From: Greg Kroah-Hartman Date: Sat, 22 Jul 2017 14:16:14 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v3.18.63~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c1f29cb319ee577a5dd4ccb43f9ae252ffbab42;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch asoc-compress-derive-substream-from-stream-based-on-direction.patch asoc-zx-i2s-flip-i2s-master-slave-mode.patch iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch powerpc-fix-emulation-of-mcrf-in-emulate_step.patch powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch powerpc-mm-radix-properly-clear-process-table-entry.patch powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch scsi-add-starget_created_remove-state-to-scsi_target_state.patch scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch scsi-virtio_scsi-let-host-do-exception-handling.patch xen-scsiback-fix-a-tmr-related-use-after-free.patch --- diff --git a/queue-4.12/asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch b/queue-4.12/asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch new file mode 100644 index 00000000000..626bb17d664 --- /dev/null +++ b/queue-4.12/asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch @@ -0,0 +1,42 @@ +From a00cebf51d5ceed8ba9f6fac5fb189b38cd5a7c2 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Wed, 31 May 2017 14:32:33 +0200 +Subject: ASoC: atmel: tse850: fix off-by-one in the "ANA" enumeration count + +From: Peter Rosin + +commit a00cebf51d5ceed8ba9f6fac5fb189b38cd5a7c2 upstream. + +At some point I added the "Low" entry at the beginning of the array +without bumping the enumeration count from 9 to 10. Fix this. While at +it, fix the anti-pattern for the other enumeration (used by MUX{1,2}). + +Fixes: aa43112445f0 ("ASoC: atmel: tse850: add ASoC driver for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/atmel/tse850-pcm5142.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/atmel/tse850-pcm5142.c ++++ b/sound/soc/atmel/tse850-pcm5142.c +@@ -227,7 +227,7 @@ int tse850_put_ana(struct snd_kcontrol * + static const char * const mux_text[] = { "Mixer", "Loop" }; + + static const struct soc_enum mux_enum = +- SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, 2, mux_text); ++ SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, ARRAY_SIZE(mux_text), mux_text); + + static const struct snd_kcontrol_new mux1 = + SOC_DAPM_ENUM_EXT("MUX1", mux_enum, tse850_get_mux1, tse850_put_mux1); +@@ -252,7 +252,7 @@ static const char * const ana_text[] = { + }; + + static const struct soc_enum ana_enum = +- SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, 9, ana_text); ++ SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, ARRAY_SIZE(ana_text), ana_text); + + static const struct snd_kcontrol_new out = + SOC_DAPM_ENUM_EXT("ANA", ana_enum, tse850_get_ana, tse850_put_ana); diff --git a/queue-4.12/asoc-compress-derive-substream-from-stream-based-on-direction.patch b/queue-4.12/asoc-compress-derive-substream-from-stream-based-on-direction.patch new file mode 100644 index 00000000000..e6966ff3a50 --- /dev/null +++ b/queue-4.12/asoc-compress-derive-substream-from-stream-based-on-direction.patch @@ -0,0 +1,47 @@ +From 01b8cedfd0422326caae308641dcadaa85e0ca72 Mon Sep 17 00:00:00 2001 +From: Satish Babu Patakokila +Date: Fri, 16 Jun 2017 17:33:40 -0700 +Subject: ASoC: compress: Derive substream from stream based on direction + +From: Satish Babu Patakokila + +commit 01b8cedfd0422326caae308641dcadaa85e0ca72 upstream. + +Currently compress driver hardcodes direction as playback to get +substream from the stream. This results in getting the incorrect +substream for compressed capture usecase. +To fix this, remove the hardcoding and derive substream based on +the stream direction. + +Signed-off-by: Satish Babu Patakokila +Signed-off-by: Banajit Goswami +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-compress.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-compress.c ++++ b/sound/soc/soc-compress.c +@@ -81,7 +81,8 @@ out: + static int soc_compr_open_fe(struct snd_compr_stream *cstream) + { + struct snd_soc_pcm_runtime *fe = cstream->private_data; +- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream; ++ struct snd_pcm_substream *fe_substream = ++ fe->pcm->streams[cstream->direction].substream; + struct snd_soc_platform *platform = fe->platform; + struct snd_soc_dai *cpu_dai = fe->cpu_dai; + struct snd_soc_dpcm *dpcm; +@@ -467,7 +468,8 @@ static int soc_compr_set_params_fe(struc + struct snd_compr_params *params) + { + struct snd_soc_pcm_runtime *fe = cstream->private_data; +- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream; ++ struct snd_pcm_substream *fe_substream = ++ fe->pcm->streams[cstream->direction].substream; + struct snd_soc_platform *platform = fe->platform; + struct snd_soc_dai *cpu_dai = fe->cpu_dai; + int ret = 0, stream; diff --git a/queue-4.12/asoc-zx-i2s-flip-i2s-master-slave-mode.patch b/queue-4.12/asoc-zx-i2s-flip-i2s-master-slave-mode.patch new file mode 100644 index 00000000000..33fa19ca18e --- /dev/null +++ b/queue-4.12/asoc-zx-i2s-flip-i2s-master-slave-mode.patch @@ -0,0 +1,43 @@ +From a205c159f9e2db586a5ea475f4d22fa22e78fed8 Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Sat, 17 Jun 2017 22:25:28 +0800 +Subject: ASoC: zx-i2s: flip I2S master/slave mode + +From: Shawn Guo + +commit a205c159f9e2db586a5ea475f4d22fa22e78fed8 upstream. + +The SND_SOC_DAIFMT_MASTER bits are defined to specify the master/slave +mode for Codec, not I2S. So the I2S master/slave mode should be flipped +according to SND_SOC_DAIFMT_MASTER bits. + +Signed-off-by: Shawn Guo +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/zte/zx-i2s.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/sound/soc/zte/zx-i2s.c ++++ b/sound/soc/zte/zx-i2s.c +@@ -203,13 +203,15 @@ static int zx_i2s_set_fmt(struct snd_soc + + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { + case SND_SOC_DAIFMT_CBM_CFM: +- i2s->master = 1; +- val |= ZX_I2S_TIMING_MAST; +- break; +- case SND_SOC_DAIFMT_CBS_CFS: ++ /* Codec is master, and I2S is slave. */ + i2s->master = 0; + val |= ZX_I2S_TIMING_SLAVE; + break; ++ case SND_SOC_DAIFMT_CBS_CFS: ++ /* Codec is slave, and I2S is master. */ ++ i2s->master = 1; ++ val |= ZX_I2S_TIMING_MAST; ++ break; + default: + dev_err(cpu_dai->dev, "Unknown master/slave format\n"); + return -EINVAL; diff --git a/queue-4.12/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch b/queue-4.12/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch new file mode 100644 index 00000000000..8de975caff8 --- /dev/null +++ b/queue-4.12/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch @@ -0,0 +1,242 @@ +From 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 7 Jul 2017 14:45:49 -0700 +Subject: iscsi-target: Add login_keys_workaround attribute for non RFC initiators + +From: Nicholas Bellinger + +commit 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 upstream. + +This patch re-introduces part of a long standing login workaround that +was recently dropped by: + + commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 + Author: Nicholas Bellinger + Date: Sun Apr 2 13:36:44 2017 -0700 + + iscsi-target: Drop work-around for legacy GlobalSAN initiator + +Namely, the workaround for FirstBurstLength ended up being required by +Mellanox Flexboot PXE boot ROMs as reported by Robert. + +So this patch re-adds the work-around for FirstBurstLength within +iscsi_check_proposer_for_optional_reply(), and makes the key optional +to respond when the initiator does not propose, nor respond to it. + +Also as requested by Arun, this patch introduces a new TPG attribute +named 'login_keys_workaround' that controls