From: Greg Kroah-Hartman Date: Mon, 3 Jul 2017 07:58:34 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.60~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c838b195a4b84248da9b523d308895f3aab1ffa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-fix-endless-loop-of-codec-configure.patch alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch gpiolib-fix-filtering-out-unwanted-events.patch mips-avoid-accidental-raw-backtrace.patch mips-fix-irq-tracing-lockdep-when-rescheduling.patch mips-head-reorder-instructions-missing-a-delay-slot.patch mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch --- diff --git a/queue-4.9/alsa-hda-fix-endless-loop-of-codec-configure.patch b/queue-4.9/alsa-hda-fix-endless-loop-of-codec-configure.patch new file mode 100644 index 00000000000..52e0891285c --- /dev/null +++ b/queue-4.9/alsa-hda-fix-endless-loop-of-codec-configure.patch @@ -0,0 +1,61 @@ +From d94815f917da770d42c377786dc428f542e38f71 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 28 Jun 2017 12:02:02 +0200 +Subject: ALSA: hda - Fix endless loop of codec configure + +From: Takashi Iwai + +commit d94815f917da770d42c377786dc428f542e38f71 upstream. + +azx_codec_configure() loops over the codecs found on the given +controller via a linked list. The code used to work in the past, but +in the current version, this may lead to an endless loop when a codec +binding returns an error. + +The culprit is that the snd_hda_codec_configure() unregisters the +device upon error, and this eventually deletes the given codec object +from the bus. Since the list is initialized via list_del_init(), the +next object points to the same device itself. This behavior change +was introduced at splitting the HD-audio code code, and forgotten to +adapt it here. + +For fixing this bug, just use a *_safe() version of list iteration. + +Fixes: d068ebc25e6e ("ALSA: hda - Move some codes up to hdac_bus struct") +Reported-by: Daniel Vetter +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.h | 2 ++ + sound/pci/hda/hda_controller.c | 8 ++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_codec.h ++++ b/sound/pci/hda/hda_codec.h +@@ -294,6 +294,8 @@ struct hda_codec { + + #define list_for_each_codec(c, bus) \ + list_for_each_entry(c, &(bus)->core.codec_list, core.list) ++#define list_for_each_codec_safe(c, n, bus) \ ++ list_for_each_entry_safe(c, n, &(bus)->core.codec_list, core.list) + + /* snd_hda_codec_read/write optional flags */ + #define HDA_RW_NO_RESPONSE_FALLBACK (1 << 0) +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1333,8 +1333,12 @@ EXPORT_SYMBOL_GPL(azx_probe_codecs); + /* configure each codec instance */ + int azx_codec_configure(struct azx *chip) + { +- struct hda_codec *codec; +- list_for_each_codec(codec, &chip->bus) { ++ struct hda_codec *codec, *next; ++ ++ /* use _safe version here since snd_hda_codec_configure() deregisters ++ * the device upon error and deletes itself from the bus list. ++ */ ++ list_for_each_codec_safe(codec, next, &chip->bus) { + snd_hda_codec_configure(codec); + } + return 0; diff --git a/queue-4.9/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch b/queue-4.9/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch new file mode 100644 index 00000000000..d6aaf2995a3 --- /dev/null +++ b/queue-4.9/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch @@ -0,0 +1,42 @@ +From a8f20fd25bdce81a8e41767c39f456d346b63427 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 28 Jun 2017 08:59:16 +0800 +Subject: ALSA: hda - set input_path bitmap to zero after moving it to new place + +From: Hui Wang + +commit a8f20fd25bdce81a8e41767c39f456d346b63427 upstream. + +Recently we met a problem, the codec has valid adcs and input pins, +and they can form valid input paths, but the driver does not build +valid controls for them like "Mic boost", "Capture Volume" and +"Capture Switch". + +Through debugging, I found the driver needs to shrink the invalid +adcs and input paths for this machine, so it will move the whole +column bitmap value to the previous column, after moving it, the +driver forgets to set the original column bitmap value to zero, as a +result, the driver will invalidate the path whose index value is the +original