From: Greg Kroah-Hartman Date: Mon, 4 Dec 2017 10:52:23 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.86~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a89393f7deaa01e99b185ff71a0ea636cfe53e41;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch apparmor-fix-oops-in-audit_signal_cb-hook.patch arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch bcache-fix-building-error-on-mips.patch bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch bcache-recover-data-from-backing-when-data-is-clean.patch btrfs-clear-space-cache-inode-generation-always.patch crypto-af_alg-remove-locking-in-async-callback.patch crypto-algif_aead-skip-sgl-entries-with-null-page.patch crypto-skcipher-fix-skcipher_walk_aead_common.patch cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch eeprom-at24-check-at24_read-write-arguments.patch eeprom-at24-correctly-set-the-size-for-at24mac402.patch eeprom-at24-fix-reading-from-24mac402-24mac602.patch i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch kvm-lapic-fixup-ldr-on-load-in-x2apic.patch kvm-lapic-split-out-x2apic-ldr-calculation.patch kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch mmc-block-check-return-value-of-blk_get_request.patch mmc-block-ensure-that-debugfs-files-are-removed.patch mmc-block-fix-missing-blk_put_request.patch mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch mmc-sdhci-avoid-swiotlb-buffer-being-full.patch nfsd-fix-another-open-stateid-race.patch nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch nfsd-fix-stateid-races-between-open-and-close.patch omapdrm-hdmi4-correct-the-soc-revision-matching.patch powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch s390-revert-elf_et_dyn_base-base-changes.patch --- diff --git a/queue-4.14/acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch b/queue-4.14/acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch new file mode 100644 index 00000000000..0f6fb98de66 --- /dev/null +++ b/queue-4.14/acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch @@ -0,0 +1,236 @@ +From a64a62ce9a380213dc9e192f762266d70c9b40ec Mon Sep 17 00:00:00 2001 +From: Lv Zheng +Date: Tue, 26 Sep 2017 16:54:09 +0800 +Subject: ACPI / EC: Fix regression related to PM ops support in ECDT device + +From: Lv Zheng + +commit a64a62ce9a380213dc9e192f762266d70c9b40ec upstream. + +On platforms (ASUS X550ZE and possibly all ASUS X series) with valid ECDT +EC but invalid DSDT EC, EC PM ops won't be invoked as ECDT EC is not an +ACPI device. Thus the following commit actually removed post-resume +acpi_ec_enable_event() invocation for such platforms, and triggered a +regression on them that after being resumed, EC (actually should be ECDT) +driver stops handling EC events: + + Commit: c2b46d679b30c5c0d7eb47a21085943242bdd8dc + Subject: ACPI / EC: Add PM operations to improve event handling for resume process + +Notice that the root cause actually is "ECDT is not an ACPI device" rather +than "the timing of acpi_ec_enable_event() invocation", this patch fixes +this issue by enumerating ECDT EC as an ACPI device. Due to the existence +of the noirq stage, the ability of tuning the timing of +acpi_ec_enable_event() invocation is still meaningful. + +This patch is a little bit different from the posted fix by moving +acpi_config_boot_ec() from acpi_ec_ecdt_start() to acpi_ec_add() to make +sure that EC event handling won't be stopped as long as the ACPI EC driver +is bound. Thus the following sequence shouldn't disable EC event handling: +unbind,suspend,resume,bind. + +Fixes: c2b46d679b30 (ACPI / EC: Add PM operations to improve event handling for resume process) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=196847 +Reported-by: Luya Tshimbalanga +Tested-by: Luya Tshimbalanga +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 69 ++++++++++++++++++++++++++++---------------- + drivers/acpi/internal.h | 1 + drivers/acpi/scan.c | 21 +++++++++++++ + include/acpi/acpi_bus.h | 1 + include/acpi/acpi_drivers.h | 1 + 5 files changed, 69 insertions(+), 24 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1597,32 +1597,41 @@ static int acpi_ec_add(struct acpi_devic + { + struct acpi_ec *ec = NULL; + int ret; ++ bool is_ecdt = false; ++ acpi_status status; + + strcpy(acpi_device_name(device), ACPI_EC_DEVICE_NAME); + strcpy(acpi_device_class(device), ACPI_EC_CLASS); + +- ec = acpi_ec_alloc(); +- if (!ec) +- return -ENOMEM; +- if (ec_parse_device(device->handle, 0, ec, NULL) != +- AE_CTRL_TERMINATE) { ++ if (!strcmp(acpi_device_hid(device), ACPI_ECDT_HID)) { ++ is_ecdt = true; ++ ec = boot_ec; ++ } else { ++ ec = acpi_ec_alloc(); ++ if (!ec) ++ return -ENOMEM; ++ status = ec_parse_device(device->handle, 0, ec, NULL); ++ if (status != AE_CTRL_TERMINATE) { + ret = -EINVAL; + goto err_alloc; ++ } + } + + if (acpi_is_boot_ec(ec)) { +- boot_ec_is_ecdt = false; +- /* +- * Trust PNP0C09 namespace location rather than ECDT ID. +- * +- * But trust ECDT GPE rather than _GPE because of ASUS quirks, +- * so do not change boot_ec->gpe to ec->gpe. +- */ +- boot_ec->handle = ec->handle; +- acpi_handle_debug(ec->handle, "duplicated.\n"); +- acpi_ec_free(ec); +- ec = boot_ec; +- ret = acpi_config_boot_ec(ec, ec->handle, true, false); ++ boot_ec_is_ecdt = is_ecdt; ++ if (!is_ecdt) { ++ /* ++ * Trust PNP0C09 namespace location rather than ++ * ECDT ID. But trust ECDT GPE rather than _GPE ++ * because of ASUS quirks, so do not change ++ * boot_ec->gpe to ec->gpe. ++ */ ++ boot_ec->handle = ec->handle; ++ acpi_handle_debug(ec->handle, "duplicated.\n"); ++ acpi_ec_free(ec); ++ ec = boot_ec; ++ } ++ ret = acpi_config_boot_ec(ec, ec->handle, true, is_ecdt); + } else + ret = acpi_ec_setup(ec, true); + if (ret) +@@ -1635,8 +1644,10 @@ static int acpi_ec_add(struct acpi_devic + ret = !!request_region(ec->command_addr, 1, "EC cmd"); + WARN(!ret, "Could not request EC cmd io port 0x%lx", ec->command_addr); + +- /* Reprobe devices depending on the EC */ +- acpi_walk_dep_device_list(ec->handle); ++ if (!is_ecdt) { ++ /* Reprobe devices depending on the EC */ ++ acpi_walk_dep_device_list(ec->handle); ++ } + acpi_handle_debug(ec->handle, "enumerated.\n"); + return 0; + +@@ -1692,6 +1703,7 @@ ec_parse_io_ports(struct acpi_resource * + + static const struct acpi_device_id ec_device_ids[] = { + {"PNP0C09", 0}, ++ {ACPI_ECDT_HID, 0}, + {"", 0}, + }; + +@@ -1764,11 +1776,14 @@ static int __init acpi_ec_ecdt_start(voi + * Note: ec->handle can be valid if this function is called after + * acpi_ec_add(), hence the fast path. + */ +- if (boot_ec->handle != ACPI_ROOT_OBJECT) +- handle = boot_ec->handle; +- else if (!acpi_ec_ecdt_get_handle(&handle)) +- return -ENODEV; +- return acpi_config_boot_ec(boot_ec, handle, true, true); ++ if (boot_ec->handle == ACPI_ROOT_OBJECT) { ++ if (!acpi_ec_ecdt_get_handle(&handle)) ++ return -ENODEV; ++ boot_ec->handle = handle; ++ } ++ ++ /* Register to ACPI bus with PM ops attached */ ++ return acpi_bus_register_early_device(ACPI_BUS_TYPE_ECDT_EC); + } + + #if 0 +@@ -2020,6 +2035,12 @@ int __init acpi_ec_init(void) + + /* Drivers must be started after acpi_ec_query_init() */ + dsdt_fail = acpi_bus_register_driver(&acpi_ec_driver); ++ /* ++ * Register ECDT to ACPI bus only when PNP0C09 probe fails. This is ++ * useful for platforms (confirmed on ASUS X550ZE) with valid ECDT ++ * settings but invalid DSDT settings. ++ * https://bugzilla.kernel.org/show_bug.cgi?id=196847 ++ */ + ecdt_fail = acpi_ec_ecdt_start(); + return ecdt_fail && dsdt_fail ? -ENODEV : 0; + } +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -115,6 +115,7 @@ bool acpi_device_is_present(const struct + bool acpi_device_is_battery(struct acpi_device *adev); + bool acpi_device_is_first_physical_node(struct acpi_device *adev, + const struct device *dev); ++int acpi_bus_register_early_device(int type); + + /* -------------------------------------------------------------------------- + Device Matching and Notification +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1024,6 +1024,9 @@ static void acpi_device_get_busid(struct + case ACPI_BUS_TYPE_SLEEP_BUTTON: + strcpy(device->pnp.bus_id, "SLPF"); + break; ++ case ACPI_BUS_TYPE_ECDT_EC: ++ strcpy(device->pnp.bus_id, "ECDT"); ++ break; + default: + acpi_get_name(device->handle, ACPI_SINGLE_NAME, &buffer); + /* Clean up trailing underscores (if any) */ +@@ -1304,6 +1307,9 @@ static void acpi_set_pnp_ids(acpi_handle + case ACPI_BUS_TYPE_SLEEP_BUTTON: + acpi_add_id(pnp, ACPI_BUTTON_HID_SLEEPF); + break; ++ case ACPI_BUS_TYPE_ECDT_EC: ++ acpi_add_id(pnp, ACPI_ECDT_HID); ++ break; + } + } + +@@ -2049,6 +2055,21 @@ void acpi_bus_trim(struct acpi_device *a + } + EXPORT_SYMBOL_GPL(acpi_bus_trim); + ++int acpi_bus_register_early_device(int type) ++{ ++ struct acpi_device *device = NULL; ++ int result; ++ ++ result = acpi_add_single_object(&device, NULL, ++ type, ACPI_STA_DEFAULT); ++ if (result) ++ return result; ++ ++ device->flags.match_driver = true; ++ return device_attach(&device->dev); ++} ++EXPORT_SYMBOL_GPL(acpi_bus_register_early_device); ++ + static int acpi_bus_scan_fixed(void) + { + int result = 0; +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -105,6 +105,7 @@ enum acpi_bus_device_type { + ACPI_BUS_TYPE_THERMAL, + ACPI_BUS_TYPE_POWER_BUTTON, + ACPI_BUS_TYPE_SLEEP_BUTTON, ++ ACPI_BUS_TYPE_ECDT_EC, + ACPI_BUS_DEVICE_TYPE_COUNT + }; + +--- a/include/acpi/acpi_drivers.h ++++ b/include/acpi/acpi_drivers.h +@@ -58,6 +58,7 @@ + #define ACPI_VIDEO_HID "LNXVIDEO" + #define ACPI_BAY_HID "LNXIOBAY" + #define ACPI_DOCK_HID "LNXDOCK" ++#define ACPI_ECDT_HID "LNXEC" + /* Quirk for broken IBM BIOSes */ + #define ACPI_SMBUS_IBM_HID "SMBUSIBM" + diff --git a/queue-4.14/apparmor-fix-oops-in-audit_signal_cb-hook.patch b/queue-4.14/apparmor-fix-oops-in-audit_signal_cb-hook.patch new file mode 100644 index 00000000000..4e6668d96cd --- /dev/null +++ b/queue-4.14/apparmor-fix-oops-in-audit_signal_cb-hook.patch @@ -0,0 +1,137 @@ +From b12cbb21586277f72533769832c24cc6c1d60ab3 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Wed, 22 Nov 2017 07:33:38 -0800 +Subject: apparmor: fix oops in audit_signal_cb hook + +From: John Johansen + +commit b12cbb21586277f72533769832c24cc6c1d60ab3 upstream. + +The apparmor_audit_data struct ordering got messed up during a merge +conflict, resulting in the signal integer and peer pointer being in +a union instead of a struct. + +For most of the 4.13 and 4.14 life cycle, this was hidden by +commit 651e28c5537a ("apparmor: add base infastructure for socket +mediation") which fixed the apparmor_audit_data struct when its data +was added. When that commit was reverted in -rc7 the signal audit bug +was exposed, and unfortunately it never showed up in any of the +testing until after 4.14 was released. Shaun Khan, Zephaniah +E. Loss-Cutler-Hull filed nearly simultaneous bug reports (with +different oopes, the smaller of which is included below). + +Full credit goes to Tetsuo Handa for jumping on this as well and +noticing the audit data struct problem and reporting it. + +[ 76.178568] BUG: unable to handle kernel paging request at +ffffffff0eee3bc0 +[ 76.178579] IP: audit_signal_cb+0x6c/0xe0 +[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0 +[ 76.178586] Oops: 0000 [#1] PREEMPT SMP +[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb +btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables +xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack +iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw +iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher +nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel +[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted +4.14.0-f1-dirty #135 +[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio +9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015 +[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000 +[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0 +[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292 +[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX: +0000000000000000 +[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: +ffff9c7a9493d800 +[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09: +ffffa09b02a4fc46 +[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12: +ffffa09b02a4fd40 +[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15: +0000000000000001 +[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000) +knlGS:0000000000000000 +[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4: +00000000001606f0 +[ 76.178652] Call Trace: +[ 76.178660] common_lsm_audit+0x1da/0x780 +[ 76.178665] ? d_absolute_path+0x60/0x90 +[ 76.178669] ? aa_check_perms+0xcd/0xe0 +[ 76.178672] aa_check_perms+0xcd/0xe0 +[ 76.178675] profile_signal_perm.part.0+0x90/0xa0 +[ 76.178679] aa_may_signal+0x16e/0x1b0 +[ 76.178686] apparmor_task_kill+0x51/0x120 +[ 76.178690] security_task_kill+0x44/0x60 +[ 76.178695] group_send_sig_info+0x25/0x60 +[ 76.178699] kill_pid_info+0x36/0x60 +[ 76.178703] SYSC_kill+0xdb/0x180 +[ 76.178707] ? preempt_count_sub+0x92/0xd0 +[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30 +[ 76.178716] ? task_work_run+0x6a/0x90 +[ 76.178720] ? exit_to_usermode_loop+0x80/0xa0 +[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94 +[ 76.178727] RIP: 0033:0x7f8b0e58b767 +[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX: +000000000000003e +[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX: +00007f8b0e58b767 +[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI: +000000000000263b +[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09: +0000000000000001 +[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12: +0000000000000000 +[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15: +0000000000000000 +[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b +42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd +00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35 +[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08 +[ 76.178796] CR2: ffffffff0eee3bc0 +[ 76.178799] ---[ end trace 514af9529297f1a3 ]--- + +Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") +Reported-by: Zephaniah E. Loss-Cutler-Hull +Reported-by: Shuah Khan +Suggested-by: Tetsuo Handa +Tested-by: Ivan Kozik +Tested-by: Zephaniah E. Loss-Cutler-Hull +Tested-by: Christian Boltz +Tested-by: Shuah Khan +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/include/audit.