From: Greg Kroah-Hartman Date: Sun, 1 Apr 2018 08:55:01 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.103~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e14cf98c06c2db2218b1016aa28bab8231b155b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-pcm-potential-uninitialized-return-values.patch alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch arm-omap-fix-sram-w-x-mapping.patch ceph-only-dirty-iter_iovec-pages-for-direct-read.patch i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch ipc-shm.c-add-split-function-to-shm_vm_ops.patch mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch mtd-nand-atmel-fix-get_sectorsize-function.patch perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch x86-platform-uv-bau-add-apic-idt-entry.patch --- diff --git a/queue-4.14/alsa-pcm-potential-uninitialized-return-values.patch b/queue-4.14/alsa-pcm-potential-uninitialized-return-values.patch new file mode 100644 index 00000000000..d65a3388c58 --- /dev/null +++ b/queue-4.14/alsa-pcm-potential-uninitialized-return-values.patch @@ -0,0 +1,42 @@ +From 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 27 Mar 2018 16:07:52 +0300 +Subject: ALSA: pcm: potential uninitialized return values + +From: Dan Carpenter + +commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream. + +Smatch complains that "tmp" can be uninitialized if we do a zero size +write. + +Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") +Signed-off-by: Dan Carpenter +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1326,7 +1326,7 @@ static ssize_t snd_pcm_oss_write2(struct + static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) +@@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct + static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes) + { + size_t xfer = 0; +- ssize_t tmp; ++ ssize_t tmp = 0; + struct snd_pcm_runtime *runtime = substream->runtime; + + if (atomic_read(&substream->mmap_count)) diff --git a/queue-4.14/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch b/queue-4.14/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch new file mode 100644 index 00000000000..e93eaa9178f --- /dev/null +++ b/queue-4.14/alsa-pcm-use-dma_bytes-as-size-parameter-in-dma_mmap_coherent.patch @@ -0,0 +1,40 @@ +From 9066ae7ff5d89c0b5daa271e2d573540097a94fa Mon Sep 17 00:00:00 2001 +From: Stefan Roese +Date: Mon, 26 Mar 2018 16:10:21 +0200 +Subject: ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() + +From: Stefan Roese + +commit 9066ae7ff5d89c0b5daa271e2d573540097a94fa upstream. + +When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer +will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB +area, as the page offset is outside of the VMA range (size), which is +currently used as size parameter in snd_pcm_lib_default_mmap(). By +using the DMA buffer size (dma_bytes) instead, the complete DMA buffer +can be mmapp'ed and the issue is fixed. + +This issue was detected on an ARM platform (TI AM57xx) using the RME +HDSP MADI PCIe soundcard. + +Fixes: 657b1989dacf ("ALSA: pcm - Use dma_mmap_coherent() if available") +Signed-off-by: Stefan Roese +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_native.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -3424,7 +3424,7 @@ int snd_pcm_lib_default_mmap(struct snd_ + area, + substream->runtime->dma_area, + substream->runtime->dma_addr, +- area->vm_end - area->vm_start); ++ substream->runtime->dma_bytes); + #endif /* CONFIG_X86 */ + /* mmap with fault handler */ + area->vm_ops = &snd_pcm_vm_ops_data_fault; diff --git a/queue-4.14/alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch b/queue-4.14/alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch new file mode 100644 index 00000000000..21a66cb795b --- /dev/null +++ b/queue-4.14/alsa-usb-audio-add-native-dsd-support-for-teac-ud-301.patch @@ -0,0 +1,31 @@ +From b00214865d65100163574ba250008f182cf90869 Mon Sep 17 00:00:00 2001 +From: Nobutaka Okabe +Date: Fri, 23 Mar 2018 19:49:44 +0900 +Subject: ALSA: usb-audio: Add native DSD support for TEAC UD-301 + +From: Nobutaka Okabe + +commit b00214865d65100163574ba250008f182cf90869 upstream. + +Add native DSD support quirk for TEAC UD-301 DAC, +by adding the PID/VID 0644:804a. + +Signed-off-by: Nobutaka Okabe +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1177,6 +1177,7 @@ static bool is_teac_dsd_dac(unsigned int + switch (id) { + case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */ + case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */ ++ case USB_ID(0x0644, 0x804a): /* TEAC UD-301 */ + return true; + } + return false; diff --git a/queue-4.14/arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch b/queue-4.14/arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch new file mode 100644 index 00000000000..df40d0e8141 --- /dev/null +++ b/queue-4.14/arm-8746-1-vfp-go-back-to-clearing-vfp_current_hw_state.patch @@ -0,0 +1,39 @@ +From 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Mon, 22 Jan 2018 12:20:26 +0100 +Subject: ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] + +From: Fabio Estevam + +commit 1328f02005bbbaed15b9d5b7f3ab5ec9d4d5268a upstream. + +Commit 384b38b66947 ("ARM: 7873/1: vfp: clear vfp_current_hw_state +for dying cpu") fixed the cpu dying notifier by clearing +vfp_current_hw_state[]. However commit e5b61bafe704 ("arm: Convert VFP +hotplug notifiers to state machine") incorrectly used the original +vfp_force_reload() function in the cpu dying notifier. + +Fix it by going back to clearing vfp_current_hw_state[]. + +Fixes: e5b61bafe704 ("arm: Convert VFP hotplug notifiers to state machine") +Cc: linux-stable +Reported-by: Kohji Okuno +Signed-off-by: Fabio Estevam +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/vfp/vfpmodule.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -648,7 +648,7 @@ int vfp_restore_user_hwstate(struct user + */ + static int vfp_dying_cpu(unsigned int cpu) + { +- vfp_force_reload(cpu, current_thread_info()); ++ vfp_current_hw_state[cpu] = NULL; + return 0; + } + diff --git a/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch b/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch new file mode 100644 index 00000000000..e353e1fa1ca --- /dev/null +++ b/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-add-missing-regulators.patch @@ -0,0 +1,146 @@ +From 70b8d21496758dd7ff600ec9de0ee3812fac7a40 Mon Sep 17 00:00:00 2001 +From: Philipp Rossak +Date: Wed, 14 Feb 2018 15:10:25 +0100 +Subject: ARM: dts: sun6i: a31s: bpi-m2: add missing regulators + +From: Philipp Rossak + +commit 70b8d21496758dd7ff600ec9de0ee3812fac7a40 upstream. + +This patch fixes a bootproblem with the Bananapi M2 board. Since there +are some regulators missing we add them right now. Those values come +from the schematic, below you can find a small overview: + +* reg_aldo1: 3,3V, powers the wifi +* reg_aldo2: 2,5V, powers the IO of the RTL8211E +* reg_aldo3: 3,3V, powers the audio + +* reg_dldo1: 3,0V, powers the RTL8211E +* reg_dldo2: 2,8V, powers the analog part of the csi +* reg_dldo3: 3,3V, powers misc +* reg_eldo1: 1,8V, powers the csi +* reg_ldo_io1:1,8V, powers the gpio + +* reg_dc5ldo: needs to be always on + +This patch updates also the vmmc-supply properties on the mmc0 and mmc2 +node to use the allready existent regulators. +We can now remove the sunxi-common-regulators.dtsi include since we +don't need it anymore. + +Fixes: 7daa21370075 ("ARM: dts: sunxi: Add regulators for Sinovoip BPI-M2") +Cc: +Signed-off-by: Philipp Rossak +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 61 +++++++++++++++++++++-- + 1 file changed, 58 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts ++++ b/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts +@@ -42,7 +42,6 @@ + + /dts-v1/; + #include "sun6i-a31s.dtsi" +-#include "sunxi-common-regulators.dtsi" + #include + + / { +@@ -99,6 +98,7 @@ + pinctrl-0 = <&gmac_pins_rgmii_a>, <&gmac_phy_reset_pin_bpi_m2>; + phy = <&phy1>; + phy-mode = "rgmii"; ++ phy-supply = <®_dldo1>; + snps,reset-gpio = <&pio 0 21 GPIO_ACTIVE_HIGH>; /* PA21 */ + snps,reset-active-low; + snps,reset-delays-us = <0 10000 30000>; +@@ -118,7 +118,7 @@ + &mmc0 { + pinctrl-names = "default"; + pinctrl-0 = <&mmc0_pins_a>, <&mmc0_cd_pin_bpi_m2>; +- vmmc-supply = <®_vcc3v0>; ++ vmmc-supply = <®_dcdc1>; + bus-width = <4>; + cd-gpios = <&pio 0 4 GPIO_ACTIVE_HIGH>; /* PA4 */ + cd-inverted; +@@ -132,7 +132,7 @@ + &mmc2 { + pinctrl-names = "default"; + pinctrl-0 = <&mmc2_pins_a>; +- vmmc-supply = <®_vcc3v0>; ++ vmmc-supply = <®_aldo1>; + mmc-pwrseq = <&mmc2_pwrseq>; + bus-width = <4>; + non-removable; +@@ -195,7 +195,28 @@ + + #include "axp22x.dtsi" + ++®_aldo1 { ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-wifi"; ++}; ++ ++®_aldo2 { ++ regulator-always-on; ++ regulator-min-microvolt = <2500000>; ++ regulator-max-microvolt = <2500000>; ++ regulator-name = "vcc-gmac"; ++}; ++ ++®_aldo3 { ++ regulator-always-on; ++ regulator-min-microvolt = <3000000>; ++ regulator-max-microvolt = <3000000>; ++ regulator-name = "avcc"; ++}; ++ + ®_dc5ldo { ++ regulator-always-on; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1320000>; + regulator-name = "vdd-cpus"; +@@ -235,6 +256,40 @@ + regulator-name = "vcc-dram"; + }; + ++®_dldo1 { ++ regulator-min-microvolt = <3000000>; ++ regulator-max-microvolt = <3000000>; ++ regulator-name = "vcc-mac"; ++}; ++ ++®_dldo2 { ++ regulator-min-microvolt = <2800000>; ++ regulator-max-microvolt = <2800000>; ++ regulator-name = "avdd-csi"; ++}; ++ ++®_dldo3 { ++ regulator-always-on; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-pb"; ++}; ++ ++®_eldo1 { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-name = "vdd-csi"; ++ status = "okay"; ++}; ++ ++®_ldo_io1 { ++ regulator-always-on; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-name = "vcc-pm-cpus"; ++ status = "okay"; ++}; ++ + &uart0 { + pinctrl-names = "default"; + pinctrl-0 = <&uart0_pins_a>; diff --git a/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch b/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch new file mode 100644 index 00000000000..1afa5a9a408 --- /dev/null +++ b/queue-4.14/arm-dts-sun6i-a31s-bpi-m2-improve-pmic-properties.patch @@ -0,0 +1,35 @@ +From b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf Mon Sep 17 00:00:00 2001 +From: Philipp Rossak +Date: Wed, 14 Feb 2018 15:10:24 +0100 +Subject: ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties + +From: Philipp Rossak + +commit b23af6ad8d2f708c4c3f92dd8f82c233247ba8bf upstream. + +The eldoin is supplied from the dcdc1 regulator. The N_VBUSEN pin is +connected to an external power regulator (SY6280AAC). +With this commit we update the pmic binding properties to support +those features. + +Fixes: 7daa21370075 ("ARM: dts: sunxi: Add regulators for Sinovoip BPI-M2") +Cc: +Signed-off-by: Philipp Rossak +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts ++++ b/arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts +@@ -163,6 +163,8 @@ + reg = <0x68>; + interrupt-parent = <&nmi_intc>; + interrupts = <0 IRQ_TYPE_LEVEL_LOW>; ++ eldoin-supply = <®_dcdc1>; ++ x-powers,drive-vbus-en; + }; + }; + diff --git a/queue-4.14/arm-omap-fix-sram-w-x-mapping.patch b/queue-4.14/arm-omap-fix-sram-w-x-mapping.patch new file mode 100644 index 00000000000..8c7a4115c5e --- /dev/null +++ b/queue-4.14/arm-omap-fix-sram-w-x-mapping.patch @@ -0,0 +1,125 @@ +From eb85a355c3afd9379f5953cfe2df73632d14c884 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Wed, 21 Mar 2018 08:16:29 -0700 +Subject: ARM: OMAP: Fix SRAM W+X mapping + +From: Tony Lindgren + +commit eb85a355c3afd9379f5953cfe2df73632d14c884 upstream. + +We are still using custom SRAM code for some SoCs and are not marking +the PM code mapped to SRAM as read-only and executable after we're +done. With CONFIG_DEBUG_WX=y, we will get "Found insecure W+X mapping +at address" warning. + +Let's fix this issue the same way as commit 728bbe75c82f ("misc: sram: +Introduce support code for protect-exec sram type") is doing for +drivers/misc/sram-exec.c. + +On omap3, we need to restore SRAM when returning from off mode after +idle, so init time configuration is not enough. + +And as we no longer have users for omap_sram_push_address() we can +make it static while at it. + +Note that eventually we should be using sram-exec.c for all SoCs. + +Cc: stable@vger.kernel.org # v4.12+ +Cc: Dave Gerlach +Reported-by: Pavel Machek +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/plat-omap/include/plat/sram.h | 11 ---------- + arch/arm/plat-omap/sram.c | 36 ++++++++++++++++++++++++++++++++- + 2 files changed, 36 insertions(+), 11 deletions(-) + +--- a/arch/arm/plat-omap/include/plat/sram.h ++++ b/arch/arm/plat-omap/include/plat/sram.h +@@ -5,13 +5,4 @@ void omap_map_sram(unsigned long start, + unsigned long skip, int cached); + void omap_sram_reset(void); + +-extern void *omap_sram_push_address(unsigned long size); +- +-/* Macro to push a function to the internal SRAM, using the fncpy API */ +-#define omap_sram_push(funcp, size) ({ \ +- typeof(&(funcp)) _res = NULL; \ +- void *_sram_address = omap_sram_push_address(size); \ +- if (_sram_address) \ +- _res = fncpy(_sram_address, &(funcp), size); \ +- _res; \ +-}) ++extern void *omap_sram_push(void *funcp, unsigned long size); +--- a/arch/arm/plat-omap/sram.c ++++ b/arch/arm/plat-omap/sram.