colume bitmap value. After executing this function, all +valid input paths are invalidated by a mistake, there are no any +valid input paths, so the driver won't build controls for them. + +Fixes: 3a65bcdc577a ("ALSA: hda - Fix inconsistent input_paths after ADC reduction") +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_generic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -3169,6 +3169,7 @@ static int check_dyn_adc_switch(struct h + spec->input_paths[i][nums]); + spec->input_paths[i][nums] = + spec->input_paths[i][n]; ++ spec->input_paths[i][n] = 0; + } + } + nums++; diff --git a/queue-4.9/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch b/queue-4.9/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch new file mode 100644 index 00000000000..b6b81112f1c --- /dev/null +++ b/queue-4.9/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch @@ -0,0 +1,122 @@ +From 00a0ea33b495ee6149bf5a77ac5807ce87323abb Mon Sep 17 00:00:00 2001 +From: Vallish Vaidyeshwara +Date: Fri, 23 Jun 2017 18:53:06 +0000 +Subject: dm thin: do not queue freed thin mapping for next stage processing + +From: Vallish Vaidyeshwara + +commit 00a0ea33b495ee6149bf5a77ac5807ce87323abb upstream. + +process_prepared_discard_passdown_pt1() should cleanup +dm_thin_new_mapping in cases of error. + +dm_pool_inc_data_range() can fail trying to get a block reference: + +metadata operation 'dm_pool_inc_data_range' failed: error = -61 + +When dm_pool_inc_data_range() fails, dm thin aborts current metadata +transaction and marks pool as PM_READ_ONLY. Memory for thin mapping +is released as well. However, current thin mapping will be queued +onto next stage as part of queue_passdown_pt2() or passdown_endio(). +This dangling thin mapping memory when processed and accessed in +next stage will lead to device mapper crashing. + +Code flow without fix: +-> process_prepared_discard_passdown_pt1(m) + -> dm_thin_remove_range() + -> discard passdown + --> passdown_endio(m) queues m onto next stage + -> dm_pool_inc_data_range() fails, frees memory m + but does not remove it from next stage queue + +-> process_prepared_discard_passdown_pt2(m) + -> processes freed memory m and crashes + +One such stack: + +Call Trace: +[] dm_cell_release_no_holder+0x2f/0x70 [dm_bio_prison] +[] cell_defer_no_holder+0x3c/0x80 [dm_thin_pool] +[] process_prepared_discard_passdown_pt2+0x4b/0x90 [dm_thin_pool] +[] process_prepared+0x81/0xa0 [dm_thin_pool] +[] do_worker+0xc5/0x820 [dm_thin_pool] +[] ? __schedule+0x244/0x680 +[] ? pwq_activate_delayed_work+0x42/0xb0 +[] process_one_work+0x153/0x3f0 +[] worker_thread+0x12b/0x4b0 +[] ? rescuer_thread+0x350/0x350 +[] kthread+0xca/0xe0 +[] ? kthread_park+0x60/0x60 +[] ret_from_fork+0x25/0x30 + +The fix is to first take the block ref count for discarded block and +then do a passdown discard of this block. If block ref count fails, +then bail out aborting current metadata transaction, mark pool as +PM_READ_ONLY and also free current thin mapping memory (existing error +handling code) without queueing this thin mapping onto next stage of +processing. If block ref count succeeds, then passdown discard of this +block. Discard callback of passdown_endio() will queue this thin mapping +onto next stage of processing. + +Code flow with fix: +-> process_prepared_discard_passdown_pt1(m) + -> dm_thin_remove_range() + -> dm_pool_inc_data_range() + --> if fails, free memory m and bail out + -> discard passdown + --> passdown_endio(m) queues m onto next stage + +Reviewed-by: Eduardo Valentin +Reviewed-by: Cristian Gafton +Reviewed-by: Anchal Agarwal +Signed-off-by: Vallish Vaidyeshwara +Reviewed-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1095,6 +1095,19 @@ static void process_prepared_discard_pas + return; + } + ++ /* ++ * Increment the unmapped blocks. This prevents a race between the ++ * passdown io and reallocation of freed blocks. ++ */ ++ r = dm_pool_inc_data_range(pool->pmd, m->data_block, data_end); ++ if (r) { ++ metadata_operation_failed(pool, "dm_pool_inc_data_range", r); ++ bio_io_error(m->bio); ++ cell_defer_no_holder(tc, m->cell); ++ mempool_free(m, pool->mapping_pool); ++ return; ++ } ++ + discard_parent = bio_alloc(GFP_NOIO, 1); + if (!discard_parent) { + DMWARN("%s: unable to allocate top level discard bio for passdown. Skipping passdown.", +@@ -1115,19 +1128,6 @@ static void process_prepared_discard_pas + end_discard(&op, r); + } + } +- +- /* +- * Increment the unmapped blocks. This prevents a race between the +- * passdown io and reallocation of freed blocks. +- */ +- r = dm_pool_inc_data_range(pool->pmd, m->data_block, data_end); +- if (r) { +- metadata_operation_failed(pool, "dm_pool_inc_data_range", r); +- bio_io_error(m->bio); +- cell_defer_no_holder(tc, m->cell); +- mempool_free(m, pool->mapping_pool); +- return; +- } + } + + static void process_prepared_discard_passdown_pt2(struct dm_thin_new_mapping *m) diff --git a/queue-4.9/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch b/queue-4.9/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch new file mode 100644 index 00000000000..5309e48f8ee --- /dev/null +++ b/queue-4.9/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch @@ -0,0 +1,35 @@ +From 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a Mon Sep 17 00:00:00 2001 +From: Deepak Rawat +Date: Mon, 26 Jun 2017 14:39:08 +0200 +Subject: drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr + +From: Deepak Rawat + +commit 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a upstream. + +The hash table created during vmw_cmdbuf_res_man_create was +never freed. This causes memory leak in context creation. +Added the corresponding drm_ht_remove in vmw_cmdbuf_res_man_destroy. + +Tested for memory leak by running piglit overnight and kernel +memory is not inflated which earlier was. + +Signed-off-by: Deepak Rawat +Reviewed-by: Sinclair Yeh +Signed-off-by: Thomas Hellstrom +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -321,6 +321,7 @@ void vmw_cmdbuf_res_man_destroy(struct v + list_for_each_entry_safe(entry, next, &man->list, head) + vmw_cmdbuf_res_free(man, entry); + ++ drm_ht_remove(&man->resources); + kfree(man); + } + diff --git a/queue-4.9/gpiolib-fix-filtering-out-unwanted-events.patch b/queue-4.9/gpiolib-fix-filtering-out-unwanted-events.patch new file mode 100644 index 00000000000..132a0fcb7bf --- /dev/null +++ b/queue-4.9/gpiolib-fix-filtering-out-unwanted-events.patch @@ -0,0 +1,38 @@ +From ad537b822577fcc143325786cd6ad50d7b9df31c Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 23 Jun 2017 13:45:16 +0200 +Subject: gpiolib: fix filtering out unwanted events + +From: Bartosz Golaszewski + +commit ad537b822577fcc143325786cd6ad50d7b9df31c upstream. + +GPIOEVENT_REQUEST_BOTH_EDGES is not a single flag, but a binary OR of +GPIOEVENT_REQUEST_RISING_EDGE and GPIOEVENT_REQUEST_FALLING_EDGE. + +The expression 'le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES' we'll get +evaluated to true even if only one event type was requested. + +Fix it by checking both RISING & FALLING flags explicitly. + +Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events") +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -707,7 +707,8 @@ static irqreturn_t lineevent_irq_thread( + + ge.timestamp = ktime_get_real_ns(); + +- if (le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES) { ++ if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE ++ && le->eflags & GPIOEVENT_REQUEST_FALLING_EDGE) { + int level = gpiod_get_value_cansleep(le->desc); + + if (level) diff --git a/queue-4.9/mips-avoid-accidental-raw-backtrace.patch b/queue-4.9/mips-avoid-accidental-raw-backtrace.patch new file mode 100644 index 00000000000..14e0700676c --- /dev/null +++ b/queue-4.9/mips-avoid-accidental-raw-backtrace.patch @@ -0,0 +1,45 @@ +From 854236363370995a609a10b03e35fd3dc5e9e4a1 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 29 Jun 2017 15:05:04 +0100 +Subject: MIPS: Avoid accidental raw backtrace + +From: James Hogan + +commit 854236363370995a609a10b03e35fd3dc5e9e4a1 upstream. + +Since commit 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with +usermode") show_backtrace() invokes the raw backtracer when +cp0_status & ST0_KSU indicates user mode to fix issues on EVA kernels +where user and kernel address spaces overlap. + +However this is used by show_stack() which creates its own pt_regs on +the stack and leaves cp0_status uninitialised in most of the code paths. +This