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -121,17 +121,19 @@ struct apparmor_audit_data { + /* these entries require a custom callback fn */ + struct { + struct aa_label *peer; +- struct { +- const char *target; +- kuid_t ouid; +- } fs; ++ union { ++ struct { ++ const char *target; ++ kuid_t ouid; ++ } fs; ++ int signal; ++ }; + }; + struct { + struct aa_profile *profile; + const char *ns; + long pos; + } iface; +- int signal; + struct { + int rlim; + unsigned long max; diff --git a/queue-4.14/arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch b/queue-4.14/arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch new file mode 100644 index 00000000000..7e520595131 --- /dev/null +++ b/queue-4.14/arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch @@ -0,0 +1,177 @@ +From be0f272bfc83797f70d44faca86954df62e2bbc0 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 20 Nov 2017 17:41:30 +0000 +Subject: arm64: ftrace: emit ftrace-mod.o contents through code + +From: Ard Biesheuvel + +commit be0f272bfc83797f70d44faca86954df62e2bbc0 upstream. + +When building the arm64 kernel with both CONFIG_ARM64_MODULE_PLTS and +CONFIG_DYNAMIC_FTRACE enabled, the ftrace-mod.o object file is built +with the kernel and contains a trampoline that is linked into each +module, so that modules can be loaded far away from the kernel and +still reach the ftrace entry point in the core kernel with an ordinary +relative branch, as is emitted by the compiler instrumentation code +dynamic ftrace relies on. + +In order to be able to build out of tree modules, this object file +needs to be included into the linux-headers or linux-devel packages, +which is undesirable, as it makes arm64 a special case (although a +precedent does exist for 32-bit PPC). + +Given that the trampoline essentially consists of a PLT entry, let's +not bother with a source or object file for it, and simply patch it +in whenever the trampoline is being populated, using the existing +PLT support routines. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/Makefile | 3 --- + arch/arm64/include/asm/module.h | 2 +- + arch/arm64/kernel/Makefile | 3 --- + arch/arm64/kernel/ftrace-mod.S | 18 ------------------ + arch/arm64/kernel/ftrace.c | 14 ++++++++------ + arch/arm64/kernel/module-plts.c | 12 ++++++++++++ + arch/arm64/kernel/module.lds | 1 + + 7 files changed, 22 insertions(+), 31 deletions(-) + +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -77,9 +77,6 @@ endif + + ifeq ($(CONFIG_ARM64_MODULE_PLTS),y) + KBUILD_LDFLAGS_MODULE += -T $(srctree)/arch/arm64/kernel/module.lds +-ifeq ($(CONFIG_DYNAMIC_FTRACE),y) +-KBUILD_LDFLAGS_MODULE += $(objtree)/arch/arm64/kernel/ftrace-mod.o +-endif + endif + + # Default value +--- a/arch/arm64/include/asm/module.h ++++ b/arch/arm64/include/asm/module.h +@@ -32,7 +32,7 @@ struct mod_arch_specific { + struct mod_plt_sec init; + + /* for CONFIG_DYNAMIC_FTRACE */ +- void *ftrace_trampoline; ++ struct plt_entry *ftrace_trampoline; + }; + #endif + +--- a/arch/arm64/kernel/Makefile ++++ b/arch/arm64/kernel/Makefile +@@ -63,6 +63,3 @@ extra-y += $(head-y) vmlinux.lds + ifeq ($(CONFIG_DEBUG_EFI),y) + AFLAGS_head.o += -DVMLINUX_PATH="\"$(realpath $(objtree)/vmlinux)\"" + endif +- +-# will be included by each individual module but not by the core kernel itself +-extra-$(CONFIG_DYNAMIC_FTRACE) += ftrace-mod.o +--- a/arch/arm64/kernel/ftrace-mod.S ++++ /dev/null +@@ -1,18 +0,0 @@ +-/* +- * Copyright (C) 2017 Linaro Ltd +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- */ +- +-#include +-#include +- +- .section ".text.ftrace_trampoline", "ax" +- .align 3 +-0: .quad 0 +-__ftrace_trampoline: +- ldr x16, 0b +- br x16 +-ENDPROC(__ftrace_trampoline) +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -76,7 +76,7 @@ int ftrace_make_call(struct dyn_ftrace * + + if (offset < -SZ_128M || offset >= SZ_128M) { + #ifdef CONFIG_ARM64_MODULE_PLTS +- unsigned long *trampoline; ++ struct plt_entry trampoline; + struct module *mod; + + /* +@@ -104,22 +104,24 @@ int ftrace_make_call(struct dyn_ftrace * + * is added in the future, but for now, the pr_err() below + * deals with a theoretical issue only. + */ +- trampoline = (unsigned long *)mod->arch.ftrace_trampoline; +- if (trampoline[0] != addr) { +- if (trampoline[0] != 0) { ++ trampoline = get_plt_entry(addr); ++ if (!plt_entries_equal(mod->arch.ftrace_trampoline, ++ &trampoline)) { ++ if (!plt_entries_equal(mod->arch.ftrace_trampoline, ++ &(struct plt_entry){})) { + pr_err("ftrace: far branches to multiple entry points unsupported inside a single module\n"); + return -EINVAL; + } + + /* point the trampoline to our ftrace entry point */ + module_disable_ro(mod); +- trampoline[0] = addr; ++ *mod->arch.ftrace_trampoline = trampoline; + module_enable_ro(mod, true); + + /* update trampoline before patching in the branch */ + smp_wmb(); + } +- addr = (unsigned long)&trampoline[1]; ++ addr = (unsigned long)(void *)mod->arch.ftrace_trampoline; + #else /* CONFIG_ARM64_MODULE_PLTS */ + return -EINVAL; + #endif /* CONFIG_ARM64_MODULE_PLTS */ +--- a/arch/arm64/kernel/module-plts.c ++++ b/arch/arm64/kernel/module-plts.c +@@ -120,6 +120,7 @@ int module_frob_arch_sections(Elf_Ehdr * + unsigned long core_plts = 0; + unsigned long init_plts = 0; + Elf64_Sym *syms = NULL; ++ Elf_Shdr *tramp = NULL; + int i; + + /* +@@ -131,6 +132,10 @@ int module_frob_arch_sections(Elf_Ehdr * + mod->arch.core.plt = sechdrs + i; + else if (!strcmp(secstrings + sechdrs[i].sh_name, ".init.plt")) + mod->arch.init.plt = sechdrs + i; ++ else if (IS_ENABLED(CONFIG_DYNAMIC_FTRACE) && ++ !strcmp(secstrings + sechdrs[i].sh_name, ++ ".text.ftrace_trampoline")) ++ tramp = sechdrs + i; + else if (sechdrs[i].sh_type == SHT_SYMTAB) + syms = (Elf64_Sym *)sechdrs[i].sh_addr; + } +@@ -181,5 +186,12 @@ int module_frob_arch_sections(Elf_Ehdr * + mod->arch.init.plt_num_entries = 0; + mod->arch.init.plt_max_entries = init_plts; + ++ if (tramp) { ++ tramp->sh_type = SHT_NOBITS; ++ tramp->sh_flags = SHF_EXECINSTR | SHF_ALLOC; ++ tramp->sh_addralign = __alignof__(struct plt_entry); ++ tramp->sh_size = sizeof(struct plt_entry); ++ } ++ + return 0; + } +--- a/arch/arm64/kernel/module.lds ++++ b/arch/arm64/kernel/module.lds +@@ -1,4 +1,5 @@ + SECTIONS { + .plt (NOLOAD) : { BYTE(0) } + .init.plt (NOLOAD) : { BYTE(0) } ++ .text.ftrace_trampoline (NOLOAD) : { BYTE(0) } + } diff --git a/queue-4.14/arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch b/queue-4.14/arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch new file mode 100644 index 00000000000..40292f068d8 --- /dev/null +++ b/queue-4.14/arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch @@ -0,0 +1,132 @@ +From 7e8b9c1d2e2f5f45db7d40b50d14f606097c25de Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 20 Nov 2017 17:41:29 +0000 +Subject: arm64: module-plts: factor out PLT generation code for ftrace + +From: Ard Biesheuvel + +commit 7e8b9c1d2e2f5f45db7d40b50d14f606097c25de upstream. + +To allow the ftrace trampoline code to reuse the PLT entry routines, +factor it out and move it into asm/module.h. + +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/module.h | 44 ++++++++++++++++++++++++++++++++++++++++ + arch/arm64/kernel/module-plts.c | 38 +--------------------------------- + 2 files changed, 46 insertions(+), 36 deletions(-) + +--- a/arch/arm64/include/asm/module.h ++++ b/arch/arm64/include/asm/module.h +@@ -45,4 +45,48 @@ extern u64 module_alloc_base; + #define module_alloc_base ((u64)_etext - MODULES_VSIZE) + #endif + ++struct plt_entry { ++ /* ++ * A program that conforms to the AArch64 Procedure Call Standard ++ * (AAPCS64) must assume that a veneer that alters IP0 (x16) and/or ++ * IP1 (x17) may be inserted at any branch instruction that is ++ * exposed to a relocation that supports long branches. Since that ++ * is exactly what we are dealing with here, we are free to use x16 ++ * as a scratch register in the PLT veneers. ++ */ ++ __le32 mov0; /* movn x16, #0x.... */ ++ __le32 mov1; /* movk x16, #0x...., lsl #16 */ ++ __le32 mov2; /* movk x16, #0x...., lsl #32 */ ++ __le32 br; /* br x16 */ ++}; ++ ++static inline struct plt_entry get_plt_entry(u64 val) ++{ ++ /* ++ * MOVK/MOVN/MOVZ opcode: ++ * +--------+------------+--------+-----------+-------------+---------+ ++ * | sf[31] | opc[30:29] | 100101 | hw[22:21] | imm16[20:5] | Rd[4:0] | ++ * +--------+------------+--------+-----------+-------------+---------+ ++ * ++ * Rd := 0x10 (x16) ++ * hw := 0b00 (no shift), 0b01 (lsl #16), 0b10 (lsl #32) ++ * opc := 0b11 (MOVK), 0b00 (MOVN), 0b10 (MOVZ) ++ * sf := 1 (64-bit variant) ++ */ ++ return (struct plt_entry){ ++ cpu_to_le32(0x92800010 | (((~val ) & 0xffff)) << 5), ++ cpu_to_le32(0xf2a00010 | ((( val >> 16) & 0xffff)) << 5), ++ cpu_to_le32(0xf2c00010 | ((( val >> 32) & 0xffff)) << 5), ++ cpu_to_le32(0xd61f0200) ++ }; ++} ++ ++static inline bool plt_entries_equal(const struct plt_entry *a, ++ const struct plt_entry *b) ++{ ++ return a->mov0 == b->mov0 && ++ a->mov1 == b->mov1 && ++ a->mov2 == b->mov2; ++} ++ + #endif /* __ASM_MODULE_H */ +--- a/arch/arm64/kernel/module-plts.c ++++ b/arch/arm64/kernel/module-plts.c +@@ -11,21 +11,6 @@ + #include + #include + +-struct plt_entry { +- /* +- * A program that conforms to the AArch64 Procedure Call Standard +- * (AAPCS64) must assume that a veneer that alters IP0 (x16) and/or +- * IP1 (x17) may be inserted at any branch instruction that is +- * exposed to a relocation that supports long branches. Since that +- * is exactly what we are dealing with here, we are free to use x16 +- * as a scratch register in the PLT veneers. +- */ +- __le32 mov0; /* movn x16, #0x.... */ +- __le32 mov1; /* movk x16, #0x...., lsl #16 */ +- __le32 mov2; /* movk x16, #0x...., lsl #32 */ +- __le32 br; /* br x16 */ +-}; +- + static bool in_init(const struct module *mod, void *loc) + { + return (u64)loc - (u64)mod->init_layout.base < mod->init_layout.size; +@@ -40,33 +25,14 @@ u64 module_emit_plt_entry(struct module + int i = pltsec->plt_num_entries; + u64 val = sym->st_value + rela->r_addend; + +- /* +- * MOVK/MOVN/MOVZ opcode: +- * +--------+------------+--------+-----------+-------------+---------+ +- * | sf[31] | opc[30:29] | 100101 | hw[22:21] | imm16[20:5] | Rd[4:0] | +- * +--------+------------+--------+-----------+-------------+---------+ +- * +- * Rd := 0x10 (x16) +- * hw := 0b00 (no shift), 0b01 (lsl #16), 0b10 (lsl #32) +- * opc := 0b11 (MOVK), 0b00 (MOVN), 0b10 (MOVZ) +- * sf := 1 (64-bit variant) +- */ +- plt[i] = (struct plt_entry){ +- cpu_to_le32(0x92800010 | (((~val ) & 0xffff)) << 5), +- cpu_to_le32(0xf2a00010 | ((( val >> 16) & 0xffff)) << 5), +- cpu_to_le32(0xf2c00010 | ((( val >> 32) & 0xffff)) << 5), +- cpu_to_le32(0xd61f0200) +- }; ++ plt[i] = get_plt_entry(val); + + /* + * Check if the entry we just created is a duplicate. Given that the + * relocations are sorted, this will be the last entry we allocated. + * (if one exists). + */ +- if (i > 0 && +- plt[i].mov0 == plt[i - 1].mov0 && +- plt[i].mov1 == plt[i - 1].mov1 && +- plt[i].mov2 == plt[i - 1].mov2) ++ if (i > 0 && plt_entries_equal(plt + i, plt + i - 1)) + return (u64)&plt[i - 1]; + + pltsec->plt_num_entries++; diff --git a/queue-4.14/bcache-fix-building-error-on-mips.patch b/queue-4.14/bcache-fix-building-error-on-mips.patch new file mode 100644 index 00000000000..9966767d8a5 --- /dev/null +++ b/queue-4.14/bcache-fix-building-error-on-mips.patch @@ -0,0 +1,72 @@ +From cf33c1ee5254c6a430bc1538232b49c3ea13e613 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 24 Nov 2017 15:14:25 -0800 +Subject: bcache: Fix building error on