the use of both the +FirstBurstLength workaround, as well as the two other existing +workarounds for gPXE iSCSI boot client. + +By default, the workaround is enabled with login_keys_workaround=1, +since Mellanox FlexBoot requires it, and Arun has verified the Qlogic +MSFT initiator already proposes FirstBurstLength, so it's uneffected +by this re-adding this part of the original work-around. + +Reported-by: Robert LeBlanc +Cc: Robert LeBlanc +Reviewed-by: Arun Easi +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_configfs.c | 2 + + drivers/target/iscsi/iscsi_target_nego.c | 6 ++- + drivers/target/iscsi/iscsi_target_parameters.c | 41 +++++++++++++++++-------- + drivers/target/iscsi/iscsi_target_parameters.h | 2 - + drivers/target/iscsi/iscsi_target_tpg.c | 19 +++++++++++ + drivers/target/iscsi/iscsi_target_tpg.h | 1 + include/target/iscsi/iscsi_target_core.h | 9 +++++ + 7 files changed, 64 insertions(+), 16 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -781,6 +781,7 @@ DEF_TPG_ATTRIB(default_erl); + DEF_TPG_ATTRIB(t10_pi); + DEF_TPG_ATTRIB(fabric_prot_type); + DEF_TPG_ATTRIB(tpg_enabled_sendtargets); ++DEF_TPG_ATTRIB(login_keys_workaround); + + static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = { + &iscsi_tpg_attrib_attr_authentication, +@@ -796,6 +797,7 @@ static struct configfs_attribute *lio_ta + &iscsi_tpg_attrib_attr_t10_pi, + &iscsi_tpg_attrib_attr_fabric_prot_type, + &iscsi_tpg_attrib_attr_tpg_enabled_sendtargets, ++ &iscsi_tpg_attrib_attr_login_keys_workaround, + NULL, + }; + +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -886,7 +886,8 @@ static int iscsi_target_handle_csg_zero( + SENDER_TARGET, + login->rsp_buf, + &login->rsp_length, +- conn->param_list); ++ conn->param_list, ++ conn->tpg->tpg_attrib.login_keys_workaround); + if (ret < 0) + return -1; + +@@ -956,7 +957,8 @@ static int iscsi_target_handle_csg_one(s + SENDER_TARGET, + login->rsp_buf, + &login->rsp_length, +- conn->param_list); ++ conn->param_list, ++ conn->tpg->tpg_attrib.login_keys_workaround); + if (ret < 0) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, + ISCSI_LOGIN_STATUS_INIT_ERR); +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -765,7 +765,8 @@ static int iscsi_check_for_auth_key(char + return 0; + } + +-static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param) ++static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param, ++ bool keys_workaround) + { + if (IS_TYPE_BOOL_AND(param)) { + if (!strcmp(param->value, NO)) +@@ -773,19 +774,31 @@ static void iscsi_check_proposer_for_opt + } else if (IS_TYPE_BOOL_OR(param)) { + if (!strcmp(param->value, YES)) + SET_PSTATE_REPLY_OPTIONAL(param); +- /* +- * Required for gPXE iSCSI boot client +- */ +- if (!strcmp(param->name, IMMEDIATEDATA)) +- SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ if (keys_workaround) { ++ /* ++ * Required for gPXE iSCSI boot client ++ */ ++ if (!strcmp(param->name, IMMEDIATEDATA)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ } + } else if (IS_TYPE_NUMBER(param)) { + if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH)) + SET_PSTATE_REPLY_OPTIONAL(param); +- /* +- * Required for gPXE iSCSI boot client +- */ +- if (!strcmp(param->name, MAXCONNECTIONS)) +- SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ if (keys_workaround) { ++ /* ++ * Required for Mellanox Flexboot PXE boot ROM ++ */ ++ if (!strcmp(param->name, FIRSTBURSTLENGTH)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ /* ++ * Required for gPXE iSCSI boot client ++ */ ++ if (!strcmp(param->name, MAXCONNECTIONS)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ } + } else if (IS_PHASE_DECLARATIVE(param)) + SET_PSTATE_REPLY_OPTIONAL(param); + } +@@ -1422,7 +1435,8 @@ int iscsi_encode_text_output( + u8 sender, + char *textbuf, + u32 *length, +- struct iscsi_param_list *param_list) ++ struct iscsi_param_list *param_list, ++ bool keys_workaround) + { + char *output_buf = NULL; + struct iscsi_extra_response *er; +@@ -1458,7 +1472,8 @@ int iscsi_encode_text_output( + *length += 1; + output_buf = textbuf + *length; + SET_PSTATE_PROPOSER(param); +- iscsi_check_proposer_for_optional_reply(param); ++ iscsi_check_proposer_for_optional_reply(param, ++ keys_workaround); + pr_debug("Sending key: %s=%s\n", + param->name, param->value); + } +--- a/drivers/target/iscsi/iscsi_target_parameters.h ++++ b/drivers/target/iscsi/iscsi_target_parameters.h +@@ -46,7 +46,7 @@ extern int iscsi_extract_key_value(char + extern int iscsi_update_param_value(struct iscsi_param *, char *); + extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *); + extern int iscsi_encode_text_output(u8, u8, char *, u32 *, +- struct iscsi_param_list *); ++ struct iscsi_param_list *, bool); + extern int iscsi_check_negotiated_keys(struct iscsi_param_list *); + extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *, + struct iscsi_param_list *); +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -227,6 +227,7 @@ static void iscsit_set_default_tpg_attri + a->t10_pi = TA_DEFAULT_T10_PI; + a->fabric_prot_type = TA_DEFAULT_FABRIC_PROT_TYPE; + a->tpg_enabled_sendtargets = TA_DEFAULT_TPG_ENABLED_SENDTARGETS; ++ a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND; + } + + int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg) +@@ -899,3 +900,21 @@ int iscsit_ta_tpg_enabled_sendtargets( + + return 0; + } ++ ++int iscsit_ta_login_keys_workaround( ++ struct iscsi_portal_group *tpg, ++ u32 flag) ++{ ++ struct iscsi_tpg_attrib *a = &tpg->tpg_attrib; ++ ++ if ((flag != 0) && (flag != 1)) { ++ pr_err("Illegal value %d\n", flag); ++ return -EINVAL; ++ } ++ ++ a->login_keys_workaround = flag; ++ pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ", ++ tpg->tpgt, (a->login_keys_workaround) ? "ON" : "OFF"); ++ ++ return 0; ++} +--- a/drivers/target/iscsi/iscsi_target_tpg.h ++++ b/drivers/target/iscsi/iscsi_target_tpg.h +@@ -48,5 +48,6 @@ extern int iscsit_ta_default_erl(struct + extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32); + extern int iscsit_ta_fabric_prot_type(struct iscsi_portal_group *, u32); + extern int iscsit_ta_tpg_enabled_sendtargets(struct iscsi_portal_group *, u32); ++extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32); + + #endif /* ISCSI_TARGET_TPG_H */ +--- a/include/target/iscsi/iscsi_target_core.h ++++ b/include/target/iscsi/iscsi_target_core.h +@@ -66,6 +66,14 @@ struct sock; + #define TA_DEFAULT_FABRIC_PROT_TYPE 0 + /* TPG status needs to be enabled to return sendtargets discovery endpoint info */ + #define TA_DEFAULT_TPG_ENABLED_SENDTARGETS 1 ++/* ++ * Used to control the sending of keys with optional to respond state bit, ++ * as a workaround for non RFC compliant initiators,that do not propose, ++ * nor respond to specific keys required for login to complete. ++ * ++ * See iscsi_check_proposer_for_optional_reply() for more details. ++ */ ++#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1 + + #define ISCSI_IOV_DATA_BUFFER 5 + +@@ -769,6 +777,7 @@ struct iscsi_tpg_attrib { + u8 t10_pi; + u32 fabric_prot_type; + u32 tpg_enabled_sendtargets; ++ u32 login_keys_workaround; + struct iscsi_portal_group *tpg; + }; + diff --git a/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch new file mode 100644 index 00000000000..0b16e288367 --- /dev/null +++ b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch @@ -0,0 +1,43 @@ +From c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 28 Jun 2017 16:56:18 +0200 +Subject: PM / Domains: Fix unsafe iteration over modified list of device links + +From: Krzysztof Kozlowski + +commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream. + +pm_genpd_remove_subdomain() iterates over domain's master_links list and +removes matching element thus it has to use safe version of list +iteration. + +Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/domain.