From: Greg Kroah-Hartman
Date: Fri, 9 Sep 2016 16:07:20 +0000 (+0200)
Subject: 4.7-stable patches
X-Git-Tag: v3.14.79~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82e4b65430478c5ce7d04928bb5a179a0835a2c1;p=thirdparty%2Fkernel%2Fstable-queue.git
4.7-stable patches
added patches:
asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
drm-reject-page_flip-for-driver_modeset.patch
drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
timekeeping-cap-array-access-in-timekeeping_debug.patch
xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
xfs-fix-superblock-inprogress-check.patch
---
diff --git a/queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch b/queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
new file mode 100644
index 00000000000..4495b965951
--- /dev/null
+++ b/queue-4.7/asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
@@ -0,0 +1,38 @@
+From 3e103a65514c2947e53f3171b21255fbde8b60c6 Mon Sep 17 00:00:00 2001
+From: Christoph Huber
+Date: Mon, 15 Aug 2016 18:59:25 +0200
+Subject: ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup
+
+From: Christoph Huber
+
+commit 3e103a65514c2947e53f3171b21255fbde8b60c6 upstream.
+
+commit cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and
+shutdown") refactored code such that the SSC is reset on every
+startup; this breaks duplex audio (e.g. first start audio playback,
+then start record, causing the playback to stop/hang)
+
+Fixes: cbaadf0f90d6 (ASoC: atmel_ssc_dai: refactor the startup and shutdown)
+Signed-off-by: Christoph Huber
+Signed-off-by: Peter Meerwald-Stadler
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/atmel/atmel_ssc_dai.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/atmel/atmel_ssc_dai.c
++++ b/sound/soc/atmel/atmel_ssc_dai.c
+@@ -299,8 +299,9 @@ static int atmel_ssc_startup(struct snd_
+ clk_enable(ssc_p->ssc->clk);
+ ssc_p->mck_rate = clk_get_rate(ssc_p->ssc->clk);
+
+- /* Reset the SSC to keep it at a clean status */
+- ssc_writel(ssc_p->ssc->regs, CR, SSC_BIT(CR_SWRST));
++ /* Reset the SSC unless initialized to keep it in a clean state */
++ if (!ssc_p->initialized)
++ ssc_writel(ssc_p->ssc->regs, CR, SSC_BIT(CR_SWRST));
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ dir = 0;
diff --git a/queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch b/queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
new file mode 100644
index 00000000000..1acd2f9428c
--- /dev/null
+++ b/queue-4.7/drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
@@ -0,0 +1,55 @@
+From add1fa75101263ab4d74240f93000998d4325624 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner
+Date: Sat, 27 Aug 2016 01:02:28 +0200
+Subject: drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates.
+
+From: Mario Kleiner
+
+commit add1fa75101263ab4d74240f93000998d4325624 upstream.
+
+Due to assigning the 'replaced' value instead of or'ing it,
+if drm_atomic_crtc_set_property() gets called multiple times,
+the last call will define the color_mgmt_changed flag, so
+a non-updating call to a property can reset the flag and
+prevent actual hw state updates required by preceding
+property updates.
+
+Signed-off-by: Mario Kleiner
+Cc: Daniel Vetter
+Reviewed-by: Daniel Vetter
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_atomic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -465,7 +465,7 @@ int drm_atomic_crtc_set_property(struct
+ val,
+ -1,
+ &replaced);
+- state->color_mgmt_changed = replaced;
++ state->color_mgmt_changed |= replaced;
+ return ret;
+ } else if (property == config->ctm_property) {
+ ret = drm_atomic_replace_property_blob_from_id(crtc,
+@@ -473,7 +473,7 @@ int drm_atomic_crtc_set_property(struct
+ val,
+ sizeof(struct drm_color_ctm),
+ &replaced);
+- state->color_mgmt_changed = replaced;
++ state->color_mgmt_changed |= replaced;
+ return ret;
+ } else if (property == config->gamma_lut_property) {
+ ret = drm_atomic_replace_property_blob_from_id(crtc,
+@@ -481,7 +481,7 @@ int drm_atomic_crtc_set_property(struct
+ val,
+ -1,
+ &replaced);
+- state->color_mgmt_changed = replaced;
++ state->color_mgmt_changed |= replaced;
+ return ret;
+ } else if (crtc->funcs->atomic_set_property)
+ return crtc->funcs->atomic_set_property(crtc, state, property, val);
diff --git a/queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch b/queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
new file mode 100644
index 00000000000..ddbec5df314
--- /dev/null
+++ b/queue-4.7/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
@@ -0,0 +1,79 @@
+From 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Mon, 22 Aug 2016 15:15:23 -0400
+Subject: drm/msm: fix use of copy_from_user() while holding spinlock
+
+From: Rob Clark
+
+commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream.
+
+Use instead __copy_from_user_inatomic() and fallback to slow-path where
+we drop and re-aquire the lock in case of fault.
+
+Reported-by: Vaishali Thakkar
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -62,6 +62,14 @@ void msm_gem_submit_free(struct msm_gem_
+ kfree(submit);
+ }
+
++static inline unsigned long __must_check
++copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
++{
++ if (access_ok(VERIFY_READ, from, n))
++ return __copy_from_user_inatomic(to, from, n);
++ return -EFAULT;
++}
++
+ static int submit_lookup_objects(struct msm_gem_submit *submit,
+ struct drm_msm_gem_submit *args, struct drm_file *file)
+ {
+@@ -69,6 +77,7 @@ static int submit_lookup_objects(struct
+ int ret = 0;
+
+ spin_lock(&file->table_lock);
++ pagefault_disable();
+
+ for (i = 0; i < args->nr_bos; i++) {
+ struct drm_msm_gem_submit_bo submit_bo;
+@@ -82,10 +91,15 @@ static int submit_lookup_objects(struct
+ */
+ submit->bos[i].flags = 0;
+
+- ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
+- if (ret) {
+- ret = -EFAULT;
+- goto out_unlock;
++ ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo));
++ if (unlikely(ret)) {
++ pagefault_enable();
++ spin_unlock(&file->table_lock);
++ ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
++ if (ret)
++ goto out;
++ spin_lock(&file->table_lock);
++ pagefault_disable();
+ }
+
+ if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
+@@ -125,9 +139,12 @@
static int submit_lookup_objects(struct
+ }
+
+ out_unlock:
+- submit->nr_bos = i;
++ pagefault_enable();
+ spin_unlock(&file->table_lock);
+
++out:
++ submit->nr_bos = i;
++
+ return ret;
+ }
+
diff --git a/queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch b/queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
new file mode 100644
index 00000000000..8be29b9f555
--- /dev/null
+++ b/queue-4.7/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
@@ -0,0 +1,36 @@
+From 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Wed, 17 Aug 2016 09:46:42 +0200
+Subject: drm/radeon: fix radeon_move_blit on 32bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.
+
+This bug seems to be present for a very long time.
+
+Signed-off-by: Christian König
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_ttm.c
++++ b/drivers/gpu/drm/radeon/radeon_ttm.c
+@@ -263,8 +263,8 @@ static int radeon_move_blit(struct ttm_b
+
+ rdev = radeon_get_rdev(bo->bdev);
+ ridx = radeon_copy_ring_index(rdev);
+- old_start = old_mem->start << PAGE_SHIFT;
+- new_start = new_mem->start << PAGE_SHIFT;
++ old_start = (u64)old_mem->start << PAGE_SHIFT;
++ new_start = (u64)new_mem->start << PAGE_SHIFT;
+
+ switch (old_mem->mem_type) {
+ case TTM_PL_VRAM:
diff --git a/queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch b/queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
new file mode 100644
index 00000000000..985570c360d
--- /dev/null
+++ b/queue-4.7/drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
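Review bot: In the drm/msm patch, the slow path of submit_lookup_objects() does `ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));` followed by `if (ret) goto out;`, so on a fault the function returns the number of bytes left uncopied instead of an error code; the `ret = -EFAULT;` from the removed lines was not carried over. The slow path should keep the old convention, `if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { ret = -EFAULT; goto out; }`. Separately, the new copy_from_user_inatomic() helper is declared `unsigned long` but returns `-EFAULT` when access_ok() fails; the caller only tests for non-zero so it works, yet `return n;` would match the "bytes not copied" contract of the function it wraps. The rest of submit_lookup_objects() lies outside the hunks shown.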
@@ -0,0 +1,39 @@
+From ae5b80d2b68eac945b124227dea34462118a6f01 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Thu, 18 Aug 2016 11:51:14 +0200
+Subject: drm/radeon: only apply the SS fractional workaround to RS[78]80
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit ae5b80d2b68eac945b124227dea34462118a6f01 upstream.
+
+Looks like some RV6xx have problems with that.
+
+bug:
+https://bugs.freedesktop.org/show_bug.cgi?id=97099
+
+Reviewed-by: Alex Deucher
+Signed-off-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/atombios_crtc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -627,7 +627,9 @@ static u32 atombios_adjust_pll(struct dr
+ if (radeon_crtc->ss.refdiv) {
+ radeon_crtc->pll_flags |= RADEON_PLL_USE_REF_DIV;
+ radeon_crtc->pll_reference_div = radeon_crtc->ss.refdiv;
+- if (rdev->family >= CHIP_RV770)
++ if (ASIC_IS_AVIVO(rdev) &&
++ rdev->family != CHIP_RS780 &&
++ rdev->family != CHIP_RS880)
+ radeon_crtc->pll_flags |= RADEON_PLL_USE_FRAC_FB_DIV;
+ }
+ }
diff --git a/queue-4.7/drm-reject-page_flip-for-driver_modeset.patch b/queue-4.7/drm-reject-page_flip-for-driver_modeset.patch
new file mode 100644
index 00000000000..985fda1e1c5
--- /dev/null
+++ b/queue-4.7/drm-reject-page_flip-for-driver_modeset.patch
@@ -0,0 +1,37 @@
+From 6f00975c619064a18c23fd3aced325ae165a73b9 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Sat, 20 Aug 2016 12:22:11 +0200
+Subject: drm: Reject page_flip for !DRIVER_MODESET
+
+From: Daniel Vetter
+
+commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.
+
+Somehow this one slipped through, which means drivers without modeset
+support can be oopsed (since those also don't call
+drm_mode_config_init, which means the crtc lookup will chase an
+uninitalized idr).
+
+Reported-by: Alexander Potapenko
+Cc: Alexander Potapenko
+Signed-off-by: Daniel Vetter
+Reviewed-by: Chris Wilson
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_crtc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -5312,6 +5312,9 @@ int drm_mode_page_flip_ioctl(struct drm_
+ struct drm_pending_vblank_event *e = NULL;
+ int ret = -EINVAL;
+
++ if (!drm_core_check_feature(dev, DRIVER_MODESET))
++ return -EINVAL;
++
+ if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
+ page_flip->reserved != 0)
+ return -EINVAL;
diff --git a/queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch b/queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
new file mode 100644
index 00000000000..42b6aa3044a
--- /dev/null
+++ b/queue-4.7/drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
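Review bot: The new `drm_core_check_feature(dev, DRIVER_MODESET)` guard at the top of drm_mode_page_flip_ioctl() has no comment, and the reason it must run before anything else in the ioctl is recorded only in the commit message. A short comment such as `/* Non-modeset drivers never call drm_mode_config_init(), so the crtc lookup below would walk an uninitialised idr. */` would stop a later reordering from reintroducing the userspace-triggerable oops. The body of the ioctl continues outside the hunk, so whether other mode-setting ioctls carry the same guard cannot be told from here.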
@@ -0,0 +1,31 @@
+From 552416c146fadc67cd9b53ef7adf88d3381c43a6 Mon Sep 17 00:00:00 2001
+From: Eric Anholt
+Date: Tue, 26 Jul 2016 13:47:15 -0700
+Subject: drm/vc4: Fix oops when userspace hands in a bad BO.
+
+From: Eric Anholt
+
+commit 552416c146fadc67cd9b53ef7adf88d3381c43a6 upstream.
+
+We'd end up NULL pointer dereferencing because we didn't take the
+error path out in the parent. Fixes igt vc4_lookup_fail test.
+
+Signed-off-by: Eric Anholt
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -575,7 +575,7 @@ vc4_cl_lookup_bos(struct drm_device *dev
+
+ fail:
+ drm_free_large(handles);
+- return 0;
++ return ret;
+ }
+
+ static int
diff --git a/queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch b/queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
new file mode 100644
index 00000000000..df237f629a3
--- /dev/null
+++ b/queue-4.7/drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
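Review bot: With `return ret;` the `fail:` label in vc4_cl_lookup_bos() becomes the shared exit for success and failure, so the function now returns whatever `ret` holds when the lookup loop finishes normally. The start of the function is outside the hunk; confirm that `ret` is initialised to 0 and is not left non-zero by an earlier successful step, otherwise a good submission would be rejected. Renaming the label to `out:` would also stop it from suggesting an error-only path.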
@@ -0,0 +1,61 @@
+From 9326e6f25574bbb8bd48206d245654780e3fd665 Mon Sep 17 00:00:00 2001
+From: Eric Anholt
+Date: Tue, 26 Jul 2016 13:47:14 -0700
+Subject: drm/vc4: Fix overflow mem unreferencing when the binner runs dry.
+
+From: Eric Anholt
+
+commit 9326e6f25574bbb8bd48206d245654780e3fd665 upstream.
+
+Overflow memory handling is tricky: While it's still referenced by the
+BPO registers, we want to keep it from being freed. When we are
+putting a new set of overflow memory in the registers, we need to
+assign the old one to the last rendering job using it.
+
+We were looking at "what's currently running in the binner", but since
+the bin/render submission split, we may end up with the binner
+completing and having no new job while the renderer is still
+processing. So, if we don't find a bin job at all, look at the
+highest-seqno (last) render job to attach our overflow to.
+
+Signed-off-by: Eric Anholt
+Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vc4/vc4_drv.h | 9 +++++++++
+ drivers/gpu/drm/vc4/vc4_irq.c | 4 +++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -321,6 +321,15 @@ vc4_first_render_job(struct vc4_dev *vc4
+ struct vc4_exec_info, head);
+ }
+
++static inline struct vc4_exec_info *
++vc4_last_render_job(struct vc4_dev *vc4)
++{
++ if (list_empty(&vc4->render_job_list))
++ return NULL;
++ return list_last_entry(&vc4->render_job_list,
++ struct vc4_exec_info, head);
++}
++
+ /**
+ * struct vc4_texture_sample_info - saves the offsets into the UBO for texture
+ * setup parameters.
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -83,8 +83,10 @@ vc4_overflow_mem_work(struct work_struct
+
+ spin_lock_irqsave(&vc4->job_lock, irqflags);
+ current_exec = vc4_first_bin_job(vc4);
++ if (!current_exec)
++ current_exec = vc4_last_render_job(vc4);
+ if (current_exec) {
+- vc4->overflow_mem->seqno = vc4->finished_seqno + 1;
++ vc4->overflow_mem->seqno = current_exec->seqno;
+ list_add_tail(&vc4->overflow_mem->unref_head,
+ ¤t_exec->unref_list);
+ vc4->overflow_mem = NULL;
diff --git a/queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch b/queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
new file mode 100644
index 00000000000..4033306959e
--- /dev/null
+++ b/queue-4.7/drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
@@ -0,0 +1,31 @@
+From d5fb46e0e3b7e49ee83ba92efc3ab4e1a545ecc1 Mon Sep 17 00:00:00 2001
+From: Eric Anholt
+Date: Tue, 26 Jul 2016 13:47:10 -0700
+Subject: drm/vc4: Use drm_free_large() on handles to match its allocation.
+
+From: Eric Anholt
+
+commit d5fb46e0e3b7e49ee83ba92efc3ab4e1a545ecc1 upstream.
+
+If you managed to exceed the limit to switch to vmalloc, we'd use the
+wrong free.
+
+Signed-off-by: Eric Anholt
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vc4/vc4_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_gem.c
++++ b/drivers/gpu/drm/vc4/vc4_gem.c
+@@ -574,7 +574,7 @@ vc4_cl_lookup_bos(struct drm_device *dev
+ spin_unlock(&file_priv->table_lock);
+
+ fail:
+- kfree(handles);
++ drm_free_large(handles);
+ return 0;
+ }
+
diff --git a/queue-4.7/series b/queue-4.7/series
index c44cffba8a0..b9fab80b7e1 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
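Review bot: In the overflow-mem patch, the new vc4_last_render_job() helper reads `vc4->render_job_list` with no locking of its own and does not say what the caller must hold. The only caller visible here, vc4_overflow_mem_work(), invokes it between `spin_lock_irqsave(&vc4->job_lock, irqflags)` and the matching unlock, so the list is presumably protected by `job_lock`. State that on the helper, e.g. `/* Caller must hold vc4->job_lock. */`, so a future caller does not walk the list while it is being modified; vc4_first_render_job() is only partly visible, so whether it documents the same rule cannot be checked from this hunk.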
@@ -15,3 +15,16 @@ block-fix-race-triggered-by-blk_set_queue_dying.patch
 block-make-sure-a-big-bio-is-split-into-at-most-256-bvecs.patch
 cgroup-reduce-read-locked-section-of-cgroup_threadgroup_rwsem-during-fork.patch
 cdc-acm-added-sanity-checking-for-probe.patch
+drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
+drm-radeon-only-apply-the-ss-fractional-workaround-to-rs80.patch
+drm-atomic-don-t-potentially-reset-color_mgmt_changed-on-successive-property-updates.patch
+drm-reject-page_flip-for-driver_modeset.patch
+drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
+drm-vc4-use-drm_free_large-on-handles-to-match-its-allocation.patch
+drm-vc4-fix-overflow-mem-unreferencing-when-the-binner-runs-dry.patch
+drm-vc4-fix-oops-when-userspace-hands-in-a-bad-bo.patch
+asoc-atmel_ssc_dai-don-t-unconditionally-reset-ssc-on-stream-startup.patch
+xfs-fix-superblock-inprogress-check.patch
+timekeeping-cap-array-access-in-timekeeping_debug.patch
+timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
+xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
diff --git a/queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch b/queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
new file mode 100644
index 00000000000..8bade409d04
--- /dev/null
+++ b/queue-4.7/timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
@@ -0,0 +1,45 @@
+From 27727df240c7cc84f2ba6047c6f18d5addfd25ef Mon Sep 17 00:00:00 2001
+From: John Stultz
+Date: Tue, 23 Aug 2016 16:08:21 -0700
+Subject: timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING
+
+From: John Stultz
+
+commit 27727df240c7cc84f2ba6047c6f18d5addfd25ef upstream.
+
+When I added some extra sanity checking in timekeeping_get_ns() under
+CONFIG_DEBUG_TIMEKEEPING, I missed that the NMI safe __ktime_get_fast_ns()
+method was using timekeeping_get_ns().
+
+Thus the locking added to the debug checks broke the NMI-safety of
+__ktime_get_fast_ns().
+
+This patch open-codes the timekeeping_get_ns() logic for
+__ktime_get_fast_ns(), so can avoid any deadlocks in NMI.
+
+Fixes: 4ca22c2648f9 "timekeeping: Add warnings when overflows or underflows are observed"
+Reported-by: Steven Rostedt
+Reported-by: Peter Zijlstra
+Signed-off-by: John Stultz
+Link: http://lkml.kernel.org/r/1471993702-29148-2-git-send-email-john.stultz@linaro.org
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/timekeeping.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -401,7 +401,10 @@ static __always_inline u64 __ktime_get_f
+ do {
+ seq = raw_read_seqcount_latch(&tkf->seq);
+ tkr = tkf->base + (seq & 0x01);
+- now = ktime_to_ns(tkr->base) + timekeeping_get_ns(tkr);
++ now = ktime_to_ns(tkr->base);
++
++ now += clocksource_delta(tkr->read(tkr->clock),
++ tkr->cycle_last, tkr->mask);
+ } while (read_seqcount_retry(&tkf->seq, seq));
+
+ return now;
diff --git a/queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch b/queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch
new file mode 100644
index 00000000000..9faefd8523e
--- /dev/null
+++ b/queue-4.7/timekeeping-cap-array-access-in-timekeeping_debug.patch
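Review bot: In __ktime_get_fast_ns() the open-coded replacement adds the result of `clocksource_delta(tkr->read(tkr->clock), tkr->cycle_last, tkr->mask)` straight to `now`, which holds nanoseconds from `ktime_to_ns(tkr->base)`; the delta looks like a raw cycle count, so the sum mixes units. The removed timekeeping_get_ns() is not visible here, but it presumably scaled the delta to nanoseconds using the read base's multiplier and shift, so confirm against it before taking this into a stable tree. If so, the conversion has to be open-coded as well, along the lines of `now += (delta * tkr->mult + tkr->xtime_nsec) >> tkr->shift;` with `delta` being the clocksource_delta() result, still without the lock taken by the debug checks. The function body starts and ends outside the hunk.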
@@ -0,0 +1,83 @@
+From a4f8f6667f099036c88f231dcad4cf233652c824 Mon Sep 17 00:00:00 2001
+From: John Stultz
+Date: Tue, 23 Aug 2016 16:08:22 -0700
+Subject: timekeeping: Cap array access in timekeeping_debug
+
+From: John Stultz
+
+commit a4f8f6667f099036c88f231dcad4cf233652c824 upstream.
+
+It was reported that hibernation could fail on the 2nd attempt, where the
+system hangs at hibernate() -> syscore_resume() -> i8237A_resume() ->
+claim_dma_lock(), because the lock has already been taken.
+
+However there is actually no other process would like to grab this lock on
+that problematic platform.
+
+Further investigation showed that the problem is triggered by setting
+/sys/power/pm_trace to 1 before the 1st hibernation.
+
+Since once pm_trace is enabled, the rtc becomes unmeaningful after suspend,
+and meanwhile some BIOSes would like to adjust the 'invalid' RTC (e.g, smaller
+than 1970) to the release date of that motherboard during POST stage, thus
+after resumed, it may seem that the system had a significant long sleep time
+which is a completely meaningless value.
+
+Then in timekeeping_resume -> tk_debug_account_sleep_time, if the bit31 of the
+sleep time happened to be set to 1, fls() returns 32 and we add 1 to
+sleep_time_bin[32], which causes an out of bounds array access and therefor
+memory being overwritten.
+
+As depicted by System.map:
+0xffffffff81c9d080 b sleep_time_bin
+0xffffffff81c9d100 B dma_spin_lock
+the dma_spin_lock.val is set to 1, which caused this problem.
+
+This patch adds a sanity check in tk_debug_account_sleep_time()
+to ensure we don't index past the sleep_time_bin array.
+
+[jstultz: Problem diagnosed and original patch by Chen Yu, I've solved the
+ issue slightly differently, but borrowed his excelent explanation of the
+ issue here.]
+
+Fixes: 5c83545f24ab "power: Add option to log time spent in suspend"
+Reported-by: Janek Kozicki
+Reported-by: Chen Yu
+Signed-off-by: John Stultz
+Cc: linux-pm@vger.kernel.org
+Cc: Peter Zijlstra
+Cc: Xunlei Pang
+Cc: "Rafael J. Wysocki"
+Cc: Zhang Rui
+Link: http://lkml.kernel.org/r/1471993702-29148-3-git-send-email-john.stultz@linaro.org
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/timekeeping_debug.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timekeeping_debug.c
++++ b/kernel/time/timekeeping_debug.c
+@@ -23,7 +23,9 @@
+
+ #include "timekeeping_internal.h"
+
+-static unsigned int sleep_time_bin[32] = {0};
++#define NUM_BINS 32
++
++static unsigned int sleep_time_bin[NUM_BINS] = {0};
+
+ static int tk_debug_show_sleep_time(struct seq_file *s, void *data)
+ {
+@@ -69,6 +71,9 @@ late_initcall(tk_debug_sleep_time_init);
+
+ void tk_debug_account_sleep_time(struct timespec64 *t)
+ {
+- sleep_time_bin[fls(t->tv_sec)]++;
++ /* Cap bin index so we don't overflow the array */
++ int bin = min(fls(t->tv_sec), NUM_BINS-1);
++
++ sleep_time_bin[bin]++;
+ }
+
diff --git a/queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch b/queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
new file mode 100644
index 00000000000..5fb5491992d
--- /dev/null
+++ b/queue-4.7/xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
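Review bot: The cap in tk_debug_account_sleep_time() stops the out-of-bounds write, but `fls()` works on a 32-bit value while `t->tv_sec` in a `struct timespec64` is presumably 64-bit, so a bogus sleep time whose only set bits are above bit 31 is truncated and counted in bin 0 rather than in the top bin. If the histogram should stay meaningful for such values, use the 64-bit variant, `int bin = min(fls64(t->tv_sec), NUM_BINS-1);`. A negative `tv_sec` also ends up in the last bin after the cap, so the comment could say that bin `NUM_BINS-1` is a catch-all for out-of-range sleep times. tk_debug_show_sleep_time(), which prints the bins, is outside the hunk and should be checked for an upper bound tied to `NUM_BINS` rather than a literal 32.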
@@ -0,0 +1,37 @@
+From 9a035a40f7f3f6708b79224b86c5777a3334f7ea Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Mon, 15 Aug 2016 09:02:38 -0600
+Subject: xenbus: don't look up transaction IDs for ordinary writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Beulich
+
+commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream.
+
+This should really only be done for XS_TRANSACTION_END messages, or
+else at least some of the xenstore-* tools don't work anymore.
+
+Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition")
+Reported-by: Richard Schütz
+Signed-off-by: Jan Beulich
+Tested-by: Richard Schütz
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
+ rc = -ENOMEM;
+ goto out;
+ }
+- } else {
++ } else if (msg_type == XS_TRANSACTION_END) {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
diff --git a/queue-4.7/xfs-fix-superblock-inprogress-check.patch b/queue-4.7/xfs-fix-superblock-inprogress-check.patch
new file mode 100644
index 00000000000..f40f8821d03
--- /dev/null
+++ b/queue-4.7/xfs-fix-superblock-inprogress-check.patch
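Review bot: With the lookup narrowed to `else if (msg_type == XS_TRANSACTION_END)`, `trans` keeps whatever value it had before the branch for every message type that is neither handled by the first branch nor a transaction end. The remainder of xenbus_write_transaction() is outside the hunk, so confirm that the not-found check after the loop and any later use or release of `trans` are reached only for the message types that actually set it; the user supplies both the message type and `tx_id`, so a stale or uninitialised `trans` on that path would be user-controlled. A comment on the new branch, such as `/* Only transaction end needs the handle; other writes pass tx_id through. */`, would record why ordinary writes skip the lookup.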
@@ -0,0 +1,42 @@
+From f3d7ebdeb2c297bd26272384e955033493ca291c Mon Sep 17 00:00:00 2001
+From: Dave Chinner
+Date: Fri, 26 Aug 2016 16:01:30 +1000
+Subject: xfs: fix superblock inprogress check
+
+From: Dave Chinner
+
+commit f3d7ebdeb2c297bd26272384e955033493ca291c upstream.
+
+From inspection, the superblock sb_inprogress check is done in the
+verifier and triggered only for the primary superblock via a
+"bp->b_bn == XFS_SB_DADDR" check.
+
+Unfortunately, the primary superblock is an uncached buffer, and
+hence it is configured by xfs_buf_read_uncached() with:
+
+ bp->b_bn = XFS_BUF_DADDR_NULL; /* always null for uncached buffers */
+
+And so this check never triggers. Fix it.
+
+Signed-off-by: Dave Chinner
+Reviewed-by: Brian Foster
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Dave Chinner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/libxfs/xfs_sb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_sb.c
++++ b/fs/xfs/libxfs/xfs_sb.c
+@@ -581,7 +581,8 @@ xfs_sb_verify(
+ * Only check the in progress field for the primary superblock as
+ * mkfs.xfs doesn't clear it from secondary superblocks.
+ */
+- return xfs_mount_validate_sb(mp, &sb, bp->b_bn == XFS_SB_DADDR,
++ return xfs_mount_validate_sb(mp, &sb,
++ bp->b_maps[0].bm_bn == XFS_SB_DADDR,
+ check_version);
+ }
+
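Review bot: The comment above the call in xfs_sb_verify() still explains only why the in-progress check is limited to the primary superblock, not why the address is taken from `bp->b_maps[0].bm_bn` instead of `bp->b_bn`. Without that, the comparison is an obvious candidate for being "simplified" back, which would silently disable the check again. Extend the comment with a sentence such as `Uncached buffers have b_bn set to XFS_BUF_DADDR_NULL, so compare the first map's block number instead.` The start of the function and of the comment block is outside the hunk.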