From: Greg Kroah-Hartman
Date: Wed, 6 Dec 2017 16:59:02 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.87~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95244f993d731c41acc7cd076716a1a8bd86ac4e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
arm-omap1-dma-correct-the-number-of-logical-channels.patch
arm-omap2-fix-wl1283-bluetooth-baud-rate.patch
be2net-fix-accesses-to-unicast-list.patch
be2net-fix-initial-mac-setting.patch
be2net-fix-unicast-list-filling.patch
cec-initiator-should-be-the-same-as-the-destination-for-poll.patch
dax-avoid-page-invalidation-races-and-unnecessary-radix-tree-traversals.patch
dmaengine-pl330-fix-double-lock.patch
dmaengine-stm32-dma-fix-null-pointer-dereference-in-stm32_dma_tx_status.patch
dmaengine-stm32-dma-set-correct-args-number-for-dma-request-from-dt.patch
drm-amdgpu-fix-bug-set-incorrect-value-to-vce-register.patch
drm-amdgpu-fix-unload-driver-issue-for-virtual-display.patch
drm-exynos-decon5433-set-standalone_update_f-also-if-planes-are-disabled.patch
drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch
drm-exynos-decon5433-update-shadow-registers-iff-there-are-active-windows.patch
edac-sb_edac-fix-missing-break-in-switch.patch
gtp-clear-df-bit-on-gtp-packet-tx.patch
gtp-fix-cross-netns-recv-on-gtp-socket.patch
i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch
iio-adc-ti-ads1015-add-10-to-conversion-wait-time.patch
ima-fix-hash-algorithm-initialization.patch
kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch
kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch
kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch
l2tp-take-remote-address-into-account-in-l2tp_ip-and-l2tp_ip6-socket-lookups.patch
libcxgb-fix-error-check-for-ip6_route_output.patch
libfs-modify-mount_pseudo_xattr-to-be-clear-it-is-not-a-userspace-mount.patch
m68k-fix-coldfire-node-shift-size-calculation.patch
mac80211-calculate-min-channel-width-correctly.patch
mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch
mac80211-prevent-skb-txq-mismatch.patch
mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch
mm-fix-remote-numa-hits-statistics.patch
mmc-sdhci-msm-fix-issue-with-power-irq.patch
net-appletalk-fix-kernel-memory-disclosure.patch
net-fec-fix-multicast-filtering-hardware-setup.patch
net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch
net-phy-micrel-ksz8795-do-not-set-supported_pause.patch
net-qrtr-mark-buf-as-little-endian.patch
net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch
net-systemport-pad-packet-before-inserting-tsb.patch
net-systemport-utilize-skb_put_padto.patch
net-thunderx-avoid-dereferencing-xcv-when-null.patch
nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch
nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch
nvmet-cancel-fatal-error-and-flush-async-work-before-free-controller.patch
perf-test-attr-fix-ignored-test-case-result.patch
perf-x86-intel-account-interrupts-for-pebs-errors.patch
powerpc-mm-fix-memory-hotplug-bug-on-radix.patch
qla2xxx-fix-wrong-iocb-type-assumption.patch
ravb-remove-rx-overflow-log-messages.patch
rdma-qedr-fix-rdma-cm-loopback.patch
rdma-qedr-return-success-when-not-changing-qp-state.patch
s390-pci-do-not-require-ais-facility.patch
selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch
serial-8250-preserve-dld-for-port_xr17v35x.patch
serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch
spi-sh-msiof-fix-dma-transfer-size-check.patch
spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch
staging-greybus-loopback-fix-iteration-count-on-async-path.patch
staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch
sysrq-fix-show-regs-call-trace-on-arm.patch
tcp-correct-memory-barrier-usage-in-tcp_check_space.patch
tipc-fix-cleanup-at-module-unload.patch
tipc-fix-nametbl_lock-soft-lockup-at-module-exit.patch
tools-include-do-not-use-poison-with-c.patch
usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch
usb-dwc2-fix-udc-state-tracking.patch
usb-gadget-f_fs-fix-extcompat-descriptor-validation.patch
usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch
usb-serial-option-add-quectel-bg96-id.patch
usbip-tools-install-all-headers-needed-for-libusbip-development.patch
vfio-spapr-fix-missing-mutex-unlock-when-creating-a-window.patch
vti6-fix-device-register-to-report-ifla_info_kind.patch
x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch
x86-fpu-set-the-xcomp_bv-when-we-fake-up-a-xsaves-area.patch
xen-netback-vif-counters-from-int-long-to-u64.patch
xen-netfront-improve-error-handling-during-initialization.patch
---
diff --git a/queue-4.9/arm-omap1-dma-correct-the-number-of-logical-channels.patch b/queue-4.9/arm-omap1-dma-correct-the-number-of-logical-channels.patch new file mode 100644 index 00000000000..6989e9c4413 --- /dev/null +++ b/queue-4.9/arm-omap1-dma-correct-the-number-of-logical-channels.patch
@@ -0,0 +1,70 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Peter Ujfalusi +Date: Tue, 3 Jan 2017 13:22:34 +0200 +Subject: ARM: OMAP1: DMA: Correct the number of logical channels + +From: Peter Ujfalusi + + +[ Upstream commit 657279778af54f35e54b07b6687918f254a2992c ] + +OMAP1510, OMAP5910 and OMAP310 have only 9 logical channels. +OMAP1610, OMAP5912, OMAP1710, OMAP730, and OMAP850 have 16 logical channels +available. + +The wired 17 for the lch_count must have been used to cover the 16 + 1 +dedicated LCD channel, in reality we can only use 9 or 16 channels. + +The d->chan_count is not used by the omap-dma stack, so we can skip the +setup. chan_count was configured to the number of logical channels and not +the actual number of physical channels anyways. + +Signed-off-by: Peter Ujfalusi +Acked-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/dma.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/arch/arm/mach-omap1/dma.c ++++ b/arch/arm/mach-omap1/dma.c +@@ -32,7 +32,6 @@ + #include "soc.h" + + #define OMAP1_DMA_BASE (0xfffed800) +-#define OMAP1_LOGICAL_DMA_CH_COUNT 17 + + static u32 enable_1510_mode; + +@@ -348,8 +347,6 @@ static int __init omap1_system_dma_init( + goto exit_iounmap; + } + +- d->lch_count = OMAP1_LOGICAL_DMA_CH_COUNT; +- + /* Valid attributes for omap1 plus processors */ + if (cpu_is_omap15xx()) + d->dev_caps = ENABLE_1510_MODE; +@@ -366,13 +363,14 @@ static int __init omap1_system_dma_init( + d->dev_caps |= CLEAR_CSR_ON_READ; + d->dev_caps |= IS_WORD_16; + +- if (cpu_is_omap15xx()) +- d->chan_count = 9; +- else if (cpu_is_omap16xx() || cpu_is_omap7xx()) { +- if (!(d->dev_caps & ENABLE_1510_MODE)) +- d->chan_count = 16; ++ /* available logical channels */ ++ if (cpu_is_omap15xx()) { ++ d->lch_count = 9; ++ } else { ++ if (d->dev_caps & ENABLE_1510_MODE) ++ d->lch_count = 9; + else +- d->chan_count = 9; ++ d->lch_count = 
16; + } + + p = dma_plat_info; diff --git a/queue-4.9/arm-omap2-fix-wl1283-bluetooth-baud-rate.patch b/queue-4.9/arm-omap2-fix-wl1283-bluetooth-baud-rate.patch new file mode 100644 index 00000000000..530775841c3 --- /dev/null +++ b/queue-4.9/arm-omap2-fix-wl1283-bluetooth-baud-rate.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Adam Ford +Date: Tue, 3 Jan 2017 11:37:48 -0600 +Subject: ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate + +From: Adam Ford + + +[ Upstream commit a3ac350793d90d1da631c8beeee9352387974ed5 ] + +Commit 485fa1261f78 ("ARM: OMAP2+: LogicPD Torpedo + Wireless: Add Bluetooth") +set the wrong baud rate for the UART. The Baud rate was 300,000 and it should +be 3,000,000 for WL1283. + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/pdata-quirks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/pdata-quirks.c ++++ b/arch/arm/mach-omap2/pdata-quirks.c +@@ -147,7 +147,7 @@ static struct ti_st_plat_data wilink_pda + .nshutdown_gpio = 137, + .dev_name = "/dev/ttyO1", + .flow_cntrl = 1, +- .baud_rate = 300000, ++ .baud_rate = 3000000, + }; + + static struct platform_device wl18xx_device = { diff --git a/queue-4.9/be2net-fix-accesses-to-unicast-list.patch b/queue-4.9/be2net-fix-accesses-to-unicast-list.patch new file mode 100644 index 00000000000..94198e9a3be --- /dev/null +++ b/queue-4.9/be2net-fix-accesses-to-unicast-list.patch 
@@ -0,0 +1,58 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ivan Vecera +Date: Fri, 6 Jan 2017 20:30:02 +0100 +Subject: be2net: fix accesses to unicast list + +From: Ivan Vecera + + +[ Upstream commit 1d0f110a2c6c4bca3dbcc4b0e27f1e3dc2d44a2c ] + +Commit 988d44b "be2net: Avoid redundant addition of mac address in HW" +introduced be_dev_mac_add & be_uc_mac_add helpers that incorrectly +access adapter->uc_list as an array of bytes instead of an array of +be_eth_addr. Consequently NIC is not filled with valid data so unicast +filtering is broken. + +Cc: Sathya Perla +Cc: Ajit Khaparde +Cc: Sriharsha Basavapatna +Cc: Somnath Kotur +Fixes: 988d44b be2net: Avoid redundant addition of mac address in HW +Signed-off-by: Ivan Vecera +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -275,8 +275,7 @@ static int be_dev_mac_add(struct be_adap + + /* Check if mac has already been added as part of uc-list */ + for (i = 0; i < adapter->uc_macs; i++) { +- if (ether_addr_equal((u8 *)&adapter->uc_list[i * ETH_ALEN], +- mac)) { ++ if (ether_addr_equal(adapter->uc_list[i].mac, mac)) { + /* mac already added, skip addition */ + adapter->pmac_id[0] = adapter->pmac_id[i + 1]; + return 0; +@@ -1679,14 +1678,12 @@ static void be_clear_mc_list(struct be_a + + static int be_uc_mac_add(struct be_adapter *adapter, int uc_idx) + { +- if (ether_addr_equal((u8 *)&adapter->uc_list[uc_idx * ETH_ALEN], +- adapter->dev_mac)) { ++ if (ether_addr_equal(adapter->uc_list[uc_idx].mac, adapter->dev_mac)) { + adapter->pmac_id[uc_idx + 1] = adapter->pmac_id[0]; + return 0; + } + +- return be_cmd_pmac_add(adapter, +- (u8 *)&adapter->uc_list[uc_idx * ETH_ALEN], ++ return be_cmd_pmac_add(adapter, adapter->uc_list[uc_idx].mac, + 
adapter->if_handle, + &adapter->pmac_id[uc_idx + 1], 0); + } diff --git a/queue-4.9/be2net-fix-initial-mac-setting.patch b/queue-4.9/be2net-fix-initial-mac-setting.patch new file mode 100644 index 00000000000..89037de6e8a --- /dev/null +++ b/queue-4.9/be2net-fix-initial-mac-setting.patch 
@@ -0,0 +1,137 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ivan Vecera +Date: Tue, 31 Jan 2017 20:01:31 +0100 +Subject: be2net: fix initial MAC setting + +From: Ivan Vecera + + +[ Upstream commit 4993b39ab04b083ff6ee1147e7e7f120feb6bf7f ] + +Recent commit 34393529163a ("be2net: fix MAC addr setting on privileged +BE3 VFs") allows privileged BE3 VFs to set its MAC address during +initialization. Although the initial MAC for such VFs is already +programmed by parent PF the subsequent setting performed by VF is OK, +but in certain cases (after fresh boot) this command in VF can fail. + +The MAC should be initialized only when: +1) no MAC is programmed (always except BE3 VFs during first init) +2) programmed MAC is different from requested (e.g. MAC is set when + interface is down). In this case the initial MAC programmed by PF + needs to be deleted. + +The adapter->dev_mac contains MAC address currently programmed in HW so +it should be zeroed when the MAC is deleted from HW and should not be +filled when MAC is set when interface is down in be_mac_addr_set() as +no programming is performed in this case. + +Example of failure without the fix (immediately after fresh boot): + +# ip link set eth0 up <- eth0 is BE3 PF +be2net 0000:01:00.0 eth0: Link is Up + +# echo 1 > /sys/class/net/eth0/device/sriov_numvfs <- Create 1 VF +... +be2net 0000:01:04.0: Emulex OneConnect(be3): VF port 0 + +# ip link set eth8 up <- eth8 is created privileged VF +be2net 0000:01:04.0: opcode 59-1 failed:status 1-76 +RTNETLINK answers: Input/output error + +# echo 0 > /sys/class/net/eth0/device/sriov_numvfs <- Delete VF +iommu: Removing device 0000:01:04.0 from group 33 +... + +# echo 1 > /sys/class/net/eth0/device/sriov_numvfs <- Create it again +iommu: Removing device 0000:01:04.0 from group 33 +... + +# ip link set eth8 up +be2net 0000:01:04.0 eth8: Link is Up + +Initialization is now OK. 
+ +v2 - Corrected the comment and condition check suggested by Suresh & Harsha + +Fixes: 34393529163a ("be2net: fix MAC addr setting on privileged BE3 VFs") +Cc: Sathya Perla +Cc: Ajit Khaparde +Cc: Sriharsha Basavapatna +Cc: Somnath Kotur +Signed-off-by: Ivan Vecera +Acked-by: Sriharsha Basavapatna +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 33 +++++++++++++++++++++++----- + 1 file changed, 28 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -362,8 +362,10 @@ static int be_mac_addr_set(struct net_de + status = -EPERM; + goto err; + } +-done: ++ ++ /* Remember currently programmed MAC */ + ether_addr_copy(adapter->dev_mac, addr->sa_data); ++done: + ether_addr_copy(netdev->dev_addr, addr->sa_data); + dev_info(dev, "MAC address changed to %pM\n", addr->sa_data); + return 0; +@@ -3635,8 +3637,10 @@ static void be_disable_if_filters(struct + { + /* Don't delete MAC on BE3 VFs without FILTMGMT privilege */ + if (!BEx_chip(adapter) || !be_virtfn(adapter) || +- check_privilege(adapter, BE_PRIV_FILTMGMT)) ++ check_privilege(adapter, BE_PRIV_FILTMGMT)) { + be_dev_mac_del(adapter, adapter->pmac_id[0]); ++ eth_zero_addr(adapter->dev_mac); ++ } + + be_clear_uc_list(adapter); + be_clear_mc_list(adapter); +@@ -3790,12 +3794,27 @@ static int be_enable_if_filters(struct b + if (status) + return status; + +- /* Don't add MAC on BE3 VFs without FILTMGMT privilege */ +- if (!BEx_chip(adapter) || !be_virtfn(adapter) || +- check_privilege(adapter, BE_PRIV_FILTMGMT)) { ++ /* Normally this condition usually true as the ->dev_mac is zeroed. 
++ * But on BE3 VFs the initial MAC is pre-programmed by PF and ++ * subsequent be_dev_mac_add() can fail (after fresh boot) ++ */ ++ if (!ether_addr_equal(adapter->dev_mac, adapter->netdev->dev_addr)) { ++ int old_pmac_id = -1; ++ ++ /* Remember old programmed MAC if any - can happen on BE3 VF */ ++ if (!is_zero_ether_addr(adapter->dev_mac)) ++ old_pmac_id = adapter->pmac_id[0]; ++ + status = be_dev_mac_add(adapter, adapter->netdev->dev_addr); + if (status) + return status; ++ ++ /* Delete the old programmed MAC as we successfully programmed ++ * a new MAC ++ */ ++ if (old_pmac_id >= 0 && old_pmac_id != adapter->pmac_id[0]) ++ be_dev_mac_del(adapter, old_pmac_id); ++ + ether_addr_copy(adapter->dev_mac, adapter->netdev->dev_addr); + } + +@@ -4569,6 +4588,10 @@ static int be_mac_setup(struct be_adapte + + memcpy(adapter->netdev->dev_addr, mac, ETH_ALEN); + memcpy(adapter->netdev->perm_addr, mac, ETH_ALEN); ++ ++ /* Initial MAC for BE3 VFs is already programmed by PF */ ++ if (BEx_chip(adapter) && be_virtfn(adapter)) ++ memcpy(adapter->dev_mac, mac, ETH_ALEN); + } + + return 0; diff --git a/queue-4.9/be2net-fix-unicast-list-filling.patch b/queue-4.9/be2net-fix-unicast-list-filling.patch new file mode 100644 index 00000000000..2b8c91fe287 --- /dev/null +++ b/queue-4.9/be2net-fix-unicast-list-filling.patch 
@@ -0,0 +1,44 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ivan Vecera +Date: Fri, 6 Jan 2017 21:59:30 +0100 +Subject: be2net: fix unicast list filling + +From: Ivan Vecera + + +[ Upstream commit 6052cd1af86f9833b6b0b60d5d4787c4a06d65ea ] + +The adapter->pmac_id[0] item is used for primary MAC address but +this is not true for adapter->uc_list[0] as is assumed in +be_set_uc_list(). There are N UC addresses copied first from net_device +to adapter->uc_list[1..N] and then N UC addresses from +adapter->uc_list[0..N-1] are sent to HW. So the last UC address is never +stored into HW and address 00:00:00:00;00:00 (from uc_list[0]) is used +instead. + +Cc: Sathya Perla +Cc: Ajit Khaparde +Cc: Sriharsha Basavapatna +Cc: Somnath Kotur +Fixes: b717241 be2net: replace polling with sleeping in the FW completion path +Signed-off-by: Ivan Vecera +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1719,9 +1719,8 @@ static void be_set_uc_list(struct be_ada + } + + if (adapter->update_uc_list) { +- i = 1; /* First slot is claimed by the Primary MAC */ +- + /* cache the uc-list in adapter array */ ++ i = 0; + netdev_for_each_uc_addr(ha, netdev) { + ether_addr_copy(adapter->uc_list[i].mac, ha->addr); + i++; diff --git a/queue-4.9/cec-initiator-should-be-the-same-as-the-destination-for-poll.patch b/queue-4.9/cec-initiator-should-be-the-same-as-the-destination-for-poll.patch new file mode 100644 index 00000000000..113f39c5b28 --- /dev/null +++ b/queue-4.9/cec-initiator-should-be-the-same-as-the-destination-for-poll.patch 
@@ -0,0 +1,56 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Hans Verkuil +Date: Sat, 11 Feb 2017 09:24:46 -0200 +Subject: [media] cec: initiator should be the same as the destination for, poll + +From: Hans Verkuil + + +[ Upstream commit 42980da2eb7eb9695d8efc0c0ef145cbbb993b2c ] + +Poll messages that are used to allocate a logical address should +use the same initiator as the destination. Instead, it expected that +the initiator was 0xf which is not according to the standard. + +This also had consequences for the message checks in cec_transmit_msg_fh +that incorrectly rejected poll messages with the same initiator and +destination. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/cec/cec-adap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/staging/media/cec/cec-adap.c ++++ b/drivers/staging/media/cec/cec-adap.c +@@ -608,8 +608,7 @@ int cec_transmit_msg_fh(struct cec_adapt + } + memset(msg->msg + msg->len, 0, sizeof(msg->msg) - msg->len); + if (msg->len == 1) { +- if (cec_msg_initiator(msg) != 0xf || +- cec_msg_destination(msg) == 0xf) { ++ if (cec_msg_destination(msg) == 0xf) { + dprintk(1, "cec_transmit_msg: invalid poll message\n"); + return -EINVAL; + } +@@ -634,7 +633,7 @@ int cec_transmit_msg_fh(struct cec_adapt + dprintk(1, "cec_transmit_msg: destination is the adapter itself\n"); + return -EINVAL; + } +- if (cec_msg_initiator(msg) != 0xf && ++ if (msg->len > 1 && adap->is_configured && + !cec_has_log_addr(adap, cec_msg_initiator(msg))) { + dprintk(1, "cec_transmit_msg: initiator has unknown logical address %d\n", + cec_msg_initiator(msg)); +@@ -883,7 +882,7 @@ static int cec_config_log_addr(struct ce + + /* Send poll message */ + msg.len = 1; +- msg.msg[0] = 0xf0 | log_addr; ++ msg.msg[0] = (log_addr << 4) | log_addr; + err = cec_transmit_msg_fh(adap, &msg, NULL, true); + + /* 
diff --git a/queue-4.9/dax-avoid-page-invalidation-races-and-unnecessary-radix-tree-traversals.patch b/queue-4.9/dax-avoid-page-invalidation-races-and-unnecessary-radix-tree-traversals.patch new file mode 100644 index 00000000000..ff327b6bd8a --- /dev/null +++ b/queue-4.9/dax-avoid-page-invalidation-races-and-unnecessary-radix-tree-traversals.patch 
@@ -0,0 +1,75 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Jan Kara +Date: Wed, 10 Aug 2016 17:10:28 +0200 +Subject: dax: Avoid page invalidation races and unnecessary radix tree traversals + +From: Jan Kara + + +[ Upstream commit e3fce68cdbed297d927e993b3ea7b8b1cee545da ] + +Currently dax_iomap_rw() takes care of invalidating page tables and +evicting hole pages from the radix tree when write(2) to the file +happens. This invalidation is only necessary when there is some block +allocation resulting from write(2). Furthermore in current place the +invalidation is racy wrt page fault instantiating a hole page just after +we have invalidated it. + +So perform the page invalidation inside dax_iomap_actor() where we can +do it only when really necessary and after blocks have been allocated so +nobody will be instantiating new hole pages anymore. + +Reviewed-by: Christoph Hellwig +Reviewed-by: Ross Zwisler +Signed-off-by: Jan Kara +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dax.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1265,6 +1265,17 @@ iomap_dax_actor(struct inode *inode, lof + if (WARN_ON_ONCE(iomap->type != IOMAP_MAPPED)) + return -EIO; + ++ /* ++ * Write can allocate block for an area which has a hole page mapped ++ * into page tables. We have to tear down these mappings so that data ++ * written by write(2) is visible in mmap. 
++ */ ++ if ((iomap->flags & IOMAP_F_NEW) && inode->i_mapping->nrpages) { ++ invalidate_inode_pages2_range(inode->i_mapping, ++ pos >> PAGE_SHIFT, ++ (end - 1) >> PAGE_SHIFT); ++ } ++ + while (pos < end) { + unsigned offset = pos & (PAGE_SIZE - 1); + struct blk_dax_ctl dax = { 0 }; +@@ -1329,23 +1340,6 @@ iomap_dax_rw(struct kiocb *iocb, struct + if (iov_iter_rw(iter) == WRITE) + flags |= IOMAP_WRITE; + +- /* +- * Yes, even DAX files can have page cache attached to them: A zeroed +- * page is inserted into the pagecache when we have to serve a write +- * fault on a hole. It should never be dirtied and can simply be +- * dropped from the pagecache once we get real data for the page. +- * +- * XXX: This is racy against mmap, and there's nothing we can do about +- * it. We'll eventually need to shift this down even further so that +- * we can check if we allocated blocks over a hole first. +- */ +- if (mapping->nrpages) { +- ret = invalidate_inode_pages2_range(mapping, +- pos >> PAGE_SHIFT, +- (pos + iov_iter_count(iter) - 1) >> PAGE_SHIFT); +- WARN_ON_ONCE(ret); +- } +- + while (iov_iter_count(iter)) { + ret = iomap_apply(inode, pos, iov_iter_count(iter), flags, ops, + iter, iomap_dax_actor); diff --git a/queue-4.9/dmaengine-pl330-fix-double-lock.patch b/queue-4.9/dmaengine-pl330-fix-double-lock.patch new file mode 100644 index 00000000000..b6830dc4247 --- /dev/null +++ b/queue-4.9/dmaengine-pl330-fix-double-lock.patch 
@@ -0,0 +1,145 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Iago Abal +Date: Wed, 11 Jan 2017 14:00:21 +0100 +Subject: dmaengine: pl330: fix double lock + +From: Iago Abal + + +[ Upstream commit 91539eb1fda2d530d3b268eef542c5414e54bf1a ] + +The static bug finder EBA (http://www.iagoabal.eu/eba/) reported the +following double-lock bug: + + Double lock: + 1. spin_lock_irqsave(pch->lock, flags) at pl330_free_chan_resources:2236; + 2. call to function `pl330_release_channel' immediately after; + 3. call to function `dma_pl330_rqcb' in line 1753; + 4. spin_lock_irqsave(pch->lock, flags) at dma_pl330_rqcb:1505. + +I have fixed it as suggested by Marek Szyprowski. + +First, I have replaced `pch->lock' with `pl330->lock' in functions +`pl330_alloc_chan_resources' and `pl330_free_chan_resources'. This avoids +the double-lock by acquiring a different lock than `dma_pl330_rqcb'. + +NOTE that, as a result, `pl330_free_chan_resources' executes +`list_splice_tail_init' on `pch->work_list' under lock `pl330->lock', +whereas in the rest of the code `pch->work_list' is protected by +`pch->lock'. I don't know if this may cause race conditions. Similarly +`pch->cyclic' is written by `pl330_alloc_chan_resources' under +`pl330->lock' but read by `pl330_tx_submit' under `pch->lock'. + +Second, I have removed locking from `pl330_request_channel' and +`pl330_release_channel' functions. Function `pl330_request_channel' is +only called from `pl330_alloc_chan_resources', so the lock is already +held. Function `pl330_release_channel' is called from +`pl330_free_chan_resources', which already holds the lock, and from +`pl330_del'. Function `pl330_del' is called in an error path of +`pl330_probe' and at the end of `pl330_remove', but I assume that there +cannot be concurrent accesses to the protected data at those points. 
+ +Signed-off-by: Iago Abal +Reviewed-by: Marek Szyprowski +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1694,7 +1694,6 @@ static bool _chan_ns(const struct pl330_ + static struct pl330_thread *pl330_request_channel(struct pl330_dmac *pl330) + { + struct pl330_thread *thrd = NULL; +- unsigned long flags; + int chans, i; + + if (pl330->state == DYING) +@@ -1702,8 +1701,6 @@ static struct pl330_thread *pl330_reques + + chans = pl330->pcfg.num_chan; + +- spin_lock_irqsave(&pl330->lock, flags); +- + for (i = 0; i < chans; i++) { + thrd = &pl330->channels[i]; + if ((thrd->free) && (!_manager_ns(thrd) || +@@ -1721,8 +1718,6 @@ static struct pl330_thread *pl330_reques + thrd = NULL; + } + +- spin_unlock_irqrestore(&pl330->lock, flags); +- + return thrd; + } + +@@ -1740,7 +1735,6 @@ static inline void _free_event(struct pl + static void pl330_release_channel(struct pl330_thread *thrd) + { + struct pl330_dmac *pl330; +- unsigned long flags; + + if (!thrd || thrd->free) + return; +@@ -1752,10 +1746,8 @@ static void pl330_release_channel(struct + + pl330 = thrd->dmac; + +- spin_lock_irqsave(&pl330->lock, flags); + _free_event(thrd, thrd->ev); + thrd->free = true; +- spin_unlock_irqrestore(&pl330->lock, flags); + } + + /* Initialize the structure for PL330 configuration, that can be used +@@ -2120,20 +2112,20 @@ static int pl330_alloc_chan_resources(st + struct pl330_dmac *pl330 = pch->dmac; + unsigned long flags; + +- spin_lock_irqsave(&pch->lock, flags); ++ spin_lock_irqsave(&pl330->lock, flags); + + dma_cookie_init(chan); + pch->cyclic = false; + + pch->thread = pl330_request_channel(pl330); + if (!pch->thread) { +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + return -ENOMEM; + } + + tasklet_init(&pch->task, pl330_tasklet, 
(unsigned long) pch); + +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + + return 1; + } +@@ -2236,12 +2228,13 @@ static int pl330_pause(struct dma_chan * + static void pl330_free_chan_resources(struct dma_chan *chan) + { + struct dma_pl330_chan *pch = to_pchan(chan); ++ struct pl330_dmac *pl330 = pch->dmac; + unsigned long flags; + + tasklet_kill(&pch->task); + + pm_runtime_get_sync(pch->dmac->ddma.dev); +- spin_lock_irqsave(&pch->lock, flags); ++ spin_lock_irqsave(&pl330->lock, flags); + + pl330_release_channel(pch->thread); + pch->thread = NULL; +@@ -2249,7 +2242,7 @@ static void pl330_free_chan_resources(st + if (pch->cyclic) + list_splice_tail_init(&pch->work_list, &pch->dmac->desc_pool); + +- spin_unlock_irqrestore(&pch->lock, flags); ++ spin_unlock_irqrestore(&pl330->lock, flags); + pm_runtime_mark_last_busy(pch->dmac->ddma.dev); + pm_runtime_put_autosuspend(pch->dmac->ddma.dev); + } diff --git a/queue-4.9/dmaengine-stm32-dma-fix-null-pointer-dereference-in-stm32_dma_tx_status.patch b/queue-4.9/dmaengine-stm32-dma-fix-null-pointer-dereference-in-stm32_dma_tx_status.patch new file mode 100644 index 00000000000..e7a8c283714 --- /dev/null +++ b/queue-4.9/dmaengine-stm32-dma-fix-null-pointer-dereference-in-stm32_dma_tx_status.patch 
@@ -0,0 +1,54 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: M'boumba Cedric Madianga +Date: Tue, 13 Dec 2016 14:40:46 +0100 +Subject: dmaengine: stm32-dma: Fix null pointer dereference in stm32_dma_tx_status + +From: M'boumba Cedric Madianga + + +[ Upstream commit 57b5a32135c813f2ab669039fb4ec16b30cb3305 ] + +chan->desc is always set to NULL when a DMA transfer is complete. +As a DMA transfer could be complete during the call of stm32_dma_tx_status, +we need to be sure that chan->desc is not NULL before using this variable +to avoid a null pointer deference issue. + +Signed-off-by: M'boumba Cedric Madianga +Reviewed-by: Ludovic BARRE +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-dma.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -884,7 +884,7 @@ static enum dma_status stm32_dma_tx_stat + struct virt_dma_desc *vdesc; + enum dma_status status; + unsigned long flags; +- u32 residue; ++ u32 residue = 0; + + status = dma_cookie_status(c, cookie, state); + if ((status == DMA_COMPLETE) || (!state)) +@@ -892,16 +892,12 @@ static enum dma_status stm32_dma_tx_stat + + spin_lock_irqsave(&chan->vchan.lock, flags); + vdesc = vchan_find_desc(&chan->vchan, cookie); +- if (cookie == chan->desc->vdesc.tx.cookie) { ++ if (chan->desc && cookie == chan->desc->vdesc.tx.cookie) + residue = stm32_dma_desc_residue(chan, chan->desc, + chan->next_sg); +- } else if (vdesc) { ++ else if (vdesc) + residue = stm32_dma_desc_residue(chan, + to_stm32_dma_desc(vdesc), 0); +- } else { +- residue = 0; +- } +- + dma_set_residue(state, residue); + + spin_unlock_irqrestore(&chan->vchan.lock, flags); diff --git a/queue-4.9/dmaengine-stm32-dma-set-correct-args-number-for-dma-request-from-dt.patch b/queue-4.9/dmaengine-stm32-dma-set-correct-args-number-for-dma-request-from-dt.patch new file mode 100644 index 00000000000..c87901710fe 
--- /dev/null +++ b/queue-4.9/dmaengine-stm32-dma-set-correct-args-number-for-dma-request-from-dt.patch @@ -0,0 +1,48 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: M'boumba Cedric Madianga +Date: Tue, 13 Dec 2016 14:40:43 +0100 +Subject: dmaengine: stm32-dma: Set correct args number for DMA request from DT + +From: M'boumba Cedric Madianga + + +[ Upstream commit 7e96304d99477de1f70db42035071e56439da817 ] + +This patch sets the right number of arguments to be used for DMA clients +which request channels from DT. + +Signed-off-by: M'boumba Cedric Madianga +Reviewed-by: Ludovic BARRE +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-dma.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -976,21 +976,18 @@ static struct dma_chan *stm32_dma_of_xla + struct stm32_dma_chan *chan; + struct dma_chan *c; + +- if (dma_spec->args_count < 3) ++ if (dma_spec->args_count < 4) + return NULL; + + cfg.channel_id = dma_spec->args[0]; + cfg.request_line = dma_spec->args[1]; + cfg.stream_config = dma_spec->args[2]; +- cfg.threshold = 0; ++ cfg.threshold = dma_spec->args[3]; + + if ((cfg.channel_id >= STM32_DMA_MAX_CHANNELS) || (cfg.request_line >= + STM32_DMA_MAX_REQUEST_ID)) + return NULL; + +- if (dma_spec->args_count > 3) +- cfg.threshold = dma_spec->args[3]; +- + chan = &dmadev->chan[cfg.channel_id]; + + c = dma_get_slave_channel(&chan->vchan.chan); diff --git a/queue-4.9/drm-amdgpu-fix-bug-set-incorrect-value-to-vce-register.patch b/queue-4.9/drm-amdgpu-fix-bug-set-incorrect-value-to-vce-register.patch new file mode 100644 index 00000000000..1a73edf7164 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-bug-set-incorrect-value-to-vce-register.patch 
@@ -0,0 +1,32 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Rex Zhu +Date: Tue, 10 Jan 2017 20:00:40 +0800 +Subject: drm/amdgpu: fix bug set incorrect value to vce register + +From: Rex Zhu + + +[ Upstream commit e05208ded1905e500cd5b369d624b071951c68b9 ] + +Set the proper bits for clockgating setup. + +Signed-off-by: Rex Zhu +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c +@@ -182,7 +182,7 @@ static void vce_v3_0_set_vce_sw_clock_ga + WREG32(mmVCE_UENC_CLOCK_GATING_2, data); + + data = RREG32(mmVCE_UENC_REG_CLOCK_GATING); +- data &= ~0xffc00000; ++ data &= ~0x3ff; + WREG32(mmVCE_UENC_REG_CLOCK_GATING, data); + + data = RREG32(mmVCE_UENC_DMA_DCLK_CTRL); diff --git a/queue-4.9/drm-amdgpu-fix-unload-driver-issue-for-virtual-display.patch b/queue-4.9/drm-amdgpu-fix-unload-driver-issue-for-virtual-display.patch new file mode 100644 index 00000000000..ca98ef4954d --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-unload-driver-issue-for-virtual-display.patch 
@@ -0,0 +1,39 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Xiangliang Yu +Date: Thu, 19 Jan 2017 09:57:41 +0800 +Subject: drm/amdgpu: fix unload driver issue for virtual display + +From: Xiangliang Yu + + +[ Upstream commit 3a1d19a29670aa7eb58576a31883d0aa9fb77549 ] + +Virtual display doesn't allocate amdgpu_encoder when initializing, +so will get invaild pointer if try to free amdgpu_encoder when +unloading driver. + +Signed-off-by: Xiangliang Yu +Reviewed-by: Alex Deucher +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/dce_virtual.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/dce_virtual.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_virtual.c +@@ -565,11 +565,8 @@ static const struct drm_encoder_helper_f + + static void dce_virtual_encoder_destroy(struct drm_encoder *encoder) + { +- struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder); +- +- kfree(amdgpu_encoder->enc_priv); + drm_encoder_cleanup(encoder); +- kfree(amdgpu_encoder); ++ kfree(encoder); + } + + static const struct drm_encoder_funcs dce_virtual_encoder_funcs = { diff --git a/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-also-if-planes-are-disabled.patch b/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-also-if-planes-are-disabled.patch new file mode 100644 index 00000000000..8f1e5350179 --- /dev/null +++ b/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-also-if-planes-are-disabled.patch 
@@ -0,0 +1,65 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andrzej Hajda +Date: Fri, 13 Jan 2017 10:20:58 +0100 +Subject: drm/exynos/decon5433: set STANDALONE_UPDATE_F also if planes are disabled + +From: Andrzej Hajda + + +[ Upstream commit 821b40b79db7dedbfe15ab330dfd181e661a533f ] + +STANDALONE_UPDATE_F should be set if something changed in plane configurations, +including plane disable. +The patch fixes page-faults bugs, caused by decon still using framebuffers +of disabled planes. + +v2: fixed clear-bit code (Thx Marek) +v3: use test_and_clear_bit (Thx Joonyoung) + +Signed-off-by: Andrzej Hajda +Tested-by: Joonyoung Shim +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -46,7 +46,8 @@ enum decon_flag_bits { + BIT_CLKS_ENABLED, + BIT_IRQS_ENABLED, + BIT_WIN_UPDATED, +- BIT_SUSPENDED ++ BIT_SUSPENDED, ++ BIT_REQUEST_UPDATE + }; + + struct decon_context { +@@ -313,6 +314,7 @@ static void decon_update_plane(struct ex + + /* window enable */ + decon_set_bits(ctx, DECON_WINCONx(win), WINCONx_ENWIN_F, ~0); ++ set_bit(BIT_REQUEST_UPDATE, &ctx->flags); + } + + static void decon_disable_plane(struct exynos_drm_crtc *crtc, +@@ -325,6 +327,7 @@ static void decon_disable_plane(struct e + return; + + decon_set_bits(ctx, DECON_WINCONx(win), WINCONx_ENWIN_F, 0); ++ set_bit(BIT_REQUEST_UPDATE, &ctx->flags); + } + + static void decon_atomic_flush(struct exynos_drm_crtc *crtc) +@@ -338,8 +341,7 @@ static void decon_atomic_flush(struct ex + for (i = ctx->first_win; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, false); + +- /* update iff there are active windows */ +- if (crtc->base.state->plane_mask) ++ if (test_and_clear_bit(BIT_REQUEST_UPDATE, &ctx->flags)) + decon_set_bits(ctx, DECON_UPDATE, 
STANDALONE_UPDATE_F, ~0); + + if (ctx->out_type & IFTYPE_I80) diff --git a/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch b/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch new file mode 100644 index 00000000000..99b45cd41be --- /dev/null +++ b/queue-4.9/drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andrzej Hajda +Date: Tue, 17 Jan 2017 15:15:20 +0100 +Subject: drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement + +From: Andrzej Hajda + + +[ Upstream commit 11d8bcef7a0399e1d2519f207fd575fc404306b4 ] + +DECON_TV requires STANDALONE_UPDATE after output enabling, otherwise it does +not start. This change is neutral for DECON. + +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -189,6 +189,8 @@ static void decon_commit(struct exynos_d + + /* enable output and display signal */ + decon_set_bits(ctx, DECON_VIDCON0, VIDCON0_ENVID | VIDCON0_ENVID_F, ~0); ++ ++ decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0); + } + + static void decon_win_set_pixfmt(struct decon_context *ctx, unsigned int win, diff --git a/queue-4.9/drm-exynos-decon5433-update-shadow-registers-iff-there-are-active-windows.patch b/queue-4.9/drm-exynos-decon5433-update-shadow-registers-iff-there-are-active-windows.patch new file mode 100644 index 00000000000..158012c1673 --- /dev/null +++ b/queue-4.9/drm-exynos-decon5433-update-shadow-registers-iff-there-are-active-windows.patch 
@@ -0,0 +1,50 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andrzej Hajda +Date: Mon, 9 Jan 2017 15:33:02 +0100 +Subject: drm/exynos/decon5433: update shadow registers iff there are active windows + +From: Andrzej Hajda + + +[ Upstream commit f65a7c9cb3770ed4d3e7c57c66d7032689081b5e ] + +Improper usage of DECON_UPDATE register leads to subtle errors. +If it set in decon_commit when there are no active windows it results +in slow registry updates - all subsequent shadow registry updates takes more +than full vblank. On the other side if it is not set when there are +active windows it results in garbage on the screen after suspend/resume of +FB console. + +The patch hopefully fixes it. + +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -188,8 +188,6 @@ static void decon_commit(struct exynos_d + + /* enable output and display signal */ + decon_set_bits(ctx, DECON_VIDCON0, VIDCON0_ENVID | VIDCON0_ENVID_F, ~0); +- +- decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0); + } + + static void decon_win_set_pixfmt(struct decon_context *ctx, unsigned int win, +@@ -340,8 +338,9 @@ static void decon_atomic_flush(struct ex + for (i = ctx->first_win; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, false); + +- /* standalone update */ +- decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0); ++ /* update iff there are active windows */ ++ if (crtc->base.state->plane_mask) ++ decon_set_bits(ctx, DECON_UPDATE, STANDALONE_UPDATE_F, ~0); + + if (ctx->out_type & IFTYPE_I80) + set_bit(BIT_WIN_UPDATED, &ctx->flags); 
diff --git a/queue-4.9/edac-sb_edac-fix-missing-break-in-switch.patch b/queue-4.9/edac-sb_edac-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..29afdbef23e --- /dev/null +++ b/queue-4.9/edac-sb_edac-fix-missing-break-in-switch.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: "Gustavo A. R. Silva" +Date: Mon, 16 Oct 2017 12:40:29 -0500 +Subject: EDAC, sb_edac: Fix missing break in switch + +From: "Gustavo A. R. Silva" + + +[ Upstream commit a8e9b186f153a44690ad0363a56716e7077ad28c ] + +Add missing break statement in order to prevent the code from falling +through. + +Signed-off-by: Gustavo A. R. Silva +Cc: Qiuxu Zhuo +Cc: linux-edac +Link: http://lkml.kernel.org/r/20171016174029.GA19757@embeddedor.com +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/sb_edac.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -2510,6 +2510,7 @@ static int ibridge_mci_bind_devs(struct + break; + case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_TA: + pvt->pci_ta = pdev; ++ break; + case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_RAS: + pvt->pci_ras = pdev; + break; diff --git a/queue-4.9/gtp-clear-df-bit-on-gtp-packet-tx.patch b/queue-4.9/gtp-clear-df-bit-on-gtp-packet-tx.patch new file mode 100644 index 00000000000..e6e768eb9c1 --- /dev/null +++ b/queue-4.9/gtp-clear-df-bit-on-gtp-packet-tx.patch 
@@ -0,0 +1,38 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andreas Schultz +Date: Fri, 27 Jan 2017 10:40:57 +0100 +Subject: gtp: clear DF bit on GTP packet tx + +From: Andreas Schultz + + +[ Upstream commit c6ce1d08eede4c2968ed08aafa3165e8e183c5a1 ] + +3GPP TS 29.281 and 3GPP TS 29.060 imply that GTP-U packets should be +sent with the DF bit cleared. For example 3GPP TS 29.060, Release 8, +Section 13.2.2: + +> Backbone router: Any router in the backbone may fragment the GTP +> packet if needed, according to IPv4. + +Signed-off-by: Andreas Schultz +Acked-by: Harald Welte +Acked-by: Pablo Neira Ayuso +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -612,7 +612,7 @@ static netdev_tx_t gtp_dev_xmit(struct s + pktinfo.fl4.saddr, pktinfo.fl4.daddr, + pktinfo.iph->tos, + ip4_dst_hoplimit(&pktinfo.rt->dst), +- htons(IP_DF), ++ 0, + pktinfo.gtph_port, pktinfo.gtph_port, + true, false); + break; diff --git a/queue-4.9/gtp-fix-cross-netns-recv-on-gtp-socket.patch b/queue-4.9/gtp-fix-cross-netns-recv-on-gtp-socket.patch new file mode 100644 index 00000000000..a4243bbf572 --- /dev/null +++ b/queue-4.9/gtp-fix-cross-netns-recv-on-gtp-socket.patch 
@@ -0,0 +1,80 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andreas Schultz +Date: Fri, 27 Jan 2017 10:40:58 +0100 +Subject: gtp: fix cross netns recv on gtp socket + +From: Andreas Schultz + + +[ Upstream commit 3ab1b469e847ba425af3c5ad5068cc94b55b38d0 ] + +The use of the passed through netlink src_net to check for a +cross netns operation was wrong. Using the GTP socket and the +GTP netdevice is always correct (even if the netdev has been +moved to new netns after link creation). + +Remove the now obsolete net field from gtp_dev. + +Signed-off-by: Andreas Schultz +Acked-by: Pablo Neira Ayuso +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -69,7 +69,6 @@ struct gtp_dev { + struct socket *sock0; + struct socket *sock1u; + +- struct net *net; + struct net_device *dev; + + unsigned int hash_size; +@@ -316,7 +315,7 @@ static int gtp_encap_recv(struct sock *s + + netdev_dbg(gtp->dev, "encap_recv sk=%p\n", sk); + +- xnet = !net_eq(gtp->net, dev_net(gtp->dev)); ++ xnet = !net_eq(sock_net(sk), dev_net(gtp->dev)); + + switch (udp_sk(sk)->encap_type) { + case UDP_ENCAP_GTP0: +@@ -658,7 +657,7 @@ static void gtp_link_setup(struct net_de + static int gtp_hashtable_new(struct gtp_dev *gtp, int hsize); + static void gtp_hashtable_free(struct gtp_dev *gtp); + static int gtp_encap_enable(struct net_device *dev, struct gtp_dev *gtp, +- int fd_gtp0, int fd_gtp1, struct net *src_net); ++ int fd_gtp0, int fd_gtp1); + + static int gtp_newlink(struct net *src_net, struct net_device *dev, + struct nlattr *tb[], struct nlattr *data[]) +@@ -675,7 +674,7 @@ static int gtp_newlink(struct net *src_n + fd0 = nla_get_u32(data[IFLA_GTP_FD0]); + fd1 = nla_get_u32(data[IFLA_GTP_FD1]); + +- err = gtp_encap_enable(dev, gtp, fd0, fd1, src_net); ++ err = gtp_encap_enable(dev, gtp, fd0, fd1); + if (err < 
0) + goto out_err; + +@@ -821,7 +820,7 @@ static void gtp_hashtable_free(struct gt + } + + static int gtp_encap_enable(struct net_device *dev, struct gtp_dev *gtp, +- int fd_gtp0, int fd_gtp1, struct net *src_net) ++ int fd_gtp0, int fd_gtp1) + { + struct udp_tunnel_sock_cfg tuncfg = {NULL}; + struct socket *sock0, *sock1u; +@@ -858,7 +857,6 @@ static int gtp_encap_enable(struct net_d + + gtp->sock0 = sock0; + gtp->sock1u = sock1u; +- gtp->net = src_net; + + tuncfg.sk_user_data = gtp; + tuncfg.encap_rcv = gtp_encap_recv; diff --git a/queue-4.9/i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch b/queue-4.9/i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch new file mode 100644 index 00000000000..6eaf22f9849 --- /dev/null +++ b/queue-4.9/i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch 
@@ -0,0 +1,47 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Mike Looijmans +Date: Mon, 16 Jan 2017 15:49:38 +0100 +Subject: i2c: i2c-cadence: Initialize configuration before probing devices + +From: Mike Looijmans + + +[ Upstream commit 0e1929dedea36781e25902118c93edd8d8f09af1 ] + +The cadence I2C driver calls cdns_i2c_writereg(..) to setup a workaround +in the controller, but did so after calling i2c_add_adapter() which starts +probing devices on the bus. Change the order so that the configuration is +completely finished before using the adapter. + +Signed-off-by: Mike Looijmans +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-cadence.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -962,10 +962,6 @@ static int cdns_i2c_probe(struct platfor + goto err_clk_dis; + } + +- ret = i2c_add_adapter(&id->adap); +- if (ret < 0) +- goto err_clk_dis; +- + /* + * Cadence I2C controller has a bug wherein it generates + * invalid read transaction after HW timeout in master receiver mode. +@@ -975,6 +971,10 @@ static int cdns_i2c_probe(struct platfor + */ + cdns_i2c_writereg(CDNS_I2C_TIMEOUT_MAX, CDNS_I2C_TIME_OUT_OFFSET); + ++ ret = i2c_add_adapter(&id->adap); ++ if (ret < 0) ++ goto err_clk_dis; ++ + dev_info(&pdev->dev, "%u kHz mmio %08lx irq %d\n", + id->i2c_clk / 1000, (unsigned long)r_mem->start, id->irq); + diff --git a/queue-4.9/iio-adc-ti-ads1015-add-10-to-conversion-wait-time.patch b/queue-4.9/iio-adc-ti-ads1015-add-10-to-conversion-wait-time.patch new file mode 100644 index 00000000000..9676c867ed7 --- /dev/null +++ b/queue-4.9/iio-adc-ti-ads1015-add-10-to-conversion-wait-time.patch 
@@ -0,0 +1,39 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ladislav Michl +Date: Fri, 25 Aug 2017 07:39:16 +0200 +Subject: iio: adc: ti-ads1015: add 10% to conversion wait time + +From: Ladislav Michl + + +[ Upstream commit fe895ac88b9fbdf2026f0bfd56c82747bb9d7c48 ] + +As user's guide "ADS1015EVM, ADS1115EVM, ADS1015EVM-PDK, ADS1115EVM-PDK +User Guide (Rev. B)" (http://www.ti.com/lit/ug/sbau157b/sbau157b.pdf) +states at page 16: +"Note that both the ADS1115 and ADS1015 have internal clocks with a ±10% +accuracy. If performing FFT tests, frequencies may appear to be incorrect +as a result of this tolerance range.", add those 10% to converion wait +time. + +Cc: Daniel Baluta +Cc: Jonathan Cameron +Signed-off-by: Ladislav Michl +Reviewed-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-ads1015.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -269,6 +269,7 @@ int ads1015_get_adc_result(struct ads101 + + conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr_old]); + conv_time += DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]); ++ conv_time += conv_time / 10; /* 10% internal clock inaccuracy */ + usleep_range(conv_time, conv_time + 1); + data->conv_invalid = false; + } diff --git a/queue-4.9/ima-fix-hash-algorithm-initialization.patch b/queue-4.9/ima-fix-hash-algorithm-initialization.patch new file mode 100644 index 00000000000..4d787d86f0f --- /dev/null +++ b/queue-4.9/ima-fix-hash-algorithm-initialization.patch 
@@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Boshi Wang +Date: Fri, 20 Oct 2017 16:01:03 +0800 +Subject: ima: fix hash algorithm initialization + +From: Boshi Wang + + +[ Upstream commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee ] + +The hash_setup function always sets the hash_setup_done flag, even +when the hash algorithm is invalid. This prevents the default hash +algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. + +This patch sets hash_setup_done flag only for valid hash algorithms. + +Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" +Signed-off-by: Boshi Wang +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -51,6 +51,8 @@ static int __init hash_setup(char *str) + ima_hash_algo = HASH_ALGO_SHA1; + else if (strncmp(str, "md5", 3) == 0) + ima_hash_algo = HASH_ALGO_MD5; ++ else ++ return 1; + goto out; + } + +@@ -60,6 +62,8 @@ static int __init hash_setup(char *str) + break; + } + } ++ if (i == HASH_ALGO__LAST) ++ return 1; + out: + hash_setup_done = 1; + return 1; diff --git a/queue-4.9/kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch b/queue-4.9/kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch new file mode 100644 index 00000000000..4fe255d5f63 --- /dev/null +++ b/queue-4.9/kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch 
@@ -0,0 +1,74 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Masami Hiramatsu +Date: Fri, 20 Oct 2017 08:43:39 +0900 +Subject: kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y + +From: Masami Hiramatsu + + +[ Upstream commit a30b85df7d599f626973e9cd3056fe755bd778e0 ] + +We want to wait for all potentially preempted kprobes trampoline +execution to have completed. This guarantees that any freed +trampoline memory is not in use by any task in the system anymore. +synchronize_rcu_tasks() gives such a guarantee, so use it. + +Also, this guarantees to wait for all potentially preempted tasks +on the instructions which will be replaced with a jump. + +Since this becomes a problem only when CONFIG_PREEMPT=y, enable +CONFIG_TASKS_RCU=y for synchronize_rcu_tasks() in that case. + +Signed-off-by: Masami Hiramatsu +Acked-by: Paul E. McKenney +Cc: Ananth N Mavinakayanahalli +Cc: Linus Torvalds +Cc: Naveen N . Rao +Cc: Paul E . McKenney +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/150845661962.5443.17724352636247312231.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 2 +- + kernel/kprobes.c | 14 ++++++++------ + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -83,7 +83,7 @@ config STATIC_KEYS_SELFTEST + config OPTPROBES + def_bool y + depends on KPROBES && HAVE_OPTPROBES +- depends on !PREEMPT ++ select TASKS_RCU if PREEMPT + + config KPROBES_ON_FTRACE + def_bool y +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -540,13 +540,15 @@ static void kprobe_optimizer(struct work + do_unoptimize_kprobes(); + + /* +- * Step 2: Wait for quiesence period to ensure all running interrupts +- * are done. Because optprobe may modify multiple instructions +- * there is a chance that Nth instruction is interrupted. 
In that +- * case, running interrupt can return to 2nd-Nth byte of jump +- * instruction. This wait is for avoiding it. ++ * Step 2: Wait for quiesence period to ensure all potentially ++ * preempted tasks to have normally scheduled. Because optprobe ++ * may modify multiple instructions, there is a chance that Nth ++ * instruction is preempted. In that case, such tasks can return ++ * to 2nd-Nth byte of jump instruction. This wait is for avoiding it. ++ * Note that on non-preemptive kernel, this is transparently converted ++ * to synchronoze_sched() to wait for all interrupts to have completed. + */ +- synchronize_sched(); ++ synchronize_rcu_tasks(); + + /* Step 3: Optimize kprobes after quiesence period */ + do_optimize_kprobes(); diff --git a/queue-4.9/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch b/queue-4.9/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch new file mode 100644 index 00000000000..8b04a51a537 --- /dev/null +++ b/queue-4.9/kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch 
@@ -0,0 +1,93 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Masami Hiramatsu +Date: Tue, 19 Sep 2017 19:01:40 +0900 +Subject: kprobes/x86: Disable preemption in ftrace-based jprobes + +From: Masami Hiramatsu + + +[ Upstream commit 5bb4fc2d8641219732eb2bb654206775a4219aca ] + +Disable preemption in ftrace-based jprobe handlers as +described in Documentation/kprobes.txt: + + "Probe handlers are run with preemption disabled." + +This will fix jprobes behavior when CONFIG_PREEMPT=y. + +Signed-off-by: Masami Hiramatsu +Cc: Alexei Starovoitov +Cc: Alexei Starovoitov +Cc: Ananth N Mavinakayanahalli +Cc: Linus Torvalds +Cc: Paul E . McKenney +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/150581530024.32348.9863783558598926771.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kprobes/ftrace.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/kprobes/ftrace.c ++++ b/arch/x86/kernel/kprobes/ftrace.c +@@ -26,7 +26,7 @@ + #include "common.h" + + static nokprobe_inline +-int __skip_singlestep(struct kprobe *p, struct pt_regs *regs, ++void __skip_singlestep(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb, unsigned long orig_ip) + { + /* +@@ -41,20 +41,21 @@ int __skip_singlestep(struct kprobe *p, + __this_cpu_write(current_kprobe, NULL); + if (orig_ip) + regs->ip = orig_ip; +- return 1; + } + + int skip_singlestep(struct kprobe *p, struct pt_regs *regs, + struct kprobe_ctlblk *kcb) + { +- if (kprobe_ftrace(p)) +- return __skip_singlestep(p, regs, kcb, 0); +- else +- return 0; ++ if (kprobe_ftrace(p)) { ++ __skip_singlestep(p, regs, kcb, 0); ++ preempt_enable_no_resched(); ++ return 1; ++ } ++ return 0; + } + NOKPROBE_SYMBOL(skip_singlestep); + +-/* Ftrace callback handler for kprobes */ ++/* Ftrace callback handler for kprobes -- called under preepmt disabed */ + void 
kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ops, struct pt_regs *regs) + { +@@ -77,13 +78,17 @@ void kprobe_ftrace_handler(unsigned long + /* Kprobe handler expects regs->ip = ip + 1 as breakpoint hit */ + regs->ip = ip + sizeof(kprobe_opcode_t); + ++ /* To emulate trap based kprobes, preempt_disable here */ ++ preempt_disable(); + __this_cpu_write(current_kprobe, p); + kcb->kprobe_status = KPROBE_HIT_ACTIVE; +- if (!p->pre_handler || !p->pre_handler(p, regs)) ++ if (!p->pre_handler || !p->pre_handler(p, regs)) { + __skip_singlestep(p, regs, kcb, orig_ip); ++ preempt_enable_no_resched(); ++ } + /* + * If pre_handler returns !0, it sets regs->ip and +- * resets current kprobe. ++ * resets current kprobe, and keep preempt count +1. + */ + } + end: diff --git a/queue-4.9/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch b/queue-4.9/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch new file mode 100644 index 00000000000..d5d570772ba --- /dev/null +++ b/queue-4.9/kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch 
@@ -0,0 +1,58 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Christoffer Dall +Date: Mon, 9 Jan 2017 12:18:56 +0100 +Subject: KVM: arm/arm64: Fix occasional warning from the timer work function + +From: Christoffer Dall + + +[ Upstream commit 63e41226afc3f7a044b70325566fa86ac3142538 ] + +When a VCPU blocks (WFI) and has programmed the vtimer, we program a +soft timer to expire in the future to wake up the vcpu thread when +appropriate. Because such as wake up involves a vcpu kick, and the +timer expire function can get called from interrupt context, and the +kick may sleep, we have to schedule the kick in the work function. + +The work function currently has a warning that gets raised if it turns +out that the timer shouldn't fire when it's run, which was added because +the idea was that in that case the work should never have been cancelled. + +However, it turns out that this whole thing is racy and we can get +spurious warnings. The problem is that we clear the armed flag in the +work function, which may run in parallel with the +kvm_timer_unschedule->timer_disarm() call. This results in a possible +situation where the timer_disarm() call does not call +cancel_work_sync(), which effectively synchronizes the completion of the +work function with running the VCPU. As a result, the VCPU thread +proceeds before the work function completees, causing changes to the +timer state such that kvm_timer_should_fire(vcpu) returns false in the +work function. + +All we do in the work function is to kick the VCPU, and an occasional +rare extra kick never harmed anyone. Since the race above is extremely +rare, we don't bother checking if the race happens but simply remove the +check and the clearing of the armed flag from the work function. 
+ +Reported-by: Matthias Brugger +Reviewed-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/arch_timer.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/virt/kvm/arm/arch_timer.c ++++ b/virt/kvm/arm/arch_timer.c +@@ -89,9 +89,6 @@ static void kvm_timer_inject_irq_work(st + struct kvm_vcpu *vcpu; + + vcpu = container_of(work, struct kvm_vcpu, arch.timer_cpu.expired); +- vcpu->arch.timer_cpu.armed = false; +- +- WARN_ON(!kvm_timer_should_fire(vcpu)); + + /* + * If the vcpu is blocked we want to wake it up so that it will see diff --git a/queue-4.9/l2tp-take-remote-address-into-account-in-l2tp_ip-and-l2tp_ip6-socket-lookups.patch b/queue-4.9/l2tp-take-remote-address-into-account-in-l2tp_ip-and-l2tp_ip6-socket-lookups.patch new file mode 100644 index 00000000000..cfc571770e6 --- /dev/null +++ b/queue-4.9/l2tp-take-remote-address-into-account-in-l2tp_ip-and-l2tp_ip6-socket-lookups.patch 
@@ -0,0 +1,145 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Guillaume Nault +Date: Fri, 30 Dec 2016 19:48:20 +0100 +Subject: l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups + +From: Guillaume Nault + + +[ Upstream commit a9b2dff80be979432484afaf7f8d8e73f9e8838a ] + +For connected sockets, __l2tp_ip{,6}_bind_lookup() needs to check the +remote IP when looking for a matching socket. Otherwise a connected +socket can receive traffic not originating from its peer. + +Drop l2tp_ip_bind_lookup() and l2tp_ip6_bind_lookup() instead of +updating their prototype, as these functions aren't used. + +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_ip.c | 19 ++++++------------- + net/l2tp/l2tp_ip6.c | 20 ++++++-------------- + 2 files changed, 12 insertions(+), 27 deletions(-) + +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -48,7 +48,8 @@ static inline struct l2tp_ip_sock *l2tp_ + return (struct l2tp_ip_sock *)sk; + } + +-static struct sock *__l2tp_ip_bind_lookup(struct net *net, __be32 laddr, int dif, u32 tunnel_id) ++static struct sock *__l2tp_ip_bind_lookup(const struct net *net, __be32 laddr, ++ __be32 raddr, int dif, u32 tunnel_id) + { + struct sock *sk; + +@@ -62,6 +63,7 @@ static struct sock *__l2tp_ip_bind_looku + if ((l2tp->conn_id == tunnel_id) && + net_eq(sock_net(sk), net) && + !(inet->inet_rcv_saddr && inet->inet_rcv_saddr != laddr) && ++ (!inet->inet_daddr || !raddr || inet->inet_daddr == raddr) && + (!sk->sk_bound_dev_if || !dif || + sk->sk_bound_dev_if == dif)) + goto found; +@@ -72,15 +74,6 @@ found: + return sk; + } + +-static inline struct sock *l2tp_ip_bind_lookup(struct net *net, __be32 laddr, int dif, u32 tunnel_id) +-{ +- struct sock *sk = __l2tp_ip_bind_lookup(net, laddr, dif, tunnel_id); +- if (sk) +- sock_hold(sk); +- +- return sk; +-} +- + /* When processing receive frames, there are two cases to + * 
consider. Data frames consist of a non-zero session-id and an + * optional cookie. Control frames consist of a regular L2TP header +@@ -186,8 +179,8 @@ pass_up: + struct iphdr *iph = (struct iphdr *) skb_network_header(skb); + + read_lock_bh(&l2tp_ip_lock); +- sk = __l2tp_ip_bind_lookup(net, iph->daddr, inet_iif(skb), +- tunnel_id); ++ sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, ++ inet_iif(skb), tunnel_id); + if (!sk) { + read_unlock_bh(&l2tp_ip_lock); + goto discard; +@@ -289,7 +282,7 @@ static int l2tp_ip_bind(struct sock *sk, + inet->inet_saddr = 0; /* Use device */ + + write_lock_bh(&l2tp_ip_lock); +- if (__l2tp_ip_bind_lookup(net, addr->l2tp_addr.s_addr, ++ if (__l2tp_ip_bind_lookup(net, addr->l2tp_addr.s_addr, 0, + sk->sk_bound_dev_if, addr->l2tp_conn_id)) { + write_unlock_bh(&l2tp_ip_lock); + ret = -EADDRINUSE; +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -59,12 +59,14 @@ static inline struct l2tp_ip6_sock *l2tp + + static struct sock *__l2tp_ip6_bind_lookup(struct net *net, + struct in6_addr *laddr, ++ const struct in6_addr *raddr, + int dif, u32 tunnel_id) + { + struct sock *sk; + + sk_for_each_bound(sk, &l2tp_ip6_bind_table) { + const struct in6_addr *sk_laddr = inet6_rcv_saddr(sk); ++ const struct in6_addr *sk_raddr = &sk->sk_v6_daddr; + struct l2tp_ip6_sock *l2tp = l2tp_ip6_sk(sk); + + if (l2tp == NULL) +@@ -73,6 +75,7 @@ static struct sock *__l2tp_ip6_bind_look + if ((l2tp->conn_id == tunnel_id) && + net_eq(sock_net(sk), net) && + (!sk_laddr || ipv6_addr_any(sk_laddr) || ipv6_addr_equal(sk_laddr, laddr)) && ++ (!raddr || ipv6_addr_any(sk_raddr) || ipv6_addr_equal(sk_raddr, raddr)) && + (!sk->sk_bound_dev_if || !dif || + sk->sk_bound_dev_if == dif)) + goto found; +@@ -83,17 +86,6 @@ found: + return sk; + } + +-static inline struct sock *l2tp_ip6_bind_lookup(struct net *net, +- struct in6_addr *laddr, +- int dif, u32 tunnel_id) +-{ +- struct sock *sk = __l2tp_ip6_bind_lookup(net, laddr, dif, tunnel_id); +- if (sk) +- 
sock_hold(sk); +- +- return sk; +-} +- + /* When processing receive frames, there are two cases to + * consider. Data frames consist of a non-zero session-id and an + * optional cookie. Control frames consist of a regular L2TP header +@@ -200,8 +192,8 @@ pass_up: + struct ipv6hdr *iph = ipv6_hdr(skb); + + read_lock_bh(&l2tp_ip6_lock); +- sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, inet6_iif(skb), +- tunnel_id); ++ sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr, ++ inet6_iif(skb), tunnel_id); + if (!sk) { + read_unlock_bh(&l2tp_ip6_lock); + goto discard; +@@ -339,7 +331,7 @@ static int l2tp_ip6_bind(struct sock *sk + rcu_read_unlock(); + + write_lock_bh(&l2tp_ip6_lock); +- if (__l2tp_ip6_bind_lookup(net, &addr->l2tp_addr, bound_dev_if, ++ if (__l2tp_ip6_bind_lookup(net, &addr->l2tp_addr, NULL, bound_dev_if, + addr->l2tp_conn_id)) { + write_unlock_bh(&l2tp_ip6_lock); + err = -EADDRINUSE; diff --git a/queue-4.9/libcxgb-fix-error-check-for-ip6_route_output.patch b/queue-4.9/libcxgb-fix-error-check-for-ip6_route_output.patch new file mode 100644 index 00000000000..3ad75189c29 --- /dev/null +++ b/queue-4.9/libcxgb-fix-error-check-for-ip6_route_output.patch 
@@ -0,0 +1,46 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Varun Prakash +Date: Tue, 3 Jan 2017 21:25:48 +0530 +Subject: libcxgb: fix error check for ip6_route_output() + +From: Varun Prakash + + +[ Upstream commit a9a8cdb368d99bb655b5cdabea560446db0527cc ] + +ip6_route_output() never returns NULL so +check dst->error instead of !dst. + +Signed-off-by: Varun Prakash +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c ++++ b/drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c +@@ -133,17 +133,15 @@ cxgb_find_route6(struct cxgb4_lld_info * + if (ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LINKLOCAL) + fl6.flowi6_oif = sin6_scope_id; + dst = ip6_route_output(&init_net, NULL, &fl6); +- if (!dst) +- goto out; +- if (!cxgb_our_interface(lldi, get_real_dev, +- ip6_dst_idev(dst)->dev) && +- !(ip6_dst_idev(dst)->dev->flags & IFF_LOOPBACK)) { ++ if (dst->error || ++ (!cxgb_our_interface(lldi, get_real_dev, ++ ip6_dst_idev(dst)->dev) && ++ !(ip6_dst_idev(dst)->dev->flags & IFF_LOOPBACK))) { + dst_release(dst); +- dst = NULL; ++ return NULL; + } + } + +-out: + return dst; + } + EXPORT_SYMBOL(cxgb_find_route6); diff --git a/queue-4.9/libfs-modify-mount_pseudo_xattr-to-be-clear-it-is-not-a-userspace-mount.patch b/queue-4.9/libfs-modify-mount_pseudo_xattr-to-be-clear-it-is-not-a-userspace-mount.patch new file mode 100644 index 00000000000..98135de9f80 --- /dev/null +++ b/queue-4.9/libfs-modify-mount_pseudo_xattr-to-be-clear-it-is-not-a-userspace-mount.patch 
@@ -0,0 +1,44 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: "Eric W. Biederman" +Date: Wed, 4 Jan 2017 17:37:27 +1300 +Subject: libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount + +From: "Eric W. Biederman" + + +[ Upstream commit 75422726b0f717d67db3283c2eb5bc14fa2619c5 ] + +Add MS_KERNMOUNT to the flags that are passed. +Use sget_userns and force &init_user_ns instead of calling sget so that +even if called from a weird context the internal filesystem will be +considered to be in the intial user namespace. + +Luis Ressel reported that the the failure to pass MS_KERNMOUNT into +mount_pseudo broke his in development graphics driver that uses the +generic drm infrastructure. I am not certain the deriver was bug +free in it's usage of that infrastructure but since +mount_pseudo_xattr can never be triggered by userspace it is clearer +and less error prone, and less problematic for the code to be explicit. + +Reported-by: Luis Ressel +Tested-by: Luis Ressel +Acked-by: Al Viro +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/libfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -245,7 +245,8 @@ struct dentry *mount_pseudo_xattr(struct + struct inode *root; + struct qstr d_name = QSTR_INIT(name, strlen(name)); + +- s = sget(fs_type, NULL, set_anon_super, MS_NOUSER, NULL); ++ s = sget_userns(fs_type, NULL, set_anon_super, MS_KERNMOUNT|MS_NOUSER, ++ &init_user_ns, NULL); + if (IS_ERR(s)) + return ERR_CAST(s); + diff --git a/queue-4.9/m68k-fix-coldfire-node-shift-size-calculation.patch b/queue-4.9/m68k-fix-coldfire-node-shift-size-calculation.patch new file mode 100644 index 00000000000..b2df831ab28 --- /dev/null +++ b/queue-4.9/m68k-fix-coldfire-node-shift-size-calculation.patch 
@@ -0,0 +1,37 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Greg Ungerer +Date: Tue, 5 Sep 2017 22:57:06 +1000 +Subject: m68k: fix ColdFire node shift size calculation + +From: Greg Ungerer + + +[ Upstream commit f55ab8f27548ff3431a6567d400c6757c49fd520 ] + +The m68k pg_data_table is a fix size array defined in arch/m68k/mm/init.c. +Index numbers within it are defined based on memory size. But for Coldfire +these don't take into account a non-zero physical RAM base address, and this +causes us to access past the end of this array at system start time. + +Change the node shift calculation so that we keep the index inside its range. + +Reported-by: Angelo Dureghello +Tested-by: Angelo Dureghello +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/mm/mcfmmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/m68k/mm/mcfmmu.c ++++ b/arch/m68k/mm/mcfmmu.c +@@ -169,7 +169,7 @@ void __init cf_bootmem_alloc(void) + max_pfn = max_low_pfn = PFN_DOWN(_ramend); + high_memory = (void *)_ramend; + +- m68k_virt_to_node_shift = fls(_ramend - _rambase - 1) - 6; ++ m68k_virt_to_node_shift = fls(_ramend - 1) - 6; + module_fixup(NULL, __start_fixup, __stop_fixup); + + /* setup bootmem data */ diff --git a/queue-4.9/mac80211-calculate-min-channel-width-correctly.patch b/queue-4.9/mac80211-calculate-min-channel-width-correctly.patch new file mode 100644 index 00000000000..e2436476ae0 --- /dev/null +++ b/queue-4.9/mac80211-calculate-min-channel-width-correctly.patch 
@@ -0,0 +1,64 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Johannes Berg +Date: Fri, 7 Oct 2016 12:23:49 +0200 +Subject: mac80211: calculate min channel width correctly + +From: Johannes Berg + + +[ Upstream commit 96aa2e7cf126773b16c6c19b7474a8a38d3c707e ] + +In the current minimum chandef code there's an issue in that the +recalculation can happen after rate control is initialized for a +station that has a wider bandwidth than the current chanctx, and +then rate control can immediately start using those higher rates +which could cause problems. + +Observe that first of all that this problem is because we don't +take non-associated and non-uploaded stations into account. The +restriction to non-associated is quite pointless and is one of +the causes for the problem described above, since the rate init +will happen before the station is set to associated; no frames +could actually be sent until associated, but the rate table can +already contain higher rates and that might cause problems. + +Also, rejecting non-uploaded stations is wrong, since the rate +control can select higher rates for those as well. + +Secondly, it's then necessary to recalculate the minimal config +before initializing rate control, so that when rate control is +initialized, the higher rates are already available. This can be +done easily by adding the necessary function call in rate init. 
+ +Change-Id: Ib9bc02d34797078db55459d196993f39dcd43070 +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/chan.c | 3 --- + net/mac80211/rate.c | 2 ++ + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -231,9 +231,6 @@ ieee80211_get_max_required_bw(struct iee + !(sta->sdata->bss && sta->sdata->bss == sdata->bss)) + continue; + +- if (!sta->uploaded || !test_sta_flag(sta, WLAN_STA_ASSOC)) +- continue; +- + max_bw = max(max_bw, ieee80211_get_sta_bw(&sta->sta)); + } + rcu_read_unlock(); +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -40,6 +40,8 @@ void rate_control_rate_init(struct sta_i + + ieee80211_sta_set_rx_nss(sta); + ++ ieee80211_recalc_min_chandef(sta->sdata); ++ + if (!ref) + return; + diff --git a/queue-4.9/mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch b/queue-4.9/mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch new file mode 100644 index 00000000000..bb944e2d4fd --- /dev/null +++ b/queue-4.9/mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch 
@@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Johannes Berg +Date: Mon, 23 Jan 2017 09:29:09 +0100 +Subject: mac80211: don't try to sleep in rate_control_rate_init() + +From: Johannes Berg + + +[ Upstream commit 115865fa0826ed18ca04717cf72d0fe874c0fe7f ] + +In my previous patch, I missed that rate_control_rate_init() is +called from some places that cannot sleep, so it cannot call +ieee80211_recalc_min_chandef(). Remove that call for now to fix +the context bug, we'll have to find a different way to fix the +minimum channel width issue. + +Fixes: 96aa2e7cf126 ("mac80211: calculate min channel width correctly") +Reported-by: Xiaolong Ye (via lkp-robot) +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rate.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -40,8 +40,6 @@ void rate_control_rate_init(struct sta_i + + ieee80211_sta_set_rx_nss(sta); + +- ieee80211_recalc_min_chandef(sta->sdata); +- + if (!ref) + return; + diff --git a/queue-4.9/mac80211-prevent-skb-txq-mismatch.patch b/queue-4.9/mac80211-prevent-skb-txq-mismatch.patch new file mode 100644 index 00000000000..47ea5f96434 --- /dev/null +++ b/queue-4.9/mac80211-prevent-skb-txq-mismatch.patch 
@@ -0,0 +1,118 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Michal Kazior +Date: Fri, 13 Jan 2017 13:32:51 +0100 +Subject: mac80211: prevent skb/txq mismatch + +From: Michal Kazior + + +[ Upstream commit dbef53621116474bb883f76f0ba6b7640bc42332 ] + +Station structure is considered as not uploaded +(to driver) until drv_sta_state() finishes. This +call is however done after the structure is +attached to mac80211 internal lists and hashes. +This means mac80211 can lookup (and use) station +structure before it is uploaded to a driver. + +If this happens (structure exists, but +sta->uploaded is false) fast_tx path can still be +taken. Deep in the fastpath call the sta->uploaded +is checked against to derive "pubsta" argument for +ieee80211_get_txq(). If sta->uploaded is false +(and sta is actually non-NULL) ieee80211_get_txq() +effectively downgraded to vif->txq. + +At first glance this may look innocent but coerces +mac80211 into a state that is almost guaranteed +(codel may drop offending skb) to crash because a +station-oriented skb gets queued up on +vif-oriented txq. The ieee80211_tx_dequeue() ends +up looking at info->control.flags and tries to use +txq->sta which in the fail case is NULL. + +It's probably pointless to pretend one can +downgrade skb from sta-txq to vif-txq. + +Since downgrading unicast traffic to vif->txq must +not be done there's no txq to put a frame on if +sta->uploaded is false. Therefore the code is made +to fall back to regular tx() op path if the +described condition is hit. + +Only drivers using wake_tx_queue were affected. 
+ +Example crash dump before fix: + + Unable to handle kernel paging request at virtual address ffffe26c + PC is at ieee80211_tx_dequeue+0x204/0x690 [mac80211] + [] (ieee80211_tx_dequeue [mac80211]) from + [] (ath10k_mac_tx_push_txq+0x54/0x1c0 [ath10k_core]) + [] (ath10k_mac_tx_push_txq [ath10k_core]) from + [] (ath10k_htt_txrx_compl_task+0xd78/0x11d0 [ath10k_core]) + [] (ath10k_htt_txrx_compl_task [ath10k_core]) + [] (ath10k_pci_napi_poll+0x54/0xe8 [ath10k_pci]) + [] (ath10k_pci_napi_poll [ath10k_pci]) from + [] (net_rx_action+0xac/0x160) + +Reported-by: Mohammed Shafi Shajakhan +Signed-off-by: Michal Kazior +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1244,7 +1244,7 @@ ieee80211_tx_prepare(struct ieee80211_su + + static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local, + struct ieee80211_vif *vif, +- struct ieee80211_sta *pubsta, ++ struct sta_info *sta, + struct sk_buff *skb) + { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; +@@ -1258,10 +1258,13 @@ static struct txq_info *ieee80211_get_tx + if (!ieee80211_is_data(hdr->frame_control)) + return NULL; + +- if (pubsta) { ++ if (sta) { + u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; + +- txq = pubsta->txq[tid]; ++ if (!sta->uploaded) ++ return NULL; ++ ++ txq = sta->sta.txq[tid]; + } else if (vif) { + txq = vif->txq; + } +@@ -1499,23 +1502,17 @@ static bool ieee80211_queue_skb(struct i + struct fq *fq = &local->fq; + struct ieee80211_vif *vif; + struct txq_info *txqi; +- struct ieee80211_sta *pubsta; + + if (!local->ops->wake_tx_queue || + sdata->vif.type == NL80211_IFTYPE_MONITOR) + return false; + +- if (sta && sta->uploaded) +- pubsta = &sta->sta; +- else +- pubsta = NULL; +- + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) + sdata = container_of(sdata->bss, + struct 
ieee80211_sub_if_data, u.ap); + + vif = &sdata->vif; +- txqi = ieee80211_get_txq(local, vif, pubsta, skb); ++ txqi = ieee80211_get_txq(local, vif, sta, skb); + + if (!txqi) + return false; diff --git a/queue-4.9/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch b/queue-4.9/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch new file mode 100644 index 00000000000..e59f5312982 --- /dev/null +++ b/queue-4.9/mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch 
@@ -0,0 +1,70 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Jan Kara +Date: Wed, 8 Feb 2017 14:30:53 -0800 +Subject: mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers + +From: Jan Kara + + +[ Upstream commit 0911d0041c22922228ca52a977d7b0b0159fee4b ] + +Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return +code (GFS2 or Lustre can definitely do this). However VM_FAULT_RETRY +from ->page_mkwrite is completely unhandled by the mm code and results +in locking and writeably mapping the page which definitely is not what +the caller wanted. + +Fix Lustre and block_page_mkwrite_ret() used by other filesystems +(notably GFS2) to return VM_FAULT_NOPAGE instead which results in +bailing out from the fault code, the CPU then retries the access, and we +fault again effectively doing what the handler wanted. + +Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.cz +Signed-off-by: Jan Kara +Reported-by: Al Viro +Reviewed-by: Jinshan Xiong +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/llite/llite_mmap.c | 4 +--- + include/linux/buffer_head.h | 4 +--- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/staging/lustre/lustre/llite/llite_mmap.c ++++ b/drivers/staging/lustre/lustre/llite/llite_mmap.c +@@ -401,15 +401,13 @@ static int ll_page_mkwrite(struct vm_are + result = VM_FAULT_LOCKED; + break; + case -ENODATA: ++ case -EAGAIN: + case -EFAULT: + result = VM_FAULT_NOPAGE; + break; + case -ENOMEM: + result = VM_FAULT_OOM; + break; +- case -EAGAIN: +- result = VM_FAULT_RETRY; +- break; + default: + result = VM_FAULT_SIGBUS; + break; +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -239,12 +239,10 @@ static inline int block_page_mkwrite_ret + { + if (err == 0) + return VM_FAULT_LOCKED; +- if (err == -EFAULT) ++ if (err == -EFAULT || err == -EAGAIN) + return 
VM_FAULT_NOPAGE; + if (err == -ENOMEM) + return VM_FAULT_OOM; +- if (err == -EAGAIN) +- return VM_FAULT_RETRY; + /* -ENOSPC, -EDQUOT, -EIO ... */ + return VM_FAULT_SIGBUS; + } diff --git a/queue-4.9/mm-fix-remote-numa-hits-statistics.patch b/queue-4.9/mm-fix-remote-numa-hits-statistics.patch new file mode 100644 index 00000000000..11f6ee186d8 --- /dev/null +++ b/queue-4.9/mm-fix-remote-numa-hits-statistics.patch 
@@ -0,0 +1,82 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Michal Hocko +Date: Tue, 10 Jan 2017 16:57:39 -0800 +Subject: mm: fix remote numa hits statistics + +From: Michal Hocko + + +[ Upstream commit 2df26639e708a88dcc22171949da638a9998f3bc ] + +Jia He has noticed that commit b9f00e147f27 ("mm, page_alloc: reduce +branches in zone_statistics") has an unintentional side effect that +remote node allocation requests are accounted as NUMA_MISS rathat than +NUMA_HIT and NUMA_OTHER if such a request doesn't use __GFP_OTHER_NODE. + +There are many of these potentially because the flag is used very rarely +while we have many users of __alloc_pages_node. + +Fix this by simply ignoring __GFP_OTHER_NODE (it can be removed in a +follow up patch) and treat all allocations that were satisfied from the +preferred zone's node as NUMA_HITS because this is the same node we +requested the allocation from in most cases. If this is not the local +node then we just account it as NUMA_OTHER rather than NUMA_LOCAL. + +One downsize would be that an allocation request for a node which is +outside of the mempolicy nodemask would be reported as a hit which is a +bit weird but that was the case before b9f00e147f27 already. + +Fixes: b9f00e147f27 ("mm, page_alloc: reduce branches in zone_statistics") +Link: http://lkml.kernel.org/r/20170102153057.9451-2-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Jia He +Reviewed-by: Vlastimil Babka # with cbmc[1] superpowers +Acked-by: Mel Gorman +Cc: Johannes Weiner +Cc: Joonsoo Kim +Cc: Taku Izumi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -2592,30 +2592,23 @@ int __isolate_free_page(struct page *pag + * Update NUMA hit/miss statistics + * + * Must be called with interrupts disabled. 
+- * +- * When __GFP_OTHER_NODE is set assume the node of the preferred +- * zone is the local node. This is useful for daemons who allocate +- * memory on behalf of other processes. + */ + static inline void zone_statistics(struct zone *preferred_zone, struct zone *z, + gfp_t flags) + { + #ifdef CONFIG_NUMA +- int local_nid = numa_node_id(); + enum zone_stat_item local_stat = NUMA_LOCAL; + +- if (unlikely(flags & __GFP_OTHER_NODE)) { ++ if (z->node != numa_node_id()) + local_stat = NUMA_OTHER; +- local_nid = preferred_zone->node; +- } + +- if (z->node == local_nid) { ++ if (z->node == preferred_zone->node) + __inc_zone_state(z, NUMA_HIT); +- __inc_zone_state(z, local_stat); +- } else { ++ else { + __inc_zone_state(z, NUMA_MISS); + __inc_zone_state(preferred_zone, NUMA_FOREIGN); + } ++ __inc_zone_state(z, local_stat); + #endif + } + diff --git a/queue-4.9/mmc-sdhci-msm-fix-issue-with-power-irq.patch b/queue-4.9/mmc-sdhci-msm-fix-issue-with-power-irq.patch new file mode 100644 index 00000000000..91681477e04 --- /dev/null +++ b/queue-4.9/mmc-sdhci-msm-fix-issue-with-power-irq.patch 
@@ -0,0 +1,61 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Subhash Jadavani +Date: Wed, 27 Sep 2017 11:04:40 +0530 +Subject: mmc: sdhci-msm: fix issue with power irq + +From: Subhash Jadavani + + +[ Upstream commit c7ccee224d2d551f712752c4a16947f6529d6506 ] + +SDCC controller reset (SW_RST) during probe may trigger power irq if +previous status of PWRCTL was either BUS_ON or IO_HIGH_V. So before we +enable the power irq interrupt in GIC (by registering the interrupt +handler), we need to ensure that any pending power irq interrupt status +is acknowledged otherwise power irq interrupt handler would be fired +prematurely. + +Signed-off-by: Subhash Jadavani +Signed-off-by: Vijay Viswanath +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-msm.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -642,6 +642,21 @@ static int sdhci_msm_probe(struct platfo + CORE_VENDOR_SPEC_CAPABILITIES0); + } + ++ /* ++ * Power on reset state may trigger power irq if previous status of ++ * PWRCTL was either BUS_ON or IO_HIGH_V. So before enabling pwr irq ++ * interrupt in GIC, any pending power irq interrupt should be ++ * acknowledged. Otherwise power irq interrupt handler would be ++ * fired prematurely. ++ */ ++ sdhci_msm_voltage_switch(host); ++ ++ /* ++ * Ensure that above writes are propogated before interrupt enablement ++ * in GIC. 
++ */ ++ mb(); ++ + /* Setup IRQ for handling power/voltage tasks with PMIC */ + msm_host->pwr_irq = platform_get_irq_byname(pdev, "pwr_irq"); + if (msm_host->pwr_irq < 0) { +@@ -651,6 +666,9 @@ static int sdhci_msm_probe(struct platfo + goto clk_disable; + } + ++ /* Enable pwr irq interrupts */ ++ writel_relaxed(INT_MASK, msm_host->core_mem + CORE_PWRCTL_MASK); ++ + ret = devm_request_threaded_irq(&pdev->dev, msm_host->pwr_irq, NULL, + sdhci_msm_pwr_irq, IRQF_ONESHOT, + dev_name(&pdev->dev), host); diff --git a/queue-4.9/net-appletalk-fix-kernel-memory-disclosure.patch b/queue-4.9/net-appletalk-fix-kernel-memory-disclosure.patch new file mode 100644 index 00000000000..ff9db7a5e3a --- /dev/null +++ b/queue-4.9/net-appletalk-fix-kernel-memory-disclosure.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Vlad Tsyrklevich +Date: Mon, 9 Jan 2017 20:57:48 +0700 +Subject: net/appletalk: Fix kernel memory disclosure + +From: Vlad Tsyrklevich + + +[ Upstream commit ce7e40c432ba84da104438f6799d460a4cad41bc ] + +ipddp_route structs contain alignment padding so kernel heap memory +is leaked when they are copied to user space in +ipddp_ioctl(SIOCFINDIPDDPRT). Change kmalloc() to kzalloc() to clear +that memory. + +Signed-off-by: Vlad Tsyrklevich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/appletalk/ipddp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/appletalk/ipddp.c ++++ b/drivers/net/appletalk/ipddp.c +@@ -191,7 +191,7 @@ static netdev_tx_t ipddp_xmit(struct sk_ + */ + static int ipddp_create(struct ipddp_route *new_rt) + { +- struct ipddp_route *rt = kmalloc(sizeof(*rt), GFP_KERNEL); ++ struct ipddp_route *rt = kzalloc(sizeof(*rt), GFP_KERNEL); + + if (rt == NULL) + return -ENOMEM; 
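Review bot: in mac80211-calculate-min-channel-width-correctly.patch, the ieee80211_recalc_min_chandef(sta->sdata) call added to rate_control_rate_init() in net/mac80211/rate.c is removed again by the next queued patch, mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch, whose message says the function is called from places that cannot sleep. The two have to be applied together and in this order. With both in, the only lasting change is the chan.c removal of the "!sta->uploaded || !test_sta_flag(sta, WLAN_STA_ASSOC)" filter, and the second message says the minimum channel width issue still needs a different fix. Please note the pairing in the queue so the first patch is never carried alone.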
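Review bot: in mm-fix-remote-numa-hits-statistics.patch, zone_statistics() in mm/page_alloc.c no longer reads its "gfp_t flags" argument anywhere in the body, so the parameter is dead after this change. Either drop it together with the callers, or say in the function comment that it is kept only until __GFP_OTHER_NODE is removed in the follow-up the message mentions. Style: "if (z->node == preferred_zone->node) ... else { ... }" has braces on one branch only; when one branch needs braces, put them on both.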
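Review bot: in mmc-sdhci-msm-fix-issue-with-power-irq.patch, the added "writel_relaxed(INT_MASK, msm_host->core_mem + CORE_PWRCTL_MASK)" in sdhci_msm_probe() sits directly before devm_request_threaded_irq() with no barrier after it, while the block added earlier in the same function uses mb() precisely to order register writes against interrupt enablement in GIC. Either use writel() for the mask write or add a comment explaining why a relaxed write needs no ordering here. Minor: "propogated" in the new comment should be "propagated".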
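Review bot: in net-appletalk-fix-kernel-memory-disclosure.patch, ipddp_create() now zeroes the allocation, which clears the padding of the route objects kept by the driver, but the copy to user space that the message names, ipddp_ioctl(SIOCFINDIPDDPRT), is not part of this hunk. Please confirm that the struct ipddp_route handed to user space there is this kzalloc'ed object or a fully zeroed copy, and not a temporary with uninitialised padding of its own. If it is a temporary, it needs to be cleared before it is filled in, otherwise the same padding bytes still leak.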
diff --git a/queue-4.9/net-fec-fix-multicast-filtering-hardware-setup.patch b/queue-4.9/net-fec-fix-multicast-filtering-hardware-setup.patch new file mode 100644 index 00000000000..82765a0cef0 --- /dev/null +++ b/queue-4.9/net-fec-fix-multicast-filtering-hardware-setup.patch 
@@ -0,0 +1,71 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Rui Sousa +Date: Mon, 13 Feb 2017 10:01:25 +0800 +Subject: net: fec: fix multicast filtering hardware setup + +From: Rui Sousa + + +[ Upstream commit 01f8902bcf3ff124d0aeb88a774180ebcec20ace ] + +Fix hardware setup of multicast address hash: +- Never clear the hardware hash (to avoid packet loss) +- Construct the hash register values in software and then write once +to hardware + +Signed-off-by: Rui Sousa +Signed-off-by: Fugang Duan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2923,6 +2923,7 @@ static void set_multicast_list(struct ne + struct netdev_hw_addr *ha; + unsigned int i, bit, data, crc, tmp; + unsigned char hash; ++ unsigned int hash_high = 0, hash_low = 0; + + if (ndev->flags & IFF_PROMISC) { + tmp = readl(fep->hwp + FEC_R_CNTRL); +@@ -2945,11 +2946,7 @@ static void set_multicast_list(struct ne + return; + } + +- /* Clear filter and add the addresses in hash register +- */ +- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- writel(0, fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- ++ /* Add the addresses in hash register */ + netdev_for_each_mc_addr(ha, ndev) { + /* calculate crc32 value of mac address */ + crc = 0xffffffff; +@@ -2967,16 +2964,14 @@ static void set_multicast_list(struct ne + */ + hash = (crc >> (32 - FEC_HASH_BITS)) & 0x3f; + +- if (hash > 31) { +- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- tmp |= 1 << (hash - 32); +- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); +- } else { +- tmp = readl(fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- tmp |= 1 << hash; +- writel(tmp, fep->hwp + FEC_GRP_HASH_TABLE_LOW); +- } ++ if (hash > 31) ++ hash_high |= 1 << (hash - 32); ++ else ++ hash_low |= 1 << hash; + } 
++ ++ writel(hash_high, fep->hwp + FEC_GRP_HASH_TABLE_HIGH); ++ writel(hash_low, fep->hwp + FEC_GRP_HASH_TABLE_LOW); + } + + /* Set a MAC change in hardware. */ diff --git a/queue-4.9/net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch b/queue-4.9/net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch new file mode 100644 index 00000000000..fb304739ba6 --- /dev/null +++ b/queue-4.9/net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch 
@@ -0,0 +1,46 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Slava Shwartsman +Date: Thu, 29 Dec 2016 18:37:12 +0200 +Subject: net/mlx4_en: Fix type mismatch for 32-bit systems + +From: Slava Shwartsman + + +[ Upstream commit 61b6034c6cfdcb265bb453505c3d688e7567727a ] + +is_power_of_2 expects unsigned long and we pass u64 max_val_cycles, +this will be truncated on 32 bit systems, and the result is not what we +were expecting. +div_u64 expects u32 as a second argument and we pass +max_val_cycles_rounded which is u64 hence it will always be truncated. +Fix was tested on both 64 and 32 bit systems and got same results for +max_val_cycles and max_val_cycles_rounded. + +Fixes: 4850cf458157 ("net/mlx4_en: Resolve dividing by zero in 32-bit system") +Signed-off-by: Slava Shwartsman +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -251,13 +251,9 @@ static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; + u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; +- u64 tmp_rounded = +- roundup_pow_of_two(max_val_cycles) > max_val_cycles ? +- roundup_pow_of_two(max_val_cycles) - 1 : UINT_MAX; +- u64 max_val_cycles_rounded = is_power_of_2(max_val_cycles + 1) ? +- max_val_cycles : tmp_rounded; ++ u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1); + /* calculate max possible multiplier in order to fit in 64bit */ +- u64 max_mul = div_u64(0xffffffffffffffffULL, max_val_cycles_rounded); ++ u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded); + + /* This comes from the reverse of clocksource_khz2mult */ + return ilog2(div_u64(max_mul * freq_khz, 1000000)); 
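Review bot: in net-fec-fix-multicast-filtering-hardware-setup.patch, "hash_high |= 1 << (hash - 32)" and "hash_low |= 1 << hash" in set_multicast_list() shift a signed int. hash is masked with 0x3f, so the shift count can reach 31, and "1 << 31" overflows int. Both accumulators are declared unsigned int, so write the constant as 1U or use BIT().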
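Review bot: in net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch, "1ULL << fls64(max_val_cycles - 1)" in freq_to_shift() is undefined when max_val_cycles is 0 (freq == 0): the subtraction wraps to all ones, fls64() returns 64, and the shift count then equals the width of the type. Please guard that case or state why freq can never be 0 here. Also, the removed expression rounded to a power of two minus one (or UINT_MAX) while the new one rounds up to a power of two, so the divisor passed to div64_u64() differs by one from before; the message only compares 32-bit against 64-bit results, so say whether the returned shift is unchanged against the old code as well.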
diff --git a/queue-4.9/net-phy-micrel-ksz8795-do-not-set-supported_pause.patch b/queue-4.9/net-phy-micrel-ksz8795-do-not-set-supported_pause.patch new file mode 100644 index 00000000000..aade07dc290 --- /dev/null +++ b/queue-4.9/net-phy-micrel-ksz8795-do-not-set-supported_pause.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Sean Nyekjaer +Date: Fri, 27 Jan 2017 21:39:03 +0100 +Subject: net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause + +From: Sean Nyekjaer + + +[ Upstream commit cf626c3b252b2c9d131be0dd66096ec3bf729e54 ] + +As pr commit "net: phy: phy drivers should not set SUPPORTED_[Asym_]Pause" +this phy driver should not set these feature bits. + +Signed-off-by: Sean Nyekjaer +Fixes: 9d162ed69f51 ("net: phy: micrel: add support for KSZ8795") +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -1020,7 +1020,7 @@ static struct phy_driver ksphy_driver[] + .phy_id = PHY_ID_KSZ8795, + .phy_id_mask = MICREL_PHY_ID_MASK, + .name = "Micrel KSZ8795", +- .features = (SUPPORTED_Pause | SUPPORTED_Asym_Pause), ++ .features = PHY_BASIC_FEATURES, + .flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT, + .config_init = kszphy_config_init, + .config_aneg = ksz8873mll_config_aneg, diff --git a/queue-4.9/net-qrtr-mark-buf-as-little-endian.patch b/queue-4.9/net-qrtr-mark-buf-as-little-endian.patch new file mode 100644 index 00000000000..0b673317729 --- /dev/null +++ b/queue-4.9/net-qrtr-mark-buf-as-little-endian.patch 
@@ -0,0 +1,55 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Stephen Boyd +Date: Mon, 9 Jan 2017 14:31:58 -0800 +Subject: net: qrtr: Mark 'buf' as little endian + +From: Stephen Boyd + + +[ Upstream commit 3512a1ad56174308a9fd3e10f4b1e3e152e9ec01 ] + +Failure to mark this pointer as __le32 causes checkers like +sparse to complain: + +net/qrtr/qrtr.c:274:16: warning: incorrect type in assignment (different base types) +net/qrtr/qrtr.c:274:16: expected unsigned int [unsigned] [usertype] +net/qrtr/qrtr.c:274:16: got restricted __le32 [usertype] +net/qrtr/qrtr.c:275:16: warning: incorrect type in assignment (different base types) +net/qrtr/qrtr.c:275:16: expected unsigned int [unsigned] [usertype] +net/qrtr/qrtr.c:275:16: got restricted __le32 [usertype] +net/qrtr/qrtr.c:276:16: warning: incorrect type in assignment (different base types) +net/qrtr/qrtr.c:276:16: expected unsigned int [unsigned] [usertype] +net/qrtr/qrtr.c:276:16: got restricted __le32 [usertype] + +Silence it. + +Cc: Bjorn Andersson +Signed-off-by: Stephen Boyd +Acked-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -252,7 +252,7 @@ static struct sk_buff *qrtr_alloc_resume + const int pkt_len = 20; + struct qrtr_hdr *hdr; + struct sk_buff *skb; +- u32 *buf; ++ __le32 *buf; + + skb = alloc_skb(QRTR_HDR_SIZE + pkt_len, GFP_KERNEL); + if (!skb) +@@ -269,7 +269,7 @@ static struct sk_buff *qrtr_alloc_resume + hdr->dst_node_id = cpu_to_le32(dst_node); + hdr->dst_port_id = cpu_to_le32(QRTR_PORT_CTRL); + +- buf = (u32 *)skb_put(skb, pkt_len); ++ buf = (__le32 *)skb_put(skb, pkt_len); + memset(buf, 0, pkt_len); + buf[0] = cpu_to_le32(QRTR_TYPE_RESUME_TX); + buf[1] = cpu_to_le32(src_node); 
diff --git a/queue-4.9/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch b/queue-4.9/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch new file mode 100644 index 00000000000..4a908f108ec --- /dev/null +++ b/queue-4.9/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Colin Ian King +Date: Fri, 20 Jan 2017 13:01:57 +0000 +Subject: net: sctp: fix array overrun read on sctp_timer_tbl + +From: Colin Ian King + + +[ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ] + +The comparison on the timeout can lead to an array overrun +read on sctp_timer_tbl because of an off-by-one error. Fix +this by using < instead of <= and also compare to the array +size rather than SCTP_EVENT_TIMEOUT_MAX. + +Fixes CoverityScan CID#1397639 ("Out-of-bounds read") + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/debug.c ++++ b/net/sctp/debug.c +@@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[ + /* Lookup timer debug name. */ + const char *sctp_tname(const sctp_subtype_t id) + { +- if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) ++ if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) + return sctp_timer_tbl[id.timeout]; + return "unknown_timer"; + } diff --git a/queue-4.9/net-systemport-pad-packet-before-inserting-tsb.patch b/queue-4.9/net-systemport-pad-packet-before-inserting-tsb.patch new file mode 100644 index 00000000000..102c7a673a3 --- /dev/null +++ b/queue-4.9/net-systemport-pad-packet-before-inserting-tsb.patch 
@@ -0,0 +1,65 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Florian Fainelli +Date: Tue, 3 Jan 2017 16:34:49 -0800 +Subject: net: systemport: Pad packet before inserting TSB + +From: Florian Fainelli + + +[ Upstream commit 38e5a85562a6cd911fc26d951d576551a688574c ] + +Inserting the TSB means adding an extra 8 bytes in front the of packet +that is going to be used as metadata information by the TDMA engine, but +stripped off, so it does not really help with the packet padding. + +For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP) +we can end-up padding them after the TSB insertion, thus making them 64 +bytes, but with the TDMA stripping off the first 8 bytes, they could +still be smaller than 64 bytes which is required to ingress the switch. + +Fix this by swapping the padding and TSB insertion, guaranteeing that +the packets have the right sizes. + +Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1023,15 +1023,6 @@ static netdev_tx_t bcm_sysport_xmit(stru + goto out; + } + +- /* Insert TSB and checksum infos */ +- if (priv->tsb_en) { +- skb = bcm_sysport_insert_tsb(skb, dev); +- if (!skb) { +- ret = NETDEV_TX_OK; +- goto out; +- } +- } +- + /* The Ethernet switch we are interfaced with needs packets to be at + * least 64 bytes (including FCS) otherwise they will be discarded when + * they enter the switch port logic. 
When Broadcom tags are enabled, we +@@ -1044,6 +1035,15 @@ static netdev_tx_t bcm_sysport_xmit(stru + goto out; + } + ++ /* Insert TSB and checksum infos */ ++ if (priv->tsb_en) { ++ skb = bcm_sysport_insert_tsb(skb, dev); ++ if (!skb) { ++ ret = NETDEV_TX_OK; ++ goto out; ++ } ++ } ++ + skb_len = skb->len; + + mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE); diff --git a/queue-4.9/net-systemport-utilize-skb_put_padto.patch b/queue-4.9/net-systemport-utilize-skb_put_padto.patch new file mode 100644 index 00000000000..d03dcff9118 --- /dev/null +++ b/queue-4.9/net-systemport-utilize-skb_put_padto.patch @@ -0,0 +1,40 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Florian Fainelli +Date: Tue, 3 Jan 2017 16:34:48 -0800 +Subject: net: systemport: Utilize skb_put_padto() + +From: Florian Fainelli + + +[ Upstream commit bb7da333d0a9f3bddc08f84187b7579a3f68fd24 ] + +Since we need to pad our packets, utilize skb_put_padto() which +increases skb->len by how much we need to pad, allowing us to eliminate +the test on skb->len right below. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -1039,13 +1039,12 @@ static netdev_tx_t bcm_sysport_xmit(stru + * (including FCS and tag) because the length verification is done after + * the Broadcom tag is stripped off the ingress packet. + */ +- if (skb_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) { ++ if (skb_put_padto(skb, ETH_ZLEN + ENET_BRCM_TAG_LEN)) { + ret = NETDEV_TX_OK; + goto out; + } + +- skb_len = skb->len < ETH_ZLEN + ENET_BRCM_TAG_LEN ? +- ETH_ZLEN + ENET_BRCM_TAG_LEN : skb->len; ++ skb_len = skb->len; + + mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE); + if (dma_mapping_error(kdev, mapping)) { 
diff --git a/queue-4.9/net-thunderx-avoid-dereferencing-xcv-when-null.patch b/queue-4.9/net-thunderx-avoid-dereferencing-xcv-when-null.patch new file mode 100644 index 00000000000..54aa7c6f284 --- /dev/null +++ b/queue-4.9/net-thunderx-avoid-dereferencing-xcv-when-null.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Vincent +Date: Mon, 30 Jan 2017 15:06:43 +0100 +Subject: net: thunderx: avoid dereferencing xcv when NULL + +From: Vincent + + +[ Upstream commit c73e44269369e936165f0f9b61f1f09a11dae01c ] + +This fixes the following smatch and coccinelle warnings: + + drivers/net/ethernet/cavium/thunder/thunder_xcv.c:119 xcv_setup_link() error: we previously assumed 'xcv' could be null (see line 118) [smatch] + drivers/net/ethernet/cavium/thunder/thunder_xcv.c:119:16-20: ERROR: xcv is NULL but dereferenced. [coccinelle] + +Fixes: 6465859aba1e66a5 ("net: thunderx: Add RGMII interface type support") +Signed-off-by: Vincent Stehlé +Cc: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/thunder/thunder_xcv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/cavium/thunder/thunder_xcv.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_xcv.c +@@ -116,8 +116,7 @@ void xcv_setup_link(bool link_up, int li + int speed = 2; + + if (!xcv) { +- dev_err(&xcv->pdev->dev, +- "XCV init not done, probe may have failed\n"); ++ pr_err("XCV init not done, probe may have failed\n"); + return; + } + diff --git a/queue-4.9/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch b/queue-4.9/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch new file mode 100644 index 00000000000..abb4e2833c3 --- /dev/null +++ b/queue-4.9/nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch 
@@ -0,0 +1,56 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Benjamin Coddington +Date: Thu, 5 Jan 2017 10:20:16 -0500 +Subject: nfs: Don't take a reference on fl->fl_file for LOCK operation + +From: Benjamin Coddington + + +[ Upstream commit 4b09ec4b14a168bf2c687e1f598140c3c11e9222 ] + +I have reports of a crash that look like __fput() was called twice for +a NFSv4.0 file. It seems possible that the state manager could try to +reclaim a lock and take a reference on the fl->fl_file at the same time the +file is being released if, during the close(), a signal interrupts the wait +for outstanding IO while removing locks which then skips the removal +of that lock. + +Since 83bfff23e9ed ("nfs4: have do_vfs_lock take an inode pointer") has +removed the need to traverse fl->fl_file->f_inode in nfs4_lock_done(), +taking that reference is no longer necessary. + +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -38,7 +38,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -6006,7 +6005,6 @@ static struct nfs4_lockdata *nfs4_alloc_ + p->server = server; + atomic_inc(&lsp->ls_count); + p->ctx = get_nfs_open_context(ctx); +- get_file(fl->fl_file); + memcpy(&p->fl, fl, sizeof(p->fl)); + return p; + out_free_seqid: +@@ -6119,7 +6117,6 @@ static void nfs4_lock_release(void *call + nfs_free_seqid(data->arg.lock_seqid); + nfs4_put_lock_state(data->lsp); + put_nfs_open_context(data->ctx); +- fput(data->fl.fl_file); + kfree(data); + dprintk("%s: done!\n", __func__); + } diff --git a/queue-4.9/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch b/queue-4.9/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch new file mode 100644 index 00000000000..f32cc49c751 --- /dev/null 
+++ b/queue-4.9/nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Trond Myklebust +Date: Fri, 13 Jan 2017 13:31:32 -0500 +Subject: NFSv4: Fix client recovery when server reboots multiple times + +From: Trond Myklebust + + +[ Upstream commit c6180a6237174f481dc856ed6e890d8196b6f0fb ] + +If the server reboots multiple times, the client should rely on the +server to tell it that it cannot reclaim state as per section 9.6.3.4 +in RFC7530 and section 8.4.2.1 in RFC5661. +Currently, the client is being to conservative, and is assuming that +if the server reboots while state recovery is in progress, then it must +ignore state that was not recovered before the reboot. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4state.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1718,7 +1718,6 @@ static int nfs4_recovery_handle_error(st + break; + case -NFS4ERR_STALE_CLIENTID: + set_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state); +- nfs4_state_clear_reclaim_reboot(clp); + nfs4_state_start_reclaim_reboot(clp); + break; + case -NFS4ERR_EXPIRED: diff --git a/queue-4.9/nvmet-cancel-fatal-error-and-flush-async-work-before-free-controller.patch b/queue-4.9/nvmet-cancel-fatal-error-and-flush-async-work-before-free-controller.patch new file mode 100644 index 00000000000..67e37f186c9 --- /dev/null +++ b/queue-4.9/nvmet-cancel-fatal-error-and-flush-async-work-before-free-controller.patch 
@@ -0,0 +1,34 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Sagi Grimberg +Date: Sun, 1 Jan 2017 13:41:56 +0200 +Subject: nvmet: cancel fatal error and flush async work before free controller + +From: Sagi Grimberg + + +[ Upstream commit 06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 ] + +Make sure they are not running and we can free the controller +safely. + +Signed-off-by: Roy Shterman +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -816,6 +816,9 @@ static void nvmet_ctrl_free(struct kref + list_del(&ctrl->subsys_entry); + mutex_unlock(&subsys->lock); + ++ flush_work(&ctrl->async_event_work); ++ cancel_work_sync(&ctrl->fatal_err_work); ++ + ida_simple_remove(&subsys->cntlid_ida, ctrl->cntlid); + nvmet_subsys_put(subsys); + diff --git a/queue-4.9/perf-test-attr-fix-ignored-test-case-result.patch b/queue-4.9/perf-test-attr-fix-ignored-test-case-result.patch new file mode 100644 index 00000000000..f1e1daf21b9 --- /dev/null +++ b/queue-4.9/perf-test-attr-fix-ignored-test-case-result.patch 
@@ -0,0 +1,68 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Thomas Richter +Date: Wed, 13 Sep 2017 10:12:09 +0200 +Subject: perf test attr: Fix ignored test case result + +From: Thomas Richter + + +[ Upstream commit 22905582f6dd4bbd0c370fe5732c607452010c04 ] + +Command perf test -v 16 (Setup struct perf_event_attr test) always +reports success even if the test case fails. It works correctly if you +also specify -F (for don't fork). + + root@s35lp76 perf]# ./perf test -v 16 + 15: Setup struct perf_event_attr : + --- start --- + running './tests/attr/test-record-no-delay' + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.002 MB /tmp/tmp4E1h7R/perf.data + (1 samples) ] + expected task=0, got 1 + expected precise_ip=0, got 3 + expected wakeup_events=1, got 0 + FAILED './tests/attr/test-record-no-delay' - match failure + test child finished with 0 + ---- end ---- + Setup struct perf_event_attr: Ok + +The reason for the wrong error reporting is the return value of the +system() library call. It is called in run_dir() file tests/attr.c and +returns the exit status, in above case 0xff00. + +This value is given as parameter to the exit() function which can only +handle values 0-0xff. + +The child process terminates with exit value of 0 and the parent does +not detect any error. + +This patch corrects the error reporting and prints the correct test +result. 
+ +Signed-off-by: Thomas-Mich Richter +Acked-by: Jiri Olsa +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Cc: Thomas-Mich Richter +LPU-Reference: 20170913081209.39570-2-tmricht@linux.vnet.ibm.com +Link: http://lkml.kernel.org/n/tip-rdube6rfcjsr1nzue72c7lqn@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/attr.c ++++ b/tools/perf/tests/attr.c +@@ -150,7 +150,7 @@ static int run_dir(const char *d, const + snprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s", + d, d, perf, vcnt, v); + +- return system(cmd); ++ return system(cmd) ? TEST_FAIL : TEST_OK; + } + + int test__attr(int subtest __maybe_unused) diff --git a/queue-4.9/perf-x86-intel-account-interrupts-for-pebs-errors.patch b/queue-4.9/perf-x86-intel-account-interrupts-for-pebs-errors.patch new file mode 100644 index 00000000000..116ee787fa5 --- /dev/null +++ b/queue-4.9/perf-x86-intel-account-interrupts-for-pebs-errors.patch 
@@ -0,0 +1,159 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Jiri Olsa +Date: Wed, 28 Dec 2016 14:31:03 +0100 +Subject: perf/x86/intel: Account interrupts for PEBS errors + +From: Jiri Olsa + + +[ Upstream commit 475113d937adfd150eb82b5e2c5507125a68e7af ] + +It's possible to set up PEBS events to get only errors and not +any data, like on SNB-X (model 45) and IVB-EP (model 62) +via 2 perf commands running simultaneously: + + taskset -c 1 ./perf record -c 4 -e branches:pp -j any -C 10 + +This leads to a soft lock up, because the error path of the +intel_pmu_drain_pebs_nhm() does not account event->hw.interrupt +for error PEBS interrupts, so in case you're getting ONLY +errors you don't have a way to stop the event when it's over +the max_samples_per_tick limit: + + NMI watchdog: BUG: soft lockup - CPU#22 stuck for 22s! [perf_fuzzer:5816] + ... + RIP: 0010:[] [] smp_call_function_single+0xe2/0x140 + ... + Call Trace: + ? trace_hardirqs_on_caller+0xf5/0x1b0 + ? perf_cgroup_attach+0x70/0x70 + perf_install_in_context+0x199/0x1b0 + ? ctx_resched+0x90/0x90 + SYSC_perf_event_open+0x641/0xf90 + SyS_perf_event_open+0x9/0x10 + do_syscall_64+0x6c/0x1f0 + entry_SYSCALL64_slow_path+0x25/0x25 + +Add perf_event_account_interrupt() which does the interrupt +and frequency checks and call it from intel_pmu_drain_pebs_nhm()'s +error path. + +We keep the pending_kill and pending_wakeup logic only in the +__perf_event_overflow() path, because they make sense only if +there's any data to deliver. 
+ +Signed-off-by: Jiri Olsa +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/1482931866-6018-2-git-send-email-jolsa@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 6 ++++- + include/linux/perf_event.h | 1 + kernel/events/core.c | 47 +++++++++++++++++++++++++++++---------------- + 3 files changed, 37 insertions(+), 17 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1389,9 +1389,13 @@ static void intel_pmu_drain_pebs_nhm(str + continue; + + /* log dropped samples number */ +- if (error[bit]) ++ if (error[bit]) { + perf_log_lost_samples(event, error[bit]); + ++ if (perf_event_account_interrupt(event)) ++ x86_pmu_stop(event, 0); ++ } ++ + if (counts[bit]) { + __intel_pmu_pebs_event(event, iregs, base, + top, bit, counts[bit]); +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -1259,6 +1259,7 @@ extern void perf_event_disable(struct pe + extern void perf_event_disable_local(struct perf_event *event); + extern void perf_event_disable_inatomic(struct perf_event *event); + extern void perf_event_task_tick(void); ++extern int perf_event_account_interrupt(struct perf_event *event); + #else /* !CONFIG_PERF_EVENTS: */ + static inline void * + perf_aux_output_begin(struct perf_output_handle *handle, +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7088,25 +7088,12 @@ static void perf_log_itrace_start(struct + perf_output_end(&handle); + } + +-/* +- * Generic event overflow handling, sampling. 
+- */ +- +-static int __perf_event_overflow(struct perf_event *event, +- int throttle, struct perf_sample_data *data, +- struct pt_regs *regs) ++static int ++__perf_event_account_interrupt(struct perf_event *event, int throttle) + { +- int events = atomic_read(&event->event_limit); + struct hw_perf_event *hwc = &event->hw; +- u64 seq; + int ret = 0; +- +- /* +- * Non-sampling counters might still use the PMI to fold short +- * hardware counters, ignore those. +- */ +- if (unlikely(!is_sampling_event(event))) +- return 0; ++ u64 seq; + + seq = __this_cpu_read(perf_throttled_seq); + if (seq != hwc->interrupts_seq) { +@@ -7134,6 +7121,34 @@ static int __perf_event_overflow(struct + perf_adjust_period(event, delta, hwc->last_period, true); + } + ++ return ret; ++} ++ ++int perf_event_account_interrupt(struct perf_event *event) ++{ ++ return __perf_event_account_interrupt(event, 1); ++} ++ ++/* ++ * Generic event overflow handling, sampling. ++ */ ++ ++static int __perf_event_overflow(struct perf_event *event, ++ int throttle, struct perf_sample_data *data, ++ struct pt_regs *regs) ++{ ++ int events = atomic_read(&event->event_limit); ++ int ret = 0; ++ ++ /* ++ * Non-sampling counters might still use the PMI to fold short ++ * hardware counters, ignore those. ++ */ ++ if (unlikely(!is_sampling_event(event))) ++ return 0; ++ ++ ret = __perf_event_account_interrupt(event, throttle); ++ + /* + * XXX event_limit might not quite work as expected on inherited + * events diff --git a/queue-4.9/powerpc-mm-fix-memory-hotplug-bug-on-radix.patch b/queue-4.9/powerpc-mm-fix-memory-hotplug-bug-on-radix.patch new file mode 100644 index 00000000000..fe4be8627ac --- /dev/null +++ b/queue-4.9/powerpc-mm-fix-memory-hotplug-bug-on-radix.patch 
@@ -0,0 +1,89 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Reza Arbab +Date: Tue, 3 Jan 2017 14:39:51 -0600 +Subject: powerpc/mm: Fix memory hotplug BUG() on radix + +From: Reza Arbab + + +[ Upstream commit 32b53c012e0bfe20b2745962a89db0dc72ef3270 ] + +Memory hotplug is leading to hash page table calls, even on radix: + + arch_add_memory + create_section_mapping + htab_bolt_mapping + BUG_ON(!ppc_md.hpte_insert); + +To fix, refactor {create,remove}_section_mapping() into hash__ and +radix__ variants. Leave the radix versions stubbed for now. + +Reviewed-by: Aneesh Kumar K.V +Acked-by: Balbir Singh +Signed-off-by: Reza Arbab +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/book3s/64/hash.h | 4 ++++ + arch/powerpc/mm/hash_utils_64.c | 4 ++-- + arch/powerpc/mm/pgtable-book3s64.c | 18 ++++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/book3s/64/hash.h ++++ b/arch/powerpc/include/asm/book3s/64/hash.h +@@ -201,6 +201,10 @@ extern int __meminit hash__vmemmap_creat + unsigned long phys); + extern void hash__vmemmap_remove_mapping(unsigned long start, + unsigned long page_size); ++ ++int hash__create_section_mapping(unsigned long start, unsigned long end); ++int hash__remove_section_mapping(unsigned long start, unsigned long end); ++ + #endif /* !__ASSEMBLY__ */ + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_BOOK3S_64_HASH_H */ +--- a/arch/powerpc/mm/hash_utils_64.c ++++ b/arch/powerpc/mm/hash_utils_64.c +@@ -747,7 +747,7 @@ static unsigned long __init htab_get_tab + } + + #ifdef CONFIG_MEMORY_HOTPLUG +-int create_section_mapping(unsigned long start, unsigned long end) ++int hash__create_section_mapping(unsigned long start, unsigned long end) + { + int rc = htab_bolt_mapping(start, end, __pa(start), + pgprot_val(PAGE_KERNEL), mmu_linear_psize, +@@ -761,7 +761,7 @@ int create_section_mapping(unsigned long + return rc; + } + +-int 
remove_section_mapping(unsigned long start, unsigned long end) ++int hash__remove_section_mapping(unsigned long start, unsigned long end) + { + int rc = htab_remove_mapping(start, end, mmu_linear_psize, + mmu_kernel_ssize); +--- a/arch/powerpc/mm/pgtable-book3s64.c ++++ b/arch/powerpc/mm/pgtable-book3s64.c +@@ -125,3 +125,21 @@ void mmu_cleanup_all(void) + else if (mmu_hash_ops.hpte_clear_all) + mmu_hash_ops.hpte_clear_all(); + } ++ ++#ifdef CONFIG_MEMORY_HOTPLUG ++int create_section_mapping(unsigned long start, unsigned long end) ++{ ++ if (radix_enabled()) ++ return -ENODEV; ++ ++ return hash__create_section_mapping(start, end); ++} ++ ++int remove_section_mapping(unsigned long start, unsigned long end) ++{ ++ if (radix_enabled()) ++ return -ENODEV; ++ ++ return hash__remove_section_mapping(start, end); ++} ++#endif /* CONFIG_MEMORY_HOTPLUG */ diff --git a/queue-4.9/qla2xxx-fix-wrong-iocb-type-assumption.patch b/queue-4.9/qla2xxx-fix-wrong-iocb-type-assumption.patch new file mode 100644 index 00000000000..456fb0afd7a --- /dev/null +++ b/queue-4.9/qla2xxx-fix-wrong-iocb-type-assumption.patch 
@@ -0,0 +1,50 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Quinn Tran +Date: Fri, 23 Dec 2016 18:06:05 -0800 +Subject: qla2xxx: Fix wrong IOCB type assumption + +From: Quinn Tran + + +[ Upstream commit bb1181c9a8b46b6f10e749d9ed94480336445d7f ] + +qlt_reset is called with Immedidate Notify IOCB only. +Current code wrongly cast it as ATIO IOCB. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Reviewed-by: Christoph Hellwig +Signed-off-by: Bart Van Assche +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_target.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -668,11 +668,9 @@ static int qlt_reset(struct scsi_qla_hos + { + struct qla_hw_data *ha = vha->hw; + struct qla_tgt_sess *sess = NULL; +- uint32_t unpacked_lun, lun = 0; + uint16_t loop_id; + int res = 0; + struct imm_ntfy_from_isp *n = (struct imm_ntfy_from_isp *)iocb; +- struct atio_from_isp *a = (struct atio_from_isp *)iocb; + unsigned long flags; + + loop_id = le16_to_cpu(n->u.isp24.nport_handle); +@@ -725,11 +723,7 @@ static int qlt_reset(struct scsi_qla_hos + "loop_id %d)\n", vha->host_no, sess, sess->port_name, + mcmd, loop_id); + +- lun = a->u.isp24.fcp_cmnd.lun; +- unpacked_lun = scsilun_to_int((struct scsi_lun *)&lun); +- +- return qlt_issue_task_mgmt(sess, unpacked_lun, mcmd, +- iocb, QLA24XX_MGMT_SEND_NACK); ++ return qlt_issue_task_mgmt(sess, 0, mcmd, iocb, QLA24XX_MGMT_SEND_NACK); + } + + /* ha->tgt.sess_lock supposed to be held on entry */ diff --git a/queue-4.9/ravb-remove-rx-overflow-log-messages.patch b/queue-4.9/ravb-remove-rx-overflow-log-messages.patch new file mode 100644 index 00000000000..dad56b63e53 --- /dev/null +++ b/queue-4.9/ravb-remove-rx-overflow-log-messages.patch 
@@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Kazuya Mizuguchi +Date: Thu, 12 Jan 2017 13:21:06 +0100 +Subject: ravb: Remove Rx overflow log messages + +From: Kazuya Mizuguchi + + +[ Upstream commit 18a3ed59d09cf81a6447aadf6931bf0c9ffec5e0 ] + +Remove Rx overflow log messages as in an environment where logging results +in network traffic logging may cause further overflows. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Kazuya Mizuguchi +[simon: reworked changelog] +Signed-off-by: Simon Horman +Acked-by: Sergei Shtylyov +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -941,14 +941,10 @@ static int ravb_poll(struct napi_struct + /* Receive error message handling */ + priv->rx_over_errors = priv->stats[RAVB_BE].rx_over_errors; + priv->rx_over_errors += priv->stats[RAVB_NC].rx_over_errors; +- if (priv->rx_over_errors != ndev->stats.rx_over_errors) { ++ if (priv->rx_over_errors != ndev->stats.rx_over_errors) + ndev->stats.rx_over_errors = priv->rx_over_errors; +- netif_err(priv, rx_err, ndev, "Receive Descriptor Empty\n"); +- } +- if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors) { ++ if (priv->rx_fifo_errors != ndev->stats.rx_fifo_errors) + ndev->stats.rx_fifo_errors = priv->rx_fifo_errors; +- netif_err(priv, rx_err, ndev, "Receive FIFO Overflow\n"); +- } + out: + return budget - quota; + } diff --git a/queue-4.9/rdma-qedr-fix-rdma-cm-loopback.patch b/queue-4.9/rdma-qedr-fix-rdma-cm-loopback.patch new file mode 100644 index 00000000000..1fee3edd3cb --- /dev/null +++ b/queue-4.9/rdma-qedr-fix-rdma-cm-loopback.patch 
@@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ram Amrani +Date: Tue, 24 Jan 2017 13:51:41 +0200 +Subject: RDMA/qedr: Fix RDMA CM loopback + +From: Ram Amrani + + +[ Upstream commit af2b14b8b8ae21b0047a52c767ac8b44f435a280 ] + +The loopback logic in RDMA CM packets compares Ethernet addresses and +was accidently inverse. + +Signed-off-by: Ram Amrani +Signed-off-by: Ariel Elior +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/qedr_cm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/qedr/qedr_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_cm.c +@@ -404,9 +404,9 @@ static inline int qedr_gsi_build_packet( + } + + if (ether_addr_equal(udh.eth.smac_h, udh.eth.dmac_h)) +- packet->tx_dest = QED_ROCE_LL2_TX_DEST_NW; +- else + packet->tx_dest = QED_ROCE_LL2_TX_DEST_LB; ++ else ++ packet->tx_dest = QED_ROCE_LL2_TX_DEST_NW; + + packet->roce_mode = roce_mode; + memcpy(packet->header.vaddr, ud_header_buffer, header_size); diff --git a/queue-4.9/rdma-qedr-return-success-when-not-changing-qp-state.patch b/queue-4.9/rdma-qedr-return-success-when-not-changing-qp-state.patch new file mode 100644 index 00000000000..7d70e9044ab --- /dev/null +++ b/queue-4.9/rdma-qedr-return-success-when-not-changing-qp-state.patch 
@@ -0,0 +1,33 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ram Amrani +Date: Tue, 24 Jan 2017 13:50:34 +0200 +Subject: RDMA/qedr: Return success when not changing QP state + +From: Ram Amrani + + +[ Upstream commit 865cea40b69741c3da2574176876463233b2b67c ] + +If the user is requesting us to change the QP state to the same state +that it is already in, return success instead of failure. + +Signed-off-by: Ram Amrani +Signed-off-by: Michal Kalderon +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1653,7 +1653,7 @@ static int qedr_update_qp_state(struct q + int status = 0; + + if (new_state == qp->state) +- return 1; ++ return 0; + + switch (qp->state) { + case QED_ROCE_QP_STATE_RESET: diff --git a/queue-4.9/s390-pci-do-not-require-ais-facility.patch b/queue-4.9/s390-pci-do-not-require-ais-facility.patch new file mode 100644 index 00000000000..a32d85fe694 --- /dev/null +++ b/queue-4.9/s390-pci-do-not-require-ais-facility.patch 
@@ -0,0 +1,92 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Christian Borntraeger +Date: Mon, 30 Oct 2017 14:38:58 +0100 +Subject: s390/pci: do not require AIS facility + +From: Christian Borntraeger + + +[ Upstream commit 48070c73058be6de9c0d754d441ed7092dfc8f12 ] + +As of today QEMU does not provide the AIS facility to its guest. This +prevents Linux guests from using PCI devices as the ais facility is +checked during init. As this is just a performance optimization, we can +move the ais check into the code where we need it (calling the SIC +instruction). This is used at initialization and on interrupt. Both +places do not require any serialization, so we can simply skip the +instruction. + +Since we will now get all interrupts, we can also avoid the 2nd scan. +As we can have multiple interrupts in parallel we might trigger spurious +irqs more often for the non-AIS case but the core code can handle that. + +Signed-off-by: Christian Borntraeger +Reviewed-by: Pierre Morel +Reviewed-by: Halil Pasic +Acked-by: Sebastian Ott +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/pci_insn.h | 2 +- + arch/s390/pci/pci.c | 5 +++-- + arch/s390/pci/pci_insn.c | 6 +++++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/pci_insn.h ++++ b/arch/s390/include/asm/pci_insn.h +@@ -81,6 +81,6 @@ int zpci_refresh_trans(u64 fn, u64 addr, + int zpci_load(u64 *data, u64 req, u64 offset); + int zpci_store(u64 data, u64 req, u64 offset); + int zpci_store_block(const u64 *data, u64 req, u64 offset); +-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc); ++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc); + + #endif +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -354,7 +354,8 @@ static void zpci_irq_handler(struct airq + /* End of second scan with interrupts on. */ + break; + /* First scan complete, reenable interrupts. 
*/ +- zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC); ++ if (zpci_set_irq_ctrl(SIC_IRQ_MODE_SINGLE, NULL, PCI_ISC)) ++ break; + si = 0; + continue; + } +@@ -928,7 +929,7 @@ static int __init pci_base_init(void) + if (!s390_pci_probe) + return 0; + +- if (!test_facility(69) || !test_facility(71) || !test_facility(72)) ++ if (!test_facility(69) || !test_facility(71)) + return 0; + + rc = zpci_debug_init(); +--- a/arch/s390/pci/pci_insn.c ++++ b/arch/s390/pci/pci_insn.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -91,11 +92,14 @@ int zpci_refresh_trans(u64 fn, u64 addr, + } + + /* Set Interruption Controls */ +-void zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc) ++int zpci_set_irq_ctrl(u16 ctl, char *unused, u8 isc) + { ++ if (!test_facility(72)) ++ return -EIO; + asm volatile ( + " .insn rsy,0xeb00000000d1,%[ctl],%[isc],%[u]\n" + : : [ctl] "d" (ctl), [isc] "d" (isc << 27), [u] "Q" (*unused)); ++ return 0; + } + + /* PCI Load */ diff --git a/queue-4.9/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch b/queue-4.9/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch new file mode 100644 index 00000000000..5ae0e65fad8 --- /dev/null +++ b/queue-4.9/selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch 
@@ -0,0 +1,58 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Andy Lutomirski +Date: Sat, 4 Nov 2017 04:19:52 -0700 +Subject: selftests/x86/ldt_get: Add a few additional tests for limits + +From: Andy Lutomirski + + +[ Upstream commit fec8f5ae1715a01c72ad52cb2ecd8aacaf142302 ] + +We weren't testing the .limit and .limit_in_pages fields very well. +Add more tests. + +This addition seems to trigger the "bits 16:19 are undefined" issue +that was fixed in an earlier patch. I think that, at least on my +CPU, the high nibble of the limit ends in LAR bits 16:19. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/5601c15ea9b3113d288953fd2838b18bedf6bc67.1509794321.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/ldt_gdt.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/ldt_gdt.c ++++ b/tools/testing/selftests/x86/ldt_gdt.c +@@ -360,9 +360,24 @@ static void do_simple_tests(void) + install_invalid(&desc, false); + + desc.seg_not_present = 0; +- desc.read_exec_only = 0; + desc.seg_32bit = 1; ++ desc.read_exec_only = 0; ++ desc.limit = 0xfffff; ++ + install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB); ++ ++ desc.limit_in_pages = 1; ++ ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB | AR_G); ++ desc.read_exec_only = 1; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P | AR_DB | AR_G); ++ desc.contents = 1; ++ desc.read_exec_only = 0; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G); ++ desc.read_exec_only = 1; ++ install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G); ++ ++ desc.limit = 0; + install_invalid(&desc, true); + } + 
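Review bot: this selftest depends on an earlier fix that the patch does not identify. The commit message says the added install_valid() cases "seem to trigger the 'bits 16:19 are undefined' issue that was fixed in an earlier patch", and nothing in this patch or in the visible part of the queue-4.9/series hunk says which patch that is; confirm it is already in 4.9 before queuing this one, otherwise the new AR_G cases can fail for exactly the reason the author describes. Smaller points: the Subject says ldt_get while the file is ldt_gdt.c, and the swap of `desc.read_exec_only = 0;` and `desc.seg_32bit = 1;` at the top of the hunk is churn that makes the backport diff noisier than it needs to be.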
diff --git a/queue-4.9/serial-8250-preserve-dld-for-port_xr17v35x.patch b/queue-4.9/serial-8250-preserve-dld-for-port_xr17v35x.patch new file mode 100644 index 00000000000..404226443e7 --- /dev/null +++ b/queue-4.9/serial-8250-preserve-dld-for-port_xr17v35x.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Aaron Sierra +Date: Wed, 4 Oct 2017 10:01:28 -0500 +Subject: serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X + +From: Aaron Sierra + + +[ Upstream commit 0ab84da2e076948c49d36197ee7d254125c53eab ] + +The upper four bits of the XR17V35x fractional divisor register (DLD) +control general chip function (RS-485 direction pin polarity, multidrop +mode, XON/XOFF parity check, and fast IR mode). Don't allow these bits +to be clobbered when setting the baudrate. + +Signed-off-by: Aaron Sierra +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2526,8 +2526,11 @@ static void serial8250_set_divisor(struc + serial_dl_write(up, quot); + + /* XR17V35x UARTs have an extra fractional divisor register (DLD) */ +- if (up->port.type == PORT_XR17V35X) ++ if (up->port.type == PORT_XR17V35X) { ++ /* Preserve bits not related to baudrate; DLD[7:4]. */ ++ quot_frac |= serial_port_in(port, 0x2) & 0xf0; + serial_port_out(port, 0x2, quot_frac); ++ } + } + + static unsigned int serial8250_get_baud_rate(struct uart_port *port, diff --git a/queue-4.9/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch b/queue-4.9/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch new file mode 100644 index 00000000000..a77b2d11a5f --- /dev/null +++ b/queue-4.9/serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch 
@@ -0,0 +1,42 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Lukas Wunner +Date: Sat, 28 Oct 2017 11:35:49 +0200 +Subject: serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() + +From: Lukas Wunner + + +[ Upstream commit 3236a965486ba0c6043cf2c7b51943d8b382ae29 ] + +This driver's ->rs485_config callback checks if SER_RS485_RTS_ON_SEND +and SER_RS485_RTS_AFTER_SEND have the same value. If they do, it means +the user has passed in invalid data with the TIOCSRS485 ioctl() +since RTS must have a different polarity when sending and when not +sending. In this case, rs485 mode is not enabled (the RS485_URA bit +is not set in the RS485 Enable Register) and this is supposed to be +signaled back to the user by clearing the SER_RS485_ENABLED bit in +struct serial_rs485 ... except a missing tilde character is preventing +that from happening. + +Fixes: 28e3fb6c4dce ("serial: Add support for Fintek F81216A LPC to 4 UART") +Cc: Ricardo Ribalda Delgado +Cc: "Ji-Ze Hong (Peter Hong)" +Signed-off-by: Lukas Wunner +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_fintek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_fintek.c ++++ b/drivers/tty/serial/8250/8250_fintek.c +@@ -121,7 +121,7 @@ static int fintek_8250_rs485_config(stru + + if ((!!(rs485->flags & SER_RS485_RTS_ON_SEND)) == + (!!(rs485->flags & SER_RS485_RTS_AFTER_SEND))) +- rs485->flags &= SER_RS485_ENABLED; ++ rs485->flags &= ~SER_RS485_ENABLED; + else + config |= RS485_URA; + diff --git a/queue-4.9/series b/queue-4.9/series index 8e85e09ba30..a9216a8f6d5 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -8,3 +8,81 @@ uas-always-apply-us_fl_no_ata_1x-quirk-to-seagate-devices.patch usb-quirks-add-no-lpm-quirk-for-ky-688-usb-3.1-type-c-hub.patch serial-8250_pci-add-amazon-pci-serial-device-id.patch s390-runtime-instrumentation-simplify-task-exit-handling.patch +usb-serial-option-add-quectel-bg96-id.patch +ima-fix-hash-algorithm-initialization.patch +s390-pci-do-not-require-ais-facility.patch +selftests-x86-ldt_get-add-a-few-additional-tests-for-limits.patch +staging-greybus-loopback-fix-iteration-count-on-async-path.patch +m68k-fix-coldfire-node-shift-size-calculation.patch +serial-8250_fintek-fix-rs485-disablement-on-invalid-ioctl.patch +staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch +spi-sh-msiof-fix-dma-transfer-size-check.patch +spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch +mmc-sdhci-msm-fix-issue-with-power-irq.patch +usb-dwc2-fix-udc-state-tracking.patch +usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch +usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch +serial-8250-preserve-dld-for-port_xr17v35x.patch +kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch +x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch +edac-sb_edac-fix-missing-break-in-switch.patch +sysrq-fix-show-regs-call-trace-on-arm.patch +usbip-tools-install-all-headers-needed-for-libusbip-development.patch +perf-test-attr-fix-ignored-test-case-result.patch +kprobes-x86-disable-preemption-in-ftrace-based-jprobes.patch +tools-include-do-not-use-poison-with-c.patch +iio-adc-ti-ads1015-add-10-to-conversion-wait-time.patch +dax-avoid-page-invalidation-races-and-unnecessary-radix-tree-traversals.patch +net-mlx4_en-fix-type-mismatch-for-32-bit-systems.patch +l2tp-take-remote-address-into-account-in-l2tp_ip-and-l2tp_ip6-socket-lookups.patch +dmaengine-stm32-dma-set-correct-args-number-for-dma-request-from-dt.patch +dmaengine-stm32-dma-fix-null-pointer-dereference-in-stm32_dma_tx_status.patch 
+usb-gadget-f_fs-fix-extcompat-descriptor-validation.patch +libcxgb-fix-error-check-for-ip6_route_output.patch +net-systemport-utilize-skb_put_padto.patch +net-systemport-pad-packet-before-inserting-tsb.patch +arm-omap2-fix-wl1283-bluetooth-baud-rate.patch +arm-omap1-dma-correct-the-number-of-logical-channels.patch +vti6-fix-device-register-to-report-ifla_info_kind.patch +be2net-fix-accesses-to-unicast-list.patch +be2net-fix-unicast-list-filling.patch +net-appletalk-fix-kernel-memory-disclosure.patch +libfs-modify-mount_pseudo_xattr-to-be-clear-it-is-not-a-userspace-mount.patch +net-qrtr-mark-buf-as-little-endian.patch +mm-fix-remote-numa-hits-statistics.patch +mac80211-calculate-min-channel-width-correctly.patch +ravb-remove-rx-overflow-log-messages.patch +nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch +drm-exynos-decon5433-update-shadow-registers-iff-there-are-active-windows.patch +drm-exynos-decon5433-set-standalone_update_f-also-if-planes-are-disabled.patch +kvm-arm-arm64-fix-occasional-warning-from-the-timer-work-function.patch +mac80211-prevent-skb-txq-mismatch.patch +nfsv4-fix-client-recovery-when-server-reboots-multiple-times.patch +perf-x86-intel-account-interrupts-for-pebs-errors.patch +powerpc-mm-fix-memory-hotplug-bug-on-radix.patch +qla2xxx-fix-wrong-iocb-type-assumption.patch +drm-amdgpu-fix-bug-set-incorrect-value-to-vce-register.patch +drm-exynos-decon5433-set-standalone_update_f-on-output-enablement.patch +net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch +x86-fpu-set-the-xcomp_bv-when-we-fake-up-a-xsaves-area.patch +drm-amdgpu-fix-unload-driver-issue-for-virtual-display.patch +mac80211-don-t-try-to-sleep-in-rate_control_rate_init.patch +rdma-qedr-return-success-when-not-changing-qp-state.patch +rdma-qedr-fix-rdma-cm-loopback.patch +tipc-fix-nametbl_lock-soft-lockup-at-module-exit.patch +tipc-fix-cleanup-at-module-unload.patch +dmaengine-pl330-fix-double-lock.patch +tcp-correct-memory-barrier-usage-in-tcp_check_space.patch 
+i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch +nvmet-cancel-fatal-error-and-flush-async-work-before-free-controller.patch +gtp-clear-df-bit-on-gtp-packet-tx.patch +gtp-fix-cross-netns-recv-on-gtp-socket.patch +net-phy-micrel-ksz8795-do-not-set-supported_pause.patch +net-thunderx-avoid-dereferencing-xcv-when-null.patch +be2net-fix-initial-mac-setting.patch +vfio-spapr-fix-missing-mutex-unlock-when-creating-a-window.patch +mm-avoid-returning-vm_fault_retry-from-page_mkwrite-handlers.patch +xen-netfront-improve-error-handling-during-initialization.patch +cec-initiator-should-be-the-same-as-the-destination-for-poll.patch +xen-netback-vif-counters-from-int-long-to-u64.patch +net-fec-fix-multicast-filtering-hardware-setup.patch diff --git a/queue-4.9/spi-sh-msiof-fix-dma-transfer-size-check.patch b/queue-4.9/spi-sh-msiof-fix-dma-transfer-size-check.patch new file mode 100644 index 00000000000..584a1025a08 --- /dev/null +++ b/queue-4.9/spi-sh-msiof-fix-dma-transfer-size-check.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Hiromitsu Yamasaki +Date: Thu, 2 Nov 2017 10:32:36 +0100 +Subject: spi: sh-msiof: Fix DMA transfer size check + +From: Hiromitsu Yamasaki + + +[ Upstream commit 36735783fdb599c94b9c86824583df367c65900b ] + +DMA supports 32-bit words only, +even if BITLEN1 of SITMDR2 register is 16bit. + +Fixes: b0d0ce8b6b91 ("spi: sh-msiof: Add DMA support") +Signed-off-by: Hiromitsu Yamasaki +Signed-off-by: Simon Horman +Acked-by: Geert Uytterhoeven +Acked-by: Dirk Behme +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sh-msiof.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -862,7 +862,7 @@ static int sh_msiof_transfer_one(struct + break; + copy32 = copy_bswap32; + } else if (bits <= 16) { +- if (l & 1) ++ if (l & 3) + break; + copy32 = copy_wswap32; + } else { 
diff --git a/queue-4.9/spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch b/queue-4.9/spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch new file mode 100644 index 00000000000..fe57f465975 --- /dev/null +++ b/queue-4.9/spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Johan Hovold +Date: Mon, 30 Oct 2017 11:35:27 +0100 +Subject: spi: spi-axi: fix potential use-after-free after deregistration + +From: Johan Hovold + + +[ Upstream commit 4d5e0689dc9d5640ad46cdfbe1896b74d8df1661 ] + +Take an extra reference to the controller before deregistering it to +prevent use-after-free in the interrupt handler in case an interrupt +fires before the line is disabled. + +Fixes: b1353d1c1d45 ("spi: Add Analog Devices AXI SPI Engine controller support") +Acked-by: Lars-Peter Clausen +Signed-off-by: Johan Hovold +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-axi-spi-engine.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-axi-spi-engine.c ++++ b/drivers/spi/spi-axi-spi-engine.c +@@ -553,7 +553,7 @@ err_put_master: + + static int spi_engine_remove(struct platform_device *pdev) + { +- struct spi_master *master = platform_get_drvdata(pdev); ++ struct spi_master *master = spi_master_get(platform_get_drvdata(pdev)); + struct spi_engine *spi_engine = spi_master_get_devdata(master); + int irq = platform_get_irq(pdev, 0); + +@@ -561,6 +561,8 @@ static int spi_engine_remove(struct plat + + free_irq(irq, master); + ++ spi_master_put(master); ++ + writel_relaxed(0xff, spi_engine->base + SPI_ENGINE_REG_INT_PENDING); + writel_relaxed(0x00, spi_engine->base + SPI_ENGINE_REG_INT_ENABLE); + writel_relaxed(0x01, spi_engine->base + SPI_ENGINE_REG_RESET); 
diff --git a/queue-4.9/staging-greybus-loopback-fix-iteration-count-on-async-path.patch b/queue-4.9/staging-greybus-loopback-fix-iteration-count-on-async-path.patch new file mode 100644 index 00000000000..ff748c7fb8a --- /dev/null +++ b/queue-4.9/staging-greybus-loopback-fix-iteration-count-on-async-path.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Bryan O'Donoghue +Date: Mon, 6 Nov 2017 01:32:20 +0000 +Subject: staging: greybus: loopback: Fix iteration count on async path + +From: Bryan O'Donoghue + + +[ Upstream commit 44b02da39210e6dd67e39ff1f48d30c56d384240 ] + +Commit 12927835d211 ("greybus: loopback: Add asynchronous bi-directional +support") does what it says on the tin - namely, adds support for +asynchronous bi-directional loopback operations. + +What it neglects to do though is increment the per-connection +gb->iteration_count on an asynchronous operation error. This patch fixes +that omission. + +Fixes: 12927835d211 ("greybus: loopback: Add asynchronous bi-directional support") + +Signed-off-by: Bryan O'Donoghue +Reported-by: Mitch Tasman +Reviewed-by: Johan Hovold +Cc: Alex Elder +Cc: Mitch Tasman +Cc: greybus-dev@lists.linaro.org +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/greybus/loopback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/staging/greybus/loopback.c ++++ b/drivers/staging/greybus/loopback.c +@@ -1034,8 +1034,10 @@ static int gb_loopback_fn(void *data) + error = gb_loopback_async_sink(gb, size); + } + +- if (error) ++ if (error) { + gb->error++; ++ gb->iteration_count++; ++ } + } else { + /* We are effectively single threaded here */ + if (type == GB_LOOPBACK_TYPE_PING) 
diff --git a/queue-4.9/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch b/queue-4.9/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch new file mode 100644 index 00000000000..c288c824ccd --- /dev/null +++ b/queue-4.9/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Colin Ian King +Date: Fri, 20 Oct 2017 20:40:24 +0200 +Subject: staging: rtl8188eu: avoid a null dereference on pmlmepriv + +From: Colin Ian King + + +[ Upstream commit 123c0aab0050cd0e07ce18e453389fbbb0a5a425 ] + +There is a check on pmlmepriv before dereferencing it when +vfree'ing pmlmepriv->free_bss_buf however the previous call +to rtw_free_mlme_priv_ie_data deferences pmlmepriv causing +a null pointer deference if it is null. Avoid this by also +calling rtw_free_mlme_priv_ie_data if the pointer is non-null. + +Detected by CoverityScan, CID#1230262 ("Dereference before null check") +Fixes: 7b464c9fa5cc ("staging: r8188eu: Add files for new driver - part 4") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8188eu/core/rtw_mlme.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c ++++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c +@@ -107,10 +107,10 @@ void rtw_free_mlme_priv_ie_data(struct m + + void rtw_free_mlme_priv(struct mlme_priv *pmlmepriv) + { +- rtw_free_mlme_priv_ie_data(pmlmepriv); +- +- if (pmlmepriv) ++ if (pmlmepriv) { ++ rtw_free_mlme_priv_ie_data(pmlmepriv); + vfree(pmlmepriv->free_bss_buf); ++ } + } + + struct wlan_network *_rtw_alloc_network(struct mlme_priv *pmlmepriv) diff --git a/queue-4.9/sysrq-fix-show-regs-call-trace-on-arm.patch b/queue-4.9/sysrq-fix-show-regs-call-trace-on-arm.patch new file mode 100644 index 00000000000..fb2e3228b00 --- /dev/null +++ b/queue-4.9/sysrq-fix-show-regs-call-trace-on-arm.patch 
@@ -0,0 +1,77 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Jibin Xu +Date: Sun, 10 Sep 2017 20:11:42 -0700 +Subject: sysrq : fix Show Regs call trace on ARM + +From: Jibin Xu + + +[ Upstream commit b00bebbc301c8e1f74f230dc82282e56b7e7a6db ] + +When kernel configuration SMP,PREEMPT and DEBUG_PREEMPT are enabled, +echo 1 >/proc/sys/kernel/sysrq +echo p >/proc/sysrq-trigger +kernel will print call trace as below: + +sysrq: SysRq : Show Regs +BUG: using __this_cpu_read() in preemptible [00000000] code: sh/435 +caller is __this_cpu_preempt_check+0x18/0x20 +Call trace: +[] dump_backtrace+0x0/0x1d0 +[] show_stack+0x24/0x30 +[] dump_stack+0x90/0xb0 +[] check_preemption_disabled+0x100/0x108 +[] __this_cpu_preempt_check+0x18/0x20 +[] sysrq_handle_showregs+0x1c/0x40 +[] __handle_sysrq+0x12c/0x1a0 +[] write_sysrq_trigger+0x60/0x70 +[] proc_reg_write+0x90/0xd0 +[] __vfs_write+0x48/0x90 +[] vfs_write+0xa4/0x190 +[] SyS_write+0x54/0xb0 +[] el0_svc_naked+0x24/0x28 + +This can be seen on a common board like an r-pi3. +This happens because when echo p >/proc/sysrq-trigger, +get_irq_regs() is called outside of IRQ context, +if preemption is enabled in this situation,kernel will +print the call trace. Since many prior discussions on +the mailing lists have made it clear that get_irq_regs +either just returns NULL or stale data when used outside +of IRQ context,we simply avoid calling it outside of +IRQ context. 
+ +Signed-off-by: Jibin Xu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/sysrq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -243,8 +243,10 @@ static void sysrq_handle_showallcpus(int + * architecture has no support for it: + */ + if (!trigger_all_cpu_backtrace()) { +- struct pt_regs *regs = get_irq_regs(); ++ struct pt_regs *regs = NULL; + ++ if (in_irq()) ++ regs = get_irq_regs(); + if (regs) { + pr_info("CPU%d:\n", smp_processor_id()); + show_regs(regs); +@@ -263,7 +265,10 @@ static struct sysrq_key_op sysrq_showall + + static void sysrq_handle_showregs(int key) + { +- struct pt_regs *regs = get_irq_regs(); ++ struct pt_regs *regs = NULL; ++ ++ if (in_irq()) ++ regs = get_irq_regs(); + if (regs) + show_regs(regs); + perf_event_print_debug(); diff --git a/queue-4.9/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch b/queue-4.9/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch new file mode 100644 index 00000000000..007e745fd88 --- /dev/null +++ b/queue-4.9/tcp-correct-memory-barrier-usage-in-tcp_check_space.patch 
@@ -0,0 +1,37 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Jason Baron +Date: Tue, 24 Jan 2017 21:49:41 -0500 +Subject: tcp: correct memory barrier usage in tcp_check_space() + +From: Jason Baron + + +[ Upstream commit 56d806222ace4c3aeae516cd7a855340fb2839d8 ] + +sock_reset_flag() maps to __clear_bit() not the atomic version clear_bit(). +Thus, we need smp_mb(), smp_mb__after_atomic() is not sufficient. + +Fixes: 3c7151275c0c ("tcp: add memory barriers to write space paths") +Cc: Eric Dumazet +Cc: Oleg Nesterov +Signed-off-by: Jason Baron +Acked-by: Eric Dumazet +Reported-by: Oleg Nesterov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5081,7 +5081,7 @@ static void tcp_check_space(struct sock + if (sock_flag(sk, SOCK_QUEUE_SHRUNK)) { + sock_reset_flag(sk, SOCK_QUEUE_SHRUNK); + /* pairs with tcp_poll() */ +- smp_mb__after_atomic(); ++ smp_mb(); + if (sk->sk_socket && + test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) + tcp_new_space(sk); diff --git a/queue-4.9/tipc-fix-cleanup-at-module-unload.patch b/queue-4.9/tipc-fix-cleanup-at-module-unload.patch new file mode 100644 index 00000000000..5b32b18b536 --- /dev/null +++ b/queue-4.9/tipc-fix-cleanup-at-module-unload.patch 
@@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Parthasarathy Bhuvaragan +Date: Tue, 24 Jan 2017 13:00:48 +0100 +Subject: tipc: fix cleanup at module unload + +From: Parthasarathy Bhuvaragan + + +[ Upstream commit 35e22e49a5d6a741ebe7f2dd280b2052c3003ef7 ] + +In tipc_server_stop(), we iterate over the connections with limiting +factor as server's idr_in_use. We ignore the fact that this variable +is decremented in tipc_close_conn(), leading to premature exit. + +In this commit, we iterate until the we have no connections left. + +Acked-by: Ying Xue +Acked-by: Jon Maloy +Tested-by: John Thompson +Signed-off-by: Parthasarathy Bhuvaragan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/server.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/tipc/server.c ++++ b/net/tipc/server.c +@@ -619,14 +619,12 @@ int tipc_server_start(struct tipc_server + void tipc_server_stop(struct tipc_server *s) + { + struct tipc_conn *con; +- int total = 0; + int id; + + spin_lock_bh(&s->idr_lock); +- for (id = 0; total < s->idr_in_use; id++) { ++ for (id = 0; s->idr_in_use; id++) { + con = idr_find(&s->conn_idr, id); + if (con) { +- total++; + spin_unlock_bh(&s->idr_lock); + tipc_close_conn(con); + spin_lock_bh(&s->idr_lock); diff --git a/queue-4.9/tipc-fix-nametbl_lock-soft-lockup-at-module-exit.patch b/queue-4.9/tipc-fix-nametbl_lock-soft-lockup-at-module-exit.patch new file mode 100644 index 00000000000..14ca0a295d1 --- /dev/null +++ b/queue-4.9/tipc-fix-nametbl_lock-soft-lockup-at-module-exit.patch 
@@ -0,0 +1,101 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Parthasarathy Bhuvaragan +Date: Tue, 24 Jan 2017 13:00:46 +0100 +Subject: tipc: fix nametbl_lock soft lockup at module exit + +From: Parthasarathy Bhuvaragan + + +[ Upstream commit 9dc3abdd1f7ea524e8552e0a3ef01219892ed1f4 ] + +Commit 333f796235a527 ("tipc: fix a race condition leading to +subscriber refcnt bug") reveals a soft lockup while acquiring +nametbl_lock. + +Before commit 333f796235a527, we call tipc_conn_shutdown() from +tipc_close_conn() in the context of tipc_topsrv_stop(). In that +context, we are allowed to grab the nametbl_lock. + +Commit 333f796235a527, moved tipc_conn_release (renamed from +tipc_conn_shutdown) to the connection refcount cleanup. This allows +either tipc_nametbl_withdraw() or tipc_topsrv_stop() to the cleanup. + +Since tipc_exit_net() first calls tipc_topsrv_stop() and then +tipc_nametble_withdraw() increases the chances for the later to +perform the connection cleanup. + +The soft lockup occurs in the call chain of tipc_nametbl_withdraw(), +when it performs the tipc_conn_kref_release() as it tries to grab +nametbl_lock again while holding it already. +tipc_nametbl_withdraw() grabs nametbl_lock + tipc_nametbl_remove_publ() + tipc_subscrp_report_overlap() + tipc_subscrp_send_event() + tipc_conn_sendmsg() + << if (con->flags != CF_CONNECTED) we do conn_put(), + triggering the cleanup as refcount=0. >> + tipc_conn_kref_release + tipc_sock_release + tipc_conn_release + tipc_subscrb_delete + tipc_subscrp_delete + tipc_nametbl_unsubscribe << Soft Lockup >> + +The previous changes in this series fixes the race conditions fixed +by commit 333f796235a527. Hence we can now revert the commit. + +Fixes: 333f796235a52727 ("tipc: fix a race condition leading to subscriber refcnt bug") +Reported-and-Tested-by: John Thompson +Acked-by: Ying Xue +Acked-by: Jon Maloy +Signed-off-by: Parthasarathy Bhuvaragan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/server.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/net/tipc/server.c ++++ b/net/tipc/server.c +@@ -86,7 +86,6 @@ struct outqueue_entry { + static void tipc_recv_work(struct work_struct *work); + static void tipc_send_work(struct work_struct *work); + static void tipc_clean_outqueues(struct tipc_conn *con); +-static void tipc_sock_release(struct tipc_conn *con); + + static void tipc_conn_kref_release(struct kref *kref) + { +@@ -104,7 +103,6 @@ static void tipc_conn_kref_release(struc + } + saddr->scope = -TIPC_NODE_SCOPE; + kernel_bind(sock, (struct sockaddr *)saddr, sizeof(*saddr)); +- tipc_sock_release(con); + sock_release(sock); + con->sock = NULL; + +@@ -194,19 +192,15 @@ static void tipc_unregister_callbacks(st + write_unlock_bh(&sk->sk_callback_lock); + } + +-static void tipc_sock_release(struct tipc_conn *con) ++static void tipc_close_conn(struct tipc_conn *con) + { + struct tipc_server *s = con->server; + +- if (con->conid) +- s->tipc_conn_release(con->conid, con->usr_data); +- +- tipc_unregister_callbacks(con); +-} +- +-static void tipc_close_conn(struct tipc_conn *con) +-{ + if (test_and_clear_bit(CF_CONNECTED, &con->flags)) { ++ tipc_unregister_callbacks(con); ++ ++ if (con->conid) ++ s->tipc_conn_release(con->conid, con->usr_data); + + /* We shouldn't flush pending works as we may be in the + * thread. In fact the races with pending rx/tx work structs diff --git a/queue-4.9/tools-include-do-not-use-poison-with-c.patch b/queue-4.9/tools-include-do-not-use-poison-with-c.patch new file mode 100644 index 00000000000..0abbb0e6bd6 --- /dev/null +++ b/queue-4.9/tools-include-do-not-use-poison-with-c.patch 
@@ -0,0 +1,81 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Arnaldo Carvalho de Melo +Date: Thu, 21 Sep 2017 12:12:17 -0300 +Subject: tools include: Do not use poison with C++ + +From: Arnaldo Carvalho de Melo + + +[ Upstream commit 6ae8eefc6c8fe050f057781b70a83262eb0a61ee ] + +LIST_POISON[12] are used to initialize list_head and hlist_node +pointers, and do void pointer arithmetic, which C++ doesn't like, so, to +avoid drifting from the kernel by introducing some HLIST_POISON to do +away with void pointer math, just make those poisoned pointers be NULL +when building it with a C++ compiler. + +Noticed with: + + $ make LLVM_CONFIG=/usr/bin/llvm-config-3.9 LIBCLANGLLVM=1 + CXX util/c++/clang.o + CXX util/c++/clang-test.o + In file included from /home/lizj/linux/tools/include/linux/list.h:5:0, + from /home/lizj/linux/tools/perf/util/namespaces.h:13, + from /home/lizj/linux/tools/perf/util/util.h:15, + from /home/lizj/linux/tools/perf/util/util-cxx.h:20, + from util/c++/clang-c.h:5, + from util/c++/clang-test.cpp:2: + /home/lizj/linux/tools/include/linux/list.h: In function ‘void list_del(list_head*)’: + /home/lizj/linux/tools/include/linux/poison.h:14:31: error: pointer of type ‘void *’ used in arithmetic [-Werror=pointer-arith] + # define POISON_POINTER_DELTA 0 + ^ + /home/lizj/linux/tools/include/linux/poison.h:22:41: note: in expansion of macro ‘POISON_POINTER_DELTA’ + #define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA) + ^ + /home/lizj/linux/tools/include/linux/list.h:107:16: note: in expansion of macro ‘LIST_POISON1’ + entry->next = LIST_POISON1; + ^ + In file included from /home/lizj/linux/tools/perf/util/namespaces.h:13:0, + from /home/lizj/linux/tools/perf/util/util.h:15, + from /home/lizj/linux/tools/perf/util/util-cxx.h:20, + from util/c++/clang-c.h:5, + from util/c++/clang-test.cpp:2: + /home/lizj/linux/tools/include/linux/list.h:107:14: error: invalid conversion from ‘void*’ to ‘list_head*’ [-fpermissive] + +Reported-by: Li Zhijian +Cc: 
Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Philip Li +Cc: Wang Nan +Link: http://lkml.kernel.org/n/tip-m5ei2o0mjshucbr28baf5lqz@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/linux/poison.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/tools/include/linux/poison.h ++++ b/tools/include/linux/poison.h +@@ -14,6 +14,10 @@ + # define POISON_POINTER_DELTA 0 + #endif + ++#ifdef __cplusplus ++#define LIST_POISON1 NULL ++#define LIST_POISON2 NULL ++#else + /* + * These are non-NULL pointers that will result in page faults + * under normal circumstances, used to verify that nobody uses +@@ -21,6 +25,7 @@ + */ + #define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA) + #define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA) ++#endif + + /********** include/linux/timer.h **********/ + /* diff --git a/queue-4.9/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch b/queue-4.9/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch new file mode 100644 index 00000000000..b0b62286e63 --- /dev/null +++ b/queue-4.9/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch 
@@ -0,0 +1,109 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: John Stultz +Date: Mon, 23 Oct 2017 14:32:49 -0700 +Subject: usb: dwc2: Error out of dwc2_hsotg_ep_disable() if we're in host mode + +From: John Stultz + + +[ Upstream commit 9b481092c2a31a6b630aff9c28f0145bf6683787 ] + +We've found that while in host mode, using Android, if one runs +the command: + stop adbd + +The existing usb devices being utilized in host mode are disconnected. +This is most visible with usb networking devices. + +This seems to be due to adbd closing the file: + /dev/usb-ffs/adb/ep0 +Which calls ffs_ep0_release() and the following backtrace: + +[] dwc2_hsotg_ep_disable+0x148/0x150 +[] dwc2_hsotg_udc_stop+0x60/0x110 +[] usb_gadget_remove_driver+0x58/0x78 +[] usb_gadget_unregister_driver+0x74/0xe8 +[] unregister_gadget+0x28/0x58 +[] unregister_gadget_item+0x2c/0x40 +[] ffs_data_clear+0xe8/0xf8 +[] ffs_data_reset+0x20/0x58 +[] ffs_data_closed+0x98/0xe8 +[] ffs_ep0_release+0x20/0x30 + +Then when dwc2_hsotg_ep_disable() is called, we call +kill_all_requests() which causes a bunch of the following +messages: + +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +dwc2 f72c0000.usb: Mode Mismatch Interrupt: currently in Host mode +init: Service 'adbd' (pid 1915) killed by signal 9 +init: Sending signal 9 to service 'adbd' (pid 1915) process group... 
+init: Successfully killed process cgroup uid 0 pid 1915 in 0ms +init: processing action (init.svc.adbd=stopped) from (/init.usb.configfs.rc:15) +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 8 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 12 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 15 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 3 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_hc_chhltd_intr_dma: Channel 4 - ChHltd set, but reason is unknown +dwc2 f72c0000.usb: hcint 0x00000002, intsts 0x04200029 +dwc2 f72c0000.usb: dwc2_update_urb_state_abn(): trimming xfer length + +And the usb devices connected are basically hung at this point. + +It seems like if we're in host mode, we probably shouldn't run +the dwc2_hostg_ep_disable logic, so this patch returns an error +in that case. + +With this patch (along with the previous patch in this set), we avoid +the mismatched interrupts and connected usb devices continue to function. + +I'm not sure if some other solution would be better here, but this seems +to work, so I wanted to send it out for input on what the right approach +should be. 
+ +Cc: Wei Xu +Cc: Guodong Xu +Cc: Amit Pundir +Cc: YongQin Liu +Cc: John Youn +Cc: Minas Harutyunyan +Cc: Douglas Anderson +Cc: Chen Yu +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Acked-by: Minas Harutyunyan +Tested-by: Minas Harutyunyan +Reported-by: YongQin Liu +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -3117,6 +3117,11 @@ static int dwc2_hsotg_ep_disable(struct + return -EINVAL; + } + ++ if (hsotg->op_state != OTG_STATE_B_PERIPHERAL) { ++ dev_err(hsotg->dev, "%s: called in host mode?\n", __func__); ++ return -EINVAL; ++ } ++ + epctrl_reg = dir_in ? DIEPCTL(index) : DOEPCTL(index); + + spin_lock_irqsave(&hsotg->lock, flags); diff --git a/queue-4.9/usb-dwc2-fix-udc-state-tracking.patch b/queue-4.9/usb-dwc2-fix-udc-state-tracking.patch new file mode 100644 index 00000000000..fc972edc731 --- /dev/null +++ b/queue-4.9/usb-dwc2-fix-udc-state-tracking.patch 
@@ -0,0 +1,55 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: John Stultz +Date: Mon, 23 Oct 2017 14:32:50 -0700 +Subject: usb: dwc2: Fix UDC state tracking + +From: John Stultz + + +[ Upstream commit ce2b21a4e5ce042c0a42c9db8fa9e0f849427d5e ] + +It has been noticed that the dwc2 udc state reporting doesn't +seem to work (at least on HiKey boards). Where after the initial +setup, the sysfs /sys/class/udc/f72c0000.usb/state file would +report "configured" no matter the state of the OTG port. + +This patch adds a call so that we report to the UDC layer when +the gadget device is disconnected. + +This patch does depend on the previous patch ("usb: dwc2: +Improve gadget state disconnection handling") in this patch set +in order to properly work. + +Cc: Wei Xu +Cc: Guodong Xu +Cc: Amit Pundir +Cc: YongQin Liu +Cc: John Youn +Cc: Minas Harutyunyan +Cc: Douglas Anderson +Cc: Chen Yu +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Acked-by: Minas Harutyunyan +Tested-by: Minas Harutyunyan +Reported-by: Amit Pundir +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -2467,6 +2467,8 @@ void dwc2_hsotg_disconnect(struct dwc2_h + + call_gadget(hsotg, disconnect); + hsotg->lx_state = DWC2_L3; ++ ++ usb_gadget_set_state(&hsotg->gadget, USB_STATE_NOTATTACHED); + } + + /** diff --git a/queue-4.9/usb-gadget-f_fs-fix-extcompat-descriptor-validation.patch b/queue-4.9/usb-gadget-f_fs-fix-extcompat-descriptor-validation.patch new file mode 100644 index 00000000000..633ad136c26 --- /dev/null +++ b/queue-4.9/usb-gadget-f_fs-fix-extcompat-descriptor-validation.patch 
@@ -0,0 +1,32 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Vincent Pelletier +Date: Thu, 15 Dec 2016 12:47:42 +0000 +Subject: usb: gadget: f_fs: Fix ExtCompat descriptor validation + +From: Vincent Pelletier + + +[ Upstream commit 354bc45bf329494ef6051f3229ef50b9e2a7ea2a ] + +Reserved1 is documented as expected to be set to 0, but this test fails +when it it set to 0. Reverse the condition. + +Signed-off-by: Vincent Pelletier +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2263,7 +2263,7 @@ static int __ffs_data_do_os_desc(enum ff + + if (len < sizeof(*d) || + d->bFirstInterfaceNumber >= ffs->interfaces_count || +- !d->Reserved1) ++ d->Reserved1) + return -EINVAL; + for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i) + if (d->Reserved2[i]) diff --git a/queue-4.9/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch b/queue-4.9/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch new file mode 100644 index 00000000000..947314c7b75 --- /dev/null +++ b/queue-4.9/usb-phy-tahvo-fix-error-handling-in-tahvo_usb_probe.patch 
@@ -0,0 +1,35 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Alexey Khoroshilov +Date: Sat, 21 Oct 2017 01:02:07 +0300 +Subject: usb: phy: tahvo: fix error handling in tahvo_usb_probe() + +From: Alexey Khoroshilov + + +[ Upstream commit ce035409bfa892a2fabb89720b542e1b335c3426 ] + +If devm_extcon_dev_allocate() fails, we should disable clk before return. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Fixes: 860d2686fda7 ("usb: phy: tahvo: Use devm_extcon_dev_[allocate|register]() and replace deprecated API") +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-tahvo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy-tahvo.c ++++ b/drivers/usb/phy/phy-tahvo.c +@@ -368,7 +368,8 @@ static int tahvo_usb_probe(struct platfo + tu->extcon = devm_extcon_dev_allocate(&pdev->dev, tahvo_cable); + if (IS_ERR(tu->extcon)) { + dev_err(&pdev->dev, "failed to allocate memory for extcon\n"); +- return -ENOMEM; ++ ret = PTR_ERR(tu->extcon); ++ goto err_disable_clk; + } + + ret = devm_extcon_dev_register(&pdev->dev, tu->extcon); diff --git a/queue-4.9/usb-serial-option-add-quectel-bg96-id.patch b/queue-4.9/usb-serial-option-add-quectel-bg96-id.patch new file mode 100644 index 00000000000..92aadf41d4a --- /dev/null +++ b/queue-4.9/usb-serial-option-add-quectel-bg96-id.patch 
@@ -0,0 +1,41 @@ +From c654b21ede93845863597de9ad774fd30db5f2ab Mon Sep 17 00:00:00 2001 +From: Sebastian Sjoholm +Date: Mon, 20 Nov 2017 19:29:32 +0100 +Subject: USB: serial: option: add Quectel BG96 id + +From: Sebastian Sjoholm + +commit c654b21ede93845863597de9ad774fd30db5f2ab upstream. + +Quectel BG96 is an Qualcomm MDM9206 based IoT modem, supporting both +CAT-M and NB-IoT. Tested hardware is BG96 mounted on Quectel +development board (EVB). The USB id is added to option.c to allow +DIAG,GPS,AT and modem communication with the BG96. + +Signed-off-by: Sebastian Sjoholm +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -241,6 +241,7 @@ static void option_instat_callback(struc + /* These Quectel products use Quectel's vendor ID */ + #define QUECTEL_PRODUCT_EC21 0x0121 + #define QUECTEL_PRODUCT_EC25 0x0125 ++#define QUECTEL_PRODUCT_BG96 0x0296 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -1185,6 +1186,8 @@ static const struct usb_device_id option + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003), diff --git a/queue-4.9/usbip-tools-install-all-headers-needed-for-libusbip-development.patch b/queue-4.9/usbip-tools-install-all-headers-needed-for-libusbip-development.patch new file mode 100644 index 00000000000..c14871feede --- /dev/null +++ b/queue-4.9/usbip-tools-install-all-headers-needed-for-libusbip-development.patch 
@@ -0,0 +1,35 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ben Hutchings +Date: Sun, 1 Oct 2017 02:18:37 +0100 +Subject: usbip: tools: Install all headers needed for libusbip development + +From: Ben Hutchings + + +[ Upstream commit c15562c0dcb2c7f26e891923b784cf1926b8c833 ] + +usbip_host_driver.h now depends on several additional headers, which +need to be installed along with it. + +Fixes: 021aed845303 ("staging: usbip: userspace: migrate usbip_host_driver ...") +Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with ...") +Signed-off-by: Ben Hutchings +Acked-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/usbip/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/usb/usbip/Makefile.am ++++ b/tools/usb/usbip/Makefile.am +@@ -1,6 +1,7 @@ + SUBDIRS := libsrc src + includedir = @includedir@/usbip + include_HEADERS := $(addprefix libsrc/, \ +- usbip_common.h vhci_driver.h usbip_host_driver.h) ++ usbip_common.h vhci_driver.h usbip_host_driver.h \ ++ list.h sysfs_utils.h usbip_host_common.h) + + dist_man_MANS := $(addprefix doc/, usbip.8 usbipd.8) diff --git a/queue-4.9/vfio-spapr-fix-missing-mutex-unlock-when-creating-a-window.patch b/queue-4.9/vfio-spapr-fix-missing-mutex-unlock-when-creating-a-window.patch new file mode 100644 index 00000000000..dd4e0edcdb6 --- /dev/null +++ b/queue-4.9/vfio-spapr-fix-missing-mutex-unlock-when-creating-a-window.patch 
@@ -0,0 +1,45 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Alexey Kardashevskiy +Date: Wed, 1 Feb 2017 14:26:16 +1100 +Subject: vfio/spapr: Fix missing mutex unlock when creating a window + +From: Alexey Kardashevskiy + + +[ Upstream commit 2da64d20a0b20046d688e44f4033efd09157e29d ] + +Commit d9c728949ddc ("vfio/spapr: Postpone default window creation") +added an additional exit to the VFIO_IOMMU_SPAPR_TCE_CREATE case and +made it possible to return from tce_iommu_ioctl() without unlocking +container->lock; this fixes the issue. + +Fixes: d9c728949ddc ("vfio/spapr: Postpone default window creation") +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: David Gibson +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/vfio_iommu_spapr_tce.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/vfio/vfio_iommu_spapr_tce.c ++++ b/drivers/vfio/vfio_iommu_spapr_tce.c +@@ -1123,12 +1123,11 @@ static long tce_iommu_ioctl(void *iommu_ + mutex_lock(&container->lock); + + ret = tce_iommu_create_default_window(container); +- if (ret) +- return ret; +- +- ret = tce_iommu_create_window(container, create.page_shift, +- create.window_size, create.levels, +- &create.start_addr); ++ if (!ret) ++ ret = tce_iommu_create_window(container, ++ create.page_shift, ++ create.window_size, create.levels, ++ &create.start_addr); + + mutex_unlock(&container->lock); + diff --git a/queue-4.9/vti6-fix-device-register-to-report-ifla_info_kind.patch b/queue-4.9/vti6-fix-device-register-to-report-ifla_info_kind.patch new file mode 100644 index 00000000000..a2b338d0489 --- /dev/null +++ b/queue-4.9/vti6-fix-device-register-to-report-ifla_info_kind.patch 
@@ -0,0 +1,38 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: David Forster +Date: Fri, 6 Jan 2017 10:27:59 +0000 +Subject: vti6: fix device register to report IFLA_INFO_KIND + +From: David Forster + + +[ Upstream commit 93e246f783e6bd1bc64fdfbfe68b18161f69b28e ] + +vti6 interface is registered before the rtnl_link_ops block +is attached. As a result the resulting RTM_NEWLINK is missing +IFLA_INFO_KIND. Re-order attachment of rtnl_link_ops block to fix. + +Signed-off-by: Dave Forster +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -189,12 +189,12 @@ static int vti6_tnl_create2(struct net_d + struct vti6_net *ip6n = net_generic(net, vti6_net_id); + int err; + ++ dev->rtnl_link_ops = &vti6_link_ops; + err = register_netdevice(dev); + if (err < 0) + goto out; + + strcpy(t->parms.name, dev->name); +- dev->rtnl_link_ops = &vti6_link_ops; + + dev_hold(dev); + vti6_tnl_link(ip6n, t); diff --git a/queue-4.9/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch b/queue-4.9/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch new file mode 100644 index 00000000000..f56aa8ed608 --- /dev/null +++ b/queue-4.9/x86-entry-use-syscall_define-macros-for-sys_modify_ldt.patch 
@@ -0,0 +1,112 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Dave Hansen +Date: Wed, 18 Oct 2017 10:21:07 -0700 +Subject: x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() + +From: Dave Hansen + + +[ Upstream commit da20ab35180780e4a6eadc804544f1fa967f3567 ] + +We do not have tracepoints for sys_modify_ldt() because we define +it directly instead of using the normal SYSCALL_DEFINEx() macros. + +However, there is a reason sys_modify_ldt() does not use the macros: +it has an 'int' return type instead of 'unsigned long'. This is +a bug, but it's a bug cemented in the ABI. + +What does this mean? If we return -EINVAL from a function that +returns 'int', we have 0x00000000ffffffea in %rax. But, if we +return -EINVAL from a function returning 'unsigned long', we end +up with 0xffffffffffffffea in %rax, which is wrong. + +To work around this and maintain the 'int' behavior while using +the SYSCALL_DEFINEx() macros, so we add a cast to 'unsigned int' +in both implementations of sys_modify_ldt(). 
+ +Signed-off-by: Dave Hansen +Reviewed-by: Andy Lutomirski +Reviewed-by: Brian Gerst +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20171018172107.1A79C532@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/syscalls.h | 2 +- + arch/x86/kernel/ldt.c | 16 +++++++++++++--- + arch/x86/um/ldt.c | 7 +++++-- + 3 files changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/syscalls.h ++++ b/arch/x86/include/asm/syscalls.h +@@ -21,7 +21,7 @@ asmlinkage long sys_ioperm(unsigned long + asmlinkage long sys_iopl(unsigned int); + + /* kernel/ldt.c */ +-asmlinkage int sys_modify_ldt(int, void __user *, unsigned long); ++asmlinkage long sys_modify_ldt(int, void __user *, unsigned long); + + /* kernel/signal.c */ + asmlinkage long sys_rt_sigreturn(void); +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -271,8 +272,8 @@ out: + return error; + } + +-asmlinkage int sys_modify_ldt(int func, void __user *ptr, +- unsigned long bytecount) ++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr , ++ unsigned long , bytecount) + { + int ret = -ENOSYS; + +@@ -290,5 +291,14 @@ asmlinkage int sys_modify_ldt(int func, + ret = write_ldt(ptr, bytecount, 0); + break; + } +- return ret; ++ /* ++ * The SYSCALL_DEFINE() macros give us an 'unsigned long' ++ * return type, but tht ABI for sys_modify_ldt() expects ++ * 'int'. This cast gives us an int-sized value in %rax ++ * for the return code. The 'unsigned' is necessary so ++ * the compiler does not try to sign-extend the negative ++ * return codes into the high half of the register when ++ * taking the value from int->long. 
++ */ ++ return (unsigned int)ret; + } +--- a/arch/x86/um/ldt.c ++++ b/arch/x86/um/ldt.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -369,7 +370,9 @@ void free_ldt(struct mm_context *mm) + mm->arch.ldt.entry_count = 0; + } + +-int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount) ++SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr , ++ unsigned long , bytecount) + { +- return do_modify_ldt_skas(func, ptr, bytecount); ++ /* See non-um modify_ldt() for why we do this cast */ ++ return (unsigned int)do_modify_ldt_skas(func, ptr, bytecount); + } diff --git a/queue-4.9/x86-fpu-set-the-xcomp_bv-when-we-fake-up-a-xsaves-area.patch b/queue-4.9/x86-fpu-set-the-xcomp_bv-when-we-fake-up-a-xsaves-area.patch new file mode 100644 index 00000000000..a234d931a67 --- /dev/null +++ b/queue-4.9/x86-fpu-set-the-xcomp_bv-when-we-fake-up-a-xsaves-area.patch 
@@ -0,0 +1,67 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Kevin Hao +Date: Sun, 22 Jan 2017 16:50:23 +0800 +Subject: x86/fpu: Set the xcomp_bv when we fake up a XSAVES area + +From: Kevin Hao + + +[ Upstream commit 4c833368f0bf748d4147bf301b1f95bc8eccb3c0 ] + +I got the following calltrace on a Apollo Lake SoC with 32-bit kernel: + + WARNING: CPU: 2 PID: 261 at arch/x86/include/asm/fpu/internal.h:363 fpu__restore+0x1f5/0x260 + [...] + Hardware name: Intel Corp. Broxton P/NOTEBOOK, BIOS APLIRVPA.X64.0138.B35.1608091058 08/09/2016 + Call Trace: + dump_stack() + __warn() + ? fpu__restore() + warn_slowpath_null() + fpu__restore() + __fpu__restore_sig() + fpu__restore_sig() + restore_sigcontext.isra.9() + sys_sigreturn() + do_int80_syscall_32() + entry_INT80_32() + +The reason is that a #GP occurs when executing XRSTORS. The root cause +is that we forget to set the xcomp_bv when we fake up the XSAVES area +in the copyin_to_xsaves() function. + +Signed-off-by: Kevin Hao +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Quentin Casasnovas +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: Yu-cheng Yu +Link: http://lkml.kernel.org/r/1485075023-30161-1-git-send-email-haokexin@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/fpu/xstate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -1077,6 +1077,7 @@ int copyin_to_xsaves(const void *kbuf, c + * Add back in the features that came in from userspace: + */ + xsave->header.xfeatures |= xfeatures; ++ xsave->header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT | xsave->header.xfeatures; + + return 0; + } 
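Review bot: in the arch/x86/kernel/fpu/xstate.c hunk, the added `xsave->header.xcomp_bv = XCOMP_BV_COMPACTED_FORMAT | xsave->header.xfeatures;` builds xcomp_bv from bits that, per the comment just above it, "came in from userspace". Please confirm that copyin_to_xsaves() has already rejected feature bits the kernel does not support before this point. That check is not visible in the hunk's context, and an unsupported bit in xcomp_bv looks like another way to reach the XRSTORS #GP the commit message describes. The new line also runs well past 80 columns and could be wrapped after the `|`.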
diff --git a/queue-4.9/xen-netback-vif-counters-from-int-long-to-u64.patch b/queue-4.9/xen-netback-vif-counters-from-int-long-to-u64.patch new file mode 100644 index 00000000000..7830616d7a8 --- /dev/null +++ b/queue-4.9/xen-netback-vif-counters-from-int-long-to-u64.patch 
@@ -0,0 +1,60 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Mart van Santen +Date: Fri, 10 Feb 2017 12:02:18 +0000 +Subject: xen-netback: vif counters from int/long to u64 + +From: Mart van Santen + + +[ Upstream commit ebf692f85ff78092cd238166d8d7ec51419f9c02 ] + +This patch fixes an issue where the type of counters in the queue(s) +and interface are not in sync (queue counters are int, interface +counters are long), causing incorrect reporting of tx/rx values +of the vif interface and unclear counter overflows. +This patch sets both counters to the u64 type. + +Signed-off-by: Mart van Santen +Reviewed-by: Paul Durrant +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/common.h | 8 ++++---- + drivers/net/xen-netback/interface.c | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -113,10 +113,10 @@ struct xenvif_stats { + * A subset of struct net_device_stats that contains only the + * fields that are updated in netback.c for each queue. + */ +- unsigned int rx_bytes; +- unsigned int rx_packets; +- unsigned int tx_bytes; +- unsigned int tx_packets; ++ u64 rx_bytes; ++ u64 rx_packets; ++ u64 tx_bytes; ++ u64 tx_packets; + + /* Additional stats used by xenvif */ + unsigned long rx_gso_checksum_fixup; +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -225,10 +225,10 @@ static struct net_device_stats *xenvif_g + { + struct xenvif *vif = netdev_priv(dev); + struct xenvif_queue *queue = NULL; +- unsigned long rx_bytes = 0; +- unsigned long rx_packets = 0; +- unsigned long tx_bytes = 0; +- unsigned long tx_packets = 0; ++ u64 rx_bytes = 0; ++ u64 rx_packets = 0; ++ u64 tx_bytes = 0; ++ u64 tx_packets = 0; + unsigned int index; + + spin_lock(&vif->lock); 
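Review bot: in the drivers/net/xen-netback/interface.c hunk, the four accumulators become u64, but the function still returns a `struct net_device_stats *`, whose fields are unsigned long. On a 32-bit build the 64-bit sums are therefore truncated when they are stored into the result, and the reported counters still wrap at 32 bits there. The commit message should say that the fix is only effective on 64-bit, or the driver should report through a 64-bit stats interface. Separately, the common.h hunk widens the per-queue fields to u64 with no synchronisation visible in either hunk. On 32-bit, a u64 read by the stats path while a queue updates it can tear, which the old `unsigned int` fields could not.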
diff --git a/queue-4.9/xen-netfront-improve-error-handling-during-initialization.patch b/queue-4.9/xen-netfront-improve-error-handling-during-initialization.patch new file mode 100644 index 00000000000..33fa19f4de3 --- /dev/null +++ b/queue-4.9/xen-netfront-improve-error-handling-during-initialization.patch 
@@ -0,0 +1,85 @@ +From foo@baz Wed Dec 6 17:39:55 CET 2017 +From: Ross Lagerwall +Date: Wed, 8 Feb 2017 10:57:37 +0000 +Subject: xen-netfront: Improve error handling during initialization + +From: Ross Lagerwall + + +[ Upstream commit e2e004acc7cbe3c531e752a270a74e95cde3ea48 ] + +This fixes a crash when running out of grant refs when creating many +queues across many netdevs. + +* If creating queues fails (i.e. there are no grant refs available), +call xenbus_dev_fatal() to ensure that the xenbus device is set to the +closed state. +* If no queues are created, don't call xennet_disconnect_backend as +netdev->real_num_tx_queues will not have been set correctly. +* If setup_netfront() fails, ensure that all the queues created are +cleaned up, not just those that have been set up. +* If any queues were set up and an error occurs, call +xennet_destroy_queues() to clean up the napi context. +* If any fatal error occurs, unregister and destroy the netdev to avoid +leaving around a half setup network device. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Boris Ostrovsky +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 29 +++++++++++------------------ + 1 file changed, 11 insertions(+), 18 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1854,27 +1854,19 @@ static int talk_to_netback(struct xenbus + xennet_destroy_queues(info); + + err = xennet_create_queues(info, &num_queues); +- if (err < 0) +- goto destroy_ring; ++ if (err < 0) { ++ xenbus_dev_fatal(dev, err, "creating queues"); ++ kfree(info->queues); ++ info->queues = NULL; ++ goto out; ++ } + + /* Create shared ring, alloc event channel -- for each queue */ + for (i = 0; i < num_queues; ++i) { + queue = &info->queues[i]; + err = setup_netfront(dev, queue, feature_split_evtchn); +- if (err) { +- /* setup_netfront() will tidy up the current +- * queue on error, but we need to clean up +- * those already allocated. +- */ +- if (i > 0) { +- rtnl_lock(); +- netif_set_real_num_tx_queues(info->netdev, i); +- rtnl_unlock(); +- goto destroy_ring; +- } else { +- goto out; +- } +- } ++ if (err) ++ goto destroy_ring; + } + + again: +@@ -1964,9 +1956,10 @@ abort_transaction_no_dev_fatal: + xenbus_transaction_end(xbt, 1); + destroy_ring: + xennet_disconnect_backend(info); +- kfree(info->queues); +- info->queues = NULL; ++ xennet_destroy_queues(info); + out: ++ unregister_netdev(info->netdev); ++ xennet_free_netdev(info->netdev); + return err; + } +
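Review bot: in the last hunk of drivers/net/xen-netfront.c, `out:` now runs `unregister_netdev(info->netdev);` and `xennet_free_netdev(info->netdev);` on every failure, which raises two questions the visible lines do not answer. First, any `goto out` taken earlier in talk_to_netback() than the hunks shown now also tears the netdev down, so each of those paths needs checking. Second, if `info` is the netdev's private data, it is freed here while the xenbus device may still point at it, so the caller and later callbacks must not dereference it after an error return. Clearing the driver data in the same place would make that explicit.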
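Review bot: in the drivers/usb/gadget/function/f_fs.c hunk, replacing `!d->Reserved1` with `d->Reserved1` flips which user-supplied descriptors are accepted. Until now only a non-zero Reserved1 passed this test, so any userspace that set it to non-zero to get through will start receiving -EINVAL. For a stable backport the commit message should say whether such users are known, and a one-line comment above the check stating that Reserved1 must be 0 would keep the condition from being inverted again.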
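Review bot: in the second hunk of drivers/usb/serial/option.c, the BG96 entry copies `.driver_info = (kernel_ulong_t)&net_intf4_blacklist` from the EC21 and EC25 entries, but the commit message only lists DIAG, GPS, AT and modem functions and does not say that interface 4 on the BG96 is one that option must leave alone. Please add the device's interface layout (for example its usb-devices output) to the commit message so the blacklist choice can be verified.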
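Review bot: in the drivers/vfio/vfio_iommu_spapr_tce.c hunk, a failure of tce_iommu_create_default_window() used to return immediately, and now falls through `mutex_unlock(&container->lock);` into whatever follows it in the VFIO_IOMMU_SPAPR_TCE_CREATE case. The hunk's trailing context stops at the unlock, so please confirm that the code after it tests `ret` before copying `create` back to userspace. With that confirmed, the single-exit form is the right shape for this fix.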
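Review bot: in the net/ipv6/ip6_vti.c hunk, `dev->rtnl_link_ops = &vti6_link_ops;` is now set before `register_netdevice(dev)`, so when registration fails and the code takes `goto out`, the device is left with rtnl_link_ops attached even though it was never registered. The `out:` path and the caller's cleanup are outside the hunk. Please confirm that they do not behave differently for a device with rtnl_link_ops set, or clear the pointer on the error path.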
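Review bot: in the arch/x86/kernel/ldt.c hunk, `return (unsigned int)ret;` is the only thing that keeps the error value 32 bits wide in %rax, and the arch/x86/um/ldt.c hunk repeats the cast with just a pointer to the other comment. Carrying the full explanation in both places, or sharing one small helper, would make it harder for a later cleanup to drop one of the casts. Two smaller points in the same hunk: the new comment reads "but tht ABI for sys_modify_ldt() expects", which should be "the ABI", and `SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr ,` puts a space before every comma, which should be removed in both files.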