results in the non deterministic use of the raw back tracer +depending on the previous stack content. + +show_stack() deals exclusively with kernel mode stacks anyway, so +explicitly initialise regs.cp0_status to KSU_KERNEL (i.e. 0) to ensure +we get a useful backtrace. + +Fixes: 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with usermode") +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16656/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/traps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -199,6 +199,8 @@ void show_stack(struct task_struct *task + { + struct pt_regs regs; + mm_segment_t old_fs = get_fs(); ++ ++ regs.cp0_status = KSU_KERNEL; + if (sp) { + regs.regs[29] = (unsigned long)sp; + regs.regs[31] = 0; diff --git a/queue-4.9/mips-fix-irq-tracing-lockdep-when-rescheduling.patch b/queue-4.9/mips-fix-irq-tracing-lockdep-when-rescheduling.patch new file mode 100644 index 00000000000..6399c00a1b2 --- /dev/null +++ b/queue-4.9/mips-fix-irq-tracing-lockdep-when-rescheduling.patch @@ -0,0 +1,109 @@ +From d8550860d910c6b7b70f830f59003b33daaa52c9 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 3 Mar 2017 15:26:05 -0800 +Subject: MIPS: Fix IRQ tracing & lockdep when rescheduling + +From: Paul Burton + +commit d8550860d910c6b7b70f830f59003b33daaa52c9 upstream. + +When the scheduler sets TIF_NEED_RESCHED & we call into the scheduler +from arch/mips/kernel/entry.S we disable interrupts. This is true +regardless of whether we reach work_resched from syscall_exit_work, +resume_userspace or by looping after calling schedule(). Although we +disable interrupts in these paths we don't call trace_hardirqs_off() +before calling into C code which may acquire locks, and we therefore +leave lockdep with an inconsistent view of whether interrupts are +disabled or not when CONFIG_PROVE_LOCKING & CONFIG_DEBUG_LOCKDEP are +both enabled. + +Without tracing this interrupt state lockdep will print warnings such +as the following once a task returns from a syscall via +syscall_exit_partial with TIF_NEED_RESCHED set: + +[ 49.927678] ------------[ cut here ]------------ +[ 49.934445] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:3687 check_flags.part.41+0x1dc/0x1e8 +[ 49.946031] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled) +[ 49.946355] CPU: 0 PID: 1 Comm: init Not tainted 4.10.0-00439-gc9fd5d362289-dirty #197 +[ 49.963505] Stack : 0000000000000000 ffffffff81bb5d6a 0000000000000006 ffffffff801ce9c4 +[ 49.974431] 0000000000000000 0000000000000000 0000000000000000 000000000000004a +[ 49.985300] ffffffff80b7e487 ffffffff80a24498 a8000000ff160000 ffffffff80ede8b8 +[ 49.996194] 0000000000000001 0000000000000000 0000000000000000 0000000077c8030c +[ 50.007063] 000000007fd8a510 ffffffff801cd45c 0000000000000000 a8000000ff127c88 +[ 50.017945] 0000000000000000 ffffffff801cf928 0000000000000001 ffffffff80a24498 +[ 50.028827] 0000000000000000 0000000000000001 0000000000000000 0000000000000000 +[ 50.039688] 0000000000000000 a8000000ff127bd0 0000000000000000 ffffffff805509bc +[ 50.050575] 00000000140084e0 0000000000000000 0000000000000000 0000000000040a00 +[ 50.061448] 0000000000000000 ffffffff8010e1b0 0000000000000000 ffffffff805509bc +[ 50.072327] ... +[ 50.076087] Call Trace: +[ 50.079869] [] show_stack+0x80/0xa8 +[ 50.086577] [] dump_stack+0x10c/0x190 +[ 50.093498] [] __warn+0xf0/0x108 +[ 50.099889] [] warn_slowpath_fmt+0x3c/0x48 +[ 50.107241] [] check_flags.part.41+0x1dc/0x1e8 +[ 50.114961] [] lock_is_held_type+0x8c/0xb0 +[ 50.122291] [] __schedule+0x8c0/0x10f8 +[ 50.129221] [] schedule+0x30/0x98 +[ 50.135659] [] work_resched+0x8/0x34 +[ 50.142397] ---[ end trace 0cb4f6ef5b99fe21 ]--- +[ 50.148405] possible reason: unannotated irqs-off. +[ 50.154600] irq event stamp: 400463 +[ 50.159566] hardirqs last enabled at (400463): [] _raw_spin_unlock_irqrestore+0x40/0xa8 +[ 50.171981] hardirqs last disabled at (400462): [] _raw_spin_lock_irqsave+0x30/0xb0 +[ 50.183897] softirqs last enabled at (400450): [] __do_softirq+0x4ac/0x6a8 +[ 50.195015] softirqs last disabled at (400425): [] irq_exit+0x110/0x128 + +Fix this by using the TRACE_IRQS_OFF macro to call trace_hardirqs_off() +when CONFIG_TRACE_IRQFLAGS is enabled. This is done before invoking +schedule() following the work_resched label because: + + 1) Interrupts are disabled regardless of the path we take to reach + work_resched() & schedule(). + + 2) Performing the tracing here avoids the need to do it in paths which + disable interrupts but don't call out to C code before hitting a + path which uses the RESTORE_SOME macro that will call + trace_hardirqs_on() or trace_hardirqs_off() as appropriate. + +We call trace_hardirqs_on() using the TRACE_IRQS_ON macro before calling +syscall_trace_leave() for similar reasons, ensuring that lockdep has a +consistent view of state after we re-enable interrupts. + +Signed-off-by: Paul Burton +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15385/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/entry.S | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/mips/kernel/entry.S ++++ b/arch/mips/kernel/entry.S +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -137,6 +138,7 @@ work_pending: + andi t0, a2, _TIF_NEED_RESCHED # a2 is preloaded with TI_FLAGS + beqz t0, work_notifysig + work_resched: ++ TRACE_IRQS_OFF + jal schedule + + local_irq_disable # make sure need_resched and +@@ -173,6 +175,7 @@ syscall_exit_work: + beqz t0, work_pending # trace bit set? + local_irq_enable # could let syscall_trace_leave() + # call schedule() instead ++ TRACE_IRQS_ON + move a0, sp + jal syscall_trace_leave + b resume_userspace diff --git a/queue-4.9/mips-head-reorder-instructions-missing-a-delay-slot.patch b/queue-4.9/mips-head-reorder-instructions-missing-a-delay-slot.patch new file mode 100644 index 00000000000..324c38632b8 --- /dev/null +++ b/queue-4.9/mips-head-reorder-instructions-missing-a-delay-slot.patch @@ -0,0 +1,41 @@ +From 25d8b92e0af75d72ce8b99e63e5a449cc0888efa Mon Sep 17 00:00:00 2001 +From: Karl Beldan +Date: Tue, 27 Jun 2017 19:22:16 +0000 +Subject: MIPS: head: Reorder instructions missing a delay slot + +From: Karl Beldan + +commit 25d8b92e0af75d72ce8b99e63e5a449cc0888efa upstream. + +In this sequence the 'move' is assumed in the delay slot of the 'beq', +but head.S is in reorder mode and the former gets pushed one 'nop' +farther by the assembler. + +The corrected behavior made booting with an UHI supplied dtb erratic. + +Fixes: 15f37e158892 ("MIPS: store the appended dtb address in a variable") +Signed-off-by: Karl Beldan +Reviewed-by: James Hogan +Cc: Jonas Gorski +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16614/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/head.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/head.S ++++ b/arch/mips/kernel/head.S +@@ -106,8 +106,8 @@ NESTED(kernel_entry, 16, sp) # kernel + beq t0, t1, dtb_found + #endif + li t1, -2 +- beq a0, t1, dtb_found + move t2, a1 ++ beq a0, t1, dtb_found + + li t2, 0 + dtb_found: diff --git a/queue-4.9/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch b/queue-4.9/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch new file mode 100644 index 00000000000..61e8c5cb1f7 --- /dev/null +++ b/queue-4.9/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch @@ -0,0 +1,74 @@ +From 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 2 Mar 2017 14:02:40 -0800 +Subject: MIPS: pm-cps: Drop manual cache-line alignment of ready_count + +From: Paul Burton + +commit 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503 upstream. + +We allocate memory for a ready_count variable per-CPU, which is accessed +via a cached non-coherent TLB mapping to perform synchronisation between +threads within the core using LL/SC instructions. In order to ensure +that the variable is contained within its own data cache line we +allocate 2 lines worth of memory & align the resulting pointer to a line +boundary. This is however unnecessary, since kmalloc is guaranteed to +return memory which is at least cache-line aligned (see +ARCH_DMA_MINALIGN). Stop the redundant manual alignment. + +Besides cleaning up the code & avoiding needless work, this has the side +effect of avoiding an arithmetic error found by Bryan on 64 bit systems +due to the 32 bit size of the former dlinesz. This led the ready_count +variable to have its upper 32b cleared erroneously for MIPS64 kernels, +causing problems when ready_count was later used on MIPS64 via cpuidle. + +Signed-off-by: Paul Burton +Fixes: 3179d37ee1ed ("MIPS: pm-cps: add PM state entry code for CPS systems") +Reported-by: Bryan O'Donoghue +Reviewed-by: Bryan O'Donoghue +Tested-by: Bryan O'Donoghue +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15383/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/pm-cps.