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -1393,7 +1393,7 @@ EXPORT_SYMBOL_GPL(pm_genpd_add_subdomain + int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd, + struct generic_pm_domain *subdomain) + { +- struct gpd_link *link; ++ struct gpd_link *l, *link; + int ret = -EINVAL; + + if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain)) +@@ -1409,7 +1409,7 @@ int pm_genpd_remove_subdomain(struct gen + goto out; + } + +- list_for_each_entry(link, &genpd->master_links, master_node) { ++ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) { + if (link->slave != subdomain) + continue; + diff --git a/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch new file mode 100644 index 00000000000..80e139e2b6d --- /dev/null +++ b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch @@ -0,0 +1,40 @@ +From b556b15dc04e9b9b98790f04c21acf5e24f994b2 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 28 Jun 2017 16:56:19 +0200 +Subject: PM / Domains: Fix unsafe iteration over modified list of domain providers + +From: Krzysztof Kozlowski + +commit b556b15dc04e9b9b98790f04c21acf5e24f994b2 upstream. + +of_genpd_del_provider() iterates over list of domain provides and +removes matching element thus it has to use safe version of list +iteration. + +Fixes: aa42240ab254 (PM / Domains: Add generic OF-based PM domain look-up) +Signed-off-by: Krzysztof Kozlowski +Acked-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/domain.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -1780,12 +1780,12 @@ EXPORT_SYMBOL_GPL(of_genpd_add_provider_ + */ + void of_genpd_del_provider(struct device_node *np) + { +- struct of_genpd_provider *cp; ++ struct of_genpd_provider *cp, *tmp; + struct generic_pm_domain *gpd; + + mutex_lock(&gpd_list_lock); + mutex_lock(&of_genpd_mutex); +- list_for_each_entry(cp, &of_genpd_providers, link) { ++ list_for_each_entry_safe(cp, tmp, &of_genpd_providers, link) { + if (cp->node == np) { + /* + * For each PM domain associated with the diff --git a/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch new file mode 100644 index 00000000000..09ee8c095f4 --- /dev/null +++ b/queue-4.12/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch @@ -0,0 +1,41 @@ +From a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 28 Jun 2017 16:56:20 +0200 +Subject: PM / Domains: Fix unsafe iteration over modified list of domains + +From: Krzysztof Kozlowski + +commit a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 upstream. + +of_genpd_remove_last() iterates over list of domains and removes +matching element thus it has to use safe version of list iteration. + +Fixes: 17926551c98a (PM / Domains: Add support for removing nested PM domains by provider) +Signed-off-by: Krzysztof Kozlowski +Acked-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/domain.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -1925,14 +1925,14 @@ EXPORT_SYMBOL_GPL(of_genpd_add_subdomain + */ + struct generic_pm_domain *of_genpd_remove_last(struct device_node *np) + { +- struct generic_pm_domain *gpd, *genpd = ERR_PTR(-ENOENT); ++ struct generic_pm_domain *gpd, *tmp, *genpd = ERR_PTR(-ENOENT); + int ret; + + if (IS_ERR_OR_NULL(np)) + return ERR_PTR(-EINVAL); + + mutex_lock(&gpd_list_lock); +- list_for_each_entry(gpd, &gpd_list, gpd_list_node) { ++ list_for_each_entry_safe(gpd, tmp, &gpd_list, gpd_list_node) { + if (gpd->provider == &np->fwnode) { + ret = genpd_remove(gpd); + genpd = ret ? ERR_PTR(ret) : gpd; diff --git a/queue-4.12/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch b/queue-4.12/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch new file mode 100644 index 00000000000..8589c52cf41 --- /dev/null +++ b/queue-4.12/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch @@ -0,0 +1,59 @@ +From 01e6a61aceb82e13bec29502a8eb70d9574f97ad Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 11 Jul 2017 22:10:54 +1000 +Subject: powerpc/64: Fix atomic64_inc_not_zero() to return an int + +From: Michael Ellerman + +commit 01e6a61aceb82e13bec29502a8eb70d9574f97ad upstream. + +Although it's not documented anywhere, there is an expectation that +atomic64_inc_not_zero() returns a result which fits in an int. This is +the behaviour implemented on all arches except powerpc. + +This has caused at least one bug in practice, in the percpu-refcount +code, where the long result from our atomic64_inc_not_zero() was +truncated to an int leading to lost references and stuck systems. That +was worked around in that code in commit 966d2b04e070 ("percpu-refcount: +fix reference leak during percpu-atomic transition"). + +To the best of my grepping abilities there are no other callers +in-tree which truncate the value, but we should fix it anyway. Because +the breakage is subtle and potentially very harmful I'm also tagging +it for stable. + +Code generation is largely unaffected because in most cases the +callers are just using the result for a test anyway. In particular the +case of fget() that was mentioned in commit a6cf7ed5119f +("powerpc/atomic: Implement atomic*_inc_not_zero") generates exactly +the same code. + +Fixes: a6cf7ed5119f ("powerpc/atomic: Implement atomic*_inc_not_zero") +Noticed-by: Linus Torvalds +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/atomic.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/atomic.h ++++ b/arch/powerpc/include/asm/atomic.h +@@ -560,7 +560,7 @@ static __inline__ int atomic64_add_unles + * Atomically increments @v by 1, so long as @v is non-zero. + * Returns non-zero if @v was non-zero, and zero otherwise. + */ +-static __inline__ long atomic64_inc_not_zero(atomic64_t *v) ++static __inline__ int atomic64_inc_not_zero(atomic64_t *v) + { + long t1, t2; + +@@ -579,7 +579,7 @@ static __inline__ long atomic64_inc_not_ + : "r" (&v->counter) + : "cc", "xer", "memory"); + +- return t1; ++ return t1 != 0; + } + + #endif /* __powerpc64__ */ diff --git a/queue-4.12/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch b/queue-4.12/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch new file mode 100644 index 00000000000..643d6a1f125 --- /dev/null +++ b/queue-4.12/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch @@ -0,0 +1,35 @@ +From 2400fd822f467cb4c886c879d8ad99feac9cf319 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 6 Jul 2017 18:46:43 +1000 +Subject: powerpc/asm: Mark cr0 as clobbered in mftb() + +From: Oliver O'Halloran + +commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream. + +The workaround for the CELL timebase bug does not correctly mark cr0 as +being clobbered. This means GCC doesn't know that the asm block changes cr0 and +might leave the result of an unrelated comparison in cr0 across the block, which +we then trash, leading to basically random behaviour. + +Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround") +Signed-off-by: Oliver O'Halloran +[mpe: Tweak change log and flag for stable] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -1303,7 +1303,7 @@ static inline void msr_check_and_clear(u + " .llong 0\n" \ + ".previous" \ + : "=r" (rval) \ +- : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \ ++ : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \ + rval;}) + #else + #define mftb() ({unsigned long rval; \ diff --git a/queue-4.12/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch b/queue-4.12/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch new file mode 100644 index 00000000000..ef98068b721 --- /dev/null +++ b/queue-4.12/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch @@ -0,0 +1,39 @@ +From 87c4b83e0fe234a1f0eed131ab6fa232036860d5 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Thu, 15 Jun 2017 09:46:38 +1000 +Subject: powerpc: Fix emulation of mcrf in emulate_step() + +From: Anton Blanchard + +commit 87c4b83e0fe234a1f0eed131ab6fa232036860d5 upstream. + +The mcrf emulation code was using the CR field number directly as the shift +value, without taking into account that CR fields are numbered from 0-7 starting +at the high bits. That meant it was looking at the CR fields in the reverse +order. + +Fixes: cf87c3f6b647 ("powerpc: Emulate icbi, mcrf and conditional-trap instructions") +Signed-off-by: Anton Blanchard +Acked-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/sstep.