From: Greg Kroah-Hartman Date: Tue, 18 Apr 2017 18:56:57 +0000 (+0200) Subject: 3.18 patches X-Git-Tag: v4.4.63~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82459926357565bc508a441c7d87cd04b678971a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 patches --- diff --git a/mbox_todo-3.18 b/mbox_todo-3.18 index f07b14661d8..f132fdc66ae 100644 --- a/mbox_todo-3.18 +++ b/mbox_todo-3.18 @@ -747,6 +747,7 @@ From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Mar 2017 12:17:51 +0100 Subject: [PATCH 102/251] Linux 4.4.56 +Status: RO Content-Length: 301 Lines: 18 @@ -769,91 +770,6 @@ index d9cc21df444d..cf9303a5d621 100644 -- 2.12.2 -From e2d9577854f5a5469bcf7a3d1b17ca5e9b9ba673 Mon Sep 17 00:00:00 2001 -From: Ross Lagerwall -Date: Fri, 22 Apr 2016 13:05:31 +0100 -Subject: [PATCH 113/251] xen/qspinlock: Don't kick CPU if IRQ is not - initialized -Content-Length: 2791 -Lines: 76 - -commit 707e59ba494372a90d245f18b0c78982caa88e48 upstream. - -The following commit: - - 1fb3a8b2cfb2 ("xen/spinlock: Fix locking path engaging too soon under PVHVM.") - -... moved the initalization of the kicker interrupt until after -native_cpu_up() is called. - -However, when using qspinlocks, a CPU may try to kick another CPU that is -spinning (because it has not yet initialized its kicker interrupt), resulting -in the following crash during boot: - - kernel BUG at /build/linux-Ay7j_C/linux-4.4.0/drivers/xen/events/events_base.c:1210! - invalid opcode: 0000 [#1] SMP - ... - RIP: 0010:[] [] xen_send_IPI_one+0x59/0x60 - ... - Call Trace: - [] xen_qlock_kick+0xe/0x10 - [] __pv_queued_spin_unlock+0xb2/0xf0 - [] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20 - [] ? check_tsc_warp+0x76/0x150 - [] check_tsc_sync_source+0x96/0x160 - [] native_cpu_up+0x3d8/0x9f0 - [] xen_hvm_cpu_up+0x35/0x80 - [] _cpu_up+0x13c/0x180 - [] cpu_up+0x7a/0xa0 - [] smp_init+0x7f/0x81 - [] kernel_init_freeable+0xef/0x212 - [] ? rest_init+0x80/0x80 - [] kernel_init+0xe/0xe0 - [] ret_from_fork+0x3f/0x70 - [] ? rest_init+0x80/0x80 - -To fix this, only send the kick if the target CPU's interrupt has been -initialized. This check isn't racy, because the target is waiting for -the spinlock, so it won't have initialized the interrupt in the -meantime. - -Signed-off-by: Ross Lagerwall -Reviewed-by: Boris Ostrovsky -Cc: David Vrabel -Cc: Juergen Gross -Cc: Konrad Rzeszutek Wilk -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: linux-kernel@vger.kernel.org -Cc: xen-devel@lists.xenproject.org -Signed-off-by: Ingo Molnar -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/xen/spinlock.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c -index 9e2ba5c6e1dd..f42e78de1e10 100644 ---- a/arch/x86/xen/spinlock.c -+++ b/arch/x86/xen/spinlock.c -@@ -27,6 +27,12 @@ static bool xen_pvspin = true; - - static void xen_qlock_kick(int cpu) - { -+ int irq = per_cpu(lock_kicker_irq, cpu); -+ -+ /* Don't kick if the target's kicker interrupt is not initialized. */ -+ if (irq == -1) -+ return; -+ - xen_send_IPI_one(cpu, XEN_SPIN_UNLOCK_VECTOR); - } - --- -2.12.2 - From 50730d7f361f9915ec7063a629500119b0e8c3b6 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Wed, 18 May 2016 21:01:20 +0200 @@ -1536,383 +1452,6 @@ index ebb0dd612ebd..122af340a531 100644 -- 2.12.2 -From 0a621633cdfa780c50907506457798c907cb8110 Mon Sep 17 00:00:00 2001 -From: Nicholas Bellinger -Date: Thu, 3 Nov 2016 23:06:53 -0700 -Subject: [PATCH 125/251] target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER - export -Content-Length: 4575 -Lines: 144 - -commit a04e54f2c35823ca32d56afcd5cea5b783e2f51a upstream. - -The following fixes a divide by zero OOPs with TYPE_TAPE -due to pscsi_tape_read_blocksize() failing causing a zero -sd->sector_size being propigated up via dev_attrib.hw_block_size. - -It also fixes another long-standing bug where TYPE_TAPE and -TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(), -which does not call scsi_device_get() to take the device -reference. Instead, rename pscsi_create_type_rom() to -pscsi_create_type_nondisk() and use it for all cases. - -Finally, also drop a dump_stack() in pscsi_get_blocks() for -non TYPE_DISK, which in modern target-core can get invoked -via target_sense_desc_format() during CHECK_CONDITION. - -Reported-by: Malcolm Haak -Signed-off-by: Nicholas Bellinger -Signed-off-by: Greg Kroah-Hartman ---- - drivers/target/target_core_pscsi.c | 47 ++++++++++---------------------------- - 1 file changed, 12 insertions(+), 35 deletions(-) - -diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c -index de18790eb21c..d72a4058fd08 100644 ---- a/drivers/target/target_core_pscsi.c -+++ b/drivers/target/target_core_pscsi.c -@@ -154,7 +154,7 @@ static void pscsi_tape_read_blocksize(struct se_device *dev, - - buf = kzalloc(12, GFP_KERNEL); - if (!buf) -- return; -+ goto out_free; - - memset(cdb, 0, MAX_COMMAND_SIZE); - cdb[0] = MODE_SENSE; -@@ -169,9 +169,10 @@ static void pscsi_tape_read_blocksize(struct se_device *dev, - * If MODE_SENSE still returns zero, set the default value to 1024. - */ - sdev->sector_size = (buf[9] << 16) | (buf[10] << 8) | (buf[11]); -+out_free: - if (!sdev->sector_size) - sdev->sector_size = 1024; --out_free: -+ - kfree(buf); - } - -@@ -314,9 +315,10 @@ static int pscsi_add_device_to_list(struct se_device *dev, - sd->lun, sd->queue_depth); - } - -- dev->dev_attrib.hw_block_size = sd->sector_size; -+ dev->dev_attrib.hw_block_size = -+ min_not_zero((int)sd->sector_size, 512); - dev->dev_attrib.hw_max_sectors = -- min_t(int, sd->host->max_sectors, queue_max_hw_sectors(q)); -+ min_not_zero(sd->host->max_sectors, queue_max_hw_sectors(q)); - dev->dev_attrib.hw_queue_depth = sd->queue_depth; - - /* -@@ -339,8 +341,10 @@ static int pscsi_add_device_to_list(struct se_device *dev, - /* - * For TYPE_TAPE, attempt to determine blocksize with MODE_SENSE. - */ -- if (sd->type == TYPE_TAPE) -+ if (sd->type == TYPE_TAPE) { - pscsi_tape_read_blocksize(dev, sd); -+ dev->dev_attrib.hw_block_size = sd->sector_size; -+ } - return 0; - } - -@@ -406,7 +410,7 @@ static int pscsi_create_type_disk(struct se_device *dev, struct scsi_device *sd) - /* - * Called with struct Scsi_Host->host_lock called. - */ --static int pscsi_create_type_rom(struct se_device *dev, struct scsi_device *sd) -+static int pscsi_create_type_nondisk(struct se_device *dev, struct scsi_device *sd) - __releases(sh->host_lock) - { - struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr; -@@ -433,28 +437,6 @@ static int pscsi_create_type_rom(struct se_device *dev, struct scsi_device *sd) - return 0; - } - --/* -- * Called with struct Scsi_Host->host_lock called. -- */ --static int pscsi_create_type_other(struct se_device *dev, -- struct scsi_device *sd) -- __releases(sh->host_lock) --{ -- struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr; -- struct Scsi_Host *sh = sd->host; -- int ret; -- -- spin_unlock_irq(sh->host_lock); -- ret = pscsi_add_device_to_list(dev, sd); -- if (ret) -- return ret; -- -- pr_debug("CORE_PSCSI[%d] - Added Type: %s for %d:%d:%d:%llu\n", -- phv->phv_host_id, scsi_device_type(sd->type), sh->host_no, -- sd->channel, sd->id, sd->lun); -- return 0; --} -- - static int pscsi_configure_device(struct se_device *dev) - { - struct se_hba *hba = dev->se_hba; -@@ -542,11 +524,8 @@ static int pscsi_configure_device(struct se_device *dev) - case TYPE_DISK: - ret = pscsi_create_type_disk(dev, sd); - break; -- case TYPE_ROM: -- ret = pscsi_create_type_rom(dev, sd); -- break; - default: -- ret = pscsi_create_type_other(dev, sd); -+ ret = pscsi_create_type_nondisk(dev, sd); - break; - } - -@@ -611,8 +590,7 @@ static void pscsi_free_device(struct se_device *dev) - else if (pdv->pdv_lld_host) - scsi_host_put(pdv->pdv_lld_host); - -- if ((sd->type == TYPE_DISK) || (sd->type == TYPE_ROM)) -- scsi_device_put(sd); -+ scsi_device_put(sd); - - pdv->pdv_sd = NULL; - } -@@ -1088,7 +1066,6 @@ static sector_t pscsi_get_blocks(struct se_device *dev) - if (pdv->pdv_bd && pdv->pdv_bd->bd_part) - return pdv->pdv_bd->bd_part->nr_sects; - -- dump_stack(); - return 0; - } - --- -2.12.2 - -From 82bd06aba880215dadd3e33dc3d583d32df9dbbb Mon Sep 17 00:00:00 2001 -From: Anton Blanchard -Date: Mon, 13 Feb 2017 08:49:20 +1100 -Subject: [PATCH 126/251] scsi: lpfc: Add shutdown method for kexec -Content-Length: 1074 -Lines: 28 - -commit 85e8a23936ab3442de0c42da97d53b29f004ece1 upstream. - -We see lpfc devices regularly fail during kexec. Fix this by adding a -shutdown method which mirrors the remove method. - -Signed-off-by: Anton Blanchard -Reviewed-by: Mauricio Faria de Oliveira -Tested-by: Mauricio Faria de Oliveira -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/lpfc/lpfc_init.