From: Greg Kroah-Hartman Date: Thu, 18 Aug 2016 13:14:16 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v3.14.77~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84bd710731c235c8ecb4806d58ed19b3022f6003;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: acpi-ec-work-around-method-reentrancy-limit-in-acpica-for-_qxx.patch input-elan_i2c-properly-wake-up-touchpad-on-asus-laptops.patch input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch lpfc-fix-oops-in-lpfc_sli4_scmd_to_wqidx_distr-from-lpfc_send_taskmgmt.patch mips-don-t-register-r4k-sched-clock-when-cpufreq-enabled.patch mips-fix-r4k-clockevents-registration.patch mips-hpet-increase-hpet_min_prog_delta-and-decrease-hpet_min_cycles.patch mips-mm-fix-definition-of-r6-cache-instruction.patch of-fix-memory-leak-related-to-safe_name.patch pci-mark-atheros-ar9485-and-qca9882-to-avoid-bus-reset.patch sunrpc-don-t-allocate-a-full-sockaddr_storage-for-tracing.patch target-fix-max_unmap_lba_count-calc-overflow.patch target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch target-fix-ordered-task-check_condition-early-exception-handling.patch target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch ubi-fix-early-logging.patch ubi-fix-race-condition-between-ubi-device-creation-and-udev.patch ubi-make-volume-resize-power-cut-aware.patch um-fix-possible-deadlock-in-sig_handler_common.patch x86-platform-intel_mid_pci-rework-irq0-workaround.patch --- diff --git a/queue-4.7/acpi-ec-work-around-method-reentrancy-limit-in-acpica-for-_qxx.patch b/queue-4.7/acpi-ec-work-around-method-reentrancy-limit-in-acpica-for-_qxx.patch new file mode 100644 index 00000000000..c074f116109 --- /dev/null +++ b/queue-4.7/acpi-ec-work-around-method-reentrancy-limit-in-acpica-for-_qxx.patch @@ -0,0 +1,128 @@ +From e1191bd4f62d9086a1a47adc286e7fcffc1fa55c Mon Sep 17 00:00:00 2001 +From: Lv Zheng +Date: Wed, 3 Aug 2016 09:00:14 +0800 +Subject: ACPI / EC: Work around method reentrancy limit in ACPICA for _Qxx + +From: Lv Zheng + +commit e1191bd4f62d9086a1a47adc286e7fcffc1fa55c upstream. + +A regression is caused by the following commit: + + Commit: 02b771b64b73226052d6e731a0987db3b47281e9 + Subject: ACPI / EC: Fix an issue caused by the serialized _Qxx evaluations + +In this commit, using system workqueue causes that the maximum parallel +executions of _Qxx can exceed 255. This violates the method reentrancy +limit in ACPICA and generates the following error log: + + ACPI Error: Method reached maximum reentrancy limit (255) (20150818/dsmethod-341) + +This patch creates a seperate workqueue and limits the number of parallel +_Qxx evaluations down to a configurable value (can be tuned against number +of online CPUs). + +Since EC events are handled after driver probe, we can create the workqueue +in acpi_ec_init(). + +Fixes: 02b771b64b73 (ACPI / EC: Fix an issue caused by the serialized _Qxx evaluations) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=135691 +Reported-and-tested-by: Helen Buus +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 41 +++++++++++++++++++++++++++++++++++++---- + 1 file changed, 37 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -101,6 +101,7 @@ enum ec_command { + #define ACPI_EC_UDELAY_POLL 550 /* Wait 1ms for EC transaction polling */ + #define ACPI_EC_CLEAR_MAX 100 /* Maximum number of events to query + * when trying to clear the EC */ ++#define ACPI_EC_MAX_QUERIES 16 /* Maximum number of parallel queries */ + + enum { + EC_FLAGS_QUERY_PENDING, /* Query is pending */ +@@ -121,6 +122,10 @@ static unsigned int ec_delay __read_most + module_param(ec_delay, uint, 0644); + MODULE_PARM_DESC(ec_delay, "Timeout(ms) waited until an EC command completes"); + ++static unsigned int ec_max_queries __read_mostly = ACPI_EC_MAX_QUERIES; ++module_param(ec_max_queries, uint, 0644); ++MODULE_PARM_DESC(ec_max_queries, "Maximum parallel _Qxx evaluations"); ++ + static bool ec_busy_polling __read_mostly; + module_param(ec_busy_polling, bool, 0644); + MODULE_PARM_DESC(ec_busy_polling, "Use busy polling to advance EC transaction"); +@@ -174,6 +179,7 @@ static void acpi_ec_event_processor(stru + + struct acpi_ec *boot_ec, *first_ec; + EXPORT_SYMBOL(first_ec); ++static struct workqueue_struct *ec_query_wq; + + static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */ + static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */ +@@ -1098,7 +1104,7 @@ static int acpi_ec_query(struct acpi_ec + * work queue execution. + */ + ec_dbg_evt("Query(0x%02x) scheduled", value); +- if (!schedule_work(&q->work)) { ++ if (!queue_work(ec_query_wq, &q->work)) { + ec_dbg_evt("Query(0x%02x) overlapped", value); + result = -EBUSY; + } +@@ -1660,15 +1666,41 @@ static struct acpi_driver acpi_ec_driver + }, + }; + ++static inline int acpi_ec_query_init(void) ++{ ++ if (!ec_query_wq) { ++ ec_query_wq = alloc_workqueue("kec_query", 0, ++ ec_max_queries); ++ if (!ec_query_wq) ++ return -ENODEV; ++ } ++ return 0; ++} ++ ++static inline void acpi_ec_query_exit(void) ++{ ++ if (ec_query_wq) { ++ destroy_workqueue(ec_query_wq); ++ ec_query_wq = NULL; ++ } ++} ++ + int __init acpi_ec_init(void) + { +- int result = 0; ++ int result; + ++ /* register workqueue for _Qxx evaluations */ ++ result = acpi_ec_query_init(); ++ if (result) ++ goto err_exit; + /* Now register the driver for the EC */ + result = acpi_bus_register_driver(&acpi_ec_driver); +- if (result < 0) +- return -ENODEV; ++ if (result) ++ goto err_exit; + ++err_exit: ++ if (result) ++ acpi_ec_query_exit(); + return result; + } + +@@ -1678,5 +1710,6 @@ static void __exit acpi_ec_exit(void) + { + + acpi_bus_unregister_driver(&acpi_ec_driver); ++ acpi_ec_query_exit(); + } + #endif /* 0 */ diff --git a/queue-4.7/input-elan_i2c-properly-wake-up-touchpad-on-asus-laptops.patch b/queue-4.7/input-elan_i2c-properly-wake-up-touchpad-on-asus-laptops.patch new file mode 100644 index 00000000000..c65d992a836 --- /dev/null +++ b/queue-4.7/input-elan_i2c-properly-wake-up-touchpad-on-asus-laptops.patch @@ -0,0 +1,163 @@ +From 2de4fcc64685def3e586856a2dc636df44532395 Mon Sep 17 00:00:00 2001 +From: KT Liao +Date: Wed, 13 Jul 2016 11:12:12 -0700 +Subject: Input: elan_i2c - properly wake up touchpad on ASUS laptops + +From: KT Liao + +commit 2de4fcc64685def3e586856a2dc636df44532395 upstream. + +Some ASUS laptops were shipped with touchpads that require to be woken up +first, before trying to switch them into absolute reporting mode, otherwise +touchpad would fail to work while flooding the logs with: + + elan_i2c i2c-ELAN1000:00: invalid report id data (1) + +Among affected devices are Asus E202SA, N552VW, X456UF, UX305CA, and +others. We detect such devices by checking the IC type and product ID +numbers and adjusting order of operations accordingly. + +Signed-off-by: KT Liao +Reported-by: Chris Chiu +Reported-by: Vlad Glagolev +Tested-by: Vlad Glagolev +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 79 ++++++++++++++++++++++++++++-------- + 1 file changed, 63 insertions(+), 16 deletions(-) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -4,7 +4,8 @@ + * Copyright (c) 2013 ELAN Microelectronics Corp. + * + * Author: 林政維 (Duson Lin) +- * Version: 1.6.0 ++ * Author: KT Liao ++ * Version: 1.6.2 + * + * Based on cyapa driver: + * copyright (c) 2011-2012 Cypress Semiconductor, Inc. +@@ -40,7 +41,7 @@ + #include "elan_i2c.h" + + #define DRIVER_NAME "elan_i2c" +-#define ELAN_DRIVER_VERSION "1.6.1" ++#define ELAN_DRIVER_VERSION "1.6.2" + #define ELAN_VENDOR_ID 0x04f3 + #define ETP_MAX_PRESSURE 255 + #define ETP_FWIDTH_REDUCE 90 +@@ -199,9 +200,41 @@ static int elan_sleep(struct elan_tp_dat + return error; + } + ++static int elan_query_product(struct elan_tp_data *data) ++{ ++ int error; ++ ++ error = data->ops->get_product_id(data->client, &data->product_id); ++ if (error) ++ return error; ++ ++ error = data->ops->get_sm_version(data->client, &data->ic_type, ++ &data->sm_version); ++ if (error) ++ return error; ++ ++ return 0; ++} ++ ++static int elan_check_ASUS_special_fw(struct elan_tp_data *data) ++{ ++ if (data->ic_type != 0x0E) ++ return false; ++ ++ switch (data->product_id) { ++ case 0x05 ... 