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -683,8 +683,10 @@ int analyse_instr(struct instruction_op + case 19: + switch ((instr >> 1) & 0x3ff) { + case 0: /* mcrf */ +- rd = (instr >> 21) & 0x1c; +- ra = (instr >> 16) & 0x1c; ++ rd = 7 - ((instr >> 23) & 0x7); ++ ra = 7 - ((instr >> 18) & 0x7); ++ rd *= 4; ++ ra *= 4; + val = (regs->ccr >> ra) & 0xf; + regs->ccr = (regs->ccr & ~(0xfUL << rd)) | (val << rd); + goto instr_done; diff --git a/queue-4.12/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch b/queue-4.12/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch new file mode 100644 index 00000000000..c65dbc2bd82 --- /dev/null +++ b/queue-4.12/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch @@ -0,0 +1,48 @@ +From 64e756c55aa46fc18fd53e8f3598b73b528d8637 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Thu, 15 Jun 2017 09:46:39 +1000 +Subject: powerpc: Fix emulation of mfocrf in emulate_step() + +From: Anton Blanchard + +commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream. + +From POWER4 onwards, mfocrf() only places the specified CR field into +the destination GPR, and the rest of it is set to 0. The PowerPC AS +from version 3.0 now requires this behaviour. + +The emulation code currently puts the entire CR into the destination GPR. +Fix it. + +Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software") +Signed-off-by: Anton Blanchard +Acked-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/sstep.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -966,6 +966,19 @@ int analyse_instr(struct instruction_op + #endif + + case 19: /* mfcr */ ++ if ((instr >> 20) & 1) { ++ imm = 0xf0000000UL; ++ for (sh = 0; sh < 8; ++sh) { ++ if (instr & (0x80000 >> sh)) { ++ regs->gpr[rd] = regs->ccr & imm; ++ break; ++ } ++ imm >>= 4; ++ } ++ ++ goto instr_done; ++ } ++ + regs->gpr[rd] = regs->ccr; + regs->gpr[rd] &= 0xffffffffUL; + goto instr_done; diff --git a/queue-4.12/powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch b/queue-4.12/powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch new file mode 100644 index 00000000000..fe076207407 --- /dev/null +++ b/queue-4.12/powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch @@ -0,0 +1,49 @@ +From 7f6d498ed3354740cfd100e4aa99e388f1a95be7 Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Thu, 29 Jun 2017 03:04:10 +1000 +Subject: powerpc/mm/radix: Fix execute permissions for interrupt_vectors + +From: Balbir Singh + +commit 7f6d498ed3354740cfd100e4aa99e388f1a95be7 upstream. + +Commit 9abcc981de97 ("powerpc/mm/radix: Only add X for pages +overlapping kernel text") changed the linear mapping on Radix to only +mark the kernel text executable. + +However if the kernel is run relocated, for example as a kdump kernel, +then the exception vectors are split from the kernel text, ie. they +remain at real address 0. + +We tend to get away with it, because the kernel itself will usually be +below 1G, which means the 1G page at 0-1G is marked executable and +everything works OK. However if the kernel is loaded above 1G, or the +system has less than 1G in total (meaning we can't use a 1G page), +then the exception vectors will not be marked executable and the +kernel will fail to boot. + +Fix it by also checking if the address range overlaps the exception +vectors when deciding if we should add PAGE_KERNEL_X. + +Fixes: 9abcc981de97 ("powerpc/mm/radix: Only add X for pages overlapping kernel text") +Signed-off-by: Balbir Singh +[mpe: Combine with the existing check, rewrite change log] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pgtable-radix.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/mm/pgtable-radix.c ++++ b/arch/powerpc/mm/pgtable-radix.c +@@ -149,7 +149,8 @@ static int __meminit create_physical_map + + vaddr = (unsigned long)__va(addr); + +- if (overlaps_kernel_text(vaddr, vaddr + mapping_size)) ++ if (overlaps_kernel_text(vaddr, vaddr + mapping_size) || ++ overlaps_interrupt_vector_text(vaddr, vaddr + mapping_size)) + prot = PAGE_KERNEL_X; + else + prot = PAGE_KERNEL; diff --git a/queue-4.12/powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch b/queue-4.12/powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch new file mode 100644 index 00000000000..83ff7148038 --- /dev/null +++ b/queue-4.12/powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch @@ -0,0 +1,82 @@ +From 9abcc981de9775659a0f6e4a52a3448ea72e59da Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 6 Jun 2017 15:48:57 +1000 +Subject: powerpc/mm/radix: Only add X for pages overlapping kernel text + +From: Michael Ellerman + +commit 9abcc981de9775659a0f6e4a52a3448ea72e59da upstream. + +Currently we map the whole linear mapping with PAGE_KERNEL_X. Instead we +should check if the page overlaps the kernel text and only then add +PAGE_KERNEL_X. + +Note that we still use 1G pages if they're available, so this will +typically still result in a 1G executable page at KERNELBASE. So this fix is +primarily useful for catching stray branches to high linear mapping addresses. + +Without this patch, we can execute at 1G in xmon using: + + 0:mon> m c000000040000000 + c000000040000000 00 l + c000000040000000 00000000 01006038 + c000000040000004 00000000 2000804e + c000000040000008 00000000 x + 0:mon> di c000000040000000 + c000000040000000 38600001 li r3,1 + c000000040000004 4e800020 blr + 0:mon> p c000000040000000 + return value is 0x1 + +After we get a 400 as expected: + + 0:mon> p c000000040000000 + *** 400 exception occurred + +Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines") +Signed-off-by: Michael Ellerman +Reviewed-by: Aneesh Kumar K.V +Acked-by: Balbir Singh +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pgtable-radix.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/pgtable-radix.c ++++ b/arch/powerpc/mm/pgtable-radix.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include + +@@ -121,7 +122,8 @@ static inline void __meminit print_mappi + static int __meminit create_physical_mapping(unsigned long start, + unsigned long end) + { +- unsigned long addr, mapping_size = 0; ++ unsigned long vaddr, addr, mapping_size = 0; ++ pgprot_t prot; + + start = _ALIGN_UP(start, PAGE_SIZE); + for (addr = start; addr < end; addr += mapping_size) { +@@ -145,8 +147,14 @@ static int __meminit create_physical_map + start = addr; + } + +- rc = radix__map_kernel_page((unsigned long)__va(addr), addr, +- PAGE_KERNEL_X, mapping_size); ++ vaddr = (unsigned long)__va(addr); ++ ++ if (overlaps_kernel_text(vaddr, vaddr + mapping_size)) ++ prot = PAGE_KERNEL_X; ++ else ++ prot = PAGE_KERNEL; ++ ++ rc = radix__map_kernel_page(vaddr, addr, prot, mapping_size); + if (rc) + return rc; + } diff --git a/queue-4.12/powerpc-mm-radix-properly-clear-process-table-entry.patch b/queue-4.12/powerpc-mm-radix-properly-clear-process-table-entry.patch new file mode 100644 index 00000000000..e13513aec5b --- /dev/null +++ b/queue-4.12/powerpc-mm-radix-properly-clear-process-table-entry.patch @@ -0,0 +1,44 @@ +From c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Sat, 8 Jul 2017 07:45:32 -0500 +Subject: powerpc/mm/radix: Properly clear process table entry + +From: Benjamin Herrenschmidt + +commit c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb upstream. + +On radix, the process table entry we want to clear when destroying a +context is entry 0, not entry 1. This has no *immediate* consequence +on Power9, but it can cause other bugs to become worse. + +Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix") +Signed-off-by: Benjamin Herrenschmidt +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/mmu_context_book3s64.