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c -index c14ab6c3ae40..60c21093f865 100644 ---- a/drivers/scsi/lpfc/lpfc_init.c -+++ b/drivers/scsi/lpfc/lpfc_init.c -@@ -11387,6 +11387,7 @@ static struct pci_driver lpfc_driver = { - .id_table = lpfc_id_table, - .probe = lpfc_pci_probe_one, - .remove = lpfc_pci_remove_one, -+ .shutdown = lpfc_pci_remove_one, - .suspend = lpfc_pci_suspend_one, - .resume = lpfc_pci_resume_one, - .err_handler = &lpfc_err_handler, --- -2.12.2 - -From 246760c61d9c4c0114ba5bd324df4ae17468e238 Mon Sep 17 00:00:00 2001 -From: Chris Leech -Date: Mon, 27 Feb 2017 16:58:36 -0800 -Subject: [PATCH 127/251] scsi: libiscsi: add lock around task lists to fix - list corruption regression -Content-Length: 6411 -Lines: 179 - -commit 6f8830f5bbab16e54f261de187f3df4644a5b977 upstream. - -There's a rather long standing regression from the commit "libiscsi: -Reduce locking contention in fast path" - -Depending on iSCSI target behavior, it's possible to hit the case in -iscsi_complete_task where the task is still on a pending list -(!list_empty(&task->running)). When that happens the task is removed -from the list while holding the session back_lock, but other task list -modification occur under the frwd_lock. That leads to linked list -corruption and eventually a panicked system. - -Rather than back out the session lock split entirely, in order to try -and keep some of the performance gains this patch adds another lock to -maintain the task lists integrity. - -Major enterprise supported kernels have been backing out the lock split -for while now, thanks to the efforts at IBM where a lab setup has the -most reliable reproducer I've seen on this issue. This patch has been -tested there successfully. - -Signed-off-by: Chris Leech -Fixes: 659743b02c41 ("[SCSI] libiscsi: Reduce locking contention in fast path") -Reported-by: Prashantha Subbarao -Reviewed-by: Guilherme G. Piccoli -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/libiscsi.c | 26 +++++++++++++++++++++++++- - include/scsi/libiscsi.h | 1 + - 2 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c -index 6bffd91b973a..c1ccf1ee99ea 100644 ---- a/drivers/scsi/libiscsi.c -+++ b/drivers/scsi/libiscsi.c -@@ -560,8 +560,12 @@ static void iscsi_complete_task(struct iscsi_task *task, int state) - WARN_ON_ONCE(task->state == ISCSI_TASK_FREE); - task->state = state; - -- if (!list_empty(&task->running)) -+ spin_lock_bh(&conn->taskqueuelock); -+ if (!list_empty(&task->running)) { -+ pr_debug_once("%s while task on list", __func__); - list_del_init(&task->running); -+ } -+ spin_unlock_bh(&conn->taskqueuelock); - - if (conn->task == task) - conn->task = NULL; -@@ -783,7 +787,9 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, - if (session->tt->xmit_task(task)) - goto free_task; - } else { -+ spin_lock_bh(&conn->taskqueuelock); - list_add_tail(&task->running, &conn->mgmtqueue); -+ spin_unlock_bh(&conn->taskqueuelock); - iscsi_conn_queue_work(conn); - } - -@@ -1474,8 +1480,10 @@ void iscsi_requeue_task(struct iscsi_task *task) - * this may be on the requeue list already if the xmit_task callout - * is handling the r2ts while we are adding new ones - */ -+ spin_lock_bh(&conn->taskqueuelock); - if (list_empty(&task->running)) - list_add_tail(&task->running, &conn->requeue); -+ spin_unlock_bh(&conn->taskqueuelock); - iscsi_conn_queue_work(conn); - } - EXPORT_SYMBOL_GPL(iscsi_requeue_task); -@@ -1512,22 +1520,26 @@ static int iscsi_data_xmit(struct iscsi_conn *conn) - * only have one nop-out as a ping from us and targets should not - * overflow us with nop-ins - */ -+ spin_lock_bh(&conn->taskqueuelock); - check_mgmt: - while (!list_empty(&conn->mgmtqueue)) { - conn->task = list_entry(conn->mgmtqueue.next, - struct iscsi_task, running); - list_del_init(&conn->task->running); -+ spin_unlock_bh(&conn->taskqueuelock); - if (iscsi_prep_mgmt_task(conn, conn->task)) { - /* regular RX path uses back_lock */ - spin_lock_bh(&conn->session->back_lock); - __iscsi_put_task(conn->task); - spin_unlock_bh(&conn->session->back_lock); - conn->task = NULL; -+ spin_lock_bh(&conn->taskqueuelock); - continue; - } - rc = iscsi_xmit_task(conn); - if (rc) - goto done; -+ spin_lock_bh(&conn->taskqueuelock); - } - - /* process pending command queue */ -@@ -1535,19 +1547,24 @@ check_mgmt: - conn->task = list_entry(conn->cmdqueue.next, struct iscsi_task, - running); - list_del_init(&conn->task->running); -+ spin_unlock_bh(&conn->taskqueuelock); - if (conn->session->state == ISCSI_STATE_LOGGING_OUT) { - fail_scsi_task(conn->task, DID_IMM_RETRY); -+ spin_lock_bh(&conn->taskqueuelock); - continue; - } - rc = iscsi_prep_scsi_cmd_pdu(conn->task); - if (rc) { - if (rc == -ENOMEM || rc == -EACCES) { -+ spin_lock_bh(&conn->taskqueuelock); - list_add_tail(&conn->task->running, - &conn->cmdqueue); - conn->task = NULL; -+ spin_unlock_bh(&conn->taskqueuelock); - goto done; - } else - fail_scsi_task(conn->task, DID_ABORT); -+ spin_lock_bh(&conn->taskqueuelock); - continue; - } - rc = iscsi_xmit_task(conn); -@@ -1558,6 +1575,7 @@ check_mgmt: - * we need to check the mgmt queue for nops that need to - * be sent to aviod starvation - */ -+ spin_lock_bh(&conn->taskqueuelock); - if (!list_empty(&conn->mgmtqueue)) - goto check_mgmt; - } -@@ -1577,12 +1595,15 @@ check_mgmt: - conn->task = task; - list_del_init(&conn->task->running); - conn->task->state = ISCSI_TASK_RUNNING; -+ spin_unlock_bh(&conn->taskqueuelock); - rc = iscsi_xmit_task(conn); - if (rc) - goto done; -+ spin_lock_bh(&conn->taskqueuelock); - if (!list_empty(&conn->mgmtqueue)) - goto check_mgmt; - } -+ spin_unlock_bh(&conn->taskqueuelock); - spin_unlock_bh(&conn->session->frwd_lock); - return -ENODATA; - -@@ -1738,7 +1759,9 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc) - goto prepd_reject; - } - } else { -+ spin_lock_bh(&conn->taskqueuelock); - list_add_tail(&task->running, &conn->cmdqueue); -+ spin_unlock_bh(&conn->taskqueuelock); - iscsi_conn_queue_work(conn); - } - -@@ -2900,6 +2923,7 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, - INIT_LIST_HEAD(&conn->mgmtqueue); - INIT_LIST_HEAD(&conn->cmdqueue); - INIT_LIST_HEAD(&conn->requeue); -+ spin_lock_init(&conn->taskqueuelock); - INIT_WORK(&conn->xmitwork, iscsi_xmitworker); - - /* allocate login_task used for the login/text sequences */ -diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h -index 4d1c46aac331..c7b1dc713cdd 100644 ---- a/include/scsi/libiscsi.h -+++ b/include/scsi/libiscsi.h -@@ -196,6 +196,7 @@ struct iscsi_conn { - struct iscsi_task *task; /* xmit task in progress */ - - /* xmit */ -+ spinlock_t taskqueuelock; /* protects the next three lists */ - struct list_head mgmtqueue; /* mgmt (control) xmit queue */ - struct list_head cmdqueue; /* data-path cmd queue */ - struct list_head requeue; /* tasks needing another run */ --- -2.12.2 - From d267ecbdfdb4199c0e3a967ecc17a6b80d95209a Mon Sep 17 00:00:00 2001 From: Max Lohrmann Date: Tue, 7 Mar 2017 22:09:56 -0800 @@ -2124,6 +1663,7 @@ From a5c3f390eb7799c3d1d92121382372b1fd365fa3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 26 Mar 2017 12:13:55 +0200 Subject: [PATCH 133/251] Linux 4.4.57 +Status: RO Content-Length: 301 Lines: 18 @@ -3940,112 +3480,6 @@ index bda164089904..62d37d2ac557 100644 -- 2.12.2 -From c856b66c8aac95c74c0ddad4ce1d55a6741e23db Mon Sep 17 00:00:00 2001 -From: Ankur Arora -Date: Tue, 21 Mar 2017 15:43:38 -0700 -Subject: [PATCH 176/251] xen/acpi: upload PM state from init-domain to Xen -Content-Length: 3186 -Lines: 98 - -commit 1914f0cd203c941bba72f9452c8290324f1ef3dc upstream. - -This was broken in commit cd979883b9ed ("xen/acpi-processor: -fix enabling interrupts on syscore_resume"). do_suspend (from -xen/manage.c) and thus xen_resume_notifier never get called on -the initial-domain at resume (it is if running as guest.) - -The rationale for the breaking change was that upload_pm_data() -potentially does blocking work in syscore_resume(). This patch -addresses the original issue by scheduling upload_pm_data() to -execute in workqueue context. - -Cc: Stanislaw Gruszka -Based-on-patch-by: Konrad Wilk -Reviewed-by: Konrad Rzeszutek Wilk -Reviewed-by: Stanislaw Gruszka -Signed-off-by: Ankur Arora -Signed-off-by: Boris Ostrovsky -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/xen-acpi-processor.c | 34 ++++++++++++++++++++++++++-------- - 1 file changed, 26 insertions(+), 8 deletions(-) - -diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c -index 611f9c11da85..2e319d0c395d 100644 ---- a/drivers/xen/xen-acpi-processor.c -+++ b/drivers/xen/xen-acpi-processor.c -@@ -27,10 +27,10 @@ - #include - #include - #include -+#include - #include - #include - #include --#include - #include - #include - -@@ -466,15 +466,33 @@ static int xen_upload_processor_pm_data(void) - return rc; - } - --static int xen_acpi_processor_resume(struct notifier_block *nb, -- unsigned long action, void *data) -+static void xen_acpi_processor_resume_worker(struct work_struct *dummy) - { -+ int rc; -+ - bitmap_zero(acpi_ids_done, nr_acpi_bits); -- return xen_upload_processor_pm_data(); -+ -+ rc = xen_upload_processor_pm_data(); -+ if (rc != 0) -+ pr_info("ACPI data upload failed, error = %d\n", rc); -+} -+ -+static void xen_acpi_processor_resume(void) -+{ -+ static DECLARE_WORK(wq, xen_acpi_processor_resume_worker); -+ -+ /* -+ * xen_upload_processor_pm_data() calls non-atomic code. -+ * However, the context for xen_acpi_processor_resume is syscore -+ * with only the boot CPU online and in an atomic context. -+ * -+ * So defer the upload for some point safer. -+ */ -+ schedule_work(&wq); - } - --struct notifier_block xen_acpi_processor_resume_nb = { -- .notifier_call = xen_acpi_processor_resume, -+static struct syscore_ops xap_syscore_ops = { -+ .resume = xen_acpi_processor_resume, - }; - - static int __init xen_acpi_processor_init(void) -@@ -527,7 +545,7 @@ static int __init xen_acpi_processor_init(void) - if (rc) - goto err_unregister; - -- xen_resume_notifier_register(&xen_acpi_processor_resume_nb); -+ register_syscore_ops(&xap_syscore_ops); - - return 0; - err_unregister: -@@ -544,7 +562,7 @@ static void __exit xen_acpi_processor_exit(void) - { - int i; - -- xen_resume_notifier_unregister(&xen_acpi_processor_resume_nb); -+ unregister_syscore_ops(&xap_syscore_ops); - kfree(acpi_ids_done); - kfree(acpi_id_present); - kfree(acpi_id_cst_present); --- -2.12.2 - From 55b6c187cf9d12d8e667ccfa5386bd162fc7ae2b Mon Sep 17 00:00:00 2001 From: Koos Vriezen Date: Wed, 1 Mar 2017 21:02:50 +0100 @@ -4827,98 +4261,6 @@ index eb1b8c8acfcb..8146b0cf20ce 100644 -- 2.12.2 -From ec52364445a497a0045c61145f0d795b606c23bb Mon Sep 17 00:00:00 2001 -From: Sumit Semwal -Date: Sat, 25 Mar 2017 21:48:01 +0530 -Subject: [PATCH 188/251] xen: do not re-use pirq number cached in pci device - msi msg data -Content-Length: 3533 -Lines: 83 - -From: Dan Streetman - -[ Upstream commit c74fd80f2f41d05f350bb478151021f88551afe8 ] - -Revert the main part of commit: -af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests") - -That commit introduced reading the pci device's msi message data to see -if a pirq was previously configured for the device's msi/msix, and re-use -that pirq. At the time, that was the correct behavior. However, a -later change to Qemu caused it to call into the Xen hypervisor to unmap -all pirqs for a pci device, when the pci device disables its MSI/MSIX -vectors; specifically the Qemu commit: -c976437c7dba9c7444fb41df45468968aaa326ad -("qemu-xen: free all the pirqs for msi/msix when driver unload") - -Once Qemu added this pirq unmapping, it was no longer correct for the -kernel to re-use the pirq number cached in the pci device msi message -data. All Qemu releases since 2.1.0 contain the patch that unmaps the -pirqs when the pci device disables its MSI/MSIX vectors. - -This bug is causing failures to initialize multiple NVMe controllers -under Xen, because the NVMe driver sets up a single MSIX vector for -each controller (concurrently), and then after using that to talk to -the controller for some configuration data, it disables the single MSIX -vector and re-configures all the MSIX vectors it needs. So the MSIX -setup code tries to re-use the cached pirq from the first vector -for each controller, but the hypervisor has already given away that -pirq to another controller, and its initialization fails. - -This is discussed in more detail at: -https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html - -Fixes: af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests") -Signed-off-by: Dan Streetman -Reviewed-by: Stefano Stabellini -Acked-by: Konrad Rzeszutek Wilk -Signed-off-by: Boris Ostrovsky -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/pci/xen.c | 23 +++++++---------------- - 1 file changed, 7 insertions(+), 16 deletions(-) - -diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c -index c6d6efed392a..7575f0798194 100644 ---- a/arch/x86/pci/xen.c -+++ b/arch/x86/pci/xen.c -@@ -231,23 +231,14 @@ static int xen_hvm_setup_msi_irqs(struct pci_dev *dev, int nvec, int type) - return 1; - - for_each_pci_msi_entry(msidesc, dev) { -- __pci_read_msi_msg(msidesc, &msg); -- pirq = MSI_ADDR_EXT_DEST_ID(msg.address_hi) | -- ((msg.address_lo >> MSI_ADDR_DEST_ID_SHIFT) & 0xff); -- if (msg.data != XEN_PIRQ_MSI_DATA || -- xen_irq_from_pirq(pirq) < 0) { -- pirq = xen_allocate_pirq_msi(dev, msidesc); -- if (pirq < 0) { -- irq = -ENODEV; -- goto error; -- } -- xen_msi_compose_msg(dev, pirq, &msg); -- __pci_write_msi_msg(msidesc, &msg); -- dev_dbg(&dev->dev, "xen: msi bound to pirq=%d\n", pirq); -- } else { -- dev_dbg(&dev->dev, -- "xen: msi already bound to pirq=%d\n", pirq); -+ pirq = xen_allocate_pirq_msi(dev, msidesc); -+ if (pirq < 0) { -+ irq = -ENODEV; -+ goto error; - } -+ xen_msi_compose_msg(dev, pirq, &msg); -+ __pci_write_msi_msg(msidesc, &msg); -+ dev_dbg(&dev->dev, "xen: msi bound to pirq=%d\n", pirq); - irq = xen_bind_pirq_msi_to_irq(dev, msidesc, pirq, - (type == PCI_CAP_ID_MSI) ? nvec : 1, - (type == PCI_CAP_ID_MSIX) ? --- -2.12.2 - From 4db313df49466185211ea7d6d675f8c4f6724e23 Mon Sep 17 00:00:00 2001 From: Sumit Semwal Date: Sat, 25 Mar 2017 21:48:02 +0530 @@ -6573,6 +5915,7 @@ From 0a5766a6a73b1eb6a0dfa74adc40272e555ac2f0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 30 Mar 2017 09:36:33 +0200 Subject: [PATCH 209/251] Linux 4.4.58 +Status: RO Content-Length: 301 Lines: 18 @@ -7254,6 +6597,7 @@ From 61a4577c9a4419b99e647744923517d47255da35 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 31 Mar 2017 10:17:09 +0200 Subject: [PATCH 224/251] Linux 4.4.59 +Status: RO Content-Length: 301 Lines: 18 @@ -7389,296 +6733,6 @@ index b8d927c56494..a6b2f2138c9d 100644 -- 2.12.2 -From 1eed198ce16b6e05c05ee381e5d90fac35ea67a7 Mon Sep 17 00:00:00 2001 -From: Ross Lagerwall -Date: Mon, 12 Dec 2016 14:35:13 +0000 -Subject: [PATCH 226/251] xen/setup: Don't relocate p2m over existing one -Content-Length: 1354 -Lines: 45 - -commit 7ecec8503af37de6be4f96b53828d640a968705f upstream. - -When relocating the p2m, take special care not to relocate it so -that is overlaps with the current location of the p2m/initrd. This is -needed since the full extent of the current location is not marked as a -reserved region in the e820. - -This was seen to happen to a dom0 with a large initial p2m and a small -reserved region in the middle of the initial p2m. - -Signed-off-by: Ross Lagerwall -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/xen/setup.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c -index e345891450c3..df8844a1853a 100644 ---- a/arch/x86/xen/setup.c -+++ b/arch/x86/xen/setup.c -@@ -713,10 +713,9 @@ static void __init xen_reserve_xen_mfnlist(void) - size = PFN_PHYS(xen_start_info->nr_p2m_frames); - } - -- if (!xen_is_e820_reserved(start, size)) { -- memblock_reserve(start, size); -+ memblock_reserve(start, size); -+ if (!xen_is_e820_reserved(start, size)) - return; -- } - - #ifdef CONFIG_X86_32 - /* -@@ -727,6 +726,7 @@ static void __init xen_reserve_xen_mfnlist(void) - BUG(); - #else - xen_relocate_p2m(); -+ memblock_free(start, size); - #endif - } - --- -2.12.2 - -From 18639c4bad72218954e728e9ca65c33b13ba673a Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Sun, 1 Jan 2017 09:39:24 -0800 -Subject: [PATCH 227/251] scsi: mpt3sas: fix hang on ata passthrough commands -Content-Length: 5334 -Lines: 148 - -commit ffb58456589443ca572221fabbdef3db8483a779 upstream. - -mpt3sas has a firmware failure where it can only handle one pass through -ATA command at a time. If another comes in, contrary to the SAT -standard, it will hang until the first one completes (causing long -commands like secure erase to timeout). The original fix was to block -the device when an ATA command came in, but this caused a regression -with - -commit 669f044170d8933c3d66d231b69ea97cb8447338 -Author: Bart Van Assche -Date: Tue Nov 22 16:17:13 2016 -0800 - - scsi: srp_transport: Move queuecommand() wait code to SCSI core - -So fix the original fix of the secure erase timeout by properly -returning SAM_STAT_BUSY like the SAT recommends. The original patch -also had a concurrency problem since scsih_qcmd is lockless at that -point (this is fixed by using atomic bitops to set and test the flag). - -[mkp: addressed feedback wrt. test_bit and fixed whitespace] - -Fixes: 18f6084a989ba1b (mpt3sas: Fix secure erase premature termination) -Signed-off-by: James Bottomley -Acked-by: Sreekanth Reddy -Reviewed-by: Christoph Hellwig -Reported-by: Ingo Molnar -Tested-by: Ingo Molnar -Signed-off-by: Martin K. Petersen -Cc: Joe Korty -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/mpt3sas/mpt3sas_base.h | 12 +++++++++++ - drivers/scsi/mpt3sas/mpt3sas_scsih.c | 40 +++++++++++++++++++++++------------- - 2 files changed, 38 insertions(+), 14 deletions(-) - -diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.h b/drivers/scsi/mpt3sas/mpt3sas_base.h -index 92648a5ea2d2..63f5965acc89 100644 ---- a/drivers/scsi/mpt3sas/mpt3sas_base.h -+++ b/drivers/scsi/mpt3sas/mpt3sas_base.h -@@ -390,6 +390,7 @@ struct MPT3SAS_TARGET { - * @eedp_enable: eedp support enable bit - * @eedp_type: 0(type_1), 1(type_2), 2(type_3) - * @eedp_block_length: block size -+ * @ata_command_pending: SATL passthrough outstanding for device - */ - struct MPT3SAS_DEVICE { - struct MPT3SAS_TARGET *sas_target; -@@ -398,6 +399,17 @@ struct MPT3SAS_DEVICE { - u8 configured_lun; - u8 block; - u8 tlr_snoop_check; -+ /* -+ * Bug workaround for SATL handling: the mpt2/3sas firmware -+ * doesn't return BUSY or TASK_SET_FULL for subsequent -+ * commands while a SATL pass through is in operation as the -+ * spec requires, it simply does nothing with them until the -+ * pass through completes, causing them possibly to timeout if -+ * the passthrough is a long executing command (like format or -+ * secure erase). This variable allows us to do the right -+ * thing while a SATL command is pending. -+ */ -+ unsigned long ata_command_pending; - }; - - #define MPT3_CMD_NOT_USED 0x8000 /* free */ -diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -index f6a8e9958e75..8a5fbdb45cfd 100644 ---- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c -+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c -@@ -3707,9 +3707,18 @@ _scsih_temp_threshold_events(struct MPT3SAS_ADAPTER *ioc, - } - } - --static inline bool ata_12_16_cmd(struct scsi_cmnd *scmd) -+static int _scsih_set_satl_pending(struct scsi_cmnd *scmd, bool pending) - { -- return (scmd->cmnd[0] == ATA_12 || scmd->cmnd[0] == ATA_16); -+ struct MPT3SAS_DEVICE *priv = scmd->device->hostdata; -+ -+ if (scmd->cmnd[0] != ATA_12 && scmd->cmnd[0] != ATA_16) -+ return 0; -+ -+ if (pending) -+ return test_and_set_bit(0, &priv->ata_command_pending); -+ -+ clear_bit(0, &priv->ata_command_pending); -+ return 0; - } - - /** -@@ -3733,9 +3742,7 @@ _scsih_flush_running_cmds(struct MPT3SAS_ADAPTER *ioc) - if (!scmd) - continue; - count++; -- if (ata_12_16_cmd(scmd)) -- scsi_internal_device_unblock(scmd->device, -- SDEV_RUNNING); -+ _scsih_set_satl_pending(scmd, false); - mpt3sas_base_free_smid(ioc, smid); - scsi_dma_unmap(scmd); - if (ioc->pci_error_recovery) -@@ -3866,13 +3873,6 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd) - if (ioc->logging_level & MPT_DEBUG_SCSI) - scsi_print_command(scmd); - -- /* -- * Lock the device for any subsequent command until command is -- * done. -- */ -- if (ata_12_16_cmd(scmd)) -- scsi_internal_device_block(scmd->device); -- - sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { - scmd->result = DID_NO_CONNECT << 16; -@@ -3886,6 +3886,19 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd) - return 0; - } - -+ /* -+ * Bug work around for firmware SATL handling. The loop -+ * is based on atomic operations and ensures consistency -+ * since we're lockless at this point -+ */ -+ do { -+ if (test_bit(0, &sas_device_priv_data->ata_command_pending)) { -+ scmd->result = SAM_STAT_BUSY; -+ scmd->scsi_done(scmd); -+ return 0; -+ } -+ } while (_scsih_set_satl_pending(scmd, true)); -+ - sas_target_priv_data = sas_device_priv_data->sas_target; - - /* invalid device handle */ -@@ -4445,8 +4458,7 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply) - if (scmd == NULL) - return 1; - -- if (ata_12_16_cmd(scmd)) -- scsi_internal_device_unblock(scmd->device, SDEV_RUNNING); -+ _scsih_set_satl_pending(scmd, false); - - mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); - --- -2.12.2 - -From a92f411914cad6532e82e4607bc4075a5ffaa366 Mon Sep 17 00:00:00 2001 -From: peter chang -Date: Wed, 15 Feb 2017 14:11:54 -0800 -Subject: [PATCH 228/251] scsi: sg: check length passed to SG_NEXT_CMD_LEN -Content-Length: 932 -Lines: 29 - -commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream. - -The user can control the size of the next command passed along, but the -value passed to the ioctl isn't checked against the usable max command -size. - -Signed-off-by: Peter Chang -Acked-by: Douglas Gilbert -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/sg.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index dedcff9cabb5..6514636431ab 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -1008,6 +1008,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) - result = get_user(val, ip); - if (result) - return result; -+ if (val > SG_MAX_CDB_SIZE) -+ return -ENOMEM; - sfp->next_cmd_len = (val > 0) ? val : 0; - return 0; - case SG_GET_VERSION_NUM: --- -2.12.2 - -From 75a03869c93a443ae068eae9aca0c0df8b33dff5 Mon Sep 17 00:00:00 2001 -From: John Garry -Date: Thu, 16 Mar 2017 23:07:28 +0800 -Subject: [PATCH 229/251] scsi: libsas: fix ata xfer length -Content-Length: 1328 -Lines: 36 - -commit 9702c67c6066f583b629cf037d2056245bb7a8e6 upstream. - -The total ata xfer length may not be calculated properly, in that we do -not use the proper method to get an sg element dma length. - -According to the code comment, sg_dma_len() should be used after -dma_map_sg() is called. - -This issue was found by turning on the SMMUv3 in front of the hisi_sas -controller in hip07. Multiple sg elements were being combined into a -single element, but the original first element length was being use as -the total xfer length. - -Fixes: ff2aeb1eb64c8a4770a6 ("libata: convert to chained sg") -Signed-off-by: John Garry -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/libsas/sas_ata.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c -index 9c706d8c1441..6f5e2720ffad 100644 ---- a/drivers/scsi/libsas/sas_ata.c -+++ b/drivers/scsi/libsas/sas_ata.c -@@ -218,7 +218,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc) - task->num_scatter = qc->n_elem; - } else { - for_each_sg(qc->sg, sg, qc->n_elem, si) -- xfer += sg->length; -+ xfer += sg_dma_len(sg); - - task->total_xfer_len = xfer; - task->num_scatter = si; --- -2.12.2 - From 3342857ac074768e14e361392ac09fbbd70d840e Mon Sep 17 00:00:00 2001 From: Josh Poimboeuf Date: Thu, 16 Mar 2017 08:56:28 -0500 @@ -7784,87 +6838,6 @@ index 296b7a14893a..5365ff6e69c1 100644 -- 2.12.2 -From 74b8fc017d7689d1a60c9e234b2cfe3550b7f414 Mon Sep 17 00:00:00 2001 -From: Richard Genoud -Date: Mon, 20 Mar 2017 11:52:41 +0100 -Subject: [PATCH 235/251] tty/serial: atmel: fix race condition (TX+DMA) -Content-Length: 1106 -Lines: 33 - -commit 31ca2c63fdc0aee725cbd4f207c1256f5deaabde upstream. - -If uart_flush_buffer() is called between atmel_tx_dma() and -atmel_complete_tx_dma(), the circular buffer has been cleared, but not -atmel_port->tx_len. -That leads to a circular buffer overflow (dumping (UART_XMIT_SIZE - -atmel_port->tx_len) bytes). - -Tested-by: Nicolas Ferre -Signed-off-by: Richard Genoud -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/atmel_serial.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c -index a0f911641b04..156a262b6b65 100644 ---- a/drivers/tty/serial/atmel_serial.c -+++ b/drivers/tty/serial/atmel_serial.c -@@ -1987,6 +1987,11 @@ static void atmel_flush_buffer(struct uart_port *port) - atmel_uart_writel(port, ATMEL_PDC_TCR, 0); - atmel_port->pdc_tx.ofs = 0; - } -+ /* -+ * in uart_flush_buffer(), the xmit circular buffer has just -+ * been cleared, so we have to reset tx_len accordingly. -+ */ -+ atmel_port->tx_len = 0; - } - - /* --- -2.12.2 - -From 0a1757cfa5ba3b46f6ee7a74ddb7a5c0bd5d7c2f Mon Sep 17 00:00:00 2001 -From: Nicolas Ferre -Date: Mon, 20 Mar 2017 16:38:57 +0100 -Subject: [PATCH 236/251] tty/serial: atmel: fix TX path in - atmel_console_write() -Content-Length: 1304 -Lines: 31 - -commit 497e1e16f45c70574dc9922c7f75c642c2162119 upstream. - -A side effect of 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA -from transmitting in stop_tx") is that the console can be called with -TX path disabled. Then the system would hang trying to push charecters -out in atmel_console_putchar(). - -Signed-off-by: Nicolas Ferre -Fixes: 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx") -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/atmel_serial.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c -index 156a262b6b65..a15070a7fcd6 100644 ---- a/drivers/tty/serial/atmel_serial.c -+++ b/drivers/tty/serial/atmel_serial.c -@@ -2504,6 +2504,9 @@ static void atmel_console_write(struct console *co, const char *s, u_int count) - pdc_tx = atmel_uart_readl(port, ATMEL_PDC_PTSR) & ATMEL_PDC_TXTEN; - atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTDIS); - -+ /* Make sure that tx path is actually able to send characters */ -+ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXEN); -+ - uart_console_write(port, s, count, atmel_console_putchar); - - /* --- -2.12.2 - From 3eb392056aeb4a0beca5fcead9ad3d6b6ff0816e Mon Sep 17 00:00:00 2001 From: Peter Xu Date: Wed, 15 Mar 2017 16:01:17 +0800 @@ -8851,6 +7824,7 @@ From 8f8ee9706b0a64a3506b9d9789ace7c44f3d817d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 8 Apr 2017 09:53:53 +0200 Subject: [PATCH 251/251] Linux 4.4.60 +Status: RO Content-Length: 301 Lines: 18 @@ -8877,6 +7851,7 @@ From a80c068fbf43e22f099c0587b9e1a2337378a505 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 18 Apr 2017 07:15:37 +0200 Subject: [PATCH 52/52] Linux 4.4.62 +Status: RO Content-Length: 301 Lines: 18 @@ -8899,184 +7874,6 @@ index ef5045b8201d..0309acc34472 100644 -- 2.12.2 -From 7d170f270a95639192cfd53dcb15e6d8530b4577 Mon Sep 17 00:00:00 2001 -From: Thomas Falcon -Date: Thu, 8 Dec 2016 16:40:03 -0600 -Subject: [PATCH 51/52] ibmveth: set correct gso_size and gso_type -Content-Length: 5980 -Lines: 170 - -commit 7b5967389f5a8dfb9d32843830f5e2717e20995d upstream. - -This patch is based on an earlier one submitted -by Jon Maxwell with the following commit message: - -"We recently encountered a bug where a few customers using ibmveth on the -same LPAR hit an issue where a TCP session hung when large receive was -enabled. Closer analysis revealed that the session was stuck because the -one side was advertising a zero window repeatedly. - -We narrowed this down to the fact the ibmveth driver did not set gso_size -which is translated by TCP into the MSS later up the stack. The MSS is -used to calculate the TCP window size and as that was abnormally large, -it was calculating a zero window, even although the sockets receive buffer -was completely empty." - -We rely on the Virtual I/O Server partition in a pseries -environment to provide the MSS through the TCP header checksum -field. The stipulation is that users should not disable checksum -offloading if rx packet aggregation is enabled through VIOS. - -Some firmware offerings provide the MSS in the RX buffer. -This is signalled by a bit in the RX queue descriptor. - -Reviewed-by: Brian King -Reviewed-by: Pradeep Satyanarayana -Reviewed-by: Marcelo Ricardo Leitner -Reviewed-by: Jonathan Maxwell -Reviewed-by: David Dai -Signed-off-by: Thomas Falcon -Signed-off-by: David S. Miller -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/ibm/ibmveth.c | 65 ++++++++++++++++++++++++++++++++++++-- - drivers/net/ethernet/ibm/ibmveth.h | 1 + - 2 files changed, 64 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c -index 7af870a3c549..855c43d8f7e0 100644 ---- a/drivers/net/ethernet/ibm/ibmveth.c -+++ b/drivers/net/ethernet/ibm/ibmveth.c -@@ -58,7 +58,7 @@ static struct kobj_type ktype_veth_pool; - - static const char ibmveth_driver_name[] = "ibmveth"; - static const char ibmveth_driver_string[] = "IBM Power Virtual Ethernet Driver"; --#define ibmveth_driver_version "1.05" -+#define ibmveth_driver_version "1.06" - - MODULE_AUTHOR("Santiago Leon "); - MODULE_DESCRIPTION("IBM Power Virtual Ethernet Driver"); -@@ -137,6 +137,11 @@ static inline int ibmveth_rxq_frame_offset(struct ibmveth_adapter *adapter) - return ibmveth_rxq_flags(adapter) & IBMVETH_RXQ_OFF_MASK; - } - -+static inline int ibmveth_rxq_large_packet(struct ibmveth_adapter *adapter) -+{ -+ return ibmveth_rxq_flags(adapter) & IBMVETH_RXQ_LRG_PKT; -+} -+ - static inline int ibmveth_rxq_frame_length(struct ibmveth_adapter *adapter) - { - return be32_to_cpu(adapter->rx_queue.queue_addr[adapter->rx_queue.index].length); -@@ -1172,6 +1177,45 @@ map_failed: - goto retry_bounce; - } - -+static void ibmveth_rx_mss_helper(struct sk_buff *skb, u16 mss, int lrg_pkt) -+{ -+ int offset = 0; -+ -+ /* only TCP packets will be aggregated */ -+ if (skb->protocol == htons(ETH_P_IP)) { -+ struct iphdr *iph = (struct iphdr *)skb->data; -+ -+ if (iph->protocol == IPPROTO_TCP) { -+ offset = iph->ihl * 4; -+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4; -+ } else { -+ return; -+ } -+ } else if (skb->protocol == htons(ETH_P_IPV6)) { -+ struct ipv6hdr *iph6 = (struct ipv6hdr *)skb->data; -+ -+ if (iph6->nexthdr == IPPROTO_TCP) { -+ offset = sizeof(struct ipv6hdr); -+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6; -+ } else { -+ return; -+ } -+ } else { -+ return; -+ } -+ /* if mss is not set through Large Packet bit/mss in rx buffer, -+ * expect that the mss will be written to the tcp header checksum. -+ */ -+ if (lrg_pkt) { -+ skb_shinfo(skb)->gso_size = mss; -+ } else if (offset) { -+ struct tcphdr *tcph = (struct tcphdr *)(skb->data + offset); -+ -+ skb_shinfo(skb)->gso_size = ntohs(tcph->check); -+ tcph->check = 0; -+ } -+} -+ - static int ibmveth_poll(struct napi_struct *napi, int budget) - { - struct ibmveth_adapter *adapter = -@@ -1180,6 +1224,7 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) - int frames_processed = 0; - unsigned long lpar_rc; - struct iphdr *iph; -+ u16 mss = 0; - - restart_poll: - while (frames_processed < budget) { -@@ -1197,9 +1242,21 @@ restart_poll: - int length = ibmveth_rxq_frame_length(adapter); - int offset = ibmveth_rxq_frame_offset(adapter); - int csum_good = ibmveth_rxq_csum_good(adapter); -+ int lrg_pkt = ibmveth_rxq_large_packet(adapter); - - skb = ibmveth_rxq_get_buffer(adapter); - -+ /* if the large packet bit is set in the rx queue -+ * descriptor, the mss will be written by PHYP eight -+ * bytes from the start of the rx buffer, which is -+ * skb->data at this stage -+ */ -+ if (lrg_pkt) { -+ __be64 *rxmss = (__be64 *)(skb->data + 8); -+ -+ mss = (u16)be64_to_cpu(*rxmss); -+ } -+ - new_skb = NULL; - if (length < rx_copybreak) - new_skb = netdev_alloc_skb(netdev, length); -@@ -1233,11 +1290,15 @@ restart_poll: - if (iph->check == 0xffff) { - iph->check = 0; - iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); -- adapter->rx_large_packets++; - } - } - } - -+ if (length > netdev->mtu + ETH_HLEN) { -+ ibmveth_rx_mss_helper(skb, mss, lrg_pkt); -+ adapter->rx_large_packets++; -+ } -+ - napi_gro_receive(napi, skb); /* send it up */ - - netdev->stats.rx_packets++; -diff --git a/drivers/net/ethernet/ibm/ibmveth.h b/drivers/net/ethernet/ibm/ibmveth.h -index 4eade67fe30c..7acda04d034e 100644 ---- a/drivers/net/ethernet/ibm/ibmveth.h -+++ b/drivers/net/ethernet/ibm/ibmveth.h -@@ -209,6 +209,7 @@ struct ibmveth_rx_q_entry { - #define IBMVETH_RXQ_TOGGLE 0x80000000 - #define IBMVETH_RXQ_TOGGLE_SHIFT 31 - #define IBMVETH_RXQ_VALID 0x40000000 -+#define IBMVETH_RXQ_LRG_PKT 0x04000000 - #define IBMVETH_RXQ_NO_CSUM 0x02000000 - #define IBMVETH_RXQ_CSUM_GOOD 0x01000000 - #define IBMVETH_RXQ_OFF_MASK 0x0000FFFF --- -2.12.2 - From ac0cbfbb1e4b84d426f210849492afadbc4b6bb9 Mon Sep 17 00:00:00 2001 From: Jack Morgenstein Date: Mon, 16 Jan 2017 18:31:38 +0200 @@ -9340,189 +8137,6 @@ index 28a4b34310b2..82bf1b539d87 100644 -- 2.12.2 -From 0a007f74b826836074de8bfcb1e197cada993718 Mon Sep 17 00:00:00 2001 -From: Guenter Roeck -Date: Thu, 1 Dec 2016 13:49:59 -0800 -Subject: [PATCH 47/52] usb: hub: Wait for connection to be reestablished after - port reset -Content-Length: 2521 -Lines: 61 - -commit 22547c4cc4fe20698a6a85a55b8788859134b8e4 upstream. - -On a system with a defective USB device connected to an USB hub, -an endless sequence of port connect events was observed. The sequence -of events as observed is as follows: - -- Port reports connected event (port status=USB_PORT_STAT_CONNECTION). -- Event handler debounces port and resets it by calling hub_port_reset(). -- hub_port_reset() calls hub_port_wait_reset() to wait for the reset - to complete. -- The reset completes, but USB_PORT_STAT_CONNECTION is not immediately - set in the port status register. -- hub_port_wait_reset() returns -ENOTCONN. -- Port initialization sequence is aborted. -- A few milliseconds later, the port again reports a connected event, - and the sequence repeats. - -This continues either forever or, randomly, stops if the connection -is already re-established when the port status is read. It results in -a high rate of udev events. This in turn destabilizes userspace since -the above sequence holds the device mutex pretty much continuously -and prevents userspace from actually reading the device status. - -To prevent the problem from happening, let's wait for the connection -to be re-established after a port reset. If the device was actually -disconnected, the code will still return an error, but it will do so -only after the long reset timeout. - -Cc: Douglas Anderson -Signed-off-by: Guenter Roeck -Acked-by: Alan Stern -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/core/hub.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 9e62c93af96e..7c2d87befb51 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -2602,8 +2602,15 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, - if (ret < 0) - return ret; - -- /* The port state is unknown until the reset completes. */ -- if (!(portstatus & USB_PORT_STAT_RESET)) -+ /* -+ * The port state is unknown until the reset completes. -+ * -+ * On top of that, some chips may require additional time -+ * to re-establish a connection after the reset is complete, -+ * so also wait for the connection to be re-established. -+ */ -+ if (!(portstatus & USB_PORT_STAT_RESET) && -+ (portstatus & USB_PORT_STAT_CONNECTION)) - break; - - /* switch to the long delay after two short delay failures */ --- -2.12.2 - -From f4522e36edaa9ec0cada0daa5c2628db762dd3d9 Mon Sep 17 00:00:00 2001 -From: Gabriel Krisman Bertazi -Date: Tue, 6 Dec 2016 13:31:44 -0200 -Subject: [PATCH 46/52] blk-mq: Avoid memory reclaim when remapping queues -Content-Length: 5065 -Lines: 105 - -commit 36e1f3d107867b25c616c2fd294f5a1c9d4e5d09 upstream. - -While stressing memory and IO at the same time we changed SMT settings, -we were able to consistently trigger deadlocks in the mm system, which -froze the entire machine. - -I think that under memory stress conditions, the large allocations -performed by blk_mq_init_rq_map may trigger a reclaim, which stalls -waiting on the block layer remmaping completion, thus deadlocking the -system. The trace below was collected after the machine stalled, -waiting for the hotplug event completion. - -The simplest fix for this is to make allocations in this path -non-reclaimable, with GFP_NOIO. With this patch, We couldn't hit the -issue anymore. - -This should apply on top of Jens's for-next branch cleanly. - -Changes since v1: - - Use GFP_NOIO instead of GFP_NOWAIT. - - Call Trace: -[c000000f0160aaf0] [c000000f0160ab50] 0xc000000f0160ab50 (unreliable) -[c000000f0160acc0] [c000000000016624] __switch_to+0x2e4/0x430 -[c000000f0160ad20] [c000000000b1a880] __schedule+0x310/0x9b0 -[c000000f0160ae00] [c000000000b1af68] schedule+0x48/0xc0 -[c000000f0160ae30] [c000000000b1b4b0] schedule_preempt_disabled+0x20/0x30 -[c000000f0160ae50] [c000000000b1d4fc] __mutex_lock_slowpath+0xec/0x1f0 -[c000000f0160aed0] [c000000000b1d678] mutex_lock+0x78/0xa0 -[c000000f0160af00] [d000000019413cac] xfs_reclaim_inodes_ag+0x33c/0x380 [xfs] -[c000000f0160b0b0] [d000000019415164] xfs_reclaim_inodes_nr+0x54/0x70 [xfs] -[c000000f0160b0f0] [d0000000194297f8] xfs_fs_free_cached_objects+0x38/0x60 [xfs] -[c000000f0160b120] [c0000000003172c8] super_cache_scan+0x1f8/0x210 -[c000000f0160b190] [c00000000026301c] shrink_slab.part.13+0x21c/0x4c0 -[c000000f0160b2d0] [c000000000268088] shrink_zone+0x2d8/0x3c0 -[c000000f0160b380] [c00000000026834c] do_try_to_free_pages+0x1dc/0x520 -[c000000f0160b450] [c00000000026876c] try_to_free_pages+0xdc/0x250 -[c000000f0160b4e0] [c000000000251978] __alloc_pages_nodemask+0x868/0x10d0 -[c000000f0160b6f0] [c000000000567030] blk_mq_init_rq_map+0x160/0x380 -[c000000f0160b7a0] [c00000000056758c] blk_mq_map_swqueue+0x33c/0x360 -[c000000f0160b820] [c000000000567904] blk_mq_queue_reinit+0x64/0xb0 -[c000000f0160b850] [c00000000056a16c] blk_mq_queue_reinit_notify+0x19c/0x250 -[c000000f0160b8a0] [c0000000000f5d38] notifier_call_chain+0x98/0x100 -[c000000f0160b8f0] [c0000000000c5fb0] __cpu_notify+0x70/0xe0 -[c000000f0160b930] [c0000000000c63c4] notify_prepare+0x44/0xb0 -[c000000f0160b9b0] [c0000000000c52f4] cpuhp_invoke_callback+0x84/0x250 -[c000000f0160ba10] [c0000000000c570c] cpuhp_up_callbacks+0x5c/0x120 -[c000000f0160ba60] [c0000000000c7cb8] _cpu_up+0xf8/0x1d0 -[c000000f0160bac0] [c0000000000c7eb0] do_cpu_up+0x120/0x150 -[c000000f0160bb40] [c0000000006fe024] cpu_subsys_online+0x64/0xe0 -[c000000f0160bb90] [c0000000006f5124] device_online+0xb4/0x120 -[c000000f0160bbd0] [c0000000006f5244] online_store+0xb4/0xc0 -[c000000f0160bc20] [c0000000006f0a68] dev_attr_store+0x68/0xa0 -[c000000f0160bc60] [c0000000003ccc30] sysfs_kf_write+0x80/0xb0 -[c000000f0160bca0] [c0000000003cbabc] kernfs_fop_write+0x17c/0x250 -[c000000f0160bcf0] [c00000000030fe6c] __vfs_write+0x6c/0x1e0 -[c000000f0160bd90] [c000000000311490] vfs_write+0xd0/0x270 -[c000000f0160bde0] [c0000000003131fc] SyS_write+0x6c/0x110 -[c000000f0160be30] [c000000000009204] system_call+0x38/0xec - -Signed-off-by: Gabriel Krisman Bertazi -Cc: Brian King -Cc: Douglas Miller -Cc: linux-block@vger.kernel.org -Cc: linux-scsi@vger.kernel.org -Signed-off-by: Jens Axboe -Signed-off-by: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - block/blk-mq.