x10 + ? sched_clock_cpu+0xc/0xb0 + ? flush_pending_writes+0x3a/0xd0 + ? pick_next_task_fair+0x4d5/0x5f0 + ? __switch_to+0xa2/0x430 + raid1d+0x65a/0x870 + ? find_pers+0x70/0x70 + ? find_pers+0x70/0x70 + ? md_thread+0x11c/0x160 + md_thread+0x11c/0x160 + ? finish_wait+0x80/0x80 + kthread+0x111/0x130 + ? 
kthread_create_worker_on_cpu+0x70/0x70 + ? do_syscall_64+0x6f/0x190 + ? SyS_exit_group+0x10/0x10 + ret_from_fork+0x35/0x40 + +Reviewed-by: NeilBrown +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid1.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1673,6 +1673,17 @@ static int raid1_remove_disk(struct mdde + struct md_rdev *repl = + conf->mirrors[conf->raid_disks + number].rdev; + freeze_array(conf, 0); ++ if (atomic_read(&repl->nr_pending)) { ++ /* It means that some queued IO of retry_list ++ * hold repl. Thus, we cannot set replacement ++ * as NULL, avoiding rdev NULL pointer ++ * dereference in sync_request_write and ++ * handle_write_finished. ++ */ ++ err = -EBUSY; ++ unfreeze_array(conf); ++ goto abort; ++ } + clear_bit(Replacement, &repl->flags); + p->rdev = repl; + conf->mirrors[conf->raid_disks + number].rdev = NULL; diff --git a/queue-4.9/md-raid10-fix-null-deference-in-handle_write_completed.patch b/queue-4.9/md-raid10-fix-null-deference-in-handle_write_completed.patch new file mode 100644 index 00000000000..f942c75cfcb --- /dev/null +++ b/queue-4.9/md-raid10-fix-null-deference-in-handle_write_completed.patch 
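Review bot: The comment added in `raid1_remove_disk()` is hard to parse ("some queued IO of retry_list hold repl ... avoiding rdev NULL pointer dereference"), and it is the only in-code record of why the removal is refused. Something like `/* Queued retry IO still references repl; clearing the replacement slot now would let handle_write_finished() or sync_request_write() dereference a NULL rdev. */` says the same thing directly. The check sits after `freeze_array()`, and the early exit does call `unfreeze_array()` before `goto abort`. That `repl` is non-NULL at this point is established outside the hunk.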
@@ -0,0 +1,62 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yufen Yu +Date: Tue, 6 Feb 2018 17:39:15 +0800 +Subject: md raid10: fix NULL deference in handle_write_completed() + +From: Yufen Yu + +[ Upstream commit 01a69cab01c184d3786af09e9339311123d63d22 ] + +In the case of 'recover', an r10bio with R10BIO_WriteError & +R10BIO_IsRecover will be progressed by handle_write_completed(). +This function traverses all r10bio->devs[copies]. +If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement +is also not NULL. However, this is not always true. + +When there is an rdev of raid10 has replacement, then each r10bio +->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover', +even if corresponded replacement is NULL, it doesn't clear r10bio +->devs[m].repl_bio, resulting in replacement NULL deference. + +This bug was introduced when replacement support for raid10 was +added in Linux 3.3. + +As NeilBrown suggested: + Elsewhere the determination of "is this device part of the + resync/recovery" is made by resting bio->bi_end_io. + If this is end_sync_write, then we tried to write here. + If it is NULL, then we didn't try to write. 
+ +Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.") +Cc: stable (V3.3+) +Suggested-by: NeilBrown +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2636,7 +2636,8 @@ static void handle_write_completed(struc + for (m = 0; m < conf->copies; m++) { + int dev = r10_bio->devs[m].devnum; + rdev = conf->mirrors[dev].rdev; +- if (r10_bio->devs[m].bio == NULL) ++ if (r10_bio->devs[m].bio == NULL || ++ r10_bio->devs[m].bio->bi_end_io == NULL) + continue; + if (!r10_bio->devs[m].bio->bi_error) { + rdev_clear_badblocks( +@@ -2651,7 +2652,8 @@ static void handle_write_completed(struc + md_error(conf->mddev, rdev); + } + rdev = conf->mirrors[dev].replacement; +- if (r10_bio->devs[m].repl_bio == NULL) ++ if (r10_bio->devs[m].repl_bio == NULL || ++ r10_bio->devs[m].repl_bio->bi_end_io == NULL) + continue; + + if (!r10_bio->devs[m].repl_bio->bi_error) { diff --git a/queue-4.9/md-raid5-avoid-string-overflow-warning.patch b/queue-4.9/md-raid5-avoid-string-overflow-warning.patch new file mode 100644 index 00000000000..167a7f59515 --- /dev/null +++ b/queue-4.9/md-raid5-avoid-string-overflow-warning.patch 
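Review bot: The two new `bi_end_io == NULL` tests in `handle_write_completed()` carry no comment, and the convention they rely on (a NULL `bi_end_io` means no write was attempted on that device) is stated only in the commit message. A comment above each test, such as `/* bi_end_io == NULL: this device was not written during the resync/recovery */`, would keep a later reader from treating the test as redundant. After the second test `rdev` holds `conf->mirrors[dev].replacement`; whether it can still be NULL when `bi_end_io` is set cannot be told from the hunk.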
@@ -0,0 +1,65 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Arnd Bergmann +Date: Tue, 20 Feb 2018 14:09:11 +0100 +Subject: md: raid5: avoid string overflow warning + +From: Arnd Bergmann + +[ Upstream commit 53b8d89ddbdbb0e4625a46d2cdbb6f106c52f801 ] + +gcc warns about a possible overflow of the kmem_cache string, when adding +four characters to a string of the same length: + +drivers/md/raid5.c: In function 'setup_conf': +drivers/md/raid5.c:2207:34: error: '-alt' directive writing 4 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] + sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); + ^~~~ +drivers/md/raid5.c:2207:2: note: 'sprintf' output between 5 and 36 bytes into a destination of size 32 + sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If I'm counting correctly, we need 11 characters for the fixed part +of the string and 18 characters for a 64-bit pointer (when no gendisk +is used), so that leaves three characters for conf->level, which should +always be sufficient. + +This makes the code use snprintf() with the correct length, to +make the code more robust against changes, and to get the compiler +to shut up. + +In commit f4be6b43f1ac ("md/raid5: ensure we create a unique name for +kmem_cache when mddev has no gendisk") from 2010, Neil said that +the pointer could be removed "shortly" once devices without gendisk +are disallowed. I have no idea if that happened, but if it did, that +should probably be changed as well. 
+ +Signed-off-by: Arnd Bergmann +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2049,15 +2049,16 @@ static int grow_one_stripe(struct r5conf + static int grow_stripes(struct r5conf *conf, int num) + { + struct kmem_cache *sc; ++ size_t namelen = sizeof(conf->cache_name[0]); + int devs = max(conf->raid_disks, conf->previous_raid_disks); + + if (conf->mddev->gendisk) +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%s", conf->level, mdname(conf->mddev)); + else +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%p", conf->level, conf->mddev); +- sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); ++ snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]); + + conf->active_name = 0; + sc = kmem_cache_create(conf->cache_name[conf->active_name], diff --git a/queue-4.9/microblaze-switch-to-no_bootmem.patch b/queue-4.9/microblaze-switch-to-no_bootmem.patch new file mode 100644 index 00000000000..2d9fa8d30e3 --- /dev/null +++ b/queue-4.9/microblaze-switch-to-no_bootmem.patch 
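Review bot: The precision in `"%.27s-alt"` is a hard-coded 32 - 4 - 1 and silently depends on `cache_name[]` being 32 bytes, while the length argument beside it is computed with `sizeof`. Deriving both from `namelen` keeps them in step if the array is resized, e.g. `snprintf(conf->cache_name[1], namelen, "%.*s-alt", (int)namelen - 5, conf->cache_name[0]);`. Separately, the `"raid%d-%p"` branch still formats the `mddev` pointer into the slab cache name. On kernels where `%p` is not hashed this exposes a kernel address through the cache name, which the commit message already suggests revisiting.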
@@ -0,0 +1,155 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Rob Herring +Date: Fri, 9 Mar 2018 09:54:07 -0600 +Subject: microblaze: switch to NO_BOOTMEM + +From: Rob Herring + +[ Upstream commit 101646a24a2f9cdb61d7732459fbf068a7bbb542 ] + +Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc() +doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM. + +Similar change was already done by others architectures +"ARM: mm: Remove bootmem code and switch to NO_BOOTMEM" +(sha1: 84f452b1e8fc73ac0e31254c66e3e2260ce5263d) +or +"openrisc: Consolidate setup to use memblock instead of bootmem" +(sha1: 266c7fad157265bb54d17db1c9545f2aaa488643) +or +"parisc: Drop bootmem and switch to memblock" +(sha1: 4fe9e1d957e45ad8eba9885ee860a0e93d13a7c7) +or +"powerpc: Remove bootmem allocator" +(sha1: 10239733ee8617bac3f1c1769af43a88ed979324) +or +"s390/mm: Convert bootmem to memblock" +(sha1: 50be634507284eea38df78154d22615d21200b42) +or +"sparc64: Convert over to NO_BOOTMEM." +(sha1: 625d693e9784f988371e69c2b41a2172c0be6c11) +or +"xtensa: drop sysmem and switch to memblock" +(sha1: 0e46c1115f5816949220d62dd3ff04aa68e7ac6b) + +Issue was introduced by: +"of/fdt: use memblock_virt_alloc for early alloc" +(sha1: 0fa1c579349fdd90173381712ad78aa99c09d38b) + +Signed-off-by: Rob Herring +Tested-by: Alvaro Gamez Machado +Tested-by: Michal Simek +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/microblaze/Kconfig | 1 + arch/microblaze/mm/init.c | 56 ++++------------------------------------------ + 2 files changed, 7 insertions(+), 50 deletions(-) + +--- a/arch/microblaze/Kconfig ++++ b/arch/microblaze/Kconfig +@@ -23,6 +23,7 @@ config MICROBLAZE + select HAVE_FTRACE_MCOUNT_RECORD + select HAVE_FUNCTION_GRAPH_TRACER + select HAVE_FUNCTION_TRACER ++ select NO_BOOTMEM + select HAVE_MEMBLOCK + select HAVE_MEMBLOCK_NODE_MAP + select HAVE_OPROFILE +--- a/arch/microblaze/mm/init.c ++++ b/arch/microblaze/mm/init.c +@@ 
-32,9 +32,6 @@ int mem_init_done; + #ifndef CONFIG_MMU + unsigned int __page_offset; + EXPORT_SYMBOL(__page_offset); +- +-#else +-static int init_bootmem_done; + #endif /* CONFIG_MMU */ + + char *klimit = _end; +@@ -117,7 +114,6 @@ static void __init paging_init(void) + + void __init setup_memory(void) + { +- unsigned long map_size; + struct memblock_region *reg; + + #ifndef CONFIG_MMU +@@ -174,17 +170,6 @@ void __init setup_memory(void) + pr_info("%s: max_low_pfn: %#lx\n", __func__, max_low_pfn); + pr_info("%s: max_pfn: %#lx\n", __func__, max_pfn); + +- /* +- * Find an area to use for the bootmem bitmap. +- * We look for the first area which is at least +- * 128kB in length (128kB is enough for a bitmap +- * for 4GB of memory, using 4kB pages), plus 1 page +- * (in case the address isn't page-aligned). +- */ +- map_size = init_bootmem_node(NODE_DATA(0), +- PFN_UP(TOPHYS((u32)klimit)), min_low_pfn, max_low_pfn); +- memblock_reserve(PFN_UP(TOPHYS((u32)klimit)) << PAGE_SHIFT, map_size); +- + /* Add active regions with valid PFNs */ + for_each_memblock(memory, reg) { + unsigned long start_pfn, end_pfn; +@@ -196,32 +181,9 @@ void __init setup_memory(void) + &memblock.memory, 0); + } + +- /* free bootmem is whole main memory */ +- free_bootmem_with_active_regions(0, max_low_pfn); +- +- /* reserve allocate blocks */ +- for_each_memblock(reserved, reg) { +- unsigned long top = reg->base + reg->size - 1; +- +- pr_debug("reserved - 0x%08x-0x%08x, %lx, %lx\n", +- (u32) reg->base, (u32) reg->size, top, +- memory_start + lowmem_size - 1); +- +- if (top <= (memory_start + lowmem_size - 1)) { +- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT); +- } else if (reg->base < (memory_start + lowmem_size - 1)) { +- unsigned long trunc_size = memory_start + lowmem_size - +- reg->base; +- reserve_bootmem(reg->base, trunc_size, BOOTMEM_DEFAULT); +- } +- } +- + /* XXX need to clip this if using highmem? 
*/ + sparse_memory_present_with_active_regions(0); + +-#ifdef CONFIG_MMU +- init_bootmem_done = 1; +-#endif + paging_init(); + } + +@@ -398,18 +360,12 @@ asmlinkage void __init mmu_init(void) + /* This is only called until mem_init is done. */ + void __init *early_get_page(void) + { +- void *p; +- if (init_bootmem_done) { +- p = alloc_bootmem_pages(PAGE_SIZE); +- } else { +- /* +- * Mem start + kernel_tlb -> here is limit +- * because of mem mapping from head.S +- */ +- p = __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, +- memory_start + kernel_tlb)); +- } +- return p; ++ /* ++ * Mem start + kernel_tlb -> here is limit ++ * because of mem mapping from head.S ++ */ ++ return __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, ++ memory_start + kernel_tlb)); + } + + #endif /* CONFIG_MMU */ diff --git a/queue-4.9/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch b/queue-4.9/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch new file mode 100644 index 00000000000..c873f4e9124 --- /dev/null +++ b/queue-4.9/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch 
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Mathias Kresin
+Date: Thu, 11 May 2017 08:18:24 +0200
+Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
+
+From: Mathias Kresin
+
+[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ]
+
+According to the QCA u-boot source the "PCIE Phase Lock Loop
+Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the
+QCA955X and QCA956X at offset 0x10.
+
+Since the PCIE PLL config register is only defined for the AR724x fix
+only this value. The value is wrong since the day it was added and isn't
+used by any driver yet.
+
+Signed-off-by: Mathias Kresin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16048/
+Signed-off-by: James Hogan
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
+@@ -167,7 +167,7 @@
+ #define AR71XX_AHB_DIV_MASK 0x7
+
+ #define AR724X_PLL_REG_CPU_CONFIG 0x00
+-#define AR724X_PLL_REG_PCIE_CONFIG 0x18
++#define AR724X_PLL_REG_PCIE_CONFIG 0x10
+
+ #define AR724X_PLL_FB_SHIFT 0
+ #define AR724X_PLL_FB_MASK 0x3ff
diff --git a/queue-4.9/mips-generic-fix-machine-compatible-matching.patch b/queue-4.9/mips-generic-fix-machine-compatible-matching.patch
new file mode 100644
index 00000000000..0ec5563ea28
--- /dev/null
+++ b/queue-4.9/mips-generic-fix-machine-compatible-matching.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: James Hogan
+Date: Fri, 2 Feb 2018 22:14:09 +0000
+Subject: MIPS: generic: Fix machine compatible matching
+
+From: James Hogan
+
+[ Upstream commit 9a9ab3078e2744a1a55163cfaec73a5798aae33e ]
+
+We now have a platform (Ranchu) in the "generic" platform which matches
+based on the FDT compatible string using mips_machine_is_compatible(),
+however that function doesn't stop at a blank struct
+of_device_id::compatible as that is an array in the struct, not a
+pointer to a string.
+
+Fix the loop completion to check the first byte of the compatible array
+rather than the address of the compatible array in the struct.
+
+Fixes: eed0eabd12ef ("MIPS: generic: Introduce generic DT-based board support")
+Signed-off-by: James Hogan
+Reviewed-by: Paul Burton
+Reviewed-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/18580/
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/machine.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/machine.h
++++ b/arch/mips/include/asm/machine.h
+@@ -52,7 +52,7 @@ mips_machine_is_compatible(const struct
+ if (!mach->matches)
+ return NULL;
+
+- for (match = mach->matches; match->compatible; match++) {
++ for (match = mach->matches; match->compatible[0]; match++) {
+ if (fdt_node_check_compatible(fdt, 0, match->compatible) == 0)
+ return match;
+ }
diff --git a/queue-4.9/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch b/queue-4.9/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch
new file mode 100644
index 00000000000..1a9dcaee769
--- /dev/null
+++ b/queue-4.9/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch
@@ -0,0 +1,70 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Joe Perches +Date: Tue, 5 Dec 2017 23:04:58 -0800 +Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines + +From: Joe Perches + +[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ] + +Using a period after a newline causes bad output. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Signed-off-by: Joe Perches +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17886/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st + + parent_irq = irq_of_parse_and_map(ciu_node, 0); + if (!parent_irq) { +- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", ++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", + ciu_node->name); + return -EINVAL; + } +@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 0, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->raw_reg = (u64)phys_to_virt( +@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 1, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->en_reg = (u64)phys_to_virt( +@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st + + r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); + if (r) { +- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", ++ 
pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", + ciu_node->name); + return r; + } +@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st + &octeon_irq_domain_cib_ops, + host_data); + if (!cib_domain) { +- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); ++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); + return -ENOMEM; + } + diff --git a/queue-4.9/mips-txx9-use-is_builtin-for-config_leds_class.patch b/queue-4.9/mips-txx9-use-is_builtin-for-config_leds_class.patch new file mode 100644 index 00000000000..2bcfd515449 --- /dev/null +++ b/queue-4.9/mips-txx9-use-is_builtin-for-config_leds_class.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Matt Redfearn +Date: Mon, 29 Jan 2018 11:26:45 +0000 +Subject: MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS + +From: Matt Redfearn + +[ Upstream commit 0cde5b44a30f1daaef1c34e08191239dc63271c4 ] + +When commit b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") +added board support for the RBTX4939, it added a call to +led_classdev_register even if the LED class is built as a module. +Built-in arch code cannot call module code directly like this. Commit +b33b44073734 ("MIPS: TXX9: use IS_ENABLED() macro") subsequently +changed the inclusion of this code to a single check that +CONFIG_LEDS_CLASS is either builtin or a module, but the same issue +remains. + +This leads to MIPS allmodconfig builds failing when CONFIG_MACH_TX49XX=y +is set: + +arch/mips/txx9/rbtx4939/setup.o: In function `rbtx4939_led_probe': +setup.c:(.init.text+0xc0): undefined reference to `of_led_classdev_register' +make: *** [Makefile:999: vmlinux] Error 1 + +Fix this by using the IS_BUILTIN() macro instead. 
+ +Fixes: b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") +Signed-off-by: Matt Redfearn +Reviewed-by: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18544/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/txx9/rbtx4939/setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/txx9/rbtx4939/setup.c ++++ b/arch/mips/txx9/rbtx4939/setup.c +@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_p + + #define RBTX4939_MAX_7SEGLEDS 8 + +-#if IS_ENABLED(CONFIG_LEDS_CLASS) ++#if IS_BUILTIN(CONFIG_LEDS_CLASS) + static u8 led_val[RBTX4939_MAX_7SEGLEDS]; + struct rbtx4939_led_data { + struct led_classdev cdev; +@@ -261,7 +261,7 @@ static inline void rbtx4939_led_setup(vo + + static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val) + { +-#if IS_ENABLED(CONFIG_LEDS_CLASS) ++#if IS_BUILTIN(CONFIG_LEDS_CLASS) + unsigned long flags; + local_irq_save(flags); + /* bit7: reserved for LED class */ diff --git a/queue-4.9/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch b/queue-4.9/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch new file mode 100644 index 00000000000..5afd04f98ba --- /dev/null +++ b/queue-4.9/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch 
@@ -0,0 +1,217 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "shidao.ytt" +Date: Wed, 31 Jan 2018 16:19:55 -0800 +Subject: mm/fadvise: discard partial page if endbyte is also EOF + +From: "shidao.ytt" + +[ Upstream commit a7ab400d6fe73d0119fdc234e9982a6f80faea9f ] + +During our recent testing with fadvise(FADV_DONTNEED), we find that if +given offset/length is not page-aligned, the last page will not be +discarded. The tool we use is vmtouch (https://hoytech.com/vmtouch/), +we map a 10KB-sized file into memory and then try to run this tool to +evict the whole file mapping, but the last single page always remains +staying in the memory: + +$./vmtouch -e test_10K + Files: 1 + Directories: 0 + Evicted Pages: 3 (12K) + Elapsed: 2.1e-05 seconds + +$./vmtouch test_10K + Files: 1 + Directories: 0 + Resident Pages: 1/3 4K/12K 33.3% + Elapsed: 5.5e-05 seconds + +However when we test with an older kernel, say 3.10, this problem is +gone. So we wonder if this is a regression: + +$./vmtouch -e test_10K + Files: 1 + Directories: 0 + Evicted Pages: 3 (12K) + Elapsed: 8.2e-05 seconds + +$./vmtouch test_10K + Files: 1 + Directories: 0 + Resident Pages: 0/3 0/12K 0% <-- partial page also discarded + Elapsed: 5e-05 seconds + +After digging a little bit into this problem, we find it seems not a +regression. Not discarding partial page is likely to be on purpose +according to commit 441c228f817f ("mm: fadvise: document the +fadvise(FADV_DONTNEED) behaviour for partial pages") written by Mel +Gorman. He explained why partial pages should be preserved instead of +being discarded when using fadvise(FADV_DONTNEED). + +However, the interesting part is that the actual code did NOT work as +the same as it was described, the partial page was still discarded +anyway, due to a calculation mistake of `end_index' passed to +invalidate_mapping_pages(). This mistake has not been fixed until +recently, that's why we fail to reproduce our problem in old kernels. 
+The fix is done in commit 18aba41cbf ("mm/fadvise.c: do not discard +partial pages with POSIX_FADV_DONTNEED") by Oleg Drokin. + +Back to the original testing, our problem becomes that there is a +special case that, if the page-unaligned `endbyte' is also the end of +file, it is not necessary at all to preserve the last partial page, as +we all know no one else will use the rest of it. It should be safe +enough if we just discard the whole page. So we add an EOF check in +this patch. + +We also find a poosbile real world issue in mainline kernel. Assume +such scenario: A userspace backup application want to backup a huge +amount of small files (<4k) at once, the developer might (I guess) want +to use fadvise(FADV_DONTNEED) to save memory. However, FADV_DONTNEED +won't really happen since the only page mapped is a partial page, and +kernel will preserve it. Our patch also fixes this problem, since we +know the endbyte is EOF, so we discard it. + +Here is a simple reproducer to reproduce and verify each scenario we +described above: + + test_fadvise.c + ============================== + #include + #include + #include + #include + #include + #include + #include + + int main(int argc, char **argv) + { + int i, fd, ret, len; + struct stat buf; + void *addr; + unsigned char *vec; + char *strbuf; + ssize_t pagesize = getpagesize(); + ssize_t filesize; + + fd = open(argv[1], O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); + if (fd < 0) + return -1; + filesize = strtoul(argv[2], NULL, 10); + + strbuf = malloc(filesize); + memset(strbuf, 42, filesize); + write(fd, strbuf, filesize); + free(strbuf); + fsync(fd); + + len = (filesize + pagesize - 1) / pagesize; + printf("length of pages: %d\n", len); + + addr = mmap(NULL, filesize, PROT_READ, MAP_SHARED, fd, 0); + if (addr == MAP_FAILED) + return -1; + + ret = posix_fadvise(fd, 0, filesize, POSIX_FADV_DONTNEED); + if (ret < 0) + return -1; + + vec = malloc(len); + ret = mincore(addr, filesize, (void *)vec); + if (ret < 0) + return -1; + + for 
(i = 0; i < len; i++) + printf("pages[%d]: %x\n", i, vec[i] & 0x1); + + free(vec); + close(fd); + + return 0; + } + ============================== + +Test 1: running on kernel with commit 18aba41cbf reverted: + + [root@caspar ~]# uname -r + 4.15.0-rc6.revert+ + [root@caspar ~]# ./test_fadvise file1 1024 + length of pages: 1 + pages[0]: 0 # <-- partial page discarded + [root@caspar ~]# ./test_fadvise file2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise file3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 0 # <-- partial page discarded + +Test 2: running on mainline kernel: + + [root@caspar ~]# uname -r + 4.15.0-rc6+ + [root@caspar ~]# ./test_fadvise test1 1024 + length of pages: 1 + pages[0]: 1 # <-- partial and the only page not discarded + [root@caspar ~]# ./test_fadvise test2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise test3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 1 # <-- partial page not discarded + +Test 3: running on kernel with this patch: + + [root@caspar ~]# uname -r + 4.15.0-rc6.patched+ + [root@caspar ~]# ./test_fadvise test1 1024 + length of pages: 1 + pages[0]: 0 # <-- partial page and EOF, discarded + [root@caspar ~]# ./test_fadvise test2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise test3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 0 # <-- partial page and EOF, discarded + +[akpm@linux-foundation.org: tweak code comment] +Link: http://lkml.kernel.org/r/5222da9ee20e1695eaabb69f631f200d6e6b8876.1515132470.git.jinli.zjl@alibaba-inc.com +Signed-off-by: shidao.ytt +Signed-off-by: Caspar Zhang +Reviewed-by: Oliver Yang +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/fadvise.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/mm/fadvise.c 
++++ b/mm/fadvise.c +@@ -126,7 +126,15 @@ SYSCALL_DEFINE4(fadvise64_64, int, fd, l + */ + start_index = (offset+(PAGE_SIZE-1)) >> PAGE_SHIFT; + end_index = (endbyte >> PAGE_SHIFT); +- if ((endbyte & ~PAGE_MASK) != ~PAGE_MASK) { ++ /* ++ * The page at end_index will be inclusively discarded according ++ * by invalidate_mapping_pages(), so subtracting 1 from ++ * end_index means we will skip the last page. But if endbyte ++ * is page aligned or is at the end of file, we should not skip ++ * that page - discarding the last page is safe enough. ++ */ ++ if ((endbyte & ~PAGE_MASK) != ~PAGE_MASK && ++ endbyte != inode->i_size - 1) { + /* First page is tricky as 0 - 1 = -1, but pgoff_t + * is unsigned, so the end_index >= start_index + * check below would be true and we'll discard the whole diff --git a/queue-4.9/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch b/queue-4.9/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch new file mode 100644 index 00000000000..97095a349ab --- /dev/null +++ b/queue-4.9/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch 
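Review bot: The added EOF test reads `inode->i_size` directly in the new condition `endbyte != inode->i_size - 1`; the kernel's accessor for a size that can change concurrently is `i_size_read()`, so the comparison would read more safely as `endbyte != i_size_read(inode) - 1`. A plain load can tear on 32-bit SMP builds, and the file can grow between this check and the invalidation, so the comment should describe the EOF test as a best-effort hint rather than a guarantee that nobody uses the rest of the page. In the new comment, "according by" should simply be "by". The body of fadvise64_64 starts and ends outside the hunk.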
@@ -0,0 +1,78 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Huang Ying +Date: Thu, 5 Apr 2018 16:23:20 -0700 +Subject: mm: fix races between address_space dereference and free in page_evicatable + +From: Huang Ying + +[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ] + +When page_mapping() is called and the mapping is dereferenced in +page_evicatable() through shrink_active_list(), it is possible for the +inode to be truncated and the embedded address space to be freed at the +same time. This may lead to the following race. + +CPU1 CPU2 + +truncate(inode) shrink_active_list() + ... page_evictable(page) + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + mapping_unevictable(mapping) + test_bit(AS_UNEVICTABLE, &mapping->flags); +- we've dereferenced mapping which is potentially already free. + +Similar race exists between swap cache freeing and page_evicatable() +too. + +The address_space in inode and swap cache will be freed after a RCU +grace period. So the races are fixed via enclosing the page_mapping() +and address_space usage in rcu_read_lock/unlock(). Some comments are +added in code to make it clear what is protected by the RCU read lock. 
+ +Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Reviewed-by: Jan Kara +Reviewed-by: Andrew Morton +Cc: Mel Gorman +Cc: Minchan Kim +Cc: "Huang, Ying" +Cc: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -3857,7 +3857,13 @@ int node_reclaim(struct pglist_data *pgd + */ + int page_evictable(struct page *page) + { +- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ int ret; ++ ++ /* Prevent address_space of inode and swap cache from being freed */ ++ rcu_read_lock(); ++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ rcu_read_unlock(); ++ return ret; + } + + #ifdef CONFIG_SHMEM diff --git a/queue-4.9/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch b/queue-4.9/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch new file mode 100644 index 00000000000..34394614fe1 --- /dev/null +++ b/queue-4.9/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch 
@@ -0,0 +1,79 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Vinayak Menon +Date: Wed, 28 Mar 2018 16:01:16 -0700 +Subject: mm/kmemleak.c: wait for scan completion before disabling free + +From: Vinayak Menon + +[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ] + +A crash is observed when kmemleak_scan accesses the object->pointer, +likely due to the following race. + + TASK A TASK B TASK C + kmemleak_write + (with "scan" and + NOT "scan=on") + kmemleak_scan() + create_object + kmem_cache_alloc fails + kmemleak_disable + kmemleak_do_cleanup + kmemleak_free_enabled = 0 + kfree + kmemleak_free bails out + (kmemleak_free_enabled is 0) + slub frees object->pointer + update_checksum + crash - object->pointer + freed (DEBUG_PAGEALLOC) + +kmemleak_do_cleanup waits for the scan thread to complete, but not for +direct call to kmemleak_scan via kmemleak_write. So add a wait for +kmemleak_scan completion before disabling kmemleak_free, and while at it +fix the comment on stop_scan_thread. + +[vinmenon@codeaurora.org: fix stop_scan_thread comment] + Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org +Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org +Signed-off-by: Vinayak Menon +Reviewed-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1577,8 +1577,7 @@ static void start_scan_thread(void) + } + + /* +- * Stop the automatic memory scanning thread. This function must be called +- * with the scan_mutex held. ++ * Stop the automatic memory scanning thread. 
+ */ + static void stop_scan_thread(void) + { +@@ -1841,12 +1840,15 @@ static void kmemleak_do_cleanup(struct w + { + stop_scan_thread(); + ++ mutex_lock(&scan_mutex); + /* +- * Once the scan thread has stopped, it is safe to no longer track +- * object freeing. Ordering of the scan thread stopping and the memory +- * accesses below is guaranteed by the kthread_stop() function. ++ * Once it is made sure that kmemleak_scan has stopped, it is safe to no ++ * longer track object freeing. Ordering of the scan thread stopping and ++ * the memory accesses below is guaranteed by the kthread_stop() ++ * function. + */ + kmemleak_free_enabled = 0; ++ mutex_unlock(&scan_mutex); + + if (!kmemleak_found_leaks) + __kmemleak_do_cleanup(); diff --git a/queue-4.9/mm-ksm-fix-interaction-with-thp.patch b/queue-4.9/mm-ksm-fix-interaction-with-thp.patch new file mode 100644 index 00000000000..ae195d7a54c --- /dev/null +++ b/queue-4.9/mm-ksm-fix-interaction-with-thp.patch 
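Review bot: The rewritten comment in kmemleak_do_cleanup still attributes the ordering to kthread_stop(), but the case this patch closes, a scan started directly from kmemleak_write, is ordered by taking `scan_mutex` rather than by stopping the thread. I would say so in the comment, e.g. `/* Taking scan_mutex waits for a kmemleak_scan() invoked via kmemleak_write; kthread_stop() only covers the scan thread. */`. The first hunk drops the "must be called with the scan_mutex held" sentence from stop_scan_thread without stating the new rule; since the mutex is taken only after the call, it is presumably now called unlocked, and the comment could say that. Both function bodies continue outside the hunks.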
@@ -0,0 +1,103 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Claudio Imbrenda +Date: Thu, 5 Apr 2018 16:25:41 -0700 +Subject: mm/ksm: fix interaction with THP + +From: Claudio Imbrenda + +[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ] + +This patch fixes a corner case for KSM. When two pages belong or +belonged to the same transparent hugepage, and they should be merged, +KSM fails to split the page, and therefore no merging happens. + +This bug can be reproduced by: +* making sure ksm is running (in case disabling ksmtuned) +* enabling transparent hugepages +* allocating a THP-aligned 1-THP-sized buffer + e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21) +* filling it with the same values + e.g. memset(p, 42, 1<<21) +* performing madvise to make it mergeable + e.g. madvise(p, 1<<21, MADV_MERGEABLE) +* waiting for KSM to perform a few scans + +The expected outcome is that the all the pages get merged (1 shared and +the rest sharing); the actual outcome is that no pages get merged (1 +unshared and the rest volatile) + +The reason of this behaviour is that we increase the reference count +once for both pages we want to merge, but if they belong to the same +hugepage (or compound page), the reference counter used in both cases is +the one of the head of the compound page. This means that +split_huge_page will find a value of the reference counter too high and +will fail. + +This patch solves this problem by testing if the two pages to merge +belong to the same hugepage when attempting to merge them. If so, the +hugepage is split safely. This means that the hugepage is not split if +not necessary. + +Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com +Signed-off-by: Claudio Imbrenda +Co-authored-by: Gerald Schaefer +Reviewed-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Minchan Kim +Cc: Kirill A. 
Shutemov +Cc: Hugh Dickins +Cc: Christian Borntraeger +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/ksm.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -1469,8 +1469,22 @@ static void cmp_and_merge_page(struct pa + tree_rmap_item = + unstable_tree_search_insert(rmap_item, page, &tree_page); + if (tree_rmap_item) { ++ bool split; ++ + kpage = try_to_merge_two_pages(rmap_item, page, + tree_rmap_item, tree_page); ++ /* ++ * If both pages we tried to merge belong to the same compound ++ * page, then we actually ended up increasing the reference ++ * count of the same compound page twice, and split_huge_page ++ * failed. ++ * Here we set a flag if that happened, and we use it later to ++ * try split_huge_page again. Since we call put_page right ++ * afterwards, the reference count will be correct and ++ * split_huge_page should succeed. ++ */ ++ split = PageTransCompound(page) ++ && compound_head(page) == compound_head(tree_page); + put_page(tree_page); + if (kpage) { + /* +@@ -1495,6 +1509,20 @@ static void cmp_and_merge_page(struct pa + break_cow(tree_rmap_item); + break_cow(rmap_item); + } ++ } else if (split) { ++ /* ++ * We are here if we tried to merge two pages and ++ * failed because they both belonged to the same ++ * compound page. We will split the page now, but no ++ * merging will take place. ++ * We do not want to add the cost of a full lock; if ++ * the page is locked, it is better to skip it and ++ * perhaps try again later. ++ */ ++ if (!trylock_page(page)) ++ return; ++ split_huge_page(page); ++ unlock_page(page); + } + } + } diff --git a/queue-4.9/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch b/queue-4.9/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch new file mode 100644 index 00000000000..522d38e3c24 --- /dev/null 
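Review bot: In the new `else if (split)` branch the result of `split_huge_page(page)` is discarded, so a split that fails again cannot be told apart from one that succeeded. If that is meant as best effort, the comment should say so, e.g. `/* Best effort: if the split fails the pages stay unmerged for this pass. */`. The `return` on a failed `trylock_page()` also skips whatever follows in cmp_and_merge_page, whose tail is outside the hunk, so it is worth confirming that nothing after this block needs to run.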
+++ b/queue-4.9/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch
@@ -0,0 +1,63 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Yisheng Xie
+Date: Wed, 31 Jan 2018 16:16:15 -0800
+Subject: mm/mempolicy: add nodes_empty check in SYSC_migrate_pages
+
+From: Yisheng Xie
+
+[ Upstream commit 0486a38bcc4749808edbc848f1bcf232042770fc ]
+
+As in manpage of migrate_pages, the errno should be set to EINVAL when
+none of the node IDs specified by new_nodes are on-line and allowed by
+the process's current cpuset context, or none of the specified nodes
+contain memory. However, when test by following case:
+
+ new_nodes = 0;
+ old_nodes = 0xf;
+ ret = migrate_pages(pid, old_nodes, new_nodes, MAX);
+
+The ret will be 0 and no errno is set. As the new_nodes is empty, we
+should expect EINVAL as documented.
+
+To fix the case like above, this patch check whether target nodes AND
+current task_nodes is empty, and then check whether AND
+node_states[N_MEMORY] is empty.
+
+Link: http://lkml.kernel.org/r/1510882624-44342-4-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Yisheng Xie
+Acked-by: Vlastimil Babka
+Cc: Andi Kleen
+Cc: Chris Salls
+Cc: Christopher Lameter
+Cc: David Rientjes
+Cc: Ingo Molnar
+Cc: Naoya Horiguchi
+Cc: Tan Xiaojun
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempolicy.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1442,10 +1442,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
+ goto out_put;
+ }
+
+- if (!nodes_subset(*new, node_states[N_MEMORY])) {
+- err = -EINVAL;
++ task_nodes = cpuset_mems_allowed(current);
++ nodes_and(*new, *new, task_nodes);
++ if (nodes_empty(*new))
++ goto out_put;
++
++ nodes_and(*new, *new, node_states[N_MEMORY]);
++ if (nodes_empty(*new))
+ goto out_put;
+- }
+
+ err = security_task_movememory(task);
+ if (err)
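Review bot: Both new `goto out_put` exits after `nodes_empty(*new)` leave `err` untouched, whereas the removed branch set `err = -EINVAL` explicitly. The EINVAL that the commit message promises therefore depends on an assignment outside the hunk, and a later edit above this point could silently turn it into 0 or another code. Setting it at the site keeps the contract local: `if (nodes_empty(*new)) { err = -EINVAL; goto out_put; }` in both places. SYSCALL_DEFINE4(migrate_pages) starts and ends outside the hunk, so the value of `err` at this point cannot be confirmed from here.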
diff --git a/queue-4.9/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch b/queue-4.9/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch new file mode 100644 index 00000000000..9e42bf0a3a2 --- /dev/null +++ b/queue-4.9/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch 
@@ -0,0 +1,110 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yisheng Xie +Date: Wed, 31 Jan 2018 16:16:11 -0800 +Subject: mm/mempolicy: fix the check of nodemask from user + +From: Yisheng Xie + +[ Upstream commit 56521e7a02b7b84a5e72691a1fb15570e6055545 ] + +As Xiaojun reported the ltp of migrate_pages01 will fail on arm64 system +which has 4 nodes[0...3], all have memory and CONFIG_NODES_SHIFT=2: + + migrate_pages01 0 TINFO : test_invalid_nodes + migrate_pages01 14 TFAIL : migrate_pages_common.c:45: unexpected failure - returned value = 0, expected: -1 + migrate_pages01 15 TFAIL : migrate_pages_common.c:55: call succeeded unexpectedly + +In this case the test_invalid_nodes of migrate_pages01 will call: +SYSC_migrate_pages as: + + migrate_pages(0, , {0x0000000000000001}, 64, , {0x0000000000000010}, 64) = 0 + +The new nodes specifies one or more node IDs that are greater than the +maximum supported node ID, however, the errno is not set to EINVAL as +expected. + +As man pages of set_mempolicy[1], mbind[2], and migrate_pages[3] +mentioned, when nodemask specifies one or more node IDs that are greater +than the maximum supported node ID, the errno should set to EINVAL. +However, get_nodes only check whether the part of bits +[BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES), maxnode) is zero or not, and +remain [MAX_NUMNODES, BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES) +unchecked. + +This patch is to check the bits of [MAX_NUMNODES, maxnode) in get_nodes +to let migrate_pages set the errno to EINVAL when nodemask specifies one +or more node IDs that are greater than the maximum supported node ID, +which follows the manpage's guide. 
+ +[1] http://man7.org/linux/man-pages/man2/set_mempolicy.2.html +[2] http://man7.org/linux/man-pages/man2/mbind.2.html +[3] http://man7.org/linux/man-pages/man2/migrate_pages.2.html + +Link: http://lkml.kernel.org/r/1510882624-44342-3-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Yisheng Xie +Reported-by: Tan Xiaojun +Acked-by: Vlastimil Babka +Cc: Andi Kleen +Cc: Chris Salls +Cc: Christopher Lameter +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Naoya Horiguchi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1264,6 +1264,7 @@ static int get_nodes(nodemask_t *nodes, + unsigned long maxnode) + { + unsigned long k; ++ unsigned long t; + unsigned long nlongs; + unsigned long endmask; + +@@ -1280,13 +1281,19 @@ static int get_nodes(nodemask_t *nodes, + else + endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1; + +- /* When the user specified more nodes than supported just check +- if the non supported part is all zero. */ ++ /* ++ * When the user specified more nodes than supported just check ++ * if the non supported part is all zero. ++ * ++ * If maxnode have more longs than MAX_NUMNODES, check ++ * the bits in that area first. And then go through to ++ * check the rest bits which equal or bigger than MAX_NUMNODES. ++ * Otherwise, just check bits [MAX_NUMNODES, maxnode). 
++ */ + if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) { + if (nlongs > PAGE_SIZE/sizeof(long)) + return -EINVAL; + for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) { +- unsigned long t; + if (get_user(t, nmask + k)) + return -EFAULT; + if (k == nlongs - 1) { +@@ -1299,6 +1306,16 @@ static int get_nodes(nodemask_t *nodes, + endmask = ~0UL; + } + ++ if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) { ++ unsigned long valid_mask = endmask; ++ ++ valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1); ++ if (get_user(t, nmask + nlongs - 1)) ++ return -EFAULT; ++ if (t & valid_mask) ++ return -EINVAL; ++ } ++ + if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long))) + return -EFAULT; + nodes_addr(*nodes)[nlongs-1] &= endmask; diff --git a/queue-4.9/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch b/queue-4.9/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch new file mode 100644 index 00000000000..eaa04ef8870 --- /dev/null +++ b/queue-4.9/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch 
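Review bot: The new range check fetches the last mask word with `get_user(t, nmask + nlongs - 1)`, and `copy_from_user()` then fetches the same memory again, so the value that was validated is not necessarily the value that lands in `*nodes` if user space rewrites the word in between. As far as the hunks show, the final `nodes_addr(*nodes)[nlongs-1] &= endmask` does not clear bits at or above MAX_NUMNODES, for instance once the earlier loop has set `endmask = ~0UL`. I would run the check against the kernel copy after `copy_from_user()`, or additionally clear those bits there, so that validation and use see the same data. The start of get_nodes, including how `maxnode` and `nlongs` are derived, is outside the hunks.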
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Yisheng Xie
+Date: Thu, 22 Mar 2018 16:17:02 -0700
+Subject: mm/mempolicy.c: avoid use uninitialized preferred_node
+
+From: Yisheng Xie
+
+[ Upstream commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 ]
+
+Alexander reported a use of uninitialized memory in __mpol_equal(),
+which is caused by incorrect use of preferred_node.
+
+When mempolicy in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses
+numa_node_id() instead of preferred_node, however, __mpol_equal() uses
+preferred_node without checking whether it is MPOL_F_LOCAL or not.
+
+[akpm@linux-foundation.org: slight comment tweak]
+Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com
+Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy")
+Signed-off-by: Yisheng Xie
+Reported-by: Alexander Potapenko
+Tested-by: Alexander Potapenko
+Reviewed-by: Andrew Morton
+Cc: Dmitriy Vyukov
+Cc: Vlastimil Babka
+Cc: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempolicy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2159,6 +2159,9 @@ bool __mpol_equal(struct mempolicy *a, s
+ case MPOL_INTERLEAVE:
+ return !!nodes_equal(a->v.nodes, b->v.nodes);
+ case MPOL_PREFERRED:
++ /* a's ->flags is the same as b's */
++ if (a->flags & MPOL_F_LOCAL)
++ return true;
+ return a->v.preferred_node == b->v.preferred_node;
+ default:
+ BUG();
diff --git a/queue-4.9/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch b/queue-4.9/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch
new file mode 100644
index 00000000000..a80d0556c2c
--- /dev/null
+++ b/queue-4.9/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch
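Review bot: The early `return true` for `MPOL_F_LOCAL` is only correct if `a->flags == b->flags` has already been established, which the added comment asserts but the hunk does not show. That comparison presumably sits earlier in __mpol_equal, outside the hunk, so I would make the comment name the dependency, e.g. `/* flags compared equal above, so both are local; preferred_node is unused and may be uninitialized */`. That also records why the field must not be read on this path.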
@@ -0,0 +1,96 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Mel Gorman +Date: Wed, 31 Jan 2018 16:19:52 -0800 +Subject: mm: pin address_space before dereferencing it while isolating an LRU page + +From: Mel Gorman + +[ Upstream commit 69d763fc6d3aee787a3e8c8c35092b4f4960fa5d ] + +Minchan Kim asked the following question -- what locks protects +address_space destroying when race happens between inode trauncation and +__isolate_lru_page? Jan Kara clarified by describing the race as follows + +CPU1 CPU2 + +truncate(inode) __isolate_lru_page() + ... + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + if (mapping && !mapping->a_ops->migratepage) +- we've dereferenced mapping which is potentially already free. + +The race is theoretically possible but unlikely. Before the +delete_from_page_cache, truncate_cleanup_page is called so the page is +likely to be !PageDirty or PageWriteback which gets skipped by the only +caller that checks the mappping in __isolate_lru_page. Even if the race +occurs, a substantial amount of work has to happen during a tiny window +with no preemption but it could potentially be done using a virtual +machine to artifically slow one CPU or halt it during the critical +window. + +This patch should eliminate the race with truncation by try-locking the +page before derefencing mapping and aborting if the lock was not +acquired. There was a suggestion from Huang Ying to use RCU as a +side-effect to prevent mapping being freed. 
However, I do not like the +solution as it's an unconventional means of preserving a mapping and +it's not a context where rcu_read_lock is obviously protecting rcu data. + +Link: http://lkml.kernel.org/r/20180104102512.2qos3h5vqzeisrek@techsingularity.net +Fixes: c82449352854 ("mm: compaction: make isolate_lru_page() filter-aware again") +Signed-off-by: Mel Gorman +Acked-by: Minchan Kim +Cc: "Huang, Ying" +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -1374,6 +1374,7 @@ int __isolate_lru_page(struct page *page + + if (PageDirty(page)) { + struct address_space *mapping; ++ bool migrate_dirty; + + /* ISOLATE_CLEAN means only clean pages */ + if (mode & ISOLATE_CLEAN) +@@ -1382,10 +1383,19 @@ int __isolate_lru_page(struct page *page + /* + * Only pages without mappings or that have a + * ->migratepage callback are possible to migrate +- * without blocking ++ * without blocking. However, we can be racing with ++ * truncation so it's necessary to lock the page ++ * to stabilise the mapping as truncation holds ++ * the page lock until after the page is removed ++ * from the page cache. + */ ++ if (!trylock_page(page)) ++ return ret; ++ + mapping = page_mapping(page); +- if (mapping && !mapping->a_ops->migratepage) ++ migrate_dirty = mapping && mapping->a_ops->migratepage; ++ unlock_page(page); ++ if (!migrate_dirty) + return ret; + } + } diff --git a/queue-4.9/mm-thp-do-not-cause-memcg-oom-for-thp.patch b/queue-4.9/mm-thp-do-not-cause-memcg-oom-for-thp.patch new file mode 100644 index 00000000000..8a5f72982ba --- /dev/null +++ b/queue-4.9/mm-thp-do-not-cause-memcg-oom-for-thp.patch 
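Review bot: In the PageDirty branch of __isolate_lru_page(), `mapping` stays in scope after `unlock_page(page)` although it is only safe to dereference while the page lock is held, and nothing in the code says so. The patch handles this correctly by reducing the lookup to `migrate_dirty` before unlocking, but a later edit that tests `mapping->a_ops` below the unlock would bring back the use-after-free the description walks through. I would add `/* mapping may be freed once the page is unlocked; only migrate_dirty is valid below */` directly above `unlock_page(page);`. A failed `trylock_page()` now also returns `ret` for a dirty page that is merely locked by someone else, which looks like a behaviour change for callers; the function starts and ends outside the hunk, so that needs checking in the full source.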
@@ -0,0 +1,80 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: David Rientjes +Date: Thu, 22 Mar 2018 16:17:45 -0700 +Subject: mm, thp: do not cause memcg oom for thp + +From: David Rientjes + +[ Upstream commit 9d3c3354bb85bab4d865fe95039443f09a4c8394 ] + +Commit 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and +madvised allocations") changed the page allocator to no longer detect +thp allocations based on __GFP_NORETRY. + +It did not, however, modify the mem cgroup try_charge() path to avoid +oom kill for either khugepaged collapsing or thp faulting. It is never +expected to oom kill a process to allocate a hugepage for thp; reclaim +is governed by the thp defrag mode and MADV_HUGEPAGE, but allocations +(and charging) should fallback instead of oom killing processes. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1803191409420.124411@chino.kir.corp.google.com +Fixes: 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and madvised allocations") +Signed-off-by: David Rientjes +Cc: "Kirill A. 
Shutemov" +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 5 +++-- + mm/khugepaged.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -542,7 +542,8 @@ static int __do_huge_pmd_anonymous_page( + + VM_BUG_ON_PAGE(!PageCompound(page), page); + +- if (mem_cgroup_try_charge(page, vma->vm_mm, gfp, &memcg, true)) { ++ if (mem_cgroup_try_charge(page, vma->vm_mm, gfp | __GFP_NORETRY, &memcg, ++ true)) { + put_page(page); + count_vm_event(THP_FAULT_FALLBACK); + return VM_FAULT_FALLBACK; +@@ -1060,7 +1061,7 @@ alloc: + } + + if (unlikely(mem_cgroup_try_charge(new_page, vma->vm_mm, +- huge_gfp, &memcg, true))) { ++ huge_gfp | __GFP_NORETRY, &memcg, true))) { + put_page(new_page); + split_huge_pmd(vma, fe->pmd, fe->address); + if (page) +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -963,7 +963,9 @@ static void collapse_huge_page(struct mm + goto out_nolock; + } + +- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) { ++ /* Do not oom kill for khugepaged charges */ ++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY, ++ &memcg, true))) { + result = SCAN_CGROUP_CHARGE_FAIL; + goto out_nolock; + } +@@ -1323,7 +1325,9 @@ static void collapse_shmem(struct mm_str + goto out; + } + +- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) { ++ /* Do not oom kill for khugepaged charges */ ++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY, ++ &memcg, true))) { + result = SCAN_CGROUP_CHARGE_FAIL; + goto out; + } diff --git a/queue-4.9/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch b/queue-4.9/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch new file mode 100644 index 00000000000..d37c155f586 --- /dev/null 
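Review bot: The two mem_cgroup_try_charge() call sites changed in mm/huge_memory.c gain `| __GFP_NORETRY` with no comment, while both mm/khugepaged.c sites get `/* Do not oom kill for khugepaged charges */`. The flag is used here for its effect on the memcg charge path rather than on the page allocator, which is not obvious at the call site, so the fault-path sites deserve the same one-liner, for example `/* Do not oom kill for thp fault charges */`. With four copies of the same expression, a local such as `gfp_t charge_gfp = gfp | __GFP_NORETRY;` in each function would make it harder for a future call site to miss the flag. All four functions continue outside the lines shown.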
+++ b/queue-4.9/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch 
@@ -0,0 +1,94 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yang Shi +Date: Wed, 31 Jan 2018 16:18:28 -0800 +Subject: mm: thp: use down_read_trylock() in khugepaged to avoid long block + +From: Yang Shi + +[ Upstream commit 3b454ad35043dfbd3b5d2bb92b0991d6342afb44 ] + +In the current design, khugepaged needs to acquire mmap_sem before +scanning an mm. But in some corner cases, khugepaged may scan a process +which is modifying its memory mapping, so khugepaged blocks in +uninterruptible state. But the process might hold the mmap_sem for a +long time when modifying a huge memory space and it may trigger the +below khugepaged hung issue: + + INFO: task khugepaged:270 blocked for more than 120 seconds. + Tainted: G E 4.9.65-006.ali3000.alios7.x86_64 #1 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + khugepaged D 0 270 2 0x00000000  + ffff883f3deae4c0 0000000000000000 ffff883f610596c0 ffff883f7d359440 + ffff883f63818000 ffffc90019adfc78 ffffffff817079a5 d67e5aa8c1860a64 + 0000000000000246 ffff883f7d359440 ffffc90019adfc88 ffff883f610596c0 + Call Trace: + schedule+0x36/0x80 + rwsem_down_read_failed+0xf0/0x150 + call_rwsem_down_read_failed+0x18/0x30 + down_read+0x20/0x40 + khugepaged+0x476/0x11d0 + kthread+0xe6/0x100 + ret_from_fork+0x25/0x30 + +So it sounds pointless to just block khugepaged waiting for the +semaphore so replace down_read() with down_read_trylock() to move to +scan the next mm quickly instead of just blocking on the semaphore so +that other processes can get more chances to install THP. Then +khugepaged can come back to scan the skipped mm when it has finished the +current round full_scan. + +And it appears that the change can improve khugepaged efficiency a +little bit. 
+ +Below is the test result when running LTP on a 24 cores 4GB memory 2 +nodes NUMA VM: + + pristine w/ trylock + full_scan 197 187 + pages_collapsed 21 26 + thp_fault_alloc 40818 44466 + thp_fault_fallback 18413 16679 + thp_collapse_alloc 21 150 + thp_collapse_alloc_failed 14 16 + thp_file_alloc 369 369 + +[akpm@linux-foundation.org: coding-style fixes] +[akpm@linux-foundation.org: tweak comment] +[arnd@arndb.de: avoid uninitialized variable use] + Link: http://lkml.kernel.org/r/20171215125129.2948634-1-arnd@arndb.de +Link: http://lkml.kernel.org/r/1513281203-54878-1-git-send-email-yang.s@alibaba-inc.com +Signed-off-by: Yang Shi +Acked-by: Kirill A. Shutemov +Acked-by: Michal Hocko +Cc: Hugh Dickins +Cc: Andrea Arcangeli +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/khugepaged.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1678,10 +1678,14 @@ static unsigned int khugepaged_scan_mm_s + spin_unlock(&khugepaged_mm_lock); + + mm = mm_slot->mm; +- down_read(&mm->mmap_sem); +- if (unlikely(khugepaged_test_exit(mm))) +- vma = NULL; +- else ++ /* ++ * Don't wait for semaphore (to avoid long wait times). Just move to ++ * the next mm on the list. ++ */ ++ vma = NULL; ++ if (unlikely(!down_read_trylock(&mm->mmap_sem))) ++ goto breakouterloop_mmap_sem; ++ if (likely(!khugepaged_test_exit(mm))) + vma = find_vma(mm, khugepaged_scan.address); + + progress++; diff --git a/queue-4.9/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch b/queue-4.9/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch new file mode 100644 index 00000000000..bdd02234110 --- /dev/null +++ b/queue-4.9/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch 
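Review bot: The `goto breakouterloop_mmap_sem` taken when `down_read_trylock()` fails in khugepaged_scan_mm_slot() jumps over `progress++`, so a contended mm is skipped without any progress being counted. The label and the caller's loop are outside the hunk, so it is worth confirming that a pass in which every mm is contended still terminates rather than spinning. The `vma = NULL;` assignment ahead of the goto also matters (the description credits a follow-up fix for an uninitialized variable), and the new comment only explains the trylock. I would extend it with `/* vma must be NULL before the goto; presumably the code after the label tests it */` after checking what the label's code reads.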
@@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:30 -0700 +Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() + +From: Florian Fainelli + +[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ] + +bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian +32-bit word without using proper accessors, fix this, and because a +length cannot be negative, use unsigned int while at it. + +Fixes: 9cde94506eac ("bgmac: implement scatter/gather support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -529,7 +529,8 @@ static void bgmac_dma_tx_ring_free(struc + int i; + + for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { +- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; ++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); ++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; + + slot = &ring->slots[i]; + dev_kfree_skb(slot->skb); diff --git a/queue-4.9/net-fix-untag-for-vlan-packets-without-ethernet-header.patch b/queue-4.9/net-fix-untag-for-vlan-packets-without-ethernet-header.patch new file mode 100644 index 00000000000..a3b9b0b5d57 --- /dev/null +++ b/queue-4.9/net-fix-untag-for-vlan-packets-without-ethernet-header.patch 
@@ -0,0 +1,99 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Toshiaki Makita +Date: Thu, 29 Mar 2018 19:05:29 +0900 +Subject: net: Fix untag for vlan packets without ethernet header + +From: Toshiaki Makita + +[ Upstream commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 ] + +In some situation vlan packets do not have ethernet headers. One example +is packets from tun devices. Users can specify vlan protocol in tun_pi +field instead of IP protocol, and skb_vlan_untag() attempts to untag such +packets. + +skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it) +however did not expect packets without ethernet headers, so in such a case +size argument for memmove() underflowed and triggered crash. + +==== +BUG: unable to handle kernel paging request at ffff8801cccb8000 +IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 +PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101 +Oops: 000b [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 +RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287 +RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2 +RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000 +RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899 +R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4 +R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40 +FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0 +DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + memmove include/linux/string.h:360 
[inline] + skb_reorder_vlan_header net/core/skbuff.c:5031 [inline] + skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061 + __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460 + __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627 + netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701 + netif_receive_skb+0xae/0x390 net/core/dev.c:4725 + tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555 + tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962 + tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990 + call_write_iter include/linux/fs.h:1782 [inline] + new_sync_write fs/read_write.c:469 [inline] + __vfs_write+0x684/0x970 fs/read_write.c:482 + vfs_write+0x189/0x510 fs/read_write.c:544 + SYSC_write fs/read_write.c:589 [inline] + SyS_write+0xef/0x220 fs/read_write.c:581 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x454879 +RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879 +RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014 +RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000 +Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 +RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28 +CR2: ffff8801cccb8000 +==== + +We don't need to copy headers for packets which do not have preceding +headers of vlan headers, so skip memmove() in that case. + +Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off") +Reported-by: Eric Dumazet +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4483,8 +4483,10 @@ static struct sk_buff *skb_reorder_vlan_ + } + + mac_len = skb->data - skb_mac_header(skb); +- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), +- mac_len - VLAN_HLEN - ETH_TLEN); ++ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) { ++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), ++ mac_len - VLAN_HLEN - ETH_TLEN); ++ } + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.9/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch b/queue-4.9/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch new file mode 100644 index 00000000000..0279acc066e --- /dev/null +++ b/queue-4.9/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch 
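Review bot: When the new guard in skb_reorder_vlan_header() skips the memmove(), `skb->mac_header += VLAN_HLEN` still runs, so for a frame with no Ethernet header the mac header offset is advanced although nothing was shifted. That may be harmless, but neither the code nor the description explains it, and the start of the function is outside the hunk. The guard itself has no comment either; something like `/* no header precedes the vlan tag (e.g. tun): the length below would go negative */` would record why it exists. Without the guard, `mac_len - VLAN_HLEN - ETH_TLEN` is converted to a huge size for memmove(), which is the out-of-bounds copy shown in the oops.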
@@ -0,0 +1,120 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Toshiaki Makita +Date: Tue, 13 Mar 2018 14:51:27 +0900 +Subject: net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off + +From: Toshiaki Makita + +[ Upstream commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 ] + +When we have a bridge with vlan_filtering on and a vlan device on top of +it, packets would be corrupted in skb_vlan_untag() called from +br_dev_xmit(). + +The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(), +which makes use of skb->mac_len. In this function mac_len is meant for +handling rx path with vlan devices with reorder_header disabled, but in +tx path mac_len is typically 0 and cannot be used, which is the problem +in this case. + +The current code even does not properly handle rx path (skb_vlan_untag() +called from __netif_receive_skb_core()) with reorder_header off actually. + +In rx path single tag case, it works as follows: + +- Before skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+-------------+------+---- + | ETH | VLAN | ETH | + | ADDRS | TPID | TCI | TYPE | + +-------------------+-------------+------+---- + <-------- mac_len ---------> + <-------------> + to be removed + +- After skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+------+---- + | ETH | ETH | + | ADDRS | TYPE | + +-------------------+------+---- + <-------- mac_len ---------> + +This is ok, but in rx double tag case, it corrupts packets: + +- Before skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+-------------+-------------+------+---- + | ETH | VLAN | VLAN | ETH | + | ADDRS | TPID | TCI | TPID | TCI | TYPE | + +-------------------+-------------+-------------+------+---- + <--------------- mac_len ----------------> + <-------------> + should be removed + <---------------------------> + actually will be removed + +- After skb_reorder_vlan_header() + + mac_header data + v v + 
+-------------------+------+---- + | ETH | ETH | + | ADDRS | TYPE | + +-------------------+------+---- + <--------------- mac_len ----------------> + +So, two of vlan tags are both removed while only inner one should be +removed and mac_header (and mac_len) is broken. + +skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2), +so use skb->data and skb->mac_header to calculate the right offset. + +Reported-by: Brandon Carpenter +Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off") +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/if_ether.h | 1 + + net/core/skbuff.c | 7 +++++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/if_ether.h ++++ b/include/uapi/linux/if_ether.h +@@ -29,6 +29,7 @@ + */ + + #define ETH_ALEN 6 /* Octets in one ethernet addr */ ++#define ETH_TLEN 2 /* Octets in ethernet type field */ + #define ETH_HLEN 14 /* Total octets in header. */ + #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */ + #define ETH_DATA_LEN 1500 /* Max. octets in payload */ +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4475,13 +4475,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mtu); + + static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + { ++ int mac_len; ++ + if (skb_cow(skb, skb_headroom(skb)) < 0) { + kfree_skb(skb); + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, +- 2 * ETH_ALEN); ++ mac_len = skb->data - skb_mac_header(skb); ++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), ++ mac_len - VLAN_HLEN - ETH_TLEN); + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.9/net-mlx5-protect-from-command-bit-overflow.patch b/queue-4.9/net-mlx5-protect-from-command-bit-overflow.patch new file mode 100644 index 00000000000..bfeea598f04 --- /dev/null 
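Review bot: The memmove() length introduced in skb_reorder_vlan_header(), `mac_len - VLAN_HLEN - ETH_TLEN`, has no lower bound, and `mac_len` is a signed int computed from `skb->data - skb_mac_header(skb)`. The guard for header-less frames arrives only with net-fix-untag-for-vlan-packets-without-ethernet-header.patch, which is added by this same commit and carries a Fixes: tag for this upstream change. The two patches should stay paired in the queue, with this one ordered first in the series file (not visible here), so that no released 4.9.y tree carries the unguarded copy.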
+++ b/queue-4.9/net-mlx5-protect-from-command-bit-overflow.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Leon Romanovsky +Date: Tue, 2 Jan 2018 16:49:56 +0200 +Subject: net/mlx5: Protect from command bit overflow + +From: Leon Romanovsky + +[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ] + +The system with CONFIG_UBSAN enabled on produces the following error +during driver initialization. The reason to it that max_reg_cmds can be +larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long. + +================================================================================ +UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42 +signed integer overflow: +-2147483648 - 1 cannot be represented in type 'int' +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xe9/0x18f + ? dma_virt_alloc+0x81/0x81 + ubsan_epilogue+0xe/0x4e + handle_overflow+0x187/0x20c + mlx5_cmd_init+0x73a/0x12b0 + mlx5_load_one+0x1c3d/0x1d30 + init_one+0xd02/0xf10 + pci_device_probe+0x26c/0x3b0 + driver_probe_device+0x622/0xb40 + __driver_attach+0x175/0x1b0 + bus_for_each_dev+0xef/0x190 + bus_add_driver+0x2db/0x490 + driver_register+0x16b/0x1e0 + __pci_register_driver+0x177/0x1b0 + init+0x6d/0x92 + do_one_initcall+0x15b/0x270 + kernel_init_freeable+0x2d8/0x3d0 + kernel_init+0x14/0x190 + ret_from_fork+0x24/0x30 +================================================================================ + +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1765,7 +1765,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * + 
+ cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; ++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; + + cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; + if (cmd->cmdif_rev > CMD_IF_REV) { diff --git a/queue-4.9/net-mvneta-fix-enable-of-all-initialized-rxqs.patch b/queue-4.9/net-mvneta-fix-enable-of-all-initialized-rxqs.patch new file mode 100644 index 00000000000..cf038744215 --- /dev/null +++ b/queue-4.9/net-mvneta-fix-enable-of-all-initialized-rxqs.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Yelena Krivosheev +Date: Fri, 30 Mar 2018 12:05:31 +0200 +Subject: net: mvneta: fix enable of all initialized RXQs + +From: Yelena Krivosheev + +[ Upstream commit e81b5e01c14add8395dfba7130f8829206bb507d ] + +In mvneta_port_up() we enable relevant RX and TX port queues by write +queues bit map to an appropriate register. + +q_map must be ZERO in the beginning of this process. + +Signed-off-by: Yelena Krivosheev +Acked-by: Thomas Petazzoni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1080,6 +1080,7 @@ static void mvneta_port_up(struct mvneta + } + mvreg_write(pp, MVNETA_TXQ_CMD, q_map); + ++ q_map = 0; + /* Enable all initialized RXQs. */ + for (queue = 0; queue < rxq_number; queue++) { + struct mvneta_rx_queue *rxq = &pp->rxqs[queue]; diff --git a/queue-4.9/net-qcom-emac-use-proper-free-methods-during-tx.patch b/queue-4.9/net-qcom-emac-use-proper-free-methods-during-tx.patch new file mode 100644 index 00000000000..6e3d70dfa52 --- /dev/null +++ b/queue-4.9/net-qcom-emac-use-proper-free-methods-during-tx.patch 
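Review bot: Widening the constant to `1UL` in mlx5_cmd_init() removes the signed-int overflow that UBSAN reported, but a shift count of BITS_PER_LONG or more is still undefined, and `cmd->max_reg_cmds` is `(1 << cmd->log_sz) - 1` on the line above. The change is therefore only sound if `log_sz` is range-checked earlier in the function, which is outside the hunk; presumably the value is read from the device, which makes that check the real protection. I would record the assumption next to the shift, e.g. `/* relies on max_reg_cmds < BITS_PER_LONG; log_sz is validated above */`, once the check has been confirmed in the 4.9 tree. On 32-bit builds unsigned long is 32 bits wide, so the bound that matters is 31.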
@@ -0,0 +1,70 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Hemanth Puranik +Date: Tue, 6 Mar 2018 08:18:06 +0530 +Subject: net: qcom/emac: Use proper free methods during TX + +From: Hemanth Puranik + +[ Upstream commit cc5db3150e87fe7f7e947bf333b6c1c97f848ecb ] + +This patch fixes the warning messages/call traces seen if DMA debug is +enabled, In case of fragmented skb's memory was allocated using +dma_map_page but freed using dma_unmap_single. This patch modifies buffer +allocations in TX path to use dma_map_page in all the places and +dma_unmap_page while freeing the buffers. + +Signed-off-by: Hemanth Puranik +Acked-by: Timur Tabi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/emac/emac-mac.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c +@@ -1250,9 +1250,9 @@ void emac_mac_tx_process(struct emac_ada + while (tx_q->tpd.consume_idx != hw_consume_idx) { + tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.consume_idx); + if (tpbuf->dma_addr) { +- dma_unmap_single(adpt->netdev->dev.parent, +- tpbuf->dma_addr, tpbuf->length, +- DMA_TO_DEVICE); ++ dma_unmap_page(adpt->netdev->dev.parent, ++ tpbuf->dma_addr, tpbuf->length, ++ DMA_TO_DEVICE); + tpbuf->dma_addr = 0; + } + +@@ -1409,9 +1409,11 @@ static void emac_tx_fill_tpd(struct emac + + tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx); + tpbuf->length = mapped_len; +- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent, +- skb->data, tpbuf->length, +- DMA_TO_DEVICE); ++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent, ++ virt_to_page(skb->data), ++ offset_in_page(skb->data), ++ tpbuf->length, ++ DMA_TO_DEVICE); + ret = dma_mapping_error(adpt->netdev->dev.parent, + tpbuf->dma_addr); + if (ret) +@@ -1427,9 +1429,12 @@ static void emac_tx_fill_tpd(struct emac + if (mapped_len < len) { 
+ tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx); + tpbuf->length = len - mapped_len; +- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent, +- skb->data + mapped_len, +- tpbuf->length, DMA_TO_DEVICE); ++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent, ++ virt_to_page(skb->data + ++ mapped_len), ++ offset_in_page(skb->data + ++ mapped_len), ++ tpbuf->length, DMA_TO_DEVICE); + ret = dma_mapping_error(adpt->netdev->dev.parent, + tpbuf->dma_addr); + if (ret) diff --git a/queue-4.9/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch b/queue-4.9/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch new file mode 100644 index 00000000000..b07a2673824 --- /dev/null +++ b/queue-4.9/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch 
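Review bot: emac_tx_fill_tpd() now maps the linear part of the skb with `dma_map_page()` on `virt_to_page(skb->data)` and `offset_in_page(skb->data)`, which is only valid while `skb->data` lies in the kernel's linear mapping and the mapped length is physically contiguous from that page. That holds for ordinary skb heads, but the call is unusual enough to deserve a comment such as `/* head is mapped as a page so emac_mac_tx_process() can unmap every buffer with dma_unmap_page() */`. The same pair of expressions is repeated for `skb->data + mapped_len`; a small static helper taking the address and length would stop the two copies drifting apart. Both functions continue outside their hunks, so the error path after `dma_mapping_error()` could not be checked here.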
@@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Pawel Dembicki +Date: Sat, 24 Mar 2018 22:08:14 +0100 +Subject: net: qmi_wwan: add BroadMobi BM806U 2020:2033 + +From: Pawel Dembicki + +[ Upstream commit 743989254ea9f132517806d8893ca9b6cf9dc86b ] + +BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem. +Tested hardware BM806U is mounted on D-Link DWR-921-C3 router. +The USB id is added to qmi_wwan.c to allow QMI communication with +the BM806U. + +Tested on 4.14 kernel and OpenWRT. + +Signed-off-by: Pawel Dembicki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -889,6 +889,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ diff --git a/queue-4.9/net-smsc911x-fix-unload-crash-when-link-is-up.patch b/queue-4.9/net-smsc911x-fix-unload-crash-when-link-is-up.patch new file mode 100644 index 00000000000..547c4abc267 --- /dev/null +++ b/queue-4.9/net-smsc911x-fix-unload-crash-when-link-is-up.patch 
@@ -0,0 +1,69 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jeremy Linton +Date: Tue, 6 Mar 2018 09:00:06 -0600 +Subject: net: smsc911x: Fix unload crash when link is up + +From: Jeremy Linton + +[ Upstream commit e06513d78d54e6c7026c9043a39e2c01ee25bdbe ] + +The smsc911x driver will crash if it is rmmod'ed while the netdev +is up like: + +Call trace: + phy_detach+0x94/0x150 + phy_disconnect+0x40/0x50 + smsc911x_stop+0x104/0x128 [smsc911x] + __dev_close_many+0xb4/0x138 + dev_close_many+0xbc/0x190 + rollback_registered_many+0x140/0x460 + rollback_registered+0x68/0xb0 + unregister_netdevice_queue+0x100/0x118 + unregister_netdev+0x28/0x38 + smsc911x_drv_remove+0x58/0x130 [smsc911x] + platform_drv_remove+0x30/0x50 + device_release_driver_internal+0x15c/0x1f8 + driver_detach+0x54/0x98 + bus_remove_driver+0x64/0xe8 + driver_unregister+0x34/0x60 + platform_driver_unregister+0x20/0x30 + smsc911x_cleanup_module+0x14/0xbca8 [smsc911x] + SyS_delete_module+0x1e8/0x238 + __sys_trace_return+0x0/0x4 + +This is caused by the mdiobus being unregistered/free'd +and the code in phy_detach() attempting to manipulate mdio +related structures from unregister_netdev() calling close() + +To fix this, we delay the mdiobus teardown until after +the netdev is deregistered. + +Reported-by: Matt Sealey +Signed-off-by: Jeremy Linton +Reviewed-by: Andrew Lunn +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/smsc/smsc911x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -2330,14 +2330,14 @@ static int smsc911x_drv_remove(struct pl + pdata = netdev_priv(dev); + BUG_ON(!pdata); + BUG_ON(!pdata->ioaddr); +- WARN_ON(dev->phydev); + + SMSC_TRACE(pdata, ifdown, "Stopping driver"); + ++ unregister_netdev(dev); ++ + mdiobus_unregister(pdata->mii_bus); + mdiobus_free(pdata->mii_bus); + +- unregister_netdev(dev); + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "smsc911x-memory"); + if (!res) diff --git a/queue-4.9/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch b/queue-4.9/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch new file mode 100644 index 00000000000..3705086fb67 --- /dev/null +++ b/queue-4.9/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch 
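Review bot: After the reorder in smsc911x_drv_remove(), `pdata` (obtained from `netdev_priv(dev)`) is dereferenced for `mdiobus_unregister(pdata->mii_bus)` after `unregister_netdev(dev)` has already run. That is fine as long as the netdev memory is released later in the function, which is outside the hunk, but the ordering is now significant in both directions and deserves a comment, e.g. `/* unregister first: closing the device calls phy_disconnect(), which still needs the mdio bus */`. The patch also drops `WARN_ON(dev->phydev)` without mentioning it in the description. That is presumably because the device may legitimately still be up at this point, and it would be worth saying so.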
@@ -0,0 +1,61 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Martin Blumenstingl
+Date: Mon, 15 Jan 2018 18:10:14 +0100
+Subject: net: stmmac: dwmac-meson8b: fix setting the RGMII TX clock on Meson8b
+
+From: Martin Blumenstingl
+
+[ Upstream commit 433c6cab9d298687c097f6ee82e49157044dc7c6 ]
+
+Meson8b only supports MPLL2 as clock input. The rate of the MPLL2 clock
+set by Odroid-C1's u-boot is close to (but not exactly) 500MHz. The
+exact rate is 500002394Hz, which is calculated in
+drivers/clk/meson/clk-mpll.c using the following formula:
+DIV_ROUND_UP_ULL((u64)parent_rate * SDM_DEN, (SDM_DEN * n2) + sdm)
+Odroid-C1's u-boot configures MPLL2 with the following values:
+- SDM_DEN = 16384
+- SDM = 1638
+- N2 = 5
+
+The 250MHz clock (m250_div) inside dwmac-meson8b driver is derived from
+the MPLL2 clock. Due to MPLL2 running slightly faster than 500MHz the
+common clock framework chooses a divider which is too big to generate
+the 250MHz clock (a divider of 2 would be needed, but this is rounded up
+to a divider of 3). This breaks the RTL8211F RGMII PHY on Odroid-C1
+because it requires a (close to) 125MHz RGMII TX clock (on Gbit speeds,
+the IP block internally divides that down to 25MHz on 100Mbit/s
+connections and 2.5MHz on 10Mbit/s connections - we don't need any
+special configuration for that).
+
+Round the divider to the closest value to prevent this issue on Meson8b.
+This means we'll now end up with a clock rate for the RGMII TX clock of
+125001197Hz (= 125MHz plus 1197Hz), which is close-enough to 125MHz.
+This has no effect on the Meson GX SoCs since there fclk_div2 is used as
+input clock, which has a rate of 1000MHz (and thus is divisible cleanly
+to 250MHz and 125MHz).
+
+Fixes: 566e8251625304 ("net: stmmac: add a glue driver for the Amlogic Meson 8b / GXBB DWMAC")
+Reported-by: Emiliano Ingrassia
+Signed-off-by: Martin Blumenstingl
+Reviewed-by: Jerome Brunet
+Tested-by: Jerome Brunet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+@@ -146,7 +146,9 @@ static int meson8b_init_clk(struct meson
+ dwmac->m250_div.shift = PRG_ETH0_CLK_M250_DIV_SHIFT;
+ dwmac->m250_div.width = PRG_ETH0_CLK_M250_DIV_WIDTH;
+ dwmac->m250_div.hw.init = &init;
+- dwmac->m250_div.flags = CLK_DIVIDER_ONE_BASED | CLK_DIVIDER_ALLOW_ZERO;
++ dwmac->m250_div.flags = CLK_DIVIDER_ONE_BASED |
++ CLK_DIVIDER_ALLOW_ZERO |
++ CLK_DIVIDER_ROUND_CLOSEST;
+
+ dwmac->m250_div_clk = devm_clk_register(dev, &dwmac->m250_div.hw);
+ if (WARN_ON(IS_ERR(dwmac->m250_div_clk)))
diff --git a/queue-4.9/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch b/queue-4.9/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch
new file mode 100644
index 00000000000..13518c7e39d
--- /dev/null
+++ b/queue-4.9/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Martin Blumenstingl
+Date: Mon, 15 Jan 2018 18:10:15 +0100
+Subject: net: stmmac: dwmac-meson8b: propagate rate changes to the parent clock
+
+From: Martin Blumenstingl
+
+[ Upstream commit fb7d38a70e1d8ffd54f7a7464dcc4889d7e490ad ]
+
+On Meson8b the only valid input clock is MPLL2. The bootloader
+configures that to run at 500002394Hz which cannot be divided evenly
+down to 125MHz using the m250_div clock. Currently the common clock
+framework chooses a m250_div of 2 - with the internal fixed
+"divide by 10" this results in a RGMII TX clock of 125001197Hz (120Hz
+above the requested 125MHz).
+
+Letting the common clock framework propagate the rate changes up to the
+parent of m250_mux allows us to get the best possible clock rate. With
+this patch the common clock framework calculates a rate of
+very-close-to-250MHz (249999701Hz to be exact) for the MPLL2 clock
+(which is the mux input). Dividing that by 2 (which is an internal,
+fixed divider for the RGMII TX clock) gives us an RGMII TX clock of
+124999850Hz (which is only 150Hz off the requested 125MHz, compared to
+1197Hz based on the MPLL2 rate set by u-boot and the Amlogic GPL kernel
+sources).
+
+SoCs from the Meson GX series are not affected by this change because
+the input clock is FCLK_DIV2 whose rate cannot be changed (which is fine
+since it's running at 1GHz, so it's already a multiple of 250MHz and
+125MHz).
+
+Fixes: 566e8251625304 ("net: stmmac: add a glue driver for the Amlogic Meson 8b / GXBB DWMAC")
+Suggested-by: Jerome Brunet
+Signed-off-by: Martin Blumenstingl
+Reviewed-by: Jerome Brunet
+Tested-by: Jerome Brunet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+@@ -118,7 +118,7 @@ static int meson8b_init_clk(struct meson
+ snprintf(clk_name, sizeof(clk_name), "%s#m250_sel", dev_name(dev));
+ init.name = clk_name;
+ init.ops = &clk_mux_ops;
+- init.flags = 0;
++ init.flags = CLK_SET_RATE_PARENT;
+ init.parent_names = mux_parent_names;
+ init.num_parents = MUX_CLK_NUM_PARENTS;
+
diff --git a/queue-4.9/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch b/queue-4.9/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch
new file mode 100644
index 00000000000..37813d26c08
--- /dev/null
+++ b/queue-4.9/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Niklas Cassel
+Date: Mon, 26 Feb 2018 22:47:08 +0100
+Subject: net: stmmac: ensure that the device has released ownership before reading data
+
+From: Niklas Cassel
+
+[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ]
+
+According to Documentation/memory-barriers.txt, we need to use a
+dma_rmb() after reading the status/own bit, to ensure that all
+descriptor fields are read after reading the own bit.
+
+This way, we ensure that the DMA engine is done with the DMA
+descriptor before we read the other descriptor fields, e.g. reading
+the tx hardware timestamp (if PTP is enabled).
+
+Signed-off-by: Niklas Cassel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1343,6 +1343,11 @@ static void stmmac_tx_clean(struct stmma
+ if (unlikely(status & tx_dma_own))
+ break;
+
++ /* Make sure descriptor fields are read after reading
++ * the own bit.
++ */
++ dma_rmb();
++
+ /* Just consider the last segment and ...*/
+ if (likely(!(status & tx_not_ls))) {
+ /* ... verify the status error condition */
diff --git a/queue-4.9/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch b/queue-4.9/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch
new file mode 100644
index 00000000000..d1a70a614fc
--- /dev/null
+++ b/queue-4.9/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch
@@ -0,0 +1,57 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:06 +0100 +Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit + +From: Niklas Cassel + +[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ] + +A dma_wmb() is used to guarantee the ordering, with respect to +other writes, to cache coherent DMA memory. + +There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which +ensures that TDES0/1/2 is written before TDES3 (which contains the own +bit), for First Desc. + +However, in the rare case that MSS changes, there will be a MSS +context descriptor in front of the regular DMA descriptors: + + <- DMA Next Descriptor + + + + +Thus, for this special case, we need a dma_wmb() +after prepare_tso_tx_desc()/before writing the own bit to the MSS desc, +so that we flush the write to TDES3 for First Desc, +in order to ensure that the MSS descriptor is the last descriptor to +set the own bit. + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2141,8 +2141,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len)); + + /* If context desc is used to change MSS */ +- if (mss_desc) ++ if (mss_desc) { ++ /* Make sure that first descriptor has been completely ++ * written, including its own bit. This is because MSS is ++ * actually before first descriptor, so we need to make ++ * sure that MSS's own bit is the last thing written. ++ */ ++ dma_wmb(); + priv->hw->desc->set_tx_owner(mss_desc); ++ } + + /* The own bit must be the latest setting done when prepare the + * descriptor and then barrier is needed to make sure that 
diff --git a/queue-4.9/net-tcp-illinois-replace-broken-algorithm-reference-link.patch b/queue-4.9/net-tcp-illinois-replace-broken-algorithm-reference-link.patch
new file mode 100644
index 00000000000..8ad5f6c78ab
--- /dev/null
+++ b/queue-4.9/net-tcp-illinois-replace-broken-algorithm-reference-link.patch
@@ -0,0 +1,47 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Joey Pabalinas
+Date: Tue, 27 Feb 2018 22:05:53 -1000
+Subject: net/tcp/illinois: replace broken algorithm reference link
+
+From: Joey Pabalinas
+
+[ Upstream commit ecc832758a654e375924ebf06a4ac971acb5ce60 ]
+
+The link to the pdf containing the algorithm description is now a
+dead link; it seems http://www.ifp.illinois.edu/~srikant/ has been
+moved to https://sites.google.com/a/illinois.edu/srikant/ and none of
+the original papers can be found there...
+
+I have replaced it with the only working copy I was able to find.
+
+n.b. there is also a copy available at:
+
+http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.6350&rep=rep1&type=pdf
+
+However, this seems to only be a *cached* version, so I am unsure
+exactly how reliable that link can be expected to remain over time
+and have decided against using that one.
+
+Signed-off-by: Joey Pabalinas
+
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_illinois.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_illinois.c
++++ b/net/ipv4/tcp_illinois.c
+@@ -6,7 +6,7 @@
+ * The algorithm is described in:
+ * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
+ * for High-Speed Networks"
+- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
++ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
+ *
+ * Implemented from description in paper and ns-2 simulation.
+ * Copyright (C) 2007 Stephen Hemminger
diff --git a/queue-4.9/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch b/queue-4.9/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
new file mode 100644
index 00000000000..16e397d3cec
--- /dev/null
+++ b/queue-4.9/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
@@ -0,0 +1,107 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Florian Westphal
+Date: Mon, 19 Feb 2018 01:24:53 +0100
+Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs
+
+From: Florian Westphal
+
+[ Upstream commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca ]
+
+All of these conditions are not fatal and should have
+been WARN_ONs from the get-go.
+
+Convert them to WARN_ONs and bail out.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1625,7 +1625,8 @@ static int compat_match_to_user(struct e
+ int off = ebt_compat_match_offset(match, m->match_size);
+ compat_uint_t msize = m->match_size - off;
+
+- BUG_ON(off >= m->match_size);
++ if (WARN_ON(off >= m->match_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, match->name,
+ strlen(match->name) + 1) || put_user(msize, &cm->match_size))
+@@ -1652,7 +1653,8 @@ static int compat_target_to_user(struct
+ int off = xt_compat_target_offset(target);
+ compat_uint_t tsize = t->target_size - off;
+
+- BUG_ON(off >= t->target_size);
++ if (WARN_ON(off >= t->target_size))
++ return -EINVAL;
+
+ if (copy_to_user(cm->u.name, target->name,
+ strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
+@@ -1880,7 +1882,8 @@ static int ebt_buf_add(struct ebt_entrie
+ if (state->buf_kern_start == NULL)
+ goto count_only;
+
+- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
++ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
++ return -EINVAL;
+
+ memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
+
+@@ -1893,7 +1896,8 @@ static int ebt_buf_add_pad(struct ebt_en
+ {
+ char *b = state->buf_kern_start;
+
+- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
++ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
++ return -EINVAL;
+
+ if (b != NULL && sz > 0)
+ memset(b + state->buf_kern_offset, 0, sz);
+@@ -1970,8 +1974,10 @@ static int compat_mtw_from_user(struct c
+ pad = XT_ALIGN(size_kern) - size_kern;
+
+ if (pad > 0 && dst) {
+- BUG_ON(state->buf_kern_len <= pad);
+- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
++ if (WARN_ON(state->buf_kern_len <= pad))
++ return -EINVAL;
++ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
++ return -EINVAL;
+ memset(dst + size_kern, 0, pad);
+ }
+ return off + match_size;
+@@ -2021,7 +2027,8 @@ static int ebt_size_mwt(struct compat_eb
+ if (ret < 0)
+ return ret;
+
+- BUG_ON(ret < match32->match_size);
++ if (WARN_ON(ret < match32->match_size))
++ return -EINVAL;
+ growth += ret - match32->match_size;
+ growth += ebt_compat_entry_padsize();
+
+@@ -2130,7 +2137,8 @@ static int size_entry_mwt(struct ebt_ent
+
+ startoff = state->buf_user_offset - startoff;
+
+- BUG_ON(*total < startoff);
++ if (WARN_ON(*total < startoff))
++ return -EINVAL;
+ *total -= startoff;
+ return 0;
+ }
+@@ -2257,7 +2265,8 @@ static int compat_do_replace(struct net
+ state.buf_kern_len = size64;
+
+ ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
+- BUG_ON(ret < 0); /* parses same data again */
++ if (WARN_ON(ret < 0))
++ goto out_unlock;
+
+ vfree(entries_tmp);
+ tmp.entries_size = size64;
diff --git a/queue-4.9/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch b/queue-4.9/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch
new file mode 100644
index 00000000000..4e043342ba3
--- /dev/null
+++ b/queue-4.9/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch
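Review bot: In compat_do_replace() the new `if (WARN_ON(ret < 0)) goto out_unlock;` jumps over the `vfree(entries_tmp);` on the following line. Unless the out_unlock path (not visible in this hunk) releases that buffer, the converted error path leaks it; the old BUG_ON never returned, so this path is new. Freeing before the jump keeps the cleanup local: `if (WARN_ON(ret < 0)) { vfree(entries_tmp); goto out_unlock; }`. Separately, these checks appear to sit on the compat path that parses a userland-supplied blob, so on systems running with panic_on_warn a reachable WARN_ON is still a crash. If any of the conditions turns out to be triggerable from userspace, returning -EINVAL without the warning is the more conservative form.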
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Florian Westphal
+Date: Thu, 8 Mar 2018 12:54:19 +0100
+Subject: netfilter: ebtables: fix erroneous reject of last rule
+
+From: Florian Westphal
+
+[ Upstream commit 932909d9b28d27e807ff8eecb68c7748f6701628 ]
+
+The last rule in the blob has next_entry offset that is same as total size.
+This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
+
+Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/netfilter/ebtables.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2097,8 +2097,12 @@ static int size_entry_mwt(struct ebt_ent
+ * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+ */
+ for (i = 0; i < 4 ; ++i) {
+- if (offsets[i] >= *total)
++ if (offsets[i] > *total)
+ return -EINVAL;
++
++ if (i < 3 && offsets[i] == *total)
++ return -EINVAL;
++
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch b/queue-4.9/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch
new file mode 100644
index 00000000000..a59c9c18ca4
--- /dev/null
+++ b/queue-4.9/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch
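Review bot: The relaxed bound in size_entry_mwt() is valid only for the last slot of `offsets[]`, and the loop does not say why `i < 3` is special. Going by the commit message, the fourth offset is the next-entry offset, which legitimately equals `*total` for the last rule in the blob, while the earlier offsets presumably must stay strictly inside it. A one-line comment above the second check would stop a later reader from merging the two tests back into one, e.g. `/* only the next-entry offset (i == 3) may equal *total: the last rule ends the blob */`. The Fixes tag describes these offsets as untrusted userland input, so the strict `>` / `==` split is worth keeping explicit. The loop continues past the end of the hunk.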
@@ -0,0 +1,36 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Subash Abhinov Kasiviswanathan
+Date: Wed, 31 Jan 2018 04:50:01 -0700
+Subject: netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure
+
+From: Subash Abhinov Kasiviswanathan
+
+[ Upstream commit ea23d5e3bf340e413b8e05c13da233c99c64142b ]
+
+Failures were seen in ICMPv6 fragmentation timeout tests if they were
+run after the RFC2460 failure tests. Kernel was not sending out the
+ICMPv6 fragment reassembly time exceeded packet after the fragmentation
+reassembly timeout of 1 minute had elapsed.
+
+This happened because the frag queue was not released if an error in
+IPv6 fragmentation header was detected by RFC2460.
+
+Fixes: 83f1999caeb1 ("netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460")
+Signed-off-by: Subash Abhinov Kasiviswanathan
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -263,6 +263,7 @@ static int nf_ct_frag6_queue(struct frag
+ * this case. -DaveM
+ */
+ pr_debug("end of fragment not rounded to 8 bytes.\n");
++ inet_frag_kill(&fq->q, &nf_frags);
+ return -EPROTO;
+ }
+ if (end > fq->q.len) {
diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch b/queue-4.9/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch
new file mode 100644
index 00000000000..1b9b5846d6a
--- /dev/null
+++ b/queue-4.9/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch
@@ -0,0 +1,102 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: Subash Abhinov Kasiviswanathan
+Date: Fri, 12 Jan 2018 17:36:27 -0700
+Subject: netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
+
+From: Subash Abhinov Kasiviswanathan
+
+[ Upstream commit 83f1999caeb14e15df205e80d210699951733287 ]
+
+ipv6_defrag pulls network headers before fragment header. In case of
+an error, the netfilter layer is currently dropping these packets.
+This results in failure of some IPv6 standards tests which passed on
+older kernels due to the netfilter framework using cloning.
+
+The test case run here is a check for ICMPv6 error message replies
+when some invalid IPv6 fragments are sent. This specific test case is
+listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf
+in the Extension Header Processing Order section.
+
+A packet with unrecognized option Type 11 is sent and the test expects
+an ICMP error in line with RFC2460 section 4.2 -
+
+11 - discard the packet and, only if the packet's Destination
+ Address was not a multicast address, send an ICMP Parameter
+ Problem, Code 2, message to the packet's Source Address,
+ pointing to the unrecognized Option Type.
+
+Since netfilter layer now drops all invalid IPv6 frag packets, we no
+longer see the ICMP error message and fail the test case.
+
+To fix this, save the transport header. If defrag is unable to process
+the packet due to RFC2460, restore the transport header and allow packet
+to be processed by stack. There is no change for other packet
+processing paths.
+
+Tested by confirming that stack sends an ICMP error when it receives
+these packets. Also tested that fragmented ICMP pings succeed.
+
+v1->v2: Instead of cloning always, save the transport_header and
+restore it in case of this specific error. Update the title and
+commit message accordingly.
+
+Signed-off-by: Subash Abhinov Kasiviswanathan
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -230,7 +230,7 @@ static int nf_ct_frag6_queue(struct frag
+
+ if ((unsigned int)end > IPV6_MAXPLEN) {
+ pr_debug("offset is too large.\n");
+- return -1;
++ return -EINVAL;
+ }
+
+ ecn = ip6_frag_ecn(ipv6_hdr(skb));
+@@ -263,7 +263,7 @@ static int nf_ct_frag6_queue(struct frag
+ * this case. -DaveM
+ */
+ pr_debug("end of fragment not rounded to 8 bytes.\n");
+- return -1;
++ return -EPROTO;
+ }
+ if (end > fq->q.len) {
+ /* Some bits beyond end -> corruption. */
+@@ -357,7 +357,7 @@ found:
+ discard_fq:
+ inet_frag_kill(&fq->q, &nf_frags);
+ err:
+- return -1;
++ return -EINVAL;
+ }
+
+ /*
+@@ -566,6 +566,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *
+
+ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+ {
++ u16 savethdr = skb->transport_header;
+ struct net_device *dev = skb->dev;
+ int fhoff, nhoff, ret;
+ struct frag_hdr *fhdr;
+@@ -599,8 +600,12 @@ int nf_ct_frag6_gather(struct net *net,
+
+ spin_lock_bh(&fq->q.lock);
+
+- if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) {
+- ret = -EINVAL;
++ ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
++ if (ret < 0) {
++ if (ret == -EPROTO) {
++ skb->transport_header = savethdr;
++ ret = 0;
++ }
+ goto out_unlock;
+ }
+
diff --git a/queue-4.9/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch b/queue-4.9/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch
new file mode 100644
index 00000000000..00430654a71
--- /dev/null
+++ b/queue-4.9/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch
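Review bot: The return value of nf_ct_frag6_queue() now doubles as a control signal, and neither side documents it. `-EPROTO` from the "not rounded to 8 bytes" branch makes nf_ct_frag6_gather() restore `skb->transport_header` and set `ret = 0`, while every other negative value is propagated as an error. I would add a comment at the `return -EPROTO;` site, e.g. `/* -EPROTO: caller hands the packet to the stack so it can send the ICMP error (RFC 2460) */`, and a matching one at the `if (ret == -EPROTO)` test. Without that, a future error path that happens to pick -EPROTO would silently turn a drop into a pass for a malformed fragment. Both functions extend beyond the hunks shown.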
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Richard Haines
+Date: Mon, 13 Nov 2017 20:54:22 +0000
+Subject: netlabel: If PF_INET6, check sk_buff ip header version
+
+From: Richard Haines
+
+[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ]
+
+When resolving a fallback label, check the sk_buff version as it
+is possible (e.g. SCTP) to have family = PF_INET6 while
+receiving ip_hdr(skb)->version = 4.
+
+Signed-off-by: Richard Haines
+Acked-by: Paul Moore
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlabel/netlabel_unlabeled.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1469,6 +1469,16 @@ int netlbl_unlabel_getattr(const struct
+ iface = rcu_dereference(netlbl_unlhsh_def);
+ if (iface == NULL || !iface->valid)
+ goto unlabel_getattr_nolabel;
++
++#if IS_ENABLED(CONFIG_IPV6)
++ /* When resolving a fallback label, check the sk_buff version as
++ * it is possible (e.g. SCTP) to have family = PF_INET6 while
++ * receiving ip_hdr(skb)->version = 4.
++ */
++ if (family == PF_INET6 && ip_hdr(skb)->version == 4)
++ family = PF_INET;
++#endif /* IPv6 */
++
+ switch (family) {
+ case PF_INET: {
+ struct iphdr *hdr4;
diff --git a/queue-4.9/nfc-llcp-limit-size-of-sdp-uri.patch b/queue-4.9/nfc-llcp-limit-size-of-sdp-uri.patch
new file mode 100644
index 00000000000..49b83486977
--- /dev/null
+++ b/queue-4.9/nfc-llcp-limit-size-of-sdp-uri.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Kees Cook
+Date: Wed, 14 Feb 2018 15:45:07 -0800
+Subject: NFC: llcp: Limit size of SDP URI
+
+From: Kees Cook
+
+[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ]
+
+The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
+this both in the NLA policy and in the code that performs the allocation
+and copy, to avoid writing past the end of the allocated buffer.
+
+Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/llcp_commands.c | 4 ++++
+ net/nfc/netlink.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_
+
+ pr_debug("uri: %s, len: %zu\n", uri, uri_len);
+
++ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
++ if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
++ return NULL;
++
+ sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
+ if (sdreq == NULL)
+ return NULL;
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -68,7 +68,8 @@ static const struct nla_policy nfc_genl_
+ };
+
+ static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
+- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
++ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
++ .len = U8_MAX - 4 },
+ [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
+ };
+
diff --git a/queue-4.9/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch b/queue-4.9/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch
new file mode 100644
index 00000000000..865d0710c70
--- /dev/null
+++ b/queue-4.9/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch
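Review bot: The limit `U8_MAX - 4` is now written out twice: in the WARN_ON_ONCE() check in llcp_commands.c (the function name is truncated in the hunk header) and in the `.len` of `nfc_sdp_genl_policy[NFC_SDP_ATTR_URI]` in netlink.c. The two must stay equal for the netlink policy to actually protect the allocation-and-copy path. A shared named constant in a header both files include (placeholder name `NFC_LLCP_SDP_URI_MAX`) would tie them together and give the "+ 3 for header, + 1" arithmetic a single home. Minor: the new comment says "NULL" where the terminating NUL byte is meant. The build function's body continues outside the hunk.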
@@ -0,0 +1,38 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jan Chochol
+Date: Fri, 5 Jan 2018 08:39:12 +0100
+Subject: nfs: Do not convert nfs_idmap_cache_timeout to jiffies
+
+From: Jan Chochol
+
+[ Upstream commit cbebc6ef4fc830f4040d4140bf53484812d5d5d9 ]
+
+Since commit 57e62324e469 ("NFS: Store the legacy idmapper result in the
+keyring") nfs_idmap_cache_timeout changed units from jiffies to seconds.
+Unfortunately sysctl interface was not updated accordingly.
+
+As a effect updating /proc/sys/fs/nfs/idmap_cache_timeout with some
+value will incorrectly multiply this value by HZ.
+Also reading /proc/sys/fs/nfs/idmap_cache_timeout will show real value
+divided by HZ.
+
+Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring")
+Signed-off-by: Jan Chochol
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4sysctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4sysctl.c
++++ b/fs/nfs/nfs4sysctl.c
+@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[
+ .data = &nfs_idmap_cache_timeout,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_jiffies,
++ .proc_handler = proc_dointvec,
+ },
+ { }
+ };
diff --git a/queue-4.9/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch b/queue-4.9/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch
new file mode 100644
index 00000000000..eb7c07e2d4d
--- /dev/null
+++ b/queue-4.9/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch
@@ -0,0 +1,104 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: NeilBrown
+Date: Wed, 13 Dec 2017 09:57:09 +1100
+Subject: NFSv4: always set NFS_LOCK_LOST when a lock is lost.
+
+From: NeilBrown
+
+[ Upstream commit dce2630c7da73b0634686bca557cc8945cc450c8 ]
+
+There are 2 comments in the NFSv4 code which suggest that
+SIGLOST should possibly be sent to a process. In these
+cases a lock has been lost.
+The current practice is to set NFS_LOCK_LOST so that
+read/write returns EIO when a lock is lost.
+So change these comments to code when sets NFS_LOCK_LOST.
+
+One case is when lock recovery after apparent server restart
+fails with NFS4ERR_DENIED, NFS4ERR_RECLAIM_BAD, or
+NFS4ERRO_RECLAIM_CONFLICT. The other case is when a lock
+attempt as part of lease recovery fails with NFS4ERR_DENIED.
+
+In an ideal world, these should not happen. However I have
+a packet trace showing an NFSv4.1 session getting
+NFS4ERR_BADSESSION after an extended network parition. The
+NFSv4.1 client treats this like server reboot until/unless
+it get NFS4ERR_NO_GRACE, in which case it switches over to
+"nograce" recovery mode. In this network trace, the client
+attempts to recover a lock and the server (incorrectly)
+reports NFS4ERR_DENIED rather than NFS4ERR_NO_GRACE. This
+leads to the ineffective comment and the client then
+continues to write using the OPEN stateid.
+
+Signed-off-by: NeilBrown
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 12 ++++++++----
+ fs/nfs/nfs4state.c | 5 ++++-
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1934,7 +1934,7 @@ static int nfs4_open_reclaim(struct nfs4
+ return ret;
+ }
+
+-static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, int err)
++static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err)
+ {
+ switch (err) {
+ default:
+@@ -1981,7 +1981,11 @@ static int nfs4_handle_delegation_recall
+ return -EAGAIN;
+ case -ENOMEM:
+ case -NFS4ERR_DENIED:
+- /* kill_proc(fl->fl_pid, SIGLOST, 1); */
++ if (fl) {
++ struct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner;
++ if (lsp)
++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags);
++ }
+ return 0;
+ }
+ return err;
+@@ -2017,7 +2021,7 @@ int nfs4_open_delegation_recall(struct n
+ err = nfs4_open_recover_helper(opendata, FMODE_READ);
+ }
+ nfs4_opendata_put(opendata);
+- return nfs4_handle_delegation_recall_error(server, state, stateid, err);
++ return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err);
+ }
+
+ static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata)
+@@ -6499,7 +6503,7 @@ int nfs4_lock_delegation_recall(struct f
+ if (err != 0)
+ return err;
+ err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW);
+- return nfs4_handle_delegation_recall_error(server, state, stateid, err);
++ return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err);
+ }
+
+ struct nfs_release_lockowner_data {
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1429,6 +1429,7 @@ static int nfs4_reclaim_locks(struct nfs
+ struct inode *inode = state->inode;
+ struct nfs_inode *nfsi = NFS_I(inode);
+ struct file_lock *fl;
++ struct nfs4_lock_state *lsp;
+ int status = 0;
+ struct file_lock_context *flctx = inode->i_flctx;
+ struct list_head *list;
+@@ -1469,7 +1470,9 @@ restart:
+ case -NFS4ERR_DENIED:
+ case -NFS4ERR_RECLAIM_BAD:
+ case -NFS4ERR_RECLAIM_CONFLICT:
+- /* kill_proc(fl->fl_pid, SIGLOST, 1); */
++ lsp = fl->fl_u.nfs4_fl.owner;
++ if (lsp)
++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags);
+ status = 0;
+ }
+ spin_lock(&flctx->flc_lock);
diff --git a/queue-4.9/ntb_transport-fix-bug-with-max_mw_size-parameter.patch b/queue-4.9/ntb_transport-fix-bug-with-max_mw_size-parameter.patch
new file mode 100644
index 00000000000..32899b2560c
--- /dev/null
+++ b/queue-4.9/ntb_transport-fix-bug-with-max_mw_size-parameter.patch
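Review bot: In nfs4_handle_delegation_recall_error() the new `set_bit(NFS_LOCK_LOST, &lsp->ls_flags)` sits under both `case -ENOMEM:` and `case -NFS4ERR_DENIED:`, so a local allocation failure now marks the lock as lost exactly as a server denial does. The commit message argues only for the NFS4ERR_DENIED case. If ENOMEM is not meant to make later read/write fail with EIO, the labels need separate arms, e.g. `case -ENOMEM: return 0;` placed ahead of `case -NFS4ERR_DENIED:`. If it is intended, a short comment on the shared arm would record that decision. The switch starts and ends outside the hunk.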
@@ -0,0 +1,45 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Logan Gunthorpe
+Date: Mon, 18 Dec 2017 11:25:05 -0700
+Subject: ntb_transport: Fix bug with max_mw_size parameter
+
+From: Logan Gunthorpe
+
+[ Upstream commit cbd27448faff4843ac4b66cc71445a10623ff48d ]
+
+When using the max_mw_size parameter of ntb_transport to limit the size of
+the Memory windows, communication cannot be established and the queues
+freeze.
+
+This is because the mw_size that's reported to the peer is correctly
+limited but the size used locally is not. So the MW is initialized
+with a buffer smaller than the window but the TX side is using the
+full window. This means the TX side will be writing to a region of the
+window that points nowhere.
+
+This is easily fixed by applying the same limit to tx_size in
+ntb_transport_init_queue().
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Logan Gunthorpe
+Acked-by: Allen Hubbe
+Cc: Dave Jiang
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ntb/ntb_transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -996,6 +996,9 @@ static int ntb_transport_init_queue(stru
+ mw_base = nt->mw_vec[mw_num].phys_addr;
+ mw_size = nt->mw_vec[mw_num].phys_size;
+
++ if (max_mw_size && mw_size > max_mw_size)
++ mw_size = max_mw_size;
++
+ tx_size = (unsigned int)mw_size / num_qps_mw;
+ qp_offset = tx_size * (qp_num / mw_count);
+
diff --git a/queue-4.9/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch b/queue-4.9/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch
new file mode 100644
index 00000000000..d08eddc005e
--- /dev/null
+++ b/queue-4.9/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch
@@ -0,0 +1,51 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Johannes Thumshirn
+Date: Thu, 12 Apr 2018 09:16:06 -0600
+Subject: nvme: don't send keep-alives to the discovery controller
+
+From: Johannes Thumshirn
+
+[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ]
+
+NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and
+Command Support" Figure 31 "Discovery Controller – Admin Commands"
+explicitly listst all commands but "Get Log Page" and "Identify" as
+reserved, but NetApp report the Linux host is sending Keep Alive
+commands to the discovery controller, which is a violation of the
+Spec.
+
+We're already checking for discovery controllers when configuring the
+keep alive timeout but when creating a discovery controller we're not
+hard wiring the keep alive timeout to 0 and thus remain on
+NVME_DEFAULT_KATO for the discovery controller.
+
+This can be easily remproduced when issuing a direct connect to the
+discovery susbsystem using:
+'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery'
+
+Signed-off-by: Johannes Thumshirn
+Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library")
+Reported-by: Martin George
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Keith Busch
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/fabrics.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -583,8 +583,10 @@ static int nvmf_parse_options(struct nvm
+ opts->discovery_nqn =
+ !(strcmp(opts->subsysnqn,
+ NVME_DISC_SUBSYS_NAME));
+- if (opts->discovery_nqn)
++ if (opts->discovery_nqn) {
++ opts->kato = 0;
+ opts->nr_io_queues = 0;
++ }
+ break;
+ case NVMF_OPT_TRADDR:
+ p = match_strdup(args);
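Review bot: `opts->kato = 0;` is applied while the NQN token is being parsed, so the final value depends on where a keep-alive option appears in the option string relative to `nqn`. The commit message says the keep-alive option already checks for discovery controllers, but that case lies outside the hunk. It is worth confirming that a keep-alive option parsed after this point cannot put a non-zero value back, or enforcing the zero once after the parsing loop. A short comment on the new line, e.g. `/* Keep Alive is reserved on discovery controllers */`, would also record why the default is overridden.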
diff --git a/queue-4.9/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch b/queue-4.9/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch
new file mode 100644
index 00000000000..6285a87c81c
--- /dev/null
+++ b/queue-4.9/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch
@@ -0,0 +1,46 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jianchao Wang
+Date: Thu, 15 Feb 2018 19:13:41 +0800
+Subject: nvme-pci: Fix nvme queue cleanup if IRQ setup fails
+
+From: Jianchao Wang
+
+[ Upstream commit f25a2dfc20e3a3ed8fe6618c331799dd7bd01190 ]
+
+This patch fixes nvme queue cleanup if requesting an IRQ handler for
+the queue's vector fails. It does this by resetting the cq_vector to
+the uninitialized value of -1 so it is ignored for a controller reset.
+
+Signed-off-by: Jianchao Wang
+[changelog updates, removed misc whitespace changes]
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1120,7 +1120,7 @@ static int nvme_create_queue(struct nvme
+ nvmeq->cq_vector = qid - 1;
+ result = adapter_alloc_cq(dev, qid, nvmeq);
+ if (result < 0)
+- return result;
++ goto release_vector;
+
+ result = adapter_alloc_sq(dev, qid, nvmeq);
+ if (result < 0)
+@@ -1134,9 +1134,12 @@ static int nvme_create_queue(struct nvme
+ return result;
+
+ release_sq:
++ dev->online_queues--;
+ adapter_delete_sq(dev, qid);
+ release_cq:
+ adapter_delete_cq(dev, qid);
++ release_vector:
++ nvmeq->cq_vector = -1;
+ return result;
+ }
+
diff --git a/queue-4.9/nvmet-fix-psdt-field-check-in-command-format.patch b/queue-4.9/nvmet-fix-psdt-field-check-in-command-format.patch
new file mode 100644
index 00000000000..11169c6d49e
--- /dev/null
+++ b/queue-4.9/nvmet-fix-psdt-field-check-in-command-format.patch
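Review bot: The new `dev->online_queues--;` under `release_sq:` is only balanced if the counter was incremented before the jump to that label, and neither hunk shows where the increment happens. If in this 4.9 tree the queue is initialised and counted only after the IRQ request has succeeded, this error path would decrement a counter that was never raised and leave the online-queue count wrong for later teardown. That ordering should be checked against the full body of nvme_create_queue(), which starts outside the hunk. If the increment does come later, the backport should drop this one line and keep the `release_vector:` part.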
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Max Gurtovoy
+Date: Wed, 24 Jan 2018 17:31:45 +0200
+Subject: nvmet: fix PSDT field check in command format
+
+From: Max Gurtovoy
+
+[ Upstream commit bffd2b61670feef18d2535e9b53364d270a1c991 ]
+
+PSDT field section according to NVM_Express-1.3:
+"This field specifies whether PRPs or SGLs are used for any data
+transfer associated with the command. PRPs shall be used for all
+Admin commands for NVMe over PCIe. SGLs shall be used for all Admin
+and I/O commands for NVMe over Fabrics. This field shall be set to
+01b for NVMe over Fabrics 1.0 implementations.
+
+Suggested-by: Idan Burstein
+Signed-off-by: Max Gurtovoy
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/target/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -491,9 +491,12 @@ bool nvmet_req_init(struct nvmet_req *re
+ goto fail;
+ }
+
+- /* either variant of SGLs is fine, as we don't support metadata */
+- if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF &&
+- (flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METASEG)) {
++ /*
++ * For fabrics, PSDT field shall describe metadata pointer (MPTR) that
++ * contains an address of a single contiguous physical buffer that is
++ * byte aligned.
++ */
++ if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF)) {
+ status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
+ goto fail;
+ }
diff --git a/queue-4.9/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch b/queue-4.9/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch
new file mode 100644
index 00000000000..6f087d0f4b4
--- /dev/null
+++ b/queue-4.9/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch
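Review bot: The replacement comment in nvmet_req_init() describes what MPTR contains but not what the check now rejects, which is the behavioural change. Commands whose PSDT bits select `NVME_CMD_SGL_METASEG` were accepted before and now fail with `NVME_SC_INVALID_FIELD | NVME_SC_DNR`. A comment along the lines of `/* NVMe-oF 1.0: PSDT must be 01b; PRPs and the SGL-segment form are rejected */` would state the rule actually enforced. Whether any deployed host still sends the segment form cannot be told from the hunk, so that compatibility effect deserves a line in the changelog.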
@@ -0,0 +1,91 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:14:59 -0800 +Subject: ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute + +From: piaojun + +[ Upstream commit 16c8d569f5704a84164f30ff01b29879f3438065 ] + +The race between *set_acl and *get_acl will cause getting incomplete +xattr data as below: + + processA processB + + ocfs2_set_acl + ocfs2_xattr_set + __ocfs2_xattr_set_handle + + ocfs2_get_acl_nolock + ocfs2_xattr_get_nolock: + +processB may get incomplete xattr data if processA hasn't set_acl done. + +So we should use 'ip_xattr_sem' to protect getting extended attribute in +ocfs2_get_acl_nolock(), as other processes could be changing it +concurrently. + +Link: http://lkml.kernel.org/r/5A5DDCFF.7030001@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Alex Chen +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/acl.c | 6 ++++++ + fs/ocfs2/xattr.c | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -314,7 +314,9 @@ struct posix_acl *ocfs2_iop_get_acl(stru + return ERR_PTR(ret); + } + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, type, di_bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + + ocfs2_inode_unlock(inode, 0); + brelse(di_bh); +@@ -333,7 +335,9 @@ int ocfs2_acl_chmod(struct inode *inode, + if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL)) + return 0; + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + if (IS_ERR(acl) || !acl) + return PTR_ERR(acl); + ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); +@@ -364,8 +368,10 @@ int ocfs2_init_acl(handle_t *handle, + + if (!S_ISLNK(inode->i_mode)) { + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { 
++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT, + dir_bh); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (IS_ERR(acl)) + return PTR_ERR(acl); + } +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -638,9 +638,11 @@ int ocfs2_calc_xattr_init(struct inode * + si->value_len); + + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { ++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl_len = ocfs2_xattr_get_nolock(dir, dir_bh, + OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT, + "", NULL, 0); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (acl_len > 0) { + a_size = ocfs2_xattr_entry_real_size(0, acl_len); + if (S_ISDIR(mode)) diff --git a/queue-4.9/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch b/queue-4.9/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch new file mode 100644 index 00000000000..059a765f3c3 --- /dev/null +++ b/queue-4.9/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch 
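Review bot: The same three-step pattern of `down_read(&OCFS2_I(x)->ip_xattr_sem)`, a `_nolock` getter and `up_read(...)` is open-coded at four call sites across acl.c and xattr.c. The locking requirement itself is not recorded on the helpers. A comment above ocfs2_get_acl_nolock() and ocfs2_xattr_get_nolock() such as `/* caller must hold ip_xattr_sem */` would make the contract explicit for the next caller. None of the hunks show what their callers already hold, so it should also be confirmed that no path reaches these sites with ip_xattr_sem already taken for write, which would deadlock on the new `down_read()`.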
@@ -0,0 +1,133 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jun Piao +Date: Thu, 5 Apr 2018 16:18:48 -0700 +Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown + +From: Jun Piao + +[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ] + +We should not handle migrate lockres if we are already in +'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving +dlm domain. At last other nodes will get stuck into infinite loop when +requsting lock from us. + +The problem is caused by concurrency umount between nodes. Before +receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the +migrate target. So N2 will continue sending lockres to N1 even though +N1 has left domain. + + N1 N2 (owner) + touch file + + access the file, + and get pr lock + + begin leave domain and + pick up N1 as new owner + + begin leave domain and + migrate all lockres done + + begin migrate lockres to N1 + + end leave domain, but + the lockres left + unexpectedly, because + migrate task has passed + +[piaojun@huawei.com: v3] + Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com +Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlm/dlmdomain.c | 14 -------------- + fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++- + fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++ + 3 files changed, 33 insertions(+), 15 deletions(-) + +--- a/fs/ocfs2/dlm/dlmdomain.c ++++ b/fs/ocfs2/dlm/dlmdomain.c +@@ -675,20 +675,6 @@ static void dlm_leave_domain(struct dlm_ + spin_unlock(&dlm->spinlock); + } + +-int dlm_shutting_down(struct dlm_ctxt *dlm) +-{ +- int ret = 0; +- +- spin_lock(&dlm_domain_lock); +- +- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) +- ret = 1; 
+- +- spin_unlock(&dlm_domain_lock); +- +- return ret; +-} +- + void dlm_unregister_domain(struct dlm_ctxt *dlm) + { + int leave = 0; +--- a/fs/ocfs2/dlm/dlmdomain.h ++++ b/fs/ocfs2/dlm/dlmdomain.h +@@ -28,7 +28,30 @@ + extern spinlock_t dlm_domain_lock; + extern struct list_head dlm_domains; + +-int dlm_shutting_down(struct dlm_ctxt *dlm); ++static inline int dlm_joined(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_JOINED) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ ++static inline int dlm_shutting_down(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ + void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, + int node_num); + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net + if (!dlm_grab(dlm)) + return -EINVAL; + ++ if (!dlm_joined(dlm)) { ++ mlog(ML_ERROR, "Domain %s not joined! " ++ "lockres %.*s, master %u\n", ++ dlm->name, mres->lockname_len, ++ mres->lockname, mres->master); ++ dlm_put(dlm); ++ return -EINVAL; ++ } ++ + BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); + + real_master = mres->master; diff --git a/queue-4.9/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch b/queue-4.9/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch new file mode 100644 index 00000000000..4c6392f4d1f --- /dev/null +++ b/queue-4.9/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch 
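Review bot: The `dlm_joined()` check added to dlm_mig_lockres_handler() samples `dlm->dlm_state` under `dlm_domain_lock` and releases the lock before the handler continues, so the state can move to shutdown right after the check has passed. Unless something outside the hunk serialises the leave path against in-flight migration messages, the window described in the commit message is narrowed rather than closed. A comment stating what keeps the domain joined for the rest of the handler would settle this. The handler's body continues outside the hunk. The new `ML_ERROR` message is also triggered by a message from a peer node, so rate limiting may be worth considering.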
@@ -0,0 +1,66 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:14:44 -0800 +Subject: ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid + +From: piaojun + +[ Upstream commit 025bcbde3634b2c9b316f227fed13ad6ad6817fb ] + +If metadata is corrupted such as 'invalid inode block', we will get +failed by calling 'mount()' and then set filesystem readonly as below: + + ocfs2_mount + ocfs2_initialize_super + ocfs2_init_global_system_inodes + ocfs2_iget + ocfs2_read_locked_inode + ocfs2_validate_inode_block + ocfs2_error + ocfs2_handle_error + ocfs2_set_ro_flag(osb, 0); // set readonly + +In this situation we need return -EROFS to 'mount.ocfs2', so that user +can fix it by fsck. And then mount again. In addition, 'mount.ocfs2' +should be updated correspondingly as it only return 1 for all errno. +And I will post a patch for 'mount.ocfs2' too. + +Link: http://lkml.kernel.org/r/5A4302FA.2010606@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Alex Chen +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Reviewed-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -473,9 +473,8 @@ static int ocfs2_init_global_system_inod + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? 
-EROFS : -EINVAL; + mlog_errno(status); +- /* FIXME: Should ERROR_RO_FS */ + mlog(ML_ERROR, "Unable to load system inode %d, " + "possibly corrupt fs?", i); + goto bail; +@@ -504,7 +503,7 @@ static int ocfs2_init_local_system_inode + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; + mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n", + status, i, osb->slot_num); + goto bail; diff --git a/queue-4.9/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch b/queue-4.9/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch new file mode 100644 index 00000000000..5a22be9cb55 --- /dev/null +++ b/queue-4.9/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch 
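Review bot: `status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL;` infers the reason for a failed system-inode load from a filesystem-wide flag, with no comment explaining the link. The line appears identically in ocfs2_init_global_system_inodes() and ocfs2_init_local_system_inodes(). According to the call chain in the commit message the flag is set by ocfs2_handle_error(); a comment such as `/* ocfs2_error() already switched the fs read-only: report -EROFS so the mount helper can point at fsck */` would document that dependency. The global variant still calls `mlog_errno(status)` while the local one does not, an existing asymmetry that is easier to notice now that both compute the same value.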
@@ -0,0 +1,98 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:15:32 -0800 +Subject: ocfs2: return error when we attempt to access a dirty bh in jbd2 + +From: piaojun + +[ Upstream commit d984187e3a1ad7d12447a7ab2c43ce3717a2b5b3 ] + +We should not reuse the dirty bh in jbd2 directly due to the following +situation: + +1. When removing extent rec, we will dirty the bhs of extent rec and + truncate log at the same time, and hand them over to jbd2. + +2. The bhs are submitted to jbd2 area successfully. + +3. The write-back thread of device help flush the bhs to disk but + encounter write error due to abnormal storage link. + +4. After a while the storage link become normal. Truncate log flush + worker triggered by the next space reclaiming found the dirty bh of + truncate log and clear its 'BH_Write_EIO' and then set it uptodate in + __ocfs2_journal_access(): + + ocfs2_truncate_log_worker + ocfs2_flush_truncate_log + __ocfs2_flush_truncate_log + ocfs2_replay_truncate_records + ocfs2_journal_access_di + __ocfs2_journal_access // here we clear io_error and set 'tl_bh' uptodata. + +5. Then jbd2 will flush the bh of truncate log to disk, but the bh of + extent rec is still in error state, and unfortunately nobody will + take care of it. + +6. At last the space of extent rec was not reduced, but truncate log + flush worker have given it back to globalalloc. That will cause + duplicate cluster problem which could be identified by fsck.ocfs2. + +Sadly we can hardly revert this but set fs read-only in case of ruining +atomicity and consistency of space reclaim. 
+ +Link: http://lkml.kernel.org/r/5A6E8092.8090701@huawei.com +Fixes: acf8fdbe6afb ("ocfs2: do not BUG if buffer not uptodate in __ocfs2_journal_access") +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -666,23 +666,24 @@ static int __ocfs2_journal_access(handle + /* we can safely remove this assertion after testing. */ + if (!buffer_uptodate(bh)) { + mlog(ML_ERROR, "giving me a buffer that's not uptodate!\n"); +- mlog(ML_ERROR, "b_blocknr=%llu\n", +- (unsigned long long)bh->b_blocknr); ++ mlog(ML_ERROR, "b_blocknr=%llu, b_state=0x%lx\n", ++ (unsigned long long)bh->b_blocknr, bh->b_state); + + lock_buffer(bh); + /* +- * A previous attempt to write this buffer head failed. +- * Nothing we can do but to retry the write and hope for +- * the best. ++ * A previous transaction with a couple of buffer heads fail ++ * to checkpoint, so all the bhs are marked as BH_Write_EIO. ++ * For current transaction, the bh is just among those error ++ * bhs which previous transaction handle. We can't just clear ++ * its BH_Write_EIO and reuse directly, since other bhs are ++ * not written to disk yet and that will cause metadata ++ * inconsistency. So we should set fs read-only to avoid ++ * further damage. + */ + if (buffer_write_io_error(bh) && !buffer_uptodate(bh)) { +- clear_buffer_write_io_error(bh); +- set_buffer_uptodate(bh); +- } +- +- if (!buffer_uptodate(bh)) { + unlock_buffer(bh); +- return -EIO; ++ return ocfs2_error(osb->sb, "A previous attempt to " ++ "write this buffer head failed\n"); + } + unlock_buffer(bh); + } 
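Review bot: With the second `if (!buffer_uptodate(bh))` block removed, a buffer that is not uptodate but does not carry the write-error bit now only logs two errors and is unlocked. It then falls through to the rest of __ocfs2_journal_access(), where before this change it returned `-EIO`. If that is intended it needs a comment; otherwise keep the fallback after the new error branch, `if (!buffer_uptodate(bh)) { unlock_buffer(bh); return -EIO; }`. The function starts and ends outside the hunk, and `osb`, used in the new `ocfs2_error()` call, is not declared in the visible lines.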
diff --git a/queue-4.9/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch b/queue-4.9/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch new file mode 100644 index 00000000000..b7d31c0c11b --- /dev/null +++ b/queue-4.9/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch 
@@ -0,0 +1,99 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ed Swierk +Date: Wed, 31 Jan 2018 18:48:02 -0800 +Subject: openvswitch: Remove padding from packet before L3+ conntrack processing + +From: Ed Swierk + +[ Upstream commit 9382fe71c0058465e942a633869629929102843d ] + +IPv4 and IPv6 packets may arrive with lower-layer padding that is not +included in the L3 length. For example, a short IPv4 packet may have +up to 6 bytes of padding following the IP payload when received on an +Ethernet device with a minimum packet length of 64 bytes. + +Higher-layer processing functions in netfilter (e.g. nf_ip_checksum(), +and help() in nf_conntrack_ftp) assume skb->len reflects the length of +the L3 header and payload, rather than referring back to +ip_hdr->tot_len or ipv6_hdr->payload_len, and get confused by +lower-layer padding. + +In the normal IPv4 receive path, ip_rcv() trims the packet to +ip_hdr->tot_len before invoking netfilter hooks. In the IPv6 receive +path, ip6_rcv() does the same using ipv6_hdr->payload_len. Similarly +in the br_netfilter receive path, br_validate_ipv4() and +br_validate_ipv6() trim the packet to the L3 length before invoking +netfilter hooks. + +Currently in the OVS conntrack receive path, ovs_ct_execute() pulls +the skb to the L3 header but does not trim it to the L3 length before +calling nf_conntrack_in(NF_INET_PRE_ROUTING). When +nf_conntrack_proto_tcp encounters a packet with lower-layer padding, +nf_ip_checksum() fails causing a "nf_ct_tcp: bad TCP checksum" log +message. While extra zero bytes don't affect the checksum, the length +in the IP pseudoheader does. That length is based on skb->len, and +without trimming, it doesn't match the length the sender used when +computing the checksum. + +In ovs_ct_execute(), trim the skb to the L3 length before higher-layer +processing. + +Signed-off-by: Ed Swierk +Acked-by: Pravin B Shelar +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -906,6 +906,36 @@ static int ovs_ct_commit(struct net *net + return 0; + } + ++/* Trim the skb to the length specified by the IP/IPv6 header, ++ * removing any trailing lower-layer padding. This prepares the skb ++ * for higher-layer processing that assumes skb->len excludes padding ++ * (such as nf_ip_checksum). The caller needs to pull the skb to the ++ * network header, and ensure ip_hdr/ipv6_hdr points to valid data. ++ */ ++static int ovs_skb_network_trim(struct sk_buff *skb) ++{ ++ unsigned int len; ++ int err; ++ ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): ++ len = ntohs(ip_hdr(skb)->tot_len); ++ break; ++ case htons(ETH_P_IPV6): ++ len = sizeof(struct ipv6hdr) ++ + ntohs(ipv6_hdr(skb)->payload_len); ++ break; ++ default: ++ len = skb->len; ++ } ++ ++ err = pskb_trim_rcsum(skb, len); ++ if (err) ++ kfree_skb(skb); ++ ++ return err; ++} ++ + /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero + * value if 'skb' is freed. + */ +@@ -920,6 +950,10 @@ int ovs_ct_execute(struct net *net, stru + nh_ofs = skb_network_offset(skb); + skb_pull_rcsum(skb, nh_ofs); + ++ err = ovs_skb_network_trim(skb); ++ if (err) ++ return err; ++ + if (key->ip.frag != OVS_FRAG_TYPE_NONE) { + err = handle_fragments(net, key, info->zone.id, skb); + if (err) diff --git a/queue-4.9/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch b/queue-4.9/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch new file mode 100644 index 00000000000..8b9ceb1919c --- /dev/null +++ b/queue-4.9/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch 
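Review bot: ovs_skb_network_trim() takes `tot_len` and `payload_len` straight from the packet and hands the result to `pskb_trim_rcsum()` without any bounds check. Two cases that the regular receive paths cited in the commit message guard against are not handled. An IPv4 `tot_len` smaller than the IP header would trim the skb into the header, and an IPv6 `payload_len` of zero with a hop-by-hop header (jumbo payload) would trim the packet to the bare IPv6 header. Whether earlier flow-key extraction already rules these out is not visible in the hunk, so a local check is the safer choice; a possible shape for the switch follows.

```c
	switch (skb->protocol) {
	case htons(ETH_P_IP):
		len = ntohs(ip_hdr(skb)->tot_len);
		/* tot_len is wire data: never trim into the IP header */
		if (len < ip_hdrlen(skb)) {
			kfree_skb(skb);
			return -EINVAL;
		}
		break;
	case htons(ETH_P_IPV6):
		/* payload_len == 0 with hop-by-hop marks a jumbogram */
		if (!ipv6_hdr(skb)->payload_len &&
		    ipv6_hdr(skb)->nexthdr == NEXTHDR_HOP)
			return 0;
		len = sizeof(struct ipv6hdr)
			+ ntohs(ipv6_hdr(skb)->payload_len);
		break;
	/* … unchanged: default case, pskb_trim_rcsum() call and error path … */
```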
@@ -0,0 +1,62 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Helge Deller +Date: Sun, 25 Mar 2018 14:04:22 +0200 +Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode + +From: Helge Deller + +[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ] + +Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy +I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card. + +To avoid such instability, this patch switches the LBA PCI bus from Hard Fail +mode into Soft Fail mode. In this mode the bus will return -1UL for timed out +MMIO transactions, which is exactly how the x86 (and most other architectures) +PCI busses behave. + +This patch is based on a proposal by Grant Grundler and Kyle McMartin 10 +years ago: +https://www.spinics.net/lists/linux-parisc/msg01027.html + +Cc: Carlo Pisani +Cc: Kyle McMartin +Reviewed-by: Grant Grundler +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/lba_pci.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1367,9 +1367,27 @@ lba_hw_init(struct lba_device *d) + WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG); + } + +- /* Set HF mode as the default (vs. -1 mode). */ ++ ++ /* ++ * Hard Fail vs. Soft Fail on PCI "Master Abort". ++ * ++ * "Master Abort" means the MMIO transaction timed out - usually due to ++ * the device not responding to an MMIO read. We would like HF to be ++ * enabled to find driver problems, though it means the system will ++ * crash with a HPMC. ++ * ++ * In SoftFail mode "~0L" is returned as a result of a timeout on the ++ * pci bus. This is like how PCI busses on x86 and most other ++ * architectures behave. In order to increase compatibility with ++ * existing (x86) PCI hardware and existing Linux drivers we enable ++ * Soft Faul mode on PA-RISC now too. 
++ */ + stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); ++#if defined(ENABLE_HARDFAIL) + WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#else ++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#endif + + /* + ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal diff --git a/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch b/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch new file mode 100644 index 00000000000..0b8d4bd6fe8 --- /dev/null +++ b/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Thomas Vincent-Cross +Date: Tue, 27 Feb 2018 20:20:36 +1100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 + +From: Thomas Vincent-Cross + +[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ] + +Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Signed-off-by: Thomas Vincent-Cross +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3874,6 +3874,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); 
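Review bot: `ENABLE_HARDFAIL` is tested by the new `#if defined(...)` in lba_hw_init() but is neither defined nor documented anywhere in the hunk, so Hard Fail mode is reachable only by editing the source. If the switch is meant to be usable, the comment should say how, e.g. `/* build with -DENABLE_HARDFAIL to debug drivers */`, or it should be tied to a config option; if not, the dead branch can go. In Soft Fail mode a timed-out read returns all ones instead of stopping the machine, so the comment could also remind driver authors to treat that value as an error. The added comment contains the typo "Soft Faul mode", and the hunk introduces a second consecutive blank line.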
diff --git a/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch b/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch new file mode 100644 index 00000000000..6cd3fcd2e16 --- /dev/null +++ b/queue-4.9/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: Alex Williamson +Date: Tue, 16 Jan 2018 10:05:26 -0700 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 9128 + +From: Alex Williamson + +[ Upstream commit aa008206634363ef800fbd5f0262016c9ff81dea ] + +The Marvell 9128 is the original device generating bug 42679, from which +many other Marvell DMA alias quirks have been sourced, but we didn't have +positive confirmation of the fix on 9128 until now. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Link: https://www.spinics.net/lists/kvm/msg161459.html +Reported-by: Binarus +Tested-by: Binarus +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3857,6 +3857,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); diff --git a/queue-4.9/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch b/queue-4.9/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch new file mode 100644 index 00000000000..efa6283c423 --- /dev/null +++ b/queue-4.9/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch 
@@ -0,0 +1,87 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Rafael J. Wysocki" +Date: Sat, 3 Mar 2018 10:53:24 +0100 +Subject: PCI: Restore config space on runtime resume despite being unbound + +From: "Rafael J. Wysocki" + +[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ] + +We leave PCI devices not bound to a driver in D0 during runtime suspend. +But they may have a parent which is bound and can be transitioned to +D3cold at runtime. Once the parent goes to D3cold, the unbound child +may go to D3cold as well. When the child goes to D3cold, its internal +state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. + +One example are recent hybrid graphics laptops which cut power to the +discrete GPU when the root port above it goes to ACPI power state D3. +Users may provoke this by unbinding the GPU driver and allowing runtime +PM on the GPU via sysfs: The PM core will then treat the GPU as +"suspended", which in turn allows the root port to runtime suspend, +causing the power resources listed in its _PR3 object to be powered off. +The GPU's BARs will be uninitialized when a driver later probes it. + +Another example are hybrid graphics laptops where the GPU itself (rather +than the root port) is capable of runtime suspending to D3cold. If the +GPU's integrated HDA controller is not bound and the GPU's driver +decides to runtime suspend to D3cold, the HDA controller's BARs will be +uninitialized when a driver later probes it. + +Fix by saving and restoring config space over a runtime suspend cycle +even if the device is not bound. + +Acked-by: Bjorn Helgaas +Tested-by: Peter Wu # Nvidia Optimus +Tested-by: Lukas Wunner # MacBook Pro +Signed-off-by: Rafael J. 
Wysocki +[lukas: add commit message, bikeshed code comments for clarity] +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1147,11 +1147,14 @@ static int pci_pm_runtime_suspend(struct + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1199,16 +1202,18 @@ static int pci_pm_runtime_resume(struct + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + __pci_enable_wake(pci_dev, PCI_D0, true, false); + pci_fixup_device(pci_fixup_resume, pci_dev); 
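Review bot: On the unbound path in pci_pm_runtime_suspend() the result of `pci_save_state(pci_dev)` is discarded and the function returns 0 unconditionally. pci_pm_runtime_resume() now calls `pci_restore_standard_config(pci_dev)` for every device and likewise ignores the result. If the save can fail, the later restore has nothing valid to write back and the failure is silent. A debug message on a non-zero return, or a comment explaining why the result is safe to ignore, would help. Both functions continue outside their hunks.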
diff --git a/queue-4.9/perf-callchain-fix-attr.sample_max_stack-setting.patch b/queue-4.9/perf-callchain-fix-attr.sample_max_stack-setting.patch new file mode 100644 index 00000000000..8b0b4141466 --- /dev/null +++ b/queue-4.9/perf-callchain-fix-attr.sample_max_stack-setting.patch 
@@ -0,0 +1,102 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: Arnaldo Carvalho de Melo +Date: Mon, 15 Jan 2018 11:07:58 -0300 +Subject: perf callchain: Fix attr.sample_max_stack setting + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 249d98e567e25dd03e015e2d31e1b7b9648f34df ] + +When setting the "dwarf" unwinder for a specific event and not +specifying the max-stack, the attr.sample_max_stack ended up using an +uninitialized callchain_param.max_stack, fix it by using designated +initializers for that callchain_param variable, zeroing all non +explicitely initialized struct members. + +Here is what happened: + + # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + callchain: type DWARF + callchain: stack dump size 8192 + perf_event_attr: + type 2 + size 112 + config 0x730 + { sample_period, sample_freq } 1 + sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC + exclude_callchain_user 1 + { wakeup_events, wakeup_watermark } 1 + sample_regs_user 0xff0fff + sample_stack_user 8192 + sample_max_stack 50656 + sys_perf_event_open failed, error -75 + Value too large for defined data type + # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + callchain: type DWARF + callchain: stack dump size 8192 + perf_event_attr: + type 2 + size 112 + config 0x730 + sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC + exclude_callchain_user 1 + sample_regs_user 0xff0fff + sample_stack_user 8192 + sample_max_stack 30448 + sys_perf_event_open failed, error -75 + Value too large for defined data type + # + +Now the attr.sample_max_stack is set to zero and the above works as +expected: + + # perf trace --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.072 ms + + --- ::1 ping statistics --- + 1 
packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.072/0.072/0.072/0.000 ms + 0.000 probe_libc:inet_pton:(7feb7a998350)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + __GI_getaddrinfo (inlined) + [0xffffaa39b6108f3f] (/usr/bin/ping) + # + +Cc: Adrian Hunter +Cc: David Ahern +Cc: Hendrick Brueckner +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Thomas Richter +Cc: Wang Nan +Link: https://lkml.kernel.org/n/tip-is9tramondqa9jlxxsgcm9iz@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -681,14 +681,14 @@ static void apply_config_terms(struct pe + struct perf_evsel_config_term *term; + struct list_head *config_terms = &evsel->config_terms; + struct perf_event_attr *attr = &evsel->attr; +- struct callchain_param param; ++ /* callgraph default */ ++ struct callchain_param param = { ++ .record_mode = callchain_param.record_mode, ++ }; + u32 dump_size = 0; + int max_stack = 0; + const char *callgraph_buf = NULL; + +- /* callgraph default */ +- param.record_mode = callchain_param.record_mode; +- + list_for_each_entry(term, config_terms, list) { + switch (term->type) { + case PERF_EVSEL__CONFIG_TERM_PERIOD: diff --git a/queue-4.9/perf-cgroup-fix-child-event-counting-bug.patch b/queue-4.9/perf-cgroup-fix-child-event-counting-bug.patch new file mode 100644 index 00000000000..240ea1a2211 --- /dev/null +++ b/queue-4.9/perf-cgroup-fix-child-event-counting-bug.patch 
@@ -0,0 +1,105 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Song Liu +Date: Mon, 12 Mar 2018 09:59:43 -0700 +Subject: perf/cgroup: Fix child event counting bug + +From: Song Liu + +[ Upstream commit c917e0f259908e75bd2a65877e25f9d90c22c848 ] + +When a perf_event is attached to parent cgroup, it should count events +for all children cgroups: + + parent_group <---- perf_event + \ + - child_group <---- process(es) + +However, in our tests, we found this perf_event cannot report reliable +results. Here is an example case: + + # create cgroups + mkdir -p /sys/fs/cgroup/p/c + # start perf for parent group + perf stat -e instructions -G "p" + + # on another console, run test process in child cgroup: + stressapptest -s 2 -M 1000 & echo $! > /sys/fs/cgroup/p/c/cgroup.procs + + # after the test process is done, stop perf in the first console shows + + instructions p + +The instruction should not be "not counted" as the process runs in the +child cgroup. + +We found this is because perf_event->cgrp and cpuctx->cgrp are not +identical, thus perf_event->cgrp are not updated properly. + +This patch fixes this by updating perf_cgroup properly for ancestor +cgroup(s). 
+ +Reported-by: Ephraim Park +Signed-off-by: Song Liu +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/20180312165943.1057894-1-songliubraving@fb.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -634,9 +634,15 @@ static inline void __update_cgrp_time(st + + static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx) + { +- struct perf_cgroup *cgrp_out = cpuctx->cgrp; +- if (cgrp_out) +- __update_cgrp_time(cgrp_out); ++ struct perf_cgroup *cgrp = cpuctx->cgrp; ++ struct cgroup_subsys_state *css; ++ ++ if (cgrp) { ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ __update_cgrp_time(cgrp); ++ } ++ } + } + + static inline void update_cgrp_time_from_event(struct perf_event *event) +@@ -664,6 +670,7 @@ perf_cgroup_set_timestamp(struct task_st + { + struct perf_cgroup *cgrp; + struct perf_cgroup_info *info; ++ struct cgroup_subsys_state *css; + + /* + * ctx->lock held by caller +@@ -674,8 +681,12 @@ perf_cgroup_set_timestamp(struct task_st + return; + + cgrp = perf_cgroup_from_task(task, ctx); +- info = this_cpu_ptr(cgrp->info); +- info->timestamp = ctx->timestamp; ++ ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ info = this_cpu_ptr(cgrp->info); ++ info->timestamp = ctx->timestamp; ++ } + } + + #define PERF_CGROUP_SWOUT 0x1 /* cgroup switch out every event */ 
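Review bot: The two new ancestor walks, `for (css = &cgrp->css; css; css = css->parent)` in update_cgrp_time_from_cpuctx and in perf_cgroup_set_timestamp, carry no comment saying why the parents are touched, and both reuse `cgrp` as the loop cursor. A line such as `/* an event on an ancestor cgroup counts for this one too: update every level up to the root */` above each loop would record the reason the commit message gives. Since the same walk now appears twice, a small iterator helper would keep the two copies in step. perf_cgroup_set_timestamp starts before its hunk, so the rest of its body is not visible here.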
diff --git a/queue-4.9/perf-core-fix-perf_output_read_group.patch b/queue-4.9/perf-core-fix-perf_output_read_group.patch
new file mode 100644
index 00000000000..a1daafad914
--- /dev/null
+++ b/queue-4.9/perf-core-fix-perf_output_read_group.patch
@@ -0,0 +1,78 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Peter Zijlstra +Date: Fri, 9 Mar 2018 12:52:04 +0100 +Subject: perf/core: Fix perf_output_read_group() + +From: Peter Zijlstra + +[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ] + +Mark reported his arm64 perf fuzzer runs sometimes splat like: + + armv8pmu_read_counter+0x1e8/0x2d8 + armpmu_event_update+0x8c/0x188 + armpmu_read+0xc/0x18 + perf_output_read+0x550/0x11e8 + perf_event_read_event+0x1d0/0x248 + perf_event_exit_task+0x468/0xbb8 + do_exit+0x690/0x1310 + do_group_exit+0xd0/0x2b0 + get_signal+0x2e8/0x17a8 + do_signal+0x144/0x4f8 + do_notify_resume+0x148/0x1e8 + work_pending+0x8/0x14 + +which asserts that we only call pmu::read() on ACTIVE events. + +The above callchain does: + + perf_event_exit_task() + perf_event_exit_task_context() + task_ctx_sched_out() // INACTIVE + perf_event_exit_event() + perf_event_set_state(EXIT) // EXIT + sync_child_event() + perf_event_read_event() + perf_output_read() + perf_output_read_group() + leader->pmu->read() + +Which results in doing a pmu::read() on an !ACTIVE event. + +I _think_ this is 'new' since we added attr.inherit_stat, which added +the perf_event_read_event() to the exit path, without that +perf_event_read_output() would only trigger from samples and for +@event to trigger a sample, it's leader _must_ be ACTIVE too. + +Still, adding this check makes it consistent with the @sub case for +the siblings. 
+ +Reported-and-Tested-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5700,7 +5700,8 @@ static void perf_output_read_group(struc + if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + values[n++] = running; + +- if (leader != event) ++ if ((leader != event) && ++ (leader->state == PERF_EVENT_STATE_ACTIVE)) + leader->pmu->read(leader); + + values[n++] = perf_event_count(leader); diff --git a/queue-4.9/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch b/queue-4.9/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch new file mode 100644 index 00000000000..3b8a543a38e --- /dev/null +++ b/queue-4.9/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch 
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Thomas Richter
+Date: Wed, 17 Jan 2018 14:16:11 +0100
+Subject: perf record: Fix failed memory allocation for get_cpuid_str
+
+From: Thomas Richter
+
+[ Upstream commit 81fccd6ca507d3b2012eaf1edeb9b1dbf4bd22db ]
+
+In x86 architecture dependend part function get_cpuid_str() mallocs a
+128 byte buffer, but does not check if the memory allocation succeeded
+or not.
+
+When the memory allocation fails, function __get_cpuid() is called with
+first parameter being a NULL pointer. However this function references
+its first parameter and operates on a NULL pointer which might cause
+core dumps.
+
+Signed-off-by: Thomas Richter
+Cc: Heiko Carstens
+Cc: Hendrik Brueckner
+Cc: Martin Schwidefsky
+Link: http://lkml.kernel.org/r/20180117131611.34319-1-tmricht@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/arch/x86/util/header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/arch/x86/util/header.c
++++ b/tools/perf/arch/x86/util/header.c
+@@ -69,7 +69,7 @@ get_cpuid_str(void)
+ {
+ char *buf = malloc(128);
+
+- if (__get_cpuid(buf, 128, "%s-%u-%X$") < 0) {
++ if (buf && __get_cpuid(buf, 128, "%s-%u-%X$") < 0) {
+ free(buf);
+ return NULL;
+ }
diff --git a/queue-4.9/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch b/queue-4.9/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch
new file mode 100644
index 00000000000..9ed637ef80e
--- /dev/null
+++ b/queue-4.9/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch
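Review bot: The allocation failure in get_cpuid_str is handled only implicitly: with `buf && __get_cpuid(...)` a NULL buf skips the block, and the function relies on whatever follows the hunk (presumably a `return buf;`, not visible here) to hand NULL back. An explicit guard before the call, `if (!buf) return NULL;`, leaves the original condition untouched and makes the failure path readable. The literal 128 is also repeated for the allocation and for the length argument; a named constant would keep the two in step.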
@@ -0,0 +1,101 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jiri Olsa +Date: Fri, 16 Feb 2018 13:36:19 +0100 +Subject: perf report: Fix memory corruption in --branch-history mode --branch-history + +From: Jiri Olsa + +[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ] + +Jin Yao reported memory corrupton in perf report with +branch info used for stack trace: + + > Following command lines will cause perf crash. + + > perf record -j call -g -a + > perf report --branch-history + > + > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 *** + > ======= Backtrace: ========= + > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725] + > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a] + > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc] + > perf[0x51b914] + > perf(hist_entry_iter__add+0x1e5)[0x51f305] + > perf[0x43cf01] + > perf[0x4fa3bf] + > perf[0x4fa923] + > perf[0x4fd396] + > perf[0x4f9614] + > perf(perf_session__process_events+0x89e)[0x4fc38e] + > perf(cmd_report+0x15d2)[0x43f202] + > perf[0x4a059f] + > perf(main+0x631)[0x427b71] + > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830] + > perf(_start+0x29)[0x427d89] + +For the cumulative output, we allocate the he_cache array based on the +--max-stack option value and populate it with data from 'callchain_cursor'. + +The --max-stack option value does not ensure now the limit for number of +callchain_cursor nodes, so the cumulative iter code will allocate smaller array +than it's actually needed and cause above corruption. + +I think the --max-stack limit does not apply here anyway, because we add +callchain data as normal hist entries, while the --max-stack control the limit +of single entry callchain depth. + +Using the callchain_cursor.nr as he_cache array count to fix this. Also +removing struct hist_entry_iter::max_stack, because there's no longer any use +for it. 
+ +We need more fixes to ensure that the branch stack code follows properly the +logic of --max-stack, which is not the case at the moment. + +Original-patch-by: Jin Yao +Signed-off-by: Jiri Olsa +Reported-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/hist.c | 4 +--- + tools/perf/util/hist.h | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -865,7 +865,7 @@ iter_prepare_cumulative_entry(struct his + * cumulated only one time to prevent entries more than 100% + * overhead. + */ +- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); ++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); + if (he_cache == NULL) + return -ENOMEM; + +@@ -1030,8 +1030,6 @@ int hist_entry_iter__add(struct hist_ent + if (err) + return err; + +- iter->max_stack = max_stack_depth; +- + err = iter->ops->prepare_entry(iter, al); + if (err) + goto out; +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -102,7 +102,6 @@ struct hist_entry_iter { + int curr; + + bool hide_unresolved; +- int max_stack; + + struct perf_evsel *evsel; + struct perf_sample *sample; diff --git a/queue-4.9/perf-stat-fix-core-dump-when-flag-t-is-used.patch b/queue-4.9/perf-stat-fix-core-dump-when-flag-t-is-used.patch new file mode 100644 index 00000000000..dea1702e916 --- /dev/null +++ b/queue-4.9/perf-stat-fix-core-dump-when-flag-t-is-used.patch 
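Review bot: In iter_prepare_cumulative_entry the array size is now `sizeof(*he_cache) * (callchain_cursor.nr + 1)`, an unchecked multiplication on a count taken from the recorded callchain rather than from the --max-stack option. `he_cache = calloc(callchain_cursor.nr + 1, sizeof(*he_cache));` sizes the same array and fails cleanly if the product would overflow. The code that fills he_cache is outside the hunk, so whether its index is bounded by this same callchain_cursor.nr value cannot be confirmed from here. The function starts before the hunk and continues past it.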
@@ -0,0 +1,116 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Thomas Richter +Date: Thu, 8 Mar 2018 15:57:35 +0100 +Subject: perf stat: Fix core dump when flag T is used + +From: Thomas Richter + +[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ] + +Executing command 'perf stat -T -- ls' dumps core on x86 and s390. + +Here is the call back chain (done on x86): + + # gdb ./perf + .... + (gdb) r stat -T -- ls +... +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 +(gdb) where + #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 + #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6 + #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233 + #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930) at util/parse-events.c:1288 + #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580, + scanner=0xbf4210) at util/parse-events.y:234 + #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", + parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673 + #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0) + at util/parse-events.c:1713 + #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281 + #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at + builtin-stat.c:2828 + #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 , argc=4, + argv=0x7fffffffe3b0) at perf.c:297 + #10 0x00000000004c8d7c in handle_internal_command (argc=4, + argv=0x7fffffffe3b0) at perf.c:349 + #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c, + argv=0x7fffffffe200) at 
perf.c:393 + #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537 +(gdb) + +It turns out that a NULL pointer is referenced. Here are the +function calls: + + ... + cmd_stat() + +---> add_default_attributes() + +---> parse_events(evsel_list, transaction_attrs, NULL); + 3rd parameter set to NULL + +Function parse_events(xx, xx, struct parse_events_error *err) dives +into a bison generated scanner and creates +parser state information for it first: + + struct parse_events_state parse_state = { + .list = LIST_HEAD_INIT(parse_state.list), + .idx = evlist->nr_entries, + .error = err, <--- NULL POINTER !!! + .evlist = evlist, + }; + +Now various functions inside the bison scanner are called to end up in +__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with +first parameter being a pointer to above structure definition. + +Now the PMU event name is not found (because being executed in a VM) and +this function tries to create an error message with + + asprintf(&parse_state->error.str, ....) + +which references a NULL pointer and dumps core. + +Fix this by providing a pointer to the necessary error information +instead of NULL. Technically only the else part is needed to avoid the +core dump, just lets be safe... 
+ +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-stat.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -2042,11 +2042,16 @@ static int add_default_attributes(void) + return 0; + + if (transaction_run) { ++ struct parse_events_error errinfo; ++ + if (pmu_have_event("cpu", "cycles-ct") && + pmu_have_event("cpu", "el-start")) +- err = parse_events(evsel_list, transaction_attrs, NULL); ++ err = parse_events(evsel_list, transaction_attrs, ++ &errinfo); + else +- err = parse_events(evsel_list, transaction_limited_attrs, NULL); ++ err = parse_events(evsel_list, ++ transaction_limited_attrs, ++ &errinfo); + if (err) { + fprintf(stderr, "Cannot set up transaction events\n"); + return -1; diff --git a/queue-4.9/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch b/queue-4.9/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch new file mode 100644 index 00000000000..68da4026f1c --- /dev/null +++ b/queue-4.9/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch 
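Review bot: `struct parse_events_error errinfo;` in add_default_attributes is handed to parse_events() without being initialised, so any field the parser reads before writing it starts as stack garbage; zero it at the declaration, `struct parse_events_error errinfo = { 0 };`. The commit message shows the parser storing an asprintf() result in the error's `str` field, yet the error branch here prints only the fixed "Cannot set up transaction events" text and returns, so that string is neither shown nor freed. Printing and releasing it would make the failure diagnosable; which helper does that in this tree is not visible in the hunk. add_default_attributes starts before the hunk and continues past it.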
@@ -0,0 +1,57 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jiri Olsa +Date: Thu, 15 Feb 2018 13:26:35 +0100 +Subject: perf tests: Use arch__compare_symbol_names to compare symbols + +From: Jiri Olsa + +[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ] + +The symbol search called by machine__find_kernel_symbol_by_name is using +internally arch__compare_symbol_names function to compare 2 symbol +names, because different archs have different ways of comparing symbols. +Mostly for skipping '.' prefixes and similar. + +In test 1 when we try to find matching symbols in kallsyms and vmlinux, +by address and by symbol name. When either is found we compare the pair +symbol names by simple strcmp, which is not good enough for reasons +explained in previous paragraph. + +On powerpc this can cause lockup, because even thought we found the +pair, the compared names are different and don't match simple strcmp. +Following code path is executed, that leads to lockup: + + - we find the pair in kallsyms by sym->start +next_pair: + - we compare the names and it fails + - we find the pair by sym->name + - the pair addresses match so we call goto next_pair + because we assume the names match in this case + +Signed-off-by: Jiri Olsa +Tested-by: Naveen N. Rao +Acked-by: Naveen N. 
Rao +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically") +Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/vmlinux-kallsyms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/vmlinux-kallsyms.c ++++ b/tools/perf/tests/vmlinux-kallsyms.c +@@ -123,7 +123,7 @@ int test__vmlinux_matches_kallsyms(int s + + if (pair && UM(pair->start) == mem_start) { + next_pair: +- if (strcmp(sym->name, pair->name) == 0) { ++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) { + /* + * kallsyms don't have the symbol end, so we + * set that by using the next symbol start - 1, diff --git a/queue-4.9/perf-top-fix-top.call-graph-config-option-reading.patch b/queue-4.9/perf-top-fix-top.call-graph-config-option-reading.patch new file mode 100644 index 00000000000..771079cd169 --- /dev/null +++ b/queue-4.9/perf-top-fix-top.call-graph-config-option-reading.patch 
@@ -0,0 +1,51 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Yisheng Xie
+Date: Mon, 12 Mar 2018 19:25:56 +0800
+Subject: perf top: Fix top.call-graph config option reading
+
+From: Yisheng Xie
+
+[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ]
+
+When trying to add the "call-graph" variable for top into the
+.perfconfig file, like:
+
+ [top]
+ call-graph = fp
+
+I that perf_top_config() do not parse this variable.
+
+Fix it by calling perf_default_config() when the top.call-graph variable
+is set.
+
+Signed-off-by: Yisheng Xie
+Tested-by: Arnaldo Carvalho de Melo
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Wang Nan
+Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()")
+Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/builtin-top.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1061,8 +1061,10 @@ parse_callchain_opt(const struct option
+
+ static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused)
+ {
+- if (!strcmp(var, "top.call-graph"))
+- var = "call-graph.record-mode"; /* fall-through */
++ if (!strcmp(var, "top.call-graph")) {
++ var = "call-graph.record-mode";
++ return perf_default_config(var, value, cb);
++ }
+ if (!strcmp(var, "top.children")) {
+ symbol_conf.cumulate_callchain = perf_config_bool(var, value);
+ return 0;
diff --git a/queue-4.9/perf-x86-intel-fix-event-update-for-auto-reload.patch b/queue-4.9/perf-x86-intel-fix-event-update-for-auto-reload.patch
new file mode 100644
index 00000000000..34398694106
--- /dev/null
+++ b/queue-4.9/perf-x86-intel-fix-event-update-for-auto-reload.patch
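Review bot: `cb` is now passed to perf_default_config(), but the signature shown in the hunk still declares it `void *cb __maybe_unused`; the annotation is stale and can be dropped. The assignment to `var` just before the return exists only to feed that call, so the two lines can become `return perf_default_config("call-graph.record-mode", value, cb);`. perf_top_config continues past the end of the hunk.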
@@ -0,0 +1,238 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Kan Liang +Date: Mon, 12 Feb 2018 14:20:31 -0800 +Subject: perf/x86/intel: Fix event update for auto-reload + +From: Kan Liang + +[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ] + +There is a bug when reading event->count with large PEBS enabled. + +Here is an example: + + # ./read_count + 0x71f0 + 0x122c0 + 0x1000000001c54 + 0x100000001257d + 0x200000000bdc5 + +In fixed period mode, the auto-reload mechanism could be enabled for +PEBS events, but the calculation of event->count does not take the +auto-reload values into account. + +Anyone who reads event->count will get the wrong result, e.g x86_pmu_read(). + +This bug was introduced with the auto-reload mechanism enabled since +commit: + + 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") + +Introduce intel_pmu_save_and_restart_reload() to calculate the +event->count only for auto-reload. + +Since the counter increments a negative counter value and overflows on +the sign switch, giving the interval: + + [-period, 0] + +the difference between two consequtive reads is: + + A) value2 - value1; + when no overflows have happened in between, + B) (0 - value1) + (value2 - (-period)); + when one overflow happened in between, + C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); + when @n overflows happened in between. + +Here A) is the obvious difference, B) is the extension to the discrete +interval, where the first term is to the top of the interval and the +second term is from the bottom of the next interval and C) the extension +to multiple intervals, where the middle term is the whole intervals +covered. + +The equation for all cases is: + + value2 - value1 + n * period + +Previously the event->count is updated right before the sample output. +But for case A, there is no PEBS record ready. It needs to be specially +handled. 
+ +Remove the auto-reload code from x86_perf_event_set_period() since +we'll not longer call that function in this case. + +Based-on-code-from: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") +Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 15 ++----- + arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 94 insertions(+), 13 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1155,16 +1155,13 @@ int x86_perf_event_set_period(struct per + + per_cpu(pmc_prev_left[idx], smp_processor_id()) = left; + +- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) || +- local64_read(&hwc->prev_count) != (u64)-left) { +- /* +- * The hw event starts counting from this event offset, +- * mark it to be able to extra future deltas: +- */ +- local64_set(&hwc->prev_count, (u64)-left); ++ /* ++ * The hw event starts counting from this event offset, ++ * mark it to be able to extra future deltas: ++ */ ++ local64_set(&hwc->prev_count, (u64)-left); + +- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); +- } ++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); + + /* + * Due to erratum on certan cpu we need +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1272,17 +1272,84 @@ get_next_pebs_record_by_bit(void *base, + return NULL; + } + ++/* ++ * Special variant of intel_pmu_save_and_restart() for auto-reload. 
++ */ ++static int ++intel_pmu_save_and_restart_reload(struct perf_event *event, int count) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ int shift = 64 - x86_pmu.cntval_bits; ++ u64 period = hwc->sample_period; ++ u64 prev_raw_count, new_raw_count; ++ s64 new, old; ++ ++ WARN_ON(!period); ++ ++ /* ++ * drain_pebs() only happens when the PMU is disabled. ++ */ ++ WARN_ON(this_cpu_read(cpu_hw_events.enabled)); ++ ++ prev_raw_count = local64_read(&hwc->prev_count); ++ rdpmcl(hwc->event_base_rdpmc, new_raw_count); ++ local64_set(&hwc->prev_count, new_raw_count); ++ ++ /* ++ * Since the counter increments a negative counter value and ++ * overflows on the sign switch, giving the interval: ++ * ++ * [-period, 0] ++ * ++ * the difference between two consequtive reads is: ++ * ++ * A) value2 - value1; ++ * when no overflows have happened in between, ++ * ++ * B) (0 - value1) + (value2 - (-period)); ++ * when one overflow happened in between, ++ * ++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); ++ * when @n overflows happened in between. ++ * ++ * Here A) is the obvious difference, B) is the extension to the ++ * discrete interval, where the first term is to the top of the ++ * interval and the second term is from the bottom of the next ++ * interval and C) the extension to multiple intervals, where the ++ * middle term is the whole intervals covered. 
++ * ++ * An equivalent of C, by reduction, is: ++ * ++ * value2 - value1 + n * period ++ */ ++ new = ((s64)(new_raw_count << shift) >> shift); ++ old = ((s64)(prev_raw_count << shift) >> shift); ++ local64_add(new - old + count * period, &event->count); ++ ++ perf_event_update_userpage(event); ++ ++ return 0; ++} ++ + static void __intel_pmu_pebs_event(struct perf_event *event, + struct pt_regs *iregs, + void *base, void *top, + int bit, int count) + { ++ struct hw_perf_event *hwc = &event->hw; + struct perf_sample_data data; + struct pt_regs regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); + +- if (!intel_pmu_save_and_restart(event) && +- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)) ++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { ++ /* ++ * Now, auto-reload is only enabled in fixed period mode. ++ * The reload value is always hwc->sample_period. ++ * May need to change it, if auto-reload is enabled in ++ * freq mode later. ++ */ ++ intel_pmu_save_and_restart_reload(event, count); ++ } else if (!intel_pmu_save_and_restart(event)) + return; + + while (count > 1) { +@@ -1334,8 +1401,11 @@ static void intel_pmu_drain_pebs_core(st + return; + + n = top - at; +- if (n <= 0) ++ if (n <= 0) { ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); + return; ++ } + + __intel_pmu_pebs_event(event, iregs, at, top, 0, n); + } +@@ -1358,8 +1428,22 @@ static void intel_pmu_drain_pebs_nhm(str + + ds->pebs_index = ds->pebs_buffer_base; + +- if (unlikely(base >= top)) ++ if (unlikely(base >= top)) { ++ /* ++ * The drain_pebs() could be called twice in a short period ++ * for auto-reload event in pmu::read(). There are no ++ * overflows have happened in between. ++ * It needs to call intel_pmu_save_and_restart_reload() to ++ * update the event->count for this case. 
++ */ ++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled, ++ x86_pmu.max_pebs_events) { ++ event = cpuc->events[bit]; ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); ++ } + return; ++ } + + for (at = base; at < top; at += x86_pmu.pebs_record_size) { + struct pebs_record_nhm *p = at; diff --git a/queue-4.9/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch b/queue-4.9/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch new file mode 100644 index 00000000000..eae936fddde --- /dev/null +++ b/queue-4.9/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch 
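Review bot: In the new `base >= top` path of intel_pmu_drain_pebs_nhm, `event = cpuc->events[bit]` is dereferenced immediately, and nothing in the hunk shows that every bit set in `cpuc->pebs_enabled` below `x86_pmu.max_pebs_events` has a non-NULL entry. If that invariant holds, a one-line comment stating it would help; if not, the test should read `if (event && (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD))`. Separately, intel_pmu_save_and_restart_reload() always returns 0 and all three call sites ignore the result, so it could be declared `void`. intel_pmu_drain_pebs_nhm starts before the hunk and continues past it.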
@@ -0,0 +1,74 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Kan Liang
+Date: Thu, 1 Mar 2018 12:54:54 -0500
+Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs
+
+From: Kan Liang
+
+[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ]
+
+Large fixed period values could be truncated on Broadwell, for example:
+
+ perf record -e cycles -c 10000000000
+
+Here the fixed period is 0x2540BE400, but the period which finally applied is
+0x540BE400 - which is wrong.
+
+The reason is that x86_pmu::limit_period() uses an u32 parameter, so the
+high 32 bits of 'period' get truncated.
+
+This bug was introduced in:
+
+ commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+
+It's safe to use u64 instead of u32:
+
+ - Although the 'left' is s64, the value of 'left' must be positive when
+ calling limit_period().
+
+ - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch
+ the higher 32 bits.
+
+Signed-off-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds")
+Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com
+[ Rewrote unacceptably bad changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/core.c | 2 +-
+ arch/x86/events/perf_event.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3027,7 +3027,7 @@ hsw_get_event_constraints(struct cpu_hw_
+ * Therefore the effective (average) period matches the requested period,
+ * despite coarser hardware granularity.
+ */
+-static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
++static u64 bdw_limit_period(struct perf_event *event, u64 left)
+ {
+ if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
+ X86_CONFIG(.event=0xc0, .umask=0x01)) {
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -548,7 +548,7 @@ struct x86_pmu {
+ struct x86_pmu_quirk *quirks;
+ int perfctr_second_write;
+ bool late_ack;
+- unsigned (*limit_period)(struct perf_event *event, unsigned l);
++ u64 (*limit_period)(struct perf_event *event, u64 l);
+
+ /*
+ * sysfs attrs
diff --git a/queue-4.9/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch b/queue-4.9/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch
new file mode 100644
index 00000000000..9653723bc75
--- /dev/null
+++ b/queue-4.9/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch
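Review bot: Widening `left` to `u64` in `bdw_limit_period()` only removes the truncation if every constant the body combines with it is 64-bit too, and the body lies outside this hunk. The description says the function only modifies the lowest 6 bits; if that is done with an `unsigned int` mask, the mask is zero-extended and the AND clears bits 32-63, which brings back the truncation this change is meant to fix. Confirm the mask is written with a 64-bit type, for example `left &= ~0x3fULL;`. Any caller that stores the result of `x86_pmu.limit_period()` in a 32-bit variable needs the same check; none are visible here.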
@@ -0,0 +1,123 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Stephane Eranian +Date: Fri, 23 Mar 2018 00:01:47 -0700 +Subject: perf/x86/intel: Fix linear IP of PEBS real_ip on Haswell and later CPUs + +From: Stephane Eranian + +[ Upstream commit 71eb9ee9596d8df3d5723c3cfc18774c6235e8b1 ] + +this patch fix a bug in how the pebs->real_ip is handled in the PEBS +handler. real_ip only exists in Haswell and later processor. It is +actually the eventing IP, i.e., where the event occurred. As opposed +to the pebs->ip which is the PEBS interrupt IP which is always off +by one. + +The problem is that the real_ip just like the IP needs to be fixed up +because PEBS does not record all the machine state registers, and +in particular the code segement (cs). This is why we have the set_linear_ip() +function. The problem was that set_linear_ip() was only used on the pebs->ip +and not the pebs->real_ip. + +We have profiles which ran into invalid callstacks because of this. +Here is an example: + + ..... 0: ffffffffffffff80 recent entry, marker kernel v + ..... 1: 000000000040044d <= user address in kernel space! + ..... 2: fffffffffffffe00 marker enter user v + ..... 3: 000000000040044d + ..... 4: 00000000004004b6 oldest entry + +Debugging output in get_perf_callchain(): + + [ 857.769909] CALLCHAIN: CPU8 ip=40044d regs->cs=10 user_mode(regs)=0 + +The problem is that the kernel entry in 1: points to a user level +address. How can that be? + +The reason is that with PEBS sampling the instruction that caused the event +to occur and the instruction where the CPU was when the interrupt was posted +may be far apart. And sometime during that time window, the privilege level may +change. This happens, for instance, when the PEBS sample is taken close to a +kernel entry point. Here PEBS, eventing IP (real_ip) captured a user level +instruction. But by the time the PMU interrupt fired, the processor had already +entered kernel space. 
This is why the debug output shows a user address with +user_mode() false. + +The problem comes from PEBS not recording the code segment (cs) register. +The register is used in x86_64 to determine if executing in kernel vs user +space. This is okay because the kernel has a software workaround called +set_linear_ip(). But the issue in setup_pebs_sample_data() is that +set_linear_ip() is never called on the real_ip value when it is available +(Haswell and later) and precise_ip > 1. + +This patch fixes this problem and eliminates the callchain discrepancy. + +The patch restructures the code around set_linear_ip() to minimize the number +of times the IP has to be set. + +Signed-off-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: kan.liang@intel.com +Link: http://lkml.kernel.org/r/1521788507-10231-1-git-send-email-eranian@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1110,6 +1110,7 @@ static void setup_pebs_sample_data(struc + if (pebs == NULL) + return; + ++ regs->flags &= ~PERF_EFLAGS_EXACT; + sample_type = event->attr.sample_type; + dsrc = sample_type & PERF_SAMPLE_DATA_SRC; + +@@ -1154,7 +1155,6 @@ static void setup_pebs_sample_data(struc + */ + *regs = *iregs; + regs->flags = pebs->flags; +- set_linear_ip(regs, pebs->ip); + + if (sample_type & PERF_SAMPLE_REGS_INTR) { + regs->ax = pebs->ax; +@@ -1190,13 +1190,22 @@ static void setup_pebs_sample_data(struc + #endif + } + +- if (event->attr.precise_ip > 1 && x86_pmu.intel_cap.pebs_format >= 2) { +- regs->ip = pebs->real_ip; +- regs->flags |= PERF_EFLAGS_EXACT; +- } else if (event->attr.precise_ip > 1 && intel_pmu_pebs_fixup_ip(regs)) +- regs->flags |= 
PERF_EFLAGS_EXACT; +- else +- regs->flags &= ~PERF_EFLAGS_EXACT; ++ if (event->attr.precise_ip > 1) { ++ /* Haswell and later have the eventing IP, so use it: */ ++ if (x86_pmu.intel_cap.pebs_format >= 2) { ++ set_linear_ip(regs, pebs->real_ip); ++ regs->flags |= PERF_EFLAGS_EXACT; ++ } else { ++ /* Otherwise use PEBS off-by-1 IP: */ ++ set_linear_ip(regs, pebs->ip); ++ ++ /* ... and try to fix it up using the LBR entries: */ ++ if (intel_pmu_pebs_fixup_ip(regs)) ++ regs->flags |= PERF_EFLAGS_EXACT; ++ } ++ } else ++ set_linear_ip(regs, pebs->ip); ++ + + if ((sample_type & PERF_SAMPLE_ADDR) && + x86_pmu.intel_cap.pebs_format >= 1) diff --git a/queue-4.9/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch b/queue-4.9/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch new file mode 100644 index 00000000000..10d1f75ea3d --- /dev/null +++ b/queue-4.9/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch 
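Review bot: The `regs->flags &= ~PERF_EFLAGS_EXACT;` added near the top of `setup_pebs_sample_data()` appears to have no lasting effect, because the context of the second hunk shows `*regs = *iregs;` followed by `regs->flags = pebs->flags;` later in the same function. After that assignment the exact bit is only ever set, so the non-exact paths depend on `pebs->flags` happening to have it clear. Clearing it where the flags are loaded would make the intent hold: `regs->flags = pebs->flags & ~PERF_EFLAGS_EXACT;`. The trailing `} else` also wants braces to match the braced `if` branch. The function body extends beyond these hunks, so the statement order should be confirmed against the full file.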
@@ -0,0 +1,74 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Kan Liang +Date: Tue, 20 Feb 2018 02:11:50 -0800 +Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler + +From: Kan Liang + +[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ] + +The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated +accordingly. + +This is fine in current usage because no-one checks it - but fix it +for future code: for example, the drain_pebs() will be modified to +fix an auto-reload bug. + +Properly save/restore the old PMU state. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: kernel test robot +Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2066,16 +2066,23 @@ static int intel_pmu_handle_irq(struct p + int bit, loops; + u64 status; + int handled; ++ int pmu_enabled; + + cpuc = this_cpu_ptr(&cpu_hw_events); + + /* ++ * Save the PMU state. ++ * It needs to be restored when leaving the handler. ++ */ ++ pmu_enabled = cpuc->enabled; ++ /* + * No known reason to not always do late ACK, + * but just in case do it opt-in. + */ + if (!x86_pmu.late_ack) + apic_write(APIC_LVTPC, APIC_DM_NMI); + intel_bts_disable_local(); ++ cpuc->enabled = 0; + __intel_pmu_disable_all(); + handled = intel_pmu_drain_bts_buffer(); + handled += intel_bts_interrupt(); +@@ -2173,7 +2180,8 @@ again: + + done: + /* Only restore PMU state when it's active. See x86_pmu_disable(). 
*/ +- if (cpuc->enabled) ++ cpuc->enabled = pmu_enabled; ++ if (pmu_enabled) + __intel_pmu_enable_all(0, true); + intel_bts_enable_local(); + diff --git a/queue-4.9/pinctrl-msm-use-dynamic-gpio-numbering.patch b/queue-4.9/pinctrl-msm-use-dynamic-gpio-numbering.patch new file mode 100644 index 00000000000..63bebae0080 --- /dev/null +++ b/queue-4.9/pinctrl-msm-use-dynamic-gpio-numbering.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Bjorn Andersson +Date: Sun, 28 Jan 2018 16:59:48 -0800 +Subject: pinctrl: msm: Use dynamic GPIO numbering + +From: Bjorn Andersson + +[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ] + +The base of the TLMM gpiochip should not be statically defined as 0, fix +this to not artificially restrict the existence of multiple pinctrl-msm +devices. + +Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") +Reported-by: Timur Tabi +Signed-off-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -790,7 +790,7 @@ static int msm_gpio_init(struct msm_pinc + return -EINVAL; + + chip = &pctrl->chip; +- chip->base = 0; ++ chip->base = -1; + chip->ngpio = ngpio; + chip->label = dev_name(pctrl->dev); + chip->parent = pctrl->dev; diff --git a/queue-4.9/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch b/queue-4.9/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch new file mode 100644 index 00000000000..1be9d1c0d38 --- /dev/null +++ b/queue-4.9/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch 
@@ -0,0 +1,191 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Takeshi Kihara +Date: Fri, 16 Feb 2018 15:25:03 +0100 +Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group + +From: Takeshi Kihara + +[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ] + +This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment +for SSI pins group. + +This is a correction to the incorrect implementation of MOD_SEL register +pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware +User's Manual Rev.0.51E or later. + +Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support") +Signed-off-by: Takeshi Kihara +Signed-off-by: Ulrich Hecht +Reviewed-by: Simon Horman +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c +@@ -1,7 +1,7 @@ + /* + * R8A7796 processor support - PFC hardware block. + * +- * Copyright (C) 2016 Renesas Electronics Corp. ++ * Copyright (C) 2016-2017 Renesas Electronics Corp. 
+ * + * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c + * +@@ -476,7 +476,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28) + #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1) + #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3) + #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0) +-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1) ++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1) + #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1) + #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3) + #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1) +@@ -1208,7 +1208,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_11_8, HSCK0), + PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0), +- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1), + PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2), +@@ -1216,14 +1216,14 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP13_15_12, HRX0), + PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2), + + PINMUX_IPSR_GPSR(IP13_19_16, HTX0), + PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3), + 
PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2), +@@ -1231,7 +1231,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N), + PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2), +@@ -1240,7 +1240,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N), + PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0), + PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A), +@@ -1255,7 +1255,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0), + PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2), +- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2), + PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A), + PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1), +@@ -1264,7 +1264,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0), +- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3), + 
PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D), + PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1), +@@ -1292,10 +1292,10 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5), + + /* IPSR15 */ +- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0), + +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0), +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1), + + PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK34), + PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0), +@@ -1381,11 +1381,11 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0), + PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0), + +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1), + PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0), +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1), + PINMUX_IPSR_GPSR(IP16_31_28, SCK1), + PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0), + PINMUX_IPSR_GPSR(IP16_31_28, SCK5_A), +@@ -1417,7 +1417,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN), + PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2), +- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1), +@@ -1427,7 +1427,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC), + PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2), 
+- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1), +@@ -1437,7 +1437,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN), + PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B), +- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_2), + PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4), +@@ -1449,7 +1449,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC), + PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B), +- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4), +@@ -1460,7 +1460,7 @@ static const u16 pinmux_data[] = { + /* IPSR18 */ + PINMUX_IPSR_GPSR(IP18_3_0, GP6_30), + PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B), +- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1), +@@ -1471,7 +1471,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP18_7_4, GP6_31), + PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B), +- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_7_4, 
RIF2_D1_B, SEL_DRIF2_1), diff --git a/queue-4.9/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch b/queue-4.9/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch new file mode 100644 index 00000000000..9df8d9f456c --- /dev/null +++ b/queue-4.9/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch 
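Review bot: The `pinmux_data[]` entries now reference `SEL_SSI2_0`, `SEL_SSI2_1`, `SEL_SSI9_0` and `SEL_SSI9_1`, but the only `MOD_SEL` definition this patch touches is `MOD_SEL1_20`, which introduces `SEL_SSI1_0` and `SEL_SSI1_1`. The SSI2 and SSI9 selectors therefore have to exist already in the 4.9 copy of pfc-r8a7796.c, presumably under the MOD_SEL2 bits the description mentions. Those definitions are outside the hunks shown, so this backport should be build-tested on the 4.9 tree before it is queued.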
@@ -0,0 +1,43 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Eric Biggers
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: PKCS#7: fix direct verification of SignerInfo signature
+
+From: Eric Biggers
+
+[ Upstream commit 6459ae386699a5fe0dc52cf30255f75274fa43a4 ]
+
+If none of the certificates in a SignerInfo's certificate chain match a
+trusted key, nor is the last certificate signed by a trusted key, then
+pkcs7_validate_trust_one() tries to check whether the SignerInfo's
+signature was made directly by a trusted key. But, it actually fails to
+set the 'sig' variable correctly, so it actually verifies the last
+signature seen. That will only be the SignerInfo's signature if the
+certificate chain is empty; otherwise it will actually be the last
+certificate's signature.
+
+This is not by itself a security problem, since verifying any of the
+certificates in the chain should be sufficient to verify the SignerInfo.
+Still, it's not working as intended so it should be fixed.
+
+Fix it by setting 'sig' correctly for the direct verification case.
+
+Fixes: 757932e6da6d ("PKCS#7: Handle PKCS#7 messages that contain no X.509 certs")
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/asymmetric_keys/pkcs7_trust.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/asymmetric_keys/pkcs7_trust.c
++++ b/crypto/asymmetric_keys/pkcs7_trust.c
+@@ -106,6 +106,7 @@ static int pkcs7_validate_trust_one(stru
+ pr_devel("sinfo %u: Direct signer is key %x\n",
+ sinfo->index, key_serial(key));
+ x509 = NULL;
++ sig = sinfo->sig;
+ goto matched;
+ }
+ if (PTR_ERR(key) != -ENOKEY)
diff --git a/queue-4.9/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch b/queue-4.9/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch
new file mode 100644
index 00000000000..daabcfd58b0
--- /dev/null
+++ b/queue-4.9/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch
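Review bot: The added `sig = sinfo->sig;` carries the whole fix, yet nothing at the assignment says why `sig` has to be reset on the direct-signer path. According to the description, without it this branch verifies the last signature seen, which is the last certificate's rather than the SignerInfo's whenever the chain is not empty. A short comment would keep a later refactor from dropping the line, for example `/* Direct signer: check the SignerInfo's own signature, not the last X.509 cert's */`. `pkcs7_validate_trust_one()` starts and ends outside the hunk, so how `sig` is used after `matched:` cannot be checked from here.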
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Mathieu Malaterre
+Date: Sun, 25 Feb 2018 18:22:29 +0100
+Subject: powerpc: Add missing prototype for arch_irq_work_raise()
+
+From: Mathieu Malaterre
+
+[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ]
+
+In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new
+function arch_irq_work_raise() was added without a prototype in header
+irq_work.h.
+
+Fix the following warning (treated as error in W=1):
+ arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’
+
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/irq_work.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/irq_work.h
++++ b/arch/powerpc/include/asm/irq_work.h
+@@ -5,5 +5,6 @@ static inline bool arch_irq_work_has_int
+ {
+ return true;
+ }
++extern void arch_irq_work_raise(void);
+
+ #endif /* _ASM_POWERPC_IRQ_WORK_H */
diff --git a/queue-4.9/powerpc-boot-fix-random-libfdt-related-build-errors.patch b/queue-4.9/powerpc-boot-fix-random-libfdt-related-build-errors.patch
new file mode 100644
index 00000000000..bfc9484d18c
--- /dev/null
+++ b/queue-4.9/powerpc-boot-fix-random-libfdt-related-build-errors.patch
@@ -0,0 +1,52 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guenter Roeck
+Date: Fri, 23 Feb 2018 12:55:59 -0800
+Subject: powerpc/boot: Fix random libfdt related build errors
+
+From: Guenter Roeck
+
+[ Upstream commit 64c3f648c25d108f346fdc96c15180c6b7d250e9 ]
+
+Once in a while I see build errors similar to the following
+when building images from a clean tree.
+
+ Building powerpc:virtex-ml507:44x/virtex5_defconfig ... failed
+ ------------
+ Error log:
+ arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error:
+ libfdt.h: No such file or directory
+
+ Building powerpc:bamboo:smpdev:44x/bamboo_defconfig ... failed
+ ------------
+ Error log:
+ arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error:
+ libfdt.h: No such file or directory
+
+ arch/powerpc/boot/treeboot-currituck.c:35:20: fatal error:
+ libfdt.h: No such file or directory
+
+Rebuilds will succeed.
+
+Turns out that several source files in arch/powerpc/boot/ include
+libfdt.h, but Makefile dependencies are incomplete. Let's fix that.
+
+Signed-off-by: Guenter Roeck
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/boot/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -92,7 +92,8 @@ $(addprefix $(obj)/,$(zlib-y)): \
+ libfdt := fdt.c fdt_ro.c fdt_wip.c fdt_sw.c fdt_rw.c fdt_strerror.c
+ libfdtheader := fdt.h libfdt.h libfdt_internal.h
+
+-$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o): \
++$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o \
++ treeboot-akebono.o treeboot-currituck.o treeboot-iss4xx.o): \
+ $(addprefix $(obj)/,$(libfdtheader))
+
+ src-wlib-y := string.S crt0.S crtsavres.S stdio.c decompress.c main.c \
diff --git a/queue-4.9/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch b/queue-4.9/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch
new file mode 100644
index 00000000000..4f298183ebd
--- /dev/null
+++ b/queue-4.9/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Mark Lord
+Date: Tue, 20 Feb 2018 14:49:20 -0500
+Subject: powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access
+
+From: Mark Lord
+
+[ Upstream commit 083b20907185b076f21c265b30fe5b5f24c03d8c ]
+
+I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed
+that the JIT compiler was failing on the BPF even though the
+interpreter was working fine.
+
+The issue was that the compiler was missing one of the instructions
+used by SECCOMP, so here is a patch to enable JIT for that
+instruction.
+
+Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32")
+Signed-off-by: Mark Lord
+Acked-by: Naveen N. Rao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/net/bpf_jit_comp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf
+ BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
+ PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
+ break;
++ case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
++ PPC_LWZ_OFFS(r_A, r_skb, K);
++ break;
+ case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
+ PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
+ break;
diff --git a/queue-4.9/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch b/queue-4.9/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch
new file mode 100644
index 00000000000..dd9e197f17d
--- /dev/null
+++ b/queue-4.9/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch
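Review bot: The new `BPF_LDX | BPF_W | BPF_ABS` case emits a load at `r_skb + K` with no bounds or alignment check on `K` in the JIT itself, and the register named `r_skb` is being used as the `seccomp_data` pointer. That is only safe if `K` was validated against the size of `struct seccomp_data` before the program reached the JIT, presumably by the seccomp filter checker when the filter is attached, and if this opcode cannot arrive from a socket filter, where `r_skb` really is an skb. Neither condition is visible in the hunk, so the case should state the assumption: `/* seccomp only: r_skb holds struct seccomp_data *, K already validated by the seccomp checker */`. `bpf_jit_build_body()` continues on both sides of the hunk.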
@@ -0,0 +1,47 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Ellerman
+Date: Fri, 30 Mar 2018 23:27:25 +1100
+Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask()
+
+From: Michael Ellerman
+
+[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ]
+
+In mpic_physmask() we loop over all CPUs up to 32, then get the hard
+SMP processor id of that CPU.
+
+Currently that's possibly walking off the end of the paca array, but
+in a future patch we will change the paca array to be an array of
+pointers, and in that case we will get a NULL for missing CPUs and
+oops. eg:
+
+ Unable to handle kernel paging request for data at address 0x88888888888888b8
+ Faulting instruction address: 0xc00000000004e380
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ NIP .mpic_set_affinity+0x60/0x1a0
+ LR .irq_do_set_affinity+0x48/0x100
+
+Fix it by checking the CPU is possible, this also fixes the code if
+there are gaps in the CPU numbering which probably never happens on
+mpic systems but who knows.
+
+Debugged-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/sysdev/mpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic.c
++++ b/arch/powerpc/sysdev/mpic.c
+@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum
+ int i;
+ u32 mask = 0;
+
+- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
+ mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
+ return mask;
+ }
diff --git a/queue-4.9/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch b/queue-4.9/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch
new file mode 100644
index 00000000000..1ee3584d9b1
--- /dev/null
+++ b/queue-4.9/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch
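Review bot: Putting `cpu_possible(i)` in the loop condition of `mpic_physmask()` ends the loop at the first CPU that is not possible instead of skipping it, so every bit of `cpumask` above the first gap is silently dropped from the returned mask. That contradicts the description's claim that gaps in the CPU numbering are handled. Keeping the original condition and testing inside the body skips only the missing CPUs while still shifting `cpumask`: `if (cpu_possible(i)) mask |= (cpumask & 1) << get_hard_smp_processor_id(i);`.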
@@ -0,0 +1,136 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Michael Bringmann +Date: Tue, 28 Nov 2017 16:58:40 -0600 +Subject: powerpc/numa: Ensure nodes initialized for hotplug + +From: Michael Bringmann + +[ Upstream commit ea05ba7c559c8e5a5946c3a94a2a266e9a6680a6 ] + +This patch fixes some problems encountered at runtime with +configurations that support memory-less nodes, or that hot-add CPUs +into nodes that are memoryless during system execution after boot. The +problems of interest include: + +* Nodes known to powerpc to be memoryless at boot, but to have CPUs in + them are allowed to be 'possible' and 'online'. Memory allocations + for those nodes are taken from another node that does have memory + until and if memory is hot-added to the node. + +* Nodes which have no resources assigned at boot, but which may still + be referenced subsequently by affinity or associativity attributes, + are kept in the list of 'possible' nodes for powerpc. Hot-add of + memory or CPUs to the system can reference these nodes and bring + them online instead of redirecting the references to one of the set + of nodes known to have memory at boot. + +Note that this software operates under the context of CPU hotplug. We +are not doing memory hotplug in this code, but rather updating the +kernel's CPU topology (i.e. arch_update_cpu_topology / +numa_update_cpu_topology). We are initializing a node that may be used +by CPUs or memory before it can be referenced as invalid by a CPU +hotplug operation. CPU hotplug operations are protected by a range of +APIs including cpu_maps_update_begin/cpu_maps_update_done, +cpus_read/write_lock / cpus_read/write_unlock, device locks, and more. +Memory hotplug operations, including try_online_node, are protected by +mem_hotplug_begin/mem_hotplug_done, device locks, and more. In the +case of CPUs being hot-added to a previously memoryless node, the +try_online_node operation occurs wholly within the CPU locks with no +overlap. 
Using HMC hot-add/hot-remove operations, we have been able to +add and remove CPUs to any possible node without failures. HMC +operations involve a degree self-serialization, though. + +Signed-off-by: Michael Bringmann +Reviewed-by: Nathan Fontenot +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/numa.c | 47 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 10 deletions(-) + +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -551,7 +551,7 @@ static int numa_setup_cpu(unsigned long + nid = of_node_to_nid_single(cpu); + + out_present: +- if (nid < 0 || !node_online(nid)) ++ if (nid < 0 || !node_possible(nid)) + nid = first_online_node; + + map_cpu_to_node(lcpu, nid); +@@ -922,10 +922,8 @@ static void __init find_possible_nodes(v + goto out; + + for (i = 0; i < numnodes; i++) { +- if (!node_possible(i)) { +- setup_node_data(i, 0, 0); ++ if (!node_possible(i)) + node_set(i, node_possible_map); +- } + } + + out: +@@ -1305,6 +1303,40 @@ static long vphn_get_associativity(unsig + return rc; + } + ++static inline int find_and_online_cpu_nid(int cpu) ++{ ++ __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; ++ int new_nid; ++ ++ /* Use associativity from first thread for all siblings */ ++ vphn_get_associativity(cpu, associativity); ++ new_nid = associativity_to_nid(associativity); ++ if (new_nid < 0 || !node_possible(new_nid)) ++ new_nid = first_online_node; ++ ++ if (NODE_DATA(new_nid) == NULL) { ++#ifdef CONFIG_MEMORY_HOTPLUG ++ /* ++ * Need to ensure that NODE_DATA is initialized for a node from ++ * available memory (see memblock_alloc_try_nid). If unable to ++ * init the node, then default to nearest node that has memory ++ * installed. ++ */ ++ if (try_online_node(new_nid)) ++ new_nid = first_online_node; ++#else ++ /* ++ * Default to using the nearest node that has memory installed. 
++ * Otherwise, it would be necessary to patch the kernel MM code ++ * to deal with more memoryless-node error conditions. ++ */ ++ new_nid = first_online_node; ++#endif ++ } ++ ++ return new_nid; ++} ++ + /* + * Update the CPU maps and sysfs entries for a single CPU when its NUMA + * characteristics change. This function doesn't perform any locking and is +@@ -1370,7 +1402,6 @@ int arch_update_cpu_topology(void) + { + unsigned int cpu, sibling, changed = 0; + struct topology_update_data *updates, *ud; +- __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; + cpumask_t updated_cpus; + struct device *dev; + int weight, new_nid, i = 0; +@@ -1405,11 +1436,7 @@ int arch_update_cpu_topology(void) + continue; + } + +- /* Use associativity from first thread for all siblings */ +- vphn_get_associativity(cpu, associativity); +- new_nid = associativity_to_nid(associativity); +- if (new_nid < 0 || !node_online(new_nid)) +- new_nid = first_online_node; ++ new_nid = find_and_online_cpu_nid(cpu); + + if (new_nid == numa_cpu_lookup_table[cpu]) { + cpumask_andnot(&cpu_associativity_changes_mask, diff --git a/queue-4.9/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch b/queue-4.9/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch new file mode 100644 index 00000000000..7bbc4e82924 --- /dev/null +++ b/queue-4.9/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch 
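Review bot: find_and_online_cpu_nid() ignores the return value of vphn_get_associativity(), which the context line above shows returning `rc`, so a failed call leaves `associativity` all zero and the node id is derived from that. The old inline code had the same gap, but the helper now goes on to call try_online_node() on the result, so I would bail out early with `if (vphn_get_associativity(cpu, associativity)) return first_online_node;`. The helper also deserves a header comment saying that it may bring a node online and that the caller is expected to hold the CPU hotplug locks, which the commit message describes but the code does not.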
@@ -0,0 +1,131 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Michael Bringmann +Date: Tue, 28 Nov 2017 16:58:36 -0600 +Subject: powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes + +From: Michael Bringmann + +[ Upstream commit a346137e9142b039fd13af2e59696e3d40c487ef ] + +On powerpc systems which allow 'hot-add' of CPU or memory resources, +it may occur that the new resources are to be inserted into nodes that +were not used for these resources at bootup. In the kernel, any node +that is used must be defined and initialized. These empty nodes may +occur when, + +* Dedicated vs. shared resources. Shared resources require information + such as the VPHN hcall for CPU assignment to nodes. Associativity + decisions made based on dedicated resource rules, such as + associativity properties in the device tree, may vary from decisions + made using the values returned by the VPHN hcall. + +* memoryless nodes at boot. Nodes need to be defined as 'possible' at + boot for operation with other code modules. Previously, the powerpc + code would limit the set of possible nodes to those which have + memory assigned at boot, and were thus online. Subsequent add/remove + of CPUs or memory would only work with this subset of possible + nodes. + +* memoryless nodes with CPUs at boot. Due to the previous restriction + on nodes, nodes that had CPUs but no memory were being collapsed + into other nodes that did have memory at boot. In practice this + meant that the node assignment presented by the runtime kernel + differed from the affinity and associativity attributes presented by + the device tree or VPHN hcalls. Nodes that might be known to the + pHyp were not 'possible' in the runtime kernel because they did not + have memory at boot. + +This patch ensures that sufficient nodes are defined to support +configuration requirements after boot, as well as at boot. This patch +set fixes a couple of problems. 
+ +* Nodes known to powerpc to be memoryless at boot, but to have CPUs in + them are allowed to be 'possible' and 'online'. Memory allocations + for those nodes are taken from another node that does have memory + until and if memory is hot-added to the node. * Nodes which have no + resources assigned at boot, but which may still be referenced + subsequently by affinity or associativity attributes, are kept in + the list of 'possible' nodes for powerpc. Hot-add of memory or CPUs + to the system can reference these nodes and bring them online + instead of redirecting to one of the set of nodes that were known to + have memory at boot. + +This patch extracts the value of the lowest domain level (number of +allocable resources) from the device tree property +"ibm,max-associativity-domains" to use as the maximum number of nodes +to setup as possibly available in the system. This new setting will +override the instruction: + + nodes_and(node_possible_map, node_possible_map, node_online_map); + +presently seen in the function arch/powerpc/mm/numa.c:initmem_init(). + +If the "ibm,max-associativity-domains" property is not present at +boot, no operation will be performed to define or enable additional +nodes, or enable the above 'nodes_and()'. 
+ +Signed-off-by: Michael Bringmann +Reviewed-by: Nathan Fontenot +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/numa.c | 37 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 34 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -904,6 +904,34 @@ static void __init setup_node_data(int n + NODE_DATA(nid)->node_spanned_pages = spanned_pages; + } + ++static void __init find_possible_nodes(void) ++{ ++ struct device_node *rtas; ++ u32 numnodes, i; ++ ++ if (min_common_depth <= 0) ++ return; ++ ++ rtas = of_find_node_by_path("/rtas"); ++ if (!rtas) ++ return; ++ ++ if (of_property_read_u32_index(rtas, ++ "ibm,max-associativity-domains", ++ min_common_depth, &numnodes)) ++ goto out; ++ ++ for (i = 0; i < numnodes; i++) { ++ if (!node_possible(i)) { ++ setup_node_data(i, 0, 0); ++ node_set(i, node_possible_map); ++ } ++ } ++ ++out: ++ of_node_put(rtas); ++} ++ + void __init initmem_init(void) + { + int nid, cpu; +@@ -917,12 +945,15 @@ void __init initmem_init(void) + memblock_dump_all(); + + /* +- * Reduce the possible NUMA nodes to the online NUMA nodes, +- * since we do not support node hotplug. This ensures that we +- * lower the maximum NUMA node ID to what is actually present. ++ * Modify the set of possible NUMA nodes to reflect information ++ * available about the set of online nodes, and the set of nodes ++ * that we expect to make use of for this platform's affinity ++ * calculations. + */ + nodes_and(node_possible_map, node_possible_map, node_online_map); + ++ find_possible_nodes(); ++ + for_each_online_node(nid) { + unsigned long start_pfn, end_pfn; + diff --git a/queue-4.9/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch b/queue-4.9/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch new file mode 100644 index 00000000000..6d207247388 --- /dev/null 
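Review bot: `numnodes` in find_possible_nodes() comes straight from the `ibm,max-associativity-domains` device-tree property and is used as the loop bound for `node_set(i, node_possible_map)` without being limited to the size of the node mask. A firmware value above MAX_NUMNODES would set bits past the end of the mask and call setup_node_data() for node ids the kernel cannot represent. Clamping first, `numnodes = min_t(u32, numnodes, MAX_NUMNODES);`, keeps the loop inside the map.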
+++ b/queue-4.9/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch 
@@ -0,0 +1,72 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Michael Ellerman +Date: Wed, 21 Mar 2018 17:10:24 +0530 +Subject: powerpc/perf: Fix kernel address leak via sampling registers + +From: Michael Ellerman + +[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ] + +Current code in power_pmu_disable() does not clear the sampling +registers like Sampling Instruction Address Register (SIAR) and +Sampling Data Address Register (SDAR) after disabling the PMU. Since +these are userspace readable and could contain kernel addresses, add +code to explicitly clear the content of these registers. + +Also add a "context synchronizing instruction" to enforce no further +updates to these registers as suggested by Power ISA v3.0B. From +section 9.4, on page 1108: + + "If an mtspr instruction is executed that changes the value of a + Performance Monitor register other than SIAR, SDAR, and SIER, the + change is not guaranteed to have taken effect until after a + subsequent context synchronizing instruction has been executed (see + Chapter 11. "Synchronization Requirements for Context Alterations" + on page 1133)." 
+ +Signed-off-by: Madhavan Srinivasan +[mpe: Massage change log and add ISA reference] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1198,6 +1198,7 @@ static void power_pmu_disable(struct pmu + */ + write_mmcr0(cpuhw, val); + mb(); ++ isync(); + + /* + * Disable instruction sampling if it was enabled +@@ -1206,12 +1207,26 @@ static void power_pmu_disable(struct pmu + mtspr(SPRN_MMCRA, + cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE); + mb(); ++ isync(); + } + + cpuhw->disabled = 1; + cpuhw->n_added = 0; + + ebb_switch_out(mmcr0); ++ ++#ifdef CONFIG_PPC64 ++ /* ++ * These are readable by userspace, may contain kernel ++ * addresses and are not switched by context switch, so clear ++ * them now to avoid leaking anything to userspace in general ++ * including to another process. ++ */ ++ if (ppmu->flags & PPMU_ARCH_207S) { ++ mtspr(SPRN_SDAR, 0); ++ mtspr(SPRN_SIAR, 0); ++ } ++#endif + } + + local_irq_restore(flags); diff --git a/queue-4.9/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch b/queue-4.9/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch new file mode 100644 index 00000000000..6b0fc1576f8 --- /dev/null +++ b/queue-4.9/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch 
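Review bot: The added clear of SDAR and SIAR in power_pmu_disable() runs only when `ppmu->flags & PPMU_ARCH_207S` is set, and the comment does not say why. If earlier PMUs expose these registers to userspace in the same way, they keep whatever kernel address was sampled last; if they do not, the comment should say so, e.g. `/* only PMUs flagged PPMU_ARCH_207S make SIAR/SDAR readable from userspace */` (to be confirmed against the ISA). The two `mtspr` writes are not followed by a synchronizing instruction; the ISA text quoted in the commit message exempts SIAR and SDAR, which is worth one line in the comment as well. The function starts and ends outside the hunk.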
@@ -0,0 +1,42 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Madhavan Srinivasan +Date: Wed, 21 Mar 2018 17:10:25 +0530 +Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer + +From: Madhavan Srinivasan + +[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] + +The current Branch History Rolling Buffer (BHRB) code does not check +for any privilege levels before updating the data from BHRB. This +could leak kernel addresses to userspace even when profiling only with +userspace privileges. Add proper checks to prevent it. + +Acked-by: Balbir Singh +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -448,6 +448,16 @@ static void power_pmu_bhrb_read(struct c + /* invalid entry */ + continue; + ++ /* ++ * BHRB rolling buffer could very much contain the kernel ++ * addresses at this point. Check the privileges before ++ * exporting it to userspace (avoid exposure of regions ++ * where we could have speculative execution) ++ */ ++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && ++ is_kernel_addr(addr)) ++ continue; ++ + /* Branches are read most recent first (ie. mfbhrb 0 is + * the most recent branch). + * There are two types of valid entries: diff --git a/queue-4.9/proc-fix-proc-map_files-lookup.patch b/queue-4.9/proc-fix-proc-map_files-lookup.patch new file mode 100644 index 00000000000..66eb7adcecf --- /dev/null +++ b/queue-4.9/proc-fix-proc-map_files-lookup.patch 
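Review bot: The new filter in power_pmu_bhrb_read() decides with `capable(CAP_SYS_ADMIN)`, which tests the task that is current when the buffer is read, not the owner or the attributes of the event being sampled. If this function runs from the PMU interrupt (the caller is outside the hunk), kernel branch addresses are exported or dropped depending on which task the interrupt lands in. The decision is also loop-invariant, so it could be computed once before the loop, `bool hide_kaddr = perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN);`, with the per-entry test reduced to `if (hide_kaddr && is_kernel_addr(addr)) continue;`.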
@@ -0,0 +1,105 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Alexey Dobriyan +Date: Tue, 6 Feb 2018 15:36:59 -0800 +Subject: proc: fix /proc/*/map_files lookup + +From: Alexey Dobriyan + +[ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] + +Current code does: + + if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) + +However sscanf() is broken garbage. + +It silently accepts whitespace between format specifiers +(did you know that?). + +It silently accepts valid strings which result in integer overflow. + +Do not use sscanf() for any even remotely reliable parsing code. + + OK + # readlink '/proc/1/map_files/55a23af39000-55a23b05b000' + /lib/systemd/systemd + + broken + # readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000' + /lib/systemd/systemd + + broken + # readlink '/proc/1/map_files/55a23af39000-55a23b05b000 ' + /lib/systemd/systemd + + very broken + # readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000' + /lib/systemd/systemd + +Andrei said: + +: This patch breaks criu. It was a bug in criu. And this bug is on a minor +: path, which works when memfd_create() isn't available. It is a reason why +: I ask to not backport this patch to stable kernels. +: +: In CRIU this bug can be triggered, only if this patch will be backported +: to a kernel which version is lower than v3.16. + +Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2 +Signed-off-by: Alexey Dobriyan +Cc: Pavel Emelyanov +Cc: Andrei Vagin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/base.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -94,6 +94,8 @@ + #include "internal.h" + #include "fd.h" + ++#include "../../lib/kstrtox.h" ++ + /* NOTE: + * Implementing inode permission operations in /proc is almost + * certainly an error. 
Permission checks need to happen during +@@ -1864,8 +1866,33 @@ end_instantiate: + static int dname_to_vma_addr(struct dentry *dentry, + unsigned long *start, unsigned long *end) + { +- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) ++ const char *str = dentry->d_name.name; ++ unsigned long long sval, eval; ++ unsigned int len; ++ ++ len = _parse_integer(str, 16, &sval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (sval != (unsigned long)sval) + return -EINVAL; ++ str += len; ++ ++ if (*str != '-') ++ return -EINVAL; ++ str++; ++ ++ len = _parse_integer(str, 16, &eval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (eval != (unsigned long)eval) ++ return -EINVAL; ++ str += len; ++ ++ if (*str != '\0') ++ return -EINVAL; ++ ++ *start = sval; ++ *end = eval; + + return 0; + } diff --git a/queue-4.9/ptr_ring-prevent-integer-overflow-when-calculating-size.patch b/queue-4.9/ptr_ring-prevent-integer-overflow-when-calculating-size.patch new file mode 100644 index 00000000000..37fffb5a4a8 --- /dev/null +++ b/queue-4.9/ptr_ring-prevent-integer-overflow-when-calculating-size.patch 
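Review bot: dname_to_vma_addr() never checks that `_parse_integer()` consumed at least one digit or that the number is in canonical form, so, as far as I can tell from that helper's contract, names such as `-55a23b05b000`, `55a23af39000-` or one with leading zeros are still accepted. That leaves several names resolving to the same lookup, which is the kind of aliasing the commit sets out to remove. After each overflow test, and before `str += len`, I would add `if (len == 0 || (str[0] == '0' && len > 1)) return -EINVAL;`. Uppercase hex digits are presumably accepted too; worth confirming against what the directory listing emits.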
@@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jason Wang +Date: Sun, 11 Feb 2018 11:28:12 +0800 +Subject: ptr_ring: prevent integer overflow when calculating size + +From: Jason Wang + +[ Upstream commit 54e02162d4454a99227f520948bf4494c3d972d0 ] + +Switch to use dividing to prevent integer overflow when size is too +big to calculate allocation size properly. + +Reported-by: Eric Biggers +Fixes: 6e6e41c31122 ("ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE") +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ptr_ring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/ptr_ring.h ++++ b/include/linux/ptr_ring.h +@@ -351,7 +351,7 @@ static inline void *ptr_ring_consume_bh( + + static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp) + { +- if (size * sizeof(void *) > KMALLOC_MAX_SIZE) ++ if (size > KMALLOC_MAX_SIZE / sizeof(void *)) + return NULL; + return kcalloc(size, sizeof(void *), gfp); + } diff --git a/queue-4.9/qrtr-add-module_alias-macro-to-smd.patch b/queue-4.9/qrtr-add-module_alias-macro-to-smd.patch new file mode 100644 index 00000000000..8b6b3970094 --- /dev/null +++ b/queue-4.9/qrtr-add-module_alias-macro-to-smd.patch 
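Review bot: The division form of the size check in __ptr_ring_init_queue_alloc() carries no comment saying why it is not written as a multiplication, which invites a later cleanup back to the overflowing form. A one-line comment would do: `/* divide instead of multiplying: size * sizeof(void *) can wrap where size_t is 32 bits */`. A `size` of zero still passes the check and reaches kcalloc(); whether callers can pass zero is not visible in this hunk.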
@@ -0,0 +1,29 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Ramon Fried +Date: Sun, 25 Feb 2018 09:49:37 +0200 +Subject: qrtr: add MODULE_ALIAS macro to smd + +From: Ramon Fried + +[ Upstream commit c77f5fbbefc04612755117775e8555c2a7006cac ] + +Added MODULE_ALIAS("rpmsg:IPCRTR") to ensure qrtr-smd and qrtr will load +when IPCRTR channel is detected. + +Signed-off-by: Ramon Fried +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/smd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/qrtr/smd.c ++++ b/net/qrtr/smd.c +@@ -116,5 +116,6 @@ static struct qcom_smd_driver qcom_smd_q + + module_qcom_smd_driver(qcom_smd_qrtr_driver); + ++MODULE_ALIAS("rpmsg:IPCRTR"); + MODULE_DESCRIPTION("Qualcomm IPC-Router SMD interface driver"); + MODULE_LICENSE("GPL v2"); diff --git a/queue-4.9/r8152-fix-tx-packets-accounting.patch b/queue-4.9/r8152-fix-tx-packets-accounting.patch new file mode 100644 index 00000000000..a6ecf41135f --- /dev/null +++ b/queue-4.9/r8152-fix-tx-packets-accounting.patch 
@@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Eric Dumazet +Date: Sun, 25 Feb 2018 19:12:10 -0800 +Subject: r8152: fix tx packets accounting + +From: Eric Dumazet + +[ Upstream commit 4c27bf3c5b7434ccb9ab962301da661c26b467a4 ] + +r8152 driver handles TSO packets (limited to ~16KB) quite well, +but pretends each TSO logical packet is a single packet on the wire. + +There is also some error since headers are accounted once, but +error rate is small enough that we do not care. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1693,7 +1693,7 @@ static int r8152_tx_agg_fill(struct r815 + + tx_data += len; + agg->skb_len += len; +- agg->skb_num++; ++ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1; + + dev_kfree_skb_any(skb); + diff --git a/queue-4.9/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch b/queue-4.9/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch new file mode 100644 index 00000000000..154eb181877 --- /dev/null +++ b/queue-4.9/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tejun Heo +Date: Tue, 9 Jan 2018 10:38:17 -0800 +Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings + +From: Tejun Heo + +[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ] + +When RCU stall warning triggers, it can print out a lot of messages +while holding spinlocks. If the console device is slow (e.g. an +actual or IPMI serial console), it may end up triggering NMI hard +lockup watchdog like the following. + +--- + kernel/rcu/tree_plugin.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -521,8 +521,14 @@ static void rcu_print_detail_task_stall_ + } + t = list_entry(rnp->gp_tasks->prev, + struct task_struct, rcu_node_entry); +- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) ++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { ++ /* ++ * We could be printing a lot while holding a spinlock. ++ * Avoid triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); + sched_show_task(t); ++ } + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +@@ -1629,6 +1635,12 @@ static void print_cpu_stall_info(struct + char *ticks_title; + unsigned long ticks_value; + ++ /* ++ * We could be printing a lot while holding a spinlock. Avoid ++ * triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); ++ + if (rsp->gpnum == rdp->gpnum) { + ticks_title = "ticks this GP"; + ticks_value = rdp->ticks_this_gp; diff --git a/queue-4.9/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch b/queue-4.9/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch new file mode 100644 index 00000000000..a28ee2b3b39 --- /dev/null +++ b/queue-4.9/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Leon Romanovsky +Date: Sun, 28 Jan 2018 11:25:30 +0200 +Subject: RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure + +From: Leon Romanovsky + +[ Upstream commit b081808a66345ba725b77ecd8d759bee874cd937 ] + +Failure in XRCD FW deallocation command leaves memory leaked and +returns error to the user which he can't do anything about it. + +This patch changes behavior to always free memory and always return +success to the user. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Reviewed-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Reviewed-by: Yuval Shaia +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/qp.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4610,13 +4610,10 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd + int err; + + err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn); +- if (err) { ++ if (err) + mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn); +- return err; +- } + + kfree(xrcd); +- + return 0; + } + diff --git a/queue-4.9/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch b/queue-4.9/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch new file mode 100644 index 00000000000..7acdc8189e8 --- /dev/null +++ b/queue-4.9/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch 
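Review bot: mlx5_ib_dealloc_xrcd() now returns 0 and frees `xrcd` even when the firmware command failed, yet the warning that remains prints only the XRCD number and drops `err`. Since the log line is the only trace of the failure left, it should carry the code: `mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x, err %d\n", xrcdn, err);`. A short comment that the firmware object may stay allocated in this case would also help whoever later investigates exhausted XRCD resources.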
@@ -0,0 +1,48 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Kalderon, Michal" +Date: Mon, 5 Mar 2018 10:50:11 +0200 +Subject: RDMA/qedr: Fix iWARP write and send with immediate + +From: "Kalderon, Michal" + +[ Upstream commit 551e1c67b4207455375a2e7a285dea1c7e8fc361 ] + +iWARP does not support RDMA WRITE or SEND with immediate data. +Driver should check this before submitting to FW and return an +immediate error + +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2807,6 +2807,11 @@ int __qedr_post_send(struct ib_qp *ibqp, + + switch (wr->opcode) { + case IB_WR_SEND_WITH_IMM: ++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) { ++ rc = -EINVAL; ++ *bad_wr = wr; ++ break; ++ } + wqe->req_type = RDMA_SQ_REQ_TYPE_SEND_WITH_IMM; + swqe = (struct rdma_sq_send_wqe_1st *)wqe; + swqe->wqe_size = 2; +@@ -2848,6 +2853,11 @@ int __qedr_post_send(struct ib_qp *ibqp, + break; + + case IB_WR_RDMA_WRITE_WITH_IMM: ++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) { ++ rc = -EINVAL; ++ *bad_wr = wr; ++ break; ++ } + wqe->req_type = RDMA_SQ_REQ_TYPE_RDMA_WR_WITH_IMM; + rwqe = (struct rdma_sq_rdma_wqe_1st *)wqe; + diff --git a/queue-4.9/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch b/queue-4.9/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch new file mode 100644 index 00000000000..345330fba81 --- /dev/null +++ b/queue-4.9/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch 
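Review bot: The iWARP rejection is pasted twice, in the `IB_WR_SEND_WITH_IMM` and `IB_WR_RDMA_WRITE_WITH_IMM` cases of __qedr_post_send(), each with a literal port number `1` passed to rdma_protocol_iwarp(). A small helper or a single test before the `switch` would keep the two cases from drifting apart, and a comment should say why port 1 is the right port to query. Both cases leave the switch with `break` after setting `rc` and `*bad_wr`; the code after the switch is outside the hunk, so it is worth confirming there that the WQE already taken for this request is given back.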
@@ -0,0 +1,43 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Kalderon, Michal" +Date: Mon, 5 Mar 2018 10:50:10 +0200 +Subject: RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA + +From: "Kalderon, Michal" + +[ Upstream commit e3fd112cbf21d049faf64ba1471d72b93c22109a ] + +Race in qedr_poll_cq, lastest_cqe wasn't protected by lock, +leading to a case where two context's accessing poll_cq at +the same time lead to one of them having a pointer to an old +latest_cqe and reading an invalid cqe element + +Signed-off-by: Amit Radzi +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -3467,7 +3467,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int + { + struct qedr_dev *dev = get_qedr_dev(ibcq->device); + struct qedr_cq *cq = get_qedr_cq(ibcq); +- union rdma_cqe *cqe = cq->latest_cqe; ++ union rdma_cqe *cqe; + u32 old_cons, new_cons; + unsigned long flags; + int update = 0; +@@ -3477,6 +3477,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int + return qedr_gsi_poll_cq(ibcq, num_entries, wc); + + spin_lock_irqsave(&cq->cq_lock, flags); ++ cqe = cq->latest_cqe; + old_cons = qed_chain_get_cons_idx_u32(&cq->pbl); + while (num_entries && is_valid_cqe(cq, cqe)) { + struct qedr_qp *qp; diff --git a/queue-4.9/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch b/queue-4.9/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch new file mode 100644 index 00000000000..9ef5be1a455 --- /dev/null +++ b/queue-4.9/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch 
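Review bot: qedr_poll_cq() now reads `cq->latest_cqe` only after taking `cq_lock`, but nothing in the code records that this ordering is required. A comment on the assignment, `/* latest_cqe is advanced by concurrent pollers; read it only under cq_lock */`, would keep a later cleanup from folding it back into the declaration. The rest of the function is outside the hunk.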
@@ -0,0 +1,62 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Kalderon, Michal" +Date: Wed, 21 Mar 2018 14:51:50 +0200 +Subject: RDMA/qedr: fix QP's ack timeout configuration + +From: "Kalderon, Michal" + +[ Upstream commit c3594f22302cca5e924e47ec1cc8edd265708f41 ] + +QPs that were configured with ack timeout value lower than 1 +msec will not implement re-transmission timeout. +This means that if a packet / ACK were dropped, the QP +will not retransmit this packet. + +This can lead to an application hang. + +Fixes: cecbcddf6 ("qedr: Add support for QP verbs") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1888,18 +1888,23 @@ int qedr_modify_qp(struct ib_qp *ibqp, s + SET_FIELD(qp_params.modify_flags, + QED_ROCE_MODIFY_QP_VALID_ACK_TIMEOUT, 1); + +- qp_params.ack_timeout = attr->timeout; +- if (attr->timeout) { +- u32 temp; +- +- temp = 4096 * (1UL << attr->timeout) / 1000 / 1000; +- /* FW requires [msec] */ +- qp_params.ack_timeout = temp; +- } else { +- /* Infinite */ ++ /* The received timeout value is an exponent used like this: ++ * "12.7.34 LOCAL ACK TIMEOUT ++ * Value representing the transport (ACK) timeout for use by ++ * the remote, expressed as: 4.096 * 2^timeout [usec]" ++ * The FW expects timeout in msec so we need to divide the usec ++ * result by 1000. We'll approximate 1000~2^10, and 4.096 ~ 2^2, ++ * so we get: 2^2 * 2^timeout / 2^10 = 2^(timeout - 8). ++ * The value of zero means infinite so we use a 'max_t' to make ++ * sure that sub 1 msec values will be configured as 1 msec. 
++ */ ++ if (attr->timeout) ++ qp_params.ack_timeout = ++ 1 << max_t(int, attr->timeout - 8, 0); ++ else + qp_params.ack_timeout = 0; +- } + } ++ + if (attr_mask & IB_QP_RETRY_CNT) { + SET_FIELD(qp_params.modify_flags, + QED_ROCE_MODIFY_QP_VALID_RETRY_CNT, 1); diff --git a/queue-4.9/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch b/queue-4.9/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch new file mode 100644 index 00000000000..a7f7d512341 --- /dev/null +++ b/queue-4.9/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Kalderon, Michal" +Date: Wed, 21 Mar 2018 14:51:51 +0200 +Subject: RDMA/qedr: Fix rc initialization on CNQ allocation failure + +From: "Kalderon, Michal" + +[ Upstream commit b15606f47b89b0b09936d7f45b59ba6275527041 ] + +Return code wasn't set properly when CNQ allocation failed. +This only affect error message logging, currently user will +receive an error message that says the qedr driver load failed +with rc '0', instead of ENOMEM + +Fixes: ec72fce4 ("qedr: Add support for RoCE HW init") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -762,7 +762,8 @@ static struct qedr_dev *qedr_add(struct + + dev->num_cnq = dev->ops->rdma_get_min_cnq_msix(cdev); + if (!dev->num_cnq) { +- DP_ERR(dev, "not enough CNQ resources.\n"); ++ DP_ERR(dev, "Failed. At least one CNQ is required.\n"); ++ rc = -ENOMEM; + goto init_err; + } + diff --git a/queue-4.9/rdma-ucma-correct-option-size-check-using-optlen.patch b/queue-4.9/rdma-ucma-correct-option-size-check-using-optlen.patch new file mode 100644 index 00000000000..4c41879bfd4 --- /dev/null 
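Review bot: In qedr_modify_qp() the new expression `1 << max_t(int, attr->timeout - 8, 0)` has a lower bound but no upper bound on the shift count. `attr->timeout` comes from the caller of modify_qp; unless it is already limited to the range of the IB attribute elsewhere (not visible here), a value of 39 or more shifts a signed int by 31 or more bits, which is undefined. Bounding it, for example `1U << min_t(int, max_t(int, attr->timeout - 8, 0), 31)`, or rejecting out-of-range timeouts with -EINVAL, closes that. The function starts and ends outside the hunk.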
+++ b/queue-4.9/rdma-ucma-correct-option-size-check-using-optlen.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Chien Tin Tung +Date: Wed, 21 Mar 2018 13:09:25 -0500 +Subject: RDMA/ucma: Correct option size check using optlen + +From: Chien Tin Tung + +[ Upstream commit 5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2 ] + +The option size check is using optval instead of optlen +causing the set option call to fail. Use the correct +field, optlen, for size check. + +Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") +Signed-off-by: Chien Tin Tung +Signed-off-by: Shiraz Saleem +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1296,7 +1296,7 @@ static ssize_t ucma_set_option(struct uc + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + + optval = memdup_user((void __user *) (unsigned long) cmd.optval, diff --git a/queue-4.9/rds-ib-fix-null-pointer-issue.patch b/queue-4.9/rds-ib-fix-null-pointer-issue.patch new file mode 100644 index 00000000000..e7e1d0c2e21 --- /dev/null +++ b/queue-4.9/rds-ib-fix-null-pointer-issue.patch 
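Review bot: The size check in ucma_set_option() returns -EINVAL directly, after `ctx` has already been obtained from the lookup just above it. If that lookup takes a reference on the context, which the cleanup code outside the hunk would show, this early return never drops it and every rejected call leaves the context pinned. Either test `cmd.optlen` before the context lookup or route the failure through the function's existing release path instead of a bare `return`.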
@@ -0,0 +1,84 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guanglei Li
+Date: Tue, 6 Feb 2018 10:43:21 +0800
+Subject: RDS: IB: Fix null pointer issue
+
+From: Guanglei Li
+
+[ Upstream commit 2c0aa08631b86a4678dbc93b9caa5248014b4458 ]
+
+Scenario:
+1. Port down and do fail over
+2. Ap do rds_bind syscall
+
+PID: 47039 TASK: ffff89887e2fe640 CPU: 47 COMMAND: "kworker/u:6"
+ #0 [ffff898e35f159f0] machine_kexec at ffffffff8103abf9
+ #1 [ffff898e35f15a60] crash_kexec at ffffffff810b96e3
+ #2 [ffff898e35f15b30] oops_end at ffffffff8150f518
+ #3 [ffff898e35f15b60] no_context at ffffffff8104854c
+ #4 [ffff898e35f15ba0] __bad_area_nosemaphore at ffffffff81048675
+ #5 [ffff898e35f15bf0] bad_area_nosemaphore at ffffffff810487d3
+ #6 [ffff898e35f15c00] do_page_fault at ffffffff815120b8
+ #7 [ffff898e35f15d10] page_fault at ffffffff8150ea95
+ [exception RIP: unknown or invalid address]
+ RIP: 0000000000000000 RSP: ffff898e35f15dc8 RFLAGS: 00010282
+ RAX: 00000000fffffffe RBX: ffff889b77f6fc00 RCX:ffffffff81c99d88
+ RDX: 0000000000000000 RSI: ffff896019ee08e8 RDI:ffff889b77f6fc00
+ RBP: ffff898e35f15df0 R8: ffff896019ee08c8 R9:0000000000000000
+ R10: 0000000000000400 R11: 0000000000000000 R12:ffff896019ee08c0
+ R13: ffff889b77f6fe68 R14: ffffffff81c99d80 R15: ffffffffa022a1e0
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #8 [ffff898e35f15dc8] cma_ndev_work_handler at ffffffffa022a228 [rdma_cm]
+ #9 [ffff898e35f15df8] process_one_work at ffffffff8108a7c6
+ #10 [ffff898e35f15e58] worker_thread at ffffffff8108bda0
+ #11 [ffff898e35f15ee8] kthread at ffffffff81090fe6
+
+PID: 45659 TASK: ffff880d313d2500 CPU: 31 COMMAND: "oracle_45659_ap"
+ #0 [ffff881024ccfc98] __schedule at ffffffff8150bac4
+ #1 [ffff881024ccfd40] schedule at ffffffff8150c2cf
+ #2 [ffff881024ccfd50] __mutex_lock_slowpath at ffffffff8150cee7
+ #3 [ffff881024ccfdc0] mutex_lock at ffffffff8150cdeb
+ #4 [ffff881024ccfde0] rdma_destroy_id at ffffffffa022a027 [rdma_cm]
+ #5 [ffff881024ccfe10]
rds_ib_laddr_check at ffffffffa0357857 [rds_rdma]
+ #6 [ffff881024ccfe50] rds_trans_get_preferred at ffffffffa0324c2a [rds]
+ #7 [ffff881024ccfe80] rds_bind at ffffffffa031d690 [rds]
+ #8 [ffff881024ccfeb0] sys_bind at ffffffff8142a670
+
+PID: 45659 PID: 47039
+rds_ib_laddr_check
+ /* create id_priv with a null event_handler */
+ rdma_create_id
+ rdma_bind_addr
+ cma_acquire_dev
+ /* add id_priv to cma_dev->id_list */
+ cma_attach_to_dev
+ cma_ndev_work_handler
+ /* event_hanlder is null */
+ id_priv->id.event_handler
+
+Signed-off-by: Guanglei Li
+Signed-off-by: Honglei Wang
+Reviewed-by: Junxiao Bi
+Reviewed-by: Yanjun Zhu
+Reviewed-by: Leon Romanovsky
+Acked-by: Santosh Shilimkar
+Acked-by: Doug Ledford
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/ib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/ib.c
++++ b/net/rds/ib.c
+@@ -336,7 +336,8 @@ static int rds_ib_laddr_check(struct net
+ /* Create a CMA ID and try to bind it. This catches both
+ * IB and iWARP capable NICs.
+ */
+- cm_id = rdma_create_id(&init_net, NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
++ cm_id = rdma_create_id(&init_net, rds_rdma_cm_event_handler,
++ NULL, RDMA_PS_TCP, IB_QPT_RC);
+ if (IS_ERR(cm_id))
+ return PTR_ERR(cm_id);
+
diff --git a/queue-4.9/regmap-correct-comparison-in-regmap_cached.patch b/queue-4.9/regmap-correct-comparison-in-regmap_cached.patch
new file mode 100644
index 00000000000..90a8ab0f66f
--- /dev/null
+++ b/queue-4.9/regmap-correct-comparison-in-regmap_cached.patch
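Review bot: The cm_id created in rds_ib_laddr_check() (net/rds/ib.c) now gets `rds_rdma_cm_event_handler`, but the argument after the handler is still NULL, so the handler can be called for an id that has no context attached. The handler's body is outside this hunk; confirm that it checks the id's context before dereferencing it, otherwise the oops from the commit message would move from a NULL function pointer to a NULL data pointer on the same bind() path. A comment at the call would record the requirement: `/* probe-only id: the handler must tolerate a NULL context */`.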
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Charles Keepax
+Date: Mon, 12 Feb 2018 18:15:44 +0000
+Subject: regmap: Correct comparison in regmap_cached
+
+From: Charles Keepax
+
+[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ]
+
+The cache pointer points to the actual memory used by the cache, as the
+comparison here is looking for the type of the cache it should check
+against cache_type.
+
+Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached")
+Signed-off-by: Charles Keepax
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -98,7 +98,7 @@ bool regmap_cached(struct regmap *map, u
+ int ret;
+ unsigned int val;
+
+- if (map->cache == REGCACHE_NONE)
++ if (map->cache_type == REGCACHE_NONE)
+ return false;
+
+ if (!map->cache_ops)
diff --git a/queue-4.9/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch b/queue-4.9/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch
new file mode 100644
index 00000000000..3b32c6759a4
--- /dev/null
+++ b/queue-4.9/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch
@@ -0,0 +1,86 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Christophe Jaillet
+Date: Tue, 13 Mar 2018 21:33:11 +0100
+Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()'
+
+From: Christophe Jaillet
+
+[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ]
+
+Re-order error handling code and gotos to avoid leaks in error handling
+paths.
+
+Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/regulator/gpio-regulator.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -268,8 +268,7 @@ static int gpio_regulator_probe(struct p
+ drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL);
+ if (drvdata->desc.name == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate supply name\n");
+- ret = -ENOMEM;
+- goto err;
++ return -ENOMEM;
+ }
+
+ if (config->nr_gpios != 0) {
+@@ -289,7 +288,7 @@ static int gpio_regulator_probe(struct p
+ dev_err(&pdev->dev,
+ "Could not obtain regulator setting GPIOs: %d\n",
+ ret);
+- goto err_memstate;
++ goto err_memgpio;
+ }
+ }
+
+@@ -300,7 +299,7 @@ static int gpio_regulator_probe(struct p
+ if (drvdata->states == NULL) {
+ dev_err(&pdev->dev, "Failed to allocate state data\n");
+ ret = -ENOMEM;
+- goto err_memgpio;
++ goto err_stategpio;
+ }
+ drvdata->nr_states = config->nr_states;
+
+@@ -321,7 +320,7 @@ static int gpio_regulator_probe(struct p
+ default:
+ dev_err(&pdev->dev, "No regulator type set\n");
+ ret = -EINVAL;
+- goto err_memgpio;
++ goto err_memstate;
+ }
+
+ /* build initial state from gpio init data.
*/
+@@ -358,22 +357,21 @@ static int gpio_regulator_probe(struct p
+ if (IS_ERR(drvdata->dev)) {
+ ret = PTR_ERR(drvdata->dev);
+ dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret);
+- goto err_stategpio;
++ goto err_memstate;
+ }
+
+ platform_set_drvdata(pdev, drvdata);
+
+ return 0;
+
+-err_stategpio:
+- gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memstate:
+ kfree(drvdata->states);
++err_stategpio:
++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios);
+ err_memgpio:
+ kfree(drvdata->gpios);
+ err_name:
+ kfree(drvdata->desc.name);
+-err:
+ return ret;
+ }
+
diff --git a/queue-4.9/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch b/queue-4.9/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch
new file mode 100644
index 00000000000..48a162c9f3a
--- /dev/null
+++ b/queue-4.9/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Christophe JAILLET
+Date: Fri, 26 Jan 2018 23:13:44 +0100
+Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ]
+
+If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must
+release the reference on the current 'child' node before returning.
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/regulator/of_regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -282,6 +282,7 @@ int of_regulator_match(struct device *de
+ dev_err(dev,
+ "failed to parse DT for regulator %s\n",
+ child->name);
++ of_node_put(child);
+ return -EINVAL;
+ }
+ match->of_node = of_node_get(child);
diff --git a/queue-4.9/regulatory-add-nul-to-request-alpha2.patch b/queue-4.9/regulatory-add-nul-to-request-alpha2.patch
new file mode 100644
index 00000000000..b3a8938aee7
--- /dev/null
+++ b/queue-4.9/regulatory-add-nul-to-request-alpha2.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Johannes Berg
+Date: Thu, 22 Feb 2018 20:55:28 +0100
+Subject: regulatory: add NUL to request alpha2
+
+From: Johannes Berg
+
+[ Upstream commit 657308f73e674e86b60509a430a46e569bf02846 ]
+
+Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL
+to alpha2"), add another byte to alpha2 in the request struct so
+that when we use nla_put_string(), we don't overrun anything.
+
+Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group")
+Reported-by: Kees Cook
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/regulatory.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/regulatory.h
++++ b/include/net/regulatory.h
+@@ -78,7 +78,7 @@ struct regulatory_request {
+ int wiphy_idx;
+ enum nl80211_reg_initiator initiator;
+ enum nl80211_user_reg_hint_type user_reg_hint_type;
+- char alpha2[2];
++ char alpha2[3];
+ enum nl80211_dfs_regions dfs_region;
+ bool intersect;
+ bool processed;
diff --git a/queue-4.9/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch b/queue-4.9/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch
new file mode 100644
index 00000000000..3589beb80d9
--- /dev/null
+++ b/queue-4.9/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch
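Review bot: The third byte of `alpha2` in struct regulatory_request (include/net/regulatory.h) terminates the string only if the struct starts out zeroed and no writer ever stores into `alpha2[2]`; neither is visible in this hunk, which shows only the field declaration. A comment on the field would state the invariant: `char alpha2[3]; /* two-letter code + NUL; read as a C string by nla_put_string() */`. It is also worth confirming that code filling this field copies two bytes rather than `sizeof(alpha2)`, since the source buffers may still be two bytes long.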
@@ -0,0 +1,59 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: David Howells
+Date: Fri, 30 Mar 2018 21:04:44 +0100
+Subject: rxrpc: Don't treat call aborts as conn aborts
+
+From: David Howells
+
+[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ]
+
+If a call-level abort is received for the previous call to complete on a
+connection channel, then that abort is queued for the connection processor
+to handle. Unfortunately, the connection processor then assumes without
+checking that the abort is connection-level (ie. callNumber is 0) and
+distributes it over all active calls on that connection, thereby
+incorrectly aborting them.
+
+Fix this by discarding aborts aimed at a completed call.
+
+Further, discard all packets aimed at a call that's complete if there's
+currently an active call on a channel, since the DATA packets associated
+with the new call automatically terminate the old call.
+
+Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor")
+Reported-by: Marc Dionne
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/input.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1166,16 +1166,19 @@ void rxrpc_data_ready(struct sock *udp_s
+ goto discard_unlock;
+
+ if (sp->hdr.callNumber == chan->last_call) {
+- /* For the previous service call, if completed successfully, we
+- * discard all further packets.
++ if (chan->call ||
++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)
++ goto discard_unlock;
++
++ /* For the previous service call, if completed
++ * successfully, we discard all further packets.
+ */
+ if (rxrpc_conn_is_service(conn) &&
+- (chan->last_type == RXRPC_PACKET_TYPE_ACK ||
+- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT))
++ chan->last_type == RXRPC_PACKET_TYPE_ACK)
+ goto discard_unlock;
+
+- /* But otherwise we need to retransmit the final packet from
+- * data cached in the connection record.
++ /* But otherwise we need to retransmit the final packet
++ * from data cached in the connection record.
+ */
+ rxrpc_post_packet_to_conn(conn, skb);
+ goto out_unlock;
diff --git a/queue-4.9/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch b/queue-4.9/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch
new file mode 100644
index 00000000000..13e6442e1b7
--- /dev/null
+++ b/queue-4.9/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: David Howells
+Date: Fri, 30 Mar 2018 21:04:43 +0100
+Subject: rxrpc: Fix Tx ring annotation after initial Tx failure
+
+From: David Howells
+
+[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ]
+
+rxrpc calls have a ring of packets that are awaiting ACK or retransmission
+and a parallel ring of annotations that tracks the state of those packets.
+If the initial transmission of a packet on the underlying UDP socket fails
+then the packet annotation is marked for resend - but the setting of this
+mark accidentally erases the last-packet mark also stored in the same
+annotation slot. If this happens, a call won't switch out of the Tx phase
+when all the packets have been transmitted.
+
+Fix this by retaining the last-packet mark and only altering the packet
+state.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/sendmsg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -78,7 +78,9 @@ static inline void rxrpc_instant_resend(
+ spin_lock_bh(&call->lock);
+
+ if (call->state < RXRPC_CALL_COMPLETE) {
+- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS;
++ call->rxtx_annotations[ix] =
++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) |
++ RXRPC_TX_ANNO_RETRANS;
+ if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events))
+ rxrpc_queue_call(call);
+ }
diff --git a/queue-4.9/rxrpc-work-around-usercopy-check.patch b/queue-4.9/rxrpc-work-around-usercopy-check.patch
new file mode 100644
index 00000000000..2a535ad6ec5
--- /dev/null
+++ b/queue-4.9/rxrpc-work-around-usercopy-check.patch
@@ -0,0 +1,74 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: David Howells
+Date: Thu, 15 Feb 2018 22:59:00 +0000
+Subject: rxrpc: Work around usercopy check
+
+From: David Howells
+
+[ Upstream commit a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d ]
+
+Due to a check recently added to copy_to_user(), it's now not permitted to
+copy from slab-held data to userspace unless the slab is whitelisted. This
+affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
+control message in the userspace control message buffer. A warning is
+generated by usercopy_warn() because the source is the copy of the
+user_call_ID retained in the rxrpc_call struct.
+
+Work around the issue by copying the user_call_ID to a variable on the
+stack and passing that to put_cmsg().
+
+The warning generated looks like:
+
+ Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
+ WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
+ ...
+ RIP: 0010:usercopy_warn+0x7e/0xa0
+ ...
+ Call Trace:
+ __check_object_size+0x9c/0x1a0
+ put_cmsg+0x98/0x120
+ rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
+ ? finish_wait+0x80/0x80
+ ___sys_recvmsg+0xf8/0x240
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? __clear_rsb+0x25/0x3d
+ ? __clear_rsb+0x15/0x3d
+ ? finish_task_switch+0xa6/0x2b0
+ ? trace_hardirqs_on_caller+0xed/0x180
+ ? _raw_spin_unlock_irq+0x29/0x40
+ ? __sys_recvmsg+0x4e/0x90
+ __sys_recvmsg+0x4e/0x90
+ do_syscall_64+0x7a/0x220
+ entry_SYSCALL_64_after_hwframe+0x26/0x9b
+
+Reported-by: Jonathan Billings
+Signed-off-by: David Howells
+Acked-by: Kees Cook
+Tested-by: Jonathan Billings
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/recvmsg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -493,9 +493,10 @@ try_again:
+ ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
+ sizeof(unsigned int), &id32);
+ } else {
++ unsigned long idl = call->user_call_ID;
++
+ ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
+- sizeof(unsigned long),
+- &call->user_call_ID);
++ sizeof(unsigned long), &idl);
+ }
+ if (ret < 0)
+ goto error;
diff --git a/queue-4.9/s390-cio-clear-timer-when-terminating-driver-i-o.patch b/queue-4.9/s390-cio-clear-timer-when-terminating-driver-i-o.patch
new file mode 100644
index 00000000000..808fea4473b
--- /dev/null
+++ b/queue-4.9/s390-cio-clear-timer-when-terminating-driver-i-o.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Sebastian Ott
+Date: Mon, 12 Feb 2018 12:01:03 +0100
+Subject: s390/cio: clear timer when terminating driver I/O
+
+From: Sebastian Ott
+
+[ Upstream commit 410d5e13e7638bc146321671e223d56495fbf3c7 ]
+
+When we terminate driver I/O (because we need to stop using a certain
+channel path) we also need to ensure that a timer (which may have been
+set up using ccw_device_start_timeout) is cleared.
+
+Signed-off-by: Sebastian Ott
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/cio/device_fsm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/cio/device_fsm.c
++++ b/drivers/s390/cio/device_fsm.c
+@@ -923,6 +923,7 @@ void ccw_device_kill_io(struct ccw_devic
+ {
+ int ret;
+
++ ccw_device_set_timeout(cdev, 0);
+ cdev->private->iretry = 255;
+ cdev->private->async_kill_io_rc = -EIO;
+ ret = ccw_device_cancel_halt_clear(cdev);
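Review bot: In the net/rxrpc/recvmsg.c hunk, the new local `idl` in the else branch looks redundant to anyone who has not read the commit message, and a later cleanup could pass `&call->user_call_ID` again and bring the usercopy warning back. Add a comment above the declaration, e.g. `/* bounce through the stack: hardened usercopy rejects a copy straight from the slab-held call struct */`. The enclosing function starts and ends outside the hunk, so whether other put_cmsg() calls there copy from the call struct cannot be checked from here.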
diff --git a/queue-4.9/s390-cio-fix-ccw_device_start_timeout-api.patch b/queue-4.9/s390-cio-fix-ccw_device_start_timeout-api.patch
new file mode 100644
index 00000000000..786119187c5
--- /dev/null
+++ b/queue-4.9/s390-cio-fix-ccw_device_start_timeout-api.patch
@@ -0,0 +1,198 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Sebastian Ott
+Date: Tue, 6 Feb 2018 14:59:43 +0100
+Subject: s390/cio: fix ccw_device_start_timeout API
+
+From: Sebastian Ott
+
+[ Upstream commit f97a6b6c47d2f329a24f92cc0ca3c6df5727ba73 ]
+
+There are cases a device driver can't start IO because the device is
+currently in use by cio. In this case the device driver is notified
+when the device is usable again.
+
+Using ccw_device_start_timeout we would set the timeout (and change
+an existing timeout) before we test for internal usage. Worst case
+this could lead to an unexpected timer deletion.
+
+Fix this by setting the timeout after we test for internal usage.
+
+Signed-off-by: Sebastian Ott
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/cio/device_ops.c | 72 ++++++++++++++++++------------------------
+ 1 file changed, 32 insertions(+), 40 deletions(-)
+
+--- a/drivers/s390/cio/device_ops.c
++++ b/drivers/s390/cio/device_ops.c
+@@ -158,7 +158,7 @@ int ccw_device_clear(struct ccw_device *
+ }
+
+ /**
+- * ccw_device_start_key() - start a s390 channel program with key
++ * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key
+ * @cdev: target ccw device
+ * @cpa: logical start address of channel program
+ * @intparm: user specific interruption parameter; will be presented back to
+@@ -169,10 +169,15 @@ int ccw_device_clear(struct ccw_device *
+ * @key: storage key to be used for the I/O
+ * @flags: additional flags; defines the action to be performed for I/O
+ * processing.
++ * @expires: timeout value in jiffies
+ *
+ * Start a S/390 channel program. When the interrupt arrives, the
+ * IRQ handler is called, either immediately, delayed (dev-end missing,
+ * or sense required) or never (no IRQ handler registered).
++ * This function notifies the device driver if the channel program has not
++ * completed during the time specified by @expires.
If a timeout occurs, the
++ * channel program is terminated via xsch, hsch or csch, and the device's
++ * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT).
+ * Returns:
+ * %0, if the operation was successful;
+ * -%EBUSY, if the device is busy, or status pending;
+@@ -181,9 +186,9 @@ int ccw_device_clear(struct ccw_device *
+ * Context:
+ * Interrupts disabled, ccw device lock held
+ */
+-int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa,
+- unsigned long intparm, __u8 lpm, __u8 key,
+- unsigned long flags)
++int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa,
++ unsigned long intparm, __u8 lpm, __u8 key,
++ unsigned long flags, int expires)
+ {
+ struct subchannel *sch;
+ int ret;
+@@ -223,6 +228,8 @@ int ccw_device_start_key(struct ccw_devi
+ switch (ret) {
+ case 0:
+ cdev->private->intparm = intparm;
++ if (expires)
++ ccw_device_set_timeout(cdev, expires);
+ break;
+ case -EACCES:
+ case -ENODEV:
+@@ -233,7 +240,7 @@ int ccw_device_start_key(struct ccw_devi
+ }
+
+ /**
+- * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key
++ * ccw_device_start_key() - start a s390 channel program with key
+ * @cdev: target ccw device
+ * @cpa: logical start address of channel program
+ * @intparm: user specific interruption parameter; will be presented back to
+@@ -244,15 +251,10 @@ int ccw_device_start_key(struct ccw_devi
+ * @key: storage key to be used for the I/O
+ * @flags: additional flags; defines the action to be performed for I/O
+ * processing.
+- * @expires: timeout value in jiffies
+ *
+ * Start a S/390 channel program. When the interrupt arrives, the
+ * IRQ handler is called, either immediately, delayed (dev-end missing,
+ * or sense required) or never (no IRQ handler registered).
+- * This function notifies the device driver if the channel program has not
+- * completed during the time specified by @expires.
If a timeout occurs, the
+- * channel program is terminated via xsch, hsch or csch, and the device's
+- * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT).
+ * Returns:
+ * %0, if the operation was successful;
+ * -%EBUSY, if the device is busy, or status pending;
+@@ -261,19 +263,12 @@ int ccw_device_start_key(struct ccw_devi
+ * Context:
+ * Interrupts disabled, ccw device lock held
+ */
+-int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa,
+- unsigned long intparm, __u8 lpm, __u8 key,
+- unsigned long flags, int expires)
++int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa,
++ unsigned long intparm, __u8 lpm, __u8 key,
++ unsigned long flags)
+ {
+- int ret;
+-
+- if (!cdev)
+- return -ENODEV;
+- ccw_device_set_timeout(cdev, expires);
+- ret = ccw_device_start_key(cdev, cpa, intparm, lpm, key, flags);
+- if (ret != 0)
+- ccw_device_set_timeout(cdev, 0);
+- return ret;
++ return ccw_device_start_timeout_key(cdev, cpa, intparm, lpm, key,
++ flags, 0);
+ }
+
+ /**
+@@ -488,18 +483,20 @@ void ccw_device_get_id(struct ccw_device
+ EXPORT_SYMBOL(ccw_device_get_id);
+
+ /**
+- * ccw_device_tm_start_key() - perform start function
++ * ccw_device_tm_start_timeout_key() - perform start function
+ * @cdev: ccw device on which to perform the start function
+ * @tcw: transport-command word to be started
+ * @intparm: user defined parameter to be passed to the interrupt handler
+ * @lpm: mask of paths to use
+ * @key: storage key to use for storage access
++ * @expires: time span in jiffies after which to abort request
+ *
+ * Start the tcw on the given ccw device. Return zero on success, non-zero
+ * otherwise.
+ */
+-int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw,
+- unsigned long intparm, u8 lpm, u8 key)
++int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw,
++ unsigned long intparm, u8 lpm, u8 key,
++ int expires)
+ {
+ struct subchannel *sch;
+ int rc;
+@@ -526,37 +523,32 @@ int ccw_device_tm_start_key(struct ccw_d
+ return -EACCES;
+ }
+ rc = cio_tm_start_key(sch, tcw, lpm, key);
+- if (rc == 0)
++ if (rc == 0) {
+ cdev->private->intparm = intparm;
++ if (expires)
++ ccw_device_set_timeout(cdev, expires);
++ }
+ return rc;
+ }
+-EXPORT_SYMBOL(ccw_device_tm_start_key);
++EXPORT_SYMBOL(ccw_device_tm_start_timeout_key);
+
+ /**
+- * ccw_device_tm_start_timeout_key() - perform start function
++ * ccw_device_tm_start_key() - perform start function
+ * @cdev: ccw device on which to perform the start function
+ * @tcw: transport-command word to be started
+ * @intparm: user defined parameter to be passed to the interrupt handler
+ * @lpm: mask of paths to use
+ * @key: storage key to use for storage access
+- * @expires: time span in jiffies after which to abort request
+ *
+ * Start the tcw on the given ccw device. Return zero on success, non-zero
+ * otherwise.
+ */
+-int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw,
+- unsigned long intparm, u8 lpm, u8 key,
+- int expires)
++int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw,
++ unsigned long intparm, u8 lpm, u8 key)
+ {
+- int ret;
+-
+- ccw_device_set_timeout(cdev, expires);
+- ret = ccw_device_tm_start_key(cdev, tcw, intparm, lpm, key);
+- if (ret != 0)
+- ccw_device_set_timeout(cdev, 0);
+- return ret;
++ return ccw_device_tm_start_timeout_key(cdev, tcw, intparm, lpm, key, 0);
+ }
+-EXPORT_SYMBOL(ccw_device_tm_start_timeout_key);
++EXPORT_SYMBOL(ccw_device_tm_start_key);
+
+ /**
+ * ccw_device_tm_start() - perform start function
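Review bot: The old ccw_device_start_timeout_key() in drivers/s390/cio/device_ops.c began with `if (!cdev) return -ENODEV;`, and that guard is removed without a visible replacement, so a NULL cdev is now caught only if the merged function tests it before its first dereference. That part of the body lies between the hunks and should be confirmed. The kernel-doc for `@expires` in both merged functions also does not say that 0 means no timer is armed, which is what `if (expires)` implements and what the two wrappers rely on; suggested wording: `@expires: timeout value in jiffies, 0 for no timeout`.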
diff --git a/queue-4.9/s390-cio-fix-return-code-after-missing-interrupt.patch b/queue-4.9/s390-cio-fix-return-code-after-missing-interrupt.patch
new file mode 100644
index 00000000000..5dc0a643f7f
--- /dev/null
+++ b/queue-4.9/s390-cio-fix-return-code-after-missing-interrupt.patch
@@ -0,0 +1,71 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Sebastian Ott
+Date: Wed, 7 Feb 2018 13:18:19 +0100
+Subject: s390/cio: fix return code after missing interrupt
+
+From: Sebastian Ott
+
+[ Upstream commit 770b55c995d171f026a9efb85e71e3b1ea47b93d ]
+
+When a timeout occurs for users of ccw_device_start_timeout
+we will stop the IO and call the drivers int handler with
+the irb pointer set to ERR_PTR(-ETIMEDOUT). Sometimes
+however we'd set the irb pointer to ERR_PTR(-EIO) which is
+not intended. Just set the correct value in all codepaths.
+
+Reported-by: Julian Wiedmann
+Signed-off-by: Sebastian Ott
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/cio/device_fsm.c | 6 ++++--
+ drivers/s390/cio/io_sch.h | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/device_fsm.c
++++ b/drivers/s390/cio/device_fsm.c
+@@ -822,6 +822,7 @@ ccw_device_online_timeout(struct ccw_dev
+
+ ccw_device_set_timeout(cdev, 0);
+ cdev->private->iretry = 255;
++ cdev->private->async_kill_io_rc = -ETIMEDOUT;
+ ret = ccw_device_cancel_halt_clear(cdev);
+ if (ret == -EBUSY) {
+ ccw_device_set_timeout(cdev, 3*HZ);
+@@ -898,7 +899,7 @@ ccw_device_killing_irq(struct ccw_device
+ /* OK, i/o is dead now. Call interrupt handler.
*/
+ if (cdev->handler)
+ cdev->handler(cdev, cdev->private->intparm,
+- ERR_PTR(-EIO));
++ ERR_PTR(cdev->private->async_kill_io_rc));
+ }
+
+ static void
+@@ -915,7 +916,7 @@ ccw_device_killing_timeout(struct ccw_de
+ ccw_device_online_verify(cdev, 0);
+ if (cdev->handler)
+ cdev->handler(cdev, cdev->private->intparm,
+- ERR_PTR(-EIO));
++ ERR_PTR(cdev->private->async_kill_io_rc));
+ }
+
+ void ccw_device_kill_io(struct ccw_device *cdev)
+@@ -923,6 +924,7 @@ void ccw_device_kill_io(struct ccw_devic
+ int ret;
+
+ cdev->private->iretry = 255;
++ cdev->private->async_kill_io_rc = -EIO;
+ ret = ccw_device_cancel_halt_clear(cdev);
+ if (ret == -EBUSY) {
+ ccw_device_set_timeout(cdev, 3*HZ);
+--- a/drivers/s390/cio/io_sch.h
++++ b/drivers/s390/cio/io_sch.h
+@@ -154,6 +154,7 @@ struct ccw_device_private {
+ unsigned long intparm; /* user interruption parameter */
+ struct qdio_irq *qdio_data;
+ struct irb irb; /* device status */
++ int async_kill_io_rc;
+ struct senseid senseid; /* SenseID info */
+ struct pgid pgid[8]; /* path group IDs per chpid*/
+ struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */
diff --git a/queue-4.9/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch b/queue-4.9/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch
new file mode 100644
index 00000000000..bc7c3083d64
--- /dev/null
+++ b/queue-4.9/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch
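Review bot: `async_kill_io_rc` is assigned only in ccw_device_online_timeout() and ccw_device_kill_io(), yet ccw_device_killing_irq() and ccw_device_killing_timeout() in drivers/s390/cio/device_fsm.c now pass it to the driver's handler unconditionally. If either is reached while the field is still 0, the handler receives `ERR_PTR(0)`, which is NULL and is not caught by an `IS_ERR()` test on the irb. Whether another path can enter the killing state is not visible in these hunks; a fallback such as `ERR_PTR(cdev->private->async_kill_io_rc ?: -EIO)` would keep the previous behaviour in that case. The new member in io_sch.h also lacks the trailing comment its neighbours carry, e.g. `/* error code reported after killed I/O */`.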
@@ -0,0 +1,74 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Davidlohr Bueso
+Date: Mon, 2 Apr 2018 09:49:54 -0700
+Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
+
+From: Davidlohr Bueso
+
+[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ]
+
+While running rt-tests' pi_stress program I got the following splat:
+
+ rq->clock_update_flags < RQCF_ACT_SKIP
+ WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20
+
+ [...]
+
+
+ enqueue_top_rt_rq+0xf4/0x150
+ ? cpufreq_dbs_governor_start+0x170/0x170
+ sched_rt_rq_enqueue+0x65/0x80
+ sched_rt_period_timer+0x156/0x360
+ ? sched_rt_rq_enqueue+0x80/0x80
+ __hrtimer_run_queues+0xfa/0x260
+ hrtimer_interrupt+0xcb/0x220
+ smp_apic_timer_interrupt+0x62/0x120
+ apic_timer_interrupt+0xf/0x20
+
+
+ [...]
+
+ do_idle+0x183/0x1e0
+ cpu_startup_entry+0x5f/0x70
+ start_secondary+0x192/0x1d0
+ secondary_startup_64+0xa5/0xb0
+
+We can get rid of it be the "traditional" means of adding an
+update_rq_clock() call after acquiring the rq->lock in
+do_sched_rt_period_timer().
+
+The case for the RT task throttling (which this workload also hits)
+can be ignored in that the skip_update call is actually bogus and
+quite the contrary (the request bits are removed/reverted).
+
+By setting RQCF_UPDATED we really don't care if the skip is happening
+or not and will therefore make the assert_clock_updated() check happy.
+
+Signed-off-by: Davidlohr Bueso
+Reviewed-by: Matt Fleming
+Acked-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Thomas Gleixner
+Cc: dave@stgolabs.net
+Cc: linux-kernel@vger.kernel.org
+Cc: rostedt@goodmis.org
+Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/rt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -830,6 +830,8 @@ static int do_sched_rt_period_timer(stru
+ struct rq *rq = rq_of_rt_rq(rt_rq);
+
+ raw_spin_lock(&rq->lock);
++ update_rq_clock(rq);
++
+ if (rt_rq->rt_time) {
+ u64 runtime;
+
diff --git a/queue-4.9/selftests-ftrace-add-a-testcase-for-probepoint.patch b/queue-4.9/selftests-ftrace-add-a-testcase-for-probepoint.patch
new file mode 100644
index 00000000000..03ae90c441a
--- /dev/null
+++ b/queue-4.9/selftests-ftrace-add-a-testcase-for-probepoint.patch
@@ -0,0 +1,70 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Masami Hiramatsu
+Date: Sat, 17 Mar 2018 21:40:31 +0900
+Subject: selftests: ftrace: Add a testcase for probepoint
+
+From: Masami Hiramatsu
+
+[ Upstream commit dfa453bc90eca0febff33c8d292a656e53702158 ]
+
+Add a testcase for probe point definition. This tests
+symbol, address and symbol+offset syntax. The offset
+must be positive and smaller than UINT_MAX.
+
+Link: http://lkml.kernel.org/r/152129043097.31874.14273580606301767394.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc | 43 +++++++++++++
+ 1 file changed, 43 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
+@@ -0,0 +1,43 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe events - probe points
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++TARGET_FUNC=create_trace_kprobe
++
++dec_addr() { # hexaddr
++ printf "%d" "0x"`echo $1 | tail -c 8`
++}
++
++set_offs() { # prev target next
++ A1=`dec_addr $1`
++ A2=`dec_addr $2`
++ A3=`dec_addr $3`
++ TARGET="0x$2" # an address
++ PREV=`expr $A1 - $A2` # offset to previous symbol
++ NEXT=+`expr $A3 - $A2` # offset to next symbol
++ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol
++}
++
++# We have to decode symbol addresses to get correct offsets.
++# If the offset is not an instruction boundary, it cause -EILSEQ.
++set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs`
++
++UINT_TEST=no
++# printf "%x" -1 returns (unsigned long)-1.
++if [ `printf "%x" -1 | wc -c` != 9 ]; then
++ UINT_TEST=yes
++fi
++
++echo 0 > events/enable
++echo > kprobe_events
++echo "p:testprobe ${TARGET_FUNC}" > kprobe_events
++echo "p:testprobe ${TARGET}" > kprobe_events
++echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events
++! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events
++if [ "${UINT_TEST}" = yes ]; then
++! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events
++fi
++echo > kprobe_events
++clear_trace
diff --git a/queue-4.9/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch b/queue-4.9/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch
new file mode 100644
index 00000000000..ec50916570a
--- /dev/null
+++ b/queue-4.9/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch
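Review bot: The offsets computed by `set_offs` in probepoint.tc are taken from /proc/kallsyms without checking that the addresses are real, so on a system where `kptr_restrict` hides kernel pointers every address reads as zero, `PREV`/`NEXT` collapse to 0 and the following probe writes would presumably fail for reasons unrelated to the parser under test. A guard right after the `set_offs` call, such as `[ "$A2" -ne 0 ] || exit_unsupported # kallsyms addresses are hidden`, would report that case as unsupported instead of as a failure. The `grep -A1 -B1 ${TARGET_FUNC}` is also not anchored to the whole symbol name, so if more than one symbol contains that string `set_offs` receives more than three addresses and silently uses the first three; matching with `-w` would make the selection explicit.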
@@ -0,0 +1,73 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Masami Hiramatsu
+Date: Sat, 17 Mar 2018 21:39:44 +0900
+Subject: selftests: ftrace: Add a testcase for string type with kprobe_event
+
+From: Masami Hiramatsu
+
+[ Upstream commit 5fbdbed797b6d12d043a5121fdbc8d8b49d10e80 ]
+
+Add a testcase for string type with kprobe event.
+This tests good/bad syntax combinations and also
+the traced data is correct in several way.
+
+Link: http://lkml.kernel.org/r/152129038381.31874.9201387794548737554.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 46 ++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+@@ -0,0 +1,46 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe event string type argument
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++echo 0 > events/enable
++echo > kprobe_events
++
++case `uname -m` in
++x86_64)
++ ARG2=%si
++ OFFS=8
++;;
++i[3456]86)
++ ARG2=%cx
++ OFFS=4
++;;
++aarch64)
++ ARG2=%x1
++ OFFS=8
++;;
++arm*)
++ ARG2=%r1
++ OFFS=4
++;;
++*)
++ echo "Please implement other architecture here"
++ exit_untested
++esac
++
++: "Test get argument (1)"
++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events
++echo 1 > events/kprobes/testprobe/enable
++! echo test >> kprobe_events
++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\""
++
++echo 0 > events/kprobes/testprobe/enable
++: "Test get argument (2)"
++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events
++echo 1 > events/kprobes/testprobe/enable
++! echo test1 test2 >> kprobe_events
++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\""
++
++echo 0 > events/enable
++echo > kprobe_events
diff --git a/queue-4.9/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch b/queue-4.9/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch
new file mode 100644
index 00000000000..53850890a42
--- /dev/null
+++ b/queue-4.9/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch
@@ -0,0 +1,124 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Masami Hiramatsu
+Date: Sat, 17 Mar 2018 21:38:56 +0900
+Subject: selftests: ftrace: Add probe event argument syntax testcase
+
+From: Masami Hiramatsu
+
+[ Upstream commit 871bef2000968c312a4000b2f56d370dcedbc93c ]
+
+Add a testcase for probe event argument syntax which
+ensures the kprobe_events interface correctly parses
+given event arguments.
+
+Link: http://lkml.kernel.org/r/152129033679.31874.12705519603869152799.stgit@devbox
+
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 97 ++++++++++
+ 1 file changed, 97 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
+@@ -0,0 +1,97 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++# description: Kprobe event argument syntax
++
++[ -f kprobe_events ] || exit_unsupported # this is configurable
++
++grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue
++
++echo 0 > events/enable
++echo > kprobe_events
++
++PROBEFUNC="vfs_read"
++GOODREG=
++BADREG=
++GOODSYM="_sdata"
++if ! grep -qw ${GOODSYM} /proc/kallsyms ; then
++ GOODSYM=$PROBEFUNC
++fi
++BADSYM="deaqswdefr"
++SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "`
++GOODTYPE="x16"
++BADTYPE="y16"
++
++case `uname -m` in
++x86_64|i[3456]86)
++ GOODREG=%ax
++ BADREG=%ex
++;;
++aarch64)
++ GOODREG=%x0
++ BADREG=%ax
++;;
++arm*)
++ GOODREG=%r0
++ BADREG=%ax
++;;
++esac
++
++test_goodarg() # Good-args
++{
++ while [ "$1" ]; do
++ echo "p ${PROBEFUNC} $1" > kprobe_events
++ shift 1
++ done;
++}
++
++test_badarg() # Bad-args
++{
++ while [ "$1" ]; do
++ ! echo "p ${PROBEFUNC} $1" > kprobe_events
++ shift 1
++ done;
++}
++
++echo > kprobe_events
++
++: "Register access"
++test_goodarg ${GOODREG}
++test_badarg ${BADREG}
++
++: "Symbol access"
++test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10"
++test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \
++ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10"
++
++: "Stack access"
++test_goodarg "\$stack" "\$stack0" "\$stack1"
++test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
++
++: "Retval access"
++echo "r ${PROBEFUNC} \$retval" > kprobe_events
++! echo "p ${PROBEFUNC} \$retval" > kprobe_events
++
++: "Comm access"
++test_goodarg "\$comm"
++
++: "Indirect memory access"
++test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
++ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))"
++test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \
++ "+10(\$comm)" "+0(${GOODREG})+10"
++
++: "Name assignment"
++test_goodarg "varname=${GOODREG}"
++test_badarg "varname=varname2=${GOODREG}"
++
++: "Type syntax"
++test_goodarg "${GOODREG}:${GOODTYPE}"
++test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \
++ "${GOODTYPE}:${GOODREG}"
++
++: "Combination check"
++
++test_goodarg "\$comm:string" "+0(\$stack):string"
++test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string"
++
++echo > kprobe_events
diff --git a/queue-4.9/selftests-memfd-add-config-fragment-for-fuse.patch b/queue-4.9/selftests-memfd-add-config-fragment-for-fuse.patch
new file mode 100644
index 00000000000..52d74029641
--- /dev/null
+++ b/queue-4.9/selftests-memfd-add-config-fragment-for-fuse.patch
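Review bot: The `case` on `uname -m` in kprobe_args_syntax.tc has no default branch, so on any architecture other than the three listed `GOODREG` and `BADREG` stay empty. The later calls then expand to arguments such as `+0()` and `:x16` inside `test_goodarg`, which would presumably be rejected and reported as a test failure rather than as an untested platform. kprobe_args_string.tc, added in the same commit, already handles this case; adding the same `*) echo "Please implement other architecture here"; exit_untested ;;` before `esac` here would keep the two tests consistent.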
@@ -0,0 +1,25 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Anders Roxell
+Date: Tue, 6 Feb 2018 16:20:44 -0600
+Subject: selftests: memfd: add config fragment for fuse
+
+From: Anders Roxell
+
+[ Upstream commit 9a606f8d55cfc932ec02172aaed4124fdc150047 ]
+
+The memfd test requires to insert the fuse module (CONFIG_FUSE_FS).
+
+Signed-off-by: Anders Roxell
+Signed-off-by: Daniel Díaz
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/memfd/config | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/memfd/config
+
+--- /dev/null
++++ b/tools/testing/selftests/memfd/config
+@@ -0,0 +1 @@
++CONFIG_FUSE_FS=m
diff --git a/queue-4.9/selftests-net-fixes-psock_fanout-ebpf-test-case.patch b/queue-4.9/selftests-net-fixes-psock_fanout-ebpf-test-case.patch
new file mode 100644
index 00000000000..6bef5fbd238
--- /dev/null
+++ b/queue-4.9/selftests-net-fixes-psock_fanout-ebpf-test-case.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Prashant Bhole
+Date: Thu, 15 Feb 2018 09:19:26 +0900
+Subject: selftests/net: fixes psock_fanout eBPF test case
+
+From: Prashant Bhole
+
+[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ]
+
+eBPF test fails due to verifier failure because log_buf is too small.
+Fixed by increasing log_buf size
+
+Signed-off-by: Prashant Bhole
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/psock_fanout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/psock_fanout.c
++++ b/tools/testing/selftests/net/psock_fanout.c
+@@ -97,6 +97,8 @@ static int sock_fanout_open(uint16_t typ
+
+ static void sock_fanout_set_ebpf(int fd)
+ {
++ static char log_buf[65536];
++
+ const int len_off = __builtin_offsetof(struct __sk_buff, len);
+ struct bpf_insn prog[] = {
+ { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 },
+@@ -109,7 +111,6 @@ static void sock_fanout_set_ebpf(int fd)
+ { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 },
+ { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 }
+ };
+- char log_buf[512];
+ union bpf_attr attr;
+ int pfd;
+
diff --git a/queue-4.9/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch b/queue-4.9/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch
new file mode 100644
index 00000000000..585b2563102
--- /dev/null
+++ b/queue-4.9/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch
@@ -0,0 +1,65 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Ellerman
+Date: Mon, 26 Feb 2018 15:22:22 +1100
+Subject: selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable
+
+From: Michael Ellerman
+
+[ Upstream commit cd4a6f3ab4d80cb919d15897eb3cbc85c2009d4b ]
+
+The subpage_prot syscall is only functional when the system is using
+the Hash MMU. Since commit 5b2b80714796 ("powerpc/mm: Invalidate
+subpage_prot() system call on radix platforms") it returns ENOENT when
+the Radix MMU is active. Currently this just makes the test fail.
+
+Additionally the syscall is not available if the kernel is built with
+4K pages, or if CONFIG_PPC_SUBPAGE_PROT=n, in which case it returns
+ENOSYS because the syscall is missing entirely.
+
+So check explicitly for ENOENT and ENOSYS and skip if we see either of
+those.
+
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/powerpc/mm/subpage_prot.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/tools/testing/selftests/powerpc/mm/subpage_prot.c
++++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c
+@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned
+ return 0;
+ }
+
++static int syscall_available(void)
++{
++ int rc;
++
++ errno = 0;
++ rc = syscall(__NR_subpage_prot, 0, 0, 0);
++
++ return rc == 0 || (errno != ENOENT && errno != ENOSYS);
++}
++
+ int test_anon(void)
+ {
+ unsigned long align;
+@@ -145,6 +155,8 @@ int test_anon(void)
+ void *mallocblock;
+ unsigned long mallocsize;
+
++ SKIP_IF(!syscall_available());
++
+ if (getpagesize() != 0x10000) {
+ fprintf(stderr, "Kernel page size must be 64K!\n");
+ return 1;
+@@ -180,6 +192,8 @@ int test_file(void)
+ off_t filesize;
+ int fd;
+
++ SKIP_IF(!syscall_available());
++
+ fd = open(file_name, O_RDWR);
+ if (fd == -1) {
+ perror("failed to open file");
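Review bot: syscall_available() carries no comment saying that the all-zero call is only a probe and that every errno other than ENOENT and ENOSYS is treated as "syscall present", which a reader otherwise has to work out from the return expression. A short comment above the function would record the intent given in the commit message, for example `/* Probe with null arguments: ENOENT (Radix MMU) or ENOSYS (syscall not built) means skip; any other result means the syscall is present. */`. The probe is repeated in both test_anon() and test_file(), whose bodies continue outside the hunk.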
diff --git a/queue-4.9/selftests-print-the-test-we-re-running-to-dev-kmsg.patch b/queue-4.9/selftests-print-the-test-we-re-running-to-dev-kmsg.patch
new file mode 100644
index 00000000000..3cc0fc7a7e4
--- /dev/null
+++ b/queue-4.9/selftests-print-the-test-we-re-running-to-dev-kmsg.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Ellerman
+Date: Fri, 23 Mar 2018 20:44:27 +1100
+Subject: selftests: Print the test we're running to /dev/kmsg
+
+From: Michael Ellerman
+
+[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ]
+
+Some tests cause the kernel to print things to the kernel log
+buffer (ie. printk), in particular oops and warnings etc. However when
+running all the tests in succession it's not always obvious which
+test(s) caused the kernel to print something.
+
+We can narrow it down by printing which test directory we're running
+in to /dev/kmsg, if it's writable.
+
+Example output:
+
+ [ 170.149149] kselftest: Running tests in powerpc
+ [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes
+ left
+ [ 808.915456] kselftest: Running tests in pstore
+
+Signed-off-by: Michael Ellerman
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -94,6 +94,7 @@ ifdef INSTALL_PATH
+ for TARGET in $(TARGETS); do \
+ echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \
+ echo "echo ========================================" >> $(ALL_SCRIPT); \
++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \
+ echo "cd $$TARGET" >> $(ALL_SCRIPT); \
+ make -s --no-print-directory -C $$TARGET emit_tests >> $(ALL_SCRIPT); \
+ echo "cd \$$ROOT" >> $(ALL_SCRIPT); \
diff --git a/queue-4.9/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch b/queue-4.9/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch
new file mode 100644
index 00000000000..92f3e967320
--- /dev/null
+++ b/queue-4.9/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch
@@ -0,0 +1,27 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Naresh Kamboju
+Date: Wed, 7 Feb 2018 14:47:20 +0530
+Subject: selftests: pstore: Adding config fragment CONFIG_PSTORE_RAM=m
+
+From: Naresh Kamboju
+
+[ Upstream commit 9a379e77033f02c4a071891afdf0f0a01eff8ccb ]
+
+pstore_tests and pstore_post_reboot_tests need CONFIG_PSTORE_RAM=m
+
+Signed-off-by: Naresh Kamboju
+Acked-by: Kees Cook
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/pstore/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/pstore/config
++++ b/tools/testing/selftests/pstore/config
+@@ -2,3 +2,4 @@ CONFIG_MISC_FILESYSTEMS=y
+ CONFIG_PSTORE=y
+ CONFIG_PSTORE_PMSG=y
+ CONFIG_PSTORE_CONSOLE=y
++CONFIG_PSTORE_RAM=m
diff --git a/queue-4.9/series b/queue-4.9/series
index 6be50a61a57..f35610aace7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -22,3 +22,309 @@ kvm-vmx-expose-ssbd-properly-to-guests.patch kvm-s390-vsie-fix-8k-check-for-the-itdba.patch kvm-x86-update-cpuid-properly-when-cr4.osxave-or-cr4.pke-is-changed.patch kvm-x86-ia32_arch_capabilities-is-always-supported.patch +firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch +x86-tsc-allow-tsc-calibration-without-pit.patch +nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch +alsa-hda-use-is_reachable-for-dependency-on-input.patch +kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch +netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch +tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch +pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch +input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch +i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch +tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch +perf-callchain-fix-attr.sample_max_stack-setting.patch +tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch +perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch +iommu-vt-d-use-domain-instead-of-cache-fetching.patch +dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch +net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch +net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch +nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch +watchdog-sp5100_tco-fix-watchdog-disable-bit.patch +kconfig-don-t-leak-main-menus-during-parsing.patch +kconfig-fix-automatic-menu-creation-mem-leak.patch +kconfig-fix-expr_free-e_not-leak.patch +mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch +ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch +btrfs-set-plug-for-fsync.patch +btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch +btrfs-fix-scrub-to-repair-raid6-corruption.patch 
+btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch +hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch +fm10k-fix-failed-to-kill-vid-message-for-vf.patch +device-property-define-type-of-property_enrty_-macros.patch +jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch +powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch +powerpc-numa-ensure-nodes-initialized-for-hotplug.patch +rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch +ntb_transport-fix-bug-with-max_mw_size-parameter.patch +gianfar-prevent-integer-wrapping-in-the-rx-handler.patch +tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch +kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch +ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch +ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch +ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch +mm-mempolicy-fix-the-check-of-nodemask-from-user.patch +mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch +asm-generic-provide-generic_pmdp_establish.patch +sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch +mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch +mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch +mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch +openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch +ib-ipoib-fix-for-potential-no-carrier-state.patch +drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch +netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch +x86-power-fix-swsusp_arch_resume-prototype.patch +firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch +acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch +acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch 
+bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch +mips-generic-fix-machine-compatible-matching.patch +mips-txx9-use-is_builtin-for-config_leds_class.patch +xen-netfront-fix-race-between-device-setup-and-open.patch +xen-grant-table-use-put_page-instead-of-free_page.patch +rds-ib-fix-null-pointer-issue.patch +arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch +proc-fix-proc-map_files-lookup.patch +cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch +bcache-properly-set-task-state-in-bch_writeback_thread.patch +bcache-fix-for-allocator-and-register-thread-race.patch +bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch +bcache-return-attach-error-when-no-cache-set-exist.patch +tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch +bpf-fix-rlimit-in-reuseport-net-selftest.patch +vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch +locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch +irqchip-gic-v3-ignore-disabled-its-nodes.patch +cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch +irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch +arc-fix-malformed-arc_emul_unaligned-default.patch +ptr_ring-prevent-integer-overflow-when-calculating-size.patch +libata-fix-compile-warning-with-ata_debug-enabled.patch +selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch +selftests-memfd-add-config-fragment-for-fuse.patch +arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch +arm-omap3-fix-prm-wake-interrupt-for-resume.patch +arm-omap1-clock-fix-debugfs_create_-usage.patch +ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch +iwlwifi-mvm-fix-security-bug-in-pn-checking.patch +iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch +nfc-llcp-limit-size-of-sdp-uri.patch +rxrpc-work-around-usercopy-check.patch +mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch 
+mac80211-fix-a-possible-leak-of-station-stats.patch +mac80211-fix-calling-sleeping-function-in-atomic-context.patch +mac80211-do-not-disconnect-on-invalid-operating-class.patch +md-raid10-fix-null-deference-in-handle_write_completed.patch +drm-exynos-g2d-use-monotonic-timestamps.patch +drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch +drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch +locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch +md-raid5-avoid-string-overflow-warning.patch +kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch +powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch +s390-cio-fix-ccw_device_start_timeout-api.patch +s390-cio-fix-return-code-after-missing-interrupt.patch +s390-cio-clear-timer-when-terminating-driver-i-o.patch +pkcs-7-fix-direct-verification-of-signerinfo-signature.patch +arm-omap-fix-dmtimer-init-for-omap1.patch +smsc75xx-fix-smsc75xx_set_features.patch +regulatory-add-nul-to-request-alpha2.patch +integrity-security-fix-digsig.c-build-error-with-header-file.patch +locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch +x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch +mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch +arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch +macvlan-fix-use-after-free-in-macvlan_common_newlink.patch +kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch +fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch +fs-dcache-use-read_once-when-accessing-i_dir_seq.patch +md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch +md-raid1-fix-null-pointer-dereference.patch +batman-adv-fix-packet-checksum-in-receive-path.patch +batman-adv-invalidate-checksum-on-fragment-reassembly.patch +netfilter-ebtables-convert-bug_ons-to-warn_ons.patch 
+batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch +batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch +batman-adv-fix-netlink-dumping-of-bla-claims.patch +batman-adv-fix-netlink-dumping-of-bla-backbones.patch +nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch +clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch +ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch +arm-orion5x-revert-commit-4904dbda41c8.patch +qrtr-add-module_alias-macro-to-smd.patch +r8152-fix-tx-packets-accounting.patch +virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch +dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch +bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch +ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch +sit-fix-ifla_mtu-ignored-on-newlink.patch +arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch +powerpc-boot-fix-random-libfdt-related-build-errors.patch +gianfar-fix-rx-byte-accounting-for-ndev-stats.patch +net-tcp-illinois-replace-broken-algorithm-reference-link.patch +nvmet-fix-psdt-field-check-in-command-format.patch +xen-pirq-fix-error-path-cleanup-when-binding-msis.patch +drm-sun4i-fix-dclk_set_phase.patch +btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch +selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch +kvm-ppc-book3s-hv-fix-vrma-initialization-with-2mb-or-1gb-memory-backing.patch +iwlwifi-mvm-fix-tx-of-ccmp-256.patch +watchdog-f71808e_wdt-fix-magic-close-handling.patch +watchdog-sbsa-use-32-bit-read-for-wcv.patch +batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch +e1000e-fix-check_for_link-return-value-with-autoneg-off.patch +e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch +ia64-err-inject-use-get_user_pages_fast.patch +rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch +rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch 
+ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch +ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch +ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch +fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch +fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch +net-qcom-emac-use-proper-free-methods-during-tx.patch +net-smsc911x-fix-unload-crash-when-link-is-up.patch +ib-core-fix-possible-crash-to-access-null-netdev.patch +xen-xenbus-use-put_device-instead-of-kfree.patch +arm64-relax-arm_smccc_arch_workaround_1-discovery.patch +dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch +netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch +bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch +workqueue-use-put_device-instead-of-kfree.patch +ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch +sunvnet-does-not-support-gso-for-sctp.patch +drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch +microblaze-switch-to-no_bootmem.patch +net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch +batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch +batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch +vti4-don-t-count-header-length-twice-on-tunnel-setup.patch +vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch +perf-cgroup-fix-child-event-counting-bug.patch +brcmfmac-fix-check-for-iso3166-code.patch +kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch +rdma-ucma-correct-option-size-check-using-optlen.patch +rdma-qedr-fix-qp-s-ack-timeout-configuration.patch +rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch +macsec-missing-dev_put-on-error-in-macsec_newlink.patch +mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch +mm-thp-do-not-cause-memcg-oom-for-thp.patch +selftests-ftrace-add-probe-event-argument-syntax-testcase.patch 
+selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch +selftests-ftrace-add-a-testcase-for-probepoint.patch +batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch +batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch +arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch +net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch +perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch +llc-properly-handle-dev_queue_xmit-return-value.patch +builddeb-fix-header-package-regarding-dtc-source-links.patch +mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch +net-fix-untag-for-vlan-packets-without-ethernet-header.patch +net-mvneta-fix-enable-of-all-initialized-rxqs.patch +sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch +nvme-don-t-send-keep-alives-to-the-discovery-controller.patch +x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch +x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch +fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch +swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch +sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch +force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch +cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch +dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch +arm-dts-ls1021a-specify-tbipa-register-address.patch +mm-ksm-fix-interaction-with-thp.patch +mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch +btrfs-bail-out-on-error-during-replay_dir_deletes.patch +btrfs-fix-null-pointer-dereference-in-log_dir_items.patch +btrfs-fix-possible-softlock-on-single-core-machines.patch +ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch +sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch 
+kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch +fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch +sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch +net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch +btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch +btrfs-fix-copy_items-return-value-when-logging-an-inode.patch +btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch +rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch +rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch +xen-acpi-off-by-one-in-read_acpi_id.patch +drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch +acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch +powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch +m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch +parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch +hwmon-nct6775-fix-writing-pwmx_mode.patch +powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch +powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch +tools-thermal-tmon-fix-for-segfault.patch +selftests-print-the-test-we-re-running-to-dev-kmsg.patch +net-mlx5-protect-from-command-bit-overflow.patch +ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch +cxgb4-setup-fw-queues-before-registering-netdev.patch +ima-fallback-to-the-builtin-hash-algorithm.patch +virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch +arm-dts-socfpga-fix-gic-ppi-warning.patch +cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch +zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch +bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch +acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch +acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch +cxgb4-fix-queue-free-path-of-uld-drivers.patch +i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch 
+kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch +perf-top-fix-top.call-graph-config-option-reading.patch +perf-stat-fix-core-dump-when-flag-t-is-used.patch +ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch +regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch +spi-bcm-qspi-fix-some-error-handling-paths.patch +mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch +pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch +ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch +powerpc-add-missing-prototype-for-arch_irq_work_raise.patch +f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch +perf-core-fix-perf_output_read_group.patch +drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch +hwmon-pmbus-max8688-accept-negative-page-register-values.patch +hwmon-pmbus-adm1275-accept-negative-page-register-values.patch +perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch +cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch +perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch +perf-x86-intel-fix-event-update-for-auto-reload.patch +arm64-dts-qcom-fix-spi5-config-on-msm8996.patch +soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch +gfs2-fix-fallocate-chunk-size.patch +x86-devicetree-initialize-device-tree-before-using-it.patch +x86-devicetree-fix-device-irq-settings-in-dt.patch +alsa-vmaster-propagate-slave-error.patch +dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch +dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch +enic-enable-rq-before-updating-rq-descriptors.patch +hwrng-stm32-add-reset-during-probe.patch +dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch +net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch +net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch 
+cpufreq-reorder-cpufreq_online-error-code-path.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch +udf-provide-saner-default-for-invalid-uid-gid.patch +arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch +audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch +rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch +pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch +mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch +drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch +x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch +perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch +perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch +selftests-net-fixes-psock_fanout-ebpf-test-case.patch +netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch +regmap-correct-comparison-in-regmap_cached.patch +arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch +arm-dts-porter-fix-hdmi-output-routing.patch +regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch +pinctrl-msm-use-dynamic-gpio-numbering.patch +kdb-make-mdr-command-repeat.patch diff --git a/queue-4.9/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch b/queue-4.9/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch new file mode 100644 index 00000000000..a04f8c51932 --- /dev/null +++ b/queue-4.9/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch 
@@ -0,0 +1,32 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Rich Felker +Date: Thu, 15 Mar 2018 20:01:36 -0400 +Subject: sh: fix debug trap failure to process signals before return to user + +From: Rich Felker + +[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ] + +When responding to a debug trap (breakpoint) in userspace, the +kernel's trap handler raised SIGTRAP but returned from the trap via a +code path that ignored pending signals, resulting in an infinite loop +re-executing the trapping instruction. + +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/entry-common.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -255,7 +255,7 @@ debug_trap: + mov.l @r8, r8 + jsr @r8 + nop +- bra __restore_all ++ bra ret_from_exception + nop + CFI_ENDPROC + diff --git a/queue-4.9/sit-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.9/sit-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..10c026a96f3 --- /dev/null +++ b/queue-4.9/sit-fix-ifla_mtu-ignored-on-newlink.patch 
@@ -0,0 +1,42 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Xin Long +Date: Tue, 27 Feb 2018 19:19:41 +0800 +Subject: sit: fix IFLA_MTU ignored on NEWLINK + +From: Xin Long + +[ Upstream commit 2b3957c34b6d7f03544b12ebbf875eee430745db ] + +Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len +correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same +mtu fix is also needed for sit. + +Note that dev->hard_header_len setting for sit works fine, no need to +fix it. sit is actually ipv4 tunnel, it can't call ip6_tnl_change_mtu +to set mtu. + +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1572,6 +1572,13 @@ static int ipip6_newlink(struct net *src + if (err < 0) + return err; + ++ if (tb[IFLA_MTU]) { ++ u32 mtu = nla_get_u32(tb[IFLA_MTU]); ++ ++ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len) ++ dev->mtu = mtu; ++ } ++ + #ifdef CONFIG_IPV6_SIT_6RD + if (ipip6_netlink_6rd_parms(data, &ip6rd)) + err = ipip6_tunnel_update_6rd(nt, &ip6rd); diff --git a/queue-4.9/smsc75xx-fix-smsc75xx_set_features.patch b/queue-4.9/smsc75xx-fix-smsc75xx_set_features.patch new file mode 100644 index 00000000000..534c0bf32f1 --- /dev/null +++ b/queue-4.9/smsc75xx-fix-smsc75xx_set_features.patch 
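Review bot: The new `if (tb[IFLA_MTU])` block in ipip6_newlink() silently drops an MTU outside `IPV6_MIN_MTU .. 0xFFF8 - dev->hard_header_len`, so the netlink caller gets success while the device keeps a different MTU than requested. If that matches the ip6_gre behaviour the description refers to, it should be stated at the check, e.g. `/* out-of-range IFLA_MTU is ignored, not rejected; 0xFFF8 is the largest 8-byte-aligned value below 64K */`. The literal `0xFFF8` would also read better as a named constant shared with the other tunnel drivers, if one exists in this tree. The function body starts and ends outside the hunk.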
@@ -0,0 +1,42 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Eric Dumazet +Date: Tue, 20 Feb 2018 21:42:26 -0800 +Subject: smsc75xx: fix smsc75xx_set_features() + +From: Eric Dumazet + +[ Upstream commit 88e80c62671ceecdbb77c902731ec95a4bfa62f9 ] + +If an attempt is made to disable RX checksums, USB adapter is changed +but netdev->features is not, because smsc75xx_set_features() returns a +non zero value. + +This throws errors from netdev_rx_csum_fault() : +: hw csum failure + +Signed-off-by: Eric Dumazet +Cc: Steve Glendinning +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/smsc75xx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -957,10 +957,11 @@ static int smsc75xx_set_features(struct + /* it's racing here! */ + + ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); +- if (ret < 0) ++ if (ret < 0) { + netdev_warn(dev->net, "Error writing RFE_CTL\n"); +- +- return ret; ++ return ret; ++ } ++ return 0; + } + + static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm) diff --git a/queue-4.9/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch b/queue-4.9/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch new file mode 100644 index 00000000000..5d2c58a92fd --- /dev/null +++ b/queue-4.9/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch 
@@ -0,0 +1,37 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Bjorn Andersson +Date: Tue, 27 Feb 2018 16:45:25 -0800 +Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload + +From: Bjorn Andersson + +[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ] + +hdr.len includes both the size of the header and the fragment, so using +this when stepping through the firmware causes us to skip 16 bytes every +chunk of 3072 bytes; causing only the first fragment to actually be +valid data. + +Instead use fragment size steps through the firmware blob. + +Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client") +Reported-by: Will Newton +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/wcnss_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/wcnss_ctrl.c ++++ b/drivers/soc/qcom/wcnss_ctrl.c +@@ -247,7 +247,7 @@ static int wcnss_download_nv(struct wcns + /* Increment for next fragment */ + req->seq++; + +- data += req->hdr.len; ++ data += NV_FRAGMENT_SIZE; + left -= NV_FRAGMENT_SIZE; + } while (left > 0); + diff --git a/queue-4.9/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch b/queue-4.9/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch new file mode 100644 index 00000000000..41f647e714d --- /dev/null +++ b/queue-4.9/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "David S. Miller" +Date: Tue, 3 Apr 2018 08:24:35 -0700 +Subject: sparc64: Make atomic_xchg() an inline function rather than a macro. + +From: "David S. Miller" + +[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ] + +This avoids a lot of -Wunused warnings such as: + +==================== +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’ + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + ^~~~ +kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’ + atomic_xchg(&kgdb_active, cpu); + ^~~~~~~~~~~ +==================== + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/atomic_64.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/sparc/include/asm/atomic_64.h ++++ b/arch/sparc/include/asm/atomic_64.h +@@ -82,7 +82,11 @@ ATOMIC_OPS(xor) + #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0) + + #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) +-#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++ ++static inline int atomic_xchg(atomic_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { diff --git a/queue-4.9/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch b/queue-4.9/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch new file mode 100644 index 00000000000..d560ae216c3 --- /dev/null +++ b/queue-4.9/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch 
@@ -0,0 +1,84 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Nitin Gupta +Date: Wed, 31 Jan 2018 16:18:09 -0800 +Subject: sparc64: update pmdp_invalidate() to return old pmd value + +From: Nitin Gupta + +[ Upstream commit a8e654f01cb725d0bfd741ebca1bf4c9337969cc ] + +It's required to avoid losing dirty and accessed bits. + +[akpm@linux-foundation.org: add a `do' to the do-while loop] +Link: http://lkml.kernel.org/r/20171213105756.69879-9-kirill.shutemov@linux.intel.com +Signed-off-by: Nitin Gupta +Signed-off-by: Kirill A. Shutemov +Cc: David Miller +Cc: Vlastimil Babka +Cc: Andrea Arcangeli +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/pgtable_64.h | 2 +- + arch/sparc/mm/tlb.c | 23 ++++++++++++++++++----- + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -952,7 +952,7 @@ void update_mmu_cache_pmd(struct vm_area + pmd_t *pmd); + + #define __HAVE_ARCH_PMDP_INVALIDATE +-extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, ++extern pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp); + + #define __HAVE_ARCH_PGTABLE_DEPOSIT +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -219,17 +219,28 @@ void set_pmd_at(struct mm_struct *mm, un + } + } + ++static inline pmd_t pmdp_establish(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t old; ++ ++ do { ++ old = *pmdp; ++ } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd); ++ ++ return old; ++} ++ + /* + * This routine is only called when splitting a THP + */ +-void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, ++pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { +- pmd_t entry = *pmdp; +- +- pmd_val(entry) &= ~_PAGE_VALID; ++ 
pmd_t old, entry; + +- set_pmd_at(vma->vm_mm, address, pmdp, entry); ++ entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); ++ old = pmdp_establish(vma, address, pmdp, entry); + flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + + /* +@@ -240,6 +251,8 @@ void pmdp_invalidate(struct vm_area_stru + if ((pmd_val(entry) & _PAGE_PMD_HUGE) && + !is_huge_zero_page(pmd_page(entry))) + (vma->vm_mm)->context.thp_pte_count--; ++ ++ return old; + } + + void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp, diff --git a/queue-4.9/spi-bcm-qspi-fix-some-error-handling-paths.patch b/queue-4.9/spi-bcm-qspi-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..76c8debcf2f --- /dev/null +++ b/queue-4.9/spi-bcm-qspi-fix-some-error-handling-paths.patch 
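Review bot: pmdp_establish() is added without a comment, and in pmdp_invalidate() the value installed is built from a separate read (`entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID);`) taken before the cmpxchg loop re-reads `*pmdp`. Bits that change between those two reads end up in the returned `old` but not in the installed entry, which looks intentional given that the description is about not losing dirty and accessed bits, but the code does not say so. I would add above the helper `/* Atomically replace *pmdp with pmd and return the previous value, so the caller sees dirty/accessed bits set up to the swap. */`, and note there that `vma` and `address` are unused and kept only for the generic signature. The later `_PAGE_PMD_HUGE` test still uses `entry` rather than `old`; a short comment on why that is equivalent would help the next reader.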
@@ -0,0 +1,44 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 19:36:58 +0100 +Subject: spi: bcm-qspi: fIX some error handling paths + +From: Christophe Jaillet + +[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ] + +For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free +in bcm_qspi_probe() in error path") has updated some gotos, but not all of +them. + +This looks spurious, so fix it. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1220,7 +1220,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[MSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[MSPI])) { + ret = PTR_ERR(qspi->base[MSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + } else { + goto qspi_resource_err; +@@ -1231,7 +1231,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[BSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[BSPI])) { + ret = PTR_ERR(qspi->base[BSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + qspi->bspi_mode = true; + } else { diff --git a/queue-4.9/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch b/queue-4.9/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch new file mode 100644 index 00000000000..4e024294862 --- /dev/null +++ b/queue-4.9/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch 
@@ -0,0 +1,119 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jens Axboe +Date: Wed, 11 Apr 2018 11:26:09 -0600 +Subject: sr: get/drop reference to device in revalidate and check_events + +From: Jens Axboe + +[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ] + +We can't just use scsi_cd() to get the scsi_cd structure, we have +to grab a live reference to the device. For both callbacks, we're +not inside an open where we already hold a reference to the device. + +This fixes device removal/addition under concurrent device access, +which otherwise could result in the below oops. + +NULL pointer dereference at 0000000000000010 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: +sr 12:0:0:0: [sr2] scsi-1 drive + scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl +sr 12:0:0:0: Attached scsi CD-ROM sr2 + sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc +sr 12:0:0:0: Attached scsi generic sg7 type 5 + igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif] +CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650 +Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016 +RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod] +RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292 +RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66 +RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000 +RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d +R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000 +FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? 
__invalidate_device+0x48/0x60 + check_disk_change+0x4c/0x60 + sr_block_open+0x16/0xd0 [sr_mod] + __blkdev_get+0xb9/0x450 + ? iget5_locked+0x1c0/0x1e0 + blkdev_get+0x11e/0x320 + ? bdget+0x11d/0x150 + ? _raw_spin_unlock+0xa/0x20 + ? bd_acquire+0xc0/0xc0 + do_dentry_open+0x1b0/0x320 + ? inode_permission+0x24/0xc0 + path_openat+0x4e6/0x1420 + ? cpumask_any_but+0x1f/0x40 + ? flush_tlb_mm_range+0xa0/0x120 + do_filp_open+0x8c/0xf0 + ? __seccomp_filter+0x28/0x230 + ? _raw_spin_unlock+0xa/0x20 + ? __handle_mm_fault+0x7d6/0x9b0 + ? list_lru_add+0xa8/0xc0 + ? _raw_spin_unlock+0xa/0x20 + ? __alloc_fd+0xaf/0x160 + ? do_sys_open+0x1a6/0x230 + do_sys_open+0x1a6/0x230 + do_syscall_64+0x5a/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Reviewed-by: Lee Duncan +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sr.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -582,18 +582,28 @@ out: + static unsigned int sr_block_check_events(struct gendisk *disk, + unsigned int clearing) + { +- struct scsi_cd *cd = scsi_cd(disk); ++ unsigned int ret = 0; ++ struct scsi_cd *cd; + +- if (atomic_read(&cd->device->disk_events_disable_depth)) ++ cd = scsi_cd_get(disk); ++ if (!cd) + return 0; + +- return cdrom_check_events(&cd->cdi, clearing); ++ if (!atomic_read(&cd->device->disk_events_disable_depth)) ++ ret = cdrom_check_events(&cd->cdi, clearing); ++ ++ scsi_cd_put(cd); ++ return ret; + } + + static int sr_block_revalidate_disk(struct gendisk *disk) + { +- struct scsi_cd *cd = scsi_cd(disk); + struct scsi_sense_hdr sshdr; ++ struct scsi_cd *cd; ++ ++ cd = scsi_cd_get(disk); ++ if (!cd) ++ return -ENXIO; + + /* if the unit is not ready, nothing more to do */ + if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) +@@ -602,6 +612,7 @@ static int sr_block_revalidate_disk(stru + sr_cd_check(&cd->cdi); + 
get_sectorsize(cd); + out: ++ scsi_cd_put(cd); + return 0; + } + diff --git a/queue-4.9/sunvnet-does-not-support-gso-for-sctp.patch b/queue-4.9/sunvnet-does-not-support-gso-for-sctp.patch new file mode 100644 index 00000000000..8be802b931e --- /dev/null +++ b/queue-4.9/sunvnet-does-not-support-gso-for-sctp.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Cathy Zhou +Date: Wed, 14 Mar 2018 10:56:07 -0700 +Subject: sunvnet: does not support GSO for sctp + +From: Cathy Zhou + +[ Upstream commit cf55612a945039476abfd73e39064b2e721c3272 ] + +The NETIF_F_GSO_SOFTWARE implies support for GSO on SCTP, but the +sunvnet driver does not support GSO for sctp. Here we remove the +NETIF_F_GSO_SOFTWARE feature flag and only report NETIF_F_ALL_TSO +instead. + +Signed-off-by: Cathy Zhou +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sun/sunvnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -198,7 +198,7 @@ static struct vnet *vnet_new(const u64 * + dev->ethtool_ops = &vnet_ethtool_ops; + dev->watchdog_timeo = VNET_TX_TIMEOUT; + +- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE | ++ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO | + NETIF_F_HW_CSUM | NETIF_F_SG; + dev->features = dev->hw_features; + diff --git a/queue-4.9/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch b/queue-4.9/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch new file mode 100644 index 00000000000..e8e5d28485a --- /dev/null +++ b/queue-4.9/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch 
@@ -0,0 +1,54 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Tom Abraham +Date: Tue, 10 Apr 2018 16:29:48 -0700 +Subject: swap: divide-by-zero when zero length swap file on ssd + +From: Tom Abraham + +[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ] + +Calling swapon() on a zero length swap file on SSD can lead to a +divide-by-zero. + +Although creating such files isn't possible with mkswap and they woud be +considered invalid, it would be better for the swapon code to be more +robust and handle this condition gracefully (return -EINVAL). +Especially since the fix is small and straightforward. + +To help with wear leveling on SSD, the swapon syscall calculates a +random position in the swap file using modulo p->highest_bit, which is +set to maxpages - 1 in read_swap_header. + +If the swap file is zero length, read_swap_header sets maxpages=1 and +last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we +modulo p->highest_bit in swapon syscall. + +This can be prevented by having read_swap_header return zero if +last_page is zero. + +Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com +Signed-off-by: Thomas Abraham +Reported-by: +Reviewed-by: Andrew Morton +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2271,6 +2271,10 @@ static unsigned long read_swap_header(st + maxpages = swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + last_page = swap_header->info.last_page; ++ if (!last_page) { ++ pr_warn("Empty swap-file\n"); ++ return 0; ++ } + if (last_page > maxpages) { + pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", + maxpages << (PAGE_SHIFT - 10), 
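Review bot: The new `if (!last_page)` guard in read_swap_header() carries no comment, and the reason for it (the later modulo by `p->highest_bit` in swapon) is only in the commit description, not in the code. I would put it at the check: `/* last_page == 0 leaves highest_bit at 0, and swapon's random start offset is computed modulo highest_bit */`. The division site itself is outside this hunk and, as far as the description shows, stays unguarded, so any other path that yields `highest_bit == 0` would still reach it; a check next to the modulo would be the more robust place if one is not already there. The function body continues outside the hunk.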
diff --git a/queue-4.9/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch b/queue-4.9/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch new file mode 100644 index 00000000000..1ddf89e517a --- /dev/null +++ b/queue-4.9/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 30 Jan 2018 22:21:48 -0600 +Subject: tcp_nv: fix potential integer overflow in tcpnv_acked + +From: "Gustavo A. R. Silva" + +[ Upstream commit e4823fbd229bfbba368b40cdadb8f4eeb20604cc ] + +Add suffix ULL to constant 80000 in order to avoid a potential integer +overflow and give the compiler complete information about the proper +arithmetic to use. Notice that this constant is used in a context that +expects an expression of type u64. + +The current cast to u64 effectively applies to the whole expression +as an argument of type u64 to be passed to div64_u64, but it does +not prevent it from being evaluated using 32-bit arithmetic instead +of 64-bit arithmetic. + +Also, once the expression is properly evaluated using 64-bit arithmentic, +there is no need for the parentheses and the external cast to u64. + +Addresses-Coverity-ID: 1357588 ("Unintentional integer overflow") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_nv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_nv.c ++++ b/net/ipv4/tcp_nv.c +@@ -338,7 +338,7 @@ static void tcpnv_acked(struct sock *sk, + */ + cwnd_by_slope = (u32) + div64_u64(((u64)ca->nv_rtt_max_rate) * ca->nv_min_rtt, +- (u64)(80000 * tp->mss_cache)); ++ 80000ULL * tp->mss_cache); + max_win = cwnd_by_slope + nv_pad; + + /* If cwnd > max_win, decrease cwnd 
diff --git a/queue-4.9/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch b/queue-4.9/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch new file mode 100644 index 00000000000..7b6fd8c55a0 --- /dev/null +++ b/queue-4.9/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Thu, 11 Jan 2018 19:47:51 -0500 +Subject: tools lib traceevent: Fix get_field_str() for dynamic strings + +From: "Steven Rostedt (VMware)" + +[ Upstream commit d777f8de99b05d399c0e4e51cdce016f26bd971b ] + +If a field is a dynamic string, get_field_str() returned just the +offset/size value and not the string. Have it parse the offset/size +correctly to return the actual string. Otherwise filtering fails when +trying to filter fields that are dynamic strings. + +Reported-by: Gopanapalli Pradeep +Signed-off-by: Steven Rostedt +Acked-by: Namhyung Kim +Cc: Andrew Morton +Link: http://lkml.kernel.org/r/20180112004823.146333275@goodmis.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/traceevent/parse-filter.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/tools/lib/traceevent/parse-filter.c ++++ b/tools/lib/traceevent/parse-filter.c +@@ -1879,17 +1879,25 @@ static const char *get_field_str(struct + struct pevent *pevent; + unsigned long long addr; + const char *val = NULL; ++ unsigned int size; + char hex[64]; + + /* If the field is not a string convert it */ + if (arg->str.field->flags & FIELD_IS_STRING) { + val = record->data + arg->str.field->offset; ++ size = arg->str.field->size; ++ ++ if (arg->str.field->flags & FIELD_IS_DYNAMIC) { ++ addr = *(unsigned int *)val; ++ val = record->data + (addr & 0xffff); ++ size = addr >> 16; ++ } + + /* + * We need to copy the data since we can't be sure the field + * is null terminated. + */ +- if (*(val + arg->str.field->size - 1)) { ++ if (*(val + size - 1)) { + /* copy it */ + memcpy(arg->str.buffer, val, arg->str.field->size); + /* the buffer is already NULL terminated */ 
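Review bot: In the new FIELD_IS_DYNAMIC branch of get_field_str(), the offset (`addr & 0xffff`) and length (`addr >> 16`) are read from the record and used without being compared with the record's size, and the `memcpy` below still copies `arg->str.field->size` bytes although the terminator test now uses `size`. With a length of 0 the test `*(val + size - 1)` reads the byte before `val`, and for a dynamic field the copy length is the width of the offset/length word rather than the length of the string. Since the record comes from a trace file, I would reject out-of-range values before the dereference, e.g. `if (!size || (addr & 0xffff) + size > record->size) return NULL;` (whether callers accept NULL needs checking), and bound the copy by both `size` and the capacity of `arg->str.buffer`, whose allocation is not visible here. The function body starts and ends outside the hunk.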
diff --git a/queue-4.9/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch b/queue-4.9/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch new file mode 100644 index 00000000000..f1e8ba00eca --- /dev/null +++ b/queue-4.9/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sun May 27 17:33:37 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Thu, 11 Jan 2018 19:47:45 -0500 +Subject: tools lib traceevent: Simplify pointer print logic and fix %pF + +From: "Steven Rostedt (VMware)" + +[ Upstream commit 38d70b7ca1769f26c0b79f3c08ff2cc949712b59 ] + +When processing %pX in pretty_print(), simplify the logic slightly by +incrementing the ptr to the format string if isalnum(ptr[1]) is true. +This follows the logic a bit more closely to what is in the kernel. + +Also, this fixes a small bug where %pF was not giving the offset of the +function. + +Signed-off-by: Steven Rostedt +Acked-by: Namhyung Kim +Cc: Andrew Morton +Link: http://lkml.kernel.org/r/20180112004822.260262257@goodmis.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/traceevent/event-parse.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -4927,21 +4927,22 @@ static void pretty_print(struct trace_se + else + ls = 2; + +- if (*(ptr+1) == 'F' || *(ptr+1) == 'f' || +- *(ptr+1) == 'S' || *(ptr+1) == 's') { ++ if (isalnum(ptr[1])) + ptr++; ++ ++ if (*ptr == 'F' || *ptr == 'f' || ++ *ptr == 'S' || *ptr == 's') { + show_func = *ptr; +- } else if (*(ptr+1) == 'M' || *(ptr+1) == 'm') { +- print_mac_arg(s, *(ptr+1), data, size, event, arg); +- ptr++; ++ } else if (*ptr == 'M' || *ptr == 'm') { ++ print_mac_arg(s, *ptr, data, size, event, arg); + arg = arg->next; + break; +- } else if (*(ptr+1) == 'I' || *(ptr+1) == 'i') { ++ } else if (*ptr == 'I' || *ptr == 'i') { + int n; + +- n = print_ip_arg(s, ptr+1, data, size, event, arg); ++ n = print_ip_arg(s, ptr, data, size, event, arg); + if (n > 0) { +- ptr += n; ++ ptr += n - 1; + arg = arg->next; + break; + } 
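Review bot: The new `if (isalnum(ptr[1]))` in pretty_print() passes what appears to be a plain `char` from the event's format string to a <ctype.h> function; where `char` is signed, a byte above 0x7f becomes a negative argument, which is undefined behaviour. Format strings are read from the trace data being parsed, so the cast is worth having: `if (isalnum((unsigned char)ptr[1]))`. The changed `ptr += n - 1;` also deserves a one-line comment saying that `ptr` already points at the 'I'/'i' character, so only the remaining `n - 1` characters consumed by print_ip_arg() are skipped. The enclosing switch case continues outside the hunk.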
diff --git a/queue-4.9/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch b/queue-4.9/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch new file mode 100644 index 00000000000..701c5880dfe --- /dev/null +++ b/queue-4.9/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch 
@@ -0,0 +1,88 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Jesper Dangaard Brouer +Date: Thu, 8 Feb 2018 12:48:32 +0100 +Subject: tools/libbpf: handle issues with bpf ELF objects containing .eh_frames + +From: Jesper Dangaard Brouer + +[ Upstream commit e3d91b0ca523d53158f435a3e13df7f0cb360ea2 ] + +V3: More generic skipping of relo-section (suggested by Daniel) + +If clang >= 4.0.1 is missing the option '-target bpf', it will cause +llc/llvm to create two ELF sections for "Exception Frames", with +section names '.eh_frame' and '.rel.eh_frame'. + +The BPF ELF loader library libbpf fails when loading files with these +sections. The other in-kernel BPF ELF loader in samples/bpf/bpf_load.c, +handle this gracefully. And iproute2 loader also seems to work with these +"eh" sections. + +The issue in libbpf is caused by bpf_object__elf_collect() skipping +some sections, and later when performing relocation it will be +pointing to a skipped section, as these sections cannot be found by +bpf_object__find_prog_by_idx() in bpf_object__collect_reloc(). + +This is a general issue that also occurs for other sections, like +debug sections which are also skipped and can have relo section. + +As suggested by Daniel. To avoid keeping state about all skipped +sections, instead perform a direct qlookup in the ELF object. Lookup +the section that the relo-section points to and check if it contains +executable machine instructions (denoted by the sh_flags +SHF_EXECINSTR). Use this check to also skip irrelevant relo-sections. + +Note, for samples/bpf/ the '-target bpf' parameter to clang cannot be used +due to incompatibility with asm embedded headers, that some of the samples +include. This is explained in more details by Yonghong Song in bpf_devel_QA. 
+ +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/bpf/libbpf.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -590,6 +590,24 @@ bpf_object__init_maps_name(struct bpf_ob + return 0; + } + ++static bool section_have_execinstr(struct bpf_object *obj, int idx) ++{ ++ Elf_Scn *scn; ++ GElf_Shdr sh; ++ ++ scn = elf_getscn(obj->efile.elf, idx); ++ if (!scn) ++ return false; ++ ++ if (gelf_getshdr(scn, &sh) != &sh) ++ return false; ++ ++ if (sh.sh_flags & SHF_EXECINSTR) ++ return true; ++ ++ return false; ++} ++ + static int bpf_object__elf_collect(struct bpf_object *obj) + { + Elf *elf = obj->efile.elf; +@@ -673,6 +691,14 @@ static int bpf_object__elf_collect(struc + } else if (sh.sh_type == SHT_REL) { + void *reloc = obj->efile.reloc; + int nr_reloc = obj->efile.nr_reloc + 1; ++ int sec = sh.sh_info; /* points to other section */ ++ ++ /* Only do relo for section with exec instructions */ ++ if (!section_have_execinstr(obj, sec)) { ++ pr_debug("skip relo %s(%d) for section(%d)\n", ++ name, idx, sec); ++ continue; ++ } + + reloc = realloc(reloc, + sizeof(*obj->efile.reloc) * nr_reloc); diff --git a/queue-4.9/tools-thermal-tmon-fix-for-segfault.patch b/queue-4.9/tools-thermal-tmon-fix-for-segfault.patch new file mode 100644 index 00000000000..9a99cc1bf26 --- /dev/null +++ b/queue-4.9/tools-thermal-tmon-fix-for-segfault.patch 
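Review bot: `int sec = sh.sh_info;` in bpf_object__elf_collect() narrows an unsigned 32-bit ELF header word, taken from the object file being loaded, into an `int` that section_have_execinstr() then hands to elf_getscn(), which takes a `size_t` index. A value above INT_MAX turns negative, is printed as such by the `%d` in pr_debug, and is converted back to a very large index; elf_getscn() should return NULL for it and the relocation section is skipped, so this looks harmless, but the types hide that. I would keep the index unsigned end to end (`size_t sec = sh.sh_info;`, `static bool section_have_execinstr(struct bpf_object *obj, size_t idx)`, `%zu` in the message). As a smaller style point, the tail of the helper can be `return sh.sh_flags & SHF_EXECINSTR;`.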
@@ -0,0 +1,81 @@ +From foo@baz Sun May 27 17:33:38 CEST 2018 +From: Frank Asseg +Date: Mon, 12 Mar 2018 19:57:06 +0100 +Subject: tools/thermal: tmon: fix for segfault + +From: Frank Asseg + +[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] + +Fixes a segfault occurring when e.g. is pressed multiple times in the +ncurses tmon application. The segfault is caused by incrementing +cur_thermal_record in the main function without checking if it's value reached +NR_THERMAL_RECORD immediately. Since the boundary check only occurred in +update_thermal_data a race condition existed, which lead to an attempted read +beyond the last element of the trec array. + +The fix was implemented by moving the cur_thermal_record incrementation to the +update_thermal_data function using a temporary variable on which the boundary +condition is checked before updating cur_thread_record, so that the variable is +never incremented beyond the trec array's boundary. + +It seems the segfault does not occur on every machine: On a HP EliteBook G4 the +segfault happens, while it does not happen on a Thinkpad T540p. 
+ +Signed-off-by: Frank Asseg +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/thermal/tmon/sysfs.c | 12 +++++++----- + tools/thermal/tmon/tmon.c | 1 - + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst + int update_thermal_data() + { + int i; ++ int next_thermal_record = cur_thermal_record + 1; + char tz_name[256]; + static unsigned long samples; + +@@ -495,9 +496,9 @@ int update_thermal_data() + } + + /* circular buffer for keeping historic data */ +- if (cur_thermal_record >= NR_THERMAL_RECORDS) +- cur_thermal_record = 0; +- gettimeofday(&trec[cur_thermal_record].tv, NULL); ++ if (next_thermal_record >= NR_THERMAL_RECORDS) ++ next_thermal_record = 0; ++ gettimeofday(&trec[next_thermal_record].tv, NULL); + if (tmon_log) { + fprintf(tmon_log, "%lu ", ++samples); + fprintf(tmon_log, "%3.1f ", p_param.t_target); +@@ -507,11 +508,12 @@ int update_thermal_data() + snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, + ptdata.tzi[i].instance); + sysfs_get_ulong(tz_name, "temp", +- &trec[cur_thermal_record].temp[i]); ++ &trec[next_thermal_record].temp[i]); + if (tmon_log) + fprintf(tmon_log, "%lu ", +- trec[cur_thermal_record].temp[i]/1000); ++ trec[next_thermal_record].temp[i] / 1000); + } ++ cur_thermal_record = next_thermal_record; + for (i = 0; i < ptdata.nr_cooling_dev; i++) { + char cdev_name[256]; + unsigned long val; +--- a/tools/thermal/tmon/tmon.c ++++ b/tools/thermal/tmon/tmon.c +@@ -336,7 +336,6 @@ int main(int argc, char **argv) + show_data_w(); + show_cooling_device(); + } +- cur_thermal_record++; + time_elapsed += ticktime; + controller_handler(trec[0].temp[target_tz_index] / 1000, + &yk); 
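Review bot: In update_thermal_data() the index is now published with `cur_thermal_record = next_thermal_record;` only after the temperature slots are filled, which keeps it inside `trec[]`, but the description calls the original bug a race and nothing in the hunk orders this store against a concurrent reader. If another thread does read `cur_thermal_record` and `trec[]` (not visible here), the plain `int` store is still unsynchronised and should be covered by whatever lock the display code takes, or at least documented. I would add at the assignment `/* publish the slot only after it is fully written; readers index trec[] with cur_thermal_record */`. Note also that the cooling-device loop that follows runs after the index is published; whether it writes into the same record is outside the hunk.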
diff --git a/queue-4.9/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch b/queue-4.9/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch
new file mode 100644
index 00000000000..09509fdca32
--- /dev/null
+++ b/queue-4.9/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch
@@ -0,0 +1,68 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: Anna-Maria Gleixner
+Date: Thu, 21 Dec 2017 11:41:37 +0100
+Subject: tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account
+
+From: Anna-Maria Gleixner
+
+[ Upstream commit 91633eed73a3ac37aaece5c8c1f93a18bae616a9 ]
+
+So far only CLOCK_MONOTONIC and CLOCK_REALTIME were taken into account as
+well as HRTIMER_MODE_ABS/REL in the hrtimer_init tracepoint. The query for
+detecting the ABS or REL timer modes is not valid anymore, it got broken
+by the introduction of HRTIMER_MODE_PINNED.
+
+HRTIMER_MODE_PINNED is not evaluated in the hrtimer_init() call, but for the
+sake of completeness print all given modes.
+
+Signed-off-by: Anna-Maria Gleixner
+Cc: Christoph Hellwig
+Cc: John Stultz
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: keescook@chromium.org
+Link: http://lkml.kernel.org/r/20171221104205.7269-9-anna-maria@linutronix.de
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/trace/events/timer.h | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/include/trace/events/timer.h
++++ b/include/trace/events/timer.h
+@@ -125,6 +125,20 @@ DEFINE_EVENT(timer_class, timer_cancel,
+ TP_ARGS(timer)
+ );
+
++#define decode_clockid(type) \
++ __print_symbolic(type, \
++ { CLOCK_REALTIME, "CLOCK_REALTIME" }, \
++ { CLOCK_MONOTONIC, "CLOCK_MONOTONIC" }, \
++ { CLOCK_BOOTTIME, "CLOCK_BOOTTIME" }, \
++ { CLOCK_TAI, "CLOCK_TAI" })
++
++#define decode_hrtimer_mode(mode) \
++ __print_symbolic(mode, \
++ { HRTIMER_MODE_ABS, "ABS" }, \
++ { HRTIMER_MODE_REL, "REL" }, \
++ { HRTIMER_MODE_ABS_PINNED, "ABS|PINNED" }, \
++ { HRTIMER_MODE_REL_PINNED, "REL|PINNED" })
++
+ /**
+ * hrtimer_init - called when the hrtimer is initialized
+ * @hrtimer: pointer to struct hrtimer
+@@ -151,10 +165,8 @@ TRACE_EVENT(hrtimer_init,
+ ),
+
+ TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer,
+- __entry->clockid == CLOCK_REALTIME ?
+- "CLOCK_REALTIME" : "CLOCK_MONOTONIC",
+- __entry->mode == HRTIMER_MODE_ABS ?
+- "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL")
++ decode_clockid(__entry->clockid),
++ decode_hrtimer_mode(__entry->mode))
+ );
+
+ /**
diff --git a/queue-4.9/udf-provide-saner-default-for-invalid-uid-gid.patch b/queue-4.9/udf-provide-saner-default-for-invalid-uid-gid.patch
new file mode 100644
index 00000000000..60d9226e3cc
--- /dev/null
+++ b/queue-4.9/udf-provide-saner-default-for-invalid-uid-gid.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jan Kara
+Date: Thu, 22 Feb 2018 10:39:52 +0100
+Subject: udf: Provide saner default for invalid uid / gid
+
+From: Jan Kara
+
+[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ]
+
+Currently when UDF filesystem is recorded without uid / gid (ids are set
+to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid=
+and gid= mount options. In such case filesystem could not be modified in
+any way as VFS refuses to modify files with invalid ids (even by root).
+This is confusing to users and not very useful default since such media
+mode is generally used for removable media. Use overflow[ug]id instead
+so that at least root can modify the filesystem.
+
+Reported-by: Steve Kenton
+Reviewed-by: Pali Rohár
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/udf/super.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -2094,8 +2094,9 @@ static int udf_fill_super(struct super_b
+ bool lvid_open = false;
+
+ uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
+- uopt.uid = INVALID_UID;
+- uopt.gid = INVALID_GID;
++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */
++ uopt.uid = make_kuid(current_user_ns(), overflowuid);
++ uopt.gid = make_kgid(current_user_ns(), overflowgid);
+ uopt.umask = 0;
+ uopt.fmode = UDF_INVALID_MODE;
+ uopt.dmode = UDF_INVALID_MODE;
diff --git a/queue-4.9/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch b/queue-4.9/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch
new file mode 100644
index 00000000000..5baadf8bc7c
--- /dev/null
+++ b/queue-4.9/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch
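Review bot: The new default in udf_fill_super() (fs/udf/super.c) turns on-disk ids of -1 into a real, assignable owner, and the one-line comment does not record what that means for access control. With INVALID_UID/INVALID_GID nobody could modify such files; with `make_kuid(current_user_ns(), overflowuid)` any process that runs as the overflow uid or gid becomes their owner, and `overflowuid`/`overflowgid` are runtime-tunable values rather than constants. I would extend the comment to something like `/* ids of -1 map to overflow[ug]id so root can modify the media; processes running as that id own these files, override with uid=/gid= */`. It may also be worth confirming that make_kuid() cannot hand back INVALID_UID here if the overflow id has no mapping in the mounting task's user namespace; udf_fill_super() continues outside the hunk.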
@@ -0,0 +1,73 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jia Zhang
+Date: Mon, 12 Feb 2018 22:44:53 +0800
+Subject: vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall user page
+
+From: Jia Zhang
+
+[ Upstream commit 595dd46ebfc10be041a365d0a3fa99df50b6ba73 ]
+
+Commit:
+
+ df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")
+
+... introduced a bounce buffer to work around CONFIG_HARDENED_USERCOPY=y.
+However, accessing the vsyscall user page will cause an SMAP fault.
+
+Replace memcpy() with copy_from_user() to fix this bug works, but adding
+a common way to handle this sort of user page may be useful for future.
+
+Currently, only vsyscall page requires KCORE_USER.
+
+Signed-off-by: Jia Zhang
+Reviewed-by: Jiri Olsa
+Cc: Al Viro
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: jolsa@redhat.com
+Link: http://lkml.kernel.org/r/1518446694-21124-2-git-send-email-zhang.jia@linux.alibaba.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/init_64.c | 3 +--
+ fs/proc/kcore.c | 4 ++++
+ include/linux/kcore.h | 1 +
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1014,8 +1014,7 @@ void __init mem_init(void)
+ after_bootmem = 1;
+
+ /* Register memory areas for /proc/kcore */
+- kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR,
+- PAGE_SIZE, KCORE_OTHER);
++ kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR, PAGE_SIZE, KCORE_USER);
+
+ mem_init_print_info(NULL);
+ }
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -505,6 +505,10 @@ read_kcore(struct file *file, char __use
+ /* we have to zero-fill user buffer even if no read */
+ if (copy_to_user(buffer, buf, tsz))
+ return -EFAULT;
++ } else if (m->type == KCORE_USER) {
++ /* User page is handled prior to normal kernel page: */
++ if (copy_to_user(buffer, (char *)start, tsz))
++ return -EFAULT;
+ } else {
+ if (kern_addr_valid(start)) {
+ /*
+--- a/include/linux/kcore.h
++++ b/include/linux/kcore.h
+@@ -9,6 +9,7 @@ enum kcore_type {
+ KCORE_VMALLOC,
+ KCORE_RAM,
+ KCORE_VMEMMAP,
++ KCORE_USER,
+ KCORE_OTHER,
+ };
+
diff --git a/queue-4.9/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch b/queue-4.9/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch
new file mode 100644
index 00000000000..069c9180c76
--- /dev/null
+++ b/queue-4.9/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch
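Review bot: In the read_kcore() hunk (fs/proc/kcore.c) the new KCORE_USER branch hands `(char *)start`, an address inside a user-accessible page, to copy_to_user() as the source, and the comment above it does not say why that is the right primitive or what happens when the page cannot be read. As far as the visible lines show, any fault there ends the whole read with -EFAULT, whereas the branch just above is commented as zero-filling the user buffer; if the vsyscall page can be left unmapped by configuration, that difference deserves a deliberate decision. I would at least replace the comment with `/* Source is a user-accessible page: copy_to_user() may touch it under SMAP where memcpy() would fault; an unreadable page yields -EFAULT */`. read_kcore() starts and ends outside the hunk.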
@@ -0,0 +1,79 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dave Airlie
+Date: Wed, 21 Feb 2018 11:50:03 +1000
+Subject: virtio-gpu: fix ioctl and expose the fixed status to userspace.
+
+From: Dave Airlie
+
+[ Upstream commit 9a191b114906457c4b2494c474f58ae4142d4e67 ]
+
+This exposes to mesa that it can use the fixed ioctl for querying
+later cap sets, cap set 1 is forever frozen in time.
+
+Signed-off-by: Dave Airlie
+Link: http://patchwork.freedesktop.org/patch/msgid/20180221015003.22884-1-airlied@gmail.com
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 17 +++++++++++------
+ include/uapi/drm/virtgpu_drm.h | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -194,6 +194,9 @@ static int virtio_gpu_getparam_ioctl(str
+ case VIRTGPU_PARAM_3D_FEATURES:
+ value = vgdev->has_virgl_3d == true ? 1 : 0;
+ break;
++ case VIRTGPU_PARAM_CAPSET_QUERY_FIX:
++ value = 1;
++ break;
+ default:
+ return -EINVAL;
+ }
+@@ -469,7 +472,7 @@ static int virtio_gpu_get_caps_ioctl(str
+ {
+ struct virtio_gpu_device *vgdev = dev->dev_private;
+ struct drm_virtgpu_get_caps *args = data;
+- int size;
++ unsigned size, host_caps_size;
+ int i;
+ int found_valid = -1;
+ int ret;
+@@ -478,6 +481,10 @@ static int virtio_gpu_get_caps_ioctl(str
+ if (vgdev->num_capsets == 0)
+ return -ENOSYS;
+
++ /* don't allow userspace to pass 0 */
++ if (args->size == 0)
++ return -EINVAL;
++
+ spin_lock(&vgdev->display_info_lock);
+ for (i = 0; i < vgdev->num_capsets; i++) {
+ if (vgdev->capsets[i].id == args->cap_set_id) {
+@@ -493,11 +500,9 @@ static int virtio_gpu_get_caps_ioctl(str
+ return -EINVAL;
+ }
+
+- size = vgdev->capsets[found_valid].max_size;
+- if (args->size > size) {
+- spin_unlock(&vgdev->display_info_lock);
+- return -EINVAL;
+- }
++ host_caps_size = vgdev->capsets[found_valid].max_size;
++ /* only copy to user the minimum of the host caps size or the guest caps size */
++ size = min(args->size, host_caps_size);
+
+ list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
+ if (cache_ent->id == args->cap_set_id &&
+--- a/include/uapi/drm/virtgpu_drm.h
++++ b/include/uapi/drm/virtgpu_drm.h
+@@ -63,6 +63,7 @@ struct drm_virtgpu_execbuffer {
+ };
+
+ #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */
++#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */
+
+ struct drm_virtgpu_getparam {
+ __u64 param;
diff --git a/queue-4.9/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch b/queue-4.9/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch
new file mode 100644
index 00000000000..7561042f84e
--- /dev/null
+++ b/queue-4.9/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch
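Review bot: In virtio_gpu_get_caps_ioctl() (drivers/gpu/drm/virtio/virtgpu_ioctl.c) `size = min(args->size, host_caps_size);` is now the only bound on a length that comes from user space, and the comment above it restates the expression instead of naming that invariant. I would word it as `/* args->size is caller-controlled: never copy more than the capset size the host reported */`, so that a later edit to the copy below does not drop the clamp unnoticed. Separately, `unsigned size, host_caps_size;` would read better as `unsigned int size, host_caps_size;`, matching usual kernel style. The copy that consumes `size` is outside the hunk, so whether the cached buffer is always filled up to that length cannot be checked from here.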
@@ -0,0 +1,51 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jay Vosburgh
+Date: Thu, 22 Mar 2018 14:42:41 +0000
+Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
+
+From: Jay Vosburgh
+
+[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ]
+
+The operstate update logic will leave an interface in the
+default UNKNOWN operstate if the interface carrier state never changes
+from the default carrier up state set at creation. This includes the
+case of an explicit call to netif_carrier_on, as the carrier on to on
+transition has no effect on operstate.
+
+ This affects virtio-net for the case that the virtio peer does
+not support VIRTIO_NET_F_STATUS (the feature that provides carrier state
+updates). Without this feature, the virtio specification states that
+"the link should be assumed active," so, logically, the operstate should
+be UP instead of UNKNOWN. This has impact on user space applications
+that use the operstate to make availability decisions for the interface.
+
+ Resolve this by changing the virtio probe logic slightly to call
+netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS
+cases, and then the existing call to netif_carrier_on for the "without"
+case will cause an operstate transition.
+
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Cc: Ben Hutchings
+Signed-off-by: Jay Vosburgh
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1949,8 +1949,8 @@ static int virtnet_probe(struct virtio_d
+
+ /* Assume link up if device can't report link status,
+ otherwise get link status from config. */
++ netif_carrier_off(dev);
+ if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
+- netif_carrier_off(dev);
+ schedule_work(&vi->config_work);
+ } else {
+ vi->status = VIRTIO_NET_S_LINK_UP;
diff --git a/queue-4.9/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch b/queue-4.9/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch
new file mode 100644
index 00000000000..4644927e0a1
--- /dev/null
+++ b/queue-4.9/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch
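Review bot: In virtnet_probe() (drivers/net/virtio_net.c) the unconditional `netif_carrier_off(dev);` now sits directly under a comment that says "Assume link up", which reads as a contradiction to anyone who has not seen the commit message. A one-line comment on the call would keep the reason next to the code: `/* start with carrier off so the later netif_carrier_on() is a real transition and updates operstate */`. The netif_carrier_on() call in the else branch is outside the hunk, so this relies on the commit text for its existence.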
@@ -0,0 +1,66 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Stefano Brivio
+Date: Thu, 15 Mar 2018 17:16:27 +0100
+Subject: vti4: Don't count header length twice on tunnel setup
+
+From: Stefano Brivio
+
+[ Upstream commit dd1df24737727e119c263acf1be2a92763938297 ]
+
+This re-introduces the effect of commit a32452366b72 ("vti4:
+Don't count header length twice.") which was accidentally
+reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of
+git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").
+
+The commit message from Steffen Klassert said:
+
+ We currently count the size of LL_MAX_HEADER and struct iphdr
+ twice for vti4 devices, this leads to a wrong device mtu.
+ The size of LL_MAX_HEADER and struct iphdr is already counted in
+ ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
+
+And this is still the case now: ip_tunnel_bind_dev() already
+accounts for the header length of the link layer (not
+necessarily LL_MAX_HEADER, if the output device is found), plus
+one IP header.
+
+For example, with a vti device on top of veth, with MTU of 1500,
+the existing implementation would set the initial vti MTU to
+1332, accounting once for LL_MAX_HEADER (128, included in
+hard_header_len by vti) and twice for the same IP header (once
+from hard_header_len, once from ip_tunnel_bind_dev()).
+
+It should instead be 1480, because ip_tunnel_bind_dev() is able
+to figure out that the output device is veth, so no additional
+link layer header is attached, and will properly count one
+single IP header.
+
+The existing issue had the side effect of avoiding PMTUD for
+most xfrm policies, by arbitrarily lowering the initial MTU.
+However, the only way to get a consistent PMTU value is to let
+the xfrm PMTU discovery do its course, and commit d6af1a31cc72
+("vti: Add pmtu handling to vti_xmit.") now takes care of local
+delivery cases where the application ignores local socket
+notifications.
+
+Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
+Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec")
+Signed-off-by: Stefano Brivio
+Acked-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_vti.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
+ dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
diff --git a/queue-4.9/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch b/queue-4.9/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch
new file mode 100644
index 00000000000..61714e80a24
--- /dev/null
+++ b/queue-4.9/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Stefano Brivio
+Date: Thu, 15 Mar 2018 17:16:29 +0100
+Subject: vti4: Don't override MTU passed on link creation via IFLA_MTU
+
+From: Stefano Brivio
+
+[ Upstream commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 ]
+
+Don't hardcode a MTU value on vti tunnel initialization,
+ip_tunnel_newlink() is able to deal with this already. See also
+commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK").
+
+Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.")
+Signed-off-by: Stefano Brivio
+Acked-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_vti.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
+ dev->features |= NETIF_F_LLTX;
diff --git a/queue-4.9/watchdog-f71808e_wdt-fix-magic-close-handling.patch b/queue-4.9/watchdog-f71808e_wdt-fix-magic-close-handling.patch
new file mode 100644
index 00000000000..98d64ad7e6a
--- /dev/null
+++ b/queue-4.9/watchdog-f71808e_wdt-fix-magic-close-handling.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Igor Pylypiv
+Date: Wed, 28 Feb 2018 00:59:12 -0800
+Subject: watchdog: f71808e_wdt: Fix magic close handling
+
+From: Igor Pylypiv
+
+[ Upstream commit 7bd3e7b743956afbec30fb525bc3c5e22e3d475c ]
+
+Watchdog close is "expected" when any byte is 'V' not just the last one.
+Writing "V" to the device fails because the last byte is the end of string.
+
+$ echo V > /dev/watchdog
+f71808e_wdt: Unexpected close, not stopping watchdog!
+
+Signed-off-by: Igor Pylypiv
+Reviewed-by: Guenter Roeck
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/watchdog/f71808e_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -566,7 +566,8 @@ static ssize_t watchdog_write(struct fil
+ char c;
+ if (get_user(c, buf + i))
+ return -EFAULT;
+- expect_close = (c == 'V');
++ if (c == 'V')
++ expect_close = true;
+ }
+
+ /* Properly order writes across fork()ed processes */
diff --git a/queue-4.9/watchdog-sbsa-use-32-bit-read-for-wcv.patch b/queue-4.9/watchdog-sbsa-use-32-bit-read-for-wcv.patch
new file mode 100644
index 00000000000..859e2d9714b
--- /dev/null
+++ b/queue-4.9/watchdog-sbsa-use-32-bit-read-for-wcv.patch
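Review bot: In watchdog_write() (drivers/watchdog/f71808e_wdt.c) the loop now only ever sets `expect_close`, so a write without 'V' disarms the magic close only if the variable is reset to false before the loop on every call; that initialisation is outside the hunk and should be confirmed. If it is a per-call local initialised to false, the change is correct as it stands. A short comment on the new test would make the dependency visible: `/* any 'V' in this write arms magic close; expect_close must start false for each write */`.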
@@ -0,0 +1,51 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Jayachandran C
+Date: Wed, 28 Feb 2018 02:52:20 -0800
+Subject: watchdog: sbsa: use 32-bit read for WCV
+
+From: Jayachandran C
+
+[ Upstream commit 93ac3deb7c220cbcec032a967220a1f109d58431 ]
+
+According to SBSA spec v3.1 section 5.3:
+ All registers are 32 bits in size and should be accessed using
+ 32-bit reads and writes. If an access size other than 32 bits
+ is used then the results are IMPLEMENTATION DEFINED.
+ [...]
+ The Generic Watchdog is little-endian
+
+The current code uses readq to read the watchdog compare register
+which does a 64-bit access. This fails on ThunderX2 which does not
+implement 64-bit access to this register.
+
+Fix this by using lo_hi_readq() that does two 32-bit reads.
+
+Signed-off-by: Jayachandran C
+Reviewed-by: Guenter Roeck
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/watchdog/sbsa_gwdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -50,6 +50,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -159,7 +160,7 @@ static unsigned int sbsa_gwdt_get_timele
+ !(readl(gwdt->control_base + SBSA_GWDT_WCS) & SBSA_GWDT_WCS_WS0))
+ timeleft += readl(gwdt->control_base + SBSA_GWDT_WOR);
+
+- timeleft += readq(gwdt->control_base + SBSA_GWDT_WCV) -
++ timeleft += lo_hi_readq(gwdt->control_base + SBSA_GWDT_WCV) -
+ arch_counter_get_cntvct();
+
+ do_div(timeleft, gwdt->clk);
diff --git a/queue-4.9/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch b/queue-4.9/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch
new file mode 100644
index 00000000000..75c8b7a8e71
--- /dev/null
+++ b/queue-4.9/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch
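Review bot: In sbsa_gwdt_get_timeleft() (drivers/watchdog/sbsa_gwdt.c) `lo_hi_readq()` replaces one 64-bit access with two 32-bit reads, so the compare value is no longer sampled in a single access, and nothing in the hunk says whether that matters. If WCV can be rewritten between the two halves, for instance by a concurrent refresh, the sum could mix an old and a new half; for a time-left estimate that is probably tolerable, but it should be a stated choice. I would add `/* WCV is read as two 32-bit halves, low word first; a refresh in between can tear the value */` above the read. The function starts and ends outside the hunk.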
@@ -0,0 +1,35 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Guenter Roeck
+Date: Sun, 24 Dec 2017 13:04:07 -0800
+Subject: watchdog: sp5100_tco: Fix watchdog disable bit
+
+From: Guenter Roeck
+
+[ Upstream commit f541c09ebfc61697b586b38c9ebaf4b70defb278 ]
+
+According to all published information, the watchdog disable bit for SB800
+compatible controllers is bit 1 of PM register 0x48, not bit 2. For the
+most part that doesn't matter in practice, since the bit has to be cleared
+to enable watchdog address decoding, which is the default setting, but it
+still needs to be fixed.
+
+Cc: Zoltán Böszörményi
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/watchdog/sp5100_tco.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/watchdog/sp5100_tco.h
++++ b/drivers/watchdog/sp5100_tco.h
+@@ -54,7 +54,7 @@
+ #define SB800_PM_WATCHDOG_CONFIG 0x4C
+
+ #define SB800_PCI_WATCHDOG_DECODE_EN (1 << 0)
+-#define SB800_PM_WATCHDOG_DISABLE (1 << 2)
++#define SB800_PM_WATCHDOG_DISABLE (1 << 1)
+ #define SB800_PM_WATCHDOG_SECOND_RES (3 << 0)
+ #define SB800_ACPI_MMIO_DECODE_EN (1 << 0)
+ #define SB800_ACPI_MMIO_SEL (1 << 1)
diff --git a/queue-4.9/workqueue-use-put_device-instead-of-kfree.patch b/queue-4.9/workqueue-use-put_device-instead-of-kfree.patch
new file mode 100644
index 00000000000..71ff33083c8
--- /dev/null
+++ b/queue-4.9/workqueue-use-put_device-instead-of-kfree.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arvind Yadav
+Date: Tue, 6 Mar 2018 15:35:43 +0530
+Subject: workqueue: use put_device() instead of kfree()
+
+From: Arvind Yadav
+
+[ Upstream commit 537f4146c53c95aac977852b371bafb9c6755ee1 ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error! Always use put_device() to give up the
+reference initialized in this function instead.
+
+Signed-off-by: Arvind Yadav
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/workqueue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5272,7 +5272,7 @@ int workqueue_sysfs_register(struct work
+
+ ret = device_register(&wq_dev->dev);
+ if (ret) {
+- kfree(wq_dev);
++ put_device(&wq_dev->dev);
+ wq->wq_dev = NULL;
+ return ret;
+ }
diff --git a/queue-4.9/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch b/queue-4.9/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch
new file mode 100644
index 00000000000..aaa02ae21df
--- /dev/null
+++ b/queue-4.9/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch
@@ -0,0 +1,58 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Baoquan He
+Date: Wed, 14 Feb 2018 13:46:56 +0800
+Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified
+
+From: Baoquan He
+
+[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ]
+
+Currently the kdump kernel becomes very slow if 'noapic' is specified.
+Normal kernel doesn't have this bug.
+
+Kernel parameter 'noapic' is used to disable IO-APIC in system for
+testing or special purpose. Here the root cause is that in kdump
+kernel LAPIC is disabled since commit:
+
+ 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+In this case we need set up through-local-APIC on boot CPU in
+setup_local_APIC().
+
+In normal kernel the legacy irq mode is enabled by the BIOS. If
+it is virtual wire mode, the local-APIC has been enabled and set as
+through-local-APIC.
+
+Though we fixed the regression introduced by commit 522e664644,
+to further improve robustness set up the through-local-APIC mode
+explicitly, do not rely on the default boot IRQ mode.
+
+Signed-off-by: Baoquan He
+Reviewed-by: Eric W. Biederman
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: uobergfe@redhat.com
+Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1403,7 +1403,7 @@ void setup_local_APIC(void)
+ * TODO: set up through-local-APIC from through-I/O-APIC? --macro
+ */
+ value = apic_read(APIC_LVT0) & APIC_LVT_MASKED;
+- if (!cpu && (pic_mode || !value)) {
++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) {
+ value = APIC_DM_EXTINT;
+ apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu);
+ } else {
diff --git a/queue-4.9/x86-devicetree-fix-device-irq-settings-in-dt.patch b/queue-4.9/x86-devicetree-fix-device-irq-settings-in-dt.patch
new file mode 100644
index 00000000000..d6d8a0bbced
--- /dev/null
+++ b/queue-4.9/x86-devicetree-fix-device-irq-settings-in-dt.patch
@@ -0,0 +1,62 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Ivan Gorinov
+Date: Wed, 7 Mar 2018 11:46:53 -0800
+Subject: x86/devicetree: Fix device IRQ settings in DT
+
+From: Ivan Gorinov
+
+[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ]
+
+IRQ parameters for the SoC devices connected directly to I/O APIC lines
+(without PCI IRQ routing) may be specified in the Device Tree.
+
+Called from DT IRQ parser, irq_create_fwspec_mapping() calls
+irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg.
+
+But x86-specific DT IRQ allocation code casts @arg to of_phandle_args
+structure pointer and crashes trying to read the IRQ parameters. The
+function was not converted when the mapping descriptor was changed to
+irq_fwspec in the generic irqdomain code.
+
+Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure")
+Signed-off-by: Ivan Gorinov
+Signed-off-by: Thomas Gleixner
+Cc: Mark Rutland
+Cc: Rob Herring
+Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/devicetree.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -200,19 +200,22 @@ static struct of_ioapic_type of_ioapic_t
+ static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
+ unsigned int nr_irqs, void *arg)
+ {
+- struct of_phandle_args *irq_data = (void *)arg;
++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg;
+ struct of_ioapic_type *it;
+ struct irq_alloc_info tmp;
++ int type_index;
+
+- if (WARN_ON(irq_data->args_count < 2))
++ if (WARN_ON(fwspec->param_count < 2))
+ return -EINVAL;
+- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type))
++
++ type_index = fwspec->param[1];
++ if (type_index >= ARRAY_SIZE(of_ioapic_type))
+ return -EINVAL;
+
+- it = &of_ioapic_type[irq_data->args[1]];
++ it = &of_ioapic_type[type_index];
+ ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity);
+ tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain));
+- tmp.ioapic_pin = irq_data->args[0];
++ tmp.ioapic_pin = fwspec->param[0];
+
+ return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp);
+ }
diff --git a/queue-4.9/x86-devicetree-initialize-device-tree-before-using-it.patch b/queue-4.9/x86-devicetree-initialize-device-tree-before-using-it.patch
new file mode 100644
index 00000000000..cfc4f677e90
--- /dev/null
+++ b/queue-4.9/x86-devicetree-initialize-device-tree-before-using-it.patch
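Review bot: In dt_irqdomain_alloc() (arch/x86/kernel/devicetree.c) the array index comes from the firmware-supplied `fwspec->param[1]` but is stored in a signed `int type_index`, so the bounds check `type_index >= ARRAY_SIZE(of_ioapic_type)` rejects large values only through the implicit conversion to an unsigned type. That works, but it is easy to break with a later cast or a change of the right-hand side; declaring `unsigned int type_index;` makes the check say what it means. `fwspec->param[0]` is passed on as `tmp.ioapic_pin` without a range check in this function; presumably mp_irqdomain_alloc() validates the pin, which is not visible here.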
@@ -0,0 +1,58 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Ivan Gorinov
+Date: Wed, 7 Mar 2018 11:46:29 -0800
+Subject: x86/devicetree: Initialize device tree before using it
+
+From: Ivan Gorinov
+
+[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ]
+
+Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and
+checking in late initcall of_fdt_raw_init(), making early_init_dt_verify()
+mandatory.
+
+The required call to early_init_dt_verify() was not added to the
+x86-specific implementation, causing failure to create the sysfs entry in
+of_fdt_raw_init().
+
+Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt")
+Signed-off-by: Ivan Gorinov
+Signed-off-by: Thomas Gleixner
+Cc: Mark Rutland
+Cc: Rob Herring
+Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/devicetree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/devicetree.c
++++ b/arch/x86/kernel/devicetree.c
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -276,14 +277,15 @@ static void __init x86_flattree_get_conf
+
+ map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128);
+
+- initial_boot_params = dt = early_memremap(initial_dtb, map_len);
+- size = of_get_flat_dt_size();
++ dt = early_memremap(initial_dtb, map_len);
++ size = fdt_totalsize(dt);
+ if (map_len < size) {
+ early_memunmap(dt, map_len);
+- initial_boot_params = dt = early_memremap(initial_dtb, size);
++ dt = early_memremap(initial_dtb, size);
+ map_len = size;
+ }
+
++ early_init_dt_verify(dt);
+ unflatten_and_copy_device_tree();
+ early_memunmap(dt, map_len);
+ }
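Review bot: In x86_flattree_get_config() (arch/x86/kernel/devicetree.c) the result of `early_init_dt_verify(dt);` is discarded, so a blob that fails the header check is handled only by whatever unflatten_and_copy_device_tree() does when no valid tree was registered. Making the dependency explicit costs one line, `if (early_init_dt_verify(dt)) unflatten_and_copy_device_tree();`, ideally with a warning on the failing path. Note also that `fdt_totalsize(dt)` is read and used to size the second early_memremap() before the blob has been verified, so a damaged header decides how much memory is mapped; a comment or a sanity bound on `size` would be appropriate. The function begins outside the hunk.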
diff --git a/queue-4.9/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch b/queue-4.9/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch
new file mode 100644
index 00000000000..ebf51a4d8c6
--- /dev/null
+++ b/queue-4.9/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch
@@ -0,0 +1,64 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dave Hansen
+Date: Fri, 6 Apr 2018 13:55:14 -0700
+Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
+
+From: Dave Hansen
+
+[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ]
+
+__ro_after_init data gets stuck in the .rodata section. That's normally
+fine because the kernel itself manages the R/W properties.
+
+But, if we run __change_page_attr() on an area which is __ro_after_init,
+the .rodata checks will trigger and force the area to be immediately
+read-only, even if it is early-ish in boot. This caused problems when
+trying to clear the _PAGE_GLOBAL bit for these area in the PTI code:
+it cleared _PAGE_GLOBAL like I asked, but also took it up on itself
+to clear _PAGE_RW. The kernel then oopses the next time it wrote to
+a __ro_after_init data structure.
+
+To fix this, add the kernel_set_to_readonly check, just like we have
+for kernel text, just a few lines below in this function.
+
+Signed-off-by: Dave Hansen
+Acked-by: Kees Cook
+Cc: Andrea Arcangeli
+Cc: Andy Lutomirski
+Cc: Arjan van de Ven
+Cc: Borislav Petkov
+Cc: Dan Williams
+Cc: David Woodhouse
+Cc: Greg Kroah-Hartman
+Cc: Hugh Dickins
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Linus Torvalds
+Cc: Nadav Amit
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/pageattr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -279,9 +279,11 @@ static inline pgprot_t static_protection
+
+ /*
+ * The .rodata section needs to be read-only. Using the pfn
+- * catches all aliases.
++ * catches all aliases. This also includes __ro_after_init,
++ * so do not enforce until kernel_set_to_readonly is true.
+ */
+- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
++ if (kernel_set_to_readonly &&
++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+ __pa_symbol(__end_rodata) >> PAGE_SHIFT))
+ pgprot_val(forbidden) |= _PAGE_RW;
+
diff --git a/queue-4.9/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch b/queue-4.9/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch
new file mode 100644
index 00000000000..225a90b9684
--- /dev/null
+++ b/queue-4.9/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch
@@ -0,0 +1,98 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Joerg Roedel
+Date: Wed, 11 Apr 2018 17:24:38 +0200
+Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries
+
+From: Joerg Roedel
+
+[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ]
+
+The pmd_set_huge() and pud_set_huge() functions are used from
+the generic ioremap() code to establish large mappings where this
+is possible.
+
+But the generic ioremap() code does not check whether the
+PMD/PUD entries are already populated with a non-leaf entry,
+so that any page-table pages these entries point to will be
+lost.
+
+Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a
+BUG_ON() in vmalloc_sync_one() when PMD entries are synced
+from swapper_pg_dir to the current page-table. This happens
+because the PMD entry from swapper_pg_dir was promoted to a
+huge-page entry while the current PGD still contains the
+non-leaf entry. Because both entries are present and point
+to a different page, the BUG_ON() triggers.
+
+This was actually triggered with pti-x32 enabled in a KVM
+virtual machine by the graphics driver.
+
+A real and better fix for that would be to improve the
+page-table handling in the generic ioremap() code. But that is
+out-of-scope for this patch-set and left for later work.
+
+Reported-by: David H. Gutteridge
+Signed-off-by: Joerg Roedel
+Reviewed-by: Thomas Gleixner
+Cc: Andrea Arcangeli
+Cc: Andy Lutomirski
+Cc: Boris Ostrovsky
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: David Laight
+Cc: Denys Vlasenko
+Cc: Eduardo Valentin
+Cc: Greg KH
+Cc: Jiri Kosina
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Linus Torvalds
+Cc: Pavel Machek
+Cc: Peter Zijlstra
+Cc: Waiman Long
+Cc: Will Deacon
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/pgtable.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -1,5 +1,6 @@
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -577,6 +578,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t
+ (mtrr != MTRR_TYPE_WRBACK))
+ return 0;
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pud_present(*pud) && !pud_huge(*pud))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pud, pfn_pte(
+@@ -605,6 +610,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t
+ return 0;
+ }
+
++ /* Bail out if we are we on a populated non-leaf entry: */
++ if (pmd_present(*pmd) && !pmd_huge(*pmd))
++ return 0;
++
+ prot = pgprot_4k_2_large(prot);
+
+ set_pte((pte_t *)pmd, pfn_pte(
diff --git a/queue-4.9/x86-power-fix-swsusp_arch_resume-prototype.patch b/queue-4.9/x86-power-fix-swsusp_arch_resume-prototype.patch
new file mode 100644
index 00000000000..d849e9e829c
--- /dev/null
+++ b/queue-4.9/x86-power-fix-swsusp_arch_resume-prototype.patch
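Review bot: The comment added in pud_set_huge() and repeated in pmd_set_huge() has a doubled word ("we are we on"); it should read `/* Bail out if we are on a populated non-leaf entry: */`. The comment would also be more useful if it said why the function returns 0 here: per the commit message, overwriting a populated non-leaf entry loses the page-table page it points to and, on x86-32, can trip the BUG_ON() in vmalloc_sync_one(). Both function bodies extend beyond their hunks.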
@@ -0,0 +1,87 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arnd Bergmann
+Date: Fri, 2 Feb 2018 15:56:18 +0100
+Subject: x86/power: Fix swsusp_arch_resume prototype
+
+From: Arnd Bergmann
+
+[ Upstream commit 328008a72d38b5bde6491e463405c34a81a65d3e ]
+
+The declaration for swsusp_arch_resume marks it as 'asmlinkage', but the
+definition in x86-32 does not, and it fails to include the header with the
+declaration. This leads to a warning when building with
+link-time-optimizations:
+
+kernel/power/power.h:108:23: error: type of 'swsusp_arch_resume' does not match original declaration [-Werror=lto-type-mismatch]
+ extern asmlinkage int swsusp_arch_resume(void);
+ ^
+arch/x86/power/hibernate_32.c:148:0: note: 'swsusp_arch_resume' was previously declared here
+ int swsusp_arch_resume(void)
+
+This moves the declaration into a globally visible header file and fixes up
+both x86 definitions to match it.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Thomas Gleixner
+Cc: Len Brown
+Cc: Andi Kleen
+Cc: Nicolas Pitre
+Cc: linux-pm@vger.kernel.org
+Cc: "Rafael J. Wysocki"
+Cc: Pavel Machek
+Cc: Bart Van Assche
+Link: https://lkml.kernel.org/r/20180202145634.200291-2-arnd@arndb.de
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/power/hibernate_32.c | 2 +-
+ arch/x86/power/hibernate_64.c | 2 +-
+ include/linux/suspend.h | 2 ++
+ kernel/power/power.h | 3 ---
+ 4 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/power/hibernate_32.c
++++ b/arch/x86/power/hibernate_32.c
+@@ -142,7 +142,7 @@ static inline void resume_init_first_lev
+ #endif
+ }
+
+-int swsusp_arch_resume(void)
++asmlinkage int swsusp_arch_resume(void)
+ {
+ int error;
+
+--- a/arch/x86/power/hibernate_64.c
++++ b/arch/x86/power/hibernate_64.c
+@@ -149,7 +149,7 @@ static int relocate_restore_code(void)
+ return 0;
+ }
+
+-int swsusp_arch_resume(void)
++asmlinkage int swsusp_arch_resume(void)
+ {
+ int error;
+
+--- a/include/linux/suspend.h
++++ b/include/linux/suspend.h
+@@ -378,6 +378,8 @@ extern int swsusp_page_is_forbidden(stru
+ extern void swsusp_set_page_free(struct page *);
+ extern void swsusp_unset_page_free(struct page *);
+ extern unsigned long get_safe_page(gfp_t gfp_mask);
++extern asmlinkage int swsusp_arch_suspend(void);
++extern asmlinkage int swsusp_arch_resume(void);
+
+ extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
+ extern int hibernate(void);
+--- a/kernel/power/power.h
++++ b/kernel/power/power.h
+@@ -103,9 +103,6 @@ extern int in_suspend;
+ extern dev_t swsusp_resume_device;
+ extern sector_t swsusp_resume_block;
+
+-extern asmlinkage int swsusp_arch_suspend(void);
+-extern asmlinkage int swsusp_arch_resume(void);
+-
+ extern int create_basic_memory_bitmaps(void);
+ extern void free_basic_memory_bitmaps(void);
+ extern int hibernate_preallocate_memory(void);
diff --git a/queue-4.9/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch b/queue-4.9/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch
new file mode 100644
index 00000000000..73a53b5b3db
--- /dev/null
+++ b/queue-4.9/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch
@@ -0,0 +1,53 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Samuel Neves
+Date: Wed, 21 Feb 2018 20:50:36 +0000
+Subject: x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations
+
+From: Samuel Neves
+
+[ Upstream commit 4596749339e06dc7a424fc08a15eded850ed78b7 ]
+
+Without this fix, /proc/cpuinfo will display an incorrect amount
+of CPU cores, after bringing them offline and online again, as
+exemplified below:
+
+ $ cat /proc/cpuinfo | grep cores
+ cpu cores : 4
+ cpu cores : 8
+ cpu cores : 8
+ cpu cores : 20
+ cpu cores : 4
+ cpu cores : 3
+ cpu cores : 2
+ cpu cores : 2
+
+This patch fixes this by always zeroing the booted_cores variable
+upon turning off a logical CPU.
+
+Tested-by: Dou Liyang
+Signed-off-by: Samuel Neves
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: jgross@suse.com
+Cc: luto@kernel.org
+Cc: prarit@redhat.com
+Cc: vkuznets@redhat.com
+Link: http://lkml.kernel.org/r/20180221205036.5244-1-sneves@dei.uc.pt
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/smpboot.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1497,6 +1497,7 @@ static void remove_siblinginfo(int cpu)
+ cpumask_clear(topology_core_cpumask(cpu));
+ c->phys_proc_id = 0;
+ c->cpu_core_id = 0;
++ c->booted_cores = 0;
+ cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
+ recompute_smt_state();
+ }
diff --git a/queue-4.9/x86-tsc-allow-tsc-calibration-without-pit.patch b/queue-4.9/x86-tsc-allow-tsc-calibration-without-pit.patch
new file mode 100644
index 00000000000..b0ff494f036
--- /dev/null
+++ b/queue-4.9/x86-tsc-allow-tsc-calibration-without-pit.patch
@@ -0,0 +1,93 @@
+From foo@baz Sun May 27 17:33:37 CEST 2018
+From: Peter Zijlstra
+Date: Fri, 22 Dec 2017 10:20:11 +0100
+Subject: x86/tsc: Allow TSC calibration without PIT
+
+From: Peter Zijlstra
+
+[ Upstream commit 30c7e5b123673d5e570e238dbada2fb68a87212c ]
+
+Zhang Rui reported that a Surface Pro 4 will fail to boot with
+lapic=notscdeadline. Part of the problem is that that machine doesn't have
+a PIT.
+
+If, for some reason, the TSC init has to fall back to TSC calibration, it
+relies on the PIT to be present.
+
+Allow TSC calibration to reliably fall back to HPET.
+
+The below results in an accurate TSC measurement when forced on a IVB:
+
+ tsc: Unable to calibrate against PIT
+ tsc: No reference (HPET/PMTIMER) available
+ tsc: Unable to calibrate against PIT
+ tsc: using HPET reference calibration
+ tsc: Detected 2792.451 MHz processor
+
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Thomas Gleixner
+Cc: len.brown@intel.com
+Cc: rui.zhang@intel.com
+Link: https://lkml.kernel.org/r/20171222092243.333145937@infradead.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/i8259.h | 5 +++++
+ arch/x86/kernel/tsc.c | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+--- a/arch/x86/include/asm/i8259.h
++++ b/arch/x86/include/asm/i8259.h
+@@ -68,6 +68,11 @@ struct legacy_pic {
+ extern struct legacy_pic *legacy_pic;
+ extern struct legacy_pic null_legacy_pic;
+
++static inline bool has_legacy_pic(void)
++{
++ return legacy_pic != &null_legacy_pic;
++}
++
+ static inline int nr_legacy_irqs(void)
+ {
+ return legacy_pic->nr_legacy_irqs;
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+
+ unsigned int __read_mostly cpu_khz; /* TSC clocks / usec, not used here */
+ EXPORT_SYMBOL(cpu_khz);
+@@ -456,6 +457,20 @@ static unsigned long pit_calibrate_tsc(u
+ unsigned long tscmin, tscmax;
+ int pitcnt;
+
++ if (!has_legacy_pic()) {
++ /*
++ * Relies on tsc_early_delay_calibrate() to have given us semi
++ * usable udelay(), wait for the same 50ms we would have with
++ * the PIT loop below.
++ */
++ udelay(10 * USEC_PER_MSEC);
++ udelay(10 * USEC_PER_MSEC);
++ udelay(10 * USEC_PER_MSEC);
++ udelay(10 * USEC_PER_MSEC);
++ udelay(10 * USEC_PER_MSEC);
++ return ULONG_MAX;
++ }
++
+ /* Set the Gate high, disable speaker */
+ outb((inb(0x61) & ~0x02) | 0x01, 0x61);
+
+@@ -580,6 +595,9 @@ static unsigned long quick_pit_calibrate
+ u64 tsc, delta;
+ unsigned long d1, d2;
+
++ if (!has_legacy_pic())
++ return 0;
++
+ /* Set the Gate high, disable speaker */
+ outb((inb(0x61) & ~0x02) | 0x01, 0x61);
+
diff --git a/queue-4.9/xen-acpi-off-by-one-in-read_acpi_id.patch b/queue-4.9/xen-acpi-off-by-one-in-read_acpi_id.patch
new file mode 100644
index 00000000000..2e8a9c82f44
--- /dev/null
+++ b/queue-4.9/xen-acpi-off-by-one-in-read_acpi_id.patch
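Review bot: The new early return in pit_calibrate_tsc() depends on udelay() already being calibrated, and its comment attributes that to tsc_early_delay_calibrate(), which appears nowhere else in this patch. For a 4.9 backport it is worth confirming that the function exists in the target tree and runs before this path, since otherwise the five delays are not the 50ms the comment promises. Separately, has_legacy_pic() tests the interrupt controller (`legacy_pic != &null_legacy_pic`) while the commit message is about a missing PIT, so a comment such as `/* No legacy PIC is taken to mean there is no PIT either */` at both call sites would make that assumption explicit. The bodies of pit_calibrate_tsc() and quick_pit_calibrate() continue outside the hunks.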
@@ -0,0 +1,39 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Dan Carpenter
+Date: Thu, 29 Mar 2018 12:01:53 +0300
+Subject: xen/acpi: off by one in read_acpi_id()
+
+From: Dan Carpenter
+
+[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ]
+
+If acpi_id is == nr_acpi_bits, then we access one element beyond the end
+of the acpi_psd[] array or we set one bit beyond the end of the bit map
+when we do __set_bit(acpi_id, acpi_id_present);
+
+Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Joao Martins
+Reviewed-by: Juergen Gross
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xen-acpi-processor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/xen/xen-acpi-processor.c
++++ b/drivers/xen/xen-acpi-processor.c
+@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl
+ }
+ /* There are more ACPI Processor objects than in x2APIC or MADT.
+ * This can happen with incorrect ACPI SSDT declerations. */
+- if (acpi_id > nr_acpi_bits) {
+- pr_debug("We only have %u, trying to set %u\n",
+- nr_acpi_bits, acpi_id);
++ if (acpi_id >= nr_acpi_bits) {
++ pr_debug("max acpi id %u, trying to set %u\n",
++ nr_acpi_bits - 1, acpi_id);
+ return AE_OK;
+ }
+ /* OK, There is a ACPI Processor object */
diff --git a/queue-4.9/xen-grant-table-use-put_page-instead-of-free_page.patch b/queue-4.9/xen-grant-table-use-put_page-instead-of-free_page.patch
new file mode 100644
index 00000000000..d88dfa48cb0
--- /dev/null
+++ b/queue-4.9/xen-grant-table-use-put_page-instead-of-free_page.patch
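Review bot: The rewritten pr_debug() in read_acpi_id() prints `nr_acpi_bits - 1`, which would wrap to a very large `%u` value if nr_acpi_bits were ever 0; its declaration is outside the hunk, so whether 0 is reachable is not visible here. Printing the count itself avoids the subtraction, e.g. `pr_debug("only %u acpi ids, trying to set %u\n", nr_acpi_bits, acpi_id);`. The corrected `>=` bound is the check that, per the commit message, keeps acpi_id inside acpi_psd[] and the acpi_id_present bitmap, so a one-line comment saying that next to the test would help the next reader. The function body extends beyond the hunk.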
@@ -0,0 +1,50 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Ross Lagerwall
+Date: Thu, 11 Jan 2018 09:36:37 +0000
+Subject: xen/grant-table: Use put_page instead of free_page
+
+From: Ross Lagerwall
+
+[ Upstream commit 3ac7292a25db1c607a50752055a18aba32ac2176 ]
+
+The page given to gnttab_end_foreign_access() to free could be a
+compound page so use put_page() instead of free_page() since it can
+handle both compound and single pages correctly.
+
+This bug was discovered when migrating a Xen VM with several VIFs and
+CONFIG_DEBUG_VM enabled. It hits a BUG usually after fewer than 10
+iterations. All netfront devices disconnect from the backend during a
+suspend/resume and this will call gnttab_end_foreign_access() if a
+netfront queue has an outstanding skb. The mismatch between calling
+get_page() and free_page() on a compound page causes a reference
+counting error which is detected when DEBUG_VM is enabled.
+
+Signed-off-by: Ross Lagerwall
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/grant-table.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -327,7 +327,7 @@ static void gnttab_handle_deferred(unsig
+ if (entry->page) {
+ pr_debug("freeing g.e. %#x (pfn %#lx)\n",
+ entry->ref, page_to_pfn(entry->page));
+- __free_page(entry->page);
++ put_page(entry->page);
+ } else
+ pr_info("freeing g.e. %#x\n", entry->ref);
+ kfree(entry);
+@@ -383,7 +383,7 @@ void gnttab_end_foreign_access(grant_ref
+ if (gnttab_end_foreign_access_ref(ref, readonly)) {
+ put_free_entry(ref);
+ if (page != 0)
+- free_page(page);
++ put_page(virt_to_page(page));
+ } else
+ gnttab_add_deferred(ref, readonly,
+ page ? virt_to_page(page) : NULL);
diff --git a/queue-4.9/xen-netfront-fix-race-between-device-setup-and-open.patch b/queue-4.9/xen-netfront-fix-race-between-device-setup-and-open.patch
new file mode 100644
index 00000000000..7016eee0a6c
--- /dev/null
+++ b/queue-4.9/xen-netfront-fix-race-between-device-setup-and-open.patch
@@ -0,0 +1,177 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Ross Lagerwall
+Date: Thu, 11 Jan 2018 09:36:38 +0000
+Subject: xen-netfront: Fix race between device setup and open
+
+From: Ross Lagerwall
+
+[ Upstream commit f599c64fdf7d9c108e8717fb04bc41c680120da4 ]
+
+When a netfront device is set up it registers a netdev fairly early on,
+before it has set up the queues and is actually usable. A userspace tool
+like NetworkManager will immediately try to open it and access its state
+as soon as it appears. The bug can be reproduced by hotplugging VIFs
+until the VM runs out of grant refs. It registers the netdev but fails
+to set up any queues (since there are no more grant refs). In the
+meantime, NetworkManager opens the device and the kernel crashes trying
+to access the queues (of which there are none).
+
+Fix this in two ways:
+* For initial setup, register the netdev much later, after the queues
+are setup. This avoids the race entirely.
+* During a suspend/resume cycle, the frontend reconnects to the backend
+and the queues are recreated. It is possible (though highly unlikely) to
+race with something opening the device and accessing the queues after
+they have been destroyed but before they have been recreated. Extend the
+region covered by the rtnl semaphore to protect against this race. There
+is a possibility that we fail to recreate the queues so check for this
+in the open function.
+
+Signed-off-by: Ross Lagerwall
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netfront.c | 46 +++++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -350,6 +350,9 @@ static int xennet_open(struct net_device
+ unsigned int i = 0;
+ struct netfront_queue *queue = NULL;
+
++ if (!np->queues)
++ return -ENODEV;
++
+ for (i = 0; i < num_queues; ++i) {
+ queue = &np->queues[i];
+ napi_enable(&queue->napi);
+@@ -1377,18 +1380,8 @@ static int netfront_probe(struct xenbus_
+ #ifdef CONFIG_SYSFS
+ info->netdev->sysfs_groups[0] = &xennet_dev_group;
+ #endif
+- err = register_netdev(info->netdev);
+- if (err) {
+- pr_warn("%s: register_netdev err=%d\n", __func__, err);
+- goto fail;
+- }
+
+ return 0;
+-
+- fail:
+- xennet_free_netdev(netdev);
+- dev_set_drvdata(&dev->dev, NULL);
+- return err;
+ }
+
+ static void xennet_end_access(int ref, void *page)
+@@ -1757,8 +1750,6 @@ static void xennet_destroy_queues(struct
+ {
+ unsigned int i;
+
+- rtnl_lock();
+-
+ for (i = 0; i < info->netdev->real_num_tx_queues; i++) {
+ struct netfront_queue *queue = &info->queues[i];
+
+@@ -1767,8 +1758,6 @@ static void xennet_destroy_queues(struct
+ netif_napi_del(&queue->napi);
+ }
+
+- rtnl_unlock();
+-
+ kfree(info->queues);
+ info->queues = NULL;
+ }
+@@ -1784,8 +1773,6 @@ static int xennet_create_queues(struct n
+ if (!info->queues)
+ return -ENOMEM;
+
+- rtnl_lock();
+-
+ for (i = 0; i < *num_queues; i++) {
+ struct netfront_queue *queue = &info->queues[i];
+
+@@ -1794,7 +1781,7 @@ static int xennet_create_queues(struct n
+
+ ret = xennet_init_queue(queue);
+ if (ret < 0) {
+- dev_warn(&info->netdev->dev,
++ dev_warn(&info->xbdev->dev,
+ "only created %d queues\n", i);
+ *num_queues = i;
+ break;
+@@ -1808,10 +1795,8 @@ static int xennet_create_queues(struct n
+
+ netif_set_real_num_tx_queues(info->netdev, *num_queues);
+
+- rtnl_unlock();
+-
+ if (*num_queues == 0) {
+- dev_err(&info->netdev->dev, "no queues\n");
++ dev_err(&info->xbdev->dev, "no queues\n");
+ return -EINVAL;
+ }
+ return 0;
+@@ -1853,6 +1838,7 @@ static int talk_to_netback(struct xenbus
+ goto out;
+ }
+
++ rtnl_lock();
+ if (info->queues)
+ xennet_destroy_queues(info);
+
+@@ -1863,6 +1849,7 @@ static int talk_to_netback(struct xenbus
+ info->queues = NULL;
+ goto out;
+ }
++ rtnl_unlock();
+
+ /* Create shared ring, alloc event channel -- for each queue */
+ for (i = 0; i < num_queues; ++i) {
+@@ -1959,8 +1946,10 @@ abort_transaction_no_dev_fatal:
+ xenbus_transaction_end(xbt, 1);
+ destroy_ring:
+ xennet_disconnect_backend(info);
++ rtnl_lock();
+ xennet_destroy_queues(info);
+ out:
++ rtnl_unlock();
+ device_unregister(&dev->dev);
+ return err;
+ }
+@@ -1996,6 +1985,15 @@ static int xennet_connect(struct net_dev
+ netdev_update_features(dev);
+ rtnl_unlock();
+
++ if (dev->reg_state == NETREG_UNINITIALIZED) {
++ err = register_netdev(dev);
++ if (err) {
++ pr_warn("%s: register_netdev err=%d\n", __func__, err);
++ device_unregister(&np->xbdev->dev);
++ return err;
++ }
++ }
++
+ /*
+ * All public and private state should now be sane. Get
+ * ready to start sending and receiving packets and give the driver
+@@ -2186,10 +2184,14 @@ static int xennet_remove(struct xenbus_d
+
+ xennet_disconnect_backend(info);
+
+- unregister_netdev(info->netdev);
++ if (info->netdev->reg_state == NETREG_REGISTERED)
++ unregister_netdev(info->netdev);
+
+- if (info->queues)
++ if (info->queues) {
++ rtnl_lock();
+ xennet_destroy_queues(info);
++ rtnl_unlock();
++ }
+ xennet_free_netdev(info->netdev);
+
+ return 0;
diff --git a/queue-4.9/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch b/queue-4.9/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch
new file mode 100644
index 00000000000..4d156ae2a44
--- /dev/null
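Review bot: In talk_to_netback() the `out:` label now calls rtnl_unlock() unconditionally, but the first `goto out;` shown in the `@@ -1853,6 +1838,7 @@` context sits before the added rtnl_lock(), so that error path would release the rtnl semaphore without holding it. A second label after the unlock fixes it: keep `out:` followed by `rtnl_unlock();`, add `out_unlocked:` directly before `device_unregister(&dev->dev);`, and change the jump taken before rtnl_lock() to `goto out_unlocked;`. The function starts outside the hunk, so any other early `goto out` above the visible context needs the same change.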
+++ b/queue-4.9/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Roger Pau Monne
+Date: Wed, 28 Feb 2018 09:19:03 +0000
+Subject: xen/pirq: fix error path cleanup when binding MSIs
+
+From: Roger Pau Monne
+
+[ Upstream commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 ]
+
+Current cleanup in the error path of xen_bind_pirq_msi_to_irq is
+wrong. First of all there's an off-by-one in the cleanup loop, which
+can lead to unbinding wrong IRQs.
+
+Secondly IRQs not bound won't be freed, thus leaking IRQ numbers.
+
+Note that there's no need to differentiate between bound and unbound
+IRQs when freeing them, __unbind_from_irq will deal with both of them
+correctly.
+
+Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
+Reported-by: Hooman Mirhadi
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Amit Shah
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/events/events_base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -764,8 +764,8 @@ out:
+ mutex_unlock(&irq_mapping_update_lock);
+ return irq;
+ error_irq:
+- for (; i >= 0; i--)
+- __unbind_from_irq(irq + i);
++ while (nvec--)
++ __unbind_from_irq(irq + nvec);
+ mutex_unlock(&irq_mapping_update_lock);
+ return ret;
+ }
diff --git a/queue-4.9/xen-xenbus-use-put_device-instead-of-kfree.patch b/queue-4.9/xen-xenbus-use-put_device-instead-of-kfree.patch
new file mode 100644
index 00000000000..d9fd75a693e
--- /dev/null
+++ b/queue-4.9/xen-xenbus-use-put_device-instead-of-kfree.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Arvind Yadav
+Date: Tue, 6 Mar 2018 15:40:37 +0530
+Subject: xen: xenbus: use put_device() instead of kfree()
+
+From: Arvind Yadav
+
+[ Upstream commit 351b2bccede1cb673ec7957b35ea997ea24c8884 ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error! Always use put_device() to give up the
+reference initialized.
+
+Signed-off-by: Arvind Yadav
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -470,8 +470,11 @@ int xenbus_probe_node(struct xen_bus_typ
+
+ /* Register with generic device framework. */
+ err = device_register(&xendev->dev);
+- if (err)
++ if (err) {
++ put_device(&xendev->dev);
++ xendev = NULL;
+ goto fail;
++ }
+
+ return 0;
+ fail:
diff --git a/queue-4.9/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch b/queue-4.9/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
new file mode 100644
index 00000000000..d0f121ba915
--- /dev/null
+++ b/queue-4.9/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch
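Review bot: The new error branch in xenbus_probe_node() sets `xendev = NULL` after put_device() without saying why. The body of `fail:` is outside the hunk, but it presumably frees xendev, in which case the assignment is what prevents a second free once put_device() has dropped the reference. A comment would stop someone removing it as dead code: `/* put_device() released xendev; keep fail: from freeing it again */`.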
@@ -0,0 +1,55 @@
+From foo@baz Sun May 27 17:33:38 CEST 2018
+From: Michael Schmitz
+Date: Sat, 3 Mar 2018 12:04:13 +1300
+Subject: zorro: Set up z->dev.dma_mask for the DMA API
+
+From: Michael Schmitz
+
+[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ]
+
+The generic DMA API uses dev->dma_mask to check the DMA addressable
+memory bitmask, and warns if no mask is set or even allocated.
+
+Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask
+to point to z->dev.dma_coherent_mask so device drivers that need DMA have
+everything set up to avoid warnings from dma_alloc_coherent(). Drivers can
+still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask.
+
+Signed-off-by: Michael Schmitz
+[geert: Handle Zorro II with 24-bit address space]
+Acked-by: Christoph Hellwig
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/zorro/zorro.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/zorro/zorro.c
++++ b/drivers/zorro/zorro.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru
+ z->dev.parent = &bus->dev;
+ z->dev.bus = &zorro_bus_type;
+ z->dev.id = i;
++ switch (z->rom.er_Type & ERT_TYPEMASK) {
++ case ERT_ZORROIII:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32);
++ break;
++
++ case ERT_ZORROII:
++ default:
++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24);
++ break;
++ }
++ z->dev.dma_mask = &z->dev.coherent_dma_mask;
+ }
+
+ /* ... then register them */
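Review bot: `z->dev.dma_mask = &z->dev.coherent_dma_mask;` in amiga_zorro_probe() makes the streaming and coherent DMA masks share storage, so a driver that later changes one through the DMA API changes the other as well, and nothing in the code says so. I would add `/* dma_mask aliases coherent_dma_mask: the two cannot be set independently */` above the assignment. The `default:` arm sharing the 24-bit mask with ERT_ZORROII also deserves a word, e.g. `/* unknown types get the narrower Zorro II mask */`. The function extends beyond the hunk.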