From: Greg Kroah-Hartman Date: Fri, 6 Jan 2017 15:31:19 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.41~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8851f1e9e41d27ef2a6062a6bceb5dfccf7f09d7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch libceph-verify-authorize-reply-on-connect.patch libnvdimm-pfn-fix-align-attribute.patch net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch nfs_write_end-fix-handling-of-short-copies.patch of-numa-return-numa_no_node-from-disable-of_node_to_nid-if-nid-not-possible.patch pci-check-for-pme-in-targeted-sleep-state.patch pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch
---
diff --git a/queue-4.9/drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch b/queue-4.9/drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch
new file mode 100644
index 00000000000..8a2b4914516
--- /dev/null
+++ b/queue-4.9/drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch
@@ -0,0 +1,68 @@
+From bb98e72adaf9d19719aba35f802d4836f5d5176c Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Fri, 2 Dec 2016 15:29:04 +0100
+Subject: drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit bb98e72adaf9d19719aba35f802d4836f5d5176c upstream.
+
+On my Cherrytrail CUBE iwork8 Air tablet PIPE-A would get stuck on loading
+i915 at boot 1 out of every 3 boots, resulting in a non functional LCD.
+Once the i915 driver has successfully loaded, the panel can be disabled /
+enabled without hitting this issue.
+
+The getting stuck is caused by vlv_init_display_clock_gating() clearing
+the DPOUNIT_CLOCK_GATE_DISABLE bit in DSPCLK_GATE_D when called from
+chv_pipe_power_well_ops.enable() on driver load, while a pipe is enabled
+driving the DSI LCD by the BIOS.
+
+Clearing this bit while DSI is in use is a known issue and
+intel_dsi_pre_enable() / intel_dsi_post_disable() already set / clear it
+as appropriate.
+
+This commit modifies vlv_init_display_clock_gating() to leave the
+DPOUNIT_CLOCK_GATE_DISABLE bit alone fixing the pipe getting stuck.
+
+Changes in v2:
+-Replace PIPE-A with "a pipe" or "the pipe" in the commit msg and
+comment
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97330
+Signed-off-by: Hans de Goede
+Reviewed-by: Ville Syrjälä
+Link: http://patchwork.freedesktop.org/patch/msgid/20161202142904.25613-1-hdegoede@redhat.com
+Signed-off-by: Ville Syrjälä
+(cherry picked from commit 721d484563e1a51ada760089c490cbc47e909756)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_runtime_pm.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_runtime_pm.c
++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c
+@@ -1065,7 +1065,18 @@ static bool vlv_power_well_enabled(struc
+
+ static void vlv_init_display_clock_gating(struct drm_i915_private *dev_priv)
+ {
+- I915_WRITE(DSPCLK_GATE_D, VRHUNIT_CLOCK_GATE_DISABLE);
++ u32 val;
++
++ /*
++ * On driver load, a pipe may be active and driving a DSI display.
++ * Preserve DPOUNIT_CLOCK_GATE_DISABLE to avoid the pipe getting stuck
++ * (and never recovering) in this case. intel_dsi_post_disable() will
++ * clear it when we turn off the display.
++ */
++ val = I915_READ(DSPCLK_GATE_D);
++ val &= DPOUNIT_CLOCK_GATE_DISABLE;
++ val |= VRHUNIT_CLOCK_GATE_DISABLE;
++ I915_WRITE(DSPCLK_GATE_D, val);
+
+ /*
+ * Disable trickle feed and enable pnd deadline calculation
diff --git a/queue-4.9/drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch b/queue-4.9/drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch
new file mode 100644
index 00000000000..e1d109d6cf7
--- /dev/null
+++ b/queue-4.9/drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch
@@ -0,0 +1,41 @@
+From 22ca0d4991169b76e753d767a45f1105c356bbb8 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Thu, 1 Dec 2016 21:29:09 +0100
+Subject: drm/i915/dsi: Fix chv_exec_gpio disabling the GPIOs it is setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede
+
+commit 22ca0d4991169b76e753d767a45f1105c356bbb8 upstream.
+
+Set the CHV_GPIO_GPIOEN bit when updating GPIOs from chv_exec_gpio.
+
+Fixes: a0a6d4ffd2ad ("drm/i915/dsi: add support for gpio elements on CHV")
+Cc: Jani Nikula
+Cc: Ville Syrjälä
+Signed-off-by: Hans de Goede
+Reviewed-by: Ville Syrjälä
+Link: http://patchwork.freedesktop.org/patch/msgid/20161201202925.12220-3-hdegoede@redhat.com
+Signed-off-by: Ville Syrjälä
+(cherry picked from commit b2b45fcd921e864a5e9bbc7aa55dee96d5e11c06)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_dsi_panel_vbt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
++++ b/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
+@@ -296,7 +296,8 @@ static void chv_exec_gpio(struct drm_i91
+ mutex_lock(&dev_priv->sb_lock);
+ vlv_iosf_sb_write(dev_priv, port, cfg1, 0);
+ vlv_iosf_sb_write(dev_priv, port, cfg0,
+- CHV_GPIO_GPIOCFG_GPO | CHV_GPIO_GPIOTXSTATE(value));
++ CHV_GPIO_GPIOEN | CHV_GPIO_GPIOCFG_GPO |
++ CHV_GPIO_GPIOTXSTATE(value));
+ mutex_unlock(&dev_priv->sb_lock);
+ }
+
diff --git a/queue-4.9/i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch b/queue-4.9/i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch
new file mode 100644
index 00000000000..d7c5c589d4e
--- /dev/null
+++ b/queue-4.9/i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch
@@ -0,0 +1,35 @@
+From 91c42b72f8e8b45961ff05a05009b644e6316ca2 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem
+Date: Fri, 11 Nov 2016 10:55:41 -0600
+Subject: i40iw: Use correct src address in memcpy to rdma stats counters
+
+From: Shiraz Saleem
+
+commit 91c42b72f8e8b45961ff05a05009b644e6316ca2 upstream.
+
+hw_stats is a pointer to i40_iw_dev_stats struct in i40iw_get_hw_stats().
+Use hw_stats and not &hw_stats in the memcpy to copy the i40iw device stats
+data into rdma_hw_stats counters.
+
+Fixes: b40f4757daa1 ("IB/core: Make device counter infrastructure dynamic")
+
+Signed-off-by: Shiraz Saleem
+Signed-off-by: Faisal Latif
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -2501,7 +2501,7 @@ static int i40iw_get_hw_stats(struct ib_
+ return -ENOSYS;
+ }
+
+- memcpy(&stats->value[0], &hw_stats, sizeof(*hw_stats));
++ memcpy(&stats->value[0], hw_stats, sizeof(*hw_stats));
+
+ return stats->num_counters;
+ }
diff --git a/queue-4.9/kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch b/queue-4.9/kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch
new file mode 100644
index 00000000000..bed2a9da72a
--- /dev/null
+++ b/queue-4.9/kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch
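Review bot: The corrected `memcpy()` in i40iw_get_hw_stats() still sizes the copy from the source struct alone, and nothing in the visible lines ties `sizeof(*hw_stats)` to the capacity of `stats->value[]`. The allocation of the counters array is outside the hunk, so this may already be guaranteed elsewhere; if it is not enforced at build time, a guard such as `if (sizeof(*hw_stats) > stats->num_counters * sizeof(stats->value[0])) return -EINVAL;` before the copy would keep a later change to either structure from turning into an out-of-bounds write. A one-line comment stating that the struct layout must match the counter order would also help, since the copy relies on it. The function body starts outside the hunk.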
@@ -0,0 +1,70 @@
+From 79e51b5c2deea542b3bb8c66e0d502230b017dde Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Thu, 24 Nov 2016 22:10:23 +0000
+Subject: kconfig/nconf: Fix hang when editing symbol with a long prompt
+
+From: Ben Hutchings
+
+commit 79e51b5c2deea542b3bb8c66e0d502230b017dde upstream.
+
+Currently it is impossible to edit the value of a config symbol with a
+prompt longer than (terminal width - 2) characters. dialog_inputbox()
+calculates a negative x-offset for the input window and newwin() fails
+as this is invalid. It also doesn't check for this failure, so it
+busy-loops calling wgetch(NULL) which immediately returns -1.
+
+The additions in the offset calculations also don't match the intended
+size of the window.
+
+Limit the window size and calculate the offset similarly to
+show_scroll_win().
+
+Fixes: 692d97c380c6 ("kconfig: new configuration interface (nconfig)")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/kconfig/nconf.gui.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -364,12 +364,14 @@ int dialog_inputbox(WINDOW *main_window,
+ WINDOW *prompt_win;
+ WINDOW *form_win;
+ PANEL *panel;
+- int i, x, y;
++ int i, x, y, lines, columns, win_lines, win_cols;
+ int res = -1;
+ int cursor_position = strlen(init);
+ int cursor_form_win;
+ char *result = *resultp;
+
++ getmaxyx(stdscr, lines, columns);
++
+ if (strlen(init)+1 > *result_len) {
+ *result_len = strlen(init)+1;
+ *resultp = result = realloc(result, *result_len);
+@@ -386,14 +388,19 @@ int dialog_inputbox(WINDOW *main_window,
+ if (title)
+ prompt_width = max(prompt_width, strlen(title));
+
++ win_lines = min(prompt_lines+6, lines-2);
++ win_cols = min(prompt_width+7, columns-2);
++ prompt_lines = max(win_lines-6, 0);
++ prompt_width = max(win_cols-7, 0);
++
+ /* place dialog in middle of screen */
+- y = (getmaxy(stdscr)-(prompt_lines+4))/2;
+- x = (getmaxx(stdscr)-(prompt_width+4))/2;
++ y = (lines-win_lines)/2;
++ x = (columns-win_cols)/2;
+
+ strncpy(result, init, *result_len);
+
+ /* create the windows */
+- win = newwin(prompt_lines+6, prompt_width+7, y, x);
++ win = newwin(win_lines, win_cols, y, x);
+ prompt_win = derwin(win, prompt_lines+1, prompt_width, 2, 2);
+ form_win = derwin(win, 1, prompt_width, prompt_lines+3, 2);
+ keypad(form_win, TRUE);
diff --git a/queue-4.9/libceph-verify-authorize-reply-on-connect.patch b/queue-4.9/libceph-verify-authorize-reply-on-connect.patch
new file mode 100644
index 00000000000..6192716c624
--- /dev/null
+++ b/queue-4.9/libceph-verify-authorize-reply-on-connect.patch
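Review bot: The result of `newwin()` is still not checked after the size clamp in dialog_inputbox(), and the commit message names that missing check as the reason for the busy loop. On a terminal narrower or shorter than two cells `columns-2` or `lines-2` is not positive, so `win_cols`/`win_lines` can still be invalid and `newwin()` may again return NULL; the `derwin()` calls that follow would then be handed a NULL parent. Bailing out early with `if (!win) return res;` (res is still -1 at that point) would close the remaining case, assuming the callers treat a negative result as cancel. The unchecked `realloc()` in the first inner hunk is context rather than part of this change, but has the same shape. The function continues outside the hunk.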
@@ -0,0 +1,54 @@
+From 5c056fdc5b474329037f2aa18401bd73033e0ce0 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Fri, 2 Dec 2016 16:35:09 +0100
+Subject: libceph: verify authorize reply on connect
+
+From: Ilya Dryomov
+
+commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.
+
+After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
+the client gets back a ceph_x_authorize_reply, which it is supposed to
+verify to ensure the authenticity and protect against replay attacks.
+The code for doing this is there (ceph_x_verify_authorizer_reply(),
+ceph_auth_verify_authorizer_reply() + plumbing), but it is never
+invoked by the the messenger.
+
+AFAICT this goes back to 2009, when ceph authentication protocols
+support was added to the kernel client in 4e7a5dcd1bba ("ceph:
+negotiate authentication protocol; implement AUTH_NONE protocol").
+
+The second param of ceph_connection_operations::verify_authorizer_reply
+is unused all the way down. Pass 0 to facilitate backporting, and kill
+it in the next commit.
+
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Sage Weil
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/messenger.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -2027,6 +2027,19 @@ static int process_connect(struct ceph_c
+
+ dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
+
++ if (con->auth_reply_buf) {
++ /*
++ * Any connection that defines ->get_authorizer()
++ * should also define ->verify_authorizer_reply().
++ * See get_connect_authorizer().
++ */
++ ret = con->ops->verify_authorizer_reply(con, 0);
++ if (ret < 0) {
++ con->error_msg = "bad authorize reply";
++ return ret;
++ }
++ }
++
+ switch (con->in_reply.tag) {
+ case CEPH_MSGR_TAG_FEATURES:
+ pr_err("%s%lld %s feature set mismatch,"
diff --git a/queue-4.9/libnvdimm-pfn-fix-align-attribute.patch b/queue-4.9/libnvdimm-pfn-fix-align-attribute.patch
new file mode 100644
index 00000000000..94fb256ec0f
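Review bot: The new call `con->ops->verify_authorizer_reply(con, 0)` in process_connect() goes through the ops table without a NULL test, and the pairing with ->get_authorizer() is only stated in the comment. Since this is the step that authenticates the peer's reply, a messenger user that sets an authorizer but leaves the verify op unset should fail closed rather than oops; `if (!con->ops->verify_authorizer_reply) { con->error_msg = "bad authorize reply"; return -EINVAL; }` ahead of the call would enforce the invariant. The check also runs for every reply tag whenever `auth_reply_buf` is set, and the visible lines do not show whether the reply length has been validated before the verifier reads the buffer, so that is worth confirming in the callee. process_connect() starts and ends outside the hunk.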
--- /dev/null
+++ b/queue-4.9/libnvdimm-pfn-fix-align-attribute.patch
@@ -0,0 +1,32 @@
+From af7d9f0c57941b465043681cb5c3410f7f3f1a41 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Sat, 10 Dec 2016 08:12:05 -0800
+Subject: libnvdimm, pfn: fix align attribute
+
+From: Dan Williams
+
+commit af7d9f0c57941b465043681cb5c3410f7f3f1a41 upstream.
+
+Fix the format specifier so that the attribute can be parsed correctly.
+Currently it returns decimal 1000 for a 4096-byte alignment.
+
+Reported-by: Dave Jiang
+Fixes: 315c562536c4 ("libnvdimm, pfn: add 'align' attribute, default to HPAGE_SIZE")
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -108,7 +108,7 @@ static ssize_t align_show(struct device
+ {
+ struct nd_pfn *nd_pfn = to_nd_pfn_safe(dev);
+
+- return sprintf(buf, "%lx\n", nd_pfn->align);
++ return sprintf(buf, "%ld\n", nd_pfn->align);
+ }
+
+ static ssize_t __align_store(struct nd_pfn *nd_pfn, const char *buf)
diff --git a/queue-4.9/net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch b/queue-4.9/net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch
new file mode 100644
index 00000000000..8e2d7347b18
--- /dev/null
+++ b/queue-4.9/net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch
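Review bot: `%ld` in align_show() is a signed conversion, while the `%lx` it replaces suggests `nd_pfn->align` is an unsigned long; the field's declaration is not in the hunk. If it is unsigned, `return sprintf(buf, "%lu\n", nd_pfn->align);` matches the type and avoids a format/argument mismatch warning. The value printed for realistic alignments is the same either way.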
@@ -0,0 +1,166 @@
+From 8354491c9d5b06709384cea91d13019bf5e61449 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni
+Date: Wed, 21 Dec 2016 11:28:49 +0100
+Subject: net: mvpp2: fix dma unmapping of TX buffers for fragments
+
+From: Thomas Petazzoni
+
+commit 8354491c9d5b06709384cea91d13019bf5e61449 upstream.
+
+Since commit 71ce391dfb784 ("net: mvpp2: enable proper per-CPU TX
+buffers unmapping"), we are not correctly DMA unmapping TX buffers for
+fragments.
+
+Indeed, the mvpp2_txq_inc_put() function only stores in the
+txq_cpu->tx_buffs[] array the physical address of the buffer to be
+DMA-unmapped when skb != NULL. In addition, when DMA-unmapping, we use
+skb_headlen(skb) to get the size to be unmapped. Both of this works fine
+for TX descriptors that are associated directly to a SKB, but not the
+ones that are used for fragments, with a NULL pointer as skb:
+
+ - We have a NULL physical address when calling DMA unmap
+ - skb_headlen(skb) crashes because skb is NULL
+
+This causes random crashes when fragments are used.
+
+To solve this problem, we need to:
+
+ - Store the physical address of the buffer to be unmapped
+ unconditionally, regardless of whether it is tied to a SKB or not.
+
+ - Store the length of the buffer to be unmapped, which requires a new
+ field.
+
+Instead of adding a third array to store the length of the buffer to be
+unmapped, and as suggested by David Miller, this commit refactors the
+tx_buffs[] and tx_skb[] arrays of 'struct mvpp2_txq_pcpu' into a
+separate structure 'mvpp2_txq_pcpu_buf', to which a 'size' field is
+added. Therefore, instead of having three arrays to allocate/free, we
+have a single one, which also improve data locality, reducing the
+impact on the CPU cache.
+
+Fixes: 71ce391dfb784 ("net: mvpp2: enable proper per-CPU TX buffers unmapping")
+Reported-by: Raphael G
+Cc: Raphael G
+Signed-off-by: Thomas Petazzoni
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 59 +++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -770,6 +770,17 @@ struct mvpp2_rx_desc {
+ u32 reserved8;
+ };
+
++struct mvpp2_txq_pcpu_buf {
++ /* Transmitted SKB */
++ struct sk_buff *skb;
++
++ /* Physical address of transmitted buffer */
++ dma_addr_t phys;
++
++ /* Size transmitted */
++ size_t size;
++};
++
+ /* Per-CPU Tx queue control */
+ struct mvpp2_txq_pcpu {
+ int cpu;
+@@ -785,11 +796,8 @@ struct mvpp2_txq_pcpu {
+ /* Number of Tx DMA descriptors reserved for each CPU */
+ int reserved_num;
+
+- /* Array of transmitted skb */
+- struct sk_buff **tx_skb;
+-
+- /* Array of transmitted buffers' physical addresses */
+- dma_addr_t *tx_buffs;
++ /* Infos about transmitted buffers */
++ struct mvpp2_txq_pcpu_buf *buffs;
+
+ /* Index of last TX DMA descriptor that was inserted */
+ int txq_put_index;
+@@ -979,10 +987,11 @@ static void mvpp2_txq_inc_put(struct mvp
+ struct sk_buff *skb,
+ struct mvpp2_tx_desc *tx_desc)
+ {
+- txq_pcpu->tx_skb[txq_pcpu->txq_put_index] = skb;
+- if (skb)
+- txq_pcpu->tx_buffs[txq_pcpu->txq_put_index] =
+- tx_desc->buf_phys_addr;
++ struct mvpp2_txq_pcpu_buf *tx_buf =
++ txq_pcpu->buffs + txq_pcpu->txq_put_index;
++ tx_buf->skb = skb;
++ tx_buf->size = tx_desc->data_size;
++ tx_buf->phys = tx_desc->buf_phys_addr;
+ txq_pcpu->txq_put_index++;
+ if (txq_pcpu->txq_put_index == txq_pcpu->size)
+ txq_pcpu->txq_put_index = 0;
+@@ -4401,17 +4410,16 @@ static void mvpp2_txq_bufs_free(struct m
+ int i;
+
+ for (i = 0; i < num; i++) {
+- dma_addr_t buf_phys_addr =
+- txq_pcpu->tx_buffs[txq_pcpu->txq_get_index];
+- struct sk_buff *skb = txq_pcpu->tx_skb[txq_pcpu->txq_get_index];
++ struct mvpp2_txq_pcpu_buf *tx_buf =
++ txq_pcpu->buffs + txq_pcpu->txq_get_index;
+
+ mvpp2_txq_inc_get(txq_pcpu);
+
+- dma_unmap_single(port->dev->dev.parent, buf_phys_addr,
+- skb_headlen(skb), DMA_TO_DEVICE);
+- if (!skb)
++ dma_unmap_single(port->dev->dev.parent, tx_buf->phys,
++ tx_buf->size, DMA_TO_DEVICE);
++ if (!tx_buf->skb)
+ continue;
+- dev_kfree_skb_any(skb);
++ dev_kfree_skb_any(tx_buf->skb);
+ }
+ }
+
+@@ -4651,15 +4659,10 @@ static int mvpp2_txq_init(struct mvpp2_p
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+ txq_pcpu->size = txq->size;
+- txq_pcpu->tx_skb = kmalloc(txq_pcpu->size *
+- sizeof(*txq_pcpu->tx_skb),
+- GFP_KERNEL);
+- if (!txq_pcpu->tx_skb)
+- goto error;
+-
+- txq_pcpu->tx_buffs = kmalloc(txq_pcpu->size *
+- sizeof(dma_addr_t), GFP_KERNEL);
+- if (!txq_pcpu->tx_buffs)
++ txq_pcpu->buffs = kmalloc(txq_pcpu->size *
++ sizeof(struct mvpp2_txq_pcpu_buf),
++ GFP_KERNEL);
++ if (!txq_pcpu->buffs)
+ goto error;
+
+ txq_pcpu->count = 0;
+@@ -4673,8 +4676,7 @@ static int mvpp2_txq_init(struct mvpp2_p
+ error:
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+- kfree(txq_pcpu->tx_skb);
+- kfree(txq_pcpu->tx_buffs);
++ kfree(txq_pcpu->buffs);
+ }
+
+ dma_free_coherent(port->dev->dev.parent,
+@@ -4693,8 +4695,7 @@ static void mvpp2_txq_deinit(struct mvpp
+
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+- kfree(txq_pcpu->tx_skb);
+- kfree(txq_pcpu->tx_buffs);
++ kfree(txq_pcpu->buffs);
+ }
+
+ if (txq->descs)
diff --git a/queue-4.9/nfs_write_end-fix-handling-of-short-copies.patch b/queue-4.9/nfs_write_end-fix-handling-of-short-copies.patch
new file mode 100644
index 00000000000..428c9d3a0a8
--- /dev/null
+++ b/queue-4.9/nfs_write_end-fix-handling-of-short-copies.patch
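Review bot: The new allocation in mvpp2_txq_init() multiplies `txq_pcpu->size` by the element size inside `kmalloc()`, so an oversized ring size would wrap the product and yield a buffer smaller than the indices used in mvpp2_txq_inc_put() and mvpp2_txq_bufs_free(). `txq_pcpu->buffs = kmalloc_array(txq_pcpu->size, sizeof(*txq_pcpu->buffs), GFP_KERNEL);` does the overflow check and follows the element type automatically. Separately, the error path calls `kfree(txq_pcpu->buffs)` for every present CPU, including those the loop never reached; that is only safe if the per-CPU area starts out zeroed, which the hunk does not show. All of the touched functions extend beyond the visible lines.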
@@ -0,0 +1,32 @@
+From c0cf3ef5e0f47e385920450b245d22bead93e7ad Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Mon, 5 Sep 2016 21:42:32 -0400
+Subject: nfs_write_end(): fix handling of short copies
+
+From: Al Viro
+
+commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream.
+
+What matters when deciding if we should make a page uptodate is
+not how much we _wanted_ to copy, but how much we actually have
+copied. As it is, on architectures that do not zero tail on
+short copy we can leave uninitialized data in page marked uptodate.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -374,7 +374,7 @@ static int nfs_write_end(struct file *fi
+ */
+ if (!PageUptodate(page)) {
+ unsigned pglen = nfs_page_length(page);
+- unsigned end = offset + len;
++ unsigned end = offset + copied;
+
+ if (pglen == 0) {
+ zero_user_segments(page, 0, offset,
diff --git a/queue-4.9/of-numa-return-numa_no_node-from-disable-of_node_to_nid-if-nid-not-possible.patch b/queue-4.9/of-numa-return-numa_no_node-from-disable-of_node_to_nid-if-nid-not-possible.patch
new file mode 100644
index 00000000000..1d603891c6e
--- /dev/null
+++ b/queue-4.9/of-numa-return-numa_no_node-from-disable-of_node_to_nid-if-nid-not-possible.patch
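Review bot: The switch from `len` to `copied` in nfs_write_end() carries no comment, and the reason for it is a data-exposure one that is easy to undo by accident. A line above the declaration such as `/* use the bytes actually copied: a short copy must not leave stale data in a page we mark uptodate */` would record it. It is also worth confirming that the branches below behave sensibly for `copied == 0`, where `end == offset`; they are outside the hunk.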
@@ -0,0 +1,77 @@
+From b6cc9474e2dd9f0c19b694b40961d81117f1e918 Mon Sep 17 00:00:00 2001
+From: David Daney
+Date: Fri, 28 Oct 2016 14:15:02 -0700
+Subject: of, numa: Return NUMA_NO_NODE from disable of_node_to_nid() if nid not possible.
+
+From: David Daney
+
+commit b6cc9474e2dd9f0c19b694b40961d81117f1e918 upstream.
+
+On arm64 NUMA kernels we can pass "numa=off" on the command line to
+disable NUMA. A side effect of this is that kmalloc_node() calls to
+non-zero nodes will crash the system with an OOPS:
+
+[ 0.000000] ITS@0x0000901000020000: allocated 2097152 Devices @10002000000 (flat, esz 8, psz 64K, shr 1)
+[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00001680
+[ 0.000000] pgd = fffffc0009470000
+[ 0.000000] [00001680] *pgd=0000010ffff90003, *pud=0000010ffff90003, *pmd=0000010ffff90003, *pte=0000000000000000
+[ 0.000000] Internal error: Oops: 96000006 [#1] SMP
+.
+.
+.
+[ 0.000000] [] __alloc_pages_nodemask+0xa4/0xe68
+[ 0.000000] [] new_slab+0xd0/0x564
+[ 0.000000] [] ___slab_alloc+0x2e4/0x514
+[ 0.000000] [] __slab_alloc+0x48/0x58
+[ 0.000000] [] __kmalloc_node+0xd0/0x2dc
+[ 0.000000] [] __irq_domain_add+0x7c/0x164
+[ 0.000000] [] its_probe+0x784/0x81c
+[ 0.000000] [] its_init+0x48/0x1b0
+[ 0.000000] [] gic_init_bases+0x228/0x360
+[ 0.000000] [] gic_of_init+0x148/0x1cc
+[ 0.000000] [] of_irq_init+0x184/0x298
+[ 0.000000] [] irqchip_init+0x14/0x38
+[ 0.000000] [] init_IRQ+0xc/0x30
+[ 0.000000] [] start_kernel+0x240/0x3b8
+[ 0.000000] [] __primary_switched+0x30/0x6c
+[ 0.000000] Code: 912ec2a0 b9403809 0a0902fb 37b007db (f9400300)
+.
+.
+.
+
+This is caused by code like this in kernel/irq/irqdomain.c
+
+ domain = kzalloc_node(sizeof(*domain) + (sizeof(unsigned int) * size),
+ GFP_KERNEL, of_node_to_nid(of_node));
+
+When NUMA is disabled, the concept of a node is really undefined, so
+of_node_to_nid() should unconditionally return NUMA_NO_NODE.
+
+Fix by returning NUMA_NO_NODE when the nid is not in the set of
+possible nodes.
+
+Reported-by: Gilbert Netzer
+Signed-off-by: David Daney
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/of/of_numa.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/of_numa.c
++++ b/drivers/of/of_numa.c
+@@ -176,7 +176,12 @@ int of_node_to_nid(struct device_node *d
+ np->name);
+ of_node_put(np);
+
+- if (!r)
++ /*
++ * If numa=off passed on command line, or with a defective
++ * device tree, the nid may not be in the set of possible
++ * nodes. Check for this case and return NUMA_NO_NODE.
++ */
++ if (!r && nid < MAX_NUMNODES && node_possible(nid))
+ return nid;
+
+ return NUMA_NO_NODE;
diff --git a/queue-4.9/pci-check-for-pme-in-targeted-sleep-state.patch b/queue-4.9/pci-check-for-pme-in-targeted-sleep-state.patch
new file mode 100644
index 00000000000..bfc564bd76b
--- /dev/null
+++ b/queue-4.9/pci-check-for-pme-in-targeted-sleep-state.patch
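Review bot: The added test `nid < MAX_NUMNODES` in of_node_to_nid() bounds the device-tree value only from above, so it protects the `node_possible(nid)` bitmap lookup only if `nid` is an unsigned type; its declaration is outside the hunk. If that is the case, saying so in the new comment (for example `nid is unsigned, so the upper bound alone keeps node_possible() in range`) would stop a later type change from silently removing the guard. If it is signed, the condition needs a `nid >= 0` term as well.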
@@ -0,0 +1,48 @@
+From 6496ebd7edf446fccf8266a1a70ffcb64252593e Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 21 Oct 2016 16:45:38 -0400
+Subject: PCI: Check for PME in targeted sleep state
+
+From: Alan Stern
+
+commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.
+
+One some systems, the firmware does not allow certain PCI devices to be put
+in deep D-states. This can cause problems for wakeup signalling, if the
+device does not support PME# in the deepest allowed suspend state. For
+example, Pierre reports that on his system, ACPI does not permit his xHCI
+host controller to go into D3 during runtime suspend -- but D3 is the only
+state in which the controller can generate PME# signals. As a result, the
+controller goes into runtime suspend but never wakes up, so it doesn't work
+properly. USB devices plugged into the controller are never detected.
+
+If the device relies on PME# for wakeup signals but is not capable of
+generating PME# in the target state, the PCI core should accurately report
+that it cannot do wakeup from runtime suspend. This patch modifies the
+pci_dev_run_wake() routine to add this check.
+
+Reported-by: Pierre de Villemereuil
+Tested-by: Pierre de Villemereuil
+Signed-off-by: Alan Stern
+Signed-off-by: Bjorn Helgaas
+Acked-by: Rafael J. Wysocki
+CC: Lukas Wunner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2106,6 +2106,10 @@ bool pci_dev_run_wake(struct pci_dev *de
+ if (!dev->pme_support)
+ return false;
+
++ /* PME-capable in principle, but not from the intended sleep state */
++ if (!pci_pme_capable(dev, pci_target_state(dev)))
++ return false;
++
+ while (bus->parent) {
+ struct pci_dev *bridge = bus->self;
+
diff --git a/queue-4.9/pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch b/queue-4.9/pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch
new file mode 100644
index 00000000000..277c2d12a10
--- /dev/null
+++ b/queue-4.9/pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch
@@ -0,0 +1,60 @@
+From ae5a459d5f65c3e83f3e14068dde5fb9c9d81807 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 14 Nov 2016 14:34:18 -0500
+Subject: pNFS: Clear NFS_LAYOUT_RETURN_REQUESTED when invalidating the layout stateid
+
+From: Trond Myklebust
+
+commit ae5a459d5f65c3e83f3e14068dde5fb9c9d81807 upstream.
+
+We must ensure that we don't schedule a layoutreturn if the layout stateid
+has been marked as invalid.
+
+Fixes: 2a59a0411671e ("pNFS: Fix pnfs_set_layout_stateid() to clear...")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pnfs.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -299,6 +299,14 @@ pnfs_put_layout_hdr(struct pnfs_layout_h
+ }
+ }
+
++static void
++pnfs_clear_layoutreturn_info(struct pnfs_layout_hdr *lo)
++{
++ lo->plh_return_iomode = 0;
++ lo->plh_return_seq = 0;
++ clear_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags);
++}
++
+ /*
+ * Mark a pnfs_layout_hdr and all associated layout segments as invalid
+ *
+@@ -317,6 +325,7 @@ pnfs_mark_layout_stateid_invalid(struct
+ };
+
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
++ pnfs_clear_layoutreturn_info(lo);
+ return pnfs_mark_matching_lsegs_invalid(lo, lseg_list, &range, 0);
+ }
+
+@@ -818,14 +827,6 @@ pnfs_destroy_all_layouts(struct nfs_clie
+ pnfs_destroy_layouts_byclid(clp, false);
+ }
+
+-static void
+-pnfs_clear_layoutreturn_info(struct pnfs_layout_hdr *lo)
+-{
+- lo->plh_return_iomode = 0;
+- lo->plh_return_seq = 0;
+- clear_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags);
+-}
+-
+ /* update lo->plh_stateid with new if is more recent */
+ void
+ pnfs_set_layout_stateid(struct pnfs_layout_hdr *lo, const nfs4_stateid *new,
diff --git a/queue-4.9/pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch b/queue-4.9/pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch
new file mode 100644
index 00000000000..0924269f3cd
--- /dev/null
+++ b/queue-4.9/pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch
@@ -0,0 +1,34 @@
+From 7b650994ab07434ae58a247dc9ac87d2488ca75c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 14 Nov 2016 13:10:48 -0500
+Subject: pNFS: Don't clear the layout stateid if a layout return is outstanding
+
+From: Trond Myklebust
+
+commit 7b650994ab07434ae58a247dc9ac87d2488ca75c upstream.
+
+If we no longer hold any layout segments, we're normally expected to
+consider the layout stateid to be invalid. However we cannot assume this
+if we're about to, or in the process of sending a layoutreturn.
+
+Fixes: 334a8f37115b ("pNFS: Don't forget the layout stateid if...")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -411,7 +411,9 @@ pnfs_layout_remove_lseg(struct pnfs_layo
+ list_del_init(&lseg->pls_list);
+ /* Matched by pnfs_get_layout_hdr in pnfs_layout_insert_lseg */
+ atomic_dec(&lo->plh_refcount);
+- if (list_empty(&lo->plh_segs)) {
++ if (list_empty(&lo->plh_segs) &&
++ !test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags) &&
++ !test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) {
+ if (atomic_read(&lo->plh_outstanding) == 0)
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
+ clear_bit(NFS_LAYOUT_BULK_RECALL, &lo->plh_flags);
diff --git a/queue-4.9/pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch b/queue-4.9/pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch
new file mode 100644
index 00000000000..5c8bf31acbb
--- /dev/null
+++ b/queue-4.9/pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch
@@ -0,0 +1,55 @@
+From 54e4a0dfa25d9365c4e80a639e80d9213eb6edbe Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Sun, 27 Nov 2016 15:12:39 -0500
+Subject: pNFS: Fix a deadlock between read resends and layoutreturn
+
+From: Trond Myklebust
+
+commit 54e4a0dfa25d9365c4e80a639e80d9213eb6edbe upstream.
+
+We must not call nfs_pageio_init_read() on a new nfs_pageio_descriptor
+while holding a reference to a layout segment, as that can deadlock
+pnfs_update_layout().
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++++
+ fs/nfs/pnfs.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -28,6 +28,9 @@
+
+ static struct group_info *ff_zero_group;
+
++static void ff_layout_read_record_layoutstats_done(struct rpc_task *task,
++ struct nfs_pgio_header *hdr);
++
+ static struct pnfs_layout_hdr *
+ ff_layout_alloc_layout_hdr(struct inode *inode, gfp_t gfp_flags)
+ {
+@@ -1293,6 +1296,7 @@ static int ff_layout_read_done_cb(struct
+ hdr->pgio_mirror_idx + 1,
+ &hdr->pgio_mirror_idx))
+ goto out_eagain;
++ ff_layout_read_record_layoutstats_done(task, hdr);
+ pnfs_read_resend_pnfs(hdr);
+ return task->tk_status;
+ case -NFS4ERR_RESET_TO_MDS:
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2293,6 +2293,10 @@ void pnfs_read_resend_pnfs(struct nfs_pg
+ struct nfs_pageio_descriptor pgio;
+
+ if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) {
++ /* Prevent deadlocks with layoutreturn! */
++ pnfs_put_lseg(hdr->lseg);
++ hdr->lseg = NULL;
++
+ nfs_pageio_init_read(&pgio, hdr->inode, false,
+ hdr->completion_ops);
+ hdr->task.tk_status = nfs_pageio_resend(&pgio, hdr);
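Review bot: After this change pnfs_read_resend_pnfs() leaves `hdr->lseg` NULL, and the added call to `ff_layout_read_record_layoutstats_done(task, hdr)` in ff_layout_read_done_cb() appears to be placed before the resend for that reason, yet neither spot says so. A comment at the call site such as `/* record stats first: the resend drops hdr->lseg */` would keep the two lines from being reordered. Any later user of the header (release or completion callbacks, not visible here) must tolerate a NULL `hdr->lseg`; that deserves a check, since a missed one is a NULL dereference in the I/O completion path.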
diff --git a/queue-4.9/pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch b/queue-4.9/pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch
new file mode 100644
index 00000000000..db7a2043ec8
--- /dev/null
+++ b/queue-4.9/pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch
@@ -0,0 +1,60 @@ +From 6604b203fb6394ed1f24c21bfa3c207e5ae8e461 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 17 Oct 2016 17:54:32 -0400 +Subject: pNFS: On error, do not send LAYOUTGET until the LAYOUTRETURN has completed + +From: Trond Myklebust + +commit 6604b203fb6394ed1f24c21bfa3c207e5ae8e461 upstream. + +If there is an I/O error, we should not call LAYOUTGET until the +LAYOUTRETURN that reports the error is complete. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 6 +++++- + fs/nfs/pnfs.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -944,6 +944,7 @@ static void pnfs_clear_layoutcommit(stru + void pnfs_clear_layoutreturn_waitbit(struct pnfs_layout_hdr *lo) + { + clear_bit_unlock(NFS_LAYOUT_RETURN, &lo->plh_flags); ++ clear_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags); + smp_mb__after_atomic(); + wake_up_bit(&lo->plh_flags, NFS_LAYOUT_RETURN); + rpc_wake_up(&NFS_SERVER(lo->plh_inode)->roc_rpcwaitq); +@@ -957,8 +958,9 @@ pnfs_prepare_layoutreturn(struct pnfs_la + /* Serialise LAYOUTGET/LAYOUTRETURN */ + if (atomic_read(&lo->plh_outstanding) != 0) + return false; +- if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) ++ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) + return false; ++ set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags); + pnfs_get_layout_hdr(lo); + if (test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags)) { + if (stateid != NULL) { +@@ -1950,6 +1952,8 @@ void pnfs_error_mark_layout_for_return(s + + spin_lock(&inode->i_lock); + pnfs_set_plh_return_info(lo, range.iomode, 0); ++ /* Block LAYOUTGET */ ++ set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags); + /* + * mark all matching lsegs so that we are sure to have no live + * segments at hand when sending layoutreturn. 
See pnfs_put_lseg() +--- a/fs/nfs/pnfs.h ++++ b/fs/nfs/pnfs.h +@@ -96,6 +96,7 @@ enum { + NFS_LAYOUT_RW_FAILED, /* get rw layout failed stop trying */ + NFS_LAYOUT_BULK_RECALL, /* bulk recall affecting layout */ + NFS_LAYOUT_RETURN, /* layoutreturn in progress */ ++ NFS_LAYOUT_RETURN_LOCK, /* Serialise layoutreturn */ + NFS_LAYOUT_RETURN_REQUESTED, /* Return this layout ASAP */ + NFS_LAYOUT_INVALID_STID, /* layout stateid id is invalid */ + NFS_LAYOUT_FIRST_LAYOUTGET, /* Serialize first layoutget */ diff --git a/queue-4.9/powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch b/queue-4.9/powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch new file mode 100644 index 00000000000..434545667f5 --- /dev/null +++ b/queue-4.9/powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch 
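Review bot: The enum comment `/* layoutreturn in progress */` on NFS_LAYOUT_RETURN no longer matches how the bit is used. pnfs_error_mark_layout_for_return() now sets it under `/* Block LAYOUTGET */` before any LAYOUTRETURN has been prepared, while NFS_LAYOUT_RETURN_LOCK takes over the test_and_set_bit() serialisation. I would reword it to `NFS_LAYOUT_RETURN, /* layoutreturn pending or in progress: blocks LAYOUTGET */`. The only clear of the bit visible here is in pnfs_clear_layoutreturn_waitbit(), and pnfs_prepare_layoutreturn() still returns false while plh_outstanding is non-zero. It is therefore worth confirming, in the callers outside these hunks, that a layout marked in the error path always reaches a LAYOUTRETURN and cannot leave LAYOUTGET waiters blocked.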
@@ -0,0 +1,57 @@
+From f87f253bac3ce4a4eb2a60a1ae604d74e65f9042 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Thu, 24 Nov 2016 00:02:07 +1100
+Subject: powerpc/64e: Convert cmpi to cmpwi in head_64.S
+
+From: Nicholas Piggin
+
+commit f87f253bac3ce4a4eb2a60a1ae604d74e65f9042 upstream.
+
+From 80f23935cadb ("powerpc: Convert cmp to cmpd in idle enter sequence"):
+
+ PowerPC's "cmp" instruction has four operands. Normally people write
+ "cmpw" or "cmpd" for the second cmp operand 0 or 1. But, frequently
+ people forget, and write "cmp" with just three operands.
+
+ With older binutils this is silently accepted as if this was "cmpw",
+ while often "cmpd" is wanted. With newer binutils GAS will complain
+ about this for 64-bit code. For 32-bit code it still silently assumes
+ "cmpw" is what is meant.
+
+In this case, cmpwi is called for, so this is just a build fix for
+new toolchains.
+
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/head_64.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kernel/head_64.S
++++ b/arch/powerpc/kernel/head_64.S
+@@ -214,9 +214,9 @@ booting_thread_hwid:
+ */
+ _GLOBAL(book3e_start_thread)
+ LOAD_REG_IMMEDIATE(r5, MSR_KERNEL)
+- cmpi 0, r3, 0
++ cmpwi r3, 0
+ beq 10f
+- cmpi 0, r3, 1
++ cmpwi r3, 1
+ beq 11f
+ /* If the thread id is invalid, just exit. */
+ b 13f
+@@ -241,9 +241,9 @@ _GLOBAL(book3e_start_thread)
+ * r3 = the thread physical id
+ */
+ _GLOBAL(book3e_stop_thread)
+- cmpi 0, r3, 0
++ cmpwi r3, 0
+ beq 10f
+- cmpi 0, r3, 1
++ cmpwi r3, 1
+ beq 10f
+ /* If the thread id is invalid, just exit. */
+ b 13f
diff --git a/queue-4.9/powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch b/queue-4.9/powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch
new file mode 100644
index 00000000000..7376a7fd39c
--- /dev/null
+++ b/queue-4.9/powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch
@@ -0,0 +1,73 @@
+From ff45000fcb56b5b0f1a14a865d3541746d838a0a Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Mon, 28 Nov 2016 12:42:26 +1100
+Subject: powerpc/boot: Request no dynamic linker for boot wrapper
+
+From: Nicholas Piggin
+
+commit ff45000fcb56b5b0f1a14a865d3541746d838a0a upstream.
+
+The boot wrapper performs its own relocations and does not require
+PT_INTERP segment. However currently we don't tell the linker that.
+
+Prior to binutils 2.28 that works OK. But since binutils commit
+1a9ccd70f9a7 ("Fix the linker so that it will not silently generate ELF
+binaries with invalid program headers. Fix readelf to report such
+invalid binaries.") binutils tries to create a program header segment
+due to PT_INTERP, and the link fails because there is no space for it:
+
+ ld: arch/powerpc/boot/zImage.pseries: Not enough room for program headers, try linking with -N
+ ld: final link failed: Bad value
+
+So tell the linker not to do that, by passing --no-dynamic-linker.
+
+Reported-by: Anton Blanchard
+Signed-off-by: Nicholas Piggin
+[mpe: Drop dependency on ld-version.sh and massage change log]
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/boot/wrapper | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/boot/wrapper
++++ b/arch/powerpc/boot/wrapper
+@@ -181,6 +181,28 @@ case "$elfformat" in
+ elf32-powerpc) format=elf32ppc ;;
+ esac
+
++ld_version()
++{
++ # Poached from scripts/ld-version.sh, but we don't want to call that because
++ # this script (wrapper) is distributed separately from the kernel source.
++ # Extract linker version number from stdin and turn into single number.
++ awk '{
++ gsub(".*\\)", "");
++ gsub(".*version ", "");
++ gsub("-.*", "");
++ split($1,a, ".");
++ print a[1]*100000000 + a[2]*1000000 + a[3]*10000;
++ exit
++ }'
++}
++
++# Do not include PT_INTERP segment when linking pie. Non-pie linking
++# just ignores this option.
++LD_VERSION=$(${CROSS}ld --version | ld_version)
++LD_NO_DL_MIN_VERSION=$(echo 2.26 | ld_version)
++if [ "$LD_VERSION" -ge "$LD_NO_DL_MIN_VERSION" ] ; then
++ nodl="--no-dynamic-linker"
++fi
+
+ platformo=$object/"$platform".o
+ lds=$object/zImage.lds
+@@ -446,7 +468,7 @@ if [ "$platform" != "miboot" ]; then
+ text_start="-Ttext $link_address"
+ fi
+ #link everything
+- ${CROSS}ld -m $format -T $lds $text_start $pie -o "$ofile" \
++ ${CROSS}ld -m $format -T $lds $text_start $pie $nodl -o "$ofile" \
+ $platformo $tmp $object/wrapper.a
+ rm $tmp
+ fi
diff --git a/queue-4.9/powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch b/queue-4.9/powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch
new file mode 100644
index 00000000000..5f43b791a72
--- /dev/null
+++ b/queue-4.9/powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch
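Review bot: `nodl` is assigned only inside the version test and is then expanded unquoted on the `${CROSS}ld` command line, so when the test is false the link picks up whatever `nodl` the caller's environment happens to export. Unless the script already initialises it somewhere outside this hunk, add `nodl=` immediately before the `if`. The same path is taken when `${CROSS}ld --version` prints nothing: LD_VERSION is then empty and `[ "" -ge ... ]` fails with an error rather than a clean false. Writing the test as `[ "${LD_VERSION:-0}" -ge "$LD_NO_DL_MIN_VERSION" ]` keeps that case quiet and explicit.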
@@ -0,0 +1,65 @@
+From 6dff5b67054e17c91bd630bcdda17cfca5aa4215 Mon Sep 17 00:00:00 2001
+From: Geoff Levand
+Date: Tue, 29 Nov 2016 10:47:32 -0800
+Subject: powerpc/ps3: Fix system hang with GCC 5 builds
+
+From: Geoff Levand
+
+commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream.
+
+GCC 5 generates different code for this bootwrapper null check that
+causes the PS3 to hang very early in its bootup. This check is of
+limited value, so just get rid of it.
+
+Signed-off-by: Geoff Levand
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/boot/ps3-head.S | 5 -----
+ arch/powerpc/boot/ps3.c | 8 +-------
+ 2 files changed, 1 insertion(+), 12 deletions(-)
+
+--- a/arch/powerpc/boot/ps3-head.S
++++ b/arch/powerpc/boot/ps3-head.S
+@@ -57,11 +57,6 @@ __system_reset_overlay:
+ bctr
+
+ 1:
+- /* Save the value at addr zero for a null pointer write check later. */
+-
+- li r4, 0
+- lwz r3, 0(r4)
+-
+ /* Primary delays then goes to _zimage_start in wrapper. */
+
+ or 31, 31, 31 /* db16cyc */
+--- a/arch/powerpc/boot/ps3.c
++++ b/arch/powerpc/boot/ps3.c
+@@ -119,13 +119,12 @@ void ps3_copy_vectors(void)
+ flush_cache((void *)0x100, 512);
+ }
+
+-void platform_init(unsigned long null_check)
++void platform_init(void)
+ {
+ const u32 heapsize = 0x1000000 - (u32)_end; /* 16MiB */
+ void *chosen;
+ unsigned long ft_addr;
+ u64 rm_size;
+- unsigned long val;
+
+ console_ops.write = ps3_console_write;
+ platform_ops.exit = ps3_exit;
+@@ -153,11 +152,6 @@ void platform_init(unsigned long null_ch
+
+ printf(" flat tree at 0x%lx\n\r", ft_addr);
+
+- val = *(unsigned long *)0;
+-
+- if (val != null_check)
+- printf("null check failed: %lx != %lx\n\r", val, null_check);
+-
+ ((kernel_entry_t)0)(ft_addr, 0, NULL);
+
+ ps3_exit();
diff --git a/queue-4.9/series b/queue-4.9/series
index 1d555cfc317..dbb035859ef 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -90,3 +90,23 @@ media-solo6x10-fix-lockup-by-avoiding-delayed-register-write.patch
 v4l-tvp5150-add-missing-break-in-set-control-handler.patch
 input-drv260x-fix-input-device-s-parent-assignment.patch
 bad_inode-add-missing-i_op-initializers.patch
+i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch
+pci-check-for-pme-in-targeted-sleep-state.patch
+libceph-verify-authorize-reply-on-connect.patch
+nfs_write_end-fix-handling-of-short-copies.patch
+pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch
+pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch
+pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch
+pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch
+sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch
+powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch
+powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch
+powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch
+of-numa-return-numa_no_node-from-disable-of_node_to_nid-if-nid-not-possible.patch
+libnvdimm-pfn-fix-align-attribute.patch
+target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch
+kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch
+sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch
+net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch
+drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch
+drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch
diff --git a/queue-4.9/sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch b/queue-4.9/sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch
new file mode 100644
index 00000000000..4dac648ef4a
--- /dev/null
+++ b/queue-4.9/sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch
@@ -0,0 +1,46 @@
+From 128394eff343fc6d2f32172f03e24829539c5835 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Fri, 16 Dec 2016 13:42:06 -0500
+Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+
+From: Al Viro
+
+commit 128394eff343fc6d2f32172f03e24829539c5835 upstream.
+
+Both damn things interpret userland pointers embedded into the payload;
+worse, they are actually traversing those. Leaving aside the bad
+API design, this is very much _not_ safe to call with KERNEL_DS.
+Bail out early if that happens.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bsg.c | 3 +++
+ drivers/scsi/sg.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char
+
+ dprintk("%s: write %Zd bytes\n", bd->name, count);
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ bsg_set_block(bd, file);
+
+ bytes_written = 0;
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -581,6 +581,9 @@ sg_write(struct file *filp, const char _
+ sg_io_hdr_t *hp;
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ return -ENXIO;
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
diff --git a/queue-4.9/sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch b/queue-4.9/sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch
new file mode 100644
index 00000000000..ba718caf8bf
--- /dev/null
+++ b/queue-4.9/sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch
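Review bot: The new guard in bsg_write() and sg_write() carries no comment, and `return -EINVAL` on `segment_eq(get_fs(), KERNEL_DS)` is not self-explanatory to someone reading either function without the commit message. I would add above each check `/* The payload embeds user pointers that are dereferenced later; refuse to run with the address limit set to KERNEL_DS. */`. The same three lines are duplicated in two files, so the comment is needed in both places. Because the rejection is silent, a one-time warning on this path would make a misbehaving in-kernel caller visible in the logs; that is a suggestion for detection, not something these hunks show a need for. Both function bodies continue outside the hunks.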
@@ -0,0 +1,84 @@
+From 1cded9d2974fe4fe339fc0ccd6638b80d465ab2c Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Mon, 5 Dec 2016 15:10:11 +1100
+Subject: SUNRPC: fix refcounting problems with auth_gss messages.
+
+From: NeilBrown
+
+commit 1cded9d2974fe4fe339fc0ccd6638b80d465ab2c upstream.
+
+There are two problems with refcounting of auth_gss messages.
+
+First, the reference on the pipe->pipe list (taken by a call
+to rpc_queue_upcall()) is not counted. It seems to be
+assumed that a message in pipe->pipe will always also be in
+pipe->in_downcall, where it is correctly reference counted.
+
+However there is no guaranty of this. I have a report of a
+NULL dereferences in rpc_pipe_read() which suggests a msg
+that has been freed is still on the pipe->pipe list.
+
+One way I imagine this might happen is:
+- message is queued for uid=U and auth->service=S1
+- rpc.gssd reads this message and starts processing.
+ This removes the message from pipe->pipe
+- message is queued for uid=U and auth->service=S2
+- rpc.gssd replies to the first message. gss_pipe_downcall()
+ calls __gss_find_upcall(pipe, U, NULL) and it finds the
+ *second* message, as new messages are placed at the head
+ of ->in_downcall, and the service type is not checked.
+- This second message is removed from ->in_downcall and freed
+ by gss_release_msg() (even though it is still on pipe->pipe)
+- rpc.gssd tries to read another message, and dereferences a pointer
+ to this message that has just been freed.
+
+I fix this by incrementing the reference count before calling
+rpc_queue_upcall(), and decrementing it if that fails, or normally in
+gss_pipe_destroy_msg().
+
+It seems strange that the reply doesn't target the message more
+precisely, but I don't know all the details. In any case, I think the
+reference counting irregularity became a measureable bug when the
+extra arg was added to __gss_find_upcall(), hence the Fixes: line
+below.
+
+The second problem is that if rpc_queue_upcall() fails, the new
+message is not freed. gss_alloc_msg() set the ->count to 1,
+gss_add_msg() increments this to 2, gss_unhash_msg() decrements to 1,
+then the pointer is discarded so the memory never gets freed.
+
+Fixes: 9130b8dbc6ac ("SUNRPC: allow for upcalls for same uid but different gss service")
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1011250
+Signed-off-by: NeilBrown
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/auth_gss/auth_gss.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -541,9 +541,13 @@ gss_setup_upcall(struct gss_auth *gss_au
+ return gss_new;
+ gss_msg = gss_add_msg(gss_new);
+ if (gss_msg == gss_new) {
+- int res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
++ int res;
++ atomic_inc(&gss_msg->count);
++ res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
+ if (res) {
+ gss_unhash_msg(gss_new);
++ atomic_dec(&gss_msg->count);
++ gss_release_msg(gss_new);
+ gss_msg = ERR_PTR(res);
+ }
+ } else
+@@ -836,6 +840,7 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg
+ warn_gssd();
+ gss_release_msg(gss_msg);
+ }
++ gss_release_msg(gss_msg);
+ }
+
+ static void gss_pipe_dentry_destroy(struct dentry *dir,
diff --git a/queue-4.9/target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch b/queue-4.9/target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch
new file mode 100644
index 00000000000..2a1442ecbc4
--- /dev/null
+++ b/queue-4.9/target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch
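Review bot: Nothing in the code ties the new pipe->pipe reference to its release. It is taken by a bare `atomic_inc(&gss_msg->count)` in gss_setup_upcall() and dropped by an unlabelled `gss_release_msg(gss_msg)` at the end of gss_pipe_destroy_msg(). I would add `/* reference for pipe->pipe, dropped in gss_pipe_destroy_msg() */` above the increment and `/* drop the reference taken in gss_setup_upcall() */` above the new release. On the failure path, `atomic_dec()` followed by `gss_release_msg(gss_new)` relies on the count arithmetic worked out in the commit message, so a short comment naming which reference each of the two lines drops would make that checkable in the source. In gss_pipe_destroy_msg() the release inside the `if` block is presumably balanced by a get above the hunk, which is not visible here.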
@@ -0,0 +1,37 @@
+From d0905ca757bc40bd1ebc261a448a521b064777d7 Mon Sep 17 00:00:00 2001
+From: Andy Grover
+Date: Mon, 21 Nov 2016 16:35:30 -0800
+Subject: target/user: Fix use-after-free of tcmu_cmds if they are expired
+
+From: Andy Grover
+
+commit d0905ca757bc40bd1ebc261a448a521b064777d7 upstream.
+
+Don't free the cmd in tcmu_check_expired_cmd, it's still referenced by
+an entry in our cmd_id->cmd idr. If userspace ever resumes processing,
+tcmu_handle_completions() will use the now-invalid cmd pointer.
+
+Instead, don't free cmd. It will be freed by tcmu_handle_completion() if
+userspace ever recovers, or tcmu_free_device if not.
+
+Reported-by: Bryant G Ly
+Tested-by: Bryant G Ly
+Signed-off-by: Andy Grover
+Signed-off-by: Bart Van Assche
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_user.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -685,8 +685,6 @@ static int tcmu_check_expired_cmd(int id
+ target_complete_cmd(cmd->se_cmd, SAM_STAT_CHECK_CONDITION);
+ cmd->se_cmd = NULL;
+
+- kmem_cache_free(tcmu_cmd_cache, cmd);
+-
+ return 0;
+ }
+