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/block/blk-mq.c b/block/blk-mq.c -index d8d63c38bf29..0d1af3e44efb 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -1470,7 +1470,7 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set, - INIT_LIST_HEAD(&tags->page_list); - - tags->rqs = kzalloc_node(set->queue_depth * sizeof(struct request *), -- GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY, -+ GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY, - set->numa_node); - if (!tags->rqs) { - blk_mq_free_tags(tags); -@@ -1496,7 +1496,7 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set, - - do { - page = alloc_pages_node(set->numa_node, -- GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY | __GFP_ZERO, -+ GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY | __GFP_ZERO, - this_order); - if (page) - break; -@@ -1517,7 +1517,7 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set, - * Allow kmemleak to scan these pages as they contain pointers - * to additional allocations like via ops->init_request(). - */ -- kmemleak_alloc(p, order_to_size(this_order), 1, GFP_KERNEL); -+ kmemleak_alloc(p, order_to_size(this_order), 1, GFP_NOIO); - entries_per_page = order_to_size(this_order) / rq_size; - to_do = min(entries_per_page, set->queue_depth - i); - left -= to_do * rq_size; --- -2.12.2 - From d35f8fa0b93e61dd95b8f86928a783c4d8a32d3e Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 29 Mar 2017 16:11:20 +0200 @@ -9567,51 +8181,6 @@ index 3975ac809934..d76800108ddb 100644 -- 2.12.2 -From fd8bae310684b557c0b30ae9105420956a41494f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Horia=20Geant=C4=83?= -Date: Wed, 5 Apr 2017 11:41:03 +0300 -Subject: [PATCH 44/52] crypto: caam - fix RNG deinstantiation error checking -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 1333 -Lines: 34 - -commit 40c98cb57cdbc377456116ad4582c89e329721b0 upstream. - -RNG instantiation was previously fixed by -commit 62743a4145bb9 ("crypto: caam - fix RNG init descriptor ret. code checking") -while deinstantiation was not addressed. - -Since the descriptors used are similar, in the sense that they both end -with a JUMP HALT command, checking for errors should be similar too, -i.e. status code 7000_0000h should be considered successful. - -Fixes: 1005bccd7a4a6 ("crypto: caam - enable instantiation of all RNG4 state handles") -Signed-off-by: Horia Geantă -Signed-off-by: Herbert Xu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/crypto/caam/ctrl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c -index 69d4a1326fee..53e61459c69f 100644 ---- a/drivers/crypto/caam/ctrl.c -+++ b/drivers/crypto/caam/ctrl.c -@@ -278,7 +278,8 @@ static int deinstantiate_rng(struct device *ctrldev, int state_handle_mask) - /* Try to run it through DECO0 */ - ret = run_descriptor_deco0(ctrldev, desc, &status); - -- if (ret || status) { -+ if (ret || -+ (status && status != JRSTA_SSRC_JUMP_HALT_CC)) { - dev_err(ctrldev, - "Failed to deinstantiate RNG4 SH%d\n", - sh_idx); --- -2.12.2 - From ba7681e4eee6739e4f23a1ba21fb7737fe4ce4f4 Mon Sep 17 00:00:00 2001 From: Matt Redfearn Date: Wed, 25 Jan 2017 17:00:25 +0000 @@ -10131,77 +8700,6 @@ index c0720c1ee4c9..5abab8800891 100644 -- 2.12.2 -From 297f55bcb62ad0b6b290b01177d9395305d57020 Mon Sep 17 00:00:00 2001 -From: Janusz Dziedzic -Date: Mon, 13 Mar 2017 14:11:32 +0200 -Subject: [PATCH 36/52] usb: dwc3: gadget: delay unmap of bounced requests -Content-Length: 2203 -Lines: 63 - -commit de288e36fe33f7e06fa272bc8e2f85aa386d99aa upstream. - -In the case of bounced ep0 requests, we must delay DMA operation until -after ->complete() otherwise we might overwrite contents of req->buf. - -This caused problems with RNDIS gadget. - -Signed-off-by: Janusz Dziedzic -Signed-off-by: Felipe Balbi -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/dwc3/gadget.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - -diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c -index 210ff64857e1..ec7a50f98f57 100644 ---- a/drivers/usb/dwc3/gadget.c -+++ b/drivers/usb/dwc3/gadget.c -@@ -235,6 +235,7 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req, - int status) - { - struct dwc3 *dwc = dep->dwc; -+ unsigned int unmap_after_complete = false; - int i; - - if (req->queued) { -@@ -259,11 +260,19 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req, - if (req->request.status == -EINPROGRESS) - req->request.status = status; - -- if (dwc->ep0_bounced && dep->number <= 1) -+ /* -+ * NOTICE we don't want to unmap before calling ->complete() if we're -+ * dealing with a bounced ep0 request. If we unmap it here, we would end -+ * up overwritting the contents of req->buf and this could confuse the -+ * gadget driver. -+ */ -+ if (dwc->ep0_bounced && dep->number <= 1) { - dwc->ep0_bounced = false; -- -- usb_gadget_unmap_request(&dwc->gadget, &req->request, -- req->direction); -+ unmap_after_complete = true; -+ } else { -+ usb_gadget_unmap_request(&dwc->gadget, -+ &req->request, req->direction); -+ } - - dev_dbg(dwc->dev, "request %p from %s completed %d/%d ===> %d\n", - req, dep->name, req->request.actual, -@@ -273,6 +282,10 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req, - spin_unlock(&dwc->lock); - usb_gadget_giveback_request(&dep->endpoint, &req->request); - spin_lock(&dwc->lock); -+ -+ if (unmap_after_complete) -+ usb_gadget_unmap_request(&dwc->gadget, -+ &req->request, req->direction); - } - - int dwc3_send_gadget_generic_command(struct dwc3 *dwc, unsigned cmd, u32 param) --- -2.12.2 - From 8cfaf0ae1f566ddfcda661bd81b625a71b16459a Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Mon, 13 Mar 2017 17:06:17 +0000 @@ -10491,6 +8989,7 @@ From ec5e61608ad1919c1ff3cc0369dbf1b1ede9eb88 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 12 Apr 2017 12:38:50 +0200 Subject: [PATCH 33/52] Linux 4.4.61 +Status: RO Content-Length: 301 Lines: 18 diff --git a/queue-3.18/crypto-caam-fix-rng-deinstantiation-error-checking.patch b/queue-3.18/crypto-caam-fix-rng-deinstantiation-error-checking.patch new file mode 100644 index 00000000000..3295b23346c --- /dev/null +++ b/queue-3.18/crypto-caam-fix-rng-deinstantiation-error-checking.patch @@ -0,0 +1,41 @@ +From 40c98cb57cdbc377456116ad4582c89e329721b0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Wed, 5 Apr 2017 11:41:03 +0300 +Subject: crypto: caam - fix RNG deinstantiation error checking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 40c98cb57cdbc377456116ad4582c89e329721b0 upstream. + +RNG instantiation was previously fixed by +commit 62743a4145bb9 ("crypto: caam - fix RNG init descriptor ret. code checking") +while deinstantiation was not addressed. + +Since the descriptors used are similar, in the sense that they both end +with a JUMP HALT command, checking for errors should be similar too, +i.e. status code 7000_0000h should be considered successful. + +Fixes: 1005bccd7a4a6 ("crypto: caam - enable instantiation of all RNG4 state handles") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/ctrl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/caam/ctrl.c ++++ b/drivers/crypto/caam/ctrl.c +@@ -263,7 +263,8 @@ static int deinstantiate_rng(struct devi + /* Try to run it through DECO0 */ + ret = run_descriptor_deco0(ctrldev, desc, &status); + +- if (ret || status) { ++ if (ret || ++ (status && status != JRSTA_SSRC_JUMP_HALT_CC)) { + dev_err(ctrldev, + "Failed to deinstantiate RNG4 SH%d\n", + sh_idx); diff --git a/queue-3.18/scsi-libiscsi-add-lock-around-task-lists-to-fix-list-corruption-regression.patch b/queue-3.18/scsi-libiscsi-add-lock-around-task-lists-to-fix-list-corruption-regression.patch new file mode 100644 index 00000000000..e74534d3085 --- /dev/null +++ b/queue-3.18/scsi-libiscsi-add-lock-around-task-lists-to-fix-list-corruption-regression.patch @@ -0,0 +1,181 @@ +From 6f8830f5bbab16e54f261de187f3df4644a5b977 Mon Sep 17 00:00:00 2001 +From: Chris Leech +Date: Mon, 27 Feb 2017 16:58:36 -0800 +Subject: scsi: libiscsi: add lock around task lists to fix list corruption regression + +From: Chris Leech + +commit 6f8830f5bbab16e54f261de187f3df4644a5b977 upstream. + +There's a rather long standing regression from the commit "libiscsi: +Reduce locking contention in fast path" + +Depending on iSCSI target behavior, it's possible to hit the case in +iscsi_complete_task where the task is still on a pending list +(!list_empty(&task->running)). When that happens the task is removed +from the list while holding the session back_lock, but other task list +modification occur under the frwd_lock. That leads to linked list +corruption and eventually a panicked system. + +Rather than back out the session lock split entirely, in order to try +and keep some of the performance gains this patch adds another lock to +maintain the task lists integrity. + +Major enterprise supported kernels have been backing out the lock split +for while now, thanks to the efforts at IBM where a lab setup has the +most reliable reproducer I've seen on this issue. This patch has been +tested there successfully. + +Signed-off-by: Chris Leech +Fixes: 659743b02c41 ("[SCSI] libiscsi: Reduce locking contention in fast path") +Reported-by: Prashantha Subbarao +Reviewed-by: Guilherme G. Piccoli +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libiscsi.c | 26 +++++++++++++++++++++++++- + include/scsi/libiscsi.h | 1 + + 2 files changed, 26 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -560,8 +560,12 @@ static void iscsi_complete_task(struct i + WARN_ON_ONCE(task->state == ISCSI_TASK_FREE); + task->state = state; + +- if (!list_empty(&task->running)) ++ spin_lock_bh(&conn->taskqueuelock); ++ if (!list_empty(&task->running)) { ++ pr_debug_once("%s while task on list", __func__); + list_del_init(&task->running); ++ } ++ spin_unlock_bh(&conn->taskqueuelock); + + if (conn->task == task) + conn->task = NULL; +@@ -783,7 +787,9 @@ __iscsi_conn_send_pdu(struct iscsi_conn + if (session->tt->xmit_task(task)) + goto free_task; + } else { ++ spin_lock_bh(&conn->taskqueuelock); + list_add_tail(&task->running, &conn->mgmtqueue); ++ spin_unlock_bh(&conn->taskqueuelock); + iscsi_conn_queue_work(conn); + } + +@@ -1474,8 +1480,10 @@ void iscsi_requeue_task(struct iscsi_tas + * this may be on the requeue list already if the xmit_task callout + * is handling the r2ts while we are adding new ones + */ ++ spin_lock_bh(&conn->taskqueuelock); + if (list_empty(&task->running)) + list_add_tail(&task->running, &conn->requeue); ++ spin_unlock_bh(&conn->taskqueuelock); + iscsi_conn_queue_work(conn); + } + EXPORT_SYMBOL_GPL(iscsi_requeue_task); +@@ -1512,22 +1520,26 @@ static int iscsi_data_xmit(struct iscsi_ + * only have one nop-out as a ping from us and targets should not + * overflow us with nop-ins + */ ++ spin_lock_bh(&conn->taskqueuelock); + check_mgmt: + while (!list_empty(&conn->mgmtqueue)) { + conn->task = list_entry(conn->mgmtqueue.next, + struct iscsi_task, running); + list_del_init(&conn->task->running); ++ spin_unlock_bh(&conn->taskqueuelock); + if (iscsi_prep_mgmt_task(conn, conn->task)) { + /* regular RX path uses back_lock */ + spin_lock_bh(&conn->session->back_lock); + __iscsi_put_task(conn->task); + spin_unlock_bh(&conn->session->back_lock); + conn->task = NULL; ++ spin_lock_bh(&conn->taskqueuelock); + continue; + } + rc = iscsi_xmit_task(conn); + if (rc) + goto done; ++ spin_lock_bh(&conn->taskqueuelock); + } + + /* process pending command queue */ +@@ -1535,19 +1547,24 @@ check_mgmt: + conn->task = list_entry(conn->cmdqueue.next, struct iscsi_task, + running); + list_del_init(&conn->task->running); ++ spin_unlock_bh(&conn->taskqueuelock); + if (conn->session->state == ISCSI_STATE_LOGGING_OUT) { + fail_scsi_task(conn->task, DID_IMM_RETRY); ++ spin_lock_bh(&conn->taskqueuelock); + continue; + } + rc = iscsi_prep_scsi_cmd_pdu(conn->task); + if (rc) { + if (rc == -ENOMEM || rc == -EACCES) { ++ spin_lock_bh(&conn->taskqueuelock); + list_add_tail(&conn->task->running, + &conn->cmdqueue); + conn->task = NULL; ++ spin_unlock_bh(&conn->taskqueuelock); + goto done; + } else + fail_scsi_task(conn->task, DID_ABORT); ++ spin_lock_bh(&conn->taskqueuelock); + continue; + } + rc = iscsi_xmit_task(conn); +@@ -1558,6 +1575,7 @@ check_mgmt: + * we need to check the mgmt queue for nops that need to + * be sent to aviod starvation + */ ++ spin_lock_bh(&conn->taskqueuelock); + if (!list_empty(&conn->mgmtqueue)) + goto check_mgmt; + } +@@ -1577,12 +1595,15 @@ check_mgmt: + conn->task = task; + list_del_init(&conn->task->running); + conn->task->state = ISCSI_TASK_RUNNING; ++ spin_unlock_bh(&conn->taskqueuelock); + rc = iscsi_xmit_task(conn); + if (rc) + goto done; ++ spin_lock_bh(&conn->taskqueuelock); + if (!list_empty(&conn->mgmtqueue)) + goto check_mgmt; + } ++ spin_unlock_bh(&conn->taskqueuelock); + spin_unlock_bh(&conn->session->frwd_lock); + return -ENODATA; + +@@ -1738,7 +1759,9 @@ int iscsi_queuecommand(struct Scsi_Host + goto prepd_reject; + } + } else { ++ spin_lock_bh(&conn->taskqueuelock); + list_add_tail(&task->running, &conn->cmdqueue); ++ spin_unlock_bh(&conn->taskqueuelock); + iscsi_conn_queue_work(conn); + } + +@@ -2917,6 +2940,7 @@ iscsi_conn_setup(struct iscsi_cls_sessio + INIT_LIST_HEAD(&conn->mgmtqueue); + INIT_LIST_HEAD(&conn->cmdqueue); + INIT_LIST_HEAD(&conn->requeue); ++ spin_lock_init(&conn->taskqueuelock); + INIT_WORK(&conn->xmitwork, iscsi_xmitworker); + + /* allocate login_task used for the login/text sequences */ +--- a/include/scsi/libiscsi.h ++++ b/include/scsi/libiscsi.h +@@ -196,6 +196,7 @@ struct iscsi_conn { + struct iscsi_task *task; /* xmit task in progress */ + + /* xmit */ ++ spinlock_t taskqueuelock; /* protects the next three lists */ + struct list_head mgmtqueue; /* mgmt (control) xmit queue */ + struct list_head cmdqueue; /* data-path cmd queue */ + struct list_head requeue; /* tasks needing another run */ diff --git a/queue-3.18/scsi-libsas-fix-ata-xfer-length.patch b/queue-3.18/scsi-libsas-fix-ata-xfer-length.patch new file mode 100644 index 00000000000..ac63a7c1919 --- /dev/null +++ b/queue-3.18/scsi-libsas-fix-ata-xfer-length.patch @@ -0,0 +1,40 @@ +From 9702c67c6066f583b629cf037d2056245bb7a8e6 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Thu, 16 Mar 2017 23:07:28 +0800 +Subject: scsi: libsas: fix ata xfer length + +From: John Garry + +commit 9702c67c6066f583b629cf037d2056245bb7a8e6 upstream. + +The total ata xfer length may not be calculated properly, in that we do +not use the proper method to get an sg element dma length. + +According to the code comment, sg_dma_len() should be used after +dma_map_sg() is called. + +This issue was found by turning on the SMMUv3 in front of the hisi_sas +controller in hip07. Multiple sg elements were being combined into a +single element, but the original first element length was being use as +the total xfer length. + +Fixes: ff2aeb1eb64c8a4770a6 ("libata: convert to chained sg") +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libsas/sas_ata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/libsas/sas_ata.c ++++ b/drivers/scsi/libsas/sas_ata.c +@@ -219,7 +219,7 @@ static unsigned int sas_ata_qc_issue(str + task->num_scatter = qc->n_elem; + } else { + for_each_sg(qc->sg, sg, qc->n_elem, si) +- xfer += sg->length; ++ xfer += sg_dma_len(sg); + + task->total_xfer_len = xfer; + task->num_scatter = si; diff --git a/queue-3.18/scsi-lpfc-add-shutdown-method-for-kexec.patch b/queue-3.18/scsi-lpfc-add-shutdown-method-for-kexec.patch new file mode 100644 index 00000000000..43bea63e002 --- /dev/null +++ b/queue-3.18/scsi-lpfc-add-shutdown-method-for-kexec.patch @@ -0,0 +1,32 @@ +From 85e8a23936ab3442de0c42da97d53b29f004ece1 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Mon, 13 Feb 2017 08:49:20 +1100 +Subject: scsi: lpfc: Add shutdown method for kexec + +From: Anton Blanchard + +commit 85e8a23936ab3442de0c42da97d53b29f004ece1 upstream. + +We see lpfc devices regularly fail during kexec. Fix this by adding a +shutdown method which mirrors the remove method. + +Signed-off-by: Anton Blanchard +Reviewed-by: Mauricio Faria de Oliveira +Tested-by: Mauricio Faria de Oliveira +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -11249,6 +11249,7 @@ static struct pci_driver lpfc_driver = { + .id_table = lpfc_id_table, + .probe = lpfc_pci_probe_one, + .remove = lpfc_pci_remove_one, ++ .shutdown = lpfc_pci_remove_one, + .suspend = lpfc_pci_suspend_one, + .resume = lpfc_pci_resume_one, + .err_handler = &lpfc_err_handler, diff --git a/queue-3.18/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/queue-3.18/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch new file mode 100644 index 00000000000..5c487e60079 --- /dev/null +++ b/queue-3.18/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch @@ -0,0 +1,33 @@ +From bf33f87dd04c371ea33feb821b60d63d754e3124 Mon Sep 17 00:00:00 2001 +From: peter chang +Date: Wed, 15 Feb 2017 14:11:54 -0800 +Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN + +From: peter chang + +commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream. + +The user can control the size of the next command passed along, but the +value passed to the ioctl isn't checked against the usable max command +size. + +Signed-off-by: Peter Chang +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1017,6 +1017,8 @@ sg_ioctl(struct file *filp, unsigned int + result = get_user(val, ip); + if (result) + return result; ++ if (val > SG_MAX_CDB_SIZE) ++ return -ENOMEM; + sfp->next_cmd_len = (val > 0) ? val : 0; + return 0; + case SG_GET_VERSION_NUM: diff --git a/queue-3.18/series b/queue-3.18/series index ac4fe785b8c..c833184519f 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -40,3 +40,11 @@ alsa-seq-fix-race-during-fifo-resize.patch powerpc-mm-add-missing-global-tlb-invalidate-if-cxl-is-active.patch powerpc-don-t-try-to-fix-up-misaligned-load-with-reservation-instructions.patch powerpc-boot-fix-zimage-toc-alignment.patch +target-pscsi-fix-type_tape-type_medimum_changer-export.patch +scsi-lpfc-add-shutdown-method-for-kexec.patch +scsi-libiscsi-add-lock-around-task-lists-to-fix-list-corruption-regression.patch +scsi-sg-check-length-passed-to-sg_next_cmd_len.patch +scsi-libsas-fix-ata-xfer-length.patch +xen-acpi-upload-pm-state-from-init-domain-to-xen.patch +crypto-caam-fix-rng-deinstantiation-error-checking.patch +tty-serial-atmel-fix-race-condition-tx-dma.patch diff --git a/queue-3.18/target-pscsi-fix-type_tape-type_medimum_changer-export.patch b/queue-3.18/target-pscsi-fix-type_tape-type_medimum_changer-export.patch new file mode 100644 index 00000000000..d24e0c8c0b9 --- /dev/null +++ b/queue-3.18/target-pscsi-fix-type_tape-type_medimum_changer-export.patch @@ -0,0 +1,148 @@ +From a04e54f2c35823ca32d56afcd5cea5b783e2f51a Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 3 Nov 2016 23:06:53 -0700 +Subject: target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export + +From: Nicholas Bellinger + +commit a04e54f2c35823ca32d56afcd5cea5b783e2f51a upstream. + +The following fixes a divide by zero OOPs with TYPE_TAPE +due to pscsi_tape_read_blocksize() failing causing a zero +sd->sector_size being propigated up via dev_attrib.hw_block_size. + +It also fixes another long-standing bug where TYPE_TAPE and +TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(), +which does not call scsi_device_get() to take the device +reference. Instead, rename pscsi_create_type_rom() to +pscsi_create_type_nondisk() and use it for all cases. + +Finally, also drop a dump_stack() in pscsi_get_blocks() for +non TYPE_DISK, which in modern target-core can get invoked +via target_sense_desc_format() during CHECK_CONDITION. + +Reported-by: Malcolm Haak +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_pscsi.c | 47 +++++++++---------------------------- + 1 file changed, 12 insertions(+), 35 deletions(-) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -157,7 +157,7 @@ static void pscsi_tape_read_blocksize(st + + buf = kzalloc(12, GFP_KERNEL); + if (!buf) +- return; ++ goto out_free; + + memset(cdb, 0, MAX_COMMAND_SIZE); + cdb[0] = MODE_SENSE; +@@ -172,9 +172,10 @@ static void pscsi_tape_read_blocksize(st + * If MODE_SENSE still returns zero, set the default value to 1024. + */ + sdev->sector_size = (buf[9] << 16) | (buf[10] << 8) | (buf[11]); ++out_free: + if (!sdev->sector_size) + sdev->sector_size = 1024; +-out_free: ++ + kfree(buf); + } + +@@ -317,9 +318,10 @@ static int pscsi_add_device_to_list(stru + sd->lun, sd->queue_depth); + } + +- dev->dev_attrib.hw_block_size = sd->sector_size; ++ dev->dev_attrib.hw_block_size = ++ min_not_zero((int)sd->sector_size, 512); + dev->dev_attrib.hw_max_sectors = +- min_t(int, sd->host->max_sectors, queue_max_hw_sectors(q)); ++ min_not_zero(sd->host->max_sectors, queue_max_hw_sectors(q)); + dev->dev_attrib.hw_queue_depth = sd->queue_depth; + + /* +@@ -342,8 +344,10 @@ static int pscsi_add_device_to_list(stru + /* + * For TYPE_TAPE, attempt to determine blocksize with MODE_SENSE. + */ +- if (sd->type == TYPE_TAPE) ++ if (sd->type == TYPE_TAPE) { + pscsi_tape_read_blocksize(dev, sd); ++ dev->dev_attrib.hw_block_size = sd->sector_size; ++ } + return 0; + } + +@@ -409,7 +413,7 @@ static int pscsi_create_type_disk(struct + /* + * Called with struct Scsi_Host->host_lock called. + */ +-static int pscsi_create_type_rom(struct se_device *dev, struct scsi_device *sd) ++static int pscsi_create_type_nondisk(struct se_device *dev, struct scsi_device *sd) + __releases(sh->host_lock) + { + struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr; +@@ -436,28 +440,6 @@ static int pscsi_create_type_rom(struct + return 0; + } + +-/* +- * Called with struct Scsi_Host->host_lock called. +- */ +-static int pscsi_create_type_other(struct se_device *dev, +- struct scsi_device *sd) +- __releases(sh->host_lock) +-{ +- struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr; +- struct Scsi_Host *sh = sd->host; +- int ret; +- +- spin_unlock_irq(sh->host_lock); +- ret = pscsi_add_device_to_list(dev, sd); +- if (ret) +- return ret; +- +- pr_debug("CORE_PSCSI[%d] - Added Type: %s for %d:%d:%d:%llu\n", +- phv->phv_host_id, scsi_device_type(sd->type), sh->host_no, +- sd->channel, sd->id, sd->lun); +- return 0; +-} +- + static int pscsi_configure_device(struct se_device *dev) + { + struct se_hba *hba = dev->se_hba; +@@ -545,11 +527,8 @@ static int pscsi_configure_device(struct + case TYPE_DISK: + ret = pscsi_create_type_disk(dev, sd); + break; +- case TYPE_ROM: +- ret = pscsi_create_type_rom(dev, sd); +- break; + default: +- ret = pscsi_create_type_other(dev, sd); ++ ret = pscsi_create_type_nondisk(dev, sd); + break; + } + +@@ -606,8 +585,7 @@ static void pscsi_free_device(struct se_ + else if (pdv->pdv_lld_host) + scsi_host_put(pdv->pdv_lld_host); + +- if ((sd->type == TYPE_DISK) || (sd->type == TYPE_ROM)) +- scsi_device_put(sd); ++ scsi_device_put(sd); + + pdv->pdv_sd = NULL; + } +@@ -1133,7 +1111,6 @@ static sector_t pscsi_get_blocks(struct + if (pdv->pdv_bd && pdv->pdv_bd->bd_part) + return pdv->pdv_bd->bd_part->nr_sects; + +- dump_stack(); + return 0; + } + diff --git a/queue-3.18/tty-serial-atmel-fix-race-condition-tx-dma.patch b/queue-3.18/tty-serial-atmel-fix-race-condition-tx-dma.patch new file mode 100644 index 00000000000..a0e5f7cce5c --- /dev/null +++ b/queue-3.18/tty-serial-atmel-fix-race-condition-tx-dma.patch @@ -0,0 +1,37 @@ +From 31ca2c63fdc0aee725cbd4f207c1256f5deaabde Mon Sep 17 00:00:00 2001 +From: Richard Genoud +Date: Mon, 20 Mar 2017 11:52:41 +0100 +Subject: tty/serial: atmel: fix race condition (TX+DMA) + +From: Richard Genoud + +commit 31ca2c63fdc0aee725cbd4f207c1256f5deaabde upstream. + +If uart_flush_buffer() is called between atmel_tx_dma() and +atmel_complete_tx_dma(), the circular buffer has been cleared, but not +atmel_port->tx_len. +That leads to a circular buffer overflow (dumping (UART_XMIT_SIZE - +atmel_port->tx_len) bytes). + +Tested-by: Nicolas Ferre +Signed-off-by: Richard Genoud +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1867,6 +1867,11 @@ static void atmel_flush_buffer(struct ua + UART_PUT_TCR(port, 0); + atmel_port->pdc_tx.ofs = 0; + } ++ /* ++ * in uart_flush_buffer(), the xmit circular buffer has just ++ * been cleared, so we have to reset tx_len accordingly. ++ */ ++ atmel_port->tx_len = 0; + } + + /* diff --git a/queue-3.18/xen-acpi-upload-pm-state-from-init-domain-to-xen.patch b/queue-3.18/xen-acpi-upload-pm-state-from-init-domain-to-xen.patch new file mode 100644 index 00000000000..079b53467be --- /dev/null +++ b/queue-3.18/xen-acpi-upload-pm-state-from-init-domain-to-xen.patch @@ -0,0 +1,102 @@ +From 1914f0cd203c941bba72f9452c8290324f1ef3dc Mon Sep 17 00:00:00 2001 +From: Ankur Arora +Date: Tue, 21 Mar 2017 15:43:38 -0700 +Subject: xen/acpi: upload PM state from init-domain to Xen + +From: Ankur Arora + +commit 1914f0cd203c941bba72f9452c8290324f1ef3dc upstream. + +This was broken in commit cd979883b9ed ("xen/acpi-processor: +fix enabling interrupts on syscore_resume"). do_suspend (from +xen/manage.c) and thus xen_resume_notifier never get called on +the initial-domain at resume (it is if running as guest.) + +The rationale for the breaking change was that upload_pm_data() +potentially does blocking work in syscore_resume(). This patch +addresses the original issue by scheduling upload_pm_data() to +execute in workqueue context. + +Cc: Stanislaw Gruszka +Based-on-patch-by: Konrad Wilk +Reviewed-by: Konrad Rzeszutek Wilk +Reviewed-by: Stanislaw Gruszka +Signed-off-by: Ankur Arora +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-acpi-processor.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -27,10 +27,10 @@ + #include + #include + #include ++#include + #include + #include + #include +-#include + #include + #include + +@@ -466,15 +466,33 @@ static int xen_upload_processor_pm_data( + return rc; + } + +-static int xen_acpi_processor_resume(struct notifier_block *nb, +- unsigned long action, void *data) ++static void xen_acpi_processor_resume_worker(struct work_struct *dummy) + { ++ int rc; ++ + bitmap_zero(acpi_ids_done, nr_acpi_bits); +- return xen_upload_processor_pm_data(); ++ ++ rc = xen_upload_processor_pm_data(); ++ if (rc != 0) ++ pr_info("ACPI data upload failed, error = %d\n", rc); ++} ++ ++static void xen_acpi_processor_resume(void) ++{ ++ static DECLARE_WORK(wq, xen_acpi_processor_resume_worker); ++ ++ /* ++ * xen_upload_processor_pm_data() calls non-atomic code. ++ * However, the context for xen_acpi_processor_resume is syscore ++ * with only the boot CPU online and in an atomic context. ++ * ++ * So defer the upload for some point safer. ++ */ ++ schedule_work(&wq); + } + +-struct notifier_block xen_acpi_processor_resume_nb = { +- .notifier_call = xen_acpi_processor_resume, ++static struct syscore_ops xap_syscore_ops = { ++ .resume = xen_acpi_processor_resume, + }; + + static int __init xen_acpi_processor_init(void) +@@ -527,7 +545,7 @@ static int __init xen_acpi_processor_ini + if (rc) + goto err_unregister; + +- xen_resume_notifier_register(&xen_acpi_processor_resume_nb); ++ register_syscore_ops(&xap_syscore_ops); + + return 0; + err_unregister: +@@ -546,7 +564,7 @@ static void __exit xen_acpi_processor_ex + { + int i; + +- xen_resume_notifier_unregister(&xen_acpi_processor_resume_nb); ++ unregister_syscore_ops(&xap_syscore_ops); + kfree(acpi_ids_done); + kfree(acpi_id_present); + kfree(acpi_id_cst_present);