0x07: ++ case 0x09: ++ case 0x13: ++ return true; ++ default: ++ return false; ++ } ++} ++ + static int __elan_initialize(struct elan_tp_data *data) + { + struct i2c_client *client = data->client; ++ bool woken_up = false; + int error; + + error = data->ops->initialize(client); +@@ -210,6 +243,27 @@ static int __elan_initialize(struct elan + return error; + } + ++ error = elan_query_product(data); ++ if (error) ++ return error; ++ ++ /* ++ * Some ASUS devices were shipped with firmware that requires ++ * touchpads to be woken up first, before attempting to switch ++ * them into absolute reporting mode. ++ */ ++ if (elan_check_ASUS_special_fw(data)) { ++ error = data->ops->sleep_control(client, false); ++ if (error) { ++ dev_err(&client->dev, ++ "failed to wake device up: %d\n", error); ++ return error; ++ } ++ ++ msleep(200); ++ woken_up = true; ++ } ++ + data->mode |= ETP_ENABLE_ABS; + error = data->ops->set_mode(client, data->mode); + if (error) { +@@ -218,11 +272,13 @@ static int __elan_initialize(struct elan + return error; + } + +- error = data->ops->sleep_control(client, false); +- if (error) { +- dev_err(&client->dev, +- "failed to wake device up: %d\n", error); +- return error; ++ if (!woken_up) { ++ error = data->ops->sleep_control(client, false); ++ if (error) { ++ dev_err(&client->dev, ++ "failed to wake device up: %d\n", error); ++ return error; ++ } + } + + return 0; +@@ -248,10 +304,6 @@ static int elan_query_device_info(struct + { + int error; + +- error = data->ops->get_product_id(data->client, &data->product_id); +- if (error) +- return error; +- + error = data->ops->get_version(data->client, false, &data->fw_version); + if (error) + return error; +@@ -261,11 +313,6 @@ static int elan_query_device_info(struct + if (error) + return error; + +- error = data->ops->get_sm_version(data->client, &data->ic_type, +- &data->sm_version); +- if (error) +- return error; +- + error = data->ops->get_version(data->client, true, &data->iap_version); + if (error) + return error; diff --git a/queue-4.7/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch b/queue-4.7/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch new file mode 100644 index 00000000000..6e3215b5aef --- /dev/null +++ b/queue-4.7/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch @@ -0,0 +1,168 @@ +From 4097461897df91041382ff6fcd2bfa7ee6b2448c Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 25 Jul 2016 11:36:54 -0700 +Subject: Input: i8042 - break load dependency between atkbd/psmouse and i8042 + +From: Dmitry Torokhov + +commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream. + +As explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we +have a hard load dependency between i8042 and atkbd which prevents +keyboard from working on Gen2 Hyper-V VMs. + +> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio +> driver like atkbd.c. atkbd.c depends on libps2.c because it invokes +> ps2_command(). libps2.c depends on i8042.c because it invokes +> i8042_check_port_owner(). As a result, hyperv_keyboard actually +> depends on i8042.c. +> +> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a +> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m +> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to +> no i8042 device emulated) and finally hyperv_keyboard can't work and +> the user can't input: https://bugs.archlinux.org/task/39820 +> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y) + +To break the dependency we move away from using i8042_check_port_owner() +and instead allow serio port owner specify a mutex that clients should use +to serialize PS/2 command stream. + +Reported-by: Mark Laws +Tested-by: Mark Laws +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042.c | 16 +--------------- + drivers/input/serio/libps2.c | 10 ++++------ + include/linux/i8042.h | 6 ------ + include/linux/serio.h | 24 +++++++++++++++++++----- + 4 files changed, 24 insertions(+), 32 deletions(-) + +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -1277,6 +1277,7 @@ static int __init i8042_create_kbd_port( + serio->start = i8042_start; + serio->stop = i8042_stop; + serio->close = i8042_port_close; ++ serio->ps2_cmd_mutex = &i8042_mutex; + serio->port_data = port; + serio->dev.parent = &i8042_platform_device->dev; + strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name)); +@@ -1373,21 +1374,6 @@ static void i8042_unregister_ports(void) + } + } + +-/* +- * Checks whether port belongs to i8042 controller. +- */ +-bool i8042_check_port_owner(const struct serio *port) +-{ +- int i; +- +- for (i = 0; i < I8042_NUM_PORTS; i++) +- if (i8042_ports[i].serio == port) +- return true; +- +- return false; +-} +-EXPORT_SYMBOL(i8042_check_port_owner); +- + static void i8042_free_irqs(void) + { + if (i8042_aux_irq_registered) +--- a/drivers/input/serio/libps2.c ++++ b/drivers/input/serio/libps2.c +@@ -56,19 +56,17 @@ EXPORT_SYMBOL(ps2_sendbyte); + + void ps2_begin_command(struct ps2dev *ps2dev) + { +- mutex_lock(&ps2dev->cmd_mutex); ++ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex; + +- if (i8042_check_port_owner(ps2dev->serio)) +- i8042_lock_chip(); ++ mutex_lock(m); + } + EXPORT_SYMBOL(ps2_begin_command); + + void ps2_end_command(struct ps2dev *ps2dev) + { +- if (i8042_check_port_owner(ps2dev->serio)) +- i8042_unlock_chip(); ++ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex; + +- mutex_unlock(&ps2dev->cmd_mutex); ++ mutex_unlock(m); + } + EXPORT_SYMBOL(ps2_end_command); + +--- a/include/linux/i8042.h ++++ b/include/linux/i8042.h +@@ -62,7 +62,6 @@ struct serio; + void i8042_lock_chip(void); + void i8042_unlock_chip(void); + int i8042_command(unsigned char *param, int command); +-bool i8042_check_port_owner(const struct serio *); + int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str, + struct serio *serio)); + int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str, +@@ -83,11 +82,6 @@ static inline int i8042_command(unsigned + return -ENODEV; + } + +-static inline bool i8042_check_port_owner(const struct serio *serio) +-{ +- return false; +-} +- + static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str, + struct serio *serio)) + { +--- a/include/linux/serio.h ++++ b/include/linux/serio.h +@@ -31,7 +31,8 @@ struct serio { + + struct serio_device_id id; + +- spinlock_t lock; /* protects critical sections from port's interrupt handler */ ++ /* Protects critical sections from port's interrupt handler */ ++ spinlock_t lock; + + int (*write)(struct serio *, unsigned char); + int (*open)(struct serio *); +@@ -40,16 +41,29 @@ struct serio { + void (*stop)(struct serio *); + + struct serio *parent; +- struct list_head child_node; /* Entry in parent->children list */ ++ /* Entry in parent->children list */ ++ struct list_head child_node; + struct list_head children; +- unsigned int depth; /* level of nesting in serio hierarchy */ ++ /* Level of nesting in serio hierarchy */ ++ unsigned int depth; + +- struct serio_driver *drv; /* accessed from interrupt, must be protected by serio->lock and serio->sem */ +- struct mutex drv_mutex; /* protects serio->drv so attributes can pin driver */ ++ /* ++ * serio->drv is accessed from interrupt handlers; when modifying ++ * caller should acquire serio->drv_mutex and serio->lock. ++ */ ++ struct serio_driver *drv; ++ /* Protects serio->drv so attributes can pin current driver */ ++ struct mutex drv_mutex; + + struct device dev; + + struct list_head node; ++ ++ /* ++ * For use by PS/2 layer when several ports share hardware and ++ * may get indigestion when exposed to concurrent access (i8042). ++ */ ++ struct mutex *ps2_cmd_mutex; + }; + #define to_serio_port(d) container_of(d, struct serio, dev) + diff --git a/queue-4.7/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch b/queue-4.7/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch new file mode 100644 index 00000000000..6e2c4d3f461 --- /dev/null +++ b/queue-4.7/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch @@ -0,0 +1,39 @@ +From 8abc718de6e9e52d8a6bfdb735060554aeae25e4 Mon Sep 17 00:00:00 2001 +From: Feng Li +Date: Tue, 12 Jul 2016 06:15:44 +0800 +Subject: iscsi-target: Fix panic when adding second TCP connection to iSCSI session + +From: Feng Li + +commit 8abc718de6e9e52d8a6bfdb735060554aeae25e4 upstream. + +In MC/S scenario, the conn->sess has been set NULL in +iscsi_login_non_zero_tsih_s1 when the second connection comes here, +then kernel panic. + +The conn->sess will be assigned in iscsi_login_non_zero_tsih_s2. So +we should check whether it's NULL before calling. + +Signed-off-by: Feng Li +Tested-by: Sumit Rai +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_login.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -1371,8 +1371,9 @@ static int __iscsi_target_login_thread(s + } + login->zero_tsih = zero_tsih; + +- conn->sess->se_sess->sup_prot_ops = +- conn->conn_transport->iscsit_get_sup_prot_ops(conn); ++ if (conn->sess) ++ conn->sess->se_sess->sup_prot_ops = ++ conn->conn_transport->iscsit_get_sup_prot_ops(conn); + + tpg = conn->tpg; + if (!tpg) { diff --git a/queue-4.7/lpfc-fix-oops-in-lpfc_sli4_scmd_to_wqidx_distr-from-lpfc_send_taskmgmt.patch b/queue-4.7/lpfc-fix-oops-in-lpfc_sli4_scmd_to_wqidx_distr-from-lpfc_send_taskmgmt.patch new file mode 100644 index 00000000000..5b2290a2c01 --- /dev/null +++ b/queue-4.7/lpfc-fix-oops-in-lpfc_sli4_scmd_to_wqidx_distr-from-lpfc_send_taskmgmt.patch @@ -0,0 +1,152 @@ +From 05a05872c8d4b4357c9d913e6d73ae64882bddf5 Mon Sep 17 00:00:00 2001 +From: Mauricio Faria de Oliveira +Date: Tue, 7 Jun 2016 20:13:08 -0300 +Subject: lpfc: fix oops in lpfc_sli4_scmd_to_wqidx_distr() from lpfc_send_taskmgmt() + +From: Mauricio Faria de Oliveira + +commit 05a05872c8d4b4357c9d913e6d73ae64882bddf5 upstream. + +The lpfc_sli4_scmd_to_wqidx_distr() function expects the scsi_cmnd +'lpfc_cmd->pCmd' not to be null, and point to the midlayer command. + +That's not true in the .eh_(device|target|bus)_reset_handler path, +because lpfc_send_taskmgmt() sends commands not from the midlayer, so +does not set 'lpfc_cmd->pCmd'. + +That is true in the .queuecommand path because lpfc_queuecommand() +stores the scsi_cmnd from midlayer in lpfc_cmd->pCmd; and lpfc_cmd is +stored by lpfc_scsi_prep_cmnd() in piocbq->context1 -- which is passed +to lpfc_sli4_scmd_to_wqidx_distr() as lpfc_cmd parameter. + +This problem can be hit on SCSI EH, and immediately with sg_reset. +These 2 test-cases demonstrate the problem/fix with next-20160601. + +Test-case 1) sg_reset + + # strace sg_reset --device /dev/sdm + <...> + open("/dev/sdm", O_RDWR|O_NONBLOCK) = 3 + ioctl(3, SG_SCSI_RESET, 0x3fffde6d0994 + +++ killed by SIGSEGV +++ + Segmentation fault + + # dmesg + Unable to handle kernel paging request for data at address 0x00000000 + Faulting instruction address: 0xd00000001c88442c + Oops: Kernel access of bad area, sig: 11 [#1] + <...> + CPU: 104 PID: 16333 Comm: sg_reset Tainted: G W 4.7.0-rc1-next-20160601-00004-g95b89dc #6 + <...> + NIP [d00000001c88442c] lpfc_sli4_scmd_to_wqidx_distr+0xc/0xd0 [lpfc] + LR [d00000001c826fe8] lpfc_sli_calc_ring.part.27+0x98/0xd0 [lpfc] + Call Trace: + [c000003c9ec876f0] [c000003c9ec87770] 0xc000003c9ec87770 (unreliable) + [c000003c9ec87720] [d00000001c82e004] lpfc_sli_issue_iocb+0xd4/0x260 [lpfc] + [c000003c9ec87780] [d00000001c831a3c] lpfc_sli_issue_iocb_wait+0x15c/0x5b0 [lpfc] + [c000003c9ec87880] [d00000001c87f27c] lpfc_send_taskmgmt+0x24c/0x650 [lpfc] + [c000003c9ec87950] [d00000001c87fd7c] lpfc_device_reset_handler+0x10c/0x200 [lpfc] + [c000003c9ec87a10] [c000000000610694] scsi_try_bus_device_reset+0x44/0xc0 + [c000003c9ec87a40] [c0000000006113e8] scsi_ioctl_reset+0x198/0x2c0 + [c000003c9ec87bf0] [c00000000060fe5c] scsi_ioctl+0x13c/0x4b0 + [c000003c9ec87c80] [c0000000006629b0] sd_ioctl+0xf0/0x120 + [c000003c9ec87cd0] [c00000000046e4f8] blkdev_ioctl+0x248/0xb70 + [c000003c9ec87d30] [c0000000002a1f60] block_ioctl+0x70/0x90 + [c000003c9ec87d50] [c00000000026d334] do_vfs_ioctl+0xc4/0x890 + [c000003c9ec87de0] [c00000000026db60] SyS_ioctl+0x60/0xc0 + [c000003c9ec87e30] [c000000000009120] system_call+0x38/0x108 + Instruction dump: + <...> + + With fix: + + # strace sg_reset --device /dev/sdm + <...> + open("/dev/sdm", O_RDWR|O_NONBLOCK) = 3 + ioctl(3, SG_SCSI_RESET, 0x3fffe103c554) = 0 + close(3) = 0 + exit_group(0) = ? + +++ exited with 0 +++ + + # dmesg + [ 424.658649] lpfc 0006:01:00.4: 4:(0):0713 SCSI layer issued Device Reset (1, 0) return x2002 + +Test-case 2) SCSI EH + + Using this debug patch to wire an SCSI EH trigger, for lpfc_scsi_cmd_iocb_cmpl(): + - cmd->scsi_done(cmd); + + if ((phba->pport ? phba->pport->cfg_log_verbose : phba->cfg_log_verbose) == 0x32100000) + + printk(KERN_ALERT "lpfc: skip scsi_done()\n"); + + else + + cmd->scsi_done(cmd); + + # echo 0x32100000 > /sys/class/scsi_host/host11/lpfc_log_verbose + + # dd if=/dev/sdm of=/dev/null iflag=direct & + <...> + + After a while: + + # dmesg + lpfc 0006:01:00.4: 4:(0):3053 lpfc_log_verbose changed from 0 (x0) to 839909376 (x32100000) + lpfc: skip scsi_done() + <...> + Unable to handle kernel paging request for data at address 0x00000000 + Faulting instruction address: 0xd0000000199e448c + Oops: Kernel access of bad area, sig: 11 [#1] + <...> + CPU: 96 PID: 28556 Comm: scsi_eh_11 Tainted: G W 4.7.0-rc1-next-20160601-00004-g95b89dc #6 + <...> + NIP [d0000000199e448c] lpfc_sli4_scmd_to_wqidx_distr+0xc/0xd0 [lpfc] + LR [d000000019986fe8] lpfc_sli_calc_ring.part.27+0x98/0xd0 [lpfc] + Call Trace: + [c000000ff0d0b890] [c000000ff0d0b900] 0xc000000ff0d0b900 (unreliable) + [c000000ff0d0b8c0] [d00000001998e004] lpfc_sli_issue_iocb+0xd4/0x260 [lpfc] + [c000000ff0d0b920] [d000000019991a3c] lpfc_sli_issue_iocb_wait+0x15c/0x5b0 [lpfc] + [c000000ff0d0ba20] [d0000000199df27c] lpfc_send_taskmgmt+0x24c/0x650 [lpfc] + [c000000ff0d0baf0] [d0000000199dfd7c] lpfc_device_reset_handler+0x10c/0x200 [lpfc] + [c000000ff0d0bbb0] [c000000000610694] scsi_try_bus_device_reset+0x44/0xc0 + [c000000ff0d0bbe0] [c0000000006126cc] scsi_eh_ready_devs+0x49c/0x9c0 + [c000000ff0d0bcb0] [c000000000614160] scsi_error_handler+0x580/0x680 + [c000000ff0d0bd80] [c0000000000ae848] kthread+0x108/0x130 + [c000000ff0d0be30] [c0000000000094a8] ret_from_kernel_thread+0x5c/0xb4 + Instruction dump: + <...> + + With fix: + + # dmesg + lpfc 0006:01:00.4: 4:(0):3053 lpfc_log_verbose changed from 0 (x0) to 839909376 (x32100000) + lpfc: skip scsi_done() + <...> + lpfc 0006:01:00.4: 4:(0):0713 SCSI layer issued Device Reset (0, 0) return x2002 + <...> + lpfc 0006:01:00.4: 4:(0):0723 SCSI layer issued Target Reset (1, 0) return x2002 + <...> + lpfc 0006:01:00.4: 4:(0):0714 SCSI layer issued Bus Reset Data: x2002 + <...> + lpfc 0006:01:00.4: 4:(0):3172 SCSI layer issued Host Reset Data: + <...> + +Fixes: 8b0dff14164d ("lpfc: Add support for using block multi-queue") +Signed-off-by: Mauricio Faria de Oliveira +Reviewed-by: Johannes Thumshirn +Acked-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc_scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -3874,7 +3874,7 @@ int lpfc_sli4_scmd_to_wqidx_distr(struct + uint32_t tag; + uint16_t hwq; + +- if (shost_use_blk_mq(cmnd->device->host)) { ++ if (cmnd && shost_use_blk_mq(cmnd->device->host)) { + tag = blk_mq_unique_tag(cmnd->request); + hwq = blk_mq_unique_tag_to_hwq(tag); + diff --git a/queue-4.7/mips-don-t-register-r4k-sched-clock-when-cpufreq-enabled.patch b/queue-4.7/mips-don-t-register-r4k-sched-clock-when-cpufreq-enabled.patch new file mode 100644 index 00000000000..2cad57f0ff7 --- /dev/null +++ b/queue-4.7/mips-don-t-register-r4k-sched-clock-when-cpufreq-enabled.patch @@ -0,0 +1,47 @@ +From 07d69579e7fec27e371296d8ca9d6076fc401b5c Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 22 Jul 2016 11:46:31 +0800 +Subject: MIPS: Don't register r4k sched clock when CPUFREQ enabled + +From: Huacai Chen + +commit 07d69579e7fec27e371296d8ca9d6076fc401b5c upstream. + +Don't register r4k sched clock when CPUFREQ enabled because sched clock +need a constant frequency. + +Signed-off-by: Huacai Chen +Cc: John Crispin +Cc: Steven J . Hill +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13820/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/csrc-r4k.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mips/kernel/csrc-r4k.c ++++ b/arch/mips/kernel/csrc-r4k.c +@@ -23,7 +23,7 @@ static struct clocksource clocksource_mi + .flags = CLOCK_SOURCE_IS_CONTINUOUS, + }; + +-static u64 notrace r4k_read_sched_clock(void) ++static u64 __maybe_unused notrace r4k_read_sched_clock(void) + { + return read_c0_count(); + } +@@ -82,7 +82,9 @@ int __init init_r4k_clocksource(void) + + clocksource_register_hz(&clocksource_mips, mips_hpt_frequency); + ++#ifndef CONFIG_CPU_FREQ + sched_clock_register(r4k_read_sched_clock, 32, mips_hpt_frequency); ++#endif + + return 0; + } diff --git a/queue-4.7/mips-fix-r4k-clockevents-registration.patch b/queue-4.7/mips-fix-r4k-clockevents-registration.patch new file mode 100644 index 00000000000..b73486efded --- /dev/null +++ b/queue-4.7/mips-fix-r4k-clockevents-registration.patch @@ -0,0 +1,51 @@ +From 6dabf2b7a597a9613f0b8a2fcbe01e2a0a05c896 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 21 Jul 2016 14:27:49 +0800 +Subject: MIPS: Fix r4k clockevents registration + +From: Huacai Chen + +commit 6dabf2b7a597a9613f0b8a2fcbe01e2a0a05c896 upstream. + +CPUFreq need min_delta_ticks/max_delta_ticks to be initialized, and +this can be done by clockevents_config_and_register(). + +Signed-off-by: Heiher +Signed-off-by: Huacai Chen +Cc: John Crispin +Cc: Steven J . Hill +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13817/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cevt-r4k.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/arch/mips/kernel/cevt-r4k.c ++++ b/arch/mips/kernel/cevt-r4k.c +@@ -276,12 +276,7 @@ int r4k_clockevent_init(void) + CLOCK_EVT_FEAT_C3STOP | + CLOCK_EVT_FEAT_PERCPU; + +- clockevent_set_clock(cd, mips_hpt_frequency); +- +- /* Calculate the min / max delta */ +- cd->max_delta_ns = clockevent_delta2ns(0x7fffffff, cd); + min_delta = calculate_min_delta(); +- cd->min_delta_ns = clockevent_delta2ns(min_delta, cd); + + cd->rating = 300; + cd->irq = irq; +@@ -289,7 +284,7 @@ int r4k_clockevent_init(void) + cd->set_next_event = mips_next_event; + cd->event_handler = mips_event_handler; + +- clockevents_register_device(cd); ++ clockevents_config_and_register(cd, mips_hpt_frequency, min_delta, 0x7fffffff); + + if (cp0_timer_irq_installed) + return 0; diff --git a/queue-4.7/mips-hpet-increase-hpet_min_prog_delta-and-decrease-hpet_min_cycles.patch b/queue-4.7/mips-hpet-increase-hpet_min_prog_delta-and-decrease-hpet_min_cycles.patch new file mode 100644 index 00000000000..1673932500b --- /dev/null +++ b/queue-4.7/mips-hpet-increase-hpet_min_prog_delta-and-decrease-hpet_min_cycles.patch @@ -0,0 +1,84 @@ +From 3ef06653987d4c4536b408321edf0e5caa2a317f Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 21 Jul 2016 14:27:51 +0800 +Subject: MIPS: hpet: Increase HPET_MIN_PROG_DELTA and decrease HPET_MIN_CYCLES + +From: Huacai Chen + +commit 3ef06653987d4c4536b408321edf0e5caa2a317f upstream. + +At first, we prefer to use mips clockevent device, so we decrease the +rating of hpet clockevent device. + +For hpet, if HPET_MIN_PROG_DELTA (minimum delta of hpet programming) is +too small and HPET_MIN_CYCLES (threshold of -ETIME checking) is too +large, then hpet_next_event() can easily return -ETIME. After commit +c6eb3f70d44828 ("hrtimer: Get rid of hrtimer softirq") this will cause +a RCU stall. + +So, HPET_MIN_PROG_DELTA must be sufficient that we don't re-trip the +-ETIME check -- if we do, we will return -ETIME, forward the next event +time, try to set it, return -ETIME again, and basically lock the system +up. Meanwhile, HPET_MIN_CYCLES doesn't need to be too large, 16 cycles +is enough. + +This solution is similar to commit f9eccf24615672 ("clocksource/drivers +/vt8500: Increase the minimum delta"). + +By the way, this patch ensures hpet count/compare to be 32-bit long. + +Signed-off-by: Huacai Chen +Cc: John Crispin +Cc: Steven J . Hill +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13819/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/loongson64/loongson-3/hpet.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/arch/mips/loongson64/loongson-3/hpet.c ++++ b/arch/mips/loongson64/loongson-3/hpet.c +@@ -13,8 +13,8 @@ + #define SMBUS_PCI_REG64 0x64 + #define SMBUS_PCI_REGB4 0xb4 + +-#define HPET_MIN_CYCLES 64 +-#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1)) ++#define HPET_MIN_CYCLES 16 ++#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES * 12) + + static DEFINE_SPINLOCK(hpet_lock); + DEFINE_PER_CPU(struct clock_event_device, hpet_clockevent_device); +@@ -157,14 +157,14 @@ static int hpet_tick_resume(struct clock + static int hpet_next_event(unsigned long delta, + struct clock_event_device *evt) + { +- unsigned int cnt; +- int res; ++ u32 cnt; ++ s32 res; + + cnt = hpet_read(HPET_COUNTER); +- cnt += delta; ++ cnt += (u32) delta; + hpet_write(HPET_T0_CMP, cnt); + +- res = (int)(cnt - hpet_read(HPET_COUNTER)); ++ res = (s32)(cnt - hpet_read(HPET_COUNTER)); + + return res < HPET_MIN_CYCLES ? -ETIME : 0; + } +@@ -230,7 +230,7 @@ void __init setup_hpet_timer(void) + + cd = &per_cpu(hpet_clockevent_device, cpu); + cd->name = "hpet"; +- cd->rating = 320; ++ cd->rating = 100; + cd->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT; + cd->set_state_shutdown = hpet_set_state_shutdown; + cd->set_state_periodic = hpet_set_state_periodic; diff --git a/queue-4.7/mips-mm-fix-definition-of-r6-cache-instruction.patch b/queue-4.7/mips-mm-fix-definition-of-r6-cache-instruction.patch new file mode 100644 index 00000000000..9c6858d039f --- /dev/null +++ b/queue-4.7/mips-mm-fix-definition-of-r6-cache-instruction.patch @@ -0,0 +1,40 @@ +From 4f53989b0652ffe2605221c81ca8ffcfc90aed2a Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 14 Jun 2016 14:59:38 +0100 +Subject: MIPS: mm: Fix definition of R6 cache instruction + +From: Matt Redfearn + +commit 4f53989b0652ffe2605221c81ca8ffcfc90aed2a upstream. + +Commit a168b8f1cde6 ("MIPS: mm: Add MIPS R6 instruction encodings") added +an incorrect definition of the redefined MIPSr6 cache instruction. + +Executing any kernel code including this instuction results in a +reserved instruction exception and kernel panic. + +Fix the instruction definition. + +Fixes: a168b8f1cde6588ff7a67699fa11e01bc77a5ddd +Signed-off-by: Matt Redfearn +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13663/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/uasm-mips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/mm/uasm-mips.c ++++ b/arch/mips/mm/uasm-mips.c +@@ -65,7 +65,7 @@ static struct insn insn_table[] = { + #ifndef CONFIG_CPU_MIPSR6 + { insn_cache, M(cache_op, 0, 0, 0, 0, 0), RS | RT | SIMM }, + #else +- { insn_cache, M6(cache_op, 0, 0, 0, cache6_op), RS | RT | SIMM9 }, ++ { insn_cache, M6(spec3_op, 0, 0, 0, cache6_op), RS | RT | SIMM9 }, + #endif + { insn_daddiu, M(daddiu_op, 0, 0, 0, 0, 0), RS | RT | SIMM }, + { insn_daddu, M(spec_op, 0, 0, 0, 0, daddu_op), RS | RT | RD }, diff --git a/queue-4.7/of-fix-memory-leak-related-to-safe_name.patch b/queue-4.7/of-fix-memory-leak-related-to-safe_name.patch new file mode 100644 index 00000000000..c7e3b7a6070 --- /dev/null +++ b/queue-4.7/of-fix-memory-leak-related-to-safe_name.patch @@ -0,0 +1,161 @@ +From d9fc880723321dbf16b2981e3f3e916b73942210 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Thu, 16 Jun 2016 10:51:46 -0700 +Subject: of: fix memory leak related to safe_name() + +From: Frank Rowand + +commit d9fc880723321dbf16b2981e3f3e916b73942210 upstream. + +Fix a memory leak resulting from memory allocation in safe_name(). +This patch fixes all call sites of safe_name(). + +Mathieu Malaterre reported the memory leak on boot: + +On my PowerMac device-tree would generate a duplicate name: + +[ 0.023043] device-tree: Duplicate name in PowerPC,G4@0, renamed to "l2-cache#1" + +in this case a newly allocated name is generated by `safe_name`. However +in this case it is never deallocated. + +The bug was found using kmemleak reported as: + +unreferenced object 0xdf532e60 (size 32): + comm "swapper", pid 1, jiffies 4294892300 (age 1993.532s) + hex dump (first 32 bytes): + 6c 32 2d 63 61 63 68 65 23 31 00 dd e4 dd 1e c2 l2-cache#1...... + ec d4 ba ce 04 ec cc de 8e 85 e9 ca c4 ec cc 9e ................ + backtrace: + [] kvasprintf+0x64/0xc8 + [] kasprintf+0x4c/0x5c + [] safe_name.isra.1+0x80/0xc4 + [] __of_attach_node_sysfs+0x6c/0x11c + [] of_core_init+0x8c/0xf8 + [] kernel_init_freeable+0xd4/0x208 + [] kernel_init+0x24/0x11c + [] ret_from_kernel_thread+0x5c/0x64 + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=120331 + +Signed-off-by: Frank Rowand +Reported-by: mathieu.malaterre@gmail.com +Tested-by: Mathieu Malaterre +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 30 +++++++++++++++++++++--------- + drivers/of/dynamic.c | 2 +- + drivers/of/of_private.h | 3 +++ + 3 files changed, 25 insertions(+), 10 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -112,6 +112,7 @@ static ssize_t of_node_property_read(str + return memory_read_from_buffer(buf, count, &offset, pp->value, pp->length); + } + ++/* always return newly allocated name, caller must free after use */ + static const char *safe_name(struct kobject *kobj, const char *orig_name) + { + const char *name = orig_name; +@@ -126,9 +127,12 @@ static const char *safe_name(struct kobj + name = kasprintf(GFP_KERNEL, "%s#%i", orig_name, ++i); + } + +- if (name != orig_name) ++ if (name == orig_name) { ++ name = kstrdup(orig_name, GFP_KERNEL); ++ } else { + pr_warn("device-tree: Duplicate name in %s, renamed to \"%s\"\n", + kobject_name(kobj), name); ++ } + return name; + } + +@@ -159,6 +163,7 @@ int __of_add_property_sysfs(struct devic + int __of_attach_node_sysfs(struct device_node *np) + { + const char *name; ++ struct kobject *parent; + struct property *pp; + int rc; + +@@ -171,15 +176,16 @@ int __of_attach_node_sysfs(struct device + np->kobj.kset = of_kset; + if (!np->parent) { + /* Nodes without parents are new top level trees */ +- rc = kobject_add(&np->kobj, NULL, "%s", +- safe_name(&of_kset->kobj, "base")); ++ name = safe_name(&of_kset->kobj, "base"); ++ parent = NULL; + } else { + name = safe_name(&np->parent->kobj, kbasename(np->full_name)); +- if (!name || !name[0]) +- return -EINVAL; +- +- rc = kobject_add(&np->kobj, &np->parent->kobj, "%s", name); ++ parent = &np->parent->kobj; + } ++ if (!name) ++ return -ENOMEM; ++ rc = kobject_add(&np->kobj, parent, "%s", name); ++ kfree(name); + if (rc) + return rc; + +@@ -1815,6 +1821,12 @@ int __of_remove_property(struct device_n + return 0; + } + ++void __of_sysfs_remove_bin_file(struct device_node *np, struct property *prop) ++{ ++ sysfs_remove_bin_file(&np->kobj, &prop->attr); ++ kfree(prop->attr.attr.name); ++} ++ + void __of_remove_property_sysfs(struct device_node *np, struct property *prop) + { + if (!IS_ENABLED(CONFIG_SYSFS)) +@@ -1822,7 +1834,7 @@ void __of_remove_property_sysfs(struct d + + /* at early boot, bail here and defer setup to of_init() */ + if (of_kset && of_node_is_attached(np)) +- sysfs_remove_bin_file(&np->kobj, &prop->attr); ++ __of_sysfs_remove_bin_file(np, prop); + } + + /** +@@ -1895,7 +1907,7 @@ void __of_update_property_sysfs(struct d + return; + + if (oldprop) +- sysfs_remove_bin_file(&np->kobj, &oldprop->attr); ++ __of_sysfs_remove_bin_file(np, oldprop); + __of_add_property_sysfs(np, newprop); + } + +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -55,7 +55,7 @@ void __of_detach_node_sysfs(struct devic + /* only remove properties if on sysfs */ + if (of_node_is_attached(np)) { + for_each_property_of_node(np, pp) +- sysfs_remove_bin_file(&np->kobj, &pp->attr); ++ __of_sysfs_remove_bin_file(np, pp); + kobject_del(&np->kobj); + } + +--- a/drivers/of/of_private.h ++++ b/drivers/of/of_private.h +@@ -83,6 +83,9 @@ extern int __of_attach_node_sysfs(struct + extern void __of_detach_node(struct device_node *np); + extern void __of_detach_node_sysfs(struct device_node *np); + ++extern void __of_sysfs_remove_bin_file(struct device_node *np, ++ struct property *prop); ++ + /* iterators for transactions, used for overlays */ + /* forward iterator */ + #define for_each_transaction_entry(_oft, _te) \ diff --git a/queue-4.7/pci-mark-atheros-ar9485-and-qca9882-to-avoid-bus-reset.patch b/queue-4.7/pci-mark-atheros-ar9485-and-qca9882-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..59f362ea131 --- /dev/null +++ b/queue-4.7/pci-mark-atheros-ar9485-and-qca9882-to-avoid-bus-reset.patch @@ -0,0 +1,43 @@ +From 9ac0108c2bac3f1d0255f64fb89fc27e71131b24 Mon Sep 17 00:00:00 2001 +From: Chris Blake +Date: Mon, 30 May 2016 07:26:37 -0500 +Subject: PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset + +From: Chris Blake + +commit 9ac0108c2bac3f1d0255f64fb89fc27e71131b24 upstream. + +Similar to the AR93xx series, the AR94xx and the Qualcomm QCA988x also have +the same quirk for the Bus Reset. + +Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset") +Signed-off-by: Chris Blake +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3189,13 +3189,15 @@ static void quirk_no_bus_reset(struct pc + } + + /* +- * Atheros AR93xx chips do not behave after a bus reset. The device will +- * throw a Link Down error on AER-capable systems and regardless of AER, +- * config space of the device is never accessible again and typically +- * causes the system to hang or reset when access is attempted. ++ * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset. ++ * The device will throw a Link Down error on AER-capable systems and ++ * regardless of AER, config space of the device is never accessible again ++ * and typically causes the system to hang or reset when access is attempted. + * http://www.spinics.net/lists/linux-pci/msg34797.html + */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + + static void quirk_no_pm_reset(struct pci_dev *dev) + { diff --git a/queue-4.7/series b/queue-4.7/series index ee5fff261a0..96520cb2440 100644 --- a/queue-4.7/series +++ b/queue-4.7/series @@ -157,3 +157,25 @@ ib-rdmavt-add-missing-spin_lock_init-call-for-rdi-n_cqs_lock.patch ib-srpt-limit-the-number-of-sg-elements-per-work-request.patch ib-core-make-rdma_rw_ctx_init-initialize-all-used-fields.patch ib-core-rdma-rw-api-do-not-exceed-qp-sge-send-limit.patch +of-fix-memory-leak-related-to-safe_name.patch +ubi-make-volume-resize-power-cut-aware.patch +ubi-fix-early-logging.patch +ubi-fix-race-condition-between-ubi-device-creation-and-udev.patch +iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi-session.patch +target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch +target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch +target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch +target-fix-max_unmap_lba_count-calc-overflow.patch +target-fix-ordered-task-check_condition-early-exception-handling.patch +um-fix-possible-deadlock-in-sig_handler_common.patch +input-elan_i2c-properly-wake-up-touchpad-on-asus-laptops.patch +input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch +sunrpc-don-t-allocate-a-full-sockaddr_storage-for-tracing.patch +mips-mm-fix-definition-of-r6-cache-instruction.patch +mips-fix-r4k-clockevents-registration.patch +mips-don-t-register-r4k-sched-clock-when-cpufreq-enabled.patch +mips-hpet-increase-hpet_min_prog_delta-and-decrease-hpet_min_cycles.patch +pci-mark-atheros-ar9485-and-qca9882-to-avoid-bus-reset.patch +x86-platform-intel_mid_pci-rework-irq0-workaround.patch +acpi-ec-work-around-method-reentrancy-limit-in-acpica-for-_qxx.patch +lpfc-fix-oops-in-lpfc_sli4_scmd_to_wqidx_distr-from-lpfc_send_taskmgmt.patch diff --git a/queue-4.7/sunrpc-don-t-allocate-a-full-sockaddr_storage-for-tracing.patch b/queue-4.7/sunrpc-don-t-allocate-a-full-sockaddr_storage-for-tracing.patch new file mode 100644 index 00000000000..48d8deec08b --- /dev/null +++ b/queue-4.7/sunrpc-don-t-allocate-a-full-sockaddr_storage-for-tracing.patch @@ -0,0 +1,117 @@ +From db1bb44c4c7e8d49ed674dc59e5222d99c698088 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 24 Jun 2016 10:55:44 -0400 +Subject: SUNRPC: Don't allocate a full sockaddr_storage for tracing + +From: Trond Myklebust + +commit db1bb44c4c7e8d49ed674dc59e5222d99c698088 upstream. + +We're always tracing IPv4 or IPv6 addresses, so we can save a lot +of space on the ringbuffer by allocating the correct sockaddr size. + +Signed-off-by: Trond Myklebust +Fixes: 83a712e0afef "sunrpc: add some tracepoints around ..." +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/sunrpc.h | 47 ++++++++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 13 deletions(-) + +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -529,20 +529,27 @@ TRACE_EVENT(svc_xprt_do_enqueue, + + TP_STRUCT__entry( + __field(struct svc_xprt *, xprt) +- __field_struct(struct sockaddr_storage, ss) + __field(int, pid) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, xprt != NULL ? ++ xprt->xpt_remotelen : 0) + ), + + TP_fast_assign( + __entry->xprt = xprt; +- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss)); + __entry->pid = rqst? rqst->rq_task->pid : 0; +- __entry->flags = xprt ? xprt->xpt_flags : 0; ++ if (xprt) { ++ memcpy(__get_dynamic_array(addr), ++ &xprt->xpt_remote, ++ xprt->xpt_remotelen); ++ __entry->flags = xprt->xpt_flags; ++ } else ++ __entry->flags = 0; + ), + + TP_printk("xprt=0x%p addr=%pIScp pid=%d flags=%s", __entry->xprt, +- (struct sockaddr *)&__entry->ss, ++ __get_dynamic_array_len(addr) != 0 ? ++ (struct sockaddr *)__get_dynamic_array(addr) : NULL, + __entry->pid, show_svc_xprt_flags(__entry->flags)) + ); + +@@ -553,18 +560,25 @@ TRACE_EVENT(svc_xprt_dequeue, + + TP_STRUCT__entry( + __field(struct svc_xprt *, xprt) +- __field_struct(struct sockaddr_storage, ss) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, xprt != NULL ? ++ xprt->xpt_remotelen : 0) + ), + + TP_fast_assign( +- __entry->xprt = xprt, +- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss)); +- __entry->flags = xprt ? xprt->xpt_flags : 0; ++ __entry->xprt = xprt; ++ if (xprt) { ++ memcpy(__get_dynamic_array(addr), ++ &xprt->xpt_remote, ++ xprt->xpt_remotelen); ++ __entry->flags = xprt->xpt_flags; ++ } else ++ __entry->flags = 0; + ), + + TP_printk("xprt=0x%p addr=%pIScp flags=%s", __entry->xprt, +- (struct sockaddr *)&__entry->ss, ++ __get_dynamic_array_len(addr) != 0 ? ++ (struct sockaddr *)__get_dynamic_array(addr) : NULL, + show_svc_xprt_flags(__entry->flags)) + ); + +@@ -592,19 +606,26 @@ TRACE_EVENT(svc_handle_xprt, + TP_STRUCT__entry( + __field(struct svc_xprt *, xprt) + __field(int, len) +- __field_struct(struct sockaddr_storage, ss) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, xprt != NULL ? ++ xprt->xpt_remotelen : 0) + ), + + TP_fast_assign( + __entry->xprt = xprt; +- xprt ? memcpy(&__entry->ss, &xprt->xpt_remote, sizeof(__entry->ss)) : memset(&__entry->ss, 0, sizeof(__entry->ss)); + __entry->len = len; +- __entry->flags = xprt ? xprt->xpt_flags : 0; ++ if (xprt) { ++ memcpy(__get_dynamic_array(addr), ++ &xprt->xpt_remote, ++ xprt->xpt_remotelen); ++ __entry->flags = xprt->xpt_flags; ++ } else ++ __entry->flags = 0; + ), + + TP_printk("xprt=0x%p addr=%pIScp len=%d flags=%s", __entry->xprt, +- (struct sockaddr *)&__entry->ss, ++ __get_dynamic_array_len(addr) != 0 ? ++ (struct sockaddr *)__get_dynamic_array(addr) : NULL, + __entry->len, show_svc_xprt_flags(__entry->flags)) + ); + #endif /* _TRACE_SUNRPC_H */ diff --git a/queue-4.7/target-fix-max_unmap_lba_count-calc-overflow.patch b/queue-4.7/target-fix-max_unmap_lba_count-calc-overflow.patch new file mode 100644 index 00000000000..fe4d2818235 --- /dev/null +++ b/queue-4.7/target-fix-max_unmap_lba_count-calc-overflow.patch @@ -0,0 +1,92 @@ +From ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Thu, 2 Jun 2016 20:12:37 -0500 +Subject: target: Fix max_unmap_lba_count calc overflow + +From: Mike Christie + +commit ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b upstream. + +max_discard_sectors only 32bits, and some non scsi backend +devices will set this to the max 0xffffffff, so we can end up +overflowing during the max_unmap_lba_count calculation. + +This fixes a regression caused by my patch: + +commit 8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3 +Author: Mike Christie +Date: Mon Jan 18 14:09:27 2016 -0600 + + target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors + +which can result in extra discards being sent to due the overflow +causing max_unmap_lba_count to be smaller than what the backing +device can actually support. + +Signed-off-by: Mike Christie +Reviewed-by: Bart Van Assche +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_device.c | 8 +++++--- + drivers/target/target_core_file.c | 3 +-- + drivers/target/target_core_iblock.c | 3 +-- + include/target/target_core_backend.h | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -821,13 +821,15 @@ struct se_device *target_alloc_device(st + * in ATA and we need to set TPE=1 + */ + bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, +- struct request_queue *q, int block_size) ++ struct request_queue *q) + { ++ int block_size = queue_logical_block_size(q); ++ + if (!blk_queue_discard(q)) + return false; + +- attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9) / +- block_size; ++ attrib->max_unmap_lba_count = ++ q->limits.max_discard_sectors >> (ilog2(block_size) - 9); + /* + * Currently hardcoded to 1 in Linux/SCSI code.. + */ +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -161,8 +161,7 @@ static int fd_configure_device(struct se + dev_size, div_u64(dev_size, fd_dev->fd_block_size), + fd_dev->fd_block_size); + +- if (target_configure_unmap_from_queue(&dev->dev_attrib, q, +- fd_dev->fd_block_size)) ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q)) + pr_debug("IFILE: BLOCK Discard support available," + " disabled by default\n"); + /* +--- a/drivers/target/target_core_iblock.c ++++ b/drivers/target/target_core_iblock.c +@@ -121,8 +121,7 @@ static int iblock_configure_device(struc + dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q); + dev->dev_attrib.hw_queue_depth = q->nr_requests; + +- if (target_configure_unmap_from_queue(&dev->dev_attrib, q, +- dev->dev_attrib.hw_block_size)) ++ if (target_configure_unmap_from_queue(&dev->dev_attrib, q)) + pr_debug("IBLOCK: BLOCK Discard support available," + " disabled by default\n"); + +--- a/include/target/target_core_backend.h ++++ b/include/target/target_core_backend.h +@@ -95,6 +95,6 @@ sense_reason_t passthrough_parse_cdb(str + bool target_sense_desc_format(struct se_device *dev); + sector_t target_to_linux_sector(struct se_device *dev, sector_t lb); + bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib, +- struct request_queue *q, int block_size); ++ struct request_queue *q); + + #endif /* TARGET_CORE_BACKEND_H */ diff --git a/queue-4.7/target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch b/queue-4.7/target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch new file mode 100644 index 00000000000..d6a07b7a952 --- /dev/null +++ b/queue-4.7/target-fix-missing-complete-during-abort_task-cmd_t_fabric_stop.patch @@ -0,0 +1,57 @@ +From 5e2c956b8aa24d4f33ff7afef92d409eed164746 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Wed, 25 May 2016 12:25:04 -0700 +Subject: target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP + +From: Nicholas Bellinger + +commit 5e2c956b8aa24d4f33ff7afef92d409eed164746 upstream. + +During transport_generic_free_cmd() with a concurrent TMR +ABORT_TASK and shutdown CMD_T_FABRIC_STOP bit set, the +caller will be blocked on se_cmd->cmd_wait_stop completion +until the final kref_put() -> target_release_cmd_kref() +has been invoked to call complete(). + +However, when ABORT_TASK is completed with FUNCTION_COMPLETE +in core_tmr_abort_task(), the aborted se_cmd will have already +been removed from se_sess->sess_cmd_list via list_del_init(). + +This results in target_release_cmd_kref() hitting the +legacy list_empty() == true check, invoking ->release_cmd() +but skipping complete() to wakeup se_cmd->cmd_wait_stop +blocked earlier in transport_generic_free_cmd() code. + +To address this bug, it's safe to go ahead and drop the +original list_empty() check so that fabric_stop invokes +the complete() as expected, since list_del_init() can +safely be used on a empty list. + +Cc: Mike Christie +Cc: Quinn Tran +Cc: Himanshu Madhani +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Tested-by: Nicholas Bellinger +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2565,12 +2565,6 @@ static void target_release_cmd_kref(stru + bool fabric_stop; + + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); +- if (list_empty(&se_cmd->se_cmd_list)) { +- spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags); +- target_free_cmd_mem(se_cmd); +- se_cmd->se_tfo->release_cmd(se_cmd); +- return; +- } + + spin_lock(&se_cmd->t_state_lock); + fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP); diff --git a/queue-4.7/target-fix-ordered-task-check_condition-early-exception-handling.patch b/queue-4.7/target-fix-ordered-task-check_condition-early-exception-handling.patch new file mode 100644 index 00000000000..077566b4ed8 --- /dev/null +++ b/queue-4.7/target-fix-ordered-task-check_condition-early-exception-handling.patch @@ -0,0 +1,74 @@ +From 410c29dfbfdf73d0d0b5d14a21868ab038eca703 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 13 Jun 2016 22:58:09 -0700 +Subject: target: Fix ordered task CHECK_CONDITION early exception handling + +From: Nicholas Bellinger + +commit 410c29dfbfdf73d0d0b5d14a21868ab038eca703 upstream. + +If a Simple command is sent with a failure, target_setup_cmd_from_cdb +returns with TCM_UNSUPPORTED_SCSI_OPCODE or TCM_INVALID_CDB_FIELD. + +So in the cases where target_setup_cmd_from_cdb returns an error, we +never get far enough to call target_execute_cmd to increment simple_cmds. +Since simple_cmds isn't incremented, the result of the failure from +target_setup_cmd_from_cdb causes transport_generic_request_failure to +decrement simple_cmds, due to call to transport_complete_task_attr. + +With this dev->simple_cmds or dev->dev_ordered_sync is now -1, not 0. +So when a subsequent command with an Ordered Task is sent, it causes +a hang, since dev->simple_cmds is at -1. + +Tested-by: Bryant G. Ly +Signed-off-by: Bryant G. Ly +Tested-by: Michael Cyr +Signed-off-by: Michael Cyr +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 7 ++++++- + include/target/target_core_base.h | 1 + + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1827,6 +1827,8 @@ static bool target_handle_task_attr(stru + if (dev->transport->transport_flags & TRANSPORT_FLAG_PASSTHROUGH) + return false; + ++ cmd->se_cmd_flags |= SCF_TASK_ATTR_SET; ++ + /* + * Check for the existence of HEAD_OF_QUEUE, and if true return 1 + * to allow the passed struct se_cmd list of tasks to the front of the list. +@@ -1949,6 +1951,9 @@ static void transport_complete_task_attr + if (dev->transport->transport_flags & TRANSPORT_FLAG_PASSTHROUGH) + return; + ++ if (!(cmd->se_cmd_flags & SCF_TASK_ATTR_SET)) ++ goto restart; ++ + if (cmd->sam_task_attr == TCM_SIMPLE_TAG) { + atomic_dec_mb(&dev->simple_cmds); + dev->dev_cur_ordered_id++; +@@ -1965,7 +1970,7 @@ static void transport_complete_task_attr + pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n", + dev->dev_cur_ordered_id); + } +- ++restart: + target_restart_delayed_cmds(dev); + } + +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -142,6 +142,7 @@ enum se_cmd_flags_table { + SCF_PASSTHROUGH_PROT_SG_TO_MEM_NOALLOC = 0x00200000, + SCF_ACK_KREF = 0x00400000, + SCF_USE_CPUID = 0x00800000, ++ SCF_TASK_ATTR_SET = 0x01000000, + }; + + /* diff --git a/queue-4.7/target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch b/queue-4.7/target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch new file mode 100644 index 00000000000..be4def73297 --- /dev/null +++ b/queue-4.7/target-fix-ordered-task-target_setup_cmd_from_cdb-exception-hang.patch @@ -0,0 +1,166 @@ +From dff0ca9ea7dc8be2181a62df4a722c32ce68ff4a Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 17 May 2016 22:19:10 -0700 +Subject: target: Fix ordered task target_setup_cmd_from_cdb exception hang + +From: Nicholas Bellinger + +commit dff0ca9ea7dc8be2181a62df4a722c32ce68ff4a upstream. + +If a command with a Simple task attribute is failed due to a Unit +Attention, then a subsequent command with an Ordered task attribute +will hang forever. The reason for this is that the Unit Attention +status is checked for in target_setup_cmd_from_cdb, before the call +to target_execute_cmd, which calls target_handle_task_attr, which +in turn increments dev->simple_cmds. + +However, transport_generic_request_failure still calls +transport_complete_task_attr, which will decrement dev->simple_cmds. +In this case, simple_cmds is now -1. So when a command with the +Ordered task attribute is sent, target_handle_task_attr sees that +dev->simple_cmds is not 0, so it decides it can't execute the +command until all the (nonexistent) Simple commands have completed. + +Reported-by: Michael Cyr +Tested-by: Michael Cyr +Reported-by: Bryant G. Ly +Tested-by: Bryant G. Ly +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_internal.h | 1 + drivers/target/target_core_sbc.c | 2 - + drivers/target/target_core_transport.c | 62 ++++++++++++++++++--------------- + include/target/target_core_fabric.h | 1 + 4 files changed, 37 insertions(+), 29 deletions(-) + +--- a/drivers/target/target_core_internal.h ++++ b/drivers/target/target_core_internal.h +@@ -146,6 +146,7 @@ sense_reason_t target_cmd_size_check(str + void target_qf_do_work(struct work_struct *work); + bool target_check_wce(struct se_device *dev); + bool target_check_fua(struct se_device *dev); ++void __target_execute_cmd(struct se_cmd *, bool); + + /* target_core_stat.c */ + void target_stat_setup_dev_default_groups(struct se_device *); +--- a/drivers/target/target_core_sbc.c ++++ b/drivers/target/target_core_sbc.c +@@ -602,7 +602,7 @@ static sense_reason_t compare_and_write_ + cmd->transport_state |= CMD_T_ACTIVE|CMD_T_BUSY|CMD_T_SENT; + spin_unlock_irq(&cmd->t_state_lock); + +- __target_execute_cmd(cmd); ++ __target_execute_cmd(cmd, false); + + kfree(buf); + return ret; +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1303,23 +1303,6 @@ target_setup_cmd_from_cdb(struct se_cmd + + trace_target_sequencer_start(cmd); + +- /* +- * Check for an existing UNIT ATTENTION condition +- */ +- ret = target_scsi3_ua_check(cmd); +- if (ret) +- return ret; +- +- ret = target_alua_state_check(cmd); +- if (ret) +- return ret; +- +- ret = target_check_reservation(cmd); +- if (ret) { +- cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT; +- return ret; +- } +- + ret = dev->transport->parse_cdb(cmd); + if (ret == TCM_UNSUPPORTED_SCSI_OPCODE) + pr_warn_ratelimited("%s/%s: Unsupported SCSI Opcode 0x%02x, sending CHECK_CONDITION.\n", +@@ -1761,20 +1744,45 @@ queue_full: + } + EXPORT_SYMBOL(transport_generic_request_failure); + +-void __target_execute_cmd(struct se_cmd *cmd) ++void __target_execute_cmd(struct se_cmd *cmd, bool do_checks) + { + sense_reason_t ret; + +- if (cmd->execute_cmd) { +- ret = cmd->execute_cmd(cmd); +- if (ret) { +- spin_lock_irq(&cmd->t_state_lock); +- cmd->transport_state &= ~(CMD_T_BUSY|CMD_T_SENT); +- spin_unlock_irq(&cmd->t_state_lock); ++ if (!cmd->execute_cmd) { ++ ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; ++ goto err; ++ } ++ if (do_checks) { ++ /* ++ * Check for an existing UNIT ATTENTION condition after ++ * target_handle_task_attr() has done SAM task attr ++ * checking, and possibly have already defered execution ++ * out to target_restart_delayed_cmds() context. ++ */ ++ ret = target_scsi3_ua_check(cmd); ++ if (ret) ++ goto err; ++ ++ ret = target_alua_state_check(cmd); ++ if (ret) ++ goto err; + +- transport_generic_request_failure(cmd, ret); ++ ret = target_check_reservation(cmd); ++ if (ret) { ++ cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT; ++ goto err; + } + } ++ ++ ret = cmd->execute_cmd(cmd); ++ if (!ret) ++ return; ++err: ++ spin_lock_irq(&cmd->t_state_lock); ++ cmd->transport_state &= ~(CMD_T_BUSY|CMD_T_SENT); ++ spin_unlock_irq(&cmd->t_state_lock); ++ ++ transport_generic_request_failure(cmd, ret); + } + + static int target_write_prot_action(struct se_cmd *cmd) +@@ -1899,7 +1907,7 @@ void target_execute_cmd(struct se_cmd *c + return; + } + +- __target_execute_cmd(cmd); ++ __target_execute_cmd(cmd, true); + } + EXPORT_SYMBOL(target_execute_cmd); + +@@ -1923,7 +1931,7 @@ static void target_restart_delayed_cmds( + list_del(&cmd->se_delayed_node); + spin_unlock(&dev->delayed_cmd_lock); + +- __target_execute_cmd(cmd); ++ __target_execute_cmd(cmd, true); + + if (cmd->sam_task_attr == TCM_ORDERED_TAG) + break; +--- a/include/target/target_core_fabric.h ++++ b/include/target/target_core_fabric.h +@@ -163,7 +163,6 @@ int core_tmr_alloc_req(struct se_cmd *, + void core_tmr_release_req(struct se_tmr_req *); + int transport_generic_handle_tmr(struct se_cmd *); + void transport_generic_request_failure(struct se_cmd *, sense_reason_t); +-void __target_execute_cmd(struct se_cmd *); + int transport_lookup_tmr_lun(struct se_cmd *, u64); + void core_allocate_nexus_loss_ua(struct se_node_acl *acl); + diff --git a/queue-4.7/target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch b/queue-4.7/target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch new file mode 100644 index 00000000000..eb32af713e8 --- /dev/null +++ b/queue-4.7/target-fix-race-between-iscsi-target-connection-shutdown-abort_task.patch @@ -0,0 +1,105 @@ +From 064cdd2d91c2805d788876082f31cc63506f22c3 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 2 Jun 2016 14:56:45 -0700 +Subject: target: Fix race between iscsi-target connection shutdown + ABORT_TASK + +From: Nicholas Bellinger + +commit 064cdd2d91c2805d788876082f31cc63506f22c3 upstream. + +This patch fixes a race in iscsit_release_commands_from_conn() -> +iscsit_free_cmd() -> transport_generic_free_cmd() + wait_for_tasks=1, +where CMD_T_FABRIC_STOP could end up being set after the final +kref_put() is called from core_tmr_abort_task() context. + +This results in transport_generic_free_cmd() blocking indefinately +on se_cmd->cmd_wait_comp, because the target_release_cmd_kref() +check for CMD_T_FABRIC_STOP returns false. + +To address this bug, make iscsit_release_commands_from_conn() +do list_splice and set CMD_T_FABRIC_STOP early while holding +iscsi_conn->cmd_lock. Also make iscsit_aborted_task() only +remove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been +set. + +Finally in target_release_cmd_kref(), only honor fabric_stop +if CMD_T_ABORTED has been set. + +Cc: Mike Christie +Cc: Quinn Tran +Cc: Himanshu Madhani +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Tested-by: Nicholas Bellinger +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target.c | 22 ++++++++++++++++------ + drivers/target/target_core_transport.c | 3 ++- + 2 files changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -492,7 +492,8 @@ void iscsit_aborted_task(struct iscsi_co + bool scsi_cmd = (cmd->iscsi_opcode == ISCSI_OP_SCSI_CMD); + + spin_lock_bh(&conn->cmd_lock); +- if (!list_empty(&cmd->i_conn_node)) ++ if (!list_empty(&cmd->i_conn_node) && ++ !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP)) + list_del_init(&cmd->i_conn_node); + spin_unlock_bh(&conn->cmd_lock); + +@@ -4034,6 +4035,7 @@ int iscsi_target_rx_thread(void *arg) + + static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) + { ++ LIST_HEAD(tmp_list); + struct iscsi_cmd *cmd = NULL, *cmd_tmp = NULL; + struct iscsi_session *sess = conn->sess; + /* +@@ -4042,18 +4044,26 @@ static void iscsit_release_commands_from + * has been reset -> returned sleeping pre-handler state. + */ + spin_lock_bh(&conn->cmd_lock); +- list_for_each_entry_safe(cmd, cmd_tmp, &conn->conn_cmd_list, i_conn_node) { ++ list_splice_init(&conn->conn_cmd_list, &tmp_list); + ++ list_for_each_entry(cmd, &tmp_list, i_conn_node) { ++ struct se_cmd *se_cmd = &cmd->se_cmd; ++ ++ if (se_cmd->se_tfo != NULL) { ++ spin_lock(&se_cmd->t_state_lock); ++ se_cmd->transport_state |= CMD_T_FABRIC_STOP; ++ spin_unlock(&se_cmd->t_state_lock); ++ } ++ } ++ spin_unlock_bh(&conn->cmd_lock); ++ ++ list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) { + list_del_init(&cmd->i_conn_node); +- spin_unlock_bh(&conn->cmd_lock); + + iscsit_increment_maxcmdsn(cmd, sess); +- + iscsit_free_cmd(cmd, true); + +- spin_lock_bh(&conn->cmd_lock); + } +- spin_unlock_bh(&conn->cmd_lock); + } + + static void iscsit_stop_timers_for_cmds( +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2567,7 +2567,8 @@ static void target_release_cmd_kref(stru + spin_lock_irqsave(&se_sess->sess_cmd_lock, flags); + + spin_lock(&se_cmd->t_state_lock); +- fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP); ++ fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP) && ++ (se_cmd->transport_state & CMD_T_ABORTED); + spin_unlock(&se_cmd->t_state_lock); + + if (se_cmd->cmd_wait_set || fabric_stop) { diff --git a/queue-4.7/ubi-fix-early-logging.patch b/queue-4.7/ubi-fix-early-logging.patch new file mode 100644 index 00000000000..bdf901e8e48 --- /dev/null +++ b/queue-4.7/ubi-fix-early-logging.patch @@ -0,0 +1,58 @@ +From bc743f34dfa011e62edd0ea4ae8455be06c083b5 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 4 Jul 2016 22:06:51 +0200 +Subject: ubi: Fix early logging + +From: Richard Weinberger + +commit bc743f34dfa011e62edd0ea4ae8455be06c083b5 upstream. + +We cannot use ubi_* logging functions before the UBI +object is initialized. + +Fixes: 3260870331 ("UBI: Extend UBI layer debug/messaging capabilities") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/build.