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/arch/mips/kernel/pm-cps.c ++++ b/arch/mips/kernel/pm-cps.c +@@ -56,7 +56,6 @@ DECLARE_BITMAP(state_support, CPS_PM_STA + * state. Actually per-core rather than per-CPU. + */ + static DEFINE_PER_CPU_ALIGNED(u32*, ready_count); +-static DEFINE_PER_CPU_ALIGNED(void*, ready_count_alloc); + + /* Indicates online CPUs coupled with the current CPU */ + static DEFINE_PER_CPU_ALIGNED(cpumask_t, online_coupled); +@@ -642,7 +641,6 @@ static int cps_pm_online_cpu(unsigned in + { + enum cps_pm_state state; + unsigned core = cpu_data[cpu].core; +- unsigned dlinesz = cpu_data[cpu].dcache.linesz; + void *entry_fn, *core_rc; + + for (state = CPS_PM_NC_WAIT; state < CPS_PM_STATE_COUNT; state++) { +@@ -662,16 +660,11 @@ static int cps_pm_online_cpu(unsigned in + } + + if (!per_cpu(ready_count, core)) { +- core_rc = kmalloc(dlinesz * 2, GFP_KERNEL); ++ core_rc = kmalloc(sizeof(u32), GFP_KERNEL); + if (!core_rc) { + pr_err("Failed allocate core %u ready_count\n", core); + return -ENOMEM; + } +- per_cpu(ready_count_alloc, core) = core_rc; +- +- /* Ensure ready_count is aligned to a cacheline boundary */ +- core_rc += dlinesz - 1; +- core_rc = (void *)((unsigned long)core_rc & ~(dlinesz - 1)); + per_cpu(ready_count, core) = core_rc; + } + diff --git a/queue-4.9/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch b/queue-4.9/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch new file mode 100644 index 00000000000..6c7a22fa5bd --- /dev/null +++ b/queue-4.9/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch @@ -0,0 +1,41 @@ +From bd171930e6a3de4f5cffdafbb944e50093dfb59b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 27 Jun 2017 17:33:38 -0400 +Subject: NFSv4.1: Fix a race in nfs4_proc_layoutget + +From: Trond Myklebust + +commit bd171930e6a3de4f5cffdafbb944e50093dfb59b upstream. + +If the task calling layoutget is signalled, then it is possible for the +calls to nfs4_sequence_free_slot() and nfs4_layoutget_prepare() to race, +in which case we leak a slot. +The fix is to move the call to nfs4_sequence_free_slot() into the +nfs4_layoutget_release() so that it gets called at task teardown time. + +Fixes: 2e80dbe7ac51 ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8429,6 +8429,7 @@ static void nfs4_layoutget_release(void + size_t max_pages = max_response_pages(server); + + dprintk("--> %s\n", __func__); ++ nfs4_sequence_free_slot(&lgp->res.seq_res); + nfs4_free_pages(lgp->args.layout.pages, max_pages); + pnfs_put_layout_hdr(NFS_I(inode)->layout); + put_nfs_open_context(lgp->args.ctx); +@@ -8503,7 +8504,6 @@ nfs4_proc_layoutget(struct nfs4_layoutge + /* if layoutp->len is 0, nfs4_layoutget_prepare called rpc_exit */ + if (status == 0 && lgp->res.layoutp->len) + lseg = pnfs_layout_process(lgp); +- nfs4_sequence_free_slot(&lgp->res.seq_res); + rpc_put_task(task); + dprintk("<-- %s status=%d\n", __func__, status); + if (status) diff --git a/queue-4.9/series b/queue-4.9/series index 85b89279bcc..e7cae7fe41e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -30,3 +30,13 @@ nfsv4.x-callback-create-the-callback-service-through-svc_create_pooled.patch xen-blkback-don-t-use-xen_blkif_get-in-xen-blkback-kthread.patch drm-ast-handle-configuration-without-p2a-bridge.patch mm-swap_cgroup-reschedule-when-neeed-in-swap_cgroup_swapoff.patch +mips-head-reorder-instructions-missing-a-delay-slot.patch +mips-avoid-accidental-raw-backtrace.patch +mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch +mips-fix-irq-tracing-lockdep-when-rescheduling.patch +alsa-hda-fix-endless-loop-of-codec-configure.patch +alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch +nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch +gpiolib-fix-filtering-out-unwanted-events.patch +drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch +dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch