From: Greg Kroah-Hartman Date: Sun, 25 Mar 2018 09:38:42 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.15.14~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8126353baa69178cc15c98da1ff8233adf66eed5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch libata-enable-queued-trim-for-samsung-ssd-860.patch libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch libata-remove-warn-for-dma-or-pio-command-without-data.patch nfsd-remove-blocked-locks-on-client-teardown.patch --- diff --git a/queue-4.9/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch b/queue-4.9/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch new file mode 100644 index 00000000000..d86b080cfd3 --- /dev/null +++ b/queue-4.9/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch @@ -0,0 +1,75 @@ +From f44cb4b19ed40b655c2d422c9021ab2c2625adb6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 15 Mar 2018 17:02:34 +0100 +Subject: Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 + +From: Takashi Iwai + +commit f44cb4b19ed40b655c2d422c9021ab2c2625adb6 upstream. + +The Atheros 1525/QCA6174 BT doesn't seem working properly on the +recent kernels, as it tries to load a wrong firmware +ar3k/AthrBT_0x00000200.dfu and it fails. + +This seems to have been a problem for some time, and the known +workaround is to apply BTUSB_QCA_ROM quirk instead of BTUSB_ATH3012. + +The device in question is: + +T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0cf3 ProdID=3004 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1082504 +Reported-by: Ivan Levshin +Tested-by: Ivan Levshin +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -217,7 +217,6 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, +- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, +@@ -250,6 +249,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, + + /* QCA ROME chipset */ ++ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, diff --git a/queue-4.9/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch b/queue-4.9/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch new file mode 100644 index 00000000000..c514fa7e0a1 --- /dev/null +++ b/queue-4.9/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch @@ -0,0 +1,51 @@ +From 62ac3f7305470e3f52f159de448bc1a771717e88 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:33:58 +0100 +Subject: libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs + +From: Hans de Goede + +commit 62ac3f7305470e3f52f159de448bc1a771717e88 upstream. + +There have been reports of the Crucial M500 480GB model not working +with LPM set to min_power / med_power_with_dipm level. + +It has not been tested with medium_power, but that typically has no +measurable power-savings. + +Note the reporters Crucial_CT480M500SSD3 has a firmware version of MU03 +and there is a MU05 update available, but that update does not mention any +LPM fixes in its changelog, so the quirk matches all firmware versions. + +In my experience the LPM problems with (older) Crucial SSDs seem to be +limited to higher capacity versions of the SSDs (different firmware?), +so this commit adds a NOLPM quirk for the 480 and 960GB versions of the +M500, to avoid LPM causing issues with these SSDs. + +Cc: stable@vger.kernel.org +Reported-and-tested-by: Martin Steigerwald +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4411,6 +4411,14 @@ static const struct ata_blacklist_entry + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, + ++ /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */ ++ { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ { "Crucial_CT960M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.9/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch b/queue-4.9/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch new file mode 100644 index 00000000000..b5b5cfe1067 --- /dev/null +++ b/queue-4.9/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch @@ -0,0 +1,46 @@ +From 9c7be59fc519af9081c46c48f06f2b8fadf55ad8 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 16 Feb 2018 10:48:20 +0100 +Subject: libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs + +From: Hans de Goede + +commit 9c7be59fc519af9081c46c48f06f2b8fadf55ad8 upstream. + +Various people have reported the Crucial MX100 512GB model not working +with LPM set to min_power. I've now received a report that it also does +not work with the new med_power_with_dipm level. + +It does work with medium_power, but that has no measurable power-savings +and given the amount of people being bitten by the other levels not +working, this commit just disables LPM altogether. + +Note all reporters of this have either the 512GB model (max capacity), or +are not specifying their SSD's size. So for now this quirk assumes this is +a problem with the 512GB model only. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=89261 +Buglink: https://github.com/linrunner/TLP/issues/84 +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4403,6 +4403,11 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.9/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch b/queue-4.9/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch new file mode 100644 index 00000000000..d03d9e28e81 --- /dev/null +++ b/queue-4.9/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch @@ -0,0 +1,39 @@ +From b17e5729a630d8326a48ec34ef02e6b4464a6aef Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sun, 18 Feb 2018 22:17:09 +0800 +Subject: libata: disable LPM for Crucial BX100 SSD 500GB drive + +From: Kai-Heng Feng + +commit b17e5729a630d8326a48ec34ef02e6b4464a6aef upstream. + +After Laptop Mode Tools starts to use min_power for LPM, a user found +out Crucial BX100 SSD can't get mounted. + +Crucial BX100 SSD 500GB drive don't work well with min_power. This also +happens to med_power_with_dipm. + +So let's disable LPM for Crucial BX100 SSD 500GB drive. + +BugLink: https://bugs.launchpad.net/bugs/1726930 +Signed-off-by: Kai-Heng Feng +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4403,6 +4403,9 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* Crucial BX100 SSD 500GB has broken LPM support */ ++ { "CT500BX100SSD1", "MU02", ATA_HORKAGE_NOLPM }, ++ + /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ + { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM | diff --git a/queue-4.9/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch b/queue-4.9/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch new file mode 100644 index 00000000000..23b2822f51d --- /dev/null +++ b/queue-4.9/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch @@ -0,0 +1,63 @@ +From 2c1ec6fda2d07044cda922ee25337cf5d4b429b3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:33:51 -0800 +Subject: libata: don't try to pass through NCQ commands to non-NCQ devices + +From: Eric Biggers + +commit 2c1ec6fda2d07044cda922ee25337cf5d4b429b3 upstream. + +syzkaller hit a WARN() in ata_bmdma_qc_issue() when writing to /dev/sg0. +This happened because it issued an ATA pass-through command (ATA_16) +where the protocol field indicated that NCQ should be used -- but the +device did not support NCQ. + +We could just remove the WARN() from libata-sff.c, but the real problem +seems to be that the SCSI -> ATA translation code passes through NCQ +commands without verifying that the device actually supports NCQ. + +Fix this by adding the appropriate check to ata_scsi_pass_thru(). + +Here's reproducer that works in QEMU when /dev/sg0 refers to a disk of +the default type ("82371SB PIIX3 IDE"): + + #include + #include + + int main() + { + char buf[53] = { 0 }; + + buf[36] = 0x85; /* ATA_16 */ + buf[37] = (12 << 1); /* FPDMA */ + buf[38] = 0x1; /* Has data */ + buf[51] = 0xC8; /* ATA_CMD_READ */ + write(open("/dev/sg0", O_RDWR), buf, sizeof(buf)); + } + +Fixes: ee7fb331c3ac ("libata: add support for NCQ commands for SG interface") +Reported-by: syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com +Cc: # v4.4+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3226,6 +3226,12 @@ static unsigned int ata_scsi_pass_thru(s + goto invalid_fld; + } + ++ /* We may not issue NCQ commands to devices not supporting NCQ */ ++ if (ata_is_ncq(tf->protocol) && !ata_ncq_enabled(dev)) { ++ fp = 1; ++ goto invalid_fld; ++ } ++ + /* sanity check for pio multi commands */ + if ((cdb[1] & 0xe0) && !is_multi_taskfile(tf)) { + fp = 1; diff --git a/queue-4.9/libata-enable-queued-trim-for-samsung-ssd-860.patch b/queue-4.9/libata-enable-queued-trim-for-samsung-ssd-860.patch new file mode 100644 index 00000000000..b050238004e --- /dev/null +++ b/queue-4.9/libata-enable-queued-trim-for-samsung-ssd-860.patch @@ -0,0 +1,37 @@ +From ca6bfcb2f6d9deab3924bf901e73622a94900473 Mon Sep 17 00:00:00 2001 +From: Ju Hyung Park +Date: Sun, 11 Mar 2018 02:28:35 +0900 +Subject: libata: Enable queued TRIM for Samsung SSD 860 + +From: Ju Hyung Park + +commit