MIPS + +From: Huacai Chen + +commit cf33c1ee5254c6a430bc1538232b49c3ea13e613 upstream. + +This patch try to fix the building error on MIPS. The reason is MIPS +has already defined the PTR macro, which conflicts with the PTR macro +in include/uapi/linux/bcache.h. + +[fixed by mlyle: corrected a line-length issue] + +Signed-off-by: Huacai Chen +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/alloc.c | 2 +- + drivers/md/bcache/extents.c | 2 +- + drivers/md/bcache/journal.c | 2 +- + include/uapi/linux/bcache.h | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -480,7 +480,7 @@ int __bch_bucket_alloc_set(struct cache_ + if (b == -1) + goto err; + +- k->ptr[i] = PTR(ca->buckets[b].gen, ++ k->ptr[i] = MAKE_PTR(ca->buckets[b].gen, + bucket_to_sector(c, b), + ca->sb.nr_this_dev); + +--- a/drivers/md/bcache/extents.c ++++ b/drivers/md/bcache/extents.c +@@ -585,7 +585,7 @@ static bool bch_extent_merge(struct btre + return false; + + for (i = 0; i < KEY_PTRS(l); i++) +- if (l->ptr[i] + PTR(0, KEY_SIZE(l), 0) != r->ptr[i] || ++ if (l->ptr[i] + MAKE_PTR(0, KEY_SIZE(l), 0) != r->ptr[i] || + PTR_BUCKET_NR(b->c, l, i) != PTR_BUCKET_NR(b->c, r, i)) + return false; + +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -507,7 +507,7 @@ static void journal_reclaim(struct cache + continue; + + ja->cur_idx = next; +- k->ptr[n++] = PTR(0, ++ k->ptr[n++] = MAKE_PTR(0, + bucket_to_sector(c, ca->sb.d[ja->cur_idx]), + ca->sb.nr_this_dev); + } +--- a/include/uapi/linux/bcache.h ++++ b/include/uapi/linux/bcache.h +@@ -91,7 +91,7 @@ PTR_FIELD(PTR_GEN, 0, 8) + + #define PTR_CHECK_DEV ((1 << PTR_DEV_BITS) - 1) + +-#define PTR(gen, offset, dev) \ ++#define MAKE_PTR(gen, offset, dev) \ + ((((__u64) dev) << 51) | ((__u64) offset) << 8 | gen) + + /* Bkey utility code */ diff --git a/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch new file mode 100644 index 00000000000..112bf749588 --- /dev/null +++ b/queue-4.14/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch @@ -0,0 +1,76 @@ +From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 30 Oct 2017 14:46:31 -0700 +Subject: bcache: only permit to recovery read error when cache device is clean + +From: Coly Li + +commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. + +When bcache does read I/Os, for example in writeback or writethrough mode, +if a read request on cache device is failed, bcache will try to recovery +the request by reading from cached device. If the data on cached device is +not synced with cache device, then requester will get a stale data. + +For critical storage system like database, providing stale data from +recovery may result an application level data corruption, which is +unacceptible. + +With this patch, for a failed read request in writeback or writethrough +mode, recovery a recoverable read request only happens when cache device +is clean. That is to say, all data on cached device is up to update. + +For other cache modes in bcache, read request will never hit +cached_dev_read_error(), they don't need this patch. + +Please note, because cache mode can be switched arbitrarily in run time, a +writethrough mode might be switched from a writeback mode. Therefore +checking dc->has_data in writethrough mode still makes sense. + +Changelog: +V4: Fix parens error pointed by Michael Lyle. +v3: By response from Kent Oversteet, he thinks recovering stale data is a + bug to fix, and option to permit it is unnecessary. So this version + the sysfs file is removed. +v2: rename sysfs entry from allow_stale_data_on_failure to + allow_stale_data_on_failure, and fix the confusing commit log. +v1: initial patch posted. + +[small change to patch comment spelling by mlyle] + +Signed-off-by: Coly Li +Signed-off-by: Michael Lyle +Reported-by: Arne Wolf +Reviewed-by: Michael Lyle +Cc: Kent Overstreet +Cc: Nix +Cc: Kai Krakow +Cc: Eric Wheeler +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct + { + struct search *s = container_of(cl, struct search, cl); + struct bio *bio = &s->bio.bio; ++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + +- if (s->recoverable) { ++ /* ++ * If cache device is dirty (dc->has_dirty is non-zero), then ++ * recovery a failed read request from cached device may get a ++ * stale data back. So read failure recovery is only permitted ++ * when cache device is clean. ++ */ ++ if (s->recoverable && ++ (dc && !atomic_read(&dc->has_dirty))) { + /* Retry from the backing device: */ + trace_bcache_read_retry(s->orig_bio); + diff --git a/queue-4.14/bcache-recover-data-from-backing-when-data-is-clean.patch b/queue-4.14/bcache-recover-data-from-backing-when-data-is-clean.patch new file mode 100644 index 00000000000..530917ae001 --- /dev/null +++ b/queue-4.14/bcache-recover-data-from-backing-when-data-is-clean.patch @@ -0,0 +1,76 @@ +From e393aa2446150536929140739f09c6ecbcbea7f0 Mon Sep 17 00:00:00 2001 +From: Rui Hua +Date: Fri, 24 Nov 2017 15:14:26 -0800 +Subject: bcache: recover data from backing when data is clean + +From: Rui Hua + +commit e393aa2446150536929140739f09c6ecbcbea7f0 upstream. + +When we send a read request and hit the clean data in cache device, there +is a situation called cache read race in bcache(see the commit in the tail +of cache_look_up(), the following explaination just copy from there): +The bucket we're reading from might be reused while our bio is in flight, +and we could then end up reading the wrong data. We guard against this +by checking (in bch_cache_read_endio()) if the pointer is stale again; +if so, we treat it as an error (s->iop.error = -EINTR) and reread from +the backing device (but we don't pass that error up anywhere) + +It should be noted that cache read race happened under normal +circumstances, not the circumstance when SSD failed, it was counted +and shown in /sys/fs/bcache/XXX/internal/cache_read_races. + +Without this patch, when we use writeback mode, we will never reread from +the backing device when cache read race happened, until the whole cache +device is clean, because the condition +(s->recoverable && (dc && !atomic_read(&dc->has_dirty))) is false in +cached_dev_read_error(). In this situation, the s->iop.error(= -EINTR) +will be passed up, at last, user will receive -EINTR when it's bio end, +this is not suitable, and wield to up-application. + +In this patch, we use s->read_dirty_data to judge whether the read +request hit dirty data in cache device, it is safe to reread data from +the backing device when the read request hit clean data. This can not +only handle cache read race, but also recover data when failed read +request from cache device. + +[edited by mlyle to fix up whitespace, commit log title, comment +spelling] + +Fixes: d59b23795933 ("bcache: only permit to recovery read error when cache device is clean") +Signed-off-by: Hua Rui +Reviewed-by: Michael Lyle +Reviewed-by: Coly Li +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -698,16 +698,15 @@ static void cached_dev_read_error(struct + { + struct search *s = container_of(cl, struct search, cl); + struct bio *bio = &s->bio.bio; +- struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + + /* +- * If cache device is dirty (dc->has_dirty is non-zero), then +- * recovery a failed read request from cached device may get a +- * stale data back. So read failure recovery is only permitted +- * when cache device is clean. ++ * If read request hit dirty data (s->read_dirty_data is true), ++ * then recovery a failed read request from cached device may ++ * get a stale data back. So read failure recovery is only ++ * permitted when read request hit clean data in cache device, ++ * or when cache read race happened. + */ +- if (s->recoverable && +- (dc && !atomic_read(&dc->has_dirty))) { ++ if (s->recoverable && !s->read_dirty_data) { + /* Retry from the backing device: */ + trace_bcache_read_retry(s->orig_bio); + diff --git a/queue-4.14/btrfs-clear-space-cache-inode-generation-always.patch b/queue-4.14/btrfs-clear-space-cache-inode-generation-always.patch new file mode 100644 index 00000000000..083244665c4 --- /dev/null +++ b/queue-4.14/btrfs-clear-space-cache-inode-generation-always.patch @@ -0,0 +1,59 @@ +From 8e138e0d92c6c9d3d481674fb14e3439b495be37 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 17 Nov 2017 14:50:46 -0500 +Subject: btrfs: clear space cache inode generation always + +From: Josef Bacik + +commit 8e138e0d92c6c9d3d481674fb14e3439b495be37 upstream. + +We discovered a box that had double allocations, and suspected the space +cache may be to blame. While auditing the write out path I noticed that +if we've already setup the space cache we will just carry on. This +means that any error we hit after cache_save_setup before we go to +actually write the cache out we won't reset the inode generation, so +whatever was already written will be considered correct, except it'll be +stale. Fix this by _always_ resetting the generation on the block group +inode, this way we only ever have valid or invalid cache. + +With this patch I was no longer able to reproduce cache corruption with +dm-log-writes and my bpf error injection tool. + +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -3526,13 +3526,6 @@ again: + goto again; + } + +- /* We've already setup this transaction, go ahead and exit */ +- if (block_group->cache_generation == trans->transid && +- i_size_read(inode)) { +- dcs = BTRFS_DC_SETUP; +- goto out_put; +- } +- + /* + * We want to set the generation to 0, that way if anything goes wrong + * from here on out we know not to trust this cache when we load up next +@@ -3556,6 +3549,13 @@ again: + } + WARN_ON(ret); + ++ /* We've already setup this transaction, go ahead and exit */ ++ if (block_group->cache_generation == trans->transid && ++ i_size_read(inode)) { ++ dcs = BTRFS_DC_SETUP; ++ goto out_put; ++ } ++ + if (i_size_read(inode) > 0) { + ret = btrfs_check_trunc_cache_free_space(fs_info, + &fs_info->global_block_rsv); diff --git a/queue-4.14/crypto-af_alg-remove-locking-in-async-callback.patch b/queue-4.14/crypto-af_alg-remove-locking-in-async-callback.patch new file mode 100644 index 00000000000..d7262942f56 --- /dev/null +++ b/queue-4.14/crypto-af_alg-remove-locking-in-async-callback.patch @@ -0,0 +1,187 @@ +From 7d2c3f54e6f646887d019faa45f35d6fe9fe82ce Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Fri, 10 Nov 2017 13:20:55 +0100 +Subject: crypto: af_alg - remove locking in async callback + +From: Stephan Mueller + +commit 7d2c3f54e6f646887d019faa45f35d6fe9fe82ce upstream. + +The code paths protected by the socket-lock do not use or modify the +socket in a non-atomic fashion. The actions pertaining the socket do not +even need to be handled as an atomic operation. Thus, the socket-lock +can be safely ignored. + +This fixes a bug regarding scheduling in atomic as the callback function +may be invoked in interrupt context. + +In addition, the sock_hold is moved before the AIO encrypt/decrypt +operation to ensure that the socket is always present. This avoids a +tiny race window where the socket is unprotected and yet used by the AIO +operation. + +Finally, the release of resources for a crypto operation is moved into a +common function of af_alg_free_resources. + +Fixes: e870456d8e7c8 ("crypto: algif_skcipher - overhaul memory management") +Fixes: d887c52d6ae43 ("crypto: algif_aead - overhaul memory management") +Reported-by: Romain Izard +Signed-off-by: Stephan Mueller +Tested-by: Romain Izard +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 21 ++++++++++++++------- + crypto/algif_aead.c | 23 ++++++++++++----------- + crypto/algif_skcipher.c | 23 ++++++++++++----------- + include/crypto/if_alg.h | 1 + + 4 files changed, 39 insertions(+), 29 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1048,6 +1048,18 @@ unlock: + EXPORT_SYMBOL_GPL(af_alg_sendpage); + + /** ++ * af_alg_free_resources - release resources required for crypto request ++ */ ++void af_alg_free_resources(struct af_alg_async_req *areq) ++{ ++ struct sock *sk = areq->sk; ++ ++ af_alg_free_areq_sgls(areq); ++ sock_kfree_s(sk, areq, areq->areqlen); ++} ++EXPORT_SYMBOL_GPL(af_alg_free_resources); ++ ++/** + * af_alg_async_cb - AIO callback handler + * + * This handler cleans up the struct af_alg_async_req upon completion of the +@@ -1063,18 +1075,13 @@ void af_alg_async_cb(struct crypto_async + struct kiocb *iocb = areq->iocb; + unsigned int resultlen; + +- lock_sock(sk); +- + /* Buffer size written by crypto operation. */ + resultlen = areq->outlen; + +- af_alg_free_areq_sgls(areq); +- sock_kfree_s(sk, areq, areq->areqlen); +- __sock_put(sk); ++ af_alg_free_resources(areq); ++ sock_put(sk); + + iocb->ki_complete(iocb, err ? err : resultlen, 0); +- +- release_sock(sk); + } + EXPORT_SYMBOL_GPL(af_alg_async_cb); + +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -283,12 +283,23 @@ static int _aead_recvmsg(struct socket * + + if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) { + /* AIO operation */ ++ sock_hold(sk); + areq->iocb = msg->msg_iocb; + aead_request_set_callback(&areq->cra_u.aead_req, + CRYPTO_TFM_REQ_MAY_BACKLOG, + af_alg_async_cb, areq); + err = ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) : + crypto_aead_decrypt(&areq->cra_u.aead_req); ++ ++ /* AIO operation in progress */ ++ if (err == -EINPROGRESS || err == -EBUSY) { ++ /* Remember output size that will be generated. */ ++ areq->outlen = outlen; ++ ++ return -EIOCBQUEUED; ++ } ++ ++ sock_put(sk); + } else { + /* Synchronous operation */ + aead_request_set_callback(&areq->cra_u.aead_req, +@@ -300,19 +311,9 @@ static int _aead_recvmsg(struct socket * + &ctx->completion); + } + +- /* AIO operation in progress */ +- if (err == -EINPROGRESS) { +- sock_hold(sk); +- +- /* Remember output size that will be generated. */ +- areq->outlen = outlen; +- +- return -EIOCBQUEUED; +- } + + free: +- af_alg_free_areq_sgls(areq); +- sock_kfree_s(sk, areq, areq->areqlen); ++ af_alg_free_resources(areq); + + return err ? err : outlen; + } +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -117,6 +117,7 @@ static int _skcipher_recvmsg(struct sock + + if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) { + /* AIO operation */ ++ sock_hold(sk); + areq->iocb = msg->msg_iocb; + skcipher_request_set_callback(&areq->cra_u.skcipher_req, + CRYPTO_TFM_REQ_MAY_SLEEP, +@@ -124,6 +125,16 @@ static int _skcipher_recvmsg(struct sock + err = ctx->enc ? + crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) : + crypto_skcipher_decrypt(&areq->cra_u.skcipher_req); ++ ++ /* AIO operation in progress */ ++ if (err == -EINPROGRESS || err == -EBUSY) { ++ /* Remember output size that will be generated. */ ++ areq->outlen = len; ++ ++ return -EIOCBQUEUED; ++ } ++ ++ sock_put(sk); + } else { + /* Synchronous operation */ + skcipher_request_set_callback(&areq->cra_u.skcipher_req, +@@ -137,19 +148,9 @@ static int _skcipher_recvmsg(struct sock + &ctx->completion); + } + +- /* AIO operation in progress */ +- if (err == -EINPROGRESS) { +- sock_hold(sk); +- +- /* Remember output size that will be generated. */ +- areq->outlen = len; +- +- return -EIOCBQUEUED; +- } + + free: +- af_alg_free_areq_sgls(areq); +- sock_kfree_s(sk, areq, areq->areqlen); ++ af_alg_free_resources(areq); + + return err ? err : len; + } +--- a/include/crypto/if_alg.h ++++ b/include/crypto/if_alg.h +@@ -255,6 +255,7 @@ int af_alg_sendmsg(struct socket *sock, + unsigned int ivsize); + ssize_t af_alg_sendpage(struct socket *sock, struct page *page, + int offset, size_t size, int flags); ++void af_alg_free_resources(struct af_alg_async_req *areq); + void af_alg_async_cb(struct crypto_async_request *_req, int err); + unsigned int af_alg_poll(struct file *file, struct socket *sock, + poll_table *wait); diff --git a/queue-4.14/crypto-algif_aead-skip-sgl-entries-with-null-page.patch b/queue-4.14/crypto-algif_aead-skip-sgl-entries-with-null-page.patch new file mode 100644 index 00000000000..8d4172edc5b --- /dev/null +++ b/queue-4.14/crypto-algif_aead-skip-sgl-entries-with-null-page.patch @@ -0,0 +1,112 @@ +From 8e1fa89aa8bc2870009b4486644e4a58f2e2a4f5 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Fri, 10 Nov 2017 11:04:52 +0100 +Subject: crypto: algif_aead - skip SGL entries with NULL page + +From: Stephan Mueller + +commit 8e1fa89aa8bc2870009b4486644e4a58f2e2a4f5 upstream. + +The TX SGL may contain SGL entries that are assigned a NULL page. This +may happen if a multi-stage AIO operation is performed where the data +for each stage is pointed to by one SGL entry. Upon completion of that +stage, af_alg_pull_tsgl will assign NULL to the SGL entry. + +The NULL cipher used to copy the AAD from TX SGL to the destination +buffer, however, cannot handle the case where the SGL starts with an SGL +entry having a NULL page. Thus, the code needs to advance the start +pointer into the SGL to the first non-NULL entry. + +This fixes a crash visible on Intel x86 32 bit using the libkcapi test +suite. + +Fixes: 72548b093ee38 ("crypto: algif_aead - copy AAD from src to dst") +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_aead.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -101,10 +101,10 @@ static int _aead_recvmsg(struct socket * + struct aead_tfm *aeadc = pask->private; + struct crypto_aead *tfm = aeadc->aead; + struct crypto_skcipher *null_tfm = aeadc->null_tfm; +- unsigned int as = crypto_aead_authsize(tfm); ++ unsigned int i, as = crypto_aead_authsize(tfm); + struct af_alg_async_req *areq; +- struct af_alg_tsgl *tsgl; +- struct scatterlist *src; ++ struct af_alg_tsgl *tsgl, *tmp; ++ struct scatterlist *rsgl_src, *tsgl_src = NULL; + int err = 0; + size_t used = 0; /* [in] TX bufs to be en/decrypted */ + size_t outlen = 0; /* [out] RX bufs produced by kernel */ +@@ -178,7 +178,22 @@ static int _aead_recvmsg(struct socket * + } + + processed = used + ctx->aead_assoclen; +- tsgl = list_first_entry(&ctx->tsgl_list, struct af_alg_tsgl, list); ++ list_for_each_entry_safe(tsgl, tmp, &ctx->tsgl_list, list) { ++ for (i = 0; i < tsgl->cur; i++) { ++ struct scatterlist *process_sg = tsgl->sg + i; ++ ++ if (!(process_sg->length) || !sg_page(process_sg)) ++ continue; ++ tsgl_src = process_sg; ++ break; ++ } ++ if (tsgl_src) ++ break; ++ } ++ if (processed && !tsgl_src) { ++ err = -EFAULT; ++ goto free; ++ } + + /* + * Copy of AAD from source to destination +@@ -194,7 +209,7 @@ static int _aead_recvmsg(struct socket * + */ + + /* Use the RX SGL as source (and destination) for crypto op. */ +- src = areq->first_rsgl.sgl.sg; ++ rsgl_src = areq->first_rsgl.sgl.sg; + + if (ctx->enc) { + /* +@@ -207,7 +222,7 @@ static int _aead_recvmsg(struct socket * + * v v + * RX SGL: AAD || PT || Tag + */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl->sg, ++ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, + areq->first_rsgl.sgl.sg, processed); + if (err) + goto free; +@@ -225,7 +240,7 @@ static int _aead_recvmsg(struct socket * + */ + + /* Copy AAD || CT to RX SGL buffer for in-place operation. */ +- err = crypto_aead_copy_sgl(null_tfm, tsgl->sg, ++ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, + areq->first_rsgl.sgl.sg, outlen); + if (err) + goto free; +@@ -257,11 +272,11 @@ static int _aead_recvmsg(struct socket * + areq->tsgl); + } else + /* no RX SGL present (e.g. authentication only) */ +- src = areq->tsgl; ++ rsgl_src = areq->tsgl; + } + + /* Initialize the crypto operation */ +- aead_request_set_crypt(&areq->cra_u.aead_req, src, ++ aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src, + areq->first_rsgl.sgl.sg, used, ctx->iv); + aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); + aead_request_set_tfm(&areq->cra_u.aead_req, tfm); diff --git a/queue-4.14/crypto-skcipher-fix-skcipher_walk_aead_common.patch b/queue-4.14/crypto-skcipher-fix-skcipher_walk_aead_common.patch new file mode 100644 index 00000000000..7a96d160767 --- /dev/null +++ b/queue-4.14/crypto-skcipher-fix-skcipher_walk_aead_common.patch @@ -0,0 +1,41 @@ +From c14ca8386539a298c1c19b003fe55e37d0f0e89c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ondrej=20Mosn=C3=A1=C4=8Dek?= +Date: Thu, 23 Nov 2017 13:49:06 +0100 +Subject: crypto: skcipher - Fix skcipher_walk_aead_common + +From: Ondrej Mosnáček + +commit c14ca8386539a298c1c19b003fe55e37d0f0e89c upstream. + +The skcipher_walk_aead_common function calls scatterwalk_copychunks on +the input and output walks to skip the associated data. If the AD end +at an SG list entry boundary, then after these calls the walks will +still be pointing to the end of the skipped region. + +These offsets are later checked for alignment in skcipher_walk_next, +so the skcipher_walk may detect the alignment incorrectly. + +This patch fixes it by calling scatterwalk_done after the copychunks +calls to ensure that the offsets refer to the right SG list entry. + +Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/skcipher.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -522,6 +522,9 @@ static int skcipher_walk_aead_common(str + scatterwalk_copychunks(NULL, &walk->in, req->assoclen, 2); + scatterwalk_copychunks(NULL, &walk->out, req->assoclen, 2); + ++ scatterwalk_done(&walk->in, 0, walk->total); ++ scatterwalk_done(&walk->out, 0, walk->total); ++ + walk->iv = req->iv; + walk->oiv = req->iv; + diff --git a/queue-4.14/cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch b/queue-4.14/cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch new file mode 100644 index 00000000000..7bcbebd4db0 --- /dev/null +++ b/queue-4.14/cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch @@ -0,0 +1,70 @@ +From 12841f87b7a8ceb3d54f171660f72a86941bfcb3 Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Thu, 23 Nov 2017 09:08:57 +0530 +Subject: cxl: Check if vphb exists before iterating over AFU devices + +From: Vaibhav Jain + +commit 12841f87b7a8ceb3d54f171660f72a86941bfcb3 upstream. + +During an eeh a kernel-oops is reported if no vPHB is allocated to the +AFU. This happens as during AFU init, an error in creation of vPHB is +a non-fatal error. Hence afu->phb should always be checked for NULL +before iterating over it for the virtual AFU pci devices. + +This patch fixes the kenel-oops by adding a NULL pointer check for +afu->phb before it is dereferenced. + +Fixes: 9e8df8a21963 ("cxl: EEH support") +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/pci.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -2043,6 +2043,9 @@ static pci_ers_result_t cxl_vphb_error_d + /* There should only be one entry, but go through the list + * anyway + */ ++ if (afu->phb == NULL) ++ return result; ++ + list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) { + if (!afu_dev->driver) + continue; +@@ -2084,8 +2087,7 @@ static pci_ers_result_t cxl_pci_error_de + * Tell the AFU drivers; but we don't care what they + * say, we're going away. + */ +- if (afu->phb != NULL) +- cxl_vphb_error_detected(afu, state); ++ cxl_vphb_error_detected(afu, state); + } + return PCI_ERS_RESULT_DISCONNECT; + } +@@ -2225,6 +2227,9 @@ static pci_ers_result_t cxl_pci_slot_res + if (cxl_afu_select_best_mode(afu)) + goto err; + ++ if (afu->phb == NULL) ++ continue; ++ + list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) { + /* Reset the device context. + * TODO: make this less disruptive +@@ -2287,6 +2292,9 @@ static void cxl_pci_resume(struct pci_de + for (i = 0; i < adapter->slices; i++) { + afu = adapter->afu[i]; + ++ if (afu->phb == NULL) ++ continue; ++ + list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) { + if (afu_dev->driver && afu_dev->driver->err_handler && + afu_dev->driver->err_handler->resume) diff --git a/queue-4.14/drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch b/queue-4.14/drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch new file mode 100644 index 00000000000..a656c87242d --- /dev/null +++ b/queue-4.14/drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch @@ -0,0 +1,42 @@ +From bf25dac38f71d392a31ec074f55cbc941f1eaf1d Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Thu, 16 Nov 2017 09:50:19 +0100 +Subject: drm: omapdrm: Fix DPI on platforms using the DSI VDDS + +From: Laurent Pinchart + +commit bf25dac38f71d392a31ec074f55cbc941f1eaf1d upstream. + +Commit d178e034d565 ("drm: omapdrm: Move FEAT_DPI_USES_VDDS_DSI feature +to dpi code") replaced usage of platform data version with SoC matching +to configure DPI VDDS. The SoC match entries were incorrect, they should +have matched on the machine name instead of the SoC family. Fix it. + +The result was observed on OpenPandora with OMAP3530 where the panel only +had the Blue channel and Red&Green were missing. It was not observed on +GTA04 with DM3730. + +Fixes: d178e034d565 ("drm: omapdrm: Move FEAT_DPI_USES_VDDS_DSI feature to dpi code") +Signed-off-by: Laurent Pinchart +Reported-by: H. Nikolaus Schaller +Tested-by: H. Nikolaus Schaller +Signed-off-by: Tomi Valkeinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/omapdrm/dss/dpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/dpi.c ++++ b/drivers/gpu/drm/omapdrm/dss/dpi.c +@@ -566,8 +566,8 @@ static int dpi_verify_pll(struct dss_pll + } + + static const struct soc_device_attribute dpi_soc_devices[] = { +- { .family = "OMAP3[456]*" }, +- { .family = "[AD]M37*" }, ++ { .machine = "OMAP3[456]*" }, ++ { .machine = "[AD]M37*" }, + { /* sentinel */ } + }; + diff --git a/queue-4.14/eeprom-at24-check-at24_read-write-arguments.patch b/queue-4.14/eeprom-at24-check-at24_read-write-arguments.patch new file mode 100644 index 00000000000..aac674ccaf8 --- /dev/null +++ b/queue-4.14/eeprom-at24-check-at24_read-write-arguments.patch @@ -0,0 +1,42 @@ +From d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Fri, 24 Nov 2017 07:47:50 +0100 +Subject: eeprom: at24: check at24_read/write arguments + +From: Heiner Kallweit + +commit d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0 upstream. + +So far we completely rely on the caller to provide valid arguments. +To be on the safe side perform an own sanity check. + +Signed-off-by: Heiner Kallweit +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/eeprom/at24.