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/mmu_context_book3s64.c ++++ b/arch/powerpc/mm/mmu_context_book3s64.c +@@ -223,9 +223,15 @@ void destroy_context(struct mm_struct *m + mm->context.cop_lockp = NULL; + #endif /* CONFIG_PPC_ICSWX */ + +- if (radix_enabled()) +- process_tb[mm->context.id].prtb1 = 0; +- else ++ if (radix_enabled()) { ++ /* ++ * Radix doesn't have a valid bit in the process table ++ * entries. However we know that at least P9 implementation ++ * will avoid caching an entry with an invalid RTS field, ++ * and 0 is invalid. So this will do. ++ */ ++ process_tb[mm->context.id].prtb0 = 0; ++ } else + subpage_prot_free(mm); + destroy_pagetable_page(mm); + __destroy_context(mm->context.id); diff --git a/queue-4.12/powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch b/queue-4.12/powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch new file mode 100644 index 00000000000..73f5286e093 --- /dev/null +++ b/queue-4.12/powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch @@ -0,0 +1,48 @@ +From 20dd4c624d25156d5ec3345bbb690b98175ef879 Mon Sep 17 00:00:00 2001 +From: Madhavan Srinivasan +Date: Tue, 11 Jul 2017 16:27:49 +0530 +Subject: powerpc/perf: Fix SDAR_MODE value for continous sampling on Power9 + +From: Madhavan Srinivasan + +commit 20dd4c624d25156d5ec3345bbb690b98175ef879 upstream. + +In case of continous sampling (non-marked), the code currently +sets MMCRA[SDAR_MODE] to 0b01 (Update on TLB miss) for Power9 DD1. + +On DD2 and later it copies the sdar_mode value from the event code, +which for most events is 0b00 (No updates). + +However we must set a non-zero value for SDAR_MODE when doing +continuous sampling, so honor the event code, unless it's zero, in +which case we use use 0b01 (Update on TLB miss). + +Fixes: 78b4416aa249 ("powerpc/perf: Handle sdar_mode for marked event in power9") +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/isa207-common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -90,13 +90,15 @@ static void mmcra_sdar_mode(u64 event, u + * MMCRA[SDAR_MODE] will be set to 0b01 + * For rest + * MMCRA[SDAR_MODE] will be set from event code. ++ * If sdar_mode from event is zero, default to 0b01. Hardware ++ * requires that we set a non-zero value. + */ + if (cpu_has_feature(CPU_FTR_ARCH_300)) { + if (is_event_marked(event) || (*mmcra & MMCRA_SAMPLE_ENABLE)) + *mmcra &= MMCRA_SDAR_MODE_NO_UPDATES; +- else if (!cpu_has_feature(CPU_FTR_POWER9_DD1)) ++ else if (!cpu_has_feature(CPU_FTR_POWER9_DD1) && p9_SDAR_MODE(event)) + *mmcra |= p9_SDAR_MODE(event) << MMCRA_SDAR_MODE_SHIFT; +- else if (cpu_has_feature(CPU_FTR_POWER9_DD1)) ++ else + *mmcra |= MMCRA_SDAR_MODE_TLB; + } else + *mmcra |= MMCRA_SDAR_MODE_TLB; diff --git a/queue-4.12/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch b/queue-4.12/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch new file mode 100644 index 00000000000..7543e68e759 --- /dev/null +++ b/queue-4.12/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch @@ -0,0 +1,71 @@ +From e71ff982ae4c17d176e9f0132157d54973788377 Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Thu, 29 Jun 2017 03:04:07 +1000 +Subject: powerpc/pseries: Fix passing of pp0 in updatepp() and updateboltedpp() + +From: Balbir Singh + +commit e71ff982ae4c17d176e9f0132157d54973788377 upstream. + +Once upon a time there were only two PP (page protection) bits. In ISA +2.03 an additional PP bit was added, but because of the layout of the +HPTE it could not be made contiguous with the existing PP bits. + +The result is that we now have three PP bits, named pp0, pp1, pp2, +where pp0 occupies bit 63 of dword 1 of the HPTE and pp1 and pp2 +occupy bits 1 and 0 respectively. Until recently Linux hasn't used +pp0, however with the addition of _PAGE_KERNEL_RO we started using it. + +The problem arises in the LPAR code, where we need to translate the PP +bits into the argument for the H_PROTECT hypercall. Currently the code +only passes bits 0-2 of newpp, which covers pp1, pp2 and N (no +execute), meaning pp0 is not passed to the hypervisor at all. + +We can't simply pass it through in bit 63, as that would collide with a +different field in the flags argument, as defined in PAPR. Instead we +have to shift it down to bit 8 (IBM bit 55). + +Fixes: e58e87adc8bf ("powerpc/mm: Update _PAGE_KERNEL_RO") +Signed-off-by: Balbir Singh +[mpe: Simplify the test, rework change log] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/lpar.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -301,7 +301,7 @@ static long pSeries_lpar_hpte_updatepp(u + int ssize, unsigned long inv_flags) + { + unsigned long lpar_rc; +- unsigned long flags = (newpp & 7) | H_AVPN; ++ unsigned long flags; + unsigned long want_v; + + want_v = hpte_encode_avpn(vpn, psize, ssize); +@@ -309,6 +309,11 @@ static long pSeries_lpar_hpte_updatepp(u + pr_devel(" update: avpnv=%016lx, hash=%016lx, f=%lx, psize: %d ...", + want_v, slot, flags, psize); + ++ flags = (newpp & 7) | H_AVPN; ++ if (mmu_has_feature(MMU_FTR_KERNEL_RO)) ++ /* Move pp0 into bit 8 (IBM 55) */ ++ flags |= (newpp & HPTE_R_PP0) >> 55; ++ + lpar_rc = plpar_pte_protect(flags, slot, want_v); + + if (lpar_rc == H_NOT_FOUND) { +@@ -380,6 +385,10 @@ static void pSeries_lpar_hpte_updatebolt + BUG_ON(slot == -1); + + flags = newpp & 7; ++ if (mmu_has_feature(MMU_FTR_KERNEL_RO)) ++ /* Move pp0 into bit 8 (IBM 55) */ ++ flags |= (newpp & HPTE_R_PP0) >> 55; ++ + lpar_rc = plpar_pte_protect(flags, slot, 0); + + BUG_ON(lpar_rc != H_SUCCESS); diff --git a/queue-4.12/scsi-add-starget_created_remove-state-to-scsi_target_state.patch b/queue-4.12/scsi-add-starget_created_remove-state-to-scsi_target_state.patch new file mode 100644 index 00000000000..bdc1cc05637 --- /dev/null +++ b/queue-4.12/scsi-add-starget_created_remove-state-to-scsi_target_state.patch @@ -0,0 +1,133 @@ +From f9279c968c257ee39b0d7bd2571a4d231a67bcc1 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Tue, 27 Jun 2017 14:55:58 -0400 +Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state + +From: Ewan D. Milne + +commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 upstream. + +The addition of the STARGET_REMOVE state had the side effect of +introducing a race condition that can cause a crash. + +scsi_target_reap_ref_release() checks the starget->state to +see if it still in STARGET_CREATED, and if so, skips calling +transport_remove_device() and device_del(), because the starget->state +is only set to STARGET_RUNNING after scsi_target_add() has called +device_add() and transport_add_device(). + +However, if an rport loss occurs while a target is being scanned, +it can happen that scsi_remove_target() will be called while the +starget is still in the STARGET_CREATED state. In this case, the +starget->state will be set to STARGET_REMOVE, and as a result, +scsi_target_reap_ref_release() will take the wrong path. The end +result is a panic: + +[ 1255.356653] Oops: 0000 [#1] SMP +[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i +[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8 +[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013 +[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc] +[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000 +[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0 +[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246 +[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000 +[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025 +[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659 +[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000 +[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000 +[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0 +[ 1255.498332] Call Trace: +[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60 +[ 1255.505916] sysfs_unmerge_group+0x1d/0x60 +[ 1255.510498] dpm_sysfs_remove+0x22/0x60 +[ 1255.514783] device_del+0xf4/0x2e0 +[ 1255.518577] ? device_remove_file+0x19/0x20 +[ 1255.523241] attribute_container_class_device_del+0x1a/0x20 +[ 1255.529457] transport_remove_classdev+0x4e/0x60 +[ 1255.534607] ? transport_add_class_device+0x40/0x40 +[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0 +[ 1255.546069] transport_remove_device+0x15/0x20 +[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40 +[ 1255.556467] scsi_target_reap+0x2e/0x40 +[ 1255.560744] __scsi_scan_target+0xaa/0x5b0 +[ 1255.565312] scsi_scan_target+0xec/0x100 +[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc] +[ 1255.576099] process_one_work+0x14b/0x390 +[ 1255.580569] worker_thread+0x4b/0x390 +[ 1255.584651] kthread+0x109/0x140 +[ 1255.588251] ? rescuer_thread+0x330/0x330 +[ 1255.592730] ? kthread_park+0x60/0x60 +[ 1255.596815] ret_from_fork+0x29/0x40 +[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 +[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0 +[ 1255.628479] CR2: 0000000000000068 +[ 1255.632756] ---[ end trace 34a69ba0477d036f ]--- + +Fix this by adding another scsi_target state STARGET_CREATED_REMOVE +to distinguish this case. + +Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state") +Reported-by: David Jeffery +Signed-off-by: Ewan D. Milne +Reviewed-by: Laurence Oberman +Tested-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_scan.c | 5 +++-- + drivers/scsi/scsi_sysfs.c | 8 ++++++-- + include/scsi/scsi_device.h | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -384,11 +384,12 @@ static void scsi_target_reap_ref_release + = container_of(kref, struct scsi_target, reap_ref); + + /* +- * if we get here and the target is still in the CREATED state that ++ * if we get here and the target is still in a CREATED state that + * means it was allocated but never made visible (because a scan + * turned up no LUNs), so don't call device_del() on it. + */ +- if (starget->state != STARGET_CREATED) { ++ if ((starget->state != STARGET_CREATED) && ++ (starget->state != STARGET_CREATED_REMOVE)) { + transport_remove_device(&starget->dev); + device_del(&starget->dev); + } +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -1370,11 +1370,15 @@ restart: + spin_lock_irqsave(shost->host_lock, flags); + list_for_each_entry(starget, &shost->__targets, siblings) { + if (starget->state == STARGET_DEL || +- starget->state == STARGET_REMOVE) ++ starget->state == STARGET_REMOVE || ++ starget->state == STARGET_CREATED_REMOVE) + continue; + if (starget->dev.parent == dev || &starget->dev == dev) { + kref_get(&starget->reap_ref); +- starget->state = STARGET_REMOVE; ++ if (starget->state == STARGET_CREATED) ++ starget->state = STARGET_CREATED_REMOVE; ++ else ++ starget->state = STARGET_REMOVE; + spin_unlock_irqrestore(shost->host_lock, flags); + __scsi_remove_target(starget); + scsi_target_reap(starget); +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -248,6 +248,7 @@ enum scsi_target_state { + STARGET_CREATED = 1, + STARGET_RUNNING, + STARGET_REMOVE, ++ STARGET_CREATED_REMOVE, + STARGET_DEL, + }; + diff --git a/queue-4.12/scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch b/queue-4.12/scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch new file mode 100644 index 00000000000..d3d0740c48e --- /dev/null +++ b/queue-4.12/scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch @@ -0,0 +1,187 @@ +From 8e6882545d8c06f99e9e117741cc87f3338b0bef Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 2 Jun 2017 14:21:52 -0700 +Subject: scsi: Avoid that scsi_exit_rq() triggers a use-after-free + +From: Bart Van Assche + +commit 8e6882545d8c06f99e9e117741cc87f3338b0bef upstream. + +Dereferencing shost from scsi_exit_rq() is not safe because the SCSI +host may already have been freed when scsi_exit_rq() is called. +Increasing the shost reference count in scsi_init_rq() and dropping that +reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release() +may sleep and since scsi_exit_rq() may be called from interrupt +context. Since scsi_exit_rq() only needs a single bit from shost, copy +that bit into struct scsi_cmnd. + +Reported-by: Scott Bauer +Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request") +Signed-off-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Scott Bauer +Cc: Jan Kara +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 47 +++++++++++++++++++++++++++++------------------ + include/scsi/scsi_cmnd.h | 1 + + 2 files changed, 30 insertions(+), 18 deletions(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -45,23 +45,23 @@ static struct kmem_cache *scsi_sense_isa + static DEFINE_MUTEX(scsi_sense_cache_mutex); + + static inline struct kmem_cache * +-scsi_select_sense_cache(struct Scsi_Host *shost) ++scsi_select_sense_cache(bool unchecked_isa_dma) + { +- return shost->unchecked_isa_dma ? +- scsi_sense_isadma_cache : scsi_sense_cache; ++ return unchecked_isa_dma ? scsi_sense_isadma_cache : scsi_sense_cache; + } + +-static void scsi_free_sense_buffer(struct Scsi_Host *shost, +- unsigned char *sense_buffer) ++static void scsi_free_sense_buffer(bool unchecked_isa_dma, ++ unsigned char *sense_buffer) + { +- kmem_cache_free(scsi_select_sense_cache(shost), sense_buffer); ++ kmem_cache_free(scsi_select_sense_cache(unchecked_isa_dma), ++ sense_buffer); + } + +-static unsigned char *scsi_alloc_sense_buffer(struct Scsi_Host *shost, ++static unsigned char *scsi_alloc_sense_buffer(bool unchecked_isa_dma, + gfp_t gfp_mask, int numa_node) + { +- return kmem_cache_alloc_node(scsi_select_sense_cache(shost), gfp_mask, +- numa_node); ++ return kmem_cache_alloc_node(scsi_select_sense_cache(unchecked_isa_dma), ++ gfp_mask, numa_node); + } + + int scsi_init_sense_cache(struct Scsi_Host *shost) +@@ -69,7 +69,7 @@ int scsi_init_sense_cache(struct Scsi_Ho + struct kmem_cache *cache; + int ret = 0; + +- cache = scsi_select_sense_cache(shost); ++ cache = scsi_select_sense_cache(shost->unchecked_isa_dma); + if (cache) + return 0; + +@@ -1138,6 +1138,7 @@ void scsi_init_command(struct scsi_devic + { + void *buf = cmd->sense_buffer; + void *prot = cmd->prot_sdb; ++ unsigned int unchecked_isa_dma = cmd->flags & SCMD_UNCHECKED_ISA_DMA; + unsigned long flags; + + /* zero out the cmd, except for the embedded scsi_request */ +@@ -1147,6 +1148,7 @@ void scsi_init_command(struct scsi_devic + cmd->device = dev; + cmd->sense_buffer = buf; + cmd->prot_sdb = prot; ++ cmd->flags = unchecked_isa_dma; + INIT_DELAYED_WORK(&cmd->abort_work, scmd_eh_abort_handler); + cmd->jiffies_at_alloc = jiffies; + +@@ -1847,6 +1849,7 @@ static int scsi_mq_prep_fn(struct reques + struct scsi_device *sdev = req->q->queuedata; + struct Scsi_Host *shost = sdev->host; + unsigned char *sense_buf = cmd->sense_buffer; ++ unsigned int unchecked_isa_dma = cmd->flags & SCMD_UNCHECKED_ISA_DMA; + struct scatterlist *sg; + + /* zero out the cmd, except for the embedded scsi_request */ +@@ -1858,6 +1861,7 @@ static int scsi_mq_prep_fn(struct reques + cmd->request = req; + cmd->device = sdev; + cmd->sense_buffer = sense_buf; ++ cmd->flags = unchecked_isa_dma; + + cmd->tag = req->tag; + +@@ -2004,10 +2008,13 @@ static int scsi_init_request(struct blk_ + unsigned int hctx_idx, unsigned int numa_node) + { + struct Scsi_Host *shost = set->driver_data; ++ const bool unchecked_isa_dma = shost->unchecked_isa_dma; + struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq); + +- cmd->sense_buffer = +- scsi_alloc_sense_buffer(shost, GFP_KERNEL, numa_node); ++ if (unchecked_isa_dma) ++ cmd->flags |= SCMD_UNCHECKED_ISA_DMA; ++ cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma, ++ GFP_KERNEL, numa_node); + if (!cmd->sense_buffer) + return -ENOMEM; + cmd->req.sense = cmd->sense_buffer; +@@ -2017,10 +2024,10 @@ static int scsi_init_request(struct blk_ + static void scsi_exit_request(struct blk_mq_tag_set *set, struct request *rq, + unsigned int hctx_idx) + { +- struct Scsi_Host *shost = set->driver_data; + struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq); + +- scsi_free_sense_buffer(shost, cmd->sense_buffer); ++ scsi_free_sense_buffer(cmd->flags & SCMD_UNCHECKED_ISA_DMA, ++ cmd->sense_buffer); + } + + static int scsi_map_queues(struct blk_mq_tag_set *set) +@@ -2093,11 +2100,15 @@ EXPORT_SYMBOL_GPL(__scsi_init_queue); + static int scsi_init_rq(struct request_queue *q, struct request *rq, gfp_t gfp) + { + struct Scsi_Host *shost = q->rq_alloc_data; ++ const bool unchecked_isa_dma = shost->unchecked_isa_dma; + struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq); + + memset(cmd, 0, sizeof(*cmd)); + +- cmd->sense_buffer = scsi_alloc_sense_buffer(shost, gfp, NUMA_NO_NODE); ++ if (unchecked_isa_dma) ++ cmd->flags |= SCMD_UNCHECKED_ISA_DMA; ++ cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma, gfp, ++ NUMA_NO_NODE); + if (!cmd->sense_buffer) + goto fail; + cmd->req.sense = cmd->sense_buffer; +@@ -2111,19 +2122,19 @@ static int scsi_init_rq(struct request_q + return 0; + + fail_free_sense: +- scsi_free_sense_buffer(shost, cmd->sense_buffer); ++ scsi_free_sense_buffer(unchecked_isa_dma, cmd->sense_buffer); + fail: + return -ENOMEM; + } + + static void scsi_exit_rq(struct request_queue *q, struct request *rq) + { +- struct Scsi_Host *shost = q->rq_alloc_data; + struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq); + + if (cmd->prot_sdb) + kmem_cache_free(scsi_sdb_cache, cmd->prot_sdb); +- scsi_free_sense_buffer(shost, cmd->sense_buffer); ++ scsi_free_sense_buffer(cmd->flags & SCMD_UNCHECKED_ISA_DMA, ++ cmd->sense_buffer); + } + + struct request_queue *scsi_alloc_queue(struct scsi_device *sdev) +--- a/include/scsi/scsi_cmnd.h ++++ b/include/scsi/scsi_cmnd.h +@@ -56,6 +56,7 @@ struct scsi_pointer { + + /* for scmd->flags */ + #define SCMD_TAGGED (1 << 0) ++#define SCMD_UNCHECKED_ISA_DMA (1 << 1) + + struct scsi_cmnd { + struct scsi_request req; diff --git a/queue-4.12/scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch b/queue-4.12/scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch new file mode 100644 index 00000000000..ae3cb2ff797 --- /dev/null +++ b/queue-4.12/scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch @@ -0,0 +1,49 @@ +From 3c4810ffdc8e4f34d387f59baf0abefcfa4ada6a Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 2 Jun 2017 09:11:53 -0700 +Subject: scsi: qla2xxx: Allow ABTS, PURX, RIDA on ATIOQ for ISP83XX/27XX + +From: Quinn Tran + +commit 3c4810ffdc8e4f34d387f59baf0abefcfa4ada6a upstream. + +Driver added mechanism to move ABTS/PUREX/RIDA mailbox to +ATIO queue as part of commit id 41dc529a4602ac737020f423f84686a81de38e6d +("qla2xxx: Improve RSCN handling in driver"). + +This patch adds a check to only allow ABTS/PURX/RIDA +to be moved to ATIO Queue for ISP83XX and ISP27XX. + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_init.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2946,7 +2946,8 @@ qla24xx_update_fw_options(scsi_qla_host_ + } + + /* Move PUREX, ABTS RX & RIDA to ATIOQ */ +- if (ql2xmvasynctoatio) { ++ if (ql2xmvasynctoatio && ++ (IS_QLA83XX(ha) || IS_QLA27XX(ha))) { + if (qla_tgt_mode_enabled(vha) || + qla_dual_mode_enabled(vha)) + ha->fw_options[2] |= BIT_11; +@@ -2958,7 +2959,9 @@ qla24xx_update_fw_options(scsi_qla_host_ + "%s, add FW options 1-3 = 0x%04x 0x%04x 0x%04x mode %x\n", + __func__, ha->fw_options[1], ha->fw_options[2], + ha->fw_options[3], vha->host->active_mode); +- qla2x00_set_fw_options(vha, ha->fw_options); ++ ++ if (ha->fw_options[1] || ha->fw_options[2] || ha->fw_options[3]) ++ qla2x00_set_fw_options(vha, ha->fw_options); + + /* Update Serial Link options. */ + if ((le16_to_cpu(ha->fw_seriallink_options24[0]) & BIT_0) == 0) diff --git a/queue-4.12/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch b/queue-4.12/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch new file mode 100644 index 00000000000..83ec194ba04 --- /dev/null +++ b/queue-4.12/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch @@ -0,0 +1,54 @@ +From 62e62ffd95539b9220894a7900a619e0f3ef4756 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Tue, 27 Jun 2017 11:53:27 +0200 +Subject: scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails. + +From: Maurizio Lombardi + +commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream. + +The enclosure_add_device() function should fail if it can't create the +relevant sysfs links. + +Signed-off-by: Maurizio Lombardi +Tested-by: Douglas Miller +Acked-by: James Bottomley +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/enclosure.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -375,6 +375,7 @@ int enclosure_add_device(struct enclosur + struct device *dev) + { + struct enclosure_component *cdev; ++ int err; + + if (!edev || component >= edev->components) + return -EINVAL; +@@ -384,12 +385,17 @@ int enclosure_add_device(struct enclosur + if (cdev->dev == dev) + return -EEXIST; + +- if (cdev->dev) ++ if (cdev->dev) { + enclosure_remove_links(cdev); +- +- put_device(cdev->dev); ++ put_device(cdev->dev); ++ } + cdev->dev = get_device(dev); +- return enclosure_add_links(cdev); ++ err = enclosure_add_links(cdev); ++ if (err) { ++ put_device(cdev->dev); ++ cdev->dev = NULL; ++ } ++ return err; + } + EXPORT_SYMBOL_GPL(enclosure_add_device); + diff --git a/queue-4.12/scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch b/queue-4.12/scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch new file mode 100644 index 00000000000..d6b0d9c297a --- /dev/null +++ b/queue-4.12/scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch @@ -0,0 +1,34 @@ +From a680f1d463aeaeb00d22af257a56e111967c2f18 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 5 Jul 2017 10:30:56 +0200 +Subject: scsi: virtio_scsi: always read VPD pages for multiqueue too + +From: Paolo Bonzini + +commit a680f1d463aeaeb00d22af257a56e111967c2f18 upstream. + +Multi-queue virtio-scsi uses a different scsi_host_template struct. Add +the .device_alloc field there, too. + +Fixes: 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0 +Cc: David Gibson +Signed-off-by: Paolo Bonzini +Reviewed-by: Fam Zheng +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/virtio_scsi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -838,6 +838,7 @@ static struct scsi_host_template virtscs + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, + .eh_timed_out = virtscsi_eh_timed_out, ++ .