ca6bfcb2f6d9deab3924bf901e73622a94900473 upstream. + +Samsung explicitly states that queued TRIM is supported for Linux with +860 PRO and 860 EVO. + +Make the previous blacklist to cover only 840 and 850 series. + +Signed-off-by: Park Ju Hyung +Reviewed-by: Martin K. Petersen +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4422,7 +4422,9 @@ static const struct ata_blacklist_entry + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM, }, ++ { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.9/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch b/queue-4.9/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch new file mode 100644 index 00000000000..af9300c741b --- /dev/null +++ b/queue-4.9/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch @@ -0,0 +1,102 @@ +From 058f58e235cbe03e923b30ea7c49995a46a8725f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:30:56 -0800 +Subject: libata: fix length validation of ATAPI-relayed SCSI commands + +From: Eric Biggers + +commit 058f58e235cbe03e923b30ea7c49995a46a8725f upstream. + +syzkaller reported a crash in ata_bmdma_fill_sg() when writing to +/dev/sg1. The immediate cause was that the ATA command's scatterlist +was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a +write to 'qc->ap->bmdma_prd[0xffffffff]'. + +Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags. The +root cause is that when __ata_scsi_queuecmd() is preparing to relay a +SCSI command to an ATAPI device, it doesn't correctly validate the CDB +length before copying it into the 16-byte buffer 'cdb' in 'struct +ata_queued_cmd'. Namely, it validates the fixed CDB length expected +based on the SCSI opcode but not the actual CDB length, which can be +larger due to the use of the SG_NEXT_CMD_LEN ioctl. Since 'flags' is +the next member in ata_queued_cmd, a buffer overflow corrupts it. + +Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN). + +[Really it seems the length should be required to be <= dev->cdb_len, +but the current behavior seems to have been intentionally introduced by +commit 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands +in 16-byte CDBs") to work around a userspace bug in mplayer. Probably +the workaround is no longer needed (mplayer was fixed in 2007), but +continuing to allow lengths to up 16 appears harmless for now.] + +Here's a reproducer that works in QEMU when /dev/sg1 refers to the +CD-ROM drive that qemu-system-x86_64 creates by default: + + #include + #include + #include + + #define SG_NEXT_CMD_LEN 0x2283 + + int main() + { + char buf[53] = { [36] = 0x7e, [52] = 0x02 }; + int fd = open("/dev/sg1", O_RDWR); + ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 }); + write(fd, buf, sizeof(buf)); + } + +The crash was: + + BUG: unable to handle kernel paging request at ffff8cb97db37ffc + IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline] + IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727 + PGD fb6c067 P4D fb6c067 PUD 0 + Oops: 0002 [#1] SMP + CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 + [...] + Call Trace: + ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421 + ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024 + __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline] + ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375 + scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727 + scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865 + __blk_run_queue_uncond block/blk-core.c:412 [inline] + __blk_run_queue+0x3a/0x60 block/blk-core.c:432 + blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78 + sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806 + sg_write+0x1ef/0x340 drivers/scsi/sg.c:677 + __vfs_write+0x31/0x160 fs/read_write.c:480 + vfs_write+0xa7/0x160 fs/read_write.c:544 + SYSC_write fs/read_write.c:589 [inline] + SyS_write+0x4d/0xc0 fs/read_write.c:581 + do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x21/0x86 + +Fixes: 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs") +Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com +Cc: # v2.6.24+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4177,7 +4177,9 @@ static inline int __ata_scsi_queuecmd(st + if (likely((scsi_op != ATA_16) || !atapi_passthru16)) { + /* relay SCSI command to ATAPI device */ + int len = COMMAND_SIZE(scsi_op); +- if (unlikely(len > scmd->cmd_len || len > dev->cdb_len)) ++ if (unlikely(len > scmd->cmd_len || ++ len > dev->cdb_len || ++ scmd->cmd_len > ATAPI_CDB_LEN)) + goto bad_cdb_len; + + xlat_func = atapi_xlat; diff --git a/queue-4.9/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch b/queue-4.9/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch new file mode 100644 index 00000000000..3c85b7f4c3f --- /dev/null +++ b/queue-4.9/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch @@ -0,0 +1,41 @@ +From 3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:33:59 +0100 +Subject: libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions + +From: Hans de Goede + +commit 3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f upstream. + +Commit b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB +drive"), introduced a ATA_HORKAGE_NOLPM quirk for Crucial BX100 500GB SSDs +but limited this to the MU02 firmware version, according to: +http://www.crucial.com/usa/en/support-ssd-firmware + +MU02 is the last version, so there are no newer possibly fixed versions +and if the MU02 version has broken LPM then the MU01 almost certainly +also has broken LPM, so this commit changes the quirk to apply to all +firmware versions. + +Fixes: b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB...") +Cc: stable@vger.kernel.org +Cc: Kai-Heng Feng +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4404,7 +4404,7 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + + /* Crucial BX100 SSD 500GB has broken LPM support */ +- { "CT500BX100SSD1", "MU02", ATA_HORKAGE_NOLPM }, ++ { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, + + /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ + { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.9/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch b/queue-4.9/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch new file mode 100644 index 00000000000..7332049694c --- /dev/null +++ b/queue-4.9/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch @@ -0,0 +1,49 @@ +From d418ff56b8f2d2b296daafa8da151fe27689b757 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:34:00 +0100 +Subject: libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version + +From: Hans de Goede + +commit d418ff56b8f2d2b296daafa8da151fe27689b757 upstream. + +When commit 9c7be59fc519af ("libata: Apply NOLPM quirk to Crucial MX100 +512GB SSDs") was added it inherited the ATA_HORKAGE_NO_NCQ_TRIM quirk +from the existing "Crucial_CT*MX100*" entry, but that entry sets model_rev +to "MU01", where as the entry adding the NOLPM quirk sets it to NULL. + +This means that after this commit we no apply the NO_NCQ_TRIM quirk to +all "Crucial_CT512MX100*" SSDs even if they have the fixed "MU02" +firmware. This commit splits the "Crucial_CT512MX100*" quirk into 2 +quirks, one for the "MU01" firmware and one for all other firmware +versions, so that we once again only apply the NO_NCQ_TRIM quirk to the +"MU01" firmware version. + +Fixes: 9c7be59fc519af ("libata: Apply NOLPM quirk to ... MX100 512GB SSDs") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4406,10 +4406,13 @@ static const struct ata_blacklist_entry + /* Crucial BX100 SSD 500GB has broken LPM support */ + { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, + +- /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ +- { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */ ++ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, ++ /* 512GB MX100 with newer firmware has only LPM issues */ ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, + + /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */ + { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.9/libata-remove-warn-for-dma-or-pio-command-without-data.patch b/queue-4.9/libata-remove-warn-for-dma-or-pio-command-without-data.patch new file mode 100644 index 00000000000..f856cc71aae --- /dev/null +++ b/queue-4.9/libata-remove-warn-for-dma-or-pio-command-without-data.patch @@ -0,0 +1,51 @@ +From 9173e5e80729c8434b8d27531527c5245f4a5594 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:33:27 -0800 +Subject: libata: remove WARN() for DMA or PIO command without data + +From: Eric Biggers + +commit 9173e5e80729c8434b8d27531527c5245f4a5594 upstream. + +syzkaller hit a WARN() in ata_qc_issue() when writing to /dev/sg0. This +happened because it issued a READ_6 command with no data buffer. + +Just remove the WARN(), as it doesn't appear indicate a kernel bug. The +expected behavior is to fail the command, which the code does. + +Here's a reproducer