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -507,6 +507,9 @@ static int at24_read(void *priv, unsigne + if (unlikely(!count)) + return count; + ++ if (off + count > at24->chip.byte_len) ++ return -EINVAL; ++ + /* + * Read data from chip, protecting against concurrent updates + * from this host, but not from other I2C masters. +@@ -539,6 +542,9 @@ static int at24_write(void *priv, unsign + if (unlikely(!count)) + return -EINVAL; + ++ if (off + count > at24->chip.byte_len) ++ return -EINVAL; ++ + /* + * Write data to chip, protecting against concurrent updates + * from this host, but not from other I2C masters. diff --git a/queue-4.14/eeprom-at24-correctly-set-the-size-for-at24mac402.patch b/queue-4.14/eeprom-at24-correctly-set-the-size-for-at24mac402.patch new file mode 100644 index 00000000000..daacca2e841 --- /dev/null +++ b/queue-4.14/eeprom-at24-correctly-set-the-size-for-at24mac402.patch @@ -0,0 +1,47 @@ +From 5478e478eee3b096b8d998d4ed445da30da2dfbc Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 27 Nov 2017 22:06:13 +0100 +Subject: eeprom: at24: correctly set the size for at24mac402 + +From: Bartosz Golaszewski + +commit 5478e478eee3b096b8d998d4ed445da30da2dfbc upstream. + +There's an ilog2() expansion in AT24_DEVICE_MAGIC() which rounds down +the actual size of EUI-48 byte array in at24mac402 eeproms to 4 from 6, +making it impossible to read it all. + +Fix it by manually adjusting the value in probe(). + +This patch contains a temporary fix that is suitable for stable +branches. Eventually we'll probably remove the call to ilog2() while +converting the magic values to actual structs. + +Fixes: 0b813658c115 ("eeprom: at24: add support for at24mac series") +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/eeprom/at24.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -632,6 +632,16 @@ static int at24_probe(struct i2c_client + dev_warn(&client->dev, + "page_size looks suspicious (no power of 2)!\n"); + ++ /* ++ * REVISIT: the size of the EUI-48 byte array is 6 in at24mac402, while ++ * the call to ilog2() in AT24_DEVICE_MAGIC() rounds it down to 4. ++ * ++ * Eventually we'll get rid of the magic values altoghether in favor of ++ * real structs, but for now just manually set the right size. ++ */ ++ if (chip.flags & AT24_FLAG_MAC && chip.byte_len == 4) ++ chip.byte_len = 6; ++ + /* Use I2C operations unless we're stuck with SMBus extensions. */ + if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { + if (chip.flags & AT24_FLAG_ADDR16) diff --git a/queue-4.14/eeprom-at24-fix-reading-from-24mac402-24mac602.patch b/queue-4.14/eeprom-at24-fix-reading-from-24mac402-24mac602.patch new file mode 100644 index 00000000000..a1eaf3564f0 --- /dev/null +++ b/queue-4.14/eeprom-at24-fix-reading-from-24mac402-24mac602.patch @@ -0,0 +1,34 @@ +From 644a1f19c6c8393d0c4168a5adf79056da6822eb Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Mon, 27 Nov 2017 20:46:22 +0100 +Subject: eeprom: at24: fix reading from 24MAC402/24MAC602 + +From: Heiner Kallweit + +commit 644a1f19c6c8393d0c4168a5adf79056da6822eb upstream. + +Chip datasheet mentions that word addresses other than the actual +start position of the MAC delivers undefined results. So fix this. +Current implementation doesn't work due to this wrong offset. + +Fixes: 0b813658c115 ("eeprom: at24: add support for at24mac series") +Signed-off-by: Heiner Kallweit +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/eeprom/at24.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -365,7 +365,8 @@ static ssize_t at24_eeprom_read_mac(stru + memset(msg, 0, sizeof(msg)); + msg[0].addr = client->addr; + msg[0].buf = addrbuf; +- addrbuf[0] = 0x90 + offset; ++ /* EUI-48 starts from 0x9a, EUI-64 from 0x98 */ ++ addrbuf[0] = 0xa0 - at24->chip.byte_len + offset; + msg[0].len = 1; + msg[1].addr = client->addr; + msg[1].flags = I2C_M_RD; diff --git a/queue-4.14/i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch b/queue-4.14/i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch new file mode 100644 index 00000000000..959cbc19ca9 --- /dev/null +++ b/queue-4.14/i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch @@ -0,0 +1,37 @@ +From 6e0c9507bf51e1517a80ad0ac171e5402528fcef Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 22 Nov 2017 12:28:17 +0100 +Subject: i2c: i801: Fix Failed to allocate irq -2147483648 error + +From: Hans de Goede + +commit 6e0c9507bf51e1517a80ad0ac171e5402528fcef upstream. + +On Apollo Lake devices the BIOS does not set up IRQ routing for the i801 +SMBUS controller IRQ, so we end up with dev->irq set to IRQ_NOTCONNECTED. + +Detect this and do not try to use the irq in this case silencing: +i801_smbus 0000:00:1f.1: Failed to allocate irq -2147483648: -107 + +BugLink: https://communities.intel.com/thread/114759 +Signed-off-by: Hans de Goede +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-i801.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1617,6 +1617,9 @@ static int i801_probe(struct pci_dev *de + /* Default timeout in interrupt mode: 200 ms */ + priv->adapter.timeout = HZ / 5; + ++ if (dev->irq == IRQ_NOTCONNECTED) ++ priv->features &= ~FEATURE_IRQ; ++ + if (priv->features & FEATURE_IRQ) { + u16 pcictl, pcists; + diff --git a/queue-4.14/kvm-lapic-fixup-ldr-on-load-in-x2apic.patch b/queue-4.14/kvm-lapic-fixup-ldr-on-load-in-x2apic.patch new file mode 100644 index 00000000000..f4d017d469b --- /dev/null +++ b/queue-4.14/kvm-lapic-fixup-ldr-on-load-in-x2apic.patch @@ -0,0 +1,56 @@ +From 12806ba937382fdfdbad62a399aa2dce65c10fcd Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Fri, 17 Nov 2017 11:52:50 +0000 +Subject: KVM: lapic: Fixup LDR on load in x2apic + +From: Dr. David Alan Gilbert + +commit 12806ba937382fdfdbad62a399aa2dce65c10fcd upstream. + +In x2apic mode the LDR is fixed based on the ID rather +than separately loadable like it was before x2. +When kvm_apic_set_state is called, the base is set, and if +it has the X2APIC_ENABLE flag set then the LDR is calculated; +however that value gets overwritten by the memcpy a few lines +below overwriting it with the value that came from userland. + +The symptom is a lack of EOI after loading the state +(e.g. after a QEMU migration) and is due to the EOI bitmap +being wrong due to the incorrect LDR. This was seen with +a Win2016 guest under Qemu with irqchip=split whose USB mouse +didn't work after a VM migration. + +This corresponds to RH bug: + https://bugzilla.redhat.com/show_bug.cgi?id=1502591 + +Reported-by: Yiqian Wei +Signed-off-by: Dr. David Alan Gilbert +[Applied fixup from Liran Alon. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -2201,6 +2201,7 @@ static int kvm_apic_state_fixup(struct k + { + if (apic_x2apic_mode(vcpu->arch.apic)) { + u32 *id = (u32 *)(s->regs + APIC_ID); ++ u32 *ldr = (u32 *)(s->regs + APIC_LDR); + + if (vcpu->kvm->arch.x2apic_format) { + if (*id != vcpu->vcpu_id) +@@ -2211,6 +2212,10 @@ static int kvm_apic_state_fixup(struct k + else + *id <<= 24; + } ++ ++ /* In x2APIC mode, the LDR is fixed and based on the id */ ++ if (set) ++ *ldr = kvm_apic_calc_x2apic_ldr(*id); + } + + return 0; diff --git a/queue-4.14/kvm-lapic-split-out-x2apic-ldr-calculation.patch b/queue-4.14/kvm-lapic-split-out-x2apic-ldr-calculation.patch new file mode 100644 index 00000000000..98a2f2038aa --- /dev/null +++ b/queue-4.14/kvm-lapic-split-out-x2apic-ldr-calculation.patch @@ -0,0 +1,38 @@ +From e872fa94662d0644057c7c80b3071bdb9249e5ab Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Fri, 17 Nov 2017 11:52:49 +0000 +Subject: KVM: lapic: Split out x2apic ldr calculation + +From: Dr. David Alan Gilbert + +commit e872fa94662d0644057c7c80b3071bdb9249e5ab upstream. + +Split out the ldr calculation from kvm_apic_set_x2apic_id +since we're about to reuse it in the following patch. + +Signed-off-by: Dr. David Alan Gilbert +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -266,9 +266,14 @@ static inline void kvm_apic_set_ldr(stru + recalculate_apic_map(apic->vcpu->kvm); + } + ++static inline u32 kvm_apic_calc_x2apic_ldr(u32 id) ++{ ++ return ((id >> 4) << 16) | (1 << (id & 0xf)); ++} ++ + static inline void kvm_apic_set_x2apic_id(struct kvm_lapic *apic, u32 id) + { +- u32 ldr = ((id >> 4) << 16) | (1 << (id & 0xf)); ++ u32 ldr = kvm_apic_calc_x2apic_ldr(id); + + WARN_ON_ONCE(id != apic->vcpu->vcpu_id); + diff --git a/queue-4.14/kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch b/queue-4.14/kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch new file mode 100644 index 00000000000..f12cd17e2e8 --- /dev/null +++ b/queue-4.14/kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch @@ -0,0 +1,54 @@ +From 61cb57c9ed631c95b54f8e9090c89d18b3695b3c Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Sun, 5 Nov 2017 16:56:32 +0200 +Subject: KVM: x86: Exit to user-mode on #UD intercept when emulator requires +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Liran Alon + +commit 61cb57c9ed631c95b54f8e9090c89d18b3695b3c upstream. + +Instruction emulation after trapping a #UD exception can result in an +MMIO access, for example when emulating a MOVBE on a processor that +doesn't support the instruction. In this case, the #UD vmexit handler +must exit to user mode, but there wasn't any code to do so. Add it for +both VMX and SVM. + +Signed-off-by: Liran Alon +Reviewed-by: Nikita Leshenko +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Wanpeng Li +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 2 ++ + arch/x86/kvm/vmx.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2189,6 +2189,8 @@ static int ud_interception(struct vcpu_s + int er; + + er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD); ++ if (er == EMULATE_USER_EXIT) ++ return 0; + if (er != EMULATE_DONE) + kvm_queue_exception(&svm->vcpu, UD_VECTOR); + return 1; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5914,6 +5914,8 @@ static int handle_exception(struct kvm_v + return 1; + } + er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD); ++ if (er == EMULATE_USER_EXIT) ++ return 0; + if (er != EMULATE_DONE) + kvm_queue_exception(vcpu, UD_VECTOR); + return 1; diff --git a/queue-4.14/kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch b/queue-4.14/kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch new file mode 100644 index 00000000000..90f022c7c7a --- /dev/null +++ b/queue-4.14/kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch @@ -0,0 +1,53 @@ +From 6ea6e84309ca7e0e850b3083e6b09344ee15c290 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 10 Nov 2017 10:49:38 +0100 +Subject: KVM: x86: inject exceptions produced by x86_decode_insn +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 6ea6e84309ca7e0e850b3083e6b09344ee15c290 upstream. + +Sometimes, a processor might execute an instruction while another +processor is updating the page tables for that instruction's code page, +but before the TLB shootdown completes. The interesting case happens +if the page is in the TLB. + +In general, the processor will succeed in executing the instruction and +nothing bad happens. However, what if the instruction is an MMIO access? +If *that* happens, KVM invokes the emulator, and the emulator gets the +updated page tables. If the update side had marked the code page as non +present, the page table walk then will fail and so will x86_decode_insn. + +Unfortunately, even though kvm_fetch_guest_virt is correctly returning +X86EMUL_PROPAGATE_FAULT, x86_decode_insn's caller treats the failure as +a fatal error if the instruction cannot simply be reexecuted (as is the +case for MMIO). And this in fact happened sometimes when rebooting +Windows 2012r2 guests. Just checking ctxt->have_exception and injecting +the exception if true is enough to fix the case. + +Thanks to Eduardo Habkost for helping in the debugging of this issue. + +Reported-by: Yanan Fu +Cc: Eduardo Habkost +Signed-off-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5708,6 +5708,8 @@ int x86_emulate_instruction(struct kvm_v + if (reexecute_instruction(vcpu, cr2, write_fault_to_spt, + emulation_type)) + return EMULATE_DONE; ++ if (ctxt->have_exception && inject_emulated_exception(vcpu)) ++ return EMULATE_DONE; + if (emulation_type & EMULTYPE_SKIP) + return EMULATE_FAIL; + return handle_emulation_failure(vcpu); diff --git a/queue-4.14/kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch b/queue-4.14/kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch new file mode 100644 index 00000000000..10c41754ff1 --- /dev/null +++ b/queue-4.14/kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch @@ -0,0 +1,51 @@ +From 51c4b8bba674cfd2260d173602c4dac08e4c3a99 Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Sun, 5 Nov 2017 16:11:30 +0200 +Subject: KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Liran Alon + +commit 51c4b8bba674cfd2260d173602c4dac08e4c3a99 upstream. + +When guest passes KVM it's pvclock-page GPA via WRMSR to +MSR_KVM_SYSTEM_TIME / MSR_KVM_SYSTEM_TIME_NEW, KVM don't