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, diff --git a/queue-4.12/scsi-virtio_scsi-let-host-do-exception-handling.patch b/queue-4.12/scsi-virtio_scsi-let-host-do-exception-handling.patch new file mode 100644 index 00000000000..d231849eb0d --- /dev/null +++ b/queue-4.12/scsi-virtio_scsi-let-host-do-exception-handling.patch @@ -0,0 +1,71 @@ +From e72c9a2a67a6400c8ef3d01d4c461dbbbfa0e1f0 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 21 Jun 2017 16:35:46 +0200 +Subject: scsi: virtio_scsi: let host do exception handling + +From: Paolo Bonzini + +commit e72c9a2a67a6400c8ef3d01d4c461dbbbfa0e1f0 upstream. + +virtio_scsi tries to do exception handling after the default 30 seconds +timeout expires. However, it's better to let the host control the +timeout, otherwise with a heavy I/O load it is likely that an abort will +also timeout. This leads to fatal errors like filesystems going +offline. + +Disable the 'sd' timeout and allow the host to do exception handling, +following the precedent of the storvsc driver. + +Hannes has a proposal to introduce timeouts in virtio, but this provides +an immediate solution for stable kernels too. + +[mkp: fixed typo] + +Reported-by: Douglas Miller +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: Hannes Reinecke +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/virtio_scsi.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -796,6 +796,16 @@ static int virtscsi_map_queues(struct Sc + return blk_mq_virtio_map_queues(&shost->tag_set, vscsi->vdev, 2); + } + ++/* ++ * The host guarantees to respond to each command, although I/O ++ * latencies might be higher than on bare metal. Reset the timer ++ * unconditionally to give the host a chance to perform EH. ++ */ ++static enum blk_eh_timer_return virtscsi_eh_timed_out(struct scsi_cmnd *scmnd) ++{ ++ return BLK_EH_RESET_TIMER; ++} ++ + static struct scsi_host_template virtscsi_host_template_single = { + .module = THIS_MODULE, + .name = "Virtio SCSI HBA", +@@ -806,6 +816,7 @@ static struct scsi_host_template virtscs + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .eh_timed_out = virtscsi_eh_timed_out, + .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, +@@ -826,6 +837,7 @@ static struct scsi_host_template virtscs + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .eh_timed_out = virtscsi_eh_timed_out, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, diff --git a/queue-4.12/series b/queue-4.12/series index de385522dfe..9e9a9c3698f 100644 --- a/queue-4.12/series +++ b/queue-4.12/series @@ -32,3 +32,26 @@ btrfs-don-t-clear-sgid-when-inheriting-acls.patch btrfs-incremental-send-fix-invalid-memory-access.patch igb-explicitly-select-page-0-at-initialization.patch spi-atmel-fix-corrupted-data-issue-on-sam9-family-socs.patch +asoc-zx-i2s-flip-i2s-master-slave-mode.patch +asoc-compress-derive-substream-from-stream-based-on-direction.patch +asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch +pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch +pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch +pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch +scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch +scsi-virtio_scsi-let-host-do-exception-handling.patch +scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch +scsi-add-starget_created_remove-state-to-scsi_target_state.patch +scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch +iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch +xen-scsiback-fix-a-tmr-related-use-after-free.patch +scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch +powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch +powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch +powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch +powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch +powerpc-fix-emulation-of-mcrf-in-emulate_step.patch +powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch +powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch +powerpc-mm-radix-properly-clear-process-table-entry.patch +powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch diff --git a/queue-4.12/xen-scsiback-fix-a-tmr-related-use-after-free.patch b/queue-4.12/xen-scsiback-fix-a-tmr-related-use-after-free.patch new file mode 100644 index 00000000000..364fa785976 --- /dev/null +++ b/queue-4.12/xen-scsiback-fix-a-tmr-related-use-after-free.patch @@ -0,0 +1,110 @@ +From 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 23 May 2017 16:48:36 -0700 +Subject: xen/scsiback: Fix a TMR related use-after-free + +From: Bart Van Assche + +commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream. + +scsiback_release_cmd() must not dereference se_cmd->se_tmr_req +because that memory is freed by target_free_cmd_mem() before +scsiback_release_cmd() is called. Fix this use-after-free by +inlining struct scsiback_tmr into struct vscsibk_pend. + +Signed-off-by: Bart Van Assche +Reviewed-by: Juergen Gross +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: David Disseldorp +Cc: xen-devel@lists.xenproject.org +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ + 1 file changed, 9 insertions(+), 24 deletions(-) + +--- a/drivers/xen/xen-scsiback.c ++++ b/drivers/xen/xen-scsiback.c +@@ -134,9 +134,7 @@ struct vscsibk_pend { + struct page *pages[VSCSI_MAX_GRANTS]; + + struct se_cmd se_cmd; +-}; + +-struct scsiback_tmr { + atomic_t tmr_complete; + wait_queue_head_t tmr_wait; + }; +@@ -599,26 +597,20 @@ static void scsiback_device_action(struc + struct scsiback_tpg *tpg = pending_req->v2p->tpg; + struct scsiback_nexus *nexus = tpg->tpg_nexus; + struct se_cmd *se_cmd = &pending_req->se_cmd; +- struct scsiback_tmr *tmr; + u64 unpacked_lun = pending_req->v2p->lun; + int rc, err = FAILED; + +- tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL); +- if (!tmr) { +- target_put_sess_cmd(se_cmd); +- goto err; +- } +- +- init_waitqueue_head(&tmr->tmr_wait); ++ init_waitqueue_head(&pending_req->tmr_wait); + + rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess, + &pending_req->sense_buffer[0], +- unpacked_lun, tmr, act, GFP_KERNEL, ++ unpacked_lun, NULL, act, GFP_KERNEL, + tag, TARGET_SCF_ACK_KREF); + if (rc) + goto err; + +- wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete)); ++ wait_event(pending_req->tmr_wait, ++ atomic_read(&pending_req->tmr_complete)); + + err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ? + SUCCESS : FAILED; +@@ -626,9 +618,8 @@ static void scsiback_device_action(struc + scsiback_do_resp_with_sense(NULL, err, 0, pending_req); + transport_generic_free_cmd(&pending_req->se_cmd, 1); + return; ++ + err: +- if (tmr) +- kfree(tmr); + scsiback_do_resp_with_sense(NULL, err, 0, pending_req); + } + +@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru + static void scsiback_release_cmd(struct se_cmd *se_cmd) + { + struct se_session *se_sess = se_cmd->se_sess; +- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; +- +- if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) { +- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; +- kfree(tmr); +- } + + percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag); + } +@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct + + static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd) + { +- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; +- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; ++ struct vscsibk_pend *pending_req = container_of(se_cmd, ++ struct vscsibk_pend, se_cmd); + +- atomic_set(&tmr->tmr_complete, 1); +- wake_up(&tmr->tmr_wait); ++ atomic_set(&pending_req->tmr_complete, 1); ++ wake_up(&pending_req->tmr_wait); + } + + static void scsiback_aborted_task(struct se_cmd *se_cmd)