From: Greg Kroah-Hartman Date: Mon, 30 Oct 2017 09:28:57 +0000 (+0100) Subject: 4.13-stable patches X-Git-Tag: v3.18.79~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81d4a5f3eea801f499b7cb56f2745364ded1a64a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.13-stable patches added patches: assoc_array-fix-a-buggy-node-splitting-case.patch can-kvaser_usb-correct-return-value-in-printout.patch can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch can-sun4i-fix-loopback-mode.patch cfg80211-fix-connect-disconnect-edge-cases.patch cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch cifs-select-all-required-crypto-modules.patch drm-amd-powerplay-fix-uninitialized-variable.patch drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch fix-encryption-labels-and-lengths-for-smb3.1.1.patch fuse-fix-readdirplus-skipping-an-entry.patch input-elan_i2c-add-elan0611-to-the-acpi-table.patch input-gtco-fix-potential-out-of-bound-access.patch kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch ovl-add-null-check-in-ovl_alloc_inode.patch ovl-do-not-cleanup-unsupported-index-entries.patch ovl-fix-eio-from-lookup-of-non-indexed-upper.patch ovl-handle-enoent-on-index-lookup.patch pm-qos-fix-device-resume-latency-pm-qos.patch s390-kvm-fix-detection-of-guest-machine-checks.patch scsi-aacraid-fix-controller-initialization-failure.patch scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch smb3-validate-negotiate-request-must-always-be-signed.patch spi-a3700-return-correct-value-on-timeout-detection.patch spi-armada-3700-fix-failing-commands-with-quad-spi.patch spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch 
spi-uapi-spidev-add-missing-ioctl-header.patch x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch xen-fix-booting-ballooned-down-hvm-guest.patch xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch
---
diff --git a/queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch b/queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch
new file mode 100644
index 00000000000..729fca2dd92
--- /dev/null
+++ b/queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch
@@ -0,0 +1,122 @@ +From ea6789980fdaa610d7eb63602c746bf6ec70cd2b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 11 Oct 2017 23:32:27 +0100 +Subject: assoc_array: Fix a buggy node-splitting case + +From: David Howells + +commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream. + +This fixes CVE-2017-12193. + +Fix a case in the assoc_array implementation in which a new leaf is +added that needs to go into a node that happens to be full, where the +existing leaves in that node cluster together at that level to the +exclusion of new leaf. + +What needs to happen is that the existing leaves get moved out to a new +node, N1, at level + 1 and the existing node needs replacing with one, +N0, that has pointers to the new leaf and to N1. + +The code that tries to do this gets this wrong in two ways: + + (1) The pointer that should've pointed from N0 to N1 is set to point + recursively to N0 instead. + + (2) The backpointer from N0 needs to be set correctly in the case N0 is + either the root node or reached through a shortcut. + +Fix this by removing this path and using the split_node path instead, +which achieves the same end, but in a more general way (thanks to Eric +Biggers for spotting the redundancy). 
+ +The problem manifests itself as: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 + IP: assoc_array_apply_edit+0x59/0xe5 + +Fixes: 3cb989501c26 ("Add a generic associative array implementation.") +Reported-and-tested-by: WU Fan +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/assoc_array.c | 51 +++++++++++++++++---------------------------------- + 1 file changed, 17 insertions(+), 34 deletions(-) + +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -598,21 +598,31 @@ static bool assoc_array_insert_into_term + if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0) + goto all_leaves_cluster_together; + +- /* Otherwise we can just insert a new node ahead of the old +- * one. ++ /* Otherwise all the old leaves cluster in the same slot, but ++ * the new leaf wants to go into a different slot - so we ++ * create a new node (n0) to hold the new leaf and a pointer to ++ * a new node (n1) holding all the old leaves. ++ * ++ * This can be done by falling through to the node splitting ++ * path. + */ +- goto present_leaves_cluster_but_not_new_leaf; ++ pr_devel("present leaves cluster but not new leaf\n"); + } + + split_node: + pr_devel("split node\n"); + +- /* We need to split the current node; we know that the node doesn't +- * simply contain a full set of leaves that cluster together (it +- * contains meta pointers and/or non-clustering leaves). ++ /* We need to split the current node. The node must contain anything ++ * from a single leaf (in the one leaf case, this leaf will cluster ++ * with the new leaf) and the rest meta-pointers, to all leaves, some ++ * of which may cluster. ++ * ++ * It won't contain the case in which all the current leaves plus the ++ * new leaves want to cluster in the same slot. + * + * We need to expel at least two leaves out of a set consisting of the +- * leaves in the node and the new leaf. ++ * leaves in the node and the new leaf. 
The current meta pointers can ++ * just be copied as they shouldn't cluster with any of the leaves. + * + * We need a new node (n0) to replace the current one and a new node to + * take the expelled nodes (n1). +@@ -717,33 +727,6 @@ found_slot_for_multiple_occupancy: + pr_devel("<--%s() = ok [split node]\n", __func__); + return true; + +-present_leaves_cluster_but_not_new_leaf: +- /* All the old leaves cluster in the same slot, but the new leaf wants +- * to go into a different slot, so we create a new node to hold the new +- * leaf and a pointer to a new node holding all the old leaves. +- */ +- pr_devel("present leaves cluster but not new leaf\n"); +- +- new_n0->back_pointer = node->back_pointer; +- new_n0->parent_slot = node->parent_slot; +- new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch; +- new_n1->back_pointer = assoc_array_node_to_ptr(new_n0); +- new_n1->parent_slot = edit->segment_cache[0]; +- new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch; +- edit->adjust_count_on = new_n0; +- +- for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++) +- new_n1->slots[i] = node->slots[i]; +- +- new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0); +- edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]]; +- +- edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot]; +- edit->set[0].to = assoc_array_node_to_ptr(new_n0); +- edit->excised_meta[0] = assoc_array_node_to_ptr(node); +- pr_devel("<--%s() = ok [insert node before]\n", __func__); +- return true; +- + all_leaves_cluster_together: + /* All the leaves, new and old, want to cluster together in this node + * in the same slot, so we have to replace this node with a shortcut to diff --git a/queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch b/queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch new file mode 100644 index 00000000000..becc0837686 --- /dev/null 
+++ b/queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch
@@ -0,0 +1,33 @@
+From 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 24 Oct 2017 12:23:28 +0200
+Subject: can: kvaser_usb: Correct return value in printout
+
+From: Jimmy Assarsson
+
+commit 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 upstream.
+
+If the return value from kvaser_usb_send_simple_msg() was non-zero, the
+return value from kvaser_usb_flush_queue() was printed in the kernel
+warning.
+
+Signed-off-by: Jimmy Assarsson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -1609,7 +1609,8 @@ static int kvaser_usb_close(struct net_d
+ if (err)
+ netdev_warn(netdev, "Cannot flush queue, error %d\n", err);
+
+- if (kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel))
++ err = kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel);
++ if (err)
+ netdev_warn(netdev, "Cannot reset card, error %d\n", err);
+
+ err = kvaser_usb_stop_chip(priv);
diff --git a/queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch b/queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
new file mode 100644
index 00000000000..22131b5c28f
--- /dev/null
+++ b/queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
@@ -0,0 +1,50 @@
+From e1d2d1329a5722dbecc9c278303fcc4aa01f8790 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Tue, 24 Oct 2017 12:23:29 +0200
+Subject: can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
+
+From: Jimmy Assarsson
+
+commit e1d2d1329a5722dbecc9c278303fcc4aa01f8790 upstream.
+
+To avoid kernel warning "Unhandled message (68)", ignore the
+CMD_FLUSH_QUEUE_REPLY message for now.
+
+As of Leaf v2 firmware version v4.1.844 (2017-02-15), flush tx queue is
+synchronous. There is a capability bit indicating whether flushing tx
+queue is synchronous or asynchronous.
+
+A proper solution would be to query the device for capabilities. If the
+synchronous tx flush capability bit is set, we should wait for
+CMD_FLUSH_QUEUE_REPLY message, while flushing the tx queue.
+
+Signed-off-by: Jimmy Assarsson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -137,6 +137,7 @@ static inline bool kvaser_is_usbcan(cons
+ #define CMD_RESET_ERROR_COUNTER 49
+ #define CMD_TX_ACKNOWLEDGE 50
+ #define CMD_CAN_ERROR_EVENT 51
++#define CMD_FLUSH_QUEUE_REPLY 68
+
+ #define CMD_LEAF_USB_THROTTLE 77
+ #define CMD_LEAF_LOG_MESSAGE 106
+@@ -1301,6 +1302,11 @@ static void kvaser_usb_handle_message(co
+ goto warn;
+ break;
+
++ case CMD_FLUSH_QUEUE_REPLY:
++ if (dev->family != KVASER_LEAF)
++ goto warn;
++ break;
++
+ default:
+ warn: dev_warn(dev->udev->dev.parent,
+ "Unhandled message (%d)\n", msg->id);
diff --git a/queue-4.13/can-sun4i-fix-loopback-mode.patch b/queue-4.13/can-sun4i-fix-loopback-mode.patch
new file mode 100644
index 00000000000..2ec913be3e0
--- /dev/null
+++ b/queue-4.13/can-sun4i-fix-loopback-mode.patch
@@ -0,0 +1,38 @@
+From 3a379f5b36ae039dfeb6f73316e47ab1af4945df Mon Sep 17 00:00:00 2001
+From: Gerhard Bertelsmann
+Date: Thu, 17 Aug 2017 15:59:49 +0200
+Subject: can: sun4i: fix loopback mode
+
+From: Gerhard Bertelsmann
+
+commit 3a379f5b36ae039dfeb6f73316e47ab1af4945df upstream.
+
+Fix loopback mode by setting the right flag and remove presume mode.
+
+Signed-off-by: Gerhard Bertelsmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sun4i_can.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -342,7 +342,7 @@ static int sun4i_can_start(struct net_de
+
+ /* enter the selected mode */
+ mod_reg_val = readl(priv->base + SUN4I_REG_MSEL_ADDR);
+- if (priv->can.ctrlmode & CAN_CTRLMODE_PRESUME_ACK)
++ if (priv->can.ctrlmode & CAN_CTRLMODE_LOOPBACK)
+ mod_reg_val |= SUN4I_MSEL_LOOPBACK_MODE;
+ else if (priv->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+ mod_reg_val |= SUN4I_MSEL_LISTEN_ONLY_MODE;
+@@ -811,7 +811,6 @@ static int sun4ican_probe(struct platfor
+ priv->can.ctrlmode_supported = CAN_CTRLMODE_BERR_REPORTING |
+ CAN_CTRLMODE_LISTENONLY |
+ CAN_CTRLMODE_LOOPBACK |
+- CAN_CTRLMODE_PRESUME_ACK |
+ CAN_CTRLMODE_3_SAMPLES;
+ priv->base = addr;
+ priv->clk = clk;
diff --git a/queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch b/queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch
new file mode 100644
index 00000000000..41e35f89904
--- /dev/null
+++ b/queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch
@@ -0,0 +1,112 @@
+From 51e13359cd5ea34acc62c90627603352956380af Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 Oct 2017 21:56:20 +0200
+Subject: cfg80211: fix connect/disconnect edge cases
+
+From: Johannes Berg
+
+commit 51e13359cd5ea34acc62c90627603352956380af upstream.
+
+If we try to connect while already connected/connecting, but
+this fails, we set ssid_len=0 but leave current_bss hanging,
+leading to errors.
+
+Check all of this better, first of all ensuring that we can't
+try to connect to a different SSID while connected/ing; ensure
+that prev_bssid is set for re-association attempts even in the
+case of the driver supporting the connect() method, and don't
+reset ssid_len in the failure cases.
+
+While at it, also reset ssid_len while disconnecting unless we
+were connected and expect a disconnected event, and warn on a
+successful connection without ssid_len being set.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/sme.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 41 insertions(+), 9 deletions(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -522,11 +522,6 @@ static int cfg80211_sme_connect(struct w
+ return -EOPNOTSUPP;
+
+ if (wdev->current_bss) {
+- if (!prev_bssid)
+- return -EALREADY;
+- if (prev_bssid &&
+- !ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
+- return -ENOTCONN;
+ cfg80211_unhold_bss(wdev->current_bss);
+ cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub);
+ wdev->current_bss = NULL;
+@@ -1063,11 +1058,35 @@ int cfg80211_connect(struct cfg80211_reg
+
+ ASSERT_WDEV_LOCK(wdev);
+
+- if (WARN_ON(wdev->connect_keys)) {
+- kzfree(wdev->connect_keys);
+- wdev->connect_keys = NULL;
++ /*
++ * If we have an ssid_len, we're trying to connect or are
++ * already connected, so reject a new SSID unless it's the
++ * same (which is the case for re-association.)
++ */
++ if (wdev->ssid_len &&
++ (wdev->ssid_len != connect->ssid_len ||
++ memcmp(wdev->ssid, connect->ssid, wdev->ssid_len)))
++ return -EALREADY;
++
++ /*
++ * If connected, reject (re-)association unless prev_bssid
++ * matches the current BSSID.
++ */
++ if (wdev->current_bss) {
++ if (!prev_bssid)
++ return -EALREADY;
++ if (!ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
++ return -ENOTCONN;
+ }
+
++ /*
++ * Reject if we're in the process of connecting with WEP,
++ * this case isn't very interesting and trying to handle
++ * it would make the code much more complex.
++ */
++ if (wdev->connect_keys)
++ return -EINPROGRESS;
++
+ cfg80211_oper_and_ht_capa(&connect->ht_capa_mask,
+ rdev->wiphy.ht_capa_mod_mask);
+
+@@ -1118,7 +1137,12 @@ int cfg80211_connect(struct cfg80211_reg
+
+ if (err) {
+ wdev->connect_keys = NULL;
+- wdev->ssid_len = 0;
++ /*
++ * This could be reassoc getting refused, don't clear
++ * ssid_len in that case.
++ */
++ if (!wdev->current_bss)
++ wdev->ssid_len = 0;
+ return err;
+ }
+
+@@ -1145,6 +1169,14 @@ int cfg80211_disconnect(struct cfg80211_
+ else if (wdev->ssid_len)
+ err = rdev_disconnect(rdev, dev, reason);
+
++ /*
++ * Clear ssid_len unless we actually were fully connected,
++ * in which case cfg80211_disconnected() will take care of
++ * this later.
++ */
++ if (!wdev->current_bss)
++ wdev->ssid_len = 0;
++
+ return err;
+ }
+
diff --git a/queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch b/queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch
new file mode 100644
index 00000000000..41ecd9a3573
--- /dev/null
+++ b/queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch
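Review bot: In the cfg80211_disconnect() hunk the new `if (!wdev->current_bss) wdev->ssid_len = 0;` runs even when `rdev_disconnect()` has just returned an error, so a failed disconnect during a connection attempt clears the very state that the new SSID check at the top of cfg80211_connect() relies on. If clearing on failure is intended, the comment should say so; otherwise gate it, for example `if (!err && !wdev->current_bss)`. Both functions start and end outside the hunks, so how callers treat `err` cannot be confirmed from here.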
@@ -0,0 +1,41 @@
+From db3b5474f462e77b82ca1e27627f03c47b622c99 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?=
+Date: Wed, 11 Oct 2017 13:23:36 +0200
+Subject: CIFS: Fix NULL pointer deref on SMB2_tcon() failure
+
+From: Aurélien Aptel
+
+commit db3b5474f462e77b82ca1e27627f03c47b622c99 upstream.
+
+If SendReceive2() fails rsp is set to NULL but is dereferenced in the
+error handling code.
+
+Signed-off-by: Aurelien Aptel
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1243,7 +1243,7 @@ SMB2_tcon(const unsigned int xid, struct
+ struct smb2_tree_connect_req *req;
+ struct smb2_tree_connect_rsp *rsp = NULL;
+ struct kvec iov[2];
+- struct kvec rsp_iov;
++ struct kvec rsp_iov = { NULL, 0 };
+ int rc = 0;
+ int resp_buftype;
+ int unc_path_len;
+@@ -1360,7 +1360,7 @@ tcon_exit:
+ return rc;
+
+ tcon_error_exit:
+- if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
++ if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
+ cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
+ }
+ goto tcon_exit;
diff --git a/queue-4.13/cifs-select-all-required-crypto-modules.patch b/queue-4.13/cifs-select-all-required-crypto-modules.patch
new file mode 100644
index 00000000000..d03334a0fcd
--- /dev/null
+++ b/queue-4.13/cifs-select-all-required-crypto-modules.patch
@@ -0,0 +1,38 @@
+From 5b454a64555055aaa5769b3ba877bd911d375d5a Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Thu, 19 Oct 2017 13:09:29 -0700
+Subject: cifs: Select all required crypto modules
+
+From: Benjamin Gilbert
+
+commit 5b454a64555055aaa5769b3ba877bd911d375d5a upstream.
+
+Some dependencies were lost when CIFS_SMB2 was merged into CIFS.
+
+Fixes: 2a38e12053b7 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
+Signed-off-by: Benjamin Gilbert
+Reviewed-by: Aurelien Aptel
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/Kconfig | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -5,9 +5,14 @@ config CIFS
+ select CRYPTO
+ select CRYPTO_MD4
+ select CRYPTO_MD5
++ select CRYPTO_SHA256
++ select CRYPTO_CMAC
+ select CRYPTO_HMAC
+ select CRYPTO_ARC4
++ select CRYPTO_AEAD2
++ select CRYPTO_CCM
+ select CRYPTO_ECB
++ select CRYPTO_AES
+ select CRYPTO_DES
+ help
+ This is the client VFS module for the SMB3 family of NAS protocols,
diff --git a/queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch b/queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch
new file mode 100644
index 00000000000..028d1260c29
--- /dev/null
+++ b/queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch
@@ -0,0 +1,56 @@
+From 8b95f4f730cba02ef6febbdc4ca7e55ca045b00e Mon Sep 17 00:00:00 2001
+From: Rex Zhu
+Date: Fri, 20 Oct 2017 15:07:41 +0800
+Subject: drm/amd/powerplay: fix uninitialized variable
+
+From: Rex Zhu
+
+commit 8b95f4f730cba02ef6febbdc4ca7e55ca045b00e upstream.
+
+refresh_rate was not initialized when program
+display gap.
+this patch can fix vce ring test failed
+when do S3 on Polaris10.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=103102
+bug: https://bugzilla.kernel.org/show_bug.cgi?id=196615
+Reviewed-by: Alex Deucher
+Signed-off-by: Rex Zhu
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+@@ -830,7 +830,7 @@ uint32_t smu7_get_xclk(struct pp_hwmgr *
+ {
+ uint32_t reference_clock, tmp;
+ struct cgs_display_info info = {0};
+- struct cgs_mode_info mode_info;
++ struct cgs_mode_info mode_info = {0};
+
+ info.mode_info = &mode_info;
+
+@@ -3951,10 +3951,9 @@ static int smu7_program_display_gap(stru
+ uint32_t ref_clock;
+ uint32_t refresh_rate = 0;
+ struct cgs_display_info info = {0};
+- struct cgs_mode_info mode_info;
++ struct cgs_mode_info mode_info = {0};
+
+ info.mode_info = &mode_info;
+-
+ cgs_get_active_displays_info(hwmgr->device, &info);
+ num_active_displays = info.display_count;
+
+@@ -3970,6 +3969,7 @@ static int smu7_program_display_gap(stru
+ frame_time_in_us = 1000000 / refresh_rate;
+
+ pre_vbi_time_in_us = frame_time_in_us - 200 - mode_info.vblank_time_us;
++
+ data->frame_time_x2 = frame_time_in_us * 2 / 100;
+
+ display_gap2 = pre_vbi_time_in_us * (ref_clock / 100);
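Review bot: In smu7_program_display_gap() the result of `cgs_get_active_displays_info(hwmgr->device, &info);` is not checked, and with `mode_info` now zero-initialised a failed or empty query leaves every field at 0 ahead of `frame_time_in_us = 1000000 / refresh_rate;`. The lines between the second and third hunk are not shown, so confirm that `refresh_rate` is forced non-zero there before the division. `frame_time_in_us - 200 - mode_info.vblank_time_us` can also wrap if these are unsigned and the vblank time is large; a short comment stating the expected range, or a clamp, would make that explicit.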
diff --git a/queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch b/queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch
new file mode 100644
index 00000000000..f581b708fbe
--- /dev/null
+++ b/queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch
@@ -0,0 +1,38 @@
+From 7277f755048da562eb2489becacd38d0d05e1e06 Mon Sep 17 00:00:00 2001
+From: Lionel Landwerlin
+Date: Tue, 24 Oct 2017 16:27:28 +0100
+Subject: drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
+
+From: Lionel Landwerlin
+
+commit 7277f755048da562eb2489becacd38d0d05e1e06 upstream.
+
+The compat callback was missing and triggered failures in 32bits
+userspace when enabling/disable the perf stream. We don't require any
+particular processing here as these ioctls don't take any argument.
+
+Signed-off-by: Lionel Landwerlin
+Fixes: eec688e1420 ("drm/i915: Add i915 perf infrastructure")
+Reviewed-by: Chris Wilson
+Link: https://patchwork.freedesktop.org/patch/msgid/20171024152728.4873-1-lionel.g.landwerlin@intel.com
+(cherry picked from commit 191f896085cf3b5d85920d58a759da4eea141721)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_perf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_perf.c
++++ b/drivers/gpu/drm/i915/i915_perf.c
+@@ -2480,6 +2480,10 @@ static const struct file_operations fops
+ .poll = i915_perf_poll,
+ .read = i915_perf_read,
+ .unlocked_ioctl = i915_perf_ioctl,
++ /* Our ioctl have no arguments, so it's safe to use the same function
++ * to handle 32bits compatibility.
++ */
++ .compat_ioctl = i915_perf_ioctl,
+ };
+
+
diff --git a/queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch b/queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch
new file mode 100644
index 00000000000..c59c07b8bba
--- /dev/null
+++ b/queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch
@@ -0,0 +1,93 @@ +From 06e2290844fa408d3295ac03a1647f0798518ebe Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 25 Sep 2017 20:11:58 -0500 +Subject: Fix encryption labels and lengths for SMB3.1.1 + +From: Steve French + +commit 06e2290844fa408d3295ac03a1647f0798518ebe upstream. + +SMB3.1.1 is most secure and recent dialect. Fixup labels and lengths +for sMB3.1.1 signing and encryption. + +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsglob.h | 8 ++++++-- + fs/cifs/smb2transport.c | 26 ++++++++++++++------------ + 2 files changed, 20 insertions(+), 14 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -661,7 +661,9 @@ struct TCP_Server_Info { + #endif + unsigned int max_read; + unsigned int max_write; +- __u8 preauth_hash[512]; ++#ifdef CONFIG_CIFS_SMB311 ++ __u8 preauth_sha_hash[64]; /* save initital negprot hash */ ++#endif /* 3.1.1 */ + struct delayed_work reconnect; /* reconnect workqueue job */ + struct mutex reconnect_mutex; /* prevent simultaneous reconnects */ + unsigned long echo_interval; +@@ -849,7 +851,9 @@ struct cifs_ses { + __u8 smb3signingkey[SMB3_SIGN_KEY_SIZE]; + __u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE]; + __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE]; +- __u8 preauth_hash[512]; ++#ifdef CONFIG_CIFS_SMB311 ++ __u8 preauth_sha_hash[64]; ++#endif /* 3.1.1 */ + }; + + static inline bool +--- a/fs/cifs/smb2transport.c ++++ b/fs/cifs/smb2transport.c +@@ -390,6 +390,7 @@ generate_smb30signingkey(struct cifs_ses + return generate_smb3signingkey(ses, &triplet); + } + ++#ifdef CONFIG_CIFS_SMB311 + int + generate_smb311signingkey(struct cifs_ses *ses) + +@@ -398,25 +399,26 @@ generate_smb311signingkey(struct cifs_se + struct derivation *d; + + d = &triplet.signing; +- d->label.iov_base = "SMB2AESCMAC"; +- d->label.iov_len = 12; +- d->context.iov_base = "SmbSign"; +- d->context.iov_len = 8; ++ d->label.iov_base = "SMBSigningKey"; ++ d->label.iov_len = 14; ++ d->context.iov_base = 
ses->preauth_sha_hash; ++ d->context.iov_len = 64; + + d = &triplet.encryption; +- d->label.iov_base = "SMB2AESCCM"; +- d->label.iov_len = 11; +- d->context.iov_base = "ServerIn "; +- d->context.iov_len = 10; ++ d->label.iov_base = "SMBC2SCipherKey"; ++ d->label.iov_len = 16; ++ d->context.iov_base = ses->preauth_sha_hash; ++ d->context.iov_len = 64; + + d = &triplet.decryption; +- d->label.iov_base = "SMB2AESCCM"; +- d->label.iov_len = 11; +- d->context.iov_base = "ServerOut"; +- d->context.iov_len = 10; ++ d->label.iov_base = "SMBS2CCipherKey"; ++ d->label.iov_len = 16; ++ d->context.iov_base = ses->preauth_sha_hash; ++ d->context.iov_len = 64; + + return generate_smb3signingkey(ses, &triplet); + } ++#endif /* 311 */ + + int + smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server) diff --git a/queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch b/queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch new file mode 100644 index 00000000000..e727925db4a --- /dev/null +++ b/queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch 
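Review bot: In generate_smb311signingkey() the key-derivation context becomes `ses->preauth_sha_hash`, but none of the hunks shown writes that buffer, so unless it is filled elsewhere the SMB3.1.1 signing and cipher keys are derived from whatever the session struct happens to hold (possibly all zeroes). The lengths `14`, `16` and `64` are hand-counted, with the label lengths including the terminating NUL; `sizeof("SMBSigningKey")` and a named constant for the 64-byte hash would remove the risk of a miscount. The function now sits inside `#ifdef CONFIG_CIFS_SMB311`, so its declaration and any caller need the same guard, and those are outside this patch. The new comment also has a typo, `initital`.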
@@ -0,0 +1,40 @@
+From c6cdd51404b7ac12dd95173ddfc548c59ecf037f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 25 Oct 2017 16:34:27 +0200
+Subject: fuse: fix READDIRPLUS skipping an entry
+
+From: Miklos Szeredi
+
+commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.
+
+Marios Titas running a Haskell program noticed a problem with fuse's
+readdirplus: when it is interrupted by a signal, it skips one directory
+entry.
+
+The reason is that fuse erronously updates ctx->pos after a failed
+dir_emit().
+
+The issue originates from the patch adding readdirplus support.
+
+Reported-by: Jakob Unterwurzacher
+Tested-by: Marios Titas
+Signed-off-by: Miklos Szeredi
+Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1312,7 +1312,8 @@ static int parse_dirplusfile(char *buf,
+ */
+ over = !dir_emit(ctx, dirent->name, dirent->namelen,
+ dirent->ino, dirent->type);
+- ctx->pos = dirent->off;
++ if (!over)
++ ctx->pos = dirent->off;
+ }
+
+ buf += reclen;
diff --git a/queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch b/queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch
new file mode 100644
index 00000000000..bf73107a542
--- /dev/null
+++ b/queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch
@@ -0,0 +1,36 @@
+From 57a95b41869b8f0d1949c24df2a9dac1ca7082ee Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Tue, 24 Oct 2017 11:08:18 -0700
+Subject: Input: elan_i2c - add ELAN0611 to the ACPI table
+
+From: Kai-Heng Feng
+
+commit 57a95b41869b8f0d1949c24df2a9dac1ca7082ee upstream.
+
+ELAN0611 touchpad uses elan_i2c as its driver. It can be found
+on Lenovo ideapad 320-15IKB.
+
+So add it to ACPI table to enable the touchpad.
+
+[Ido Adiv reports that the same ACPI ID is used for
+Elan touchpad in ideapad 520].
+
+BugLink: https://bugs.launchpad.net/bugs/1723736
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1253,6 +1253,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0605", 0 },
+ { "ELAN0609", 0 },
+ { "ELAN060B", 0 },
++ { "ELAN0611", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
diff --git a/queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch b/queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch
new file mode 100644
index 00000000000..81b2df8e367
--- /dev/null
+++ b/queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch
@@ -0,0 +1,57 @@ +From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 23 Oct 2017 16:46:00 -0700 +Subject: Input: gtco - fix potential out-of-bound access + +From: Dmitry Torokhov + +commit a50829479f58416a013a4ccca791336af3c584c7 upstream. + +parse_hid_report_descriptor() has a while (i < length) loop, which +only guarantees that there's at least 1 byte in the buffer, but the +loop body can read multiple bytes which causes out-of-bounds access. + +Reported-by: Andrey Konovalov +Reviewed-by: Andrey Konovalov +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/gtco.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor( + + /* Walk this report and pull out the info we need */ + while (i < length) { +- prefix = report[i]; +- +- /* Skip over prefix */ +- i++; ++ prefix = report[i++]; + + /* Determine data size and save the data in the proper variable */ +- size = PREF_SIZE(prefix); ++ size = (1U << PREF_SIZE(prefix)) >> 1; ++ if (i + size > length) { ++ dev_err(ddev, ++ "Not enough data (need %d, have %d)\n", ++ i + size, length); ++ break; ++ } ++ + switch (size) { + case 1: + data = report[i]; +@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor( + case 2: + data16 = get_unaligned_le16(&report[i]); + break; +- case 3: +- size = 4; ++ case 4: + data32 = get_unaligned_le32(&report[i]); + break; + } diff --git a/queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch b/queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch new file mode 100644 index 00000000000..3dc5d8b0d06 --- /dev/null +++ b/queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch 
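Review bot: The new size decode `size = (1U << PREF_SIZE(prefix)) >> 1;` needs a comment, because it quietly replaces the old `case 3: size = 4;` mapping; something like `/* size code 0, 1, 2, 3 means 0, 1, 2 or 4 data bytes */` would do. The bounds check `i + size > length` is reported with `%d`, but the declarations of `i`, `size` and `length` are outside the hunk, so check that they are signed ints; if the types are mixed, both the format specifier and the comparison need adjusting. On a short descriptor the loop only `break`s, so any code after the loop in parse_hid_report_descriptor(), which is not shown here, still runs on partially parsed state.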
@@ -0,0 +1,46 @@
+From 2cde3716321ec64a1faeaf567bd94100c7b4160f Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Tue, 10 Oct 2017 20:18:28 +1000
+Subject: KVM: PPC: Book3S HV: POWER9 more doorbell fixes
+
+From: Nicholas Piggin
+
+commit 2cde3716321ec64a1faeaf567bd94100c7b4160f upstream.
+
+- Add another case where msgsync is required.
+- Required barrier sequence for global doorbells is msgsync ; lwsync
+
+When msgsnd is used for IPIs to other cores, msgsync must be executed by
+the target to order stores performed on the source before its msgsnd
+(provided the source executes the appropriate sync).
+
+Fixes: 1704a81ccebc ("KVM: PPC: Book3S HV: Use msgsnd for IPIs to other cores on POWER9")
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1296,6 +1296,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+ bne 3f
+ BEGIN_FTR_SECTION
+ PPC_MSGSYNC
++ lwsync
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+ lbz r0, HSTATE_HOST_IPI(r13)
+ cmpwi r0, 0
+@@ -2767,6 +2768,10 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
+ PPC_MSGCLR(6)
+ /* see if it's a host IPI */
+ li r3, 1
++BEGIN_FTR_SECTION
++ PPC_MSGSYNC
++ lwsync
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+ lbz r0, HSTATE_HOST_IPI(r13)
+ cmpwi r0, 0
+ bnelr
diff --git a/queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch b/queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch
new file mode 100644
index 00000000000..ef8fac4b255
--- /dev/null
+++ b/queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch
@@ -0,0 +1,99 @@ +From 8f6a9f0d0604817f7c8d4376fd51718f1bf192ee Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 11 Oct 2017 16:00:34 +1100 +Subject: KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU + +From: Alexey Kardashevskiy + +commit 8f6a9f0d0604817f7c8d4376fd51718f1bf192ee upstream. + +kvmppc_gpa_to_ua() accesses KVM memory slot array via +srcu_dereference_check() and this produces warnings from RCU like below. + +This extends the existing srcu_read_lock/unlock to cover that +kvmppc_gpa_to_ua() as well. + +We did not hit this before as this lock is not needed for the realmode +handlers and hash guests would use the realmode path all the time; +however the radix guests are always redirected to the virtual mode +handlers and hence the warning. + +[ 68.253798] ./include/linux/kvm_host.h:575 suspicious rcu_dereference_check() usage! +[ 68.253799] + other info that might help us debug this: + +[ 68.253802] + rcu_scheduler_active = 2, debug_locks = 1 +[ 68.253804] 1 lock held by qemu-system-ppc/6413: +[ 68.253806] #0: (&vcpu->mutex){+.+.}, at: [] vcpu_load+0x3c/0xc0 [kvm] +[ 68.253826] + stack backtrace: +[ 68.253830] CPU: 92 PID: 6413 Comm: qemu-system-ppc Tainted: G W 4.14.0-rc3-00553-g432dcba58e9c-dirty #72 +[ 68.253833] Call Trace: +[ 68.253839] [c000000fd3d9f790] [c000000000b7fcc8] dump_stack+0xe8/0x160 (unreliable) +[ 68.253845] [c000000fd3d9f7d0] [c0000000001924c0] lockdep_rcu_suspicious+0x110/0x180 +[ 68.253851] [c000000fd3d9f850] [c0000000000e825c] kvmppc_gpa_to_ua+0x26c/0x2b0 +[ 68.253858] [c000000fd3d9f8b0] [c00800000e3e1984] kvmppc_h_put_tce+0x12c/0x2a0 [kvm] + +Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO") +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_64_vio.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_vio.c ++++ 
b/arch/powerpc/kvm/book3s_64_vio.c +@@ -479,28 +479,30 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v + return ret; + + dir = iommu_tce_direction(tce); ++ ++ idx = srcu_read_lock(&vcpu->kvm->srcu); ++ + if ((dir != DMA_NONE) && kvmppc_gpa_to_ua(vcpu->kvm, +- tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL)) +- return H_PARAMETER; ++ tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL)) { ++ ret = H_PARAMETER; ++ goto unlock_exit; ++ } + + entry = ioba >> stt->page_shift; + + list_for_each_entry_lockless(stit, &stt->iommu_tables, next) { +- if (dir == DMA_NONE) { ++ if (dir == DMA_NONE) + ret = kvmppc_tce_iommu_unmap(vcpu->kvm, + stit->tbl, entry); +- } else { +- idx = srcu_read_lock(&vcpu->kvm->srcu); ++ else + ret = kvmppc_tce_iommu_map(vcpu->kvm, stit->tbl, + entry, ua, dir); +- srcu_read_unlock(&vcpu->kvm->srcu, idx); +- } + + if (ret == H_SUCCESS) + continue; + + if (ret == H_TOO_HARD) +- return ret; ++ goto unlock_exit; + + WARN_ON_ONCE(1); + kvmppc_clear_tce(stit->tbl, entry); +@@ -508,7 +510,10 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v + + kvmppc_tce_put(stt, entry, tce); + +- return H_SUCCESS; ++unlock_exit: ++ srcu_read_unlock(&vcpu->kvm->srcu, idx); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(kvmppc_h_put_tce); + diff --git a/queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch b/queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch new file mode 100644 index 00000000000..c8b673159f1 --- /dev/null +++ b/queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch 
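Review bot: Replacing the final `return H_SUCCESS;` with `return ret;` in kvmppc_h_put_tce() changes the result when the last pass of the `list_for_each_entry_lockless()` loop takes the `WARN_ON_ONCE(1)` path. In that case `ret` still holds the iteration's error and is returned after `kvmppc_tce_put()` has run, where the old code reported `H_SUCCESS`. If the old result was intended, add `ret = H_SUCCESS;` right after `kvmppc_tce_put(stt, entry, tce);`. If the new result is intended, the commit message should say so, since it describes only the SRCU coverage. The lines between the two hunks are not shown, so this assumes nothing there resets `ret`.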
@@ -0,0 +1,54 @@
+From ac64115a66c18c01745bbd3c47a36b124e5fd8c0 Mon Sep 17 00:00:00 2001
+From: Greg Kurz
+Date: Thu, 14 Sep 2017 23:56:25 +0200
+Subject: KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
+
+From: Greg Kurz
+
+commit ac64115a66c18c01745bbd3c47a36b124e5fd8c0 upstream.
+
+The following program causes a kernel oops:
+
+#include
+#include
+#include
+#include
+#include
+
+main()
+{
+ int fd = open("/dev/kvm", O_RDWR);
+ ioctl(fd, KVM_CHECK_EXTENSION, KVM_CAP_PPC_HTM);
+}
+
+This happens because when using the global KVM fd with
+KVM_CHECK_EXTENSION, kvm_vm_ioctl_check_extension() gets
+called with a NULL kvm argument, which gets dereferenced
+in is_kvmppc_hv_enabled(). Spotted while reading the code.
+
+Let's use the hv_enabled fallback variable, like everywhere
+else in this function.
+
+Fixes: 23528bb21ee2 ("KVM: PPC: Introduce KVM_CAP_PPC_HTM")
+Signed-off-by: Greg Kurz
+Reviewed-by: David Gibson
+Reviewed-by: Thomas Huth
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/powerpc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -639,8 +639,7 @@ int kvm_vm_ioctl_check_extension(struct
+ break;
+ #endif
+ case KVM_CAP_PPC_HTM:
+- r = cpu_has_feature(CPU_FTR_TM_COMP) &&
+- is_kvmppc_hv_enabled(kvm);
++ r = cpu_has_feature(CPU_FTR_TM_COMP) && hv_enabled;
+ break;
+ default:
+ r = 0;
diff --git a/queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch b/queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch
new file mode 100644
index 00000000000..88bcd330199
--- /dev/null
+++ b/queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch
@@ -0,0 +1,62 @@ +From 32e67a3a06b88904155170560b7a63d372b320bd Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 24 Oct 2017 15:57:18 -0400 +Subject: nbd: handle interrupted sendmsg with a sndtimeo set + +From: Josef Bacik + +commit 32e67a3a06b88904155170560b7a63d372b320bd upstream. + +If you do not set sk_sndtimeo you will get -ERESTARTSYS if there is a +pending signal when you enter sendmsg, which we handle properly. +However if you set a timeout for your commands we'll set sk_sndtimeo to +that timeout, which means that sendmsg will start returning -EINTR +instead of -ERESTARTSYS. Fix this by checking either cases and doing +the correct thing. + +Fixes: dc88e34d69d8 ("nbd: set sk->sk_sndtimeo for our sockets") +Reported-and-tested-by: Daniel Xu +Signed-off-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/nbd.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -386,6 +386,15 @@ static int sock_xmit(struct nbd_device * + return result; + } + ++/* ++ * Different settings for sk->sk_sndtimeo can result in different return values ++ * if there is a signal pending when we enter sendmsg, because reasons? ++ */ ++static inline int was_interrupted(int result) ++{ ++ return result == -ERESTARTSYS || result == -EINTR; ++} ++ + /* always call with the tx_lock held */ + static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index) + { +@@ -458,7 +467,7 @@ static int nbd_send_cmd(struct nbd_devic + result = sock_xmit(nbd, index, 1, &from, + (type == NBD_CMD_WRITE) ? 
MSG_MORE : 0, &sent); + if (result <= 0) { +- if (result == -ERESTARTSYS) { ++ if (was_interrupted(result)) { + /* If we havne't sent anything we can just return BUSY, + * however if we have sent something we need to make + * sure we only allow this req to be sent until we are +@@ -502,7 +511,7 @@ send_pages: + } + result = sock_xmit(nbd, index, 1, &from, flags, &sent); + if (result <= 0) { +- if (result == -ERESTARTSYS) { ++ if (was_interrupted(result)) { + /* We've already sent the header, we + * have no choice but to set pending and + * return BUSY. diff --git a/queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch b/queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch new file mode 100644 index 00000000000..331d026b0c0 --- /dev/null +++ b/queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch @@ -0,0 +1,31 @@ +From b3885bd6edb41b91a0e3976469f72ae31bfb8d95 Mon Sep 17 00:00:00 2001 +From: Hirofumi Nakagawa +Date: Tue, 26 Sep 2017 03:09:53 +0900 +Subject: ovl: add NULL check in ovl_alloc_inode + +From: Hirofumi Nakagawa + +commit b3885bd6edb41b91a0e3976469f72ae31bfb8d95 upstream. + +This was detected by fault injection test + +Signed-off-by: Hirofumi Nakagawa +Fixes: 13cf199d0088 ("ovl: allocate an ovl_inode struct") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -174,6 +174,9 @@ static struct inode *ovl_alloc_inode(str + { + struct ovl_inode *oi = kmem_cache_alloc(ovl_inode_cachep, GFP_KERNEL); + ++ if (!oi) ++ return NULL; ++ + oi->cache = NULL; + oi->redirect = NULL; + oi->version = 0; diff --git a/queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch b/queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch new file mode 100644 index 00000000000..f4cb943329c --- /dev/null +++ b/queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch 
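Review bot: The comment above `was_interrupted()` ends in "because reasons?", which tells the next reader nothing even though the commit message already holds the explanation. I would state it in the code: `/* sendmsg() returns -ERESTARTSYS for a pending signal when sk_sndtimeo is unset and -EINTR when a timeout is set; treat both as an interruption. */`. As the helper is a pure predicate, `static inline bool was_interrupted(int result)` would also describe it better than an `int` return. Both call sites in nbd_send_cmd() are inside a function that starts and ends outside the hunks.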
@@ -0,0 +1,74 @@ +From fa0096e3bad69ed6f34843fd7ae1c45ca987012a Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 24 Oct 2017 12:24:11 +0300 +Subject: ovl: do not cleanup unsupported index entries + +From: Amir Goldstein + +commit fa0096e3bad69ed6f34843fd7ae1c45ca987012a upstream. + +With index=on, ovl_indexdir_cleanup() tries to cleanup invalid index +entries (e.g. bad index name). This behavior could result in cleaning of +entries created by newer kernels and is therefore undesirable. +Instead, abort mount if such entries are encountered. We still cleanup +'stale' entries and 'orphan' entries, both those cases can be a result +of offline changes to lower and upper dirs. + +When encoutering an index entry of type directory or whiteout, kernel +was supposed to fallback to read-only mount, but the fill_super() +operation returns EROFS in this case instead of returning success with +read-only mount flag, so mount fails when encoutering directory or +whiteout index entries. Bless this behavior by returning -EINVAL on +directory and whiteout index entries as we do for all unsupported index +entries. + +Fixes: 61b674710cd9 ("ovl: do not cleanup directory and whiteout index..") +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/namei.c | 7 +++---- + fs/overlayfs/readdir.c | 11 +++++------ + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/overlayfs/namei.c ++++ b/fs/overlayfs/namei.c +@@ -405,14 +405,13 @@ int ovl_verify_index(struct dentry *inde + * be treated as stale (i.e. after unlink of the overlay inode). + * We don't know the verification rules for directory and whiteout + * index entries, because they have not been implemented yet, so return +- * EROFS if those entries are found to avoid corrupting an index that +- * was created by a newer kernel. ++ * EINVAL if those entries are found to abort the mount to avoid ++ * corrupting an index that was created by a newer kernel. 
+ */ +- err = -EROFS; ++ err = -EINVAL; + if (d_is_dir(index) || ovl_is_whiteout(index)) + goto fail; + +- err = -EINVAL; + if (index->d_name.len < sizeof(struct ovl_fh)*2) + goto fail; + +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -704,13 +704,12 @@ int ovl_indexdir_cleanup(struct dentry * + break; + } + err = ovl_verify_index(index, lowerstack, numlower); +- if (err) { +- if (err == -EROFS) +- break; ++ /* Cleanup stale and orphan index entries */ ++ if (err && (err == -ESTALE || err == -ENOENT)) + err = ovl_cleanup(dir, index); +- if (err) +- break; +- } ++ if (err) ++ break; ++ + dput(index); + index = NULL; + } diff --git a/queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch b/queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch new file mode 100644 index 00000000000..15766061b0f --- /dev/null +++ b/queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch 
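Review bot: In ovl_indexdir_cleanup() the condition `if (err && (err == -ESTALE || err == -ENOENT))` tests `err` twice. The leading `err &&` adds nothing, so `if (err == -ESTALE || err == -ENOENT)` says the same thing. The following `if (err) break;` leaves the loop before `dput(index)`, as the removed code did, so the reference is presumably dropped after the loop, outside the hunk. That is worth confirming now that every unsupported entry takes this exit.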
@@ -0,0 +1,130 @@ +From 6eaf011144af10cad34c0d46f82e50d382c8e926 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 12 Oct 2017 19:03:04 +0300 +Subject: ovl: fix EIO from lookup of non-indexed upper + +From: Amir Goldstein + +commit 6eaf011144af10cad34c0d46f82e50d382c8e926 upstream. + +Commit fbaf94ee3cd5 ("ovl: don't set origin on broken lower hardlink") +attempt to avoid the condition of non-indexed upper inode with lower +hardlink as origin. If this condition is found, lookup returns EIO. + +The protection of commit mentioned above does not cover the case of lower +that is not a hardlink when it is copied up (with either index=off/on) +and then lower is hardlinked while overlay is offline. + +Changes to lower layer while overlayfs is offline should not result in +unexpected behavior, so a permanent EIO error after creating a link in +lower layer should not be considered as correct behavior. + +This fix replaces EIO error with success in cases where upper has origin +but no index is found, or index is found that does not match upper +inode. In those cases, lookup will not fail and the returned overlay inode +will be hashed by upper inode instead of by lower origin inode. + +Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/inode.c | 20 ++++++++++++++++---- + fs/overlayfs/namei.c | 20 ++++++++------------ + fs/overlayfs/overlayfs.h | 3 ++- + 3 files changed, 26 insertions(+), 17 deletions(-) + +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -595,18 +595,30 @@ static bool ovl_verify_inode(struct inod + return true; + } + +-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry) ++struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry, ++ struct dentry *index) + { + struct dentry *lowerdentry = ovl_dentry_lower(dentry); + struct inode *realinode = upperdentry ? 
d_inode(upperdentry) : NULL; + struct inode *inode; ++ /* Already indexed or could be indexed on copy up? */ ++ bool indexed = (index || (ovl_indexdir(dentry->d_sb) && !upperdentry)); ++ ++ if (WARN_ON(upperdentry && indexed && !lowerdentry)) ++ return ERR_PTR(-EIO); + + if (!realinode) + realinode = d_inode(lowerdentry); + +- if (!S_ISDIR(realinode->i_mode) && +- (upperdentry || (lowerdentry && ovl_indexdir(dentry->d_sb)))) { +- struct inode *key = d_inode(lowerdentry ?: upperdentry); ++ /* ++ * Copy up origin (lower) may exist for non-indexed upper, but we must ++ * not use lower as hash key in that case. ++ * Hash inodes that are or could be indexed by origin inode and ++ * non-indexed upper inodes that could be hard linked by upper inode. ++ */ ++ if (!S_ISDIR(realinode->i_mode) && (upperdentry || indexed)) { ++ struct inode *key = d_inode(indexed ? lowerdentry : ++ upperdentry); + unsigned int nlink; + + inode = iget5_locked(dentry->d_sb, (unsigned long) key, +--- a/fs/overlayfs/namei.c ++++ b/fs/overlayfs/namei.c +@@ -516,18 +516,9 @@ static struct dentry *ovl_lookup_index(s + + inode = d_inode(index); + if (d_is_negative(index)) { +- if (upper && d_inode(origin)->i_nlink > 1) { +- pr_warn_ratelimited("overlayfs: hard link with origin but no index (ino=%lu).\n", +- d_inode(origin)->i_ino); +- goto fail; +- } +- +- dput(index); +- index = NULL; ++ goto out_dput; + } else if (upper && d_inode(upper) != inode) { +- pr_warn_ratelimited("overlayfs: wrong index found (index=%pd2, ino=%lu, upper ino=%lu).\n", +- index, inode->i_ino, d_inode(upper)->i_ino); +- goto fail; ++ goto out_dput; + } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || + ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { + /* +@@ -547,6 +538,11 @@ out: + kfree(name.name); + return index; + ++out_dput: ++ dput(index); ++ index = NULL; ++ goto out; ++ + fail: + dput(index); + index = ERR_PTR(-EIO); +@@ -709,7 +705,7 @@ struct dentry *ovl_lookup(struct inode * + upperdentry = 
dget(index); + + if (upperdentry || ctr) { +- inode = ovl_get_inode(dentry, upperdentry); ++ inode = ovl_get_inode(dentry, upperdentry, index); + err = PTR_ERR(inode); + if (IS_ERR(inode)) + goto out_free_oe; +--- a/fs/overlayfs/overlayfs.h ++++ b/fs/overlayfs/overlayfs.h +@@ -284,7 +284,8 @@ int ovl_update_time(struct inode *inode, + bool ovl_is_private_xattr(const char *name); + + struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev); +-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry); ++struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry, ++ struct dentry *index); + static inline void ovl_copyattr(struct inode *from, struct inode *to) + { + to->i_uid = from->i_uid; diff --git a/queue-4.13/ovl-handle-enoent-on-index-lookup.patch b/queue-4.13/ovl-handle-enoent-on-index-lookup.patch new file mode 100644 index 00000000000..8a67a272dac --- /dev/null +++ b/queue-4.13/ovl-handle-enoent-on-index-lookup.patch 
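Review bot: Both `pr_warn_ratelimited()` calls in ovl_lookup_index() are removed together with the `-EIO`, so an index that is missing or that points at a different inode than upper now leaves no trace in the log. The commit message explains why the lookup should succeed, but an administrator checking whether the lower layer was changed while the overlay was offline loses the only signal of it. A quiet `pr_debug("overlayfs: index does not match upper (index=%pd2)\n", index);` in the `upper && d_inode(upper) != inode` branch would keep that signal without failing the lookup. ovl_lookup_index() starts and ends outside the hunk.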
@@ -0,0 +1,34 @@
+From 7937a56fdf0b064c2ffa33025210f725a4ebc822 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Fri, 20 Oct 2017 17:19:06 +0300
+Subject: ovl: handle ENOENT on index lookup
+
+From: Amir Goldstein
+
+commit 7937a56fdf0b064c2ffa33025210f725a4ebc822 upstream.
+
+Treat ENOENT from index entry lookup the same way as treating a returned
+negative dentry. Apparently, either could be returned if file is not
+found, depending on the underlying file system.
+
+Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
+Signed-off-by: Amir Goldstein
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -507,6 +507,10 @@ static struct dentry *ovl_lookup_index(s
+ index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
+ if (IS_ERR(index)) {
+ err = PTR_ERR(index);
++ if (err == -ENOENT) {
++ index = NULL;
++ goto out;
++ }
+ pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
+ "overlayfs: mount with '-o index=off' to disable inodes index.\n",
+ d_inode(origin)->i_ino, name.len, name.name,
diff --git a/queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch b/queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch
new file mode 100644
index 00000000000..a6ff8d5540f
--- /dev/null
+++ b/queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch
@@ -0,0 +1,274 @@ +From 0cc2b4e5a020fc7f4d1795741c116c983e9467d7 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 24 Oct 2017 15:20:45 +0200 +Subject: PM / QoS: Fix device resume latency PM QoS + +From: Rafael J. Wysocki + +commit 0cc2b4e5a020fc7f4d1795741c116c983e9467d7 upstream. + +The special value of 0 for device resume latency PM QoS means +"no restriction", but there are two problems with that. + +First, device resume latency PM QoS requests with 0 as the +value are always put in front of requests with positive +values in the priority lists used internally by the PM QoS +framework, causing 0 to be chosen as an effective constraint +value. However, that 0 is then interpreted as "no restriction" +effectively overriding the other requests with specific +restrictions which is incorrect. + +Second, the users of device resume latency PM QoS have no +way to specify that *any* resume latency at all should be +avoided, which is an artificial limitation in general. + +To address these issues, modify device resume latency PM QoS to +use S32_MAX as the "no constraint" value and 0 as the "no +latency at all" one and rework its users (the cpuidle menu +governor, the genpd QoS governor and the runtime PM framework) +to follow these changes. + +Also add a special "n/a" value to the corresponding user space I/F +to allow user space to indicate that it cannot accept any resume +latencies at all for the given device. + +Fixes: 85dc0b8a4019 (PM / QoS: Make it possible to expose PM QoS latency constraints) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=197323 +Reported-by: Reinette Chatre +Tested-by: Reinette Chatre +Signed-off-by: Rafael J. 
Wysocki +Acked-by: Alex Shi +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/sysfs-devices-power | 4 + + drivers/base/cpu.c | 3 - + drivers/base/power/domain_governor.c | 53 ++++++++++++++------------ + drivers/base/power/qos.c | 2 + drivers/base/power/runtime.c | 2 + drivers/base/power/sysfs.c | 25 ++++++++++-- + drivers/cpuidle/governors/menu.c | 4 - + include/linux/pm_qos.h | 5 +- + 8 files changed, 63 insertions(+), 35 deletions(-) + +--- a/Documentation/ABI/testing/sysfs-devices-power ++++ b/Documentation/ABI/testing/sysfs-devices-power +@@ -211,7 +211,9 @@ Description: + device, after it has been suspended at run time, from a resume + request to the moment the device will be ready to process I/O, + in microseconds. If it is equal to 0, however, this means that +- the PM QoS resume latency may be arbitrary. ++ the PM QoS resume latency may be arbitrary and the special value ++ "n/a" means that user space cannot accept any resume latency at ++ all for the given device. + + Not all drivers support this attribute. If it isn't supported, + it is not present. 
+--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -377,7 +377,8 @@ int register_cpu(struct cpu *cpu, int nu + + per_cpu(cpu_sys_devices, num) = &cpu->dev; + register_cpu_under_node(num, cpu_to_node(num)); +- dev_pm_qos_expose_latency_limit(&cpu->dev, 0); ++ dev_pm_qos_expose_latency_limit(&cpu->dev, ++ PM_QOS_RESUME_LATENCY_NO_CONSTRAINT); + + return 0; + } +--- a/drivers/base/power/domain_governor.c ++++ b/drivers/base/power/domain_governor.c +@@ -14,23 +14,20 @@ + static int dev_update_qos_constraint(struct device *dev, void *data) + { + s64 *constraint_ns_p = data; +- s32 constraint_ns = -1; ++ s64 constraint_ns = -1; + + if (dev->power.subsys_data && dev->power.subsys_data->domain_data) + constraint_ns = dev_gpd_data(dev)->td.effective_constraint_ns; + +- if (constraint_ns < 0) { ++ if (constraint_ns < 0) + constraint_ns = dev_pm_qos_read_value(dev); +- constraint_ns *= NSEC_PER_USEC; +- } +- if (constraint_ns == 0) ++ ++ if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) + return 0; + +- /* +- * constraint_ns cannot be negative here, because the device has been +- * suspended. 
+- */ +- if (constraint_ns < *constraint_ns_p || *constraint_ns_p == 0) ++ constraint_ns *= NSEC_PER_USEC; ++ ++ if (constraint_ns < *constraint_ns_p || *constraint_ns_p < 0) + *constraint_ns_p = constraint_ns; + + return 0; +@@ -63,10 +60,14 @@ static bool default_suspend_ok(struct de + + spin_unlock_irqrestore(&dev->power.lock, flags); + +- if (constraint_ns < 0) ++ if (constraint_ns == 0) + return false; + +- constraint_ns *= NSEC_PER_USEC; ++ if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) ++ constraint_ns = -1; ++ else ++ constraint_ns *= NSEC_PER_USEC; ++ + /* + * We can walk the children without any additional locking, because + * they all have been suspended at this point and their +@@ -76,14 +77,19 @@ static bool default_suspend_ok(struct de + device_for_each_child(dev, &constraint_ns, + dev_update_qos_constraint); + +- if (constraint_ns > 0) { +- constraint_ns -= td->suspend_latency_ns + +- td->resume_latency_ns; +- if (constraint_ns == 0) +- return false; ++ if (constraint_ns < 0) { ++ /* The children have no constraints. */ ++ td->effective_constraint_ns = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT; ++ td->cached_suspend_ok = true; ++ } else { ++ constraint_ns -= td->suspend_latency_ns + td->resume_latency_ns; ++ if (constraint_ns > 0) { ++ td->effective_constraint_ns = constraint_ns; ++ td->cached_suspend_ok = true; ++ } else { ++ td->effective_constraint_ns = 0; ++ } + } +- td->effective_constraint_ns = constraint_ns; +- td->cached_suspend_ok = constraint_ns >= 0; + + /* + * The children have been suspended already, so we don't need to take +@@ -145,13 +151,14 @@ static bool __default_power_down_ok(stru + td = &to_gpd_data(pdd)->td; + constraint_ns = td->effective_constraint_ns; + /* default_suspend_ok() need not be called before us. 
*/ +- if (constraint_ns < 0) { ++ if (constraint_ns < 0) + constraint_ns = dev_pm_qos_read_value(pdd->dev); +- constraint_ns *= NSEC_PER_USEC; +- } +- if (constraint_ns == 0) ++ ++ if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) + continue; + ++ constraint_ns *= NSEC_PER_USEC; ++ + /* + * constraint_ns cannot be negative here, because the device has + * been suspended. +--- a/drivers/base/power/qos.c ++++ b/drivers/base/power/qos.c +@@ -189,7 +189,7 @@ static int dev_pm_qos_constraints_alloca + plist_head_init(&c->list); + c->target_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE; + c->default_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE; +- c->no_constraint_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE; ++ c->no_constraint_value = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT; + c->type = PM_QOS_MIN; + c->notifiers = n; + +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -253,7 +253,7 @@ static int rpm_check_suspend_allowed(str + || (dev->power.request_pending + && dev->power.request == RPM_REQ_RESUME)) + retval = -EAGAIN; +- else if (__dev_pm_qos_read_value(dev) < 0) ++ else if (__dev_pm_qos_read_value(dev) == 0) + retval = -EPERM; + else if (dev->power.runtime_status == RPM_SUSPENDED) + retval = 1; +--- a/drivers/base/power/sysfs.c ++++ b/drivers/base/power/sysfs.c +@@ -218,7 +218,14 @@ static ssize_t pm_qos_resume_latency_sho + struct device_attribute *attr, + char *buf) + { +- return sprintf(buf, "%d\n", dev_pm_qos_requested_resume_latency(dev)); ++ s32 value = dev_pm_qos_requested_resume_latency(dev); ++ ++ if (value == 0) ++ return sprintf(buf, "n/a\n"); ++ else if (value == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) ++ value = 0; ++ ++ return sprintf(buf, "%d\n", value); + } + + static ssize_t pm_qos_resume_latency_store(struct device *dev, +@@ -228,11 +235,21 @@ static ssize_t pm_qos_resume_latency_sto + s32 value; + int ret; + +- if (kstrtos32(buf, 0, &value)) +- return -EINVAL; ++ if (!kstrtos32(buf, 0, &value)) { ++ /* ++ * Prevent users 
from writing negative or "no constraint" values ++ * directly. ++ */ ++ if (value < 0 || value == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) ++ return -EINVAL; + +- if (value < 0) ++ if (value == 0) ++ value = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT; ++ } else if (!strcmp(buf, "n/a") || !strcmp(buf, "n/a\n")) { ++ value = 0; ++ } else { + return -EINVAL; ++ } + + ret = dev_pm_qos_update_request(dev->power.qos->resume_latency_req, + value); +--- a/drivers/cpuidle/governors/menu.c ++++ b/drivers/cpuidle/governors/menu.c +@@ -298,8 +298,8 @@ static int menu_select(struct cpuidle_dr + data->needs_update = 0; + } + +- /* resume_latency is 0 means no restriction */ +- if (resume_latency && resume_latency < latency_req) ++ if (resume_latency < latency_req && ++ resume_latency != PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) + latency_req = resume_latency; + + /* Special case when user has set very strict latency requirement */ +--- a/include/linux/pm_qos.h ++++ b/include/linux/pm_qos.h +@@ -27,16 +27,17 @@ enum pm_qos_flags_status { + PM_QOS_FLAGS_ALL, + }; + +-#define PM_QOS_DEFAULT_VALUE -1 ++#define PM_QOS_DEFAULT_VALUE (-1) ++#define PM_QOS_LATENCY_ANY S32_MAX + + #define PM_QOS_CPU_DMA_LAT_DEFAULT_VALUE (2000 * USEC_PER_SEC) + #define PM_QOS_NETWORK_LAT_DEFAULT_VALUE (2000 * USEC_PER_SEC) + #define PM_QOS_NETWORK_THROUGHPUT_DEFAULT_VALUE 0 + #define PM_QOS_MEMORY_BANDWIDTH_DEFAULT_VALUE 0 + #define PM_QOS_RESUME_LATENCY_DEFAULT_VALUE 0 ++#define PM_QOS_RESUME_LATENCY_NO_CONSTRAINT PM_QOS_LATENCY_ANY + #define PM_QOS_LATENCY_TOLERANCE_DEFAULT_VALUE 0 + #define PM_QOS_LATENCY_TOLERANCE_NO_CONSTRAINT (-1) +-#define PM_QOS_LATENCY_ANY ((s32)(~(__u32)0 >> 1)) + + #define PM_QOS_FLAG_NO_POWER_OFF (1 << 0) + #define PM_QOS_FLAG_REMOTE_WAKEUP (1 << 1) diff --git a/queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch b/queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch new file mode 100644 index 00000000000..53c18bae385 --- /dev/null 
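Review bot: In dev_update_qos_constraint() and __default_power_down_ok() the line `constraint_ns *= NSEC_PER_USEC;` has moved out of the `if (constraint_ns < 0)` branch, so it is now also applied to a value read from `td.effective_constraint_ns`. default_suspend_ok() in this same patch stores that field after the microsecond-to-nanosecond conversion, so a cached constraint ends up scaled twice. The conversion should stay with the `dev_pm_qos_read_value()` read, as sketched below for dev_update_qos_constraint(); __default_power_down_ok() needs the same shape. Separately, in pm_qos_resume_latency_store() the two `strcmp()` calls can be replaced by `sysfs_streq(buf, "n/a")`.

```c
	/* … unchanged: declarations and the td.effective_constraint_ns read … */
	if (constraint_ns < 0) {
		/* PM QoS reports microseconds; convert only this value. */
		constraint_ns = dev_pm_qos_read_value(dev);
		if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
			return 0;

		constraint_ns *= NSEC_PER_USEC;
	} else if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) {
		return 0;
	}
	/* … unchanged: comparison with *constraint_ns_p … */
```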
+++ b/queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch 
@@ -0,0 +1,51 @@
+From 0a5e2ec2647737907d267c09dc9a25fab1468865 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky
+Date: Thu, 5 Oct 2017 08:29:47 +0200
+Subject: s390/kvm: fix detection of guest machine checks
+
+From: Martin Schwidefsky
+
+commit 0a5e2ec2647737907d267c09dc9a25fab1468865 upstream.
+
+The new detection code for guest machine checks added a check based
+on %r11 to .Lcleanup_sie to distinguish between normal asynchronous
+interrupts and machine checks. But the funtion is called from the
+program check handler as well with an undefined value in %r11.
+
+The effect is that all program exceptions pointing to the SIE instruction
+will set the CIF_MCCK_GUEST bit. The bit stays set for the CPU until the
+ next machine check comes in which will incorrectly be interpreted as a
+guest machine check.
+
+The simplest fix is to stop using .Lcleanup_sie in the program check
+handler and duplicate a few instructions.
+
+Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest")
+Reviewed-by: Christian Borntraeger
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/entry.S | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -521,12 +521,15 @@ ENTRY(pgm_check_handler)
+ tmhh %r8,0x0001 # test problem state bit
+ jnz 2f # -> fault in user space
+ #if IS_ENABLED(CONFIG_KVM)
+- # cleanup critical section for sie64a
++ # cleanup critical section for program checks in sie64a
+ lgr %r14,%r9
+ slg %r14,BASED(.Lsie_critical_start)
+ clg %r14,BASED(.Lsie_critical_length)
+ jhe 0f
+- brasl %r14,.Lcleanup_sie
++ lg %r14,__SF_EMPTY(%r15) # get control block pointer
++ ni __SIE_PROG0C+3(%r14),0xfe # no longer in SIE
++ lctlg %c1,%c1,__LC_USER_ASCE # load primary asce
++ larl %r9,sie_exit # skip forward to sie_exit
+ #endif
+ 0: tmhh %r8,0x4000 # PER bit set in old PSW ?
+ jnz 1f # -> enabled, can't be a double fault
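Review bot: The four instructions added to `pgm_check_handler` are, per the commit message, duplicated from `.Lcleanup_sie`, but nothing at the new site records that. A comment such as `# open-coded from .Lcleanup_sie without the %r11 machine-check test; keep the two in sync` would tell the next editor that a change to one has to be checked against the other. `.Lcleanup_sie` itself is outside the hunk, so the exact correspondence cannot be confirmed from here.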
diff --git a/queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch b/queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch new file mode 100644 index 00000000000..f96357a4417 --- /dev/null +++ b/queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch 
@@ -0,0 +1,67 @@ +From 45348de2c8a7a1e64c5be27b22c9786b4152dd41 Mon Sep 17 00:00:00 2001 +From: Raghava Aditya Renukunta +Date: Mon, 16 Oct 2017 17:22:31 -0700 +Subject: scsi: aacraid: Fix controller initialization failure + +From: Raghava Aditya Renukunta + +commit 45348de2c8a7a1e64c5be27b22c9786b4152dd41 upstream. + +This is a fix to an issue where the driver sends its periodic WELLNESS +command to the controller after the driver shut it down.This causes the +controller to crash. The window where this can happen is small, but it +can be hit at around 4 hours of constant resets. + +Fixes: fbd185986eba (aacraid: Fix AIF triggered IOP_RESET) +Signed-off-by: Raghava Aditya Renukunta +Reviewed-by: Dave Carroll +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/comminit.c | 8 +++++--- + drivers/scsi/aacraid/linit.c | 7 ++++++- + 2 files changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -302,9 +302,11 @@ int aac_send_shutdown(struct aac_dev * d + return -ENOMEM; + aac_fib_init(fibctx); + +- mutex_lock(&dev->ioctl_mutex); +- dev->adapter_shutdown = 1; +- mutex_unlock(&dev->ioctl_mutex); ++ if (!dev->adapter_shutdown) { ++ mutex_lock(&dev->ioctl_mutex); ++ dev->adapter_shutdown = 1; ++ mutex_unlock(&dev->ioctl_mutex); ++ } + + cmd = (struct aac_close *) fib_data(fibctx); + cmd->command = cpu_to_le32(VM_CloseAll); +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1401,8 +1401,9 @@ static void __aac_shutdown(struct aac_de + { + int i; + ++ mutex_lock(&aac->ioctl_mutex); + aac->adapter_shutdown = 1; +- aac_send_shutdown(aac); ++ mutex_unlock(&aac->ioctl_mutex); + + if (aac->aif_thread) { + int i; +@@ -1415,7 +1416,11 @@ static void __aac_shutdown(struct aac_de + } + kthread_stop(aac->thread); + } ++ ++ aac_send_shutdown(aac); ++ + aac_adapter_disable_int(aac); ++ + if (aac_is_src(aac)) { + if (aac->max_msix > 1) { + for (i = 
0; i < aac->max_msix; i++) { diff --git a/queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch b/queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch new file mode 100644 index 00000000000..c4a32afc142 --- /dev/null +++ b/queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch @@ -0,0 +1,47 @@ +From 1010f21ecf8ac43be676d498742de18fa6c20987 Mon Sep 17 00:00:00 2001 +From: Himanshu Madhani +Date: Mon, 16 Oct 2017 11:26:05 -0700 +Subject: scsi: qla2xxx: Initialize Work element before requesting IRQs + +From: Himanshu Madhani + +commit 1010f21ecf8ac43be676d498742de18fa6c20987 upstream. + +commit a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element") +moved initializiation of work element earlier in the probe to fix call +stack. However, it still leaves a window where interrupt can be +generated before work element is initialized. Fix that window by +initializing work element before we are requesting IRQs. + +[mkp: fixed typos] + +Fixes: a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element") +Signed-off-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3051,6 +3051,8 @@ qla2x00_probe_one(struct pci_dev *pdev, + host->max_cmd_len, host->max_channel, host->max_lun, + host->transportt, sht->vendor_id); + ++ INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn); ++ + /* Set up the irqs */ + ret = qla2x00_request_irqs(ha, rsp); + if (ret) +@@ -3165,8 +3167,6 @@ qla2x00_probe_one(struct pci_dev *pdev, + host->can_queue, base_vha->req, + base_vha->mgmt_svr_loop_id, host->sg_tablesize); + +- INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn); +- + if (ha->mqenable) { + bool mq = false; + bool startit = false; 
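Review bot: In aac_send_shutdown() the new `if (!dev->adapter_shutdown)` test reads the flag outside `ioctl_mutex`, while every write to it in this patch is made under that mutex. Because the guarded store only sets the flag to 1, the unlocked test protects nothing and only saves a lock round-trip; if that is the intent, say so with a comment such as `/* already set under ioctl_mutex by __aac_shutdown(); the unlocked read is only a shortcut */`, otherwise take the mutex unconditionally as before. In __aac_shutdown() the new order (set the flag, stop the thread, then `aac_send_shutdown(aac);`) is what closes the window described in the commit message, and a one-line comment before that call would keep it from being moved back. Both functions continue outside their hunks.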
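Review bot: The position of `INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn);` directly before the IRQ setup is an ordering requirement that the code does not state, and by the commit message this is the second patch to move the same line. A comment on it, for example `/* must be initialised before qla2x00_request_irqs(): an interrupt can arrive as soon as IRQs are requested */`, would document the constraint. qla2x00_probe_one() starts and ends outside the hunk, so whether other state used by the interrupt path is also set up before this point cannot be confirmed from here.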
diff --git a/queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch b/queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch new file mode 100644 index 00000000000..baa48719098 --- /dev/null +++ b/queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch @@ -0,0 +1,38 @@ +From 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 15 Oct 2017 18:16:33 +0100 +Subject: scsi: sg: Re-fix off by one in sg_fill_request_table() + +From: Ben Hutchings + +commit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream. + +Commit 109bade9c625 ("scsi: sg: use standard lists for sg_requests") +introduced an off-by-one error in sg_ioctl(), which was fixed by commit +bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()"). + +Unfortunately commit 4759df905a47 ("scsi: sg: factor out +sg_fill_request_table()") moved that code, and reintroduced the +bug (perhaps due to a botched rebase). Fix it again. + +Fixes: 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()") +Signed-off-by: Ben Hutchings +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -837,7 +837,7 @@ sg_fill_request_table(Sg_fd *sfp, sg_req + + val = 0; + list_for_each_entry(srp, &sfp->rq_list, entry) { +- if (val > SG_MAX_QUEUE) ++ if (val >= SG_MAX_QUEUE) + break; + rinfo[val].req_state = srp->done + 1; + rinfo[val].problem = diff --git a/queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch b/queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch new file mode 100644 index 00000000000..947e6a5ce44 --- /dev/null +++ b/queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch 
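Review bot: The bound `if (val >= SG_MAX_QUEUE)` is correct only while the `rinfo` array passed in holds exactly SG_MAX_QUEUE entries, and the function neither receives the array length nor states that assumption. Since the commit message says this off-by-one has now been introduced twice by refactoring, a comment above the loop such as `/* rinfo has SG_MAX_QUEUE entries; never index past SG_MAX_QUEUE - 1 */` would make the invariant visible at the place where it is enforced. The caller's allocation is outside the hunk, so the array size is presumed rather than confirmed. sg_fill_request_table() continues outside the hunk.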
@@ -0,0 +1,170 @@ +From ab31fd0ce65ec93828b617123792c1bb7c6dcc42 Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Fri, 13 Oct 2017 15:40:07 +0200 +Subject: scsi: zfcp: fix erp_action use-before-initialize in REC action trace + +From: Steffen Maier + +commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream. + +v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN +recovery") extended accessing parent pointer fields of struct +zfcp_erp_action for tracing. If an erp_action has never been enqueued +before, these parent pointer fields are uninitialized and NULL. Examples +are zfcp objects freshly added to the parent object's children list, +before enqueueing their first recovery subsequently. In +zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action +fields can cause a NULL pointer dereference. Since the kernel can read +from lowcore on s390, it does not immediately cause a kernel page +fault. Instead it can cause hangs on trying to acquire the wrong +erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl() + ^bogus^ +while holding already other locks with IRQs disabled. + +Real life example from attaching lots of LUNs in parallel on many CPUs: + +crash> bt 17723 +PID: 17723 TASK: ... CPU: 25 COMMAND: "zfcperp0.0.1800" + LOWCORE INFO: + -psw : 0x0404300180000000 0x000000000038e424 + -function : _raw_spin_lock_wait_flags at 38e424 +... + #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp] + #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp] + #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp] + #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp] + #4 [fdde8fe60] kthread at 173550 + #5 [fdde8feb8] kernel_thread_starter at 10add2 + +zfcp_adapter + zfcp_port + zfcp_unit
, 0x404040d600000000 + scsi_device NULL, returning early! +zfcp_scsi_dev.status = 0x40000000 +0x40000000 ZFCP_STATUS_COMMON_RUNNING + +crash> zfcp_unit
+struct zfcp_unit { + erp_action = { + adapter = 0x0, + port = 0x0, + unit = 0x0, + }, +} + +zfcp_erp_action is always fully embedded into its container object. Such +container object is never moved in its object tree (only add or delete). +Hence, erp_action parent pointers can never change. + +To fix the issue, initialize the erp_action parent pointers before +adding the erp_action container to any list and thus before it becomes +accessible from outside of its initializing function. + +In order to also close the time window between zfcp_erp_setup_act() +memsetting the entire erp_action to zero and setting the parent pointers +again, drop the memset and instead explicitly initialize individually +all erp_action fields except for parent pointers. To be extra careful +not to introduce any other unintended side effect, even keep zeroing the +erp_action fields for list and timer. Also double-check with +WARN_ON_ONCE that erp_action parent pointers never change, so we get to +know when we would deviate from previous behavior. + +Signed-off-by: Steffen Maier +Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") +Reviewed-by: Benjamin Block +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_aux.c | 5 +++++ + drivers/s390/scsi/zfcp_erp.c | 18 +++++++++++------- + drivers/s390/scsi/zfcp_scsi.c | 5 +++++ + 3 files changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/s390/scsi/zfcp_aux.c ++++ b/drivers/s390/scsi/zfcp_aux.c +@@ -358,6 +358,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu + + adapter->next_port_scan = jiffies; + ++ adapter->erp_action.adapter = adapter; ++ + if (zfcp_qdio_setup(adapter)) + goto failed; + +@@ -514,6 +516,9 @@ struct zfcp_port *zfcp_port_enqueue(stru + port->dev.groups = zfcp_port_attr_groups; + port->dev.release = zfcp_port_release; + ++ port->erp_action.adapter = adapter; ++ port->erp_action.port = port; ++ + if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) { + kfree(port); + goto err_out; +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_ + atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, + &zfcp_sdev->status); + erp_action = &zfcp_sdev->erp_action; +- memset(erp_action, 0, sizeof(struct zfcp_erp_action)); +- erp_action->port = port; +- erp_action->sdev = sdev; ++ WARN_ON_ONCE(erp_action->port != port); ++ WARN_ON_ONCE(erp_action->sdev != sdev); + if (!(atomic_read(&zfcp_sdev->status) & + ZFCP_STATUS_COMMON_RUNNING)) + act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; +@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_ + zfcp_erp_action_dismiss_port(port); + atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status); + erp_action = &port->erp_action; +- memset(erp_action, 0, sizeof(struct zfcp_erp_action)); +- erp_action->port = port; ++ WARN_ON_ONCE(erp_action->port != port); ++ WARN_ON_ONCE(erp_action->sdev != NULL); + if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING)) + act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; + break; +@@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_ + zfcp_erp_action_dismiss_adapter(adapter); + 
atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status); + erp_action = &adapter->erp_action; +- memset(erp_action, 0, sizeof(struct zfcp_erp_action)); ++ WARN_ON_ONCE(erp_action->port != NULL); ++ WARN_ON_ONCE(erp_action->sdev != NULL); + if (!(atomic_read(&adapter->status) & + ZFCP_STATUS_COMMON_RUNNING)) + act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY; +@@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_ + return NULL; + } + +- erp_action->adapter = adapter; ++ WARN_ON_ONCE(erp_action->adapter != adapter); ++ memset(&erp_action->list, 0, sizeof(erp_action->list)); ++ memset(&erp_action->timer, 0, sizeof(erp_action->timer)); ++ erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED; ++ erp_action->fsf_req_id = 0; + erp_action->action = need; + erp_action->status = act_status; + +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -115,10 +115,15 @@ static int zfcp_scsi_slave_alloc(struct + struct zfcp_unit *unit; + int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE; + ++ zfcp_sdev->erp_action.adapter = adapter; ++ zfcp_sdev->erp_action.sdev = sdev; ++ + port = zfcp_get_port_by_wwpn(adapter, rport->port_name); + if (!port) + return -ENXIO; + ++ zfcp_sdev->erp_action.port = port; ++ + unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev)); + if (unit) + put_device(&unit->dev); diff --git a/queue-4.13/series b/queue-4.13/series index 7b212523f99..ee887918ea2 100644 --- a/queue-4.13/series +++ b/queue-4.13/series 
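Review bot: In zfcp_erp_setup_act() the `WARN_ON_ONCE()` checks replace the old unconditional assignments, so when a parent pointer is not the expected one the function now warns once and then continues with the unexpected `adapter`, `port` or `sdev` value. If that state is considered impossible, say so where the pointers are set, for example in zfcp_port_enqueue(): `/* parent pointers are set once here, before the port is reachable from any list, and never change */`; if it is merely unlikely, returning NULL after the warning would be the more defensive choice. In zfcp_scsi_slave_alloc() `erp_action.port` stays unset on the `-ENXIO` return while `adapter` and `sdev` are already assigned; that looks harmless because the allocation fails, but it is not visible here whether anything can still reach the zfcp_sdev afterwards. All of these functions continue outside their hunks.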
@@ -4,3 +4,38 @@ alsa-hda-realtek-add-support-for-alc236-alc3204.patch alsa-hda-fix-headset-mic-problem-for-dell-machines-with-alc236.patch ceph-unlock-dangling-spinlock-in-try_flush_caps.patch fix-tracing-sample-code-warning.patch +kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch +kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch +kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch +s390-kvm-fix-detection-of-guest-machine-checks.patch +nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch +spi-uapi-spidev-add-missing-ioctl-header.patch +spi-a3700-return-correct-value-on-timeout-detection.patch +spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch +spi-armada-3700-fix-failing-commands-with-quad-spi.patch +ovl-add-null-check-in-ovl_alloc_inode.patch +ovl-fix-eio-from-lookup-of-non-indexed-upper.patch +ovl-handle-enoent-on-index-lookup.patch +ovl-do-not-cleanup-unsupported-index-entries.patch +fuse-fix-readdirplus-skipping-an-entry.patch +xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch +xen-fix-booting-ballooned-down-hvm-guest.patch +cifs-select-all-required-crypto-modules.patch +cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch +input-elan_i2c-add-elan0611-to-the-acpi-table.patch +input-gtco-fix-potential-out-of-bound-access.patch +fix-encryption-labels-and-lengths-for-smb3.1.1.patch +smb3-validate-negotiate-request-must-always-be-signed.patch +assoc_array-fix-a-buggy-node-splitting-case.patch +scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch +scsi-aacraid-fix-controller-initialization-failure.patch +scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch +scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch +x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch +drm-amd-powerplay-fix-uninitialized-variable.patch +pm-qos-fix-device-resume-latency-pm-qos.patch +drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch 
+can-sun4i-fix-loopback-mode.patch +can-kvaser_usb-correct-return-value-in-printout.patch +can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch +cfg80211-fix-connect-disconnect-edge-cases.patch diff --git a/queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch b/queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch new file mode 100644 index 00000000000..debba6914ac --- /dev/null +++ b/queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch @@ -0,0 +1,34 @@ +From 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 25 Oct 2017 15:58:31 -0500 +Subject: SMB3: Validate negotiate request must always be signed + +From: Steve French + +commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream. + +According to MS-SMB2 3.2.55 validate_negotiate request must +always be signed. Some Windows can fail the request if you send it unsigned + +See kernel bugzilla bug 197311 + +Acked-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc + } else + iov[0].iov_len = get_rfc1002_length(req) + 4; + ++ /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ ++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) ++ req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED; + + rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov); + cifs_small_buf_release(req); diff --git a/queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch b/queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch new file mode 100644 index 00000000000..3495f5ea5db --- /dev/null +++ b/queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch 
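Review bot: The added comment cites `MS-SMB2 3.2.5.5` while the commit message cites 3.2.55; one of the two is a typo, and the code comment is the one later readers will follow, so it should be checked against the specification. The new `if` also sits directly under a brace-less `else` with no blank line, so it reads as if it belonged to that branch; a blank line before the comment would avoid that. The hunk sets `SMB2_FLAGS_SIGNED` unconditionally for this opcode, and it is not visible here what SendReceive2() does when the session cannot sign, so it is worth confirming that the request then fails rather than going out unsigned. SMB2_ioctl() starts and ends outside the hunk.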
@@ -0,0 +1,37 @@
+From 5a866ec0014b2baa4ecbb1eaa19c835482829d08 Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier
+Date: Tue, 10 Oct 2017 10:43:17 +0200
+Subject: spi: a3700: Return correct value on timeout detection
+
+From: Maxime Chevallier
+
+commit 5a866ec0014b2baa4ecbb1eaa19c835482829d08 upstream.
+
+When waiting for transfer completion, a3700_spi_wait_completion
+returns a boolean indicating if a timeout occurred.
+
+The function was returning 'true' everytime, failing to detect any
+timeout.
+
+This patch makes it return 'false' when a timeout is reached.
+
+Signed-off-by: Maxime Chevallier
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-armada-3700.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-armada-3700.c
++++ b/drivers/spi/spi-armada-3700.c
+@@ -392,7 +392,8 @@ static bool a3700_spi_wait_completion(st
+
+ spireg_write(a3700_spi, A3700_SPI_INT_MASK_REG, 0);
+
+- return true;
++ /* Timeout was reached */
++ return false;
+ }
+
+ static bool a3700_spi_transfer_wait(struct spi_device *spi,
diff --git a/queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch b/queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch
new file mode 100644
index 00000000000..510460ba750
--- /dev/null
+++ b/queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch
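Review bot: a3700_spi_wait_completion() carries no comment saying what its bool result means, and the commit message describes it as "indicating if a timeout occurred" while the fixed code returns `false` on timeout. A short function comment, for example `/* Returns true if the transfer completed, false if the wait timed out. */`, would settle the polarity for callers. The success path is outside the hunk, so `true` meaning completion is presumed from the old behaviour rather than confirmed. The function starts outside the hunk.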
@@ -0,0 +1,62 @@ +From 747e1f60470b975363cbbfcde0c41a3166391be5 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 13 Sep 2017 18:21:38 +0200 +Subject: spi: armada-3700: Fix failing commands with quad-SPI + +From: Miquel Raynal + +commit 747e1f60470b975363cbbfcde0c41a3166391be5 upstream. + +A3700 SPI controller datasheet states that only the first line (IO0) is +used to receive and send instructions, addresses and dummy bytes, +unless for addresses during an RX operation in a quad SPI configuration +(see p.821 of the Armada-3720-DB datasheet). Otherwise, some commands +such as SPI NOR commands like READ_FROM_CACHE_DUAL_IO(0xeb) and +READ_FROM_CACHE_DUAL_IO(0xbb) will fail because these commands must send +address bytes through the four pins. Data transfer always use the four +bytes with this setup. + +Thus, in quad SPI configuration, the A3700_SPI_ADDR_PIN bit must be set +only in this case to inform the controller that it must use the number +of pins indicated in the {A3700_SPI_DATA_PIN1,A3700_SPI_DATA_PIN0} field +during the address cycles of an RX operation. 
+ +Suggested-by: Ken Ma +Signed-off-by: Miquel Raynal +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-armada-3700.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-armada-3700.c ++++ b/drivers/spi/spi-armada-3700.c +@@ -161,7 +161,7 @@ static void a3700_spi_deactivate_cs(stru + } + + static int a3700_spi_pin_mode_set(struct a3700_spi *a3700_spi, +- unsigned int pin_mode) ++ unsigned int pin_mode, bool receiving) + { + u32 val; + +@@ -177,6 +177,9 @@ static int a3700_spi_pin_mode_set(struct + break; + case SPI_NBITS_QUAD: + val |= A3700_SPI_DATA_PIN1; ++ /* RX during address reception uses 4-pin */ ++ if (receiving) ++ val |= A3700_SPI_ADDR_PIN; + break; + default: + dev_err(&a3700_spi->master->dev, "wrong pin mode %u", pin_mode); +@@ -654,7 +657,7 @@ static int a3700_spi_transfer_one(struct + else if (xfer->rx_buf) + nbits = xfer->rx_nbits; + +- a3700_spi_pin_mode_set(a3700_spi, nbits); ++ a3700_spi_pin_mode_set(a3700_spi, nbits, xfer->rx_buf ? true : false); + + if (xfer->rx_buf) { + /* Set read data length */ diff --git a/queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch b/queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch new file mode 100644 index 00000000000..340e1262d60 --- /dev/null +++ b/queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch 
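Review bot: The call `a3700_spi_pin_mode_set(a3700_spi, nbits, xfer->rx_buf ? true : false);` still discards the function's `int` result, although its `default:` branch reports `wrong pin mode` through dev_err(). If that branch returns an error (the return statement is outside the hunk), a3700_spi_transfer_one() should check the result and leave through its existing error path instead of transferring with a pin mode that was never programmed. The conditional can also be written more directly as `xfer->rx_buf != NULL`. Both functions continue outside their hunks.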
@@ -0,0 +1,64 @@ +From c0368e4db4a3e8a3dce40f3f621c06e14c560d79 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Wed, 11 Oct 2017 14:59:22 -0700 +Subject: spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path + +From: Florian Fainelli + +commit c0368e4db4a3e8a3dce40f3f621c06e14c560d79 upstream. + +There was an inversion in how the error path in bcm_qspi_probe() is done +which would make us trip over a KASAN use-after-free report. Turns out +that qspi->dev_ids does not get allocated until later in the probe +process. Fix this by introducing a new lable: qspi_resource_err which +takes care of cleaning up the SPI master instance. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Florian Fainelli +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-bcm-qspi.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1278,7 +1278,7 @@ int bcm_qspi_probe(struct platform_devic + goto qspi_probe_err; + } + } else { +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); +@@ -1300,7 +1300,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[CHIP_SELECT] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[CHIP_SELECT])) { + ret = PTR_ERR(qspi->base[CHIP_SELECT]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + } + +@@ -1308,7 +1308,7 @@ int bcm_qspi_probe(struct platform_devic + GFP_KERNEL); + if (!qspi->dev_ids) { + ret = -ENOMEM; +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + + for (val = 0; val < num_irqs; val++) { +@@ -1397,8 +1397,9 @@ qspi_reg_err: + bcm_qspi_hw_uninit(qspi); + clk_disable_unprepare(qspi->clk); + qspi_probe_err: +- spi_master_put(master); + kfree(qspi->dev_ids); ++qspi_resource_err: ++ spi_master_put(master); + return ret; + } + /* probe function to be called by SoC specific platform 
driver probe */ diff --git a/queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch b/queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch new file mode 100644 index 00000000000..e5140d4ec14 --- /dev/null +++ b/queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch @@ -0,0 +1,38 @@ +From a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 Mon Sep 17 00:00:00 2001 +From: Baruch Siach +Date: Sun, 10 Sep 2017 20:29:45 +0300 +Subject: spi: uapi: spidev: add missing ioctl header + +From: Baruch Siach + +commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream. + +The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h +to make sure this macro is defined. This fixes the following build +failure of lcdproc with the musl libc: + +In file included from .../sysroot/usr/include/sys/ioctl.h:7:0, + from hd44780-spi.c:31: +hd44780-spi.c: In function 'spi_transfer': +hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function) + status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer); + ^ + +Signed-off-by: Baruch Siach +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/spi/spidev.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/uapi/linux/spi/spidev.h ++++ b/include/uapi/linux/spi/spidev.h +@@ -23,6 +23,7 @@ + #define SPIDEV_H + + #include ++#include + + /* User space versions of kernel symbols for SPI clocking modes, + * matching diff --git a/queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch b/queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch new file mode 100644 index 00000000000..7789075392a --- /dev/null +++ b/queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch 
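Review bot: One early failure in bcm_qspi_probe() still uses `goto qspi_probe_err;` (the unchanged context line just before `} else {` in the first hunk), so it reaches `kfree(qspi->dev_ids)` before `dev_ids` has been allocated. That is safe only if the driver's private data is zero-initialised when the master is allocated, which is not visible here; switching that jump to `qspi_resource_err` as well would make all pre-allocation failures consistent. A comment at the labels, for example `/* free dev_ids before spi_master_put(), which may release qspi */`, would also record why the order of the two cleanup steps matters. bcm_qspi_probe() starts outside the hunk.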
@@ -0,0 +1,109 @@ +From bfc1168de949cd3e9ca18c3480b5085deff1ea7c Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sun, 22 Oct 2017 12:47:31 +0200 +Subject: x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't + +From: Borislav Petkov + +commit bfc1168de949cd3e9ca18c3480b5085deff1ea7c upstream. + +Some F14h machines have an erratum which, "under a highly specific +and detailed set of internal timing conditions" can lead to skipping +instructions and RIP corruption. + +Add the fix for those machines when their BIOS doesn't apply it or +there simply isn't BIOS update for them. + +Tested-by: +Signed-off-by: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Sherry Hurwitz +Cc: Thomas Gleixner +Cc: Yazen Ghannam +Link: http://lkml.kernel.org/r/20171022104731.28249-1-bp@alien8.de +Link: https://bugzilla.kernel.org/show_bug.cgi?id=197285 +[ Added pr_info() that we activated the workaround. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/amd_nb.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -27,6 +27,8 @@ static const struct pci_device_id amd_ro + {} + }; + ++#define PCI_DEVICE_ID_AMD_CNB17H_F4 0x1704 ++ + const struct pci_device_id amd_nb_misc_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) }, +@@ -37,6 +39,7 @@ const struct pci_device_id amd_nb_misc_i + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F3) }, + {} + }; + EXPORT_SYMBOL_GPL(amd_nb_misc_ids); +@@ -48,6 +51,7 @@ static const struct pci_device_id amd_nb + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) }, + { 
PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) }, + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) }, ++ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F4) }, + {} + }; + +@@ -402,11 +406,48 @@ void amd_flush_garts(void) + } + EXPORT_SYMBOL_GPL(amd_flush_garts); + ++static void __fix_erratum_688(void *info) ++{ ++#define MSR_AMD64_IC_CFG 0xC0011021 ++ ++ msr_set_bit(MSR_AMD64_IC_CFG, 3); ++ msr_set_bit(MSR_AMD64_IC_CFG, 14); ++} ++ ++/* Apply erratum 688 fix so machines without a BIOS fix work. */ ++static __init void fix_erratum_688(void) ++{ ++ struct pci_dev *F4; ++ u32 val; ++ ++ if (boot_cpu_data.x86 != 0x14) ++ return; ++ ++ if (!amd_northbridges.num) ++ return; ++ ++ F4 = node_to_amd_nb(0)->link; ++ if (!F4) ++ return; ++ ++ if (pci_read_config_dword(F4, 0x164, &val)) ++ return; ++ ++ if (val & BIT(2)) ++ return; ++ ++ on_each_cpu(__fix_erratum_688, NULL, 0); ++ ++ pr_info("x86/cpu/AMD: CPU erratum 688 worked around\n"); ++} ++ + static __init int init_amd_nbs(void) + { + amd_cache_northbridges(); + amd_cache_gart(); + ++ fix_erratum_688(); ++ + return 0; + } + diff --git a/queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch b/queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch new file mode 100644 index 00000000000..2918040aae3 --- /dev/null +++ b/queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch 
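Review bot: fix_erratum_688() prints `CPU erratum 688 worked around` right after `on_each_cpu(__fix_erratum_688, NULL, 0);`, where the final argument asks not to wait for the other CPUs, and the results of both `msr_set_bit()` calls are discarded, so the message can be logged before, or without, the bits being set on every CPU. Passing `1` as the wait argument would at least order the message after the cross-call. The values `0x164`, `BIT(2)` and MSR bits 3 and 14 are unnamed, and `MSR_AMD64_IC_CFG` is defined inside a function body; named constants next to `PCI_DEVICE_ID_AMD_CNB17H_F4`, with a reference to the erratum document, would make the workaround auditable. `PCI_DEVICE_ID_AMD_CNB17H_F3` is used in the table but not defined in this patch; presumably it comes from a header outside the hunk.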
@@ -0,0 +1,69 @@ +From 5266b8e4445cc836c46689d80a9ff539fa3bfbda Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 26 Oct 2017 11:50:56 +0200 +Subject: xen: fix booting ballooned down hvm guest + +From: Juergen Gross + +commit 5266b8e4445cc836c46689d80a9ff539fa3bfbda upstream. + +Commit 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't +online new memory initially") introduced a regression when booting a +HVM domain with memory less than mem-max: instead of ballooning down +immediately the system would try to use the memory up to mem-max +resulting in Xen crashing the domain. + +For HVM domains the current size will be reflected in Xenstore node +memory/static-max instead of memory/target. + +Additionally we have to trigger the ballooning process at once. + +Fixes: 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't online new memory initially") +Reported-by: Simon Gaiser +Suggested-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-balloon.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/xen/xen-balloon.c ++++ b/drivers/xen/xen-balloon.c +@@ -57,7 +57,7 @@ static int register_balloon(struct devic + static void watch_target(struct xenbus_watch *watch, + const char *path, const char *token) + { +- unsigned long long new_target; ++ unsigned long long new_target, static_max; + int err; + static bool watch_fired; + static long target_diff; +@@ -72,13 +72,20 @@ static void watch_target(struct xenbus_w + * pages. PAGE_SHIFT converts bytes to pages, hence PAGE_SHIFT - 10. 
+ */ + new_target >>= PAGE_SHIFT - 10; +- if (watch_fired) { +- balloon_set_new_target(new_target - target_diff); +- return; ++ ++ if (!watch_fired) { ++ watch_fired = true; ++ err = xenbus_scanf(XBT_NIL, "memory", "static-max", "%llu", ++ &static_max); ++ if (err != 1) ++ static_max = new_target; ++ else ++ static_max >>= PAGE_SHIFT - 10; ++ target_diff = xen_pv_domain() ? 0 ++ : static_max - balloon_stats.target_pages; + } + +- watch_fired = true; +- target_diff = new_target - balloon_stats.target_pages; ++ balloon_set_new_target(new_target - target_diff); + } + static struct xenbus_watch target_watch = { + .node = "memory/target", diff --git a/queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch b/queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch new file mode 100644 index 00000000000..3d9696f0825 --- /dev/null +++ b/queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch 
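Review bot: `balloon_set_new_target(new_target - target_diff);` subtracts a signed `long` from an `unsigned long long` without checking that the result stays in range, and both operands derive from Xenstore values (`memory/target` and `memory/static-max`) that are read without a sanity check. If `target_diff` ever exceeds `new_target` the subtraction wraps to a very large page count; a guard before the call such as `if (target_diff > 0 && new_target < (unsigned long long)target_diff) return;`, or clamping to zero, would make that case explicit. How balloon_set_new_target() treats an oversized target is outside the hunk. The part of watch_target() between the two hunks is not visible.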
@@ -0,0 +1,45 @@
+From 298d275d4d9bea3524ff4bc76678c140611d8a8d Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Wed, 25 Oct 2017 17:08:07 +0200
+Subject: xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
+
+From: Juergen Gross
+
+commit 298d275d4d9bea3524ff4bc76678c140611d8a8d upstream.
+
+In case gntdev_mmap() succeeds only partially in mapping grant pages
+it will leave some vital information uninitialized needed later for
+cleanup. This will lead to an out of bounds array access when unmapping
+the already mapped pages.
+
+So just initialize the data needed for unmapping the pages a little bit
+earlier.
+
+Reported-by: Arthur Borsboom
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/gntdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -1024,6 +1024,7 @@ static int gntdev_mmap(struct file *flip
+ mutex_unlock(&priv->lock);
+
+ if (use_ptemod) {
++ map->pages_vm_start = vma->vm_start;
+ err = apply_to_page_range(vma->vm_mm, vma->vm_start,
+ vma->vm_end - vma->vm_start,
+ find_grant_ptes, map);
+@@ -1061,7 +1062,6 @@ static int gntdev_mmap(struct file *flip
+ set_grant_ptes_as_special, NULL);
+ }
+ #endif
+- map->pages_vm_start = vma->vm_start;
+ }
+
+ return 0;
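Review bot: The moved assignment `map->pages_vm_start = vma->vm_start;` now has to stay ahead of `apply_to_page_range()`, but nothing in the code says why, so a later cleanup could move it back to the end of the function. A comment on it, for example `/* needed by the unmap path even if mapping fails part-way */`, would record the reason given in the commit message. The error handling between the two hunks is not visible, so it cannot be confirmed here that every failure path that unmaps pages runs only after this assignment. gntdev_mmap() starts outside the hunk.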