From: Greg Kroah-Hartman Date: Sun, 12 Feb 2017 22:15:22 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.9.10~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a04c9128d5ba66328da0809d808167e7139634cb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch alsa-seq-fix-race-at-creating-a-queue.patch btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch ib-rxe-fix-mem_check_range-integer-overflow.patch ib-rxe-fix-resid-update.patch powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch revert-alsa-line6-only-determine-control-port-properties-if-needed.patch scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch x86-cpu-amd-bring-back-compute-unit-id.patch x86-cpu-amd-fix-zen-smt-topology.patch x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch --- diff --git a/queue-4.9/alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch b/queue-4.9/alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch new file mode 100644 index 00000000000..fd331e91cd8 --- /dev/null +++ b/queue-4.9/alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch @@ -0,0 +1,33 @@ +From af677166cf63c179dc2485053166e02c4aea01eb Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Thu, 9 Feb 2017 09:20:54 +0800 +Subject: ALSA: hda - adding a new NV HDMI/DP codec ID in the driver + +From: Hui Wang + +commit af677166cf63c179dc2485053166e02c4aea01eb upstream. + +Without this change, the HDMI/DP codec will be recognised as a +generic codec, and there is no sound when playing through this codec. + +As suggested by NVidia side, after adding the new ID in the driver, +the sound playing works well. + +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -3638,6 +3638,7 @@ HDA_CODEC_ENTRY(0x10de0070, "GPU 70 HDMI + HDA_CODEC_ENTRY(0x10de0071, "GPU 71 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de0072, "GPU 72 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de007d, "GPU 7d HDMI/DP", patch_nvhdmi), ++HDA_CODEC_ENTRY(0x10de0080, "GPU 80 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de0082, "GPU 82 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de0083, "GPU 83 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), diff --git a/queue-4.9/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch b/queue-4.9/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch new file mode 100644 index 00000000000..aa2c1f028c5 --- /dev/null +++ b/queue-4.9/alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch @@ -0,0 +1,54 @@ +From 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 6 Feb 2017 15:09:48 +0100 +Subject: ALSA: seq: Don't handle loop timeout at snd_seq_pool_done() + +From: Takashi Iwai + +commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream. + +snd_seq_pool_done() syncs with closing of all opened threads, but it +aborts the wait loop with a timeout, and proceeds to the release +resource even if not all threads have been closed. The timeout was 5 +seconds, and if you run a crazy stuff, it can exceed easily, and may +result in the access of the invalid memory address -- this is what +syzkaller detected in a bug report. + +As a fix, let the code graduate from naiveness, simply remove the loop +timeout. + +BugLink: http://lkml.kernel.org/r/CACT4Y+YdhDV2H5LLzDTJDVF-qiYHUHhtRaW4rbb4gUhTCQB81w@mail.gmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_memory.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_poo + { + unsigned long flags; + struct snd_seq_event_cell *ptr; +- int max_count = 5 * HZ; + + if (snd_BUG_ON(!pool)) + return -EINVAL; +@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_poo + if (waitqueue_active(&pool->output_sleep)) + wake_up(&pool->output_sleep); + +- while (atomic_read(&pool->counter) > 0) { +- if (max_count == 0) { +- pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter)); +- break; +- } ++ while (atomic_read(&pool->counter) > 0) + schedule_timeout_uninterruptible(1); +- max_count--; +- } + + /* release all resources */ + spin_lock_irqsave(&pool->lock, flags); diff --git a/queue-4.9/alsa-seq-fix-race-at-creating-a-queue.patch b/queue-4.9/alsa-seq-fix-race-at-creating-a-queue.patch new file mode 100644 index 00000000000..b84117d1e57 --- /dev/null +++ b/queue-4.9/alsa-seq-fix-race-at-creating-a-queue.patch @@ -0,0 +1,92 @@ +From 4842e98f26dd80be3623c4714a244ba52ea096a8 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 8 Feb 2017 12:35:39 +0100 +Subject: ALSA: seq: Fix race at creating a queue + +From: Takashi Iwai + +commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream. + +When a sequencer queue is created in snd_seq_queue_alloc(),it adds the +new queue element to the public list before referencing it. Thus the +queue might be deleted before the call of snd_seq_queue_use(), and it +results in the use-after-free error, as spotted by syzkaller. + +The