From: Greg Kroah-Hartman Date: Mon, 27 Nov 2017 17:08:02 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.85~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=866778f1c054a3affaa279247683ee5760ddf782;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch i40e-use-smp_rmb-rather-than-read_barrier_depends.patch i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch igb-use-smp_rmb-rather-than-read_barrier_depends.patch igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch ixgbe-fix-skb-list-corruption-on-power-systems.patch ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch media-rc-check-for-integer-overflow.patch media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch media-v4l2-ctrl-fix-flags-field-on-control-events.patch media-venus-fix-wrong-size-on-dma_free.patch media-venus-reimplement-decoder-stop-command.patch media-venus-venc-fix-bytesused-v4l2_plane-field.patch parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch --- diff --git a/queue-4.14/cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch b/queue-4.14/cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch new file mode 100644 index 00000000000..c170b256062 --- /dev/null +++ b/queue-4.14/cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch @@ -0,0 +1,36 @@ +From 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 21 Sep 2017 05:40:18 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref on missing association descriptor + +From: Johan Hovold + +commit 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 upstream. + +Make sure to check that we actually have an Interface Association +Descriptor before dereferencing it during probe to avoid dereferencing a +NULL-pointer. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") +Reported-by: Andrey Konovalov +Signed-off-by: Johan Hovold +Tested-by: Andrey Konovalov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_ + nr = dev->devno; + + assoc_desc = udev->actconfig->intf_assoc[0]; +- if (assoc_desc->bFirstInterface != ifnum) { ++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) { + dev_err(d, "Not found matching IAD interface\n"); + retval = -ENODEV; + goto err_if; diff --git a/queue-4.14/fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..665fd369235 --- /dev/null +++ b/queue-4.14/fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,36 @@ +From 7b8edcc685b5e2c3c37aa13dc50a88e84a5bfef8 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:48 -0600 +Subject: fm10k: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit 7b8edcc685b5e2c3c37aa13dc50a88e84a5bfef8 upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with fm10k as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -1229,7 +1229,7 @@ static bool fm10k_clean_tx_irq(struct fm + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->flags & FM10K_TXD_FLAG_DONE)) diff --git a/queue-4.14/i40e-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/i40e-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..6834333b870 --- /dev/null +++ b/queue-4.14/i40e-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,49 @@ +From 52c6912fde0133981ee50ba08808f257829c4c93 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:44 -0600 +Subject: i40e: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit 52c6912fde0133981ee50ba08808f257829c4c93 upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with i40e as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -3760,7 +3760,7 @@ static bool i40e_clean_fdir_tx_irq(struc + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if the descriptor isn't done, no work yet to do */ + if (!(eop_desc->cmd_type_offset_bsz & +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -759,7 +759,7 @@ static bool i40e_clean_tx_irq(struct i40 + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ diff --git a/queue-4.14/i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..8d181350fe2 --- /dev/null +++ b/queue-4.14/i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,37 @@ +From f72271e2a0ae4277d53c4053f5eed8bb346ba38a Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:49 -0600 +Subject: i40evf: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit f72271e2a0ae4277d53c4053f5eed8bb346ba38a upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with i40evf as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c +@@ -179,7 +179,7 @@ static bool i40e_clean_tx_irq(struct i40 + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* if the descriptor isn't done, no work yet to do */ diff --git a/queue-4.14/igb-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/igb-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..e5c6f1e78b7 --- /dev/null +++ b/queue-4.14/igb-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,37 @@ +From c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:47 -0600 +Subject: igb: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28 upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with igb as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6970,7 +6970,7 @@ static bool igb_clean_tx_irq(struct igb_ + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD))) diff --git a/queue-4.14/igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..8c79b44c077 --- /dev/null +++ b/queue-4.14/igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,37 @@ +From 1e1f9ca546556e508d021545861f6b5fc75a95fe Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:46 -0600 +Subject: igbvf: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit 1e1f9ca546556e508d021545861f6b5fc75a95fe upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with igbvf as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igbvf/netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igbvf/netdev.c ++++ b/drivers/net/ethernet/intel/igbvf/netdev.c +@@ -810,7 +810,7 @@ static bool igbvf_clean_tx_irq(struct ig + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD))) diff --git a/queue-4.14/ixgbe-fix-skb-list-corruption-on-power-systems.patch b/queue-4.14/ixgbe-fix-skb-list-corruption-on-power-systems.patch new file mode 100644 index 00000000000..fc2b1557e01 --- /dev/null +++ b/queue-4.14/ixgbe-fix-skb-list-corruption-on-power-systems.patch @@ -0,0 +1,49 @@ +From 0a9a17e3bb4564caf4bfe2a6783ae1287667d188 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:43 -0600 +Subject: ixgbe: Fix skb list corruption on Power systems + +From: Brian King + +commit 0a9a17e3bb4564caf4bfe2a6783ae1287667d188 upstream. + +This patch fixes an issue seen on Power systems with ixgbe which results +in skb list corruption and an eventual kernel oops. The following is what +was observed: + +CPU 1 CPU2 +============================ ============================ +1: ixgbe_xmit_frame_ring ixgbe_clean_tx_irq +2: first->skb = skb eop_desc = tx_buffer->next_to_watch +3: ixgbe_tx_map read_barrier_depends() +4: wmb check adapter written status bit +5: first->next_to_watch = tx_desc napi_consume_skb(tx_buffer->skb ..); +6: writel(i, tx_ring->tail); + +The read_barrier_depends is insufficient to ensure that tx_buffer->skb does not +get loaded prior to tx_buffer->next_to_watch, which then results in loading +a stale skb pointer. This patch replaces the read_barrier_depends with +smp_rmb to ensure loads are ordered with respect to the load of +tx_buffer->next_to_watch. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -1192,7 +1192,7 @@ static bool ixgbe_clean_tx_irq(struct ix + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD))) diff --git a/queue-4.14/ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch b/queue-4.14/ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch new file mode 100644 index 00000000000..214f8caa9de --- /dev/null +++ b/queue-4.14/ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch @@ -0,0 +1,37 @@ +From ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 17 Nov 2017 11:05:45 -0600 +Subject: ixgbevf: Use smp_rmb rather than read_barrier_depends + +From: Brian King + +commit ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b upstream. + +The original issue being fixed in this patch was seen with the ixgbe +driver, but the same issue exists with ixgbevf as well, as the code is +very similar. read_barrier_depends is not sufficient to ensure +loads following it are not speculatively loaded out of order +by the CPU, which can result in stale data being loaded, causing +potential system crashes. + +Signed-off-by: Brian King +Acked-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -326,7 +326,7 @@ static bool ixgbevf_clean_tx_irq(struct + break; + + /* prevent any other reads prior to eop_desc */ +- read_barrier_depends(); ++ smp_rmb(); + + /* if DD is not set pending work has not been completed */ + if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD))) diff --git a/queue-4.14/media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch b/queue-4.14/media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch new file mode 100644 index 00000000000..cb7b4dbec22 --- /dev/null +++ b/queue-4.14/media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch @@ -0,0 +1,166 @@ +From b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 Mon Sep 17 00:00:00 2001 +From: Michele Baldessari +Date: Mon, 6 Nov 2017 08:50:22 -0500 +Subject: media: Don't do DMA on stack for firmware upload in the AS102 driver + +From: Michele Baldessari + +commit b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 upstream. + +Firmware load on AS102 is using the stack which is not allowed any +longer. We currently fail with: + +kernel: transfer buffer not dma capable +kernel: ------------[ cut here ]------------ +kernel: WARNING: CPU: 0 PID: 598 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x41d/0x620 +kernel: Modules linked in: amd64_edac_mod(-) edac_mce_amd as102_fe dvb_as102(+) kvm_amd kvm snd_hda_codec_realtek dvb_core snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul crc32_pclmul snd_hda_core snd_hwdep snd_seq ghash_clmulni_intel sp5100_tco fam15h_power wmi k10temp i2c_piix4 snd_seq_device snd_pcm snd_timer parport_pc parport tpm_infineon snd tpm_tis soundcore tpm_tis_core tpm shpchp acpi_cpufreq xfs libcrc32c amdgpu amdkfd amd_iommu_v2 radeon hid_logitech_hidpp i2c_algo_bit drm_kms_helper crc32c_intel ttm drm r8169 mii hid_logitech_dj +kernel: CPU: 0 PID: 598 Comm: systemd-udevd Not tainted 4.13.10-200.fc26.x86_64 #1 +kernel: Hardware name: ASUS All Series/AM1I-A, BIOS 0505 03/13/2014 +kernel: task: ffff979933b24c80 task.stack: ffffaf83413a4000 +kernel: RIP: 0010:usb_hcd_map_urb_for_dma+0x41d/0x620 +systemd-fsck[659]: /dev/sda2: clean, 49/128016 files, 268609/512000 blocks +kernel: RSP: 0018:ffffaf83413a7728 EFLAGS: 00010282 +systemd-udevd[604]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. +kernel: RAX: 000000000000001f RBX: ffff979930bce780 RCX: 0000000000000000 +kernel: RDX: 0000000000000000 RSI: ffff97993ec0e118 RDI: ffff97993ec0e118 +kernel: RBP: ffffaf83413a7768 R08: 000000000000039a R09: 0000000000000000 +kernel: R10: 0000000000000001 R11: 00000000ffffffff R12: 00000000fffffff5 +kernel: R13: 0000000001400000 R14: 0000000000000001 R15: ffff979930806800 +kernel: FS: 00007effaca5c8c0(0000) GS:ffff97993ec00000(0000) knlGS:0000000000000000 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: 00007effa9fca962 CR3: 0000000233089000 CR4: 00000000000406f0 +kernel: Call Trace: +kernel: usb_hcd_submit_urb+0x493/0xb40 +kernel: ? page_cache_tree_insert+0x100/0x100 +kernel: ? xfs_iunlock+0xd5/0x100 [xfs] +kernel: ? xfs_file_buffered_aio_read+0x57/0xc0 [xfs] +kernel: usb_submit_urb+0x22d/0x560 +kernel: usb_start_wait_urb+0x6e/0x180 +kernel: usb_bulk_msg+0xb8/0x160 +kernel: as102_send_ep1+0x49/0xe0 [dvb_as102] +kernel: ? devres_add+0x3f/0x50 +kernel: as102_firmware_upload.isra.0+0x1dc/0x210 [dvb_as102] +kernel: as102_fw_upload+0xb6/0x1f0 [dvb_as102] +kernel: as102_dvb_register+0x2af/0x2d0 [dvb_as102] +kernel: as102_usb_probe+0x1f3/0x260 [dvb_as102] +kernel: usb_probe_interface+0x124/0x300 +kernel: driver_probe_device+0x2ff/0x450 +kernel: __driver_attach+0xa4/0xe0 +kernel: ? driver_probe_device+0x450/0x450 +kernel: bus_for_each_dev+0x6e/0xb0 +kernel: driver_attach+0x1e/0x20 +kernel: bus_add_driver+0x1c7/0x270 +kernel: driver_register+0x60/0xe0 +kernel: usb_register_driver+0x81/0x150 +kernel: ? 0xffffffffc0807000 +kernel: as102_usb_driver_init+0x1e/0x1000 [dvb_as102] +kernel: do_one_initcall+0x50/0x190 +kernel: ? __vunmap+0x81/0xb0 +kernel: ? kfree+0x154/0x170 +kernel: ? kmem_cache_alloc_trace+0x15f/0x1c0 +kernel: ? do_init_module+0x27/0x1e9 +kernel: do_init_module+0x5f/0x1e9 +kernel: load_module+0x2602/0x2c30 +kernel: SYSC_init_module+0x170/0x1a0 +kernel: ? SYSC_init_module+0x170/0x1a0 +kernel: SyS_init_module+0xe/0x10 +kernel: do_syscall_64+0x67/0x140 +kernel: entry_SYSCALL64_slow_path+0x25/0x25 +kernel: RIP: 0033:0x7effab6cf3ea +kernel: RSP: 002b:00007fff5cfcbbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000af +kernel: RAX: ffffffffffffffda RBX: 00005569e0b83760 RCX: 00007effab6cf3ea +kernel: RDX: 00007effac2099c5 RSI: 0000000000009a13 RDI: 00005569e0b98c50 +kernel: RBP: 00007effac2099c5 R08: 00005569e0b83ed0 R09: 0000000000001d80 +kernel: R10: 00007effab98db00 R11: 0000000000000246 R12: 00005569e0b98c50 +kernel: R13: 00005569e0b81c60 R14: 0000000000020000 R15: 00005569dfadfdf7 +kernel: Code: 48 39 c8 73 30 80 3d 59 60 9d 00 00 41 bc f5 ff ff ff 0f 85 26 ff ff ff 48 c7 c7 b8 6b d0 92 c6 05 3f 60 9d 00 01 e8 24 3d ad ff <0f> ff 8b 53 64 e9 09 ff ff ff 65 48 8b 0c 25 00 d3 00 00 48 8b +kernel: ---[ end trace c4cae366180e70ec ]--- +kernel: as10x_usb: error during firmware upload part1 + +Let's allocate the the structure dynamically so we can get the firmware +loaded correctly: +[ 14.243057] as10x_usb: firmware: as102_data1_st.hex loaded with success +[ 14.500777] as10x_usb: firmware: as102_data2_st.hex loaded with success + +Signed-off-by: Michele Baldessari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/as102/as102_fw.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/media/usb/as102/as102_fw.c ++++ b/drivers/media/usb/as102/as102_fw.c +@@ -101,18 +101,23 @@ static int as102_firmware_upload(struct + unsigned char *cmd, + const struct firmware *firmware) { + +- struct as10x_fw_pkt_t fw_pkt; ++ struct as10x_fw_pkt_t *fw_pkt; + int total_read_bytes = 0, errno = 0; + unsigned char addr_has_changed = 0; + ++ fw_pkt = kmalloc(sizeof(*fw_pkt), GFP_KERNEL); ++ if (!fw_pkt) ++ return -ENOMEM; ++ ++ + for (total_read_bytes = 0; total_read_bytes < firmware->size; ) { + int read_bytes = 0, data_len = 0; + + /* parse intel hex line */ + read_bytes = parse_hex_line( + (u8 *) (firmware->data + total_read_bytes), +- fw_pkt.raw.address, +- fw_pkt.raw.data, ++ fw_pkt->raw.address, ++ fw_pkt->raw.data, + &data_len, + &addr_has_changed); + +@@ -122,28 +127,28 @@ static int as102_firmware_upload(struct + /* detect the end of file */ + total_read_bytes += read_bytes; + if (total_read_bytes == firmware->size) { +- fw_pkt.u.request[0] = 0x00; +- fw_pkt.u.request[1] = 0x03; ++ fw_pkt->u.request[0] = 0x00; ++ fw_pkt->u.request[1] = 0x03; + + /* send EOF command */ + errno = bus_adap->ops->upload_fw_pkt(bus_adap, + (uint8_t *) +- &fw_pkt, 2, 0); ++ fw_pkt, 2, 0); + if (errno < 0) + goto error; + } else { + if (!addr_has_changed) { + /* prepare command to send */ +- fw_pkt.u.request[0] = 0x00; +- fw_pkt.u.request[1] = 0x01; ++ fw_pkt->u.request[0] = 0x00; ++ fw_pkt->u.request[1] = 0x01; + +- data_len += sizeof(fw_pkt.u.request); +- data_len += sizeof(fw_pkt.raw.address); ++ data_len += sizeof(fw_pkt->u.request); ++ data_len += sizeof(fw_pkt->raw.address); + + /* send cmd to device */ + errno = bus_adap->ops->upload_fw_pkt(bus_adap, + (uint8_t *) +- &fw_pkt, ++ fw_pkt, + data_len, + 0); + if (errno < 0) +@@ -152,6 +157,7 @@ static int as102_firmware_upload(struct + } + } + error: ++ kfree(fw_pkt); + return (errno == 0) ? total_read_bytes : errno; + } + diff --git a/queue-4.14/media-rc-check-for-integer-overflow.patch b/queue-4.14/media-rc-check-for-integer-overflow.patch new file mode 100644 index 00000000000..bc8d0fdb5c7 --- /dev/null +++ b/queue-4.14/media-rc-check-for-integer-overflow.patch @@ -0,0 +1,40 @@ +From 3e45067f94bbd61dec0619b1c32744eb0de480c8 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 8 Oct 2017 14:18:52 -0400 +Subject: media: rc: check for integer overflow + +From: Sean Young + +commit 3e45067f94bbd61dec0619b1c32744eb0de480c8 upstream. + +The ioctl LIRC_SET_REC_TIMEOUT would set a timeout of 704ns if called +with a timeout of 4294968us. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/ir-lirc-codec.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/media/rc/ir-lirc-codec.c ++++ b/drivers/media/rc/ir-lirc-codec.c +@@ -298,11 +298,14 @@ static long ir_lirc_ioctl(struct file *f + if (!dev->max_timeout) + return -ENOTTY; + ++ /* Check for multiply overflow */ ++ if (val > U32_MAX / 1000) ++ return -EINVAL; ++ + tmp = val * 1000; + +- if (tmp < dev->min_timeout || +- tmp > dev->max_timeout) +- return -EINVAL; ++ if (tmp < dev->min_timeout || tmp > dev->max_timeout) ++ return -EINVAL; + + if (dev->s_timeout) + ret = dev->s_timeout(dev, tmp); diff --git a/queue-4.14/media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch b/queue-4.14/media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch new file mode 100644 index 00000000000..59b74bb97fd --- /dev/null +++ b/queue-4.14/media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch @@ -0,0 +1,71 @@ +From 829bbf268894d0866bb9dd2b1e430cfa5c5f0779 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 1 Oct 2017 16:38:29 -0400 +Subject: media: rc: nec decoder should not send both repeat and keycode + +From: Sean Young + +commit 829bbf268894d0866bb9dd2b1e430cfa5c5f0779 upstream. + +When receiving an nec repeat, rc_repeat() is called and then rc_keydown() +with the last decoded scancode. That last call is redundant. + +Fixes: 265a2988d202 ("media: rc-core: consistent use of rc_repeat()") + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/ir-nec-decoder.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +--- a/drivers/media/rc/ir-nec-decoder.c ++++ b/drivers/media/rc/ir-nec-decoder.c +@@ -87,8 +87,6 @@ static int ir_nec_decode(struct rc_dev * + data->state = STATE_BIT_PULSE; + return 0; + } else if (eq_margin(ev.duration, NEC_REPEAT_SPACE, NEC_UNIT / 2)) { +- rc_repeat(dev); +- IR_dprintk(1, "Repeat last key\n"); + data->state = STATE_TRAILER_PULSE; + return 0; + } +@@ -151,19 +149,26 @@ static int ir_nec_decode(struct rc_dev * + if (!geq_margin(ev.duration, NEC_TRAILER_SPACE, NEC_UNIT / 2)) + break; + +- address = bitrev8((data->bits >> 24) & 0xff); +- not_address = bitrev8((data->bits >> 16) & 0xff); +- command = bitrev8((data->bits >> 8) & 0xff); +- not_command = bitrev8((data->bits >> 0) & 0xff); +- +- scancode = ir_nec_bytes_to_scancode(address, not_address, +- command, not_command, +- &rc_proto); ++ if (data->count == NEC_NBITS) { ++ address = bitrev8((data->bits >> 24) & 0xff); ++ not_address = bitrev8((data->bits >> 16) & 0xff); ++ command = bitrev8((data->bits >> 8) & 0xff); ++ not_command = bitrev8((data->bits >> 0) & 0xff); ++ ++ scancode = ir_nec_bytes_to_scancode(address, ++ not_address, ++ command, ++ not_command, ++ &rc_proto); ++ ++ if (data->is_nec_x) ++ data->necx_repeat = true; + +- if (data->is_nec_x) +- data->necx_repeat = true; ++ rc_keydown(dev, rc_proto, scancode, 0); ++ } else { ++ rc_repeat(dev); ++ } + +- rc_keydown(dev, rc_proto, scancode, 0); + data->state = STATE_INACTIVE; + return 0; + } diff --git a/queue-4.14/media-v4l2-ctrl-fix-flags-field-on-control-events.patch b/queue-4.14/media-v4l2-ctrl-fix-flags-field-on-control-events.patch new file mode 100644 index 00000000000..bb5762cfcae --- /dev/null +++ b/queue-4.14/media-v4l2-ctrl-fix-flags-field-on-control-events.patch @@ -0,0 +1,67 @@ +From 9cac9d2fb2fe0e0cadacdb94415b3fe49e3f724f Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Tue, 17 Oct 2017 11:48:50 -0400 +Subject: media: v4l2-ctrl: Fix flags field on Control events + +From: Ricardo Ribalda Delgado + +commit 9cac9d2fb2fe0e0cadacdb94415b3fe49e3f724f upstream. + +VIDIOC_DQEVENT and VIDIOC_QUERY_EXT_CTRL should give the same output for +the control flags field. + +This patch creates a new function user_flags(), that calculates the user +exported flags value (which is different than the kernel internal flags +structure). This function is then used by all the code that exports the +internal flags to userspace. + +Reported-by: Dimitrios Katsaros +Signed-off-by: Ricardo Ribalda Delgado +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -1227,6 +1227,16 @@ void v4l2_ctrl_fill(u32 id, const char * + } + EXPORT_SYMBOL(v4l2_ctrl_fill); + ++static u32 user_flags(const struct v4l2_ctrl *ctrl) ++{ ++ u32 flags = ctrl->flags; ++ ++ if (ctrl->is_ptr) ++ flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD; ++ ++ return flags; ++} ++ + static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes) + { + memset(ev->reserved, 0, sizeof(ev->reserved)); +@@ -1234,7 +1244,7 @@ static void fill_event(struct v4l2_event + ev->id = ctrl->id; + ev->u.ctrl.changes = changes; + ev->u.ctrl.type = ctrl->type; +- ev->u.ctrl.flags = ctrl->flags; ++ ev->u.ctrl.flags = user_flags(ctrl); + if (ctrl->is_ptr) + ev->u.ctrl.value64 = 0; + else +@@ -2577,10 +2587,8 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl + else + qc->id = ctrl->id; + strlcpy(qc->name, ctrl->name, sizeof(qc->name)); +- qc->flags = ctrl->flags; ++ qc->flags = user_flags(ctrl); + qc->type = ctrl->type; +- if (ctrl->is_ptr) +- qc->flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD; + qc->elem_size = ctrl->elem_size; + qc->elems = ctrl->elems; + qc->nr_of_dims = ctrl->nr_of_dims; diff --git a/queue-4.14/media-venus-fix-wrong-size-on-dma_free.patch b/queue-4.14/media-venus-fix-wrong-size-on-dma_free.patch new file mode 100644 index 00000000000..0a2008c85a0 --- /dev/null +++ b/queue-4.14/media-venus-fix-wrong-size-on-dma_free.patch @@ -0,0 +1,56 @@ +From cd1a77e3c9cc6dbb57f02aa50e1740fc144d2dad Mon Sep 17 00:00:00 2001 +From: Stanimir Varbanov +Date: Mon, 9 Oct 2017 14:24:57 +0200 +Subject: media: venus: fix wrong size on dma_free + +From: Stanimir Varbanov + +commit cd1a77e3c9cc6dbb57f02aa50e1740fc144d2dad upstream. + +This change will fix an issue with dma_free size found with +DMA API debug enabled. + +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -344,7 +344,7 @@ static int venus_alloc(struct venus_hfi_ + desc->attrs = DMA_ATTR_WRITE_COMBINE; + desc->size = ALIGN(size, SZ_4K); + +- desc->kva = dma_alloc_attrs(dev, size, &desc->da, GFP_KERNEL, ++ desc->kva = dma_alloc_attrs(dev, desc->size, &desc->da, GFP_KERNEL, + desc->attrs); + if (!desc->kva) + return -ENOMEM; +@@ -710,10 +710,8 @@ static int venus_interface_queues_init(s + if (ret) + return ret; + +- hdev->ifaceq_table.kva = desc.kva; +- hdev->ifaceq_table.da = desc.da; +- hdev->ifaceq_table.size = IFACEQ_TABLE_SIZE; +- offset = hdev->ifaceq_table.size; ++ hdev->ifaceq_table = desc; ++ offset = IFACEQ_TABLE_SIZE; + + for (i = 0; i < IFACEQ_NUM; i++) { + queue = &hdev->queues[i]; +@@ -755,9 +753,7 @@ static int venus_interface_queues_init(s + if (ret) { + hdev->sfr.da = 0; + } else { +- hdev->sfr.da = desc.da; +- hdev->sfr.kva = desc.kva; +- hdev->sfr.size = ALIGNED_SFR_SIZE; ++ hdev->sfr = desc; + sfr = hdev->sfr.kva; + sfr->buf_size = ALIGNED_SFR_SIZE; + } diff --git a/queue-4.14/media-venus-reimplement-decoder-stop-command.patch b/queue-4.14/media-venus-reimplement-decoder-stop-command.patch new file mode 100644 index 00000000000..1bc659941f4 --- /dev/null +++ b/queue-4.14/media-venus-reimplement-decoder-stop-command.patch @@ -0,0 +1,149 @@ +From e69b987a97599456b95b5fef4aca8dcdb1505aea Mon Sep 17 00:00:00 2001 +From: Stanimir Varbanov +Date: Fri, 13 Oct 2017 16:13:17 +0200 +Subject: media: venus: reimplement decoder stop command + +From: Stanimir Varbanov + +commit e69b987a97599456b95b5fef4aca8dcdb1505aea upstream. + +This addresses the wrong behavior of decoder stop command by +rewriting it. These new implementation enqueue an empty buffer +on the decoder input buffer queue to signal end-of-stream. The +client should stop queuing buffers on the V4L2 Output queue +and continue queuing/dequeuing buffers on Capture queue. This +process will continue until the client receives a buffer with +V4L2_BUF_FLAG_LAST flag raised, which means that this is last +decoded buffer with data. + +Signed-off-by: Stanimir Varbanov +Tested-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/qcom/venus/core.h | 2 - + drivers/media/platform/qcom/venus/helpers.c | 7 ----- + drivers/media/platform/qcom/venus/hfi.c | 1 + drivers/media/platform/qcom/venus/vdec.c | 34 ++++++++++++++++++---------- + 4 files changed, 24 insertions(+), 20 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.h ++++ b/drivers/media/platform/qcom/venus/core.h +@@ -194,7 +194,6 @@ struct venus_buffer { + * @fh: a holder of v4l file handle structure + * @streamon_cap: stream on flag for capture queue + * @streamon_out: stream on flag for output queue +- * @cmd_stop: a flag to signal encoder/decoder commands + * @width: current capture width + * @height: current capture height + * @out_width: current output width +@@ -258,7 +257,6 @@ struct venus_inst { + } controls; + struct v4l2_fh fh; + unsigned int streamon_cap, streamon_out; +- bool cmd_stop; + u32 width; + u32 height; + u32 out_width; +--- a/drivers/media/platform/qcom/venus/helpers.c ++++ b/drivers/media/platform/qcom/venus/helpers.c +@@ -623,13 +623,6 @@ void venus_helper_vb2_buf_queue(struct v + + mutex_lock(&inst->lock); + +- if (inst->cmd_stop) { +- vbuf->flags |= V4L2_BUF_FLAG_LAST; +- v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE); +- inst->cmd_stop = false; +- goto unlock; +- } +- + v4l2_m2m_buf_queue(m2m_ctx, vbuf); + + if (!(inst->streamon_out & inst->streamon_cap)) +--- a/drivers/media/platform/qcom/venus/hfi.c ++++ b/drivers/media/platform/qcom/venus/hfi.c +@@ -484,6 +484,7 @@ int hfi_session_process_buf(struct venus + + return -EINVAL; + } ++EXPORT_SYMBOL_GPL(hfi_session_process_buf); + + irqreturn_t hfi_isr_thread(int irq, void *dev_id) + { +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -469,8 +469,14 @@ static int vdec_subscribe_event(struct v + static int + vdec_try_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd) + { +- if (cmd->cmd != V4L2_DEC_CMD_STOP) ++ switch (cmd->cmd) { ++ case V4L2_DEC_CMD_STOP: ++ if (cmd->flags & V4L2_DEC_CMD_STOP_TO_BLACK) ++ return -EINVAL; ++ break; ++ default: + return -EINVAL; ++ } + + return 0; + } +@@ -479,6 +485,7 @@ static int + vdec_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd) + { + struct venus_inst *inst = to_inst(file); ++ struct hfi_frame_data fdata = {0}; + int ret; + + ret = vdec_try_decoder_cmd(file, fh, cmd); +@@ -486,12 +493,23 @@ vdec_decoder_cmd(struct file *file, void + return ret; + + mutex_lock(&inst->lock); +- inst->cmd_stop = true; +- mutex_unlock(&inst->lock); + +- hfi_session_flush(inst); ++ /* ++ * Implement V4L2_DEC_CMD_STOP by enqueue an empty buffer on decoder ++ * input to signal EOS. ++ */ ++ if (!(inst->streamon_out & inst->streamon_cap)) ++ goto unlock; ++ ++ fdata.buffer_type = HFI_BUFFER_INPUT; ++ fdata.flags |= HFI_BUFFERFLAG_EOS; ++ fdata.device_addr = 0xdeadbeef; + +- return 0; ++ ret = hfi_session_process_buf(inst, &fdata); ++ ++unlock: ++ mutex_unlock(&inst->lock); ++ return ret; + } + + static const struct v4l2_ioctl_ops vdec_ioctl_ops = { +@@ -718,7 +736,6 @@ static int vdec_start_streaming(struct v + inst->reconfig = false; + inst->sequence_cap = 0; + inst->sequence_out = 0; +- inst->cmd_stop = false; + + ret = vdec_init_session(inst); + if (ret) +@@ -807,11 +824,6 @@ static void vdec_buf_done(struct venus_i + vb->timestamp = timestamp_us * NSEC_PER_USEC; + vbuf->sequence = inst->sequence_cap++; + +- if (inst->cmd_stop) { +- vbuf->flags |= V4L2_BUF_FLAG_LAST; +- inst->cmd_stop = false; +- } +- + if (vbuf->flags & V4L2_BUF_FLAG_LAST) { + const struct v4l2_event ev = { .type = V4L2_EVENT_EOS }; + diff --git a/queue-4.14/media-venus-venc-fix-bytesused-v4l2_plane-field.patch b/queue-4.14/media-venus-venc-fix-bytesused-v4l2_plane-field.patch new file mode 100644 index 00000000000..8fdd9ccf616 --- /dev/null +++ b/queue-4.14/media-venus-venc-fix-bytesused-v4l2_plane-field.patch @@ -0,0 +1,41 @@ +From 5232c37ce244db04fd50d160b92e40d2df46a2e9 Mon Sep 17 00:00:00 2001 +From: Stanimir Varbanov +Date: Tue, 10 Oct 2017 09:52:36 +0200 +Subject: media: venus: venc: fix bytesused v4l2_plane field + +From: Stanimir Varbanov + +commit 5232c37ce244db04fd50d160b92e40d2df46a2e9 upstream. + +This fixes wrongly filled bytesused field of v4l2_plane structure +by include data_offset in the plane, Also fill data_offset and +bytesused for capture type of buffers only. + +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/qcom/venus/venc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/venus/venc.c ++++ b/drivers/media/platform/qcom/venus/venc.c +@@ -963,13 +963,12 @@ static void venc_buf_done(struct venus_i + if (!vbuf) + return; + +- vb = &vbuf->vb2_buf; +- vb->planes[0].bytesused = bytesused; +- vb->planes[0].data_offset = data_offset; +- + vbuf->flags = flags; + + if (type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { ++ vb = &vbuf->vb2_buf; ++ vb2_set_plane_payload(vb, 0, bytesused + data_offset); ++ vb->planes[0].data_offset = data_offset; + vb->timestamp = timestamp_us * NSEC_PER_USEC; + vbuf->sequence = inst->sequence_cap++; + } else { diff --git a/queue-4.14/parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch b/queue-4.14/parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch new file mode 100644 index 00000000000..025ec81a637 --- /dev/null +++ b/queue-4.14/parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch @@ -0,0 +1,54 @@ +From 05f016d2ca7a4fab99d5d5472168506ddf95e74f Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Sat, 11 Nov 2017 17:11:16 -0500 +Subject: parisc: Fix validity check of pointer size argument in new CAS implementation + +From: John David Anglin + +commit 05f016d2ca7a4fab99d5d5472168506ddf95e74f upstream. + +As noted by Christoph Biedl, passing a pointer size of 4 in the new CAS +implementation causes a kernel crash. The attached patch corrects the +off by one error in the argument validity check. + +In reviewing the code, I noticed that we only perform word operations +with the pointer size argument. The subi instruction intentionally uses +a word condition on 64-bit kernels. Nullification was used instead of a +cmpib instruction as the branch should never be taken. The shlw +pseudo-operation generates a depw,z instruction and it clears the target +before doing a shift left word deposit. Thus, we don't need to clip the +upper 32 bits of this argument on 64-bit kernels. + +Tested with a gcc testsuite run with a 64-bit kernel. The gcc atomic +code in libgcc is the only direct user of the new CAS implementation +that I am aware of. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/syscall.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -690,15 +690,15 @@ cas_action: + /* ELF32 Process entry path */ + lws_compare_and_swap_2: + #ifdef CONFIG_64BIT +- /* Clip the input registers */ ++ /* Clip the input registers. We don't need to clip %r23 as we ++ only use it for word operations */ + depdi 0, 31, 32, %r26 + depdi 0, 31, 32, %r25 + depdi 0, 31, 32, %r24 +- depdi 0, 31, 32, %r23 + #endif + + /* Check the validity of the size pointer */ +- subi,>>= 4, %r23, %r0 ++ subi,>>= 3, %r23, %r0 + b,n lws_exit_nosys + + /* Jump to the functions which will load the old and new values into diff --git a/queue-4.14/powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch b/queue-4.14/powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch new file mode 100644 index 00000000000..afd04442581 --- /dev/null +++ b/queue-4.14/powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch @@ -0,0 +1,59 @@ +From 475b581ff57bc01437cbc680e281869918447763 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 14 Nov 2017 15:48:47 +1100 +Subject: powerpc/64s: Fix masking of SRR1 bits on instruction fault + +From: Michael Ellerman + +commit 475b581ff57bc01437cbc680e281869918447763 upstream. + +On 64-bit Book3s, when we take an instruction fault the reason for the +fault may be reported in SRR1. For data faults the reason is reported +in DSISR (Data Storage Instruction Status Register). + +The reasons reported in each do not necessarily correspond, so we mask +the SRR1 bits before copying them to the DSISR, which is then used by +the page fault code. + +Prior to commit b4c001dc44f0 ("powerpc/mm: Use symbolic constants for +filtering SRR1 bits on ISIs") we used a hard-coded mask of 0x58200000, +which corresponds to: + + DSISR_NOHPTE 0x40000000 /* no translation found */ + DSISR_NOEXEC_OR_G 0x10000000 /* exec of no-exec or guarded */ + DSISR_PROTFAULT 0x08000000 /* protection fault */ + DSISR_KEYFAULT 0x00200000 /* Storage Key fault */ + +That commit added a #define for the mask, DSISR_SRR1_MATCH_64S, but +incorrectly used a different similarly named DSISR_BAD_FAULT_64S. + +This had the effect of changing the mask to 0xa43a0000, which omits +everything but DSISR_KEYFAULT. + +Luckily this had no visible effect, because in practice we hardly use +the DSISR bits. The lack of DSISR_NOHPTE means a TLB flush +optimisation was missed in the native HPTE code, and DSISR_NOEXEC_OR_G +and DSISR_PROTFAULT are both only used to trigger rare warnings. + +So we got lucky, but let's fix it. The new value only has bits between +17 and 30 set, so we can continue to use andis. + +Fixes: b4c001dc44f0 ("powerpc/mm: Use symbolic constants for filtering SRR1 bits on ISIs") +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/exceptions-64s.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -542,7 +542,7 @@ EXC_COMMON_BEGIN(instruction_access_comm + RECONCILE_IRQ_STATE(r10, r11) + ld r12,_MSR(r1) + ld r3,_NIP(r1) +- andis. r4,r12,DSISR_BAD_FAULT_64S@h ++ andis. r4,r12,DSISR_SRR1_MATCH_64S@h + li r5,0x400 + std r3,_DAR(r1) + std r4,_DSISR(r1) diff --git a/queue-4.14/powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch b/queue-4.14/powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch new file mode 100644 index 00000000000..f0f7afca478 --- /dev/null +++ b/queue-4.14/powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch @@ -0,0 +1,35 @@ +From 35602f82d0c765f991420e319c8d3a596c921eb8 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 10 Nov 2017 04:27:38 +1100 +Subject: powerpc/64s/hash: Allow MAP_FIXED allocations to cross 128TB boundary + +From: Nicholas Piggin + +commit 35602f82d0c765f991420e319c8d3a596c921eb8 upstream. + +While mapping hints with a length that cross 128TB are disallowed, +MAP_FIXED allocations that cross 128TB are allowed. These are failing +on hash (on radix they succeed). Add an additional case for fixed +mappings to expand the addr_limit when crossing 128TB. + +Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB") +Signed-off-by: Nicholas Piggin +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slice.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -418,7 +418,7 @@ unsigned long slice_get_unmapped_area(un + unsigned long high_limit; + + high_limit = DEFAULT_MAP_WINDOW; +- if (addr >= high_limit) ++ if (addr >= high_limit || (fixed && (addr + len > high_limit))) + high_limit = TASK_SIZE; + + if (len > high_limit) diff --git a/queue-4.14/powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch b/queue-4.14/powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch new file mode 100644 index 00000000000..4805de432fa --- /dev/null +++ b/queue-4.14/powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch @@ -0,0 +1,126 @@ +From 6a72dc038b615229a1b285829d6c8378d15c2347 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 10 Nov 2017 04:27:36 +1100 +Subject: powerpc/64s/hash: Fix 128TB-512TB virtual address boundary case allocation + +From: Nicholas Piggin + +commit 6a72dc038b615229a1b285829d6c8378d15c2347 upstream. + +When allocating VA space with a hint that crosses 128TB, the SLB +addr_limit variable is not expanded if addr is not > 128TB, but the +slice allocation looks at task_size, which is 512TB. This results in +slice_check_fit() incorrectly succeeding because the slice_count +truncates off bit 128 of the requested mask, so the comparison to the +available mask succeeds. + +Fix this by using mm->context.addr_limit instead of mm->task_size for +testing allocation limits. This causes such allocations to fail. + +Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB") +Reported-by: Florian Weimer +Signed-off-by: Nicholas Piggin +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slice.c | 50 +++++++++++++++++++++++------------------------- + 1 file changed, 24 insertions(+), 26 deletions(-) + +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -96,7 +96,7 @@ static int slice_area_is_free(struct mm_ + { + struct vm_area_struct *vma; + +- if ((mm->task_size - len) < addr) ++ if ((mm->context.addr_limit - len) < addr) + return 0; + vma = find_vma(mm, addr); + return (!vma || (addr + len) <= vm_start_gap(vma)); +@@ -133,7 +133,7 @@ static void slice_mask_for_free(struct m + if (!slice_low_has_vma(mm, i)) + ret->low_slices |= 1u << i; + +- if (mm->task_size <= SLICE_LOW_TOP) ++ if (mm->context.addr_limit <= SLICE_LOW_TOP) + return; + + for (i = 0; i < GET_HIGH_SLICE_INDEX(mm->context.addr_limit); i++) +@@ -412,25 +412,31 @@ unsigned long slice_get_unmapped_area(un + struct slice_mask compat_mask; + int fixed = (flags & MAP_FIXED); + int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT); ++ unsigned long page_size = 1UL << pshift; + struct mm_struct *mm = current->mm; + unsigned long newaddr; + unsigned long high_limit; + +- /* +- * Check if we need to expland slice area. +- */ +- if (unlikely(addr >= mm->context.addr_limit && +- mm->context.addr_limit != TASK_SIZE)) { +- mm->context.addr_limit = TASK_SIZE; ++ high_limit = DEFAULT_MAP_WINDOW; ++ if (addr >= high_limit) ++ high_limit = TASK_SIZE; ++ ++ if (len > high_limit) ++ return -ENOMEM; ++ if (len & (page_size - 1)) ++ return -EINVAL; ++ if (fixed) { ++ if (addr & (page_size - 1)) ++ return -EINVAL; ++ if (addr > high_limit - len) ++ return -ENOMEM; ++ } ++ ++ if (high_limit > mm->context.addr_limit) { ++ mm->context.addr_limit = high_limit; + on_each_cpu(slice_flush_segments, mm, 1); + } +- /* +- * This mmap request can allocate upt to 512TB +- */ +- if (addr >= DEFAULT_MAP_WINDOW) +- high_limit = mm->context.addr_limit; +- else +- high_limit = DEFAULT_MAP_WINDOW; ++ + /* + * init different masks + */ +@@ -446,27 +452,19 @@ unsigned long slice_get_unmapped_area(un + + /* Sanity checks */ + BUG_ON(mm->task_size == 0); ++ BUG_ON(mm->context.addr_limit == 0); + VM_BUG_ON(radix_enabled()); + + slice_dbg("slice_get_unmapped_area(mm=%p, psize=%d...