initialize +pvclock-page to some start-values. It just requests a clock-update which +will happen before entering to guest. + +The clock-update logic will call kvm_setup_pvclock_page() to update the +pvclock-page with info. However, kvm_setup_pvclock_page() *wrongly* +assumes that the version-field is initialized to an even number. This is +wrong because at first-time write, field could be any-value. + +Fix simply makes sure that if first-time version-field is odd, increment +it once more to make it even and only then start standard logic. +This follows same logic as done in other pvclock shared-pages (See +kvm_write_wall_clock() and record_steal_time()). + +Signed-off-by: Liran Alon +Reviewed-by: Nikita Leshenko +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1830,6 +1830,9 @@ static void kvm_setup_pvclock_page(struc + */ + BUILD_BUG_ON(offsetof(struct pvclock_vcpu_time_info, version) != 0); + ++ if (guest_hv_clock.version & 1) ++ ++guest_hv_clock.version; /* first time write, random junk */ ++ + vcpu->hv_clock.version = guest_hv_clock.version + 1; + kvm_write_guest_cached(v->kvm, &vcpu->pv_time, + &vcpu->hv_clock, diff --git a/queue-4.14/lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch b/queue-4.14/lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch new file mode 100644 index 00000000000..da2c2ab9090 --- /dev/null +++ b/queue-4.14/lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch @@ -0,0 +1,40 @@ +From 3a2b19d1ee5633f76ae8a88da7bc039a5d1732aa Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 2 Nov 2017 13:03:42 +0300 +Subject: lockd: lost rollback of set_grace_period() in lockd_down_net() + +From: Vasily Averin + +commit 3a2b19d1ee5633f76ae8a88da7bc039a5d1732aa upstream. + +Commit efda760fe95ea ("lockd: fix lockd shutdown race") is incorrect, +it removes lockd_manager and disarm grace_period_end for init_net only. + +If nfsd was started from another net namespace lockd_up_net() calls +set_grace_period() that adds lockd_manager into per-netns list +and queues grace_period_end delayed work. + +These action should be reverted in lockd_down_net(). +Otherwise it can lead to double list_add on after restart nfsd in netns, +and to use-after-free if non-disarmed delayed work will be executed after netns destroy. + +Fixes: efda760fe95e ("lockd: fix lockd shutdown race") +Signed-off-by: Vasily Averin +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/svc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -274,6 +274,8 @@ static void lockd_down_net(struct svc_se + if (ln->nlmsvc_users) { + if (--ln->nlmsvc_users == 0) { + nlm_shutdown_hosts_net(net); ++ cancel_delayed_work_sync(&ln->grace_period_end); ++ locks_end_grace(&ln->lockd_manager); + svc_shutdown_net(serv, net); + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net); + } diff --git a/queue-4.14/mmc-block-check-return-value-of-blk_get_request.patch b/queue-4.14/mmc-block-check-return-value-of-blk_get_request.patch new file mode 100644 index 00000000000..643174ebed6 --- /dev/null +++ b/queue-4.14/mmc-block-check-return-value-of-blk_get_request.patch @@ -0,0 +1,88 @@ +From fb8e456e547ed2c699f64665bd8a3b9bde7b9728 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 21 Nov 2017 15:42:28 +0200 +Subject: mmc: block: Check return value of blk_get_request() + +From: Adrian Hunter + +commit fb8e456e547ed2c699f64665bd8a3b9bde7b9728 upstream. + +blk_get_request() can fail, always check the return value. + +Fixes: 0493f6fe5bde ("mmc: block: Move boot partition locking into a driver op") +Fixes: 3ecd8cf23f88 ("mmc: block: move multi-ioctl() to use block layer") +Fixes: 614f0388f580 ("mmc: block: move single ioctl() commands to block requests") +Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module") +Signed-off-by: Adrian Hunter +Reviewed-by: Linus Walleij +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/block.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -204,6 +204,10 @@ static ssize_t power_ro_lock_store(struc + + /* Dispatch locking to the block layer */ + req = blk_get_request(mq->queue, REQ_OP_DRV_OUT, __GFP_RECLAIM); ++ if (IS_ERR(req)) { ++ count = PTR_ERR(req); ++ goto out_put; ++ } + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP; + blk_execute_rq(mq->queue, NULL, req, 0); + ret = req_to_mmc_queue_req(req)->drv_op_result; +@@ -220,7 +224,7 @@ static ssize_t power_ro_lock_store(struc + set_disk_ro(part_md->disk, 1); + } + } +- ++out_put: + mmc_blk_put(md); + return count; + } +@@ -581,6 +585,10 @@ static int mmc_blk_ioctl_cmd(struct mmc_ + req = blk_get_request(mq->queue, + idata->ic.write_flag ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, + __GFP_RECLAIM); ++ if (IS_ERR(req)) { ++ err = PTR_ERR(req); ++ goto cmd_done; ++ } + idatas[0] = idata; + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_IOCTL; + req_to_mmc_queue_req(req)->drv_op_data = idatas; +@@ -644,6 +652,10 @@ static int mmc_blk_ioctl_multi_cmd(struc + req = blk_get_request(mq->queue, + idata[0]->ic.write_flag ? REQ_OP_DRV_OUT : REQ_OP_DRV_IN, + __GFP_RECLAIM); ++ if (IS_ERR(req)) { ++ err = PTR_ERR(req); ++ goto cmd_err; ++ } + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_IOCTL; + req_to_mmc_queue_req(req)->drv_op_data = idata; + req_to_mmc_queue_req(req)->ioc_count = num_of_cmds; +@@ -2315,6 +2327,8 @@ static int mmc_dbg_card_status_get(void + + /* Ask the block layer about the card status */ + req = blk_get_request(mq->queue, REQ_OP_DRV_IN, __GFP_RECLAIM); ++ if (IS_ERR(req)) ++ return PTR_ERR(req); + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_CARD_STATUS; + blk_execute_rq(mq->queue, NULL, req, 0); + ret = req_to_mmc_queue_req(req)->drv_op_result; +@@ -2349,6 +2363,10 @@ static int mmc_ext_csd_open(struct inode + + /* Ask the block layer for the EXT CSD */ + req = blk_get_request(mq->queue, REQ_OP_DRV_IN, __GFP_RECLAIM); ++ if (IS_ERR(req)) { ++ err = PTR_ERR(req); ++ goto out_free; ++ } + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_GET_EXT_CSD; + req_to_mmc_queue_req(req)->drv_op_data = &ext_csd; + blk_execute_rq(mq->queue, NULL, req, 0); diff --git a/queue-4.14/mmc-block-ensure-that-debugfs-files-are-removed.patch b/queue-4.14/mmc-block-ensure-that-debugfs-files-are-removed.patch new file mode 100644 index 00000000000..1671bd9dc1e --- /dev/null +++ b/queue-4.14/mmc-block-ensure-that-debugfs-files-are-removed.patch @@ -0,0 +1,138 @@ +From f9f0da98819503b06b35e61869d18cf3a8cd3323 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 21 Nov 2017 15:42:30 +0200 +Subject: mmc: block: Ensure that debugfs files are removed + +From: Adrian Hunter + +commit f9f0da98819503b06b35e61869d18cf3a8cd3323 upstream. + +The card is not necessarily being removed, but the debugfs files must be +removed when the driver is removed, otherwise they will continue to exist +after unbinding the card from the driver. e.g. + + # echo "mmc1:0001" > /sys/bus/mmc/drivers/mmcblk/unbind + # cat /sys/kernel/debug/mmc1/mmc1\:0001/ext_csd + [ 173.634584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 + [ 173.643356] IP: mmc_ext_csd_open+0x5e/0x170 + +A complication is that the debugfs_root may have already been removed, so +check for that too. + +Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module") +Signed-off-by: Adrian Hunter +Reviewed-by: Linus Walleij +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/block.c | 44 +++++++++++++++++++++++++++++++++++++------- + drivers/mmc/core/debugfs.c | 1 + + 2 files changed, 38 insertions(+), 7 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -119,6 +119,10 @@ struct mmc_blk_data { + struct device_attribute force_ro; + struct device_attribute power_ro_lock; + int area_type; ++ ++ /* debugfs files (only in main mmc_blk_data) */ ++ struct dentry *status_dentry; ++ struct dentry *ext_csd_dentry; + }; + + static DEFINE_MUTEX(open_lock); +@@ -2417,7 +2421,7 @@ static const struct file_operations mmc_ + .llseek = default_llseek, + }; + +-static int mmc_blk_add_debugfs(struct mmc_card *card) ++static int mmc_blk_add_debugfs(struct mmc_card *card, struct mmc_blk_data *md) + { + struct dentry *root; + +@@ -2427,28 +2431,53 @@ static int mmc_blk_add_debugfs(struct mm + root = card->debugfs_root; + + if (mmc_card_mmc(card) || mmc_card_sd(card)) { +- if (!debugfs_create_file("status", S_IRUSR, root, card, +- &mmc_dbg_card_status_fops)) ++ md->status_dentry = ++ debugfs_create_file("status", S_IRUSR, root, card, ++ &mmc_dbg_card_status_fops); ++ if (!md->status_dentry) + return -EIO; + } + + if (mmc_card_mmc(card)) { +- if (!debugfs_create_file("ext_csd", S_IRUSR, root, card, +- &mmc_dbg_ext_csd_fops)) ++ md->ext_csd_dentry = ++ debugfs_create_file("ext_csd", S_IRUSR, root, card, ++ &mmc_dbg_ext_csd_fops); ++ if (!md->ext_csd_dentry) + return -EIO; + } + + return 0; + } + ++static void mmc_blk_remove_debugfs(struct mmc_card *card, ++ struct mmc_blk_data *md) ++{ ++ if (!card->debugfs_root) ++ return; ++ ++ if (!IS_ERR_OR_NULL(md->status_dentry)) { ++ debugfs_remove(md->status_dentry); ++ md->status_dentry = NULL; ++ } ++ ++ if (!IS_ERR_OR_NULL(md->ext_csd_dentry)) { ++ debugfs_remove(md->ext_csd_dentry); ++ md->ext_csd_dentry = NULL; ++ } ++} + + #else + +-static int mmc_blk_add_debugfs(struct mmc_card *card) ++static int mmc_blk_add_debugfs(struct mmc_card *card, struct mmc_blk_data *md) + { + return 0; + } + ++static void mmc_blk_remove_debugfs(struct mmc_card *card, ++ struct mmc_blk_data *md) ++{ ++} ++ + #endif /* CONFIG_DEBUG_FS */ + + static int mmc_blk_probe(struct mmc_card *card) +@@ -2488,7 +2517,7 @@ static int mmc_blk_probe(struct mmc_card + } + + /* Add two debugfs entries */ +- mmc_blk_add_debugfs(card); ++ mmc_blk_add_debugfs(card, md); + + pm_runtime_set_autosuspend_delay(&card->dev, 3000); + pm_runtime_use_autosuspend(&card->dev); +@@ -2514,6 +2543,7 @@ static void mmc_blk_remove(struct mmc_ca + { + struct mmc_blk_data *md = dev_get_drvdata(&card->dev); + ++ mmc_blk_remove_debugfs(card, md); + mmc_blk_remove_parts(card, md); + pm_runtime_get_sync(&card->dev); + mmc_claim_host(card->host); +--- a/drivers/mmc/core/debugfs.c ++++ b/drivers/mmc/core/debugfs.c +@@ -314,4 +314,5 @@ err: + void mmc_remove_card_debugfs(struct mmc_card *card) + { + debugfs_remove_recursive(card->debugfs_root); ++ card->debugfs_root = NULL; + } diff --git a/queue-4.14/mmc-block-fix-missing-blk_put_request.patch b/queue-4.14/mmc-block-fix-missing-blk_put_request.patch new file mode 100644 index 00000000000..918ef63981c --- /dev/null +++ b/queue-4.14/mmc-block-fix-missing-blk_put_request.patch @@ -0,0 +1,48 @@ +From 34c089e806793a66e450b11bd167db6047399fcd Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 21 Nov 2017 15:42:27 +0200 +Subject: mmc: block: Fix missing blk_put_request() + +From: Adrian Hunter + +commit 34c089e806793a66e450b11bd167db6047399fcd upstream. + +Ensure blk_get_request() is paired with blk_put_request(). + +Fixes: 0493f6fe5bde ("mmc: block: Move boot partition locking into a driver op") +Fixes: 627c3ccfb46a ("mmc: debugfs: Move block debugfs into block module") +Signed-off-by: Adrian Hunter +Reviewed-by: Linus Walleij +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/block.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -207,6 +207,7 @@ static ssize_t power_ro_lock_store(struc + req_to_mmc_queue_req(req)->drv_op = MMC_DRV_OP_BOOT_WP; + blk_execute_rq(mq->queue, NULL, req, 0); + ret = req_to_mmc_queue_req(req)->drv_op_result; ++ blk_put_request(req); + + if (!ret) { + pr_info("%s: Locking boot partition ro until next power on\n", +@@ -2321,6 +2322,7 @@ static int mmc_dbg_card_status_get(void + *val = ret; + ret = 0; + } ++ blk_put_request(req); + + return ret; + } +@@ -2351,6 +2353,7 @@ static int mmc_ext_csd_open(struct inode + req_to_mmc_queue_req(req)->drv_op_data = &ext_csd; + blk_execute_rq(mq->queue, NULL, req, 0); + err = req_to_mmc_queue_req(req)->drv_op_result; ++ blk_put_request(req); + if (err) { + pr_err("FAILED %d\n", err); + goto out_free; diff --git a/queue-4.14/mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch b/queue-4.14/mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch new file mode 100644 index 00000000000..a3c25a00a5c --- /dev/null +++ b/queue-4.14/mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch @@ -0,0 +1,32 @@ +From ebe7dd45cf49e3b49cacbaace17f9f878f21fbea Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 21 Nov 2017 15:42:29 +0200 +Subject: mmc: core: Do not leave the block driver in a suspended state + +From: Adrian Hunter + +commit ebe7dd45cf49e3b49cacbaace17f9f878f21fbea upstream. + +The block driver must be resumed if the mmc bus fails to suspend the card. + +Signed-off-by: Adrian Hunter +Reviewed-by: Linus Walleij +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/bus.