fix is to reference the queue object at the right time. + +Reported-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++------------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void) + } + } + ++static void queue_use(struct snd_seq_queue *queue, int client, int use); ++ + /* allocate a new queue - + * return queue index value or negative value for error + */ +@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int + if (q == NULL) + return -ENOMEM; + q->info_flags = info_flags; ++ queue_use(q, client, 1); + if (queue_list_add(q) < 0) { + queue_delete(q); + return -ENOMEM; + } +- snd_seq_queue_use(q->queue, client, 1); /* use this queue */ + return q->queue; + } + +@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int qu + return result; + } + +- +-/* use or unuse this queue - +- * if it is the first client, starts the timer. +- * if it is not longer used by any clients, stop the timer. +- */ +-int snd_seq_queue_use(int queueid, int client, int use) ++/* use or unuse this queue */ ++static void queue_use(struct snd_seq_queue *queue, int client, int use) + { +- struct snd_seq_queue *queue; +- +- queue = queueptr(queueid); +- if (queue == NULL) +- return -EINVAL; +- mutex_lock(&queue->timer_mutex); + if (use) { + if (!test_and_set_bit(client, queue->clients_bitmap)) + queue->clients++; +@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int c + } else { + snd_seq_timer_close(queue); + } ++} ++ ++/* use or unuse this queue - ++ * if it is the first client, starts the timer. ++ * if it is not longer used by any clients, stop the timer. ++ */ ++int snd_seq_queue_use(int queueid, int client, int use) ++{ ++ struct snd_seq_queue *queue; ++ ++ queue = queueptr(queueid); ++ if (queue == NULL) ++ return -EINVAL; ++ mutex_lock(&queue->timer_mutex); ++ queue_use(queue, client, use); + mutex_unlock(&queue->timer_mutex); + queuefree(queue); + return 0; diff --git a/queue-4.9/btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch b/queue-4.9/btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch new file mode 100644 index 00000000000..b43d204f9cd --- /dev/null +++ b/queue-4.9/btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch @@ -0,0 +1,47 @@ +From 2a362249187a8d0f6d942d6e1d763d150a296f47 Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Mon, 6 Feb 2017 19:39:09 -0500 +Subject: btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls + +From: Jeff Mahoney + +commit 2a362249187a8d0f6d942d6e1d763d150a296f47 upstream. + +Commit 4c63c2454ef incorrectly assumed that returning -ENOIOCTLCMD would +cause the native ioctl to be called. The ->compat_ioctl callback is +expected to handle all ioctls, not just compat variants. As a result, +when using 32-bit userspace on 64-bit kernels, everything except those +three ioctls would return -ENOTTY. + +Fixes: 4c63c2454ef ("btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl") +Signed-off-by: Jeff Mahoney +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -5648,6 +5648,10 @@ long btrfs_ioctl(struct file *file, unsi + #ifdef CONFIG_COMPAT + long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { ++ /* ++ * These all access 32-bit values anyway so no further ++ * handling is necessary. ++ */ + switch (cmd) { + case FS_IOC32_GETFLAGS: + cmd = FS_IOC_GETFLAGS; +@@ -5658,8 +5662,6 @@ long btrfs_compat_ioctl(struct file *fil + case FS_IOC32_GETVERSION: + cmd = FS_IOC_GETVERSION; + break; +- default: +- return -ENOIOCTLCMD; + } + + return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg)); diff --git a/queue-4.9/ib-rxe-fix-mem_check_range-integer-overflow.patch b/queue-4.9/ib-rxe-fix-mem_check_range-integer-overflow.patch new file mode 100644 index 00000000000..41ff5c9c6fb --- /dev/null +++ b/queue-4.9/ib-rxe-fix-mem_check_range-integer-overflow.patch @@ -0,0 +1,39 @@ +From 647bf3d8a8e5777319da92af672289b2a6c4dc66 Mon Sep 17 00:00:00 2001 +From: Eyal Itkin +Date: Tue, 7 Feb 2017 16:45:19 +0300 +Subject: IB/rxe: Fix mem_check_range integer overflow + +From: Eyal Itkin + +commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream. + +Update the range check to avoid integer-overflow in edge case. +Resolves CVE 2016-8636. + +Signed-off-by: Eyal Itkin +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_mr.c ++++ b/drivers/infiniband/sw/rxe/rxe_mr.c +@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, + + case RXE_MEM_TYPE_MR: + case RXE_MEM_TYPE_FMR: +- return ((iova < mem->iova) || +- ((iova + length) > (mem->iova + mem->length))) ? +- -EFAULT : 0; ++ if (iova < mem->iova || ++ length > mem->length || ++ iova > mem->iova + mem->length - length) ++ return -EFAULT; ++ return 0; + + default: + return -EFAULT; diff --git a/queue-4.9/ib-rxe-fix-resid-update.patch b/queue-4.9/ib-rxe-fix-resid-update.patch new file mode 100644 index 00000000000..8d852d92226 --- /dev/null +++ b/queue-4.9/ib-rxe-fix-resid-update.patch @@ -0,0 +1,34 @@ +From 628f07d33c1f2e7bf31e0a4a988bb07914bd5e73 Mon Sep 17 00:00:00 2001 +From: Eyal Itkin +Date: Tue, 7 Feb 2017 16:43:05 +0300 +Subject: IB/rxe: Fix resid update + +From: Eyal Itkin + +commit 628f07d33c1f2e7bf31e0a4a988bb07914bd5e73 upstream. + +Update the response's resid field when larger than MTU, instead of only +updating the local resid variable. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Signed-off-by: Eyal Itkin +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -472,7 +472,7 @@ static enum resp_states check_rkey(struc + goto err2; + } + +- resid = mtu; ++ qp->resp.resid = mtu; + } else { + if (pktlen != resid) { + state = RESPST_ERR_LENGTH; diff --git a/queue-4.9/powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch b/queue-4.9/powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch new file mode 100644 index 00000000000..c760dade2de --- /dev/null +++ b/queue-4.9/powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch @@ -0,0 +1,48 @@ +From 90c1e3c2fafec57fcb55b5d69bcf293b1a5fc8b3 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Mon, 6 Feb 2017 13:05:16 +1100 +Subject: powerpc/mm/radix: Update ERAT flushes when invalidating TLB + +From: Benjamin Herrenschmidt + +commit 90c1e3c2fafec57fcb55b5d69bcf293b1a5fc8b3 upstream. + +Three tiny changes to the ERAT flushing logic: First don't make +it depend on DD1. It hasn't been decided yet but we might run +DD2 in a mode that also requires explicit flushes for performance +reasons so make it unconditional. We also add a missing isync, and +finally remove the flush from _tlbiel_va as it is only necessary +for congruence-class invalidations (PID, LPID and full TLB), not +targetted invalidations. + +Fixes: 96ed1fe511a8 ("powerpc/mm/radix: Invalidate ERAT on tlbiel for POWER9 DD1") +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/tlb-radix.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/arch/powerpc/mm/tlb-radix.c ++++ b/arch/powerpc/mm/tlb-radix.c +@@ -50,9 +50,7 @@ static inline void _tlbiel_pid(unsigned + for (set = 0; set < POWER9_TLB_SETS_RADIX ; set++) { + __tlbiel_pid(pid, set, ric); + } +- if (cpu_has_feature(CPU_FTR_POWER9_DD1)) +- asm volatile(PPC_INVALIDATE_ERAT : : :"memory"); +- return; ++ asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory"); + } + + static inline void _tlbie_pid(unsigned long pid, unsigned long ric) +@@ -85,8 +83,6 @@ static inline void _tlbiel_va(unsigned l + asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1) + : : "r"(rb), "i"(r), "i"(prs), "i"(ric), "r"(rs) : "memory"); + asm volatile("ptesync": : :"memory"); +- if (cpu_has_feature(CPU_FTR_POWER9_DD1)) +- asm volatile(PPC_INVALIDATE_ERAT : : :"memory"); + } + + static inline void _tlbie_va(unsigned long va, unsigned long pid, diff --git a/queue-4.9/powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch b/queue-4.9/powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch new file mode 100644 index 00000000000..0eec90a1dbb --- /dev/null +++ b/queue-4.9/powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch @@ -0,0 +1,125 @@ +From 9b256714979fad61ae11d90b53cf67dd5e6484eb Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Tue, 7 Feb 2017 11:35:31 +1100 +Subject: powerpc/powernv: Fix CPU hotplug to handle waking on HVI + +From: Benjamin Herrenschmidt + +commit 9b256714979fad61ae11d90b53cf67dd5e6484eb upstream. + +The IPIs come in as HVI not EE, so we need to test the appropriate +SRR1 bits. The encoding is such that it won't have false positives +on P7 and P8 so we can just test it like that. We also need to handle +the icp-opal variant of the flush. + +Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend") +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 3 ++- + arch/powerpc/include/asm/xics.h | 1 + + arch/powerpc/platforms/powernv/smp.c | 12 ++++++++++-- + arch/powerpc/sysdev/xics/icp-opal.c | 29 +++++++++++++++++++++++++++++ + 4 files changed, 42 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -641,9 +641,10 @@ + #define SRR1_ISI_N_OR_G 0x10000000 /* ISI: Access is no-exec or G */ + #define SRR1_ISI_PROT 0x08000000 /* ISI: Other protection fault */ + #define SRR1_WAKEMASK 0x00380000 /* reason for wakeup */ +-#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 */ ++#define SRR1_WAKEMASK_P8 0x003c0000 /* reason for wakeup on POWER8 and 9 */ + #define SRR1_WAKESYSERR 0x00300000 /* System error */ + #define SRR1_WAKEEE 0x00200000 /* External interrupt */ ++#define SRR1_WAKEHVI 0x00240000 /* Hypervisor Virtualization Interrupt (P9) */ + #define SRR1_WAKEMT 0x00280000 /* mtctrl */ + #define SRR1_WAKEHMI 0x00280000 /* Hypervisor maintenance */ + #define SRR1_WAKEDEC 0x00180000 /* Decrementer interrupt */ +--- a/arch/powerpc/include/asm/xics.h ++++ b/arch/powerpc/include/asm/xics.h +@@ -44,6 +44,7 @@ static inline int icp_hv_init(void) { re + + #ifdef CONFIG_PPC_POWERNV + extern int icp_opal_init(void); ++extern void icp_opal_flush_interrupt(void); + #else + static inline int icp_opal_init(void) { return -ENODEV; } + #endif +--- a/arch/powerpc/platforms/powernv/smp.c ++++ b/arch/powerpc/platforms/powernv/smp.c +@@ -155,8 +155,10 @@ static void pnv_smp_cpu_kill_self(void) + wmask = SRR1_WAKEMASK_P8; + + idle_states = pnv_get_supported_cpuidle_states(); ++ + /* We don't want to take decrementer interrupts while we are offline, +- * so clear LPCR:PECE1. We keep PECE2 enabled. ++ * so clear LPCR:PECE1. We keep PECE2 (and LPCR_PECE_HVEE on P9) ++ * enabled as to let IPIs in. + */ + mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) & ~(u64)LPCR_PECE1); + +@@ -206,8 +208,12 @@ static void pnv_smp_cpu_kill_self(void) + * contains 0. + */ + if (((srr1 & wmask) == SRR1_WAKEEE) || ++ ((srr1 & wmask) == SRR1_WAKEHVI) || + (local_paca->irq_happened & PACA_IRQ_EE)) { +- icp_native_flush_interrupt(); ++ if (cpu_has_feature(CPU_FTR_ARCH_300)) ++ icp_opal_flush_interrupt(); ++ else ++ icp_native_flush_interrupt(); + } else if ((srr1 & wmask) == SRR1_WAKEHDBELL) { + unsigned long msg = PPC_DBELL_TYPE(PPC_DBELL_SERVER); + asm volatile(PPC_MSGCLR(%0) : : "r" (msg)); +@@ -221,6 +227,8 @@ static void pnv_smp_cpu_kill_self(void) + if (srr1 && !generic_check_cpu_restart(cpu)) + DBG("CPU%d Unexpected exit while offline !\n", cpu); + } ++ ++ /* Re-enable decrementer interrupts */ + mtspr(SPRN_LPCR, mfspr(SPRN_LPCR) | LPCR_PECE1); + DBG("CPU%d coming online...\n", cpu); + } +--- a/arch/powerpc/sysdev/xics/icp-opal.c ++++ b/arch/powerpc/sysdev/xics/icp-opal.c +@@ -132,6 +132,35 @@ static irqreturn_t icp_opal_ipi_action(i + return smp_ipi_demux(); + } + ++/* ++ * Called when an interrupt is received on an off-line CPU to ++ * clear the interrupt, so that the CPU can go back to nap mode. ++ */ ++void icp_opal_flush_interrupt(void) ++{ ++ unsigned int xirr; ++ unsigned int vec; ++ ++ do { ++ xirr = icp_opal_get_xirr(); ++ vec = xirr & 0x00ffffff; ++ if (vec == XICS_IRQ_SPURIOUS) ++ break; ++ if (vec == XICS_IPI) { ++ /* Clear pending IPI */ ++ int cpu = smp_processor_id(); ++ kvmppc_set_host_ipi(cpu, 0); ++ opal_int_set_mfrr(get_hard_smp_processor_id(cpu), 0xff); ++ } else { ++ pr_err("XICS: hw interrupt 0x%x to offline cpu, " ++ "disabling\n", vec); ++ xics_mask_unknown_vec(vec); ++ } ++ ++ /* EOI the interrupt */ ++ } while (opal_int_eoi(xirr) > 0); ++} ++ + #endif /* CONFIG_SMP */ + + static const struct icp_ops icp_opal_ops = { diff --git a/queue-4.9/revert-alsa-line6-only-determine-control-port-properties-if-needed.patch b/queue-4.9/revert-alsa-line6-only-determine-control-port-properties-if-needed.patch new file mode 100644 index 00000000000..9eb40461c9a --- /dev/null +++ b/queue-4.9/revert-alsa-line6-only-determine-control-port-properties-if-needed.patch @@ -0,0 +1,39 @@ +From f3d83317a69e7d658e7c83e24f8b31ac533c39e3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 7 Feb 2017 09:32:30 +0100 +Subject: Revert "ALSA: line6: Only determine control port properties if needed" + +From: Takashi Iwai + +commit f3d83317a69e7d658e7c83e24f8b31ac533c39e3 upstream. + +This reverts commit f6a0dd107ad0c8b59d1c9735eea4b8cb9f460949. + +The commit caused a regression on LINE6 Transport that has no control +caps. Although reverting the commit may result back in a spurious +error message for some device again, it's the simplest regression fix, +hence it's taken as is at first. The further code fix will follow +later. + +Fixes: f6a0dd107ad0 ("ALSA: line6: Only determine control port properties if needed") +Reported-by: Igor Zinovev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -754,8 +754,9 @@ int line6_probe(struct usb_interface *in + goto error; + } + ++ line6_get_interval(line6); ++ + if (properties->capabilities & LINE6_CAP_CONTROL) { +- line6_get_interval(line6); + ret = line6_init_cap_control(line6); + if (ret < 0) + goto error; diff --git a/queue-4.9/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch b/queue-4.9/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch new file mode 100644 index 00000000000..bd2aefb6beb --- /dev/null +++ b/queue-4.9/scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch @@ -0,0 +1,44 @@ +From 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 Mon Sep 17 00:00:00 2001 +From: Dave Carroll +Date: Thu, 9 Feb 2017 11:04:47 -0700 +Subject: scsi: aacraid: Fix INTx/MSI-x issue with older controllers + +From: Dave Carroll + +commit 8af8e1c22f9994bb1849c01d66c24fe23f9bc9a0 upstream. + +commit 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang") + +caused a problem on older controllers which do not support MSI-x (namely +ASR3405,ASR3805). This patch conditionalizes the previous patch to +controllers which support MSI-x + +Fixes: 78cbccd3bd68 ("aacraid: Fix for KDUMP driver hang") +Reported-by: Arkadiusz Miskiewicz +Signed-off-by: Dave Carroll +Reviewed-by: Raghava Aditya Renukunta +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/comminit.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -50,9 +50,13 @@ struct aac_common aac_config = { + + static inline int aac_is_msix_mode(struct aac_dev *dev) + { +- u32 status; ++ u32 status = 0; + +- status = src_readl(dev, MUnit.OMR); ++ if (dev->pdev->device == PMC_DEVICE_S6 || ++ dev->pdev->device == PMC_DEVICE_S7 || ++ dev->pdev->device == PMC_DEVICE_S8) { ++ status = src_readl(dev, MUnit.OMR); ++ } + return (status & AAC_INT_MODE_MSIX); + } + diff --git a/queue-4.9/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch b/queue-4.9/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch new file mode 100644 index 00000000000..68984a483b9 --- /dev/null +++ b/queue-4.9/scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch @@ -0,0 +1,41 @@ +From ffdadd68af5a397b8a52289ab39d62e1acb39e63 Mon Sep 17 00:00:00 2001 +From: ojab +Date: Wed, 28 Dec 2016 11:05:24 +0000 +Subject: scsi: mpt3sas: disable ASPM for MPI2 controllers + +From: ojab + +commit ffdadd68af5a397b8a52289ab39d62e1acb39e63 upstream. + +MPI2 controllers sometimes got lost (i.e. disappear from +/sys/bus/pci/devices) if ASMP is enabled. + +Signed-off-by: Slava Kardakov +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60644 +Acked-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -8706,6 +8707,8 @@ _scsih_probe(struct pci_dev *pdev, const + + switch (hba_mpi_version) { + case MPI2_VERSION: ++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S | ++ PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM); + /* Use mpt2sas driver host template for SAS 2.0 HBA's */ + shost = scsi_host_alloc(&mpt2sas_driver_template, + sizeof(struct MPT3SAS_ADAPTER)); diff --git a/queue-4.9/scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch b/queue-4.9/scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch new file mode 100644 index 00000000000..b11722b6c54 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch @@ -0,0 +1,47 @@ +From 2780f3c8f0233de90b6b47a23fc422b7780c5436 Mon Sep 17 00:00:00 2001 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jan 2017 22:07:06 -0200 +Subject: scsi: qla2xxx: Avoid that issuing a LIP triggers a kernel crash + +From: Mauricio Faria de Oliveira + +commit 2780f3c8f0233de90b6b47a23fc422b7780c5436 upstream. + +Avoid that issuing a LIP as follows: + + find /sys -name 'issue_lip'|while read f; do echo 1 > $f; done + +triggers the following: + +BUG: unable to handle kernel NULL pointer dereference at (null) +Call Trace: + qla2x00_abort_all_cmds+0xed/0x140 [qla2xxx] + qla2x00_abort_isp_cleanup+0x1e3/0x280 [qla2xxx] + qla2x00_abort_isp+0xef/0x690 [qla2xxx] + qla2x00_do_dpc+0x36c/0x880 [qla2xxx] + kthread+0x10c/0x140 + +[mkp: consolidated Mauricio's and Bart's fixes] + +Signed-off-by: Mauricio Faria de Oliveira +Reported-by: Bart Van Assche +Fixes: 1535aa75a3d8 ("qla2xxx: fix invalid DMA access after command aborts in PCI device remove") +Cc: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1459,7 +1459,7 @@ qla2x00_abort_all_cmds(scsi_qla_host_t * + /* Don't abort commands in adapter during EEH + * recovery as it's not accessible/responding. + */ +- if (!ha->flags.eeh_busy) { ++ if (GET_CMD_SP(sp) && !ha->flags.eeh_busy) { + /* Get a reference to the sp and drop the lock. + * The reference ensures this sp->done() call + * - and not the call in qla2xxx_eh_abort() - diff --git a/queue-4.9/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch b/queue-4.9/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch new file mode 100644 index 00000000000..5bd34179caa --- /dev/null +++ b/queue-4.9/scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch @@ -0,0 +1,97 @@ +From 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Wed, 8 Feb 2017 15:34:22 +0100 +Subject: scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send + +From: Steffen Maier + +commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream. + +Dan Carpenter kindly reported: + +The patch d27a7cb91960: "zfcp: trace on request for open and close of +WKA port" from Aug 10, 2016, leads to the following static checker +warning: + + drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port() + warn: 'req' was already freed. + +drivers/s390/scsi/zfcp_fsf.c + 1609 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT); + 1610 retval = zfcp_fsf_req_send(req); + 1611 if (retval) + 1612 zfcp_fsf_req_free(req); + ^^^ +Freed. + + 1613 out: + 1614 spin_unlock_irq(&qdio->req_q_lock); + 1615 if (req && !IS_ERR(req)) + 1616 zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id); + ^^^^^^^^^^^ +Use after free. + + 1617 return retval; + 1618 } + +Same thing for zfcp_fsf_close_wka_port() as well. + + +Rather than relying on req being NULL (or ERR_PTR) for all cases where +we don't want to trace or should not trace, +simply check retval which is unconditionally initialized with -EIO != 0 +and it can only become 0 on successful retval = zfcp_fsf_req_send(req). +With that we can also remove the then again unnecessary unconditional +initialization of req which was introduced with that earlier commit. + +Reported-by: Dan Carpenter +Suggested-by: Benjamin Block +Signed-off-by: Steffen Maier +Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port") +Reviewed-by: Benjamin Block +Reviewed-by: Jens Remus +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_fsf.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/s390/scsi/zfcp_fsf.c ++++ b/drivers/s390/scsi/zfcp_fsf.c +@@ -1583,7 +1583,7 @@ out: + int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port) + { + struct zfcp_qdio *qdio = wka_port->adapter->qdio; +- struct zfcp_fsf_req *req = NULL; ++ struct zfcp_fsf_req *req; + int retval = -EIO; + + spin_lock_irq(&qdio->req_q_lock); +@@ -1612,7 +1612,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_f + zfcp_fsf_req_free(req); + out: + spin_unlock_irq(&qdio->req_q_lock); +- if (req && !IS_ERR(req)) ++ if (!retval) + zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id); + return retval; + } +@@ -1638,7 +1638,7 @@ static void zfcp_fsf_close_wka_port_hand + int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port) + { + struct zfcp_qdio *qdio = wka_port->adapter->qdio; +- struct zfcp_fsf_req *req = NULL; ++ struct zfcp_fsf_req *req; + int retval = -EIO; + + spin_lock_irq(&qdio->req_q_lock); +@@ -1667,7 +1667,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_ + zfcp_fsf_req_free(req); + out: + spin_unlock_irq(&qdio->req_q_lock); +- if (req && !IS_ERR(req)) ++ if (!retval) + zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id); + return retval; + } diff --git a/queue-4.9/series b/queue-4.9/series index 66232400bc0..cc0c8ccd9e2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -37,3 +37,21 @@ drivers-hv-vmbus-base-host-signaling-strictly-on-the-ring-state.patch drivers-hv-vmbus-on-write-cleanup-the-logic-to-interrupt-the-host.patch drivers-hv-vmbus-on-the-read-path-cleanup-the-logic-to-interrupt-the-host.patch drivers-hv-vmbus-finally-fix-hv_need_to_signal_on_read.patch +scsi-zfcp-fix-use-after-free-by-not-tracing-wka-port-open-close-on-failed-send.patch +scsi-aacraid-fix-intx-msi-x-issue-with-older-controllers.patch +scsi-mpt3sas-disable-aspm-for-mpi2-controllers.patch +scsi-qla2xxx-avoid-that-issuing-a-lip-triggers-a-kernel-crash.patch +btrfs-fix-btrfs_compat_ioctl-failures-on-non-compat-ioctls.patch +tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch +powerpc-mm-radix-update-erat-flushes-when-invalidating-tlb.patch +powerpc-powernv-fix-cpu-hotplug-to-handle-waking-on-hvi.patch +xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch +alsa-hda-adding-a-new-nv-hdmi-dp-codec-id-in-the-driver.patch +alsa-seq-fix-race-at-creating-a-queue.patch +alsa-seq-don-t-handle-loop-timeout-at-snd_seq_pool_done.patch +revert-alsa-line6-only-determine-control-port-properties-if-needed.patch +x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch +x86-cpu-amd-bring-back-compute-unit-id.patch +x86-cpu-amd-fix-zen-smt-topology.patch +ib-rxe-fix-resid-update.patch +ib-rxe-fix-mem_check_range-integer-overflow.patch diff --git a/queue-4.9/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch b/queue-4.9/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch new file mode 100644 index 00000000000..0e89b4ae148 --- /dev/null +++ b/queue-4.9/tick-nohz-fix-possible-missing-clock-reprog-after-tick-soft-restart.patch @@ -0,0 +1,56 @@ +From 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Tue, 7 Feb 2017 17:44:54 +0100 +Subject: tick/nohz: Fix possible missing clock reprog after tick soft restart + +From: Frederic Weisbecker + +commit 7bdb59f1ad474bd7161adc8f923cdef10f2638d1 upstream. + +ts->next_tick keeps track of the next tick deadline in order to optimize +clock programmation on irq exit and avoid redundant clock device writes. + +Now if ts->next_tick missed an update, we may spuriously miss a clock +reprog later as the nohz code is fooled by an obsolete next_tick value. + +This is what happens here on a specific path: when we observe an +expired timer from the nohz update code on irq exit, we perform a soft +tick restart which simply fires the closest possible tick without +actually exiting the nohz mode and restoring a periodic state. But we +forget to update ts->next_tick accordingly. + +As a result, after the next tick resulting from such soft tick restart, +the nohz code sees a stale value on ts->next_tick which doesn't match +the clock deadline that just expired. If that obsolete ts->next_tick +value happens to collide with the actual next tick deadline to be +scheduled, we may spuriously bypass the clock reprogramming. In the +worst case, the tick may never fire again. + +Fix this with a ts->next_tick reset on soft tick restart. + +Signed-off-by: Frederic Weisbecker +Reviewed: Wanpeng Li +Acked-by: Rik van Riel +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1486485894-29173-1-git-send-email-fweisbec@gmail.