\n", mm, psize); + slice_dbg(" addr=%lx, len=%lx, flags=%lx, topdown=%d\n", + addr, len, flags, topdown); + +- if (len > mm->task_size) +- return -ENOMEM; +- if (len & ((1ul << pshift) - 1)) +- return -EINVAL; +- if (fixed && (addr & ((1ul << pshift) - 1))) +- return -EINVAL; +- if (fixed && addr > (mm->task_size - len)) +- return -ENOMEM; +- + /* If hint, make sure it matches our alignment restrictions */ + if (!fixed && addr) { +- addr = _ALIGN_UP(addr, 1ul << pshift); ++ addr = _ALIGN_UP(addr, page_size); + slice_dbg(" aligned addr=%lx\n", addr); + /* Ignore hint if it's too large or overlaps a VMA */ +- if (addr > mm->task_size - len || ++ if (addr > high_limit - len || + !slice_area_is_free(mm, addr, len)) + addr = 0; + } diff --git a/queue-4.14/powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch b/queue-4.14/powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch new file mode 100644 index 00000000000..eedd945719b --- /dev/null +++ b/queue-4.14/powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch @@ -0,0 +1,47 @@ +From 7ece370996b694ae263025e056ad785afc1be5ab Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 13 Nov 2017 23:17:28 +1100 +Subject: powerpc/64s/hash: Fix 512T hint detection to use >= 128T + +From: Michael Ellerman + +commit 7ece370996b694ae263025e056ad785afc1be5ab upstream. + +Currently userspace is able to request mmap() search between 128T-512T +by specifying a hint address that is greater than 128T. But that means +a hint of 128T exactly will return an address below 128T, which is +confusing and wrong. + +So fix the logic to check the hint is greater than *or equal* to 128T. + +Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB") +Suggested-by: Aneesh Kumar K.V +Suggested-by: Nicholas Piggin +[mpe: Split out of Nick's bigger patch] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/slice.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -419,7 +419,7 @@ unsigned long slice_get_unmapped_area(un + /* + * Check if we need to expland slice area. + */ +- if (unlikely(addr > mm->context.addr_limit && ++ if (unlikely(addr >= mm->context.addr_limit && + mm->context.addr_limit != TASK_SIZE)) { + mm->context.addr_limit = TASK_SIZE; + on_each_cpu(slice_flush_segments, mm, 1); +@@ -427,7 +427,7 @@ unsigned long slice_get_unmapped_area(un + /* + * This mmap request can allocate upt to 512TB + */ +- if (addr > DEFAULT_MAP_WINDOW) ++ if (addr >= DEFAULT_MAP_WINDOW) + high_limit = mm->context.addr_limit; + else + high_limit = DEFAULT_MAP_WINDOW; diff --git a/queue-4.14/powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch b/queue-4.14/powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch new file mode 100644 index 00000000000..bc2aa0676ce --- /dev/null +++ b/queue-4.14/powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch @@ -0,0 +1,45 @@ +From effc1b25088502fbd30305c79773de2d1f7470a6 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 10 Nov 2017 04:27:37 +1100 +Subject: powerpc/64s/hash: Fix fork() with 512TB process address space + +From: Nicholas Piggin + +commit effc1b25088502fbd30305c79773de2d1f7470a6 upstream. + +Hash unconditionally resets the addr_limit to default (128TB) when the +mm context is initialised. If a process has > 128TB mappings when it +forks, the child will not get the 512TB addr_limit, so accesses to +valid > 128TB mappings will fail in the child. + +Fix this by only resetting the addr_limit to default if it was 0. Non +zero indicates it was duplicated from the parent (0 means exec()). + +Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB") +Signed-off-by: Nicholas Piggin +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/mmu_context_book3s64.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/mm/mmu_context_book3s64.c ++++ b/arch/powerpc/mm/mmu_context_book3s64.c +@@ -93,11 +93,11 @@ static int hash__init_new_context(struct + return index; + + /* +- * We do switch_slb() early in fork, even before we setup the +- * mm->context.addr_limit. Default to max task size so that we copy the +- * default values to paca which will help us to handle slb miss early. ++ * In the case of exec, use the default limit, ++ * otherwise inherit it from the mm we are duplicating. + */ +- mm->context.addr_limit = DEFAULT_MAP_WINDOW_USER64; ++ if (!mm->context.addr_limit) ++ mm->context.addr_limit = DEFAULT_MAP_WINDOW_USER64; + + /* + * The old code would re-promote on fork, we don't do that when using diff --git a/queue-4.14/powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch b/queue-4.14/powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch new file mode 100644 index 00000000000..af620004830 --- /dev/null +++ b/queue-4.14/powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch @@ -0,0 +1,199 @@ +From 85e3f1adcb9d49300b0a943bb93f9604be375bfb Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 10 Nov 2017 04:27:39 +1100 +Subject: powerpc/64s/radix: Fix 128TB-512TB virtual address boundary case allocation + +From: Nicholas Piggin + +commit 85e3f1adcb9d49300b0a943bb93f9604be375bfb upstream. + +Radix VA space allocations test addresses against mm->task_size which +is 512TB, even in cases where the intention is to limit allocation to +below 128TB. + +This results in mmap with a hint address below 128TB but address + +length above 128TB succeeding when it should fail (as hash does after +the previous patch). + +Set the high address limit to be considered up front, and base +subsequent allocation checks on that consistently. + +Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB") +Signed-off-by: Nicholas Piggin +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/hugetlbpage-radix.c | 26 +++++++++++------ + arch/powerpc/mm/mmap.c | 55 +++++++++++++++++++++--------------- + 2 files changed, 50 insertions(+), 31 deletions(-) + +--- a/arch/powerpc/mm/hugetlbpage-radix.c ++++ b/arch/powerpc/mm/hugetlbpage-radix.c +@@ -49,17 +49,28 @@ radix__hugetlb_get_unmapped_area(struct + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + struct hstate *h = hstate_file(file); ++ int fixed = (flags & MAP_FIXED); ++ unsigned long high_limit; + struct vm_unmapped_area_info info; + +- if (unlikely(addr > mm->context.addr_limit && addr < TASK_SIZE)) +- mm->context.addr_limit = TASK_SIZE; ++ high_limit = DEFAULT_MAP_WINDOW; ++ if (addr >= high_limit || (fixed && (addr + len > high_limit))) ++ high_limit = TASK_SIZE; + + if (len & ~huge_page_mask(h)) + return -EINVAL; +- if (len > mm->task_size) ++ if (len > high_limit) + return -ENOMEM; ++ if (fixed) { ++ if (addr > high_limit - len) ++ return -ENOMEM; ++ } + +- if (flags & MAP_FIXED) { ++ if (unlikely(addr > mm->context.addr_limit && ++ mm->context.addr_limit != TASK_SIZE)) ++ mm->context.addr_limit = TASK_SIZE; ++ ++ if (fixed) { + if (prepare_hugepage_range(file, addr, len)) + return -EINVAL; + return addr; +@@ -68,7 +79,7 @@ radix__hugetlb_get_unmapped_area(struct + if (addr) { + addr = ALIGN(addr, huge_page_size(h)); + vma = find_vma(mm, addr); +- if (mm->task_size - len >= addr && ++ if (high_limit - len >= addr && + (!vma || addr + len <= vm_start_gap(vma))) + return addr; + } +@@ -79,12 +90,9 @@ radix__hugetlb_get_unmapped_area(struct + info.flags = VM_UNMAPPED_AREA_TOPDOWN; + info.length = len; + info.low_limit = PAGE_SIZE; +- info.high_limit = current->mm->mmap_base; ++ info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW); + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; + +- if (addr > DEFAULT_MAP_WINDOW) +- info.high_limit += mm->context.addr_limit - DEFAULT_MAP_WINDOW; +- + return vm_unmapped_area(&info); + } +--- a/arch/powerpc/mm/mmap.c ++++ b/arch/powerpc/mm/mmap.c +@@ -106,22 +106,32 @@ radix__arch_get_unmapped_area(struct fil + { + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; ++ int fixed = (flags & MAP_FIXED); ++ unsigned long high_limit; + struct vm_unmapped_area_info info; + ++ high_limit = DEFAULT_MAP_WINDOW; ++ if (addr >= high_limit || (fixed && (addr + len > high_limit))) ++ high_limit = TASK_SIZE; ++ ++ if (len > high_limit) ++ return -ENOMEM; ++ if (fixed) { ++ if (addr > high_limit - len) ++ return -ENOMEM; ++ } ++ + if (unlikely(addr > mm->context.addr_limit && + mm->context.addr_limit != TASK_SIZE)) + mm->context.addr_limit = TASK_SIZE; + +- if (len > mm->task_size - mmap_min_addr) +- return -ENOMEM; +- +- if (flags & MAP_FIXED) ++ if (fixed) + return addr; + + if (addr) { + addr = PAGE_ALIGN(addr); + vma = find_vma(mm, addr); +- if (mm->task_size - len >= addr && addr >= mmap_min_addr && ++ if (high_limit - len >= addr && addr >= mmap_min_addr && + (!vma || addr + len <= vm_start_gap(vma))) + return addr; + } +@@ -129,13 +139,9 @@ radix__arch_get_unmapped_area(struct fil + info.flags = 0; + info.length = len; + info.low_limit = mm->mmap_base; ++ info.high_limit = high_limit; + info.align_mask = 0; + +- if (unlikely(addr > DEFAULT_MAP_WINDOW)) +- info.high_limit = mm->context.addr_limit; +- else +- info.high_limit = DEFAULT_MAP_WINDOW; +- + return vm_unmapped_area(&info); + } + +@@ -149,37 +155,42 @@ radix__arch_get_unmapped_area_topdown(st + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + unsigned long addr = addr0; ++ int fixed = (flags & MAP_FIXED); ++ unsigned long high_limit; + struct vm_unmapped_area_info info; + ++ high_limit = DEFAULT_MAP_WINDOW; ++ if (addr >= high_limit || (fixed && (addr + len > high_limit))) ++ high_limit = TASK_SIZE; ++ ++ if (len > high_limit) ++ return -ENOMEM; ++ if (fixed) { ++ if (addr > high_limit - len) ++ return -ENOMEM; ++ } ++ + if (unlikely(addr > mm->context.addr_limit && + mm->context.addr_limit != TASK_SIZE)) + mm->context.addr_limit = TASK_SIZE; + +- /* requested length too big for entire address space */ +- if (len > mm->task_size - mmap_min_addr) +- return -ENOMEM; +- +- if (flags & MAP_FIXED) ++ if (fixed) + return addr; + +- /* requesting a specific address */ + if (addr) { + addr = PAGE_ALIGN(addr); + vma = find_vma(mm, addr); +- if (mm->task_size - len >= addr && addr >= mmap_min_addr && +- (!vma || addr + len <= vm_start_gap(vma))) ++ if (high_limit - len >= addr && addr >= mmap_min_addr && ++ (!vma || addr + len <= vm_start_gap(vma))) + return addr; + } + + info.flags = VM_UNMAPPED_AREA_TOPDOWN; + info.length = len; + info.low_limit = max(PAGE_SIZE, mmap_min_addr); +- info.high_limit = mm->mmap_base; ++ info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW); + info.align_mask = 0; + +- if (addr > DEFAULT_MAP_WINDOW) +- info.high_limit += mm->context.addr_limit - DEFAULT_MAP_WINDOW; +- + addr = vm_unmapped_area(&info); + if (!(addr & ~PAGE_MASK)) + return addr; diff --git a/queue-4.14/powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch b/queue-4.14/powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch new file mode 100644 index 00000000000..0ab4227485f --- /dev/null +++ b/queue-4.14/powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch @@ -0,0 +1,53 @@ +From 252eb55816a6f69ef9464cad303cdb3326cdc61d Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 Nov 2017 15:28:20 +0100 +Subject: powerpc: Fix boot on BOOK3S_32 with CONFIG_STRICT_KERNEL_RWX + +From: Christophe Leroy + +commit 252eb55816a6f69ef9464cad303cdb3326cdc61d upstream. + +On powerpc32, patch_instruction() is called by apply_feature_fixups() +which is called from early_init() + +There is the following note in front of early_init(): + * Note that the kernel may be running at an address which is different + * from the address that it was linked at, so we must use RELOC/PTRRELOC + * to access static data (including strings). -- paulus + +Therefore, slab_is_available() cannot be called yet, and +text_poke_area must be addressed with PTRRELOC() + +Fixes: 95902e6c8864 ("powerpc/mm: Implement STRICT_KERNEL_RWX on PPC32") +Reported-by: Meelis Roos +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/code-patching.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/lib/code-patching.c ++++ b/arch/powerpc/lib/code-patching.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + static int __patch_instruction(unsigned int *addr, unsigned int instr) + { +@@ -146,11 +147,8 @@ int patch_instruction(unsigned int *addr + * During early early boot patch_instruction is called + * when text_poke_area is not ready, but we still need + * to allow patching. We just do the plain old patching +- * We use slab_is_available and per cpu read * via this_cpu_read +- * of text_poke_area. Per-CPU areas might not be up early +- * this can create problems with just using this_cpu_read() + */ +- if (!slab_is_available() || !this_cpu_read(text_poke_area)) ++ if (!this_cpu_read(*PTRRELOC(&text_poke_area))) + return __patch_instruction(addr, instr); + + local_irq_save(flags); diff --git a/queue-4.14/powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch b/queue-4.14/powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch new file mode 100644 index 00000000000..093e8d5e770 --- /dev/null +++ b/queue-4.14/powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch @@ -0,0 +1,64 @@ +From f79ad50ea3c73fb1ea5b09e95c864e5bb263adfb Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Mon, 16 Oct 2017 16:21:35 +1100 +Subject: powerpc/mm/radix: Fix crashes on Power9 DD1 with radix MMU and STRICT_RWX + +From: Balbir Singh + +commit f79ad50ea3c73fb1ea5b09e95c864e5bb263adfb upstream. + +When using the radix MMU on Power9 DD1, to work around a hardware +problem, radix__pte_update() is required to do a two stage update of +the PTE. First we write a zero value into the PTE, then we flush the +TLB, and then we write the new PTE value. + +In the normal case that works OK, but it does not work if we're +updating the PTE that maps the code we're executing, because the +mapping is removed by the TLB flush and we can no longer execute from +it. Unfortunately the STRICT_RWX code needs to do exactly that. + +The exact symptoms when we hit this case vary, sometimes we print an +oops and then get stuck after that, but I've also seen a machine just +get stuck continually page faulting with no oops printed. The variance +is presumably due to the exact layout of the text and the page size +used for the mappings. In all cases we are unable to boot to a shell. + +There are possible solutions such as creating a second mapping of the +TLB flush code, executing from that, and then jumping back to the +original. However we don't want to add that level of complexity for a +DD1 work around. + +So just detect that we're running on Power9 DD1 and refrain from +changing the permissions, effectively disabling STRICT_RWX on Power9 +DD1. + +Fixes: 7614ff3272a1 ("powerpc/mm/radix: Implement STRICT_RWX/mark_rodata_ro() for Radix") +Reported-by: Andrew Jeffery +[Changelog as suggested by Michael Ellerman ] +Signed-off-by: Balbir Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pgtable-radix.