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/core/bus.c ++++ b/drivers/mmc/core/bus.c +@@ -157,6 +157,9 @@ static int mmc_bus_suspend(struct device + return ret; + + ret = host->bus_ops->suspend(host); ++ if (ret) ++ pm_generic_resume(dev); ++ + return ret; + } + diff --git a/queue-4.14/mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch b/queue-4.14/mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch new file mode 100644 index 00000000000..5e3ee402ac0 --- /dev/null +++ b/queue-4.14/mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch @@ -0,0 +1,45 @@ +From c892b0d81705c566f575e489efc3c50762db1bde Mon Sep 17 00:00:00 2001 +From: Bastian Stender +Date: Tue, 28 Nov 2017 09:24:07 +0100 +Subject: mmc: core: prepend 0x to OCR entry in sysfs + +From: Bastian Stender + +commit c892b0d81705c566f575e489efc3c50762db1bde upstream. + +The sysfs entry "ocr" was missing the 0x prefix to identify it as hex +formatted. + +Fixes: 5fb06af7a33b ("mmc: core: Extend sysfs with OCR register") +Signed-off-by: Bastian Stender +[Ulf: Amended change to also cover SD-cards] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 2 +- + drivers/mmc/core/sd.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -790,7 +790,7 @@ MMC_DEV_ATTR(enhanced_area_offset, "%llu + MMC_DEV_ATTR(enhanced_area_size, "%u\n", card->ext_csd.enhanced_area_size); + MMC_DEV_ATTR(raw_rpmb_size_mult, "%#x\n", card->ext_csd.raw_rpmb_size_mult); + MMC_DEV_ATTR(rel_sectors, "%#x\n", card->ext_csd.rel_sectors); +-MMC_DEV_ATTR(ocr, "%08x\n", card->ocr); ++MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr); + MMC_DEV_ATTR(cmdq_en, "%d\n", card->ext_csd.cmdq_en); + + static ssize_t mmc_fwrev_show(struct device *dev, +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -675,7 +675,7 @@ MMC_DEV_ATTR(manfid, "0x%06x\n", card->c + MMC_DEV_ATTR(name, "%s\n", card->cid.prod_name); + MMC_DEV_ATTR(oemid, "0x%04x\n", card->cid.oemid); + MMC_DEV_ATTR(serial, "0x%08x\n", card->cid.serial); +-MMC_DEV_ATTR(ocr, "%08x\n", card->ocr); ++MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr); + + + static ssize_t mmc_dsr_show(struct device *dev, diff --git a/queue-4.14/mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch b/queue-4.14/mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch new file mode 100644 index 00000000000..95617592b27 --- /dev/null +++ b/queue-4.14/mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch @@ -0,0 +1,32 @@ +From 80a780a167d9267c72867b806142bd6ec69ba123 Mon Sep 17 00:00:00 2001 +From: Bastian Stender +Date: Tue, 28 Nov 2017 09:24:06 +0100 +Subject: mmc: core: prepend 0x to pre_eol_info entry in sysfs + +From: Bastian Stender + +commit 80a780a167d9267c72867b806142bd6ec69ba123 upstream. + +The sysfs entry "pre_eol_info" was missing the 0x prefix to identify it +as hex formatted. + +Fixes: 46bc5c408e4e ("mmc: core: Export device lifetime information through sysfs") +Signed-off-by: Bastian Stender +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -780,7 +780,7 @@ MMC_DEV_ATTR(manfid, "0x%06x\n", card->c + MMC_DEV_ATTR(name, "%s\n", card->cid.prod_name); + MMC_DEV_ATTR(oemid, "0x%04x\n", card->cid.oemid); + MMC_DEV_ATTR(prv, "0x%x\n", card->cid.prv); +-MMC_DEV_ATTR(pre_eol_info, "%02x\n", card->ext_csd.pre_eol_info); ++MMC_DEV_ATTR(pre_eol_info, "0x%02x\n", card->ext_csd.pre_eol_info); + MMC_DEV_ATTR(life_time, "0x%02x 0x%02x\n", + card->ext_csd.device_life_time_est_typ_a, + card->ext_csd.device_life_time_est_typ_b); diff --git a/queue-4.14/mmc-sdhci-avoid-swiotlb-buffer-being-full.patch b/queue-4.14/mmc-sdhci-avoid-swiotlb-buffer-being-full.patch new file mode 100644 index 00000000000..ec6d18864a4 --- /dev/null +++ b/queue-4.14/mmc-sdhci-avoid-swiotlb-buffer-being-full.patch @@ -0,0 +1,78 @@ +From 250dcd11466e06df64b92520e2c56bdae453581b Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Mon, 27 Nov 2017 11:28:50 +0100 +Subject: mmc: sdhci: Avoid swiotlb buffer being full + +From: Ulf Hansson + +commit 250dcd11466e06df64b92520e2c56bdae453581b upstream. + +The commit de3ee99b097d ("mmc: Delete bounce buffer handling") deletes the +bounce buffer handling, but also causes the max_req_size for sdhci to be +increased, in case when max_segs == 1. This causes errors for sdhci-pci +Ricoh variant, about the swiotlb buffer to become full. + +Fix the issue, by taking IO_TLB_SEGSIZE and IO_TLB_SHIFT into account when +deciding the max_req_size for sdhci. + +Reported-by: Jiri Slaby +Fixes: de3ee99b097d ("mmc: Delete bounce buffer handling") +Signed-off-by: Ulf Hansson +Tested-by: Jiri Slaby +Acked-by: Adrian Hunter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3651,22 +3652,29 @@ int sdhci_setup_host(struct sdhci_host * + spin_lock_init(&host->lock); + + /* ++ * Maximum number of sectors in one transfer. Limited by SDMA boundary ++ * size (512KiB). Note some tuning modes impose a 4MiB limit, but this ++ * is less anyway. ++ */ ++ mmc->max_req_size = 524288; ++ ++ /* + * Maximum number of segments. Depends on if the hardware + * can do scatter/gather or not. + */ +- if (host->flags & SDHCI_USE_ADMA) ++ if (host->flags & SDHCI_USE_ADMA) { + mmc->max_segs = SDHCI_MAX_SEGS; +- else if (host->flags & SDHCI_USE_SDMA) ++ } else if (host->flags & SDHCI_USE_SDMA) { + mmc->max_segs = 1; +- else /* PIO */ ++ if (swiotlb_max_segment()) { ++ unsigned int max_req_size = (1 << IO_TLB_SHIFT) * ++ IO_TLB_SEGSIZE; ++ mmc->max_req_size = min(mmc->max_req_size, ++ max_req_size); ++ } ++ } else { /* PIO */ + mmc->max_segs = SDHCI_MAX_SEGS; +- +- /* +- * Maximum number of sectors in one transfer. Limited by SDMA boundary +- * size (512KiB). Note some tuning modes impose a 4MiB limit, but this +- * is less anyway. +- */ +- mmc->max_req_size = 524288; ++ } + + /* + * Maximum segment size. Could be one segment with the maximum number diff --git a/queue-4.14/nfsd-fix-another-open-stateid-race.patch b/queue-4.14/nfsd-fix-another-open-stateid-race.patch new file mode 100644 index 00000000000..f676e385c93 --- /dev/null +++ b/queue-4.14/nfsd-fix-another-open-stateid-race.patch @@ -0,0 +1,91 @@ +From d8a1a000555ecd1b824ac1ed6df8fe364dfbbbb0 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 3 Nov 2017 08:00:11 -0400 +Subject: nfsd: Fix another OPEN stateid race + +From: Trond Myklebust + +commit d8a1a000555ecd1b824ac1ed6df8fe364dfbbbb0 upstream. + +If nfsd4_process_open2() is initialising a new stateid, and yet the +call to nfs4_get_vfs_file() fails for some reason, then we must +declare the stateid closed, and unhash it before dropping the mutex. + +Right now, we unhash the stateid after dropping the mutex, and without +changing the stateid type, meaning that another OPEN could theoretically +look it up and attempt to use it. + +Reported-by: Andrew W Elble +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4452,6 +4452,7 @@ nfsd4_process_open2(struct svc_rqst *rqs + struct nfs4_ol_stateid *stp = NULL; + struct nfs4_delegation *dp = NULL; + __be32 status; ++ bool new_stp = false; + + /* + * Lookup file; if found, lookup stateid and check open request, +@@ -4471,11 +4472,19 @@ nfsd4_process_open2(struct svc_rqst *rqs + goto out; + } + ++ if (!stp) { ++ stp = init_open_stateid(fp, open); ++ if (!open->op_stp) ++ new_stp = true; ++ } ++ + /* + * OPEN the file, or upgrade an existing OPEN. + * If truncate fails, the OPEN fails. ++ * ++ * stp is already locked. + */ +- if (stp) { ++ if (!new_stp) { + /* Stateid was found, this is an OPEN upgrade */ + status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open); + if (status) { +@@ -4483,22 +4492,11 @@ nfsd4_process_open2(struct svc_rqst *rqs + goto out; + } + } else { +- /* stp is returned locked. */ +- stp = init_open_stateid(fp, open); +- /* See if we lost the race to some other thread */ +- if (stp->st_access_bmap != 0) { +- status = nfs4_upgrade_open(rqstp, fp, current_fh, +- stp, open); +- if (status) { +- mutex_unlock(&stp->st_mutex); +- goto out; +- } +- goto upgrade_out; +- } + status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open); + if (status) { +- mutex_unlock(&stp->st_mutex); ++ stp->st_stid.sc_type = NFS4_CLOSED_STID; + release_open_stateid(stp); ++ mutex_unlock(&stp->st_mutex); + goto out; + } + +@@ -4507,7 +4505,7 @@ nfsd4_process_open2(struct svc_rqst *rqs + if (stp->st_clnt_odstate == open->op_odstate) + open->op_odstate = NULL; + } +-upgrade_out: ++ + nfs4_inc_and_copy_stateid(&open->op_stateid, &stp->st_stid); + mutex_unlock(&stp->st_mutex); + diff --git a/queue-4.14/nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch b/queue-4.14/nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch new file mode 100644 index 00000000000..c9317438e1f --- /dev/null +++ b/queue-4.14/nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch @@ -0,0 +1,49 @@ +From 64ebe12494fd5d193f014ce38e1fd83cc57883c8 Mon Sep 17 00:00:00 2001 +From: Naofumi Honda +Date: Thu, 9 Nov 2017 10:57:16 -0500 +Subject: nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat + +From: Naofumi Honda + +commit 64ebe12494fd5d193f014ce38e1fd83cc57883c8 upstream. + +From kernel 4.9, my two nfsv4 servers sometimes suffer from + "panic: unable to handle kernel page request" +in posix_unblock_lock() called from nfs4_laundromat(). + +These panics diseappear if we revert the commit "nfsd: add a LRU list +for blocked locks". + +The cause appears to be a typo in nfs4_laundromat(), which is also +present in nfs4_state_shutdown_net(). + +Fixes: 7919d0a27f1e "nfsd: add a LRU list for blocked locks" +Cc: jlayton@redhat.com +Reveiwed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4732,7 +4732,7 @@ nfs4_laundromat(struct nfsd_net *nn) + spin_unlock(&nn->blocked_locks_lock); + + while (!list_empty(&reaplist)) { +- nbl = list_first_entry(&nn->blocked_locks_lru, ++ nbl = list_first_entry(&reaplist, + struct nfsd4_blocked_lock, nbl_lru); + list_del_init(&nbl->nbl_lru); + posix_unblock_lock(&nbl->nbl_lock); +@@ -7152,7 +7152,7 @@ nfs4_state_shutdown_net(struct net *net) + spin_unlock(&nn->blocked_locks_lock); + + while (!list_empty(&reaplist)) { +- nbl = list_first_entry(&nn->blocked_locks_lru, ++ nbl = list_first_entry(&reaplist, + struct nfsd4_blocked_lock, nbl_lru); + list_del_init(&nbl->nbl_lru); + posix_unblock_lock(&nbl->nbl_lock); diff --git a/queue-4.14/nfsd-fix-stateid-races-between-open-and-close.patch b/queue-4.14/nfsd-fix-stateid-races-between-open-and-close.patch new file mode 100644 index 00000000000..a3c6f78c8e6 --- /dev/null +++ b/queue-4.14/nfsd-fix-stateid-races-between-open-and-close.patch @@ -0,0 +1,153 @@ +From 15ca08d3299682dc49bad73251677b2c5017ef08 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 3 Nov 2017 08:00:10 -0400 +Subject: nfsd: Fix stateid races between OPEN and CLOSE + +From: Trond Myklebust + +commit 15ca08d3299682dc49bad73251677b2c5017ef08 upstream. + +Open file stateids can linger on the nfs4_file list of stateids even +after they have been closed. In order to avoid reusing such a +stateid, and confusing the client, we need to recheck the +nfs4_stid's type after taking the mutex. +Otherwise, we risk reusing an old stateid that was already closed, +which will confuse clients that expect new stateids to conform to +RFC7530 Sections 9.1.4.2 and 16.2.5 or RFC5661 Sections 8.2.2 and 18.2.4. + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 67 +++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 59 insertions(+), 8 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3512,7 +3512,9 @@ nfsd4_find_existing_open(struct nfs4_fil + /* ignore lock owners */ + if (local->st_stateowner->so_is_open_owner == 0) + continue; +- if (local->st_stateowner == &oo->oo_owner) { ++ if (local->st_stateowner != &oo->oo_owner) ++ continue; ++ if (local->st_stid.sc_type == NFS4_OPEN_STID) { + ret = local; + atomic_inc(&ret->st_stid.sc_count); + break; +@@ -3521,6 +3523,52 @@ nfsd4_find_existing_open(struct nfs4_fil + return ret; + } + ++static __be32 ++nfsd4_verify_open_stid(struct nfs4_stid *s) ++{ ++ __be32 ret = nfs_ok; ++ ++ switch (s->sc_type) { ++ default: ++ break; ++ case NFS4_CLOSED_STID: ++ case NFS4_CLOSED_DELEG_STID: ++ ret = nfserr_bad_stateid; ++ break; ++ case NFS4_REVOKED_DELEG_STID: ++ ret = nfserr_deleg_revoked; ++ } ++ return ret; ++} ++ ++/* Lock the stateid st_mutex, and deal with races with CLOSE */ ++static __be32 ++nfsd4_lock_ol_stateid(struct nfs4_ol_stateid *stp) ++{ ++ __be32 ret; ++ ++ mutex_lock(&stp->st_mutex); ++ ret = nfsd4_verify_open_stid(&stp->st_stid); ++ if (ret != nfs_ok) ++ mutex_unlock(&stp->st_mutex); ++ return ret; ++} ++ ++static struct nfs4_ol_stateid * ++nfsd4_find_and_lock_existing_open(struct nfs4_file *fp, struct nfsd4_open *open) ++{ ++ struct nfs4_ol_stateid *stp; ++ for (;;) { ++ spin_lock(&fp->fi_lock); ++ stp = nfsd4_find_existing_open(fp, open); ++ spin_unlock(&fp->fi_lock); ++ if (!stp || nfsd4_lock_ol_stateid(stp) == nfs_ok) ++ break; ++ nfs4_put_stid(&stp->st_stid); ++ } ++ return stp; ++} ++ + static struct nfs4_openowner * + alloc_init_open_stateowner(unsigned int strhashval, struct nfsd4_open *open, + struct nfsd4_compound_state *cstate) +@@ -3565,6 +3613,7 @@ init_open_stateid(struct nfs4_file *fp, + mutex_init(&stp->st_mutex); + mutex_lock(&stp->st_mutex); + ++retry: + spin_lock(&oo->oo_owner.so_client->cl_lock); + spin_lock(&fp->fi_lock); + +@@ -3589,7 +3638,11 @@ out_unlock: + spin_unlock(&fp->fi_lock); + spin_unlock(&oo->oo_owner.so_client->cl_lock); + if (retstp) { +- mutex_lock(&retstp->st_mutex); ++ /* Handle races with CLOSE */ ++ if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) { ++ nfs4_put_stid(&retstp->st_stid); ++ goto retry; ++ } + /* To keep mutex tracking happy */ + mutex_unlock(&stp->st_mutex); + stp = retstp; +@@ -4410,9 +4463,7 @@ nfsd4_process_open2(struct svc_rqst *rqs + status = nfs4_check_deleg(cl, open, &dp); + if (status) + goto out; +- spin_lock(&fp->fi_lock); +- stp = nfsd4_find_existing_open(fp, open); +- spin_unlock(&fp->fi_lock); ++ stp = nfsd4_find_and_lock_existing_open(fp, open); + } else { + open->op_file = NULL; + status = nfserr_bad_stateid; +@@ -4426,7 +4477,6 @@ nfsd4_process_open2(struct svc_rqst *rqs + */ + if (stp) { + /* Stateid was found, this is an OPEN upgrade */ +- mutex_lock(&stp->st_mutex); + status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open); + if (status) { + mutex_unlock(&stp->st_mutex); +@@ -5317,7 +5367,6 @@ static void nfsd4_close_open_stateid(str + bool unhashed; + LIST_HEAD(reaplist); + +- s->st_stid.sc_type = NFS4_CLOSED_STID; + spin_lock(&clp->cl_lock); + unhashed = unhash_open_stateid(s, &reaplist); + +@@ -5357,10 +5406,12 @@ nfsd4_close(struct svc_rqst *rqstp, stru + nfsd4_bump_seqid(cstate, status); + if (status) + goto out; ++ ++ stp->st_stid.sc_type = NFS4_CLOSED_STID; + nfs4_inc_and_copy_stateid(&close->cl_stateid, &stp->st_stid); +- mutex_unlock(&stp->st_mutex); + + nfsd4_close_open_stateid(stp); ++ mutex_unlock(&stp->st_mutex); + + /* put reference from nfs4_preprocess_seqid_op */ + nfs4_put_stid(&stp->st_stid); diff --git a/queue-4.14/omapdrm-hdmi4-correct-the-soc-revision-matching.patch b/queue-4.14/omapdrm-hdmi4-correct-the-soc-revision-matching.patch new file mode 100644 index 00000000000..af08c9f6e27 --- /dev/null +++ b/queue-4.14/omapdrm-hdmi4-correct-the-soc-revision-matching.patch @@ -0,0 +1,77 @@ +From 23970e150a0a49f9a966c46e5d22fed06226098f Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Mon, 20 Nov 2017 11:51:40 +0200 +Subject: omapdrm: hdmi4: Correct the SoC revision matching + +From: Peter Ujfalusi + +commit 23970e150a0a49f9a966c46e5d22fed06226098f upstream. + +I believe the intention of the commit 2c9fc9bf45f8 +("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver") +was to identify omap4430 ES1.x, omap4430 ES2.x and other OMAP4 revisions, +like omap4460. + +By using family=OMAP4 in the match the code will treat omap4460 ES1.x in a +same way as it would treat omap4430 ES1.x + +This breaks HDMI audio on OMAP4460 devices (PandaES for example). + +Correct the match rule so we are not going to get false positive match. + +Fixes: 2c9fc9bf45f8 ("drm: omapdrm: Move FEAT_HDMI_* features to hdmi4 driver") + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Laurent Pinchart +Signed-off-by: Tomi Valkeinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c ++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c +@@ -889,25 +889,36 @@ struct hdmi4_features { + bool audio_use_mclk; + }; + +-static const struct hdmi4_features hdmi4_es1_features = { ++static const struct hdmi4_features hdmi4430_es1_features = { + .cts_swmode = false, + .audio_use_mclk = false, + }; + +-static const struct hdmi4_features hdmi4_es2_features = { ++static const struct hdmi4_features hdmi4430_es2_features = { + .cts_swmode = true, + .audio_use_mclk = false, + }; + +-static const struct hdmi4_features hdmi4_es3_features = { ++static const struct hdmi4_features hdmi4_features = { + .cts_swmode = true, + .audio_use_mclk = true, + }; + + static const struct soc_device_attribute hdmi4_soc_devices[] = { +- { .family = "OMAP4", .revision = "ES1.?", .data = &hdmi4_es1_features }, +- { .family = "OMAP4", .revision = "ES2.?", .data = &hdmi4_es2_features }, +- { .family = "OMAP4", .data = &hdmi4_es3_features }, ++ { ++ .machine = "OMAP4430", ++ .revision = "ES1.?", ++ .data = &hdmi4430_es1_features, ++ }, ++ { ++ .machine = "OMAP4430", ++ .revision = "ES2.?", ++ .data = &hdmi4430_es2_features, ++ }, ++ { ++ .family = "OMAP4", ++ .data = &hdmi4_features, ++ }, + { /* sentinel */ } + }; + diff --git a/queue-4.14/powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch b/queue-4.14/powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch new file mode 100644 index 00000000000..9b795ed192e --- /dev/null +++ b/queue-4.14/powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch @@ -0,0 +1,45 @@ +From 2621e945fbf1d6df5f3f0ba7be5bae3d2cf9b6a5 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 24 Nov 2017 14:51:02 +1100 +Subject: powerpc/kexec: Fix kexec/kdump in P9 guest kernels + +From: Michael Ellerman + +commit 2621e945fbf1d6df5f3f0ba7be5bae3d2cf9b6a5 upstream. + +The code that cleans up the IAMR/AMOR before kexec'ing failed to +remember that when we're running as a guest AMOR is not writable, it's +hypervisor privileged. + +They symptom is that the kexec stops before entering purgatory and +nothing else is seen on the console. If you examine the state of the +system all threads will be in the 0x700 program check handler. + +Fix it by making the write to AMOR dependent on HV mode. + +Fixes: 1e2a516e89fc ("powerpc/kexec: Fix radix to hash kexec due to IAMR/AMOR") +Reported-by: Yilin Zhang +Debugged-by: David Gibson +Signed-off-by: Michael Ellerman +Acked-by: Balbir Singh +Reviewed-by: David Gibson +Tested-by: David Gibson +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/misc_64.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/misc_64.S ++++ b/arch/powerpc/kernel/misc_64.S +@@ -623,7 +623,9 @@ BEGIN_FTR_SECTION + * NOTE, we rely on r0 being 0 from above. + */ + mtspr SPRN_IAMR,r0 ++BEGIN_FTR_SECTION_NESTED(42) + mtspr SPRN_AMOR,r0 ++END_FTR_SECTION_NESTED_IFSET(CPU_FTR_HVMODE, 42) + END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + + /* save regs for local vars on new stack. diff --git a/queue-4.14/powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch b/queue-4.14/powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch new file mode 100644 index 00000000000..a9824df00d6 --- /dev/null +++ b/queue-4.14/powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch @@ -0,0 +1,73 @@ +From a3961f824cdbe7eb431254dc7d8f6f6767f474aa Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Wed, 22 Nov 2017 23:02:07 +0530 +Subject: powerpc/powernv: Fix kexec crashes caused by tlbie tracing + +From: Mahesh Salgaonkar + +commit a3961f824cdbe7eb431254dc7d8f6f6767f474aa upstream. + +Rebooting into a new kernel with kexec fails in trace_tlbie() which is +called from native_hpte_clear(). This happens if the running kernel +has CONFIG_LOCKDEP enabled. With lockdep enabled, the tracepoints +always execute few RCU checks regardless of whether tracing is on or +off. We are already in the last phase of kexec sequence in real mode +with HILE_BE set. At this point the RCU check ends up in +RCU_LOCKDEP_WARN and causes kexec to fail. + +Fix this by not calling trace_tlbie() from native_hpte_clear(). + +mpe: It's not safe to call trace points at this point in the kexec +path, even if we could avoid the RCU checks/warnings. The only +solution is to not call them. + +Fixes: 0428491cba92 ("powerpc/mm: Trace tlbie(l) instructions") +Signed-off-by: Mahesh Salgaonkar +Reported-by: Aneesh Kumar K.V +Suggested-by: Michael Ellerman +Acked-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/hash_native_64.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/hash_native_64.c ++++ b/arch/powerpc/mm/hash_native_64.c +@@ -47,7 +47,8 @@ + + DEFINE_RAW_SPINLOCK(native_tlbie_lock); + +-static inline void __tlbie(unsigned long vpn, int psize, int apsize, int ssize) ++static inline unsigned long ___tlbie(unsigned long vpn, int psize, ++ int apsize, int ssize) + { + unsigned long va; + unsigned int penc; +@@ -100,7 +101,15 @@ static inline void __tlbie(unsigned long + : "memory"); + break; + } +- trace_tlbie(0, 0, va, 0, 0, 0, 0); ++ return va; ++} ++ ++static inline void __tlbie(unsigned long vpn, int psize, int apsize, int ssize) ++{ ++ unsigned long rb; ++ ++ rb = ___tlbie(vpn, psize, apsize, ssize); ++ trace_tlbie(0, 0, rb, 0, 0, 0, 0); + } + + static inline void __tlbiel(unsigned long vpn, int psize, int apsize, int ssize) +@@ -652,7 +661,7 @@ static void native_hpte_clear(void) + if (hpte_v & HPTE_V_VALID) { + hpte_decode(hptep, slot, &psize, &apsize, &ssize, &vpn); + hptep->v = 0; +- __tlbie(vpn, psize, apsize, ssize); ++ ___tlbie(vpn, psize, apsize, ssize); + } + } + diff --git a/queue-4.14/s390-revert-elf_et_dyn_base-base-changes.patch b/queue-4.14/s390-revert-elf_et_dyn_base-base-changes.patch new file mode 100644 index 00000000000..7957f2b8b4b --- /dev/null +++ b/queue-4.14/s390-revert-elf_et_dyn_base-base-changes.patch @@ -0,0 +1,46 @@ +From 345f8f34bb473241d62803951c18a844dd705f8d Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Fri, 24 Nov 2017 16:23:15 +0100 +Subject: s390: revert ELF_ET_DYN_BASE base changes + +From: Martin Schwidefsky + +commit 345f8f34bb473241d62803951c18a844dd705f8d upstream. + +This reverts commit a73dc5370e153ac63718d850bddf0c9aa9d871e6. + +Reducing the base address for 31-bit PIE executables from +(STACK_TOP/3)*2 to 4MB broke several compat programs which +use -fpie to move the executable out of the lower 16MB. + +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/elf.h | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -194,13 +194,14 @@ struct arch_elf_state { + #define CORE_DUMP_USE_REGSET + #define ELF_EXEC_PAGESIZE PAGE_SIZE + +-/* +- * This is the base location for PIE (ET_DYN with INTERP) loads. On +- * 64-bit, this is raised to 4GB to leave the entire 32-bit address +- * space open for things that want to use the area for 32-bit pointers. +- */ +-#define ELF_ET_DYN_BASE (is_compat_task() ? 0x000400000UL : \ +- 0x100000000UL) ++/* This is the location that an ET_DYN program is loaded if exec'ed. Typical ++ use of this is to invoke "./ld.so someprog" to test out a new version of ++ the loader. We need to make sure that it is out of the way of the program ++ that it will "exec", and that there is sufficient room for the brk. 64-bit ++ tasks are aligned to 4GB. */ ++#define ELF_ET_DYN_BASE (is_compat_task() ? \ ++ (STACK_TOP / 3 * 2) : \ ++ (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1)) + + /* This yields a mask that user programs can use to figure out what + instruction set this CPU supports. */ diff --git a/queue-4.14/series b/queue-4.14/series index 14acf634102..d6e196c180f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -18,3 +18,40 @@ fs-fat-inode.c-fix-sb_rdonly-change.patch autofs-revert-autofs-take-more-care-to-not-update-last_used-on-path-walk.patch autofs-revert-autofs-fix-at_no_automount-not-being-honored.patch mm-hugetlb-fix-null-pointer-dereference-on-5-level-paging-machine.patch +btrfs-clear-space-cache-inode-generation-always.patch +nfsd-fix-stateid-races-between-open-and-close.patch +nfsd-fix-another-open-stateid-race.patch +nfsd-fix-panic-in-posix_unblock_lock-called-from-nfs4_laundromat.patch +crypto-algif_aead-skip-sgl-entries-with-null-page.patch +crypto-af_alg-remove-locking-in-async-callback.patch +crypto-skcipher-fix-skcipher_walk_aead_common.patch +lockd-lost-rollback-of-set_grace_period-in-lockd_down_net.patch +s390-revert-elf_et_dyn_base-base-changes.patch +drm-omapdrm-fix-dpi-on-platforms-using-the-dsi-vdds.patch +omapdrm-hdmi4-correct-the-soc-revision-matching.patch +apparmor-fix-oops-in-audit_signal_cb-hook.patch +arm64-module-plts-factor-out-plt-generation-code-for-ftrace.patch +arm64-ftrace-emit-ftrace-mod.o-contents-through-code.patch +powerpc-powernv-fix-kexec-crashes-caused-by-tlbie-tracing.patch +powerpc-kexec-fix-kexec-kdump-in-p9-guest-kernels.patch +kvm-x86-pvclock-handle-first-time-write-to-pvclock-page-contains-random-junk.patch +kvm-x86-exit-to-user-mode-on-ud-intercept-when-emulator-requires.patch +kvm-x86-inject-exceptions-produced-by-x86_decode_insn.patch +kvm-lapic-split-out-x2apic-ldr-calculation.patch +kvm-lapic-fixup-ldr-on-load-in-x2apic.patch +mmc-sdhci-avoid-swiotlb-buffer-being-full.patch +mmc-block-fix-missing-blk_put_request.patch +mmc-block-check-return-value-of-blk_get_request.patch +mmc-core-do-not-leave-the-block-driver-in-a-suspended-state.patch +mmc-block-ensure-that-debugfs-files-are-removed.patch +mmc-core-prepend-0x-to-pre_eol_info-entry-in-sysfs.patch +mmc-core-prepend-0x-to-ocr-entry-in-sysfs.patch +acpi-ec-fix-regression-related-to-pm-ops-support-in-ecdt-device.patch +eeprom-at24-fix-reading-from-24mac402-24mac602.patch +eeprom-at24-correctly-set-the-size-for-at24mac402.patch +eeprom-at24-check-at24_read-write-arguments.patch +i2c-i801-fix-failed-to-allocate-irq-2147483648-error.patch +cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch +bcache-fix-building-error-on-mips.patch +bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch +bcache-recover-data-from-backing-when-data-is-clean.patch