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/tick-sched.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -730,6 +730,11 @@ static ktime_t tick_nohz_stop_sched_tick + */ + if (delta == 0) { + tick_nohz_restart(ts, now); ++ /* ++ * Make sure next tick stop doesn't get fooled by past ++ * clock deadline ++ */ ++ ts->next_tick = 0; + goto out; + } + } diff --git a/queue-4.9/x86-cpu-amd-bring-back-compute-unit-id.patch b/queue-4.9/x86-cpu-amd-bring-back-compute-unit-id.patch new file mode 100644 index 00000000000..fe7b631126b --- /dev/null +++ b/queue-4.9/x86-cpu-amd-bring-back-compute-unit-id.patch @@ -0,0 +1,109 @@ +From 79a8b9aa388b0620cc1d525d7c0f0d9a8a85e08e Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sun, 5 Feb 2017 11:50:21 +0100 +Subject: x86/CPU/AMD: Bring back Compute Unit ID + +From: Borislav Petkov + +commit 79a8b9aa388b0620cc1d525d7c0f0d9a8a85e08e upstream. + +Commit: + + a33d331761bc ("x86/CPU/AMD: Fix Bulldozer topology") + +restored the initial approach we had with the Fam15h topology of +enumerating CU (Compute Unit) threads as cores. And this is still +correct - they're beefier than HT threads but still have some +shared functionality. + +Our current approach has a problem with the Mad Max Steam game, for +example. Yves Dionne reported a certain "choppiness" while playing on +v4.9.5. + +That problem stems most likely from the fact that the CU threads share +resources within one CU and when we schedule to a thread of a different +compute unit, this incurs latency due to migrating the working set to a +different CU through the caches. + +When the thread siblings mask mirrors that aspect of the CUs and +threads, the scheduler pays attention to it and tries to schedule within +one CU first. Which takes care of the latency, of course. + +Reported-by: Yves Dionne +Signed-off-by: Borislav Petkov +Cc: Brice Goglin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Yazen Ghannam +Link: http://lkml.kernel.org/r/20170205105022.8705-1-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/processor.h | 1 + + arch/x86/kernel/cpu/amd.c | 9 ++++++++- + arch/x86/kernel/cpu/common.c | 1 + + arch/x86/kernel/smpboot.c | 12 +++++++++--- + 4 files changed, 19 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -104,6 +104,7 @@ struct cpuinfo_x86 { + __u8 x86_phys_bits; + /* CPUID returned core id bits: */ + __u8 x86_coreid_bits; ++ __u8 cu_id; + /* Max extended CPUID function supported: */ + __u32 extended_cpuid_level; + /* Maximum supported CPUID level, -1=no CPUID: */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -309,8 +309,15 @@ static void amd_get_topology(struct cpui + + /* get information required for multi-node processors */ + if (boot_cpu_has(X86_FEATURE_TOPOEXT)) { ++ u32 eax, ebx, ecx, edx; + +- node_id = cpuid_ecx(0x8000001e) & 7; ++ cpuid(0x8000001e, &eax, &ebx, &ecx, &edx); ++ ++ node_id = ecx & 0xff; ++ smp_num_siblings = ((ebx >> 8) & 0xff) + 1; ++ ++ if (c->x86 == 0x15) ++ c->cu_id = ebx & 0xff; + + /* + * We may have multiple LLCs if L3 caches exist, so check if we +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1015,6 +1015,7 @@ static void identify_cpu(struct cpuinfo_ + c->x86_model_id[0] = '\0'; /* Unset */ + c->x86_max_cores = 1; + c->x86_coreid_bits = 0; ++ c->cu_id = 0xff; + #ifdef CONFIG_X86_64 + c->x86_clflush_size = 64; + c->x86_phys_bits = 36; +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -423,9 +423,15 @@ static bool match_smt(struct cpuinfo_x86 + int cpu1 = c->cpu_index, cpu2 = o->cpu_index; + + if (c->phys_proc_id == o->phys_proc_id && +- per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2) && +- c->cpu_core_id == o->cpu_core_id) +- return topology_sane(c, o, "smt"); ++ per_cpu(cpu_llc_id, cpu1) == per_cpu(cpu_llc_id, cpu2)) { ++ if (c->cpu_core_id == o->cpu_core_id) ++ return topology_sane(c, o, "smt"); ++ ++ if ((c->cu_id != 0xff) && ++ (o->cu_id != 0xff) && ++ (c->cu_id == o->cu_id)) ++ return topology_sane(c, o, "smt"); ++ } + + } else if (c->phys_proc_id == o->phys_proc_id && + c->cpu_core_id == o->cpu_core_id) { diff --git a/queue-4.9/x86-cpu-amd-fix-zen-smt-topology.patch b/queue-4.9/x86-cpu-amd-fix-zen-smt-topology.patch