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/mm/pgtable-radix.c ++++ b/arch/powerpc/mm/pgtable-radix.c +@@ -169,6 +169,16 @@ void radix__mark_rodata_ro(void) + { + unsigned long start, end; + ++ /* ++ * mark_rodata_ro() will mark itself as !writable at some point. ++ * Due to DD1 workaround in radix__pte_update(), we'll end up with ++ * an invalid pte and the system will crash quite severly. ++ */ ++ if (cpu_has_feature(CPU_FTR_POWER9_DD1)) { ++ pr_warn("Warning: Unable to mark rodata read only on P9 DD1\n"); ++ return; ++ } ++ + start = (unsigned long)_stext; + end = (unsigned long)__init_begin; + diff --git a/queue-4.14/powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch b/queue-4.14/powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch new file mode 100644 index 00000000000..a3b17825a28 --- /dev/null +++ b/queue-4.14/powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch @@ -0,0 +1,75 @@ +From f3f1dfd600ff82b18b7ea73d80eb27f476a6aa97 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 16 Oct 2017 00:13:41 +0530 +Subject: powerpc/perf/imc: Use cpu_to_node() not topology_physical_package_id() + +From: Michael Ellerman + +commit f3f1dfd600ff82b18b7ea73d80eb27f476a6aa97 upstream. + +init_imc_pmu() uses topology_physical_package_id() to detect the +node id of the processor it is on to get local memory, but that's +wrong, and can lead to crashes. Fix it to use cpu_to_node(). + +Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support") +Reported-By: Rob Lippert +Tested-By: Madhavan Srinivasan +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/imc-pmu.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -467,7 +467,7 @@ static int nest_imc_event_init(struct pe + * Nest HW counter memory resides in a per-chip reserve-memory (HOMER). + * Get the base memory addresss for this cpu. + */ +- chip_id = topology_physical_package_id(event->cpu); ++ chip_id = cpu_to_chip_id(event->cpu); + pcni = pmu->mem_info; + do { + if (pcni->id == chip_id) { +@@ -524,19 +524,19 @@ static int nest_imc_event_init(struct pe + */ + static int core_imc_mem_init(int cpu, int size) + { +- int phys_id, rc = 0, core_id = (cpu / threads_per_core); ++ int nid, rc = 0, core_id = (cpu / threads_per_core); + struct imc_mem_info *mem_info; + + /* + * alloc_pages_node() will allocate memory for core in the + * local node only. + */ +- phys_id = topology_physical_package_id(cpu); ++ nid = cpu_to_node(cpu); + mem_info = &core_imc_pmu->mem_info[core_id]; + mem_info->id = core_id; + + /* We need only vbase for core counters */ +- mem_info->vbase = page_address(alloc_pages_node(phys_id, ++ mem_info->vbase = page_address(alloc_pages_node(nid, + GFP_KERNEL | __GFP_ZERO | __GFP_THISNODE | + __GFP_NOWARN, get_order(size))); + if (!mem_info->vbase) +@@ -797,14 +797,14 @@ static int core_imc_event_init(struct pe + static int thread_imc_mem_alloc(int cpu_id, int size) + { + u64 ldbar_value, *local_mem = per_cpu(thread_imc_mem, cpu_id); +- int phys_id = topology_physical_package_id(cpu_id); ++ int nid = cpu_to_node(cpu_id); + + if (!local_mem) { + /* + * This case could happen only once at start, since we dont + * free the memory in cpu offline path. + */ +- local_mem = page_address(alloc_pages_node(phys_id, ++ local_mem = page_address(alloc_pages_node(nid, + GFP_KERNEL | __GFP_ZERO | __GFP_THISNODE | + __GFP_NOWARN, get_order(size))); + if (!local_mem) diff --git a/queue-4.14/powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch b/queue-4.14/powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch new file mode 100644 index 00000000000..0cd57d3dc03 --- /dev/null +++ b/queue-4.14/powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch @@ -0,0 +1,46 @@ +From 46725b17f1c6c815a41429259b3f070c01e71bc1 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 31 Aug 2017 21:55:57 +0530 +Subject: powerpc/signal: Properly handle return value from uprobe_deny_signal() + +From: Naveen N. Rao + +commit 46725b17f1c6c815a41429259b3f070c01e71bc1 upstream. + +When a uprobe is installed on an instruction that we currently do not +emulate, we copy the instruction into a xol buffer and single step +that instruction. If that instruction generates a fault, we abort the +single stepping before invoking the signal handler. Once the signal +handler is done, the uprobe trap is hit again since the instruction is +retried and the process repeats. + +We use uprobe_deny_signal() to detect if the xol instruction triggered +a signal. If so, we clear TIF_SIGPENDING and set TIF_UPROBE so that the +signal is not handled until after the single stepping is aborted. In +this case, uprobe_deny_signal() returns true and get_signal() ends up +returning 0. However, in do_signal(), we are not looking at the return +value, but depending on ksig.sig for further action, all with an +uninitialized ksig that is not touched in this scenario. Fix the same +by initializing ksig.sig to 0. + +Fixes: 129b69df9c90 ("powerpc: Use get_signal() signal_setup_done()") +Reported-by: Anton Blanchard +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/signal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -103,7 +103,7 @@ static void check_syscall_restart(struct + static void do_signal(struct task_struct *tsk) + { + sigset_t *oldset = sigmask_to_save(); +- struct ksignal ksig; ++ struct ksignal ksig = { .sig = 0 }; + int ret; + int is32 = is_32bit_task(); + diff --git a/queue-4.14/series b/queue-4.14/series index e1397ffe501..ba9eab53e31 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -152,3 +152,29 @@ ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch ib-core-only-maintain-real-qps-in-the-security-lists.patch nfc-fix-device-allocation-error-return.patch spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch +i40e-use-smp_rmb-rather-than-read_barrier_depends.patch +igb-use-smp_rmb-rather-than-read_barrier_depends.patch +igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch +ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch +i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch +fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch +ixgbe-fix-skb-list-corruption-on-power-systems.patch +parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch +powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch +powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch +powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch +powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch +powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch +powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch +powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch +powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch +powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch +powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch +media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch +media-rc-check-for-integer-overflow.patch +media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch +cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch +media-v4l2-ctrl-fix-flags-field-on-control-events.patch +media-venus-fix-wrong-size-on-dma_free.patch +media-venus-venc-fix-bytesused-v4l2_plane-field.patch +media-venus-reimplement-decoder-stop-command.patch