that works in QEMU when /dev/sg0 refers to a disk of +the default type ("82371SB PIIX3 IDE"): + + #include + #include + + int main() + { + char buf[42] = { [36] = 0x8 /* READ_6 */ }; + + write(open("/dev/sg0", O_RDWR), buf, sizeof(buf)); + } + +Fixes: f92a26365a72 ("libata: change ATA_QCFLAG_DMAMAP semantics") +Reported-by: syzbot+f7b556d1766502a69d85071d2ff08bd87be53d0f@syzkaller.appspotmail.com +Cc: # v2.6.25+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -5265,8 +5265,7 @@ void ata_qc_issue(struct ata_queued_cmd + * We guarantee to LLDs that they will have at least one + * non-zero sg if the command is a data command. + */ +- if (WARN_ON_ONCE(ata_is_data(prot) && +- (!qc->sg || !qc->n_elem || !qc->nbytes))) ++ if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes)) + goto sys_err; + + if (ata_is_dma(prot) || (ata_is_pio(prot) && diff --git a/queue-4.9/mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch b/queue-4.9/mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch deleted file mode 100644 index d250db040a4..00000000000 --- a/queue-4.9/mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch +++ /dev/null @@ -1,65 +0,0 @@ -From dbe7dc6b9b28f5b012b0bedc372aa0c52521f3e4 Mon Sep 17 00:00:00 2001 -From: Dirk Behme -Date: Wed, 14 Mar 2018 14:50:09 +0000 -Subject: mmc: core: Disable HPI for certain Micron (Numonyx) eMMC cards - -From: Dirk Behme - -commit dbe7dc6b9b28f5b012b0bedc372aa0c52521f3e4 upstream. - -Certain Micron eMMC v4.5 cards might get broken when HPI feature is used -and hence this patch disables the HPI feature for such buggy cards. - -In U-Boot, these cards are reported as - -Manufacturer: Micron (ID: 0xFE) -OEM: 0x4E -Name: MMC32G -Revision: 19 (0x13) -Serial: 959241022 Manufact. date: 8/2015 (0x82) CRC: 0x00 -Tran Speed: 52000000 -Rd Block Len: 512 -MMC version 4.5 -High Capacity: Yes -Capacity: 29.1 GiB -Boot Partition Size: 16 MiB -Bus Width: 8-bit - -According to JEDEC JEP106 manufacturer 0xFE is Numonyx, which was bought by -Micron. - -Signed-off-by: Dirk Behme -Signed-off-by: Mark Craske -Cc: # 4.8+ -Signed-off-by: Ulf Hansson -Signed-off-by: Greg Kroah-Hartman - -diff --git a/drivers/mmc/core/card.h b/drivers/mmc/core/card.h -index 79a5b985ccf5..9c821eedd156 100644 ---- a/drivers/mmc/core/card.h -+++ b/drivers/mmc/core/card.h -@@ -82,6 +82,7 @@ struct mmc_fixup { - #define CID_MANFID_APACER 0x27 - #define CID_MANFID_KINGSTON 0x70 - #define CID_MANFID_HYNIX 0x90 -+#define CID_MANFID_NUMONYX 0xFE - - #define END_FIXUP { NULL } - -diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h -index 75d317623852..5153577754f0 100644 ---- a/drivers/mmc/core/quirks.h -+++ b/drivers/mmc/core/quirks.h -@@ -109,6 +109,12 @@ static const struct mmc_fixup mmc_ext_csd_fixups[] = { - */ - MMC_FIXUP_EXT_CSD_REV(CID_NAME_ANY, CID_MANFID_HYNIX, - 0x014a, add_quirk, MMC_QUIRK_BROKEN_HPI, 5), -+ /* -+ * Certain Micron (Numonyx) eMMC 4.5 cards might get broken when HPI -+ * feature is used so disable the HPI feature for such buggy cards. -+ */ -+ MMC_FIXUP_EXT_CSD_REV(CID_NAME_ANY, CID_MANFID_NUMONYX, -+ 0x014e, add_quirk, MMC_QUIRK_BROKEN_HPI, 6), - - END_FIXUP - }; diff --git a/queue-4.9/nfsd-remove-blocked-locks-on-client-teardown.patch b/queue-4.9/nfsd-remove-blocked-locks-on-client-teardown.patch new file mode 100644 index 00000000000..00e75d04408 --- /dev/null +++ b/queue-4.9/nfsd-remove-blocked-locks-on-client-teardown.patch @@ -0,0 +1,142 @@ +From 68ef3bc3166468678d5e1fdd216628c35bd1186f Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 16 Mar 2018 11:32:02 -0400 +Subject: nfsd: remove blocked locks on client teardown + +From: Jeff Layton + +commit 68ef3bc3166468678d5e1fdd216628c35bd1186f upstream. + +We had some reports of panics in nfsd4_lm_notify, and that showed a +nfs4_lockowner that had outlived its so_client. + +Ensure that we walk any leftover lockowners after tearing down all of +the stateids, and remove any blocked locks that they hold. + +With this change, we also don't need to walk the nbl_lru on nfsd_net +shutdown, as that will happen naturally when we tear down the clients. + +Fixes: 76d348fadff5 (nfsd: have nfsd4_lock use blocking locks for v4.1+ locks) +Reported-by: Frank Sorenson +Signed-off-by: Jeff Layton +Cc: stable@vger.kernel.org # 4.9 +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 62 ++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 43 insertions(+), 19 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -263,6 +263,35 @@ free_blocked_lock(struct nfsd4_blocked_l + kfree(nbl); + } + ++static void ++remove_blocked_locks(struct nfs4_lockowner *lo) ++{ ++ struct nfs4_client *clp = lo->lo_owner.so_client; ++ struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id); ++ struct nfsd4_blocked_lock *nbl; ++ LIST_HEAD(reaplist); ++ ++ /* Dequeue all blocked locks */ ++ spin_lock(&nn->blocked_locks_lock); ++ while (!list_empty(&lo->lo_blocked)) { ++ nbl = list_first_entry(&lo->lo_blocked, ++ struct nfsd4_blocked_lock, ++ nbl_list); ++ list_del_init(&nbl->nbl_list); ++ list_move(&nbl->nbl_lru, &reaplist); ++ } ++ spin_unlock(&nn->blocked_locks_lock); ++ ++ /* Now free them */ ++ while (!list_empty(&reaplist)) { ++ nbl = list_first_entry(&reaplist, struct nfsd4_blocked_lock, ++ nbl_lru); ++ list_del_init(&nbl->nbl_lru); ++ posix_unblock_lock(&nbl->nbl_lock); ++ free_blocked_lock(nbl); ++ } ++} ++ + static int + nfsd4_cb_notify_lock_done(struct nfsd4_callback *cb, struct rpc_task *task) + { +@@ -1854,6 +1883,7 @@ static __be32 mark_client_expired_locked + static void + __destroy_client(struct nfs4_client *clp) + { ++ int i; + struct nfs4_openowner *oo; + struct nfs4_delegation *dp; + struct list_head reaplist; +@@ -1883,6 +1913,16 @@ __destroy_client(struct nfs4_client *clp + nfs4_get_stateowner(&oo->oo_owner); + release_openowner(oo); + } ++ for (i = 0; i < OWNER_HASH_SIZE; i++) { ++ struct nfs4_stateowner *so, *tmp; ++ ++ list_for_each_entry_safe(so, tmp, &clp->cl_ownerstr_hashtbl[i], ++ so_strhash) { ++ /* Should be no openowners at this point */ ++ WARN_ON_ONCE(so->so_is_open_owner); ++ remove_blocked_locks(lockowner(so)); ++ } ++ } + nfsd4_return_all_client_layouts(clp); + nfsd4_shutdown_callback(clp); + if (clp->cl_cb_conn.cb_xprt) +@@ -6266,6 +6306,7 @@ nfsd4_release_lockowner(struct svc_rqst + } + spin_unlock(&clp->cl_lock); + free_ol_stateid_reaplist(&reaplist); ++ remove_blocked_locks(lo); + nfs4_put_stateowner(&lo->lo_owner); + + return status; +@@ -7051,6 +7092,8 @@ nfs4_state_destroy_net(struct net *net) + } + } + ++ WARN_ON(!list_empty(&nn->blocked_locks_lru)); ++ + for (i = 0; i < CLIENT_HASH_SIZE; i++) { + while (!list_empty(&nn->unconf_id_hashtbl[i])) { + clp = list_entry(nn->unconf_id_hashtbl[i].next, struct nfs4_client, cl_idhash); +@@ -7117,7 +7160,6 @@ nfs4_state_shutdown_net(struct net *net) + struct nfs4_delegation *dp = NULL; + struct list_head *pos, *next, reaplist; + struct nfsd_net *nn = net_generic(net, nfsd_net_id); +- struct nfsd4_blocked_lock *nbl; + + cancel_delayed_work_sync(&nn->laundromat_work); + locks_end_grace(&nn->nfsd4_manager); +@@ -7138,24 +7180,6 @@ nfs4_state_shutdown_net(struct net *net) + nfs4_put_stid(&dp->dl_stid); + } + +- BUG_ON(!list_empty(&reaplist)); +- spin_lock(&nn->blocked_locks_lock); +- while (!list_empty(&nn->blocked_locks_lru)) { +- nbl = list_first_entry(&nn->blocked_locks_lru, +- struct nfsd4_blocked_lock, nbl_lru); +- list_move(&nbl->nbl_lru, &reaplist); +- list_del_init(&nbl->nbl_list); +- } +- spin_unlock(&nn->blocked_locks_lock); +- +- while (!list_empty(&reaplist)) { +- nbl = list_first_entry(&reaplist, +- struct nfsd4_blocked_lock, nbl_lru); +- list_del_init(&nbl->nbl_lru); +- posix_unblock_lock(&nbl->nbl_lock); +- free_blocked_lock(nbl); +- } +- + nfsd4_client_tracking_exit(net); + nfs4_state_destroy_net(net); + } diff --git a/queue-4.9/series b/queue-4.9/series index f64e5677aa7..845c4d5a118 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -10,4 +10,14 @@ ahci-add-pci-id-for-the-highpoint-rocketraid-644l-card.patch clk-bcm2835-fix-ana-maskx-definitions.patch clk-bcm2835-protect-sections-updating-shared-registers.patch clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch -mmc-core-disable-hpi-for-certain-micron-numonyx-emmc-cards.patch +bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch +libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch +libata-remove-warn-for-dma-or-pio-command-without-data.patch +libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch +libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch +libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch +libata-enable-queued-trim-for-samsung-ssd-860.patch +libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch +libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch +libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch +nfsd-remove-blocked-locks-on-client-teardown.patch