new file mode 100644 index 00000000000..12b2d891945 --- /dev/null +++ b/queue-4.9/x86-cpu-amd-fix-zen-smt-topology.patch @@ -0,0 +1,49 @@ +From 08b259631b5a1d912af4832847b5642f377d9101 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Sun, 5 Feb 2017 11:50:22 +0100 +Subject: x86/CPU/AMD: Fix Zen SMT topology + +From: Yazen Ghannam + +commit 08b259631b5a1d912af4832847b5642f377d9101 upstream. + +After: + + a33d331761bc ("x86/CPU/AMD: Fix Bulldozer topology") + +our SMT scheduling topology for Fam17h systems is broken, because +the ThreadId is included in the ApicId when SMT is enabled. + +So, without further decoding cpu_core_id is unique for each thread +rather than the same for threads on the same core. This didn't affect +systems with SMT disabled. Make cpu_core_id be what it is defined to be. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170205105022.8705-2-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/amd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -319,6 +319,13 @@ static void amd_get_topology(struct cpui + if (c->x86 == 0x15) + c->cu_id = ebx & 0xff; + ++ if (c->x86 >= 0x17) { ++ c->cpu_core_id = ebx & 0xff; ++ ++ if (smp_num_siblings > 1) ++ c->x86_max_cores /= smp_num_siblings; ++ } ++ + /* + * We may have multiple LLCs if L3 caches exist, so check if we + * have an L3 cache by looking at the L3 cache CPUID leaf. diff --git a/queue-4.9/x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch b/queue-4.9/x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch new file mode 100644 index 00000000000..cbdef3bb0a7 --- /dev/null +++ b/queue-4.9/x86-mm-ptdump-fix-soft-lockup-in-page-table-walker.patch @@ -0,0 +1,60 @@ +From 146fbb766934dc003fcbf755b519acef683576bf Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Fri, 10 Feb 2017 12:54:05 +0300 +Subject: x86/mm/ptdump: Fix soft lockup in page table walker + +From: Andrey Ryabinin + +commit 146fbb766934dc003fcbf755b519acef683576bf upstream. + +CONFIG_KASAN=y needs a lot of virtual memory mapped for its shadow. +In that case ptdump_walk_pgd_level_core() takes a lot of time to +walk across all page tables and doing this without +a rescheduling causes soft lockups: + + NMI watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [swapper/0:1] + ... + Call Trace: + ptdump_walk_pgd_level_core+0x40c/0x550 + ptdump_walk_pgd_level_checkwx+0x17/0x20 + mark_rodata_ro+0x13b/0x150 + kernel_init+0x2f/0x120 + ret_from_fork+0x2c/0x40 + +I guess that this issue might arise even without KASAN on huge machines +with several terabytes of RAM. + +Stick cond_resched() in pgd loop to fix this. + +Reported-by: Tobias Regnery +Signed-off-by: Andrey Ryabinin +Cc: kasan-dev@googlegroups.com +Cc: Alexander Potapenko +Cc: "Paul E . McKenney" +Cc: Dmitry Vyukov +Link: http://lkml.kernel.org/r/20170210095405.31802-1-aryabinin@virtuozzo.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/dump_pagetables.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/mm/dump_pagetables.c ++++ b/arch/x86/mm/dump_pagetables.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -406,6 +407,7 @@ static void ptdump_walk_pgd_level_core(s + } else + note_page(m, &st, __pgprot(0), 1); + ++ cond_resched(); + start++; + } + diff --git a/queue-4.9/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch b/queue-4.9/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch new file mode 100644 index 00000000000..52b22445269 --- /dev/null +++ b/queue-4.9/xen-netfront-delete-rx_refill_timer-in-xennet_disconnect_backend.patch @@ -0,0 +1,42 @@ +From 74470954857c264168d2b5a113904cf0cfd27d18 Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Mon, 30 Jan 2017 12:45:46 -0500 +Subject: xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() + +From: Boris Ostrovsky + +commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream. + +rx_refill_timer should be deleted as soon as we disconnect from the +backend since otherwise it is possible for the timer to go off before +we get to xennet_destroy_queues(). If this happens we may dereference +queue->rx.sring which is set to NULL in xennet_disconnect_backend(). + +Signed-off-by: Boris Ostrovsky +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1397,6 +1397,8 @@ static void xennet_disconnect_backend(st + for (i = 0; i < num_queues && info->queues; ++i) { + struct netfront_queue *queue = &info->queues[i]; + ++ del_timer_sync(&queue->rx_refill_timer); ++ + if (queue->tx_irq && (queue->tx_irq == queue->rx_irq)) + unbind_from_irqhandler(queue->tx_irq, queue); + if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) { +@@ -1751,7 +1753,6 @@ static void xennet_destroy_queues(struct + + if (netif_running(info->netdev)) + napi_disable(&queue->napi); +- del_timer_sync(&queue->rx_refill_timer); + netif_napi_del(&queue->napi); + } +