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + +@@ -42,7 +43,7 @@ static void __iomem *omap_sram_ceil; + * Note that fncpy requires the returned address to be aligned + * to an 8-byte boundary. + */ +-void *omap_sram_push_address(unsigned long size) ++static void *omap_sram_push_address(unsigned long size) + { + unsigned long available, new_ceil = (unsigned long)omap_sram_ceil; + +@@ -60,6 +61,30 @@ void *omap_sram_push_address(unsigned lo + return (void *)omap_sram_ceil; + } + ++void *omap_sram_push(void *funcp, unsigned long size) ++{ ++ void *sram; ++ unsigned long base; ++ int pages; ++ void *dst = NULL; ++ ++ sram = omap_sram_push_address(size); ++ if (!sram) ++ return NULL; ++ ++ base = (unsigned long)sram & PAGE_MASK; ++ pages = PAGE_ALIGN(size) / PAGE_SIZE; ++ ++ set_memory_rw(base, pages); ++ ++ dst = fncpy(sram, funcp, size); ++ ++ set_memory_ro(base, pages); ++ set_memory_x(base, pages); ++ ++ return dst; ++} ++ + /* + * The SRAM context is lost during off-idle and stack + * needs to be reset. +@@ -75,6 +100,9 @@ void omap_sram_reset(void) + void __init omap_map_sram(unsigned long start, unsigned long size, + unsigned long skip, int cached) + { ++ unsigned long base; ++ int pages; ++ + if (size == 0) + return; + +@@ -95,4 +123,10 @@ void __init omap_map_sram(unsigned long + */ + memset_io(omap_sram_base + omap_sram_skip, 0, + omap_sram_size - omap_sram_skip); ++ ++ base = (unsigned long)omap_sram_base; ++ pages = PAGE_ALIGN(omap_sram_size) / PAGE_SIZE; ++ ++ set_memory_ro(base, pages); ++ set_memory_x(base, pages); + } diff --git a/queue-4.14/ceph-only-dirty-iter_iovec-pages-for-direct-read.patch b/queue-4.14/ceph-only-dirty-iter_iovec-pages-for-direct-read.patch new file mode 100644 index 00000000000..a85a13bdfa0 --- /dev/null +++ b/queue-4.14/ceph-only-dirty-iter_iovec-pages-for-direct-read.patch @@ -0,0 +1,74 @@ +From 85784f9395987a422fa04263e7c0fb13da11eb5c Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Fri, 16 Mar 2018 11:22:29 +0800 +Subject: ceph: only dirty ITER_IOVEC pages for direct read + +From: Yan, Zheng + +commit 85784f9395987a422fa04263e7c0fb13da11eb5c upstream. + +If a page is already locked, attempting to dirty it leads to a deadlock +in lock_page(). This is what currently happens to ITER_BVEC pages when +a dio-enabled loop device is backed by ceph: + + $ losetup --direct-io /dev/loop0 /mnt/cephfs/img + $ xfs_io -c 'pread 0 4k' /dev/loop0 + +Follow other file systems and only dirty ITER_IOVEC pages. + +Cc: stable@kernel.org +Signed-off-by: "Yan, Zheng" +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/file.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -635,7 +635,8 @@ static ssize_t ceph_sync_read(struct kio + struct ceph_aio_request { + struct kiocb *iocb; + size_t total_len; +- int write; ++ bool write; ++ bool should_dirty; + int error; + struct list_head osd_reqs; + unsigned num_reqs; +@@ -745,7 +746,7 @@ static void ceph_aio_complete_req(struct + } + } + +- ceph_put_page_vector(osd_data->pages, num_pages, !aio_req->write); ++ ceph_put_page_vector(osd_data->pages, num_pages, aio_req->should_dirty); + ceph_osdc_put_request(req); + + if (rc < 0) +@@ -842,6 +843,7 @@ ceph_direct_read_write(struct kiocb *ioc + size_t count = iov_iter_count(iter); + loff_t pos = iocb->ki_pos; + bool write = iov_iter_rw(iter) == WRITE; ++ bool should_dirty = !write && iter_is_iovec(iter); + + if (write && ceph_snap(file_inode(file)) != CEPH_NOSNAP) + return -EROFS; +@@ -909,6 +911,7 @@ ceph_direct_read_write(struct kiocb *ioc + if (aio_req) { + aio_req->iocb = iocb; + aio_req->write = write; ++ aio_req->should_dirty = should_dirty; + INIT_LIST_HEAD(&aio_req->osd_reqs); + if (write) { + aio_req->mtime = mtime; +@@ -966,7 +969,7 @@ ceph_direct_read_write(struct kiocb *ioc + len = ret; + } + +- ceph_put_page_vector(pages, num_pages, !write); ++ ceph_put_page_vector(pages, num_pages, should_dirty); + + ceph_osdc_put_request(req); + if (ret < 0) diff --git a/queue-4.14/i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch b/queue-4.14/i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch new file mode 100644 index 00000000000..b10a044d736 --- /dev/null +++ b/queue-4.14/i2c-i2c-stm32f7-fix-no-check-on-returned-setup.patch @@ -0,0 +1,36 @@ +From 771b7bf05339081019d22452ebcab6929372e13e Mon Sep 17 00:00:00 2001 +From: Pierre-Yves MORDRET +Date: Wed, 21 Mar 2018 17:48:40 +0100 +Subject: i2c: i2c-stm32f7: fix no check on returned setup + +From: Pierre-Yves MORDRET + +commit 771b7bf05339081019d22452ebcab6929372e13e upstream. + +Before assigning returned setup structure check if not null + +Fixes: 463a9215f3ca7600b5ff ("i2c: stm32f7: fix setup structure") +Signed-off-by: Pierre-Yves MORDRET +Acked-by: Alexandre TORGUE +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-stm32f7.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -887,6 +887,11 @@ static int stm32f7_i2c_probe(struct plat + } + + setup = of_device_get_match_data(&pdev->dev); ++ if (!setup) { ++ dev_err(&pdev->dev, "Can't get device data\n"); ++ ret = -ENODEV; ++ goto clk_free; ++ } + i2c_dev->setup = *setup; + + ret = device_property_read_u32(i2c_dev->dev, "i2c-scl-rising-time-ns", diff --git a/queue-4.14/ipc-shm.c-add-split-function-to-shm_vm_ops.patch b/queue-4.14/ipc-shm.c-add-split-function-to-shm_vm_ops.patch new file mode 100644 index 00000000000..4c3ce2bac8b --- /dev/null +++ b/queue-4.14/ipc-shm.c-add-split-function-to-shm_vm_ops.patch @@ -0,0 +1,95 @@ +From 3d942ee079b917b24e2a0c5f18d35ac8ec9fee48 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 28 Mar 2018 16:01:01 -0700 +Subject: ipc/shm.c: add split function to shm_vm_ops + +From: Mike Kravetz + +commit 3d942ee079b917b24e2a0c5f18d35ac8ec9fee48 upstream. + +If System V shmget/shmat operations are used to create a hugetlbfs +backed mapping, it is possible to munmap part of the mapping and split +the underlying vma such that it is not huge page aligned. This will +untimately result in the following BUG: + + kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310! + Oops: Exception in kernel mode, sig: 5 [#1] + LE SMP NR_CPUS=2048 NUMA PowerNV + Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt + CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E 4.15.0-10-generic #11-Ubuntu + NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009 + REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E (4.15.0-10-generic) + MSR: 9000000000029033 CR: 24002222 XER: 20040000 + CFAR: c00000000036ee44 SOFTE: 1 + NIP __unmap_hugepage_range+0xa4/0x760 + LR __unmap_hugepage_range_final+0x28/0x50 + Call Trace: + 0x7115e4e00000 (unreliable) + __unmap_hugepage_range_final+0x28/0x50 + unmap_single_vma+0x11c/0x190 + unmap_vmas+0x94/0x140 + exit_mmap+0x9c/0x1d0 + mmput+0xa8/0x1d0 + do_exit+0x360/0xc80 + do_group_exit+0x60/0x100 + SyS_exit_group+0x24/0x30 + system_call+0x58/0x6c + ---[ end trace ee88f958a1c62605 ]--- + +This bug was introduced by commit 31383c6865a5 ("mm, hugetlbfs: +introduce ->split() to vm_operations_struct"). A split function was +added to vm_operations_struct to determine if a mapping can be split. +This was mostly for device-dax and hugetlbfs mappings which have +specific alignment constraints. + +Mappings initiated via shmget/shmat have their original vm_ops +overwritten with shm_vm_ops. shm_vm_ops functions will call back to the +original vm_ops if needed. Add such a split function to shm_vm_ops. + +Link: http://lkml.kernel.org/r/20180321161314.7711-1-mike.kravetz@oracle.com +Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct") +Signed-off-by: Mike Kravetz +Reported-by: Laurent Dufour +Reviewed-by: Laurent Dufour +Tested-by: Laurent Dufour +Reviewed-by: Dan Williams +Acked-by: Michal Hocko +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -386,6 +386,17 @@ static int shm_fault(struct vm_fault *vm + return sfd->vm_ops->fault(vmf); + } + ++static int shm_split(struct vm_area_struct *vma, unsigned long addr) ++{ ++ struct file *file = vma->vm_file; ++ struct shm_file_data *sfd = shm_file_data(file); ++ ++ if (sfd->vm_ops && sfd->vm_ops->split) ++ return sfd->vm_ops->split(vma, addr); ++ ++ return 0; ++} ++ + #ifdef CONFIG_NUMA + static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new) + { +@@ -510,6 +521,7 @@ static const struct vm_operations_struct + .open = shm_open, /* callback for a new vm-area open */ + .close = shm_close, /* callback for when the vm-area is released */ + .fault = shm_fault, ++ .split = shm_split, + #if defined(CONFIG_NUMA) + .set_policy = shm_set_policy, + .get_policy = shm_get_policy, diff --git a/queue-4.14/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch b/queue-4.14/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch new file mode 100644 index 00000000000..1a7e906d5c6 --- /dev/null +++ b/queue-4.14/mtd-jedec_probe-fix-crash-in-jedec_read_mfr.patch @@ -0,0 +1,56 @@ +From 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Sat, 3 Mar 2018 23:29:03 +0100 +Subject: mtd: jedec_probe: Fix crash in jedec_read_mfr() + +From: Linus Walleij + +commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream. + +It turns out that the loop where we read manufacturer +jedec_read_mfd() can under some circumstances get a +CFI_MFR_CONTINUATION repeatedly, making the loop go +over all banks and eventually hit the end of the +map and crash because of an access violation: + +Unable to handle kernel paging request at virtual address c4980000 +pgd = (ptrval) +[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000 +Internal error: Oops: 7 [#1] PREEMPT ARM +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150 +Hardware name: Gemini (Device Tree) +PC is at jedec_probe_chip+0x6ec/0xcd0 +LR is at 0x4 +pc : [] lr : [<00000004>] psr: 60000013 +sp : c382dd18 ip : 0000ffff fp : 00000000 +r10: c0626388 r9 : 00020000 r8 : c0626340 +r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70 +r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 0000397f Table: 00004000 DAC: 00000053 +Process swapper (pid: 1, stack limit = 0x(ptrval)) + +Fix this by breaking the loop with a return 0 if +the offset exceeds the map size. + +Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0") +Cc: +Signed-off-by: Linus Walleij +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/jedec_probe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/chips/jedec_probe.c ++++ b/drivers/mtd/chips/jedec_probe.c +@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct + do { + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); + mask = (1 << (cfi->device_type * 8)) - 1; ++ if (ofs >= map->size) ++ return 0; + result = map_read(map, base + ofs); + bank++; + } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION); diff --git a/queue-4.14/mtd-nand-atmel-fix-get_sectorsize-function.patch b/queue-4.14/mtd-nand-atmel-fix-get_sectorsize-function.patch new file mode 100644 index 00000000000..0cc4069689c --- /dev/null +++ b/queue-4.14/mtd-nand-atmel-fix-get_sectorsize-function.patch @@ -0,0 +1,37 @@ +From 2b1b1b4ac716fd929a2d221bd4ade62263bed915 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 27 Mar 2018 19:01:58 +0200 +Subject: mtd: nand: atmel: Fix get_sectorsize() function + +From: Boris Brezillon + +commit 2b1b1b4ac716fd929a2d221bd4ade62263bed915 upstream. + +get_sectorsize() was not using the appropriate macro to extract the +ECC sector size from the config cache, which led to buggy ECC when +using 1024 byte sectors. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Cc: +Reported-by: Olivier Schonken +Signed-off-by: Boris Brezillon +Reviewed-by: Richard Weinberger +Acked-by: Nicolas Ferre +Tested-by: Olivier Schonken +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/atmel/pmecc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/atmel/pmecc.c ++++ b/drivers/mtd/nand/atmel/pmecc.c +@@ -426,7 +426,7 @@ static int get_strength(struct atmel_pme + + static int get_sectorsize(struct atmel_pmecc_user *user) + { +- return user->cache.cfg & PMECC_LOOKUP_TABLE_SIZE_1024 ? 1024 : 512; ++ return user->cache.cfg & PMECC_CFG_SECTOR1024 ? 1024 : 512; + } + + static void atmel_pmecc_gen_syndrome(struct atmel_pmecc_user *user, int sector) diff --git a/queue-4.14/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch b/queue-4.14/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch new file mode 100644 index 00000000000..627fa6cfd29 --- /dev/null +++ b/queue-4.14/perf-hwbp-simplify-the-perf-hwbp-code-fix-documentation.patch @@ -0,0 +1,87 @@ +From f67b15037a7a50c57f72e69a6d59941ad90a0f0f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 26 Mar 2018 15:39:07 -1000 +Subject: perf/hwbp: Simplify the perf-hwbp code, fix documentation + +From: Linus Torvalds + +commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f upstream. + +Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the +modification of a breakpoint - simplify it and remove the pointless +local variables. + +Also update the stale Docbook while at it. + +Signed-off-by: Linus Torvalds +Acked-by: Thomas Gleixner +Cc: +Cc: Alexander Shishkin +Cc: Andy Lutomirski +Cc: Arnaldo Carvalho de Melo +Cc: Frederic Weisbecker +Cc: Jiri Olsa +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Vince Weaver +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/hw_breakpoint.c | 30 +++++++----------------------- + 1 file changed, 7 insertions(+), 23 deletions(-) + +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_break + * modify_user_hw_breakpoint - modify a user-space hardware breakpoint + * @bp: the breakpoint structure to modify + * @attr: new breakpoint attributes +- * @triggered: callback to trigger when we hit the breakpoint +- * @tsk: pointer to 'task_struct' of the process to which the address belongs + */ + int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr) + { +- u64 old_addr = bp->attr.bp_addr; +- u64 old_len = bp->attr.bp_len; +- int old_type = bp->attr.bp_type; +- int err = 0; +- + /* + * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it + * will not be possible to raise IPIs that invoke __perf_event_disable. +@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct per + bp->attr.bp_addr = attr->bp_addr; + bp->attr.bp_type = attr->bp_type; + bp->attr.bp_len = attr->bp_len; ++ bp->attr.disabled = 1; + +- if (attr->disabled) +- goto end; +- +- err = validate_hw_breakpoint(bp); +- if (!err) +- perf_event_enable(bp); ++ if (!attr->disabled) { ++ int err = validate_hw_breakpoint(bp); + +- if (err) { +- bp->attr.bp_addr = old_addr; +- bp->attr.bp_type = old_type; +- bp->attr.bp_len = old_len; +- if (!bp->attr.disabled) +- perf_event_enable(bp); ++ if (err) ++ return err; + +- return err; ++ perf_event_enable(bp); ++ bp->attr.disabled = 0; + } + +-end: +- bp->attr.disabled = attr->disabled; +- + return 0; + } + EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint); diff --git a/queue-4.14/powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch b/queue-4.14/powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch new file mode 100644 index 00000000000..6c5180592f4 --- /dev/null +++ b/queue-4.14/powerpc-64s-fix-i-side-slb-miss-bad-address-handler-saving-nonvolatile-gprs.patch @@ -0,0 +1,39 @@ +From 52396500f97c53860164debc7d4f759077853423 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 23 Mar 2018 15:53:38 +1000 +Subject: powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs + +From: Nicholas Piggin + +commit 52396500f97c53860164debc7d4f759077853423 upstream. + +The SLB bad address handler's trap number fixup does not preserve the +low bit that indicates nonvolatile GPRs have not been saved. This +leads save_nvgprs to skip saving them, and subsequent functions and +return from interrupt will think they are saved. + +This causes kernel branch-to-garbage debugging to not have correct +registers, can also cause userspace to have its registers clobbered +after a segfault. + +Fixes: f0f558b131db ("powerpc/mm: Preserve CFAR value on SLB miss caused by access to bogus address") +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -704,7 +704,7 @@ EXC_COMMON_BEGIN(bad_addr_slb) + ld r3, PACA_EXSLB+EX_DAR(r13) + std r3, _DAR(r1) + beq cr6, 2f +- li r10, 0x480 /* fix trap number for I-SLB miss */ ++ li r10, 0x481 /* fix trap number for I-SLB miss */ + std r10, _TRAP(r1) + 2: bl save_nvgprs + addi r3, r1, STACK_FRAME_OVERHEAD diff --git a/queue-4.14/powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch b/queue-4.14/powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch new file mode 100644 index 00000000000..1ae215ab6b8 --- /dev/null +++ b/queue-4.14/powerpc-64s-fix-lost-pending-interrupt-due-to-race-causing-lost-update-to-irq_happened.patch @@ -0,0 +1,56 @@ +From ff6781fd1bb404d8a551c02c35c70cec1da17ff1 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Wed, 21 Mar 2018 12:22:28 +1000 +Subject: powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened + +From: Nicholas Piggin + +commit ff6781fd1bb404d8a551c02c35c70cec1da17ff1 upstream. + +force_external_irq_replay() can be called in the do_IRQ path with +interrupts hard enabled and soft disabled if may_hard_irq_enable() set +MSR[EE]=1. It updates local_paca->irq_happened with a load, modify, +store sequence. If a maskable interrupt hits during this sequence, it +will go to the masked handler to be marked pending in irq_happened. +This update will be lost when the interrupt returns and the store +instruction executes. This can result in unpredictable latencies, +timeouts, lockups, etc. + +Fix this by ensuring hard interrupts are disabled before modifying +irq_happened. + +This could cause any maskable asynchronous interrupt to get lost, but +it was noticed on P9 SMP system doing RDMA NVMe target over 100GbE, +so very high external interrupt rate and high IPI rate. The hang was +bisected down to enabling doorbell interrupts for IPIs. These provided +an interrupt type that could run at high rates in the do_IRQ path, +stressing the race. + +Fixes: 1d607bb3bd60 ("powerpc/irq: Add mechanism to force a replay of interrupts") +Cc: stable@vger.kernel.org # v4.8+ +Reported-by: Carol L. Soto +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/irq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -430,6 +430,14 @@ void force_external_irq_replay(void) + */ + WARN_ON(!arch_irqs_disabled()); + ++ /* ++ * Interrupts must always be hard disabled before irq_happened is ++ * modified (to prevent lost update in case of interrupt between ++ * load and store). ++ */ ++ __hard_irq_disable(); ++ local_paca->irq_happened |= PACA_IRQ_HARD_DIS; ++ + /* Indicate in the PACA that we have an interrupt to replay */ + local_paca->irq_happened |= PACA_IRQ_EE; + } diff --git a/queue-4.14/x86-platform-uv-bau-add-apic-idt-entry.patch b/queue-4.14/x86-platform-uv-bau-add-apic-idt-entry.patch new file mode 100644 index 00000000000..60b5e2e7789 --- /dev/null +++ b/queue-4.14/x86-platform-uv-bau-add-apic-idt-entry.patch @@ -0,0 +1,66 @@ +From 151ad17fbe5e56afa59709f41980508672c777ce Mon Sep 17 00:00:00 2001 +From: Andrew Banman +Date: Tue, 27 Mar 2018 17:09:06 -0500 +Subject: x86/platform/uv/BAU: Add APIC idt entry + +From: Andrew Banman + +commit 151ad17fbe5e56afa59709f41980508672c777ce upstream. + +BAU uses the old alloc_initr_gate90 method to setup its interrupt. This +fails silently as the BAU vector is in the range of APIC vectors that are +registered to the spurious interrupt handler. As a consequence BAU +broadcasts are not handled, and the broadcast source CPU hangs. + +Update BAU to use new idt structure. + +Fixes: dc20b2d52653 ("x86/idt: Move interrupt gate initialization to IDT code") +Signed-off-by: Andrew Banman +Signed-off-by: Thomas Gleixner +Acked-by: Mike Travis +Cc: Dimitri Sivanich +Cc: Russ Anderson +Cc: stable@vger.kernel.org +Cc: "H. Peter Anvin" +Link: https://lkml.kernel.org/r/1522188546-196177-1-git-send-email-abanman@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/hw_irq.h | 1 + + arch/x86/kernel/idt.c | 3 +++ + arch/x86/platform/uv/tlb_uv.c | 2 -- + 3 files changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/hw_irq.h ++++ b/arch/x86/include/asm/hw_irq.h +@@ -34,6 +34,7 @@ extern asmlinkage void kvm_posted_intr_w + extern asmlinkage void kvm_posted_intr_nested_ipi(void); + extern asmlinkage void error_interrupt(void); + extern asmlinkage void irq_work_interrupt(void); ++extern asmlinkage void uv_bau_message_intr1(void); + + extern asmlinkage void spurious_interrupt(void); + extern asmlinkage void thermal_interrupt(void); +--- a/arch/x86/kernel/idt.c ++++ b/arch/x86/kernel/idt.c +@@ -140,6 +140,9 @@ static const __initconst struct idt_data + # ifdef CONFIG_IRQ_WORK + INTG(IRQ_WORK_VECTOR, irq_work_interrupt), + # endif ++#ifdef CONFIG_X86_UV ++ INTG(UV_BAU_MESSAGE, uv_bau_message_intr1), ++#endif + INTG(SPURIOUS_APIC_VECTOR, spurious_interrupt), + INTG(ERROR_APIC_VECTOR, error_interrupt), + #endif +--- a/arch/x86/platform/uv/tlb_uv.c ++++ b/arch/x86/platform/uv/tlb_uv.c +@@ -2254,8 +2254,6 @@ static int __init uv_bau_init(void) + init_uvhub(uvhub, vector, uv_base_pnode); + } + +- alloc_intr_gate(vector, uv_bau_message_intr1); +- + for_each_possible_blade(uvhub) { + if (uv_blade_nr_possible_cpus(uvhub)) { + unsigned long val;