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -874,7 +874,7 @@ int ubi_attach_mtd_dev(struct mtd_info * + for (i = 0; i < UBI_MAX_DEVICES; i++) { + ubi = ubi_devices[i]; + if (ubi && mtd->index == ubi->mtd->index) { +- ubi_err(ubi, "mtd%d is already attached to ubi%d", ++ pr_err("ubi: mtd%d is already attached to ubi%d", + mtd->index, i); + return -EEXIST; + } +@@ -889,7 +889,7 @@ int ubi_attach_mtd_dev(struct mtd_info * + * no sense to attach emulated MTD devices, so we prohibit this. + */ + if (mtd->type == MTD_UBIVOLUME) { +- ubi_err(ubi, "refuse attaching mtd%d - it is already emulated on top of UBI", ++ pr_err("ubi: refuse attaching mtd%d - it is already emulated on top of UBI", + mtd->index); + return -EINVAL; + } +@@ -900,7 +900,7 @@ int ubi_attach_mtd_dev(struct mtd_info * + if (!ubi_devices[ubi_num]) + break; + if (ubi_num == UBI_MAX_DEVICES) { +- ubi_err(ubi, "only %d UBI devices may be created", ++ pr_err("ubi: only %d UBI devices may be created", + UBI_MAX_DEVICES); + return -ENFILE; + } +@@ -910,7 +910,7 @@ int ubi_attach_mtd_dev(struct mtd_info * + + /* Make sure ubi_num is not busy */ + if (ubi_devices[ubi_num]) { +- ubi_err(ubi, "already exists"); ++ pr_err("ubi: ubi%i already exists", ubi_num); + return -EEXIST; + } + } diff --git a/queue-4.7/ubi-fix-race-condition-between-ubi-device-creation-and-udev.patch b/queue-4.7/ubi-fix-race-condition-between-ubi-device-creation-and-udev.patch new file mode 100644 index 00000000000..d6d7a2cd299 --- /dev/null +++ b/queue-4.7/ubi-fix-race-condition-between-ubi-device-creation-and-udev.patch @@ -0,0 +1,50 @@ +From 714fb87e8bc05ff78255afc0dca981e8c5242785 Mon Sep 17 00:00:00 2001 +From: Iosif Harutyunov +Date: Fri, 22 Jul 2016 23:22:42 +0000 +Subject: ubi: Fix race condition between ubi device creation and udev + +From: Iosif Harutyunov + +commit 714fb87e8bc05ff78255afc0dca981e8c5242785 upstream. + +Install the UBI device object before we arm sysfs. +Otherwise udev tries to read sysfs attributes before UBI is ready and +udev rules will not match. + +Signed-off-by: Iosif Harutyunov +[rw: massaged commit message] +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/build.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -992,6 +992,9 @@ int ubi_attach_mtd_dev(struct mtd_info * + goto out_detach; + } + ++ /* Make device "available" before it becomes accessible via sysfs */ ++ ubi_devices[ubi_num] = ubi; ++ + err = uif_init(ubi, &ref); + if (err) + goto out_detach; +@@ -1036,7 +1039,6 @@ int ubi_attach_mtd_dev(struct mtd_info * + wake_up_process(ubi->bgt_thread); + spin_unlock(&ubi->wl_lock); + +- ubi_devices[ubi_num] = ubi; + ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL); + return ubi_num; + +@@ -1047,6 +1049,7 @@ out_uif: + ubi_assert(ref); + uif_close(ubi); + out_detach: ++ ubi_devices[ubi_num] = NULL; + ubi_wl_close(ubi); + ubi_free_internal_volumes(ubi); + vfree(ubi->vtbl); diff --git a/queue-4.7/ubi-make-volume-resize-power-cut-aware.patch b/queue-4.7/ubi-make-volume-resize-power-cut-aware.patch new file mode 100644 index 00000000000..56016956fe3 --- /dev/null +++ b/queue-4.7/ubi-make-volume-resize-power-cut-aware.patch @@ -0,0 +1,69 @@ +From 4946784bd3924b1374f05eebff2fd68660bae866 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Thu, 23 Jun 2016 19:30:38 +0200 +Subject: ubi: Make volume resize power cut aware + +From: Richard Weinberger + +commit 4946784bd3924b1374f05eebff2fd68660bae866 upstream. + +When the volume resize operation shrinks a volume, +LEBs will be unmapped. Since unmapping will not erase these +LEBs immediately we have to wait for that operation to finish. +Otherwise in case of a power cut right after writing the new +volume table the UBI attach process can find more LEBs than the +volume table knows. This will render the UBI image unattachable. + +Fix this issue by waiting for erase to complete and write the new +volume table afterward. + +Reported-by: Boris Brezillon +Reviewed-by: Boris Brezillon +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/vmt.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/mtd/ubi/vmt.c ++++ b/drivers/mtd/ubi/vmt.c +@@ -488,13 +488,6 @@ int ubi_resize_volume(struct ubi_volume_ + spin_unlock(&ubi->volumes_lock); + } + +- /* Change volume table record */ +- vtbl_rec = ubi->vtbl[vol_id]; +- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); +- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); +- if (err) +- goto out_acc; +- + if (pebs < 0) { + for (i = 0; i < -pebs; i++) { + err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i); +@@ -512,6 +505,24 @@ int ubi_resize_volume(struct ubi_volume_ + spin_unlock(&ubi->volumes_lock); + } + ++ /* ++ * When we shrink a volume we have to flush all pending (erase) work. ++ * Otherwise it can happen that upon next attach UBI finds a LEB with ++ * lnum > highest_lnum and refuses to attach. ++ */ ++ if (pebs < 0) { ++ err = ubi_wl_flush(ubi, vol_id, UBI_ALL); ++ if (err) ++ goto out_acc; ++ } ++ ++ /* Change volume table record */ ++ vtbl_rec = ubi->vtbl[vol_id]; ++ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs); ++ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); ++ if (err) ++ goto out_acc; ++ + vol->reserved_pebs = reserved_pebs; + if (vol->vol_type == UBI_DYNAMIC_VOLUME) { + vol->used_ebs = reserved_pebs; diff --git a/queue-4.7/um-fix-possible-deadlock-in-sig_handler_common.patch b/queue-4.7/um-fix-possible-deadlock-in-sig_handler_common.patch new file mode 100644 index 00000000000..5693f4a5e56 --- /dev/null +++ b/queue-4.7/um-fix-possible-deadlock-in-sig_handler_common.patch @@ -0,0 +1,49 @@ +From 57a05d83b16710aff30510c33768df7ab17e0b4a Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 12 Jun 2016 22:03:16 +0200 +Subject: um: Fix possible deadlock in sig_handler_common() + +From: Richard Weinberger + +commit 57a05d83b16710aff30510c33768df7ab17e0b4a upstream. + +We are in atomic context and must not sleep. +Sleeping here is possible since malloc() maps +to kmalloc() with GFP_KERNEL. + +Fixes: b6024b21 ("um: extend fpstate to _xstate to support YMM registers") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/os-Linux/signal.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/um/os-Linux/signal.c ++++ b/arch/um/os-Linux/signal.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + void (*sig_info[NSIG])(int, struct siginfo *, struct uml_pt_regs *) = { + [SIGTRAP] = relay_signal, +@@ -32,7 +33,7 @@ static void sig_handler_common(int sig, + struct uml_pt_regs *r; + int save_errno = errno; + +- r = malloc(sizeof(struct uml_pt_regs)); ++ r = uml_kmalloc(sizeof(struct uml_pt_regs), UM_GFP_ATOMIC); + if (!r) + panic("out of memory"); + +@@ -91,7 +92,7 @@ static void timer_real_alarm_handler(mco + { + struct uml_pt_regs *regs; + +- regs = malloc(sizeof(struct uml_pt_regs)); ++ regs = uml_kmalloc(sizeof(struct uml_pt_regs), UM_GFP_ATOMIC); + if (!regs) + panic("out of memory"); + diff --git a/queue-4.7/x86-platform-intel_mid_pci-rework-irq0-workaround.patch b/queue-4.7/x86-platform-intel_mid_pci-rework-irq0-workaround.patch new file mode 100644 index 00000000000..9feecd684f4 --- /dev/null +++ b/queue-4.7/x86-platform-intel_mid_pci-rework-irq0-workaround.patch @@ -0,0 +1,69 @@ +From bb27570525a71f48347ed0e0c265063e7952bb61 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 13 Jun 2016 21:28:00 +0300 +Subject: x86/platform/intel_mid_pci: Rework IRQ0 workaround + +From: Andy Shevchenko + +commit bb27570525a71f48347ed0e0c265063e7952bb61 upstream. + +On Intel Merrifield platform several PCI devices have a bogus configuration, +i.e. the IRQ0 had been assigned to few of them. These are PCI root bridge, +eMMC0, HS UART common registers, PWM, and HDMI. The actual interrupt line can +be allocated to one device exclusively, in our case to eMMC0, the rest should +cope without it and basically known drivers for them are not using interrupt +line at all. + +Rework IRQ0 workaround, which was previously done to avoid conflict between +eMMC0 and HS UART common registers, to behave differently based on the device +in question, i.e. allocate interrupt line to eMMC0, but silently skip interrupt +allocation for the rest except HS UART common registers which are not used +anyway. With this rework IOSF MBI driver in particular would be used. + +Signed-off-by: Andy Shevchenko +Acked-by: Thomas Gleixner +Cc: Bjorn Helgaas +Cc: Linus Torvalds +Cc: Peter Zijlstra +Fixes: 39d9b77b8deb ("x86/pci/intel_mid_pci: Work around for IRQ0 assignment") +Link: http://lkml.kernel.org/r/1465842481-136852-1-git-send-email-andriy.shevchenko@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/intel_mid_pci.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/x86/pci/intel_mid_pci.c ++++ b/arch/x86/pci/intel_mid_pci.c +@@ -37,6 +37,7 @@ + + /* Quirks for the listed devices */ + #define PCI_DEVICE_ID_INTEL_MRFL_MMC 0x1190 ++#define PCI_DEVICE_ID_INTEL_MRFL_HSU 0x1191 + + /* Fixed BAR fields */ + #define PCIE_VNDR_CAP_ID_FIXED_BAR 0x00 /* Fixed BAR (TBD) */ +@@ -225,13 +226,20 @@ static int intel_mid_pci_irq_enable(stru + /* Special treatment for IRQ0 */ + if (dev->irq == 0) { + /* ++ * Skip HS UART common registers device since it has ++ * IRQ0 assigned and not used by the kernel. ++ */ ++ if (dev->device == PCI_DEVICE_ID_INTEL_MRFL_HSU) ++ return -EBUSY; ++ /* + * TNG has IRQ0 assigned to eMMC controller. But there + * are also other devices with bogus PCI configuration + * that have IRQ0 assigned. This check ensures that +- * eMMC gets it. ++ * eMMC gets it. The rest of devices still could be ++ * enabled without interrupt line being allocated. + */ + if (dev->device != PCI_DEVICE_ID_INTEL_MRFL_MMC) +- return -EBUSY; ++ return 0; + } + break; + default: