From: Greg Kroah-Hartman Date: Sun, 27 May 2018 14:32:43 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v3.18.111~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9300359b386f845ad635ac912499a8af8e9ff9f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch acpica-fix-memory-leak-on-unusual-memory-leak.patch alsa-vmaster-propagate-slave-error.patch arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch arm-dts-ls1021a-specify-tbipa-register-address.patch arm-dts-porter-fix-hdmi-output-routing.patch arm-dts-socfpga-fix-gic-ppi-warning.patch arm64-dts-qcom-fix-spi5-config-on-msm8996.patch ath10k-advertize-beacon_int_min_gcd.patch ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch ath9k-fix-crash-in-spectral-scan.patch audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch bcache-stop-dc-writeback_rate_update-properly.patch block-null_blk-fix-invalid-parameters-when-loading-module.patch bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch btrfs-bail-out-on-error-during-replay_dir_deletes.patch btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch btrfs-fix-copy_items-return-value-when-logging-an-inode.patch btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch btrfs-fix-null-pointer-dereference-in-log_dir_items.patch btrfs-fix-possible-softlock-on-single-core-machines.patch btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch coresight-use-px-to-print-pcsr-instead-of-p.patch cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch cpufreq-reorder-cpufreq_online-error-code-path.patch cxgb4-fix-queue-free-path-of-uld-drivers.patch cxgb4-setup-fw-queues-before-registering-netdev.patch cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch dpaa_eth-fix-pause-capability-advertisement-logic.patch dpaa_eth-fix-sg-mapping.patch drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch drm-amdkfd-add-missing-include-of-mm.h.patch drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch efi-arm-only-register-page-tables-when-they-exist.patch enic-enable-rq-before-updating-rq-descriptors.patch ext4-don-t-complain-about-incorrect-features-when-probing.patch f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch f2fs-fix-to-clear-cp_trimmed_flag.patch f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch firmware-dmi_scan-fix-uuid-length-safety-check.patch firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch gfs2-check-for-the-end-of-metadata-in-punch_hole.patch gfs2-fix-fallocate-chunk-size.patch hv_netvsc-fix-the-return-status-in-rx-path.patch hwmon-nct6775-fix-writing-pwmx_mode.patch hwmon-pmbus-adm1275-accept-negative-page-register-values.patch hwmon-pmbus-max8688-accept-negative-page-register-values.patch hwrng-bcm2835-handle-deferred-clock-properly.patch hwrng-stm32-add-reset-during-probe.patch i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch ibmvnic-allocate-statistics-buffers-during-probe.patch ibmvnic-fix-reset-return-from-closed-state.patch ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch ieee802154-ca8210-fix-uninitialised-data-read.patch ima-clear-ima_hash.patch ima-fallback-to-the-builtin-hash-algorithm.patch ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch intel_th-use-correct-method-of-finding-hub.patch iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch iommu-mediatek-fix-protect-memory-setting.patch ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch kasan-fix-invalid-free-test-crashing-the-kernel.patch kasan-slub-fix-handling-of-kasan_slab_free-hook.patch kdb-make-mdr-command-repeat.patch kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch lan78xx-connect-phy-early.patch m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch max17042-propagate-of_node-to-power-supply-device.patch mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch mm-ksm-fix-interaction-with-thp.patch mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch net-bgmac-correctly-annotate-register-space.patch net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch net-mlx5-protect-from-command-bit-overflow.patch net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch net-smc-pay-attention-to-max_order-for-cq-entries.patch net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch nvme-don-t-send-keep-alives-to-the-discovery-controller.patch nvme-expand-nvmf_check_if_ready-checks.patch nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch perf-clang-add-support-for-recent-clang-versions.patch perf-core-fix-installing-cgroup-events-on-cpu.patch perf-core-fix-perf_output_read_group.patch perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch perf-report-fix-wrong-jump-arrow.patch perf-stat-fix-core-dump-when-flag-t-is-used.patch perf-test-fix-test-case-inet_pton-to-accept-inlines.patch perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch perf-tools-fix-perf-builds-with-clang-support.patch perf-top-fix-top.call-graph-config-option-reading.patch perf-x86-intel-fix-event-update-for-auto-reload.patch perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch phy-qcom-qmp-fix-phy-pipe-clock-gating.patch phy-rockchip-emmc-retry-calpad-busy-trimming.patch pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch pinctrl-msm-use-dynamic-gpio-numbering.patch pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch power-supply-ltc2941-battery-gauge-fix-temperature-units.patch powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch powerpc-add-missing-prototype-for-arch_irq_work_raise.patch powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch regmap-correct-comparison-in-regmap_cached.patch regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch riscv-spinlock-strengthen-implementations-with-fences.patch rsi-fix-kernel-panic-observed-on-64bit-machine.patch rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch rxrpc-fix-resend-event-time-calculation.patch rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch selftests-add-fib-onlink-tests.patch selftests-net-fixes-psock_fanout-ebpf-test-case.patch selftests-print-the-test-we-re-running-to-dev-kmsg.patch sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch soc-renesas-r8a77970-sysc-fix-power-area-parents.patch sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch spi-bcm-qspi-fix-some-error-handling-paths.patch sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch tools-hv-fix-compiler-warnings-about-major-target_fname.patch tools-thermal-tmon-fix-for-segfault.patch udf-provide-saner-default-for-invalid-uid-gid.patch vfio-ccw-fence-off-transport-mode.patch virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch watchdog-aspeed-allow-configuring-for-alternate-boot.patch watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch watchdog-dw-rmw-the-control-register.patch watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch x86-devicetree-fix-device-irq-settings-in-dt.patch x86-devicetree-initialize-device-tree-before-using-it.patch x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch xen-acpi-off-by-one-in-read_acpi_id.patch z3fold-fix-memory-leak.patch zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch --- diff --git a/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch b/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch new file mode 100644 index 00000000000..173f6712914 --- /dev/null +++ b/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Lenny Szubowicz +Date: Tue, 27 Mar 2018 09:56:40 -0400 +Subject: ACPI: acpi_pad: Fix memory leak in power saving threads + +From: Lenny Szubowicz + +[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ] + +Fix once per second (round_robin_time) memory leak of about 1 KB in +each acpi_pad kernel idling thread that is activated. + +Found by testing with kmemleak. + +Signed-off-by: Lenny Szubowicz +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_pad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -110,6 +110,7 @@ static void round_robin_cpu(unsigned int + cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus); + if (cpumask_empty(tmp)) { + mutex_unlock(&round_robin_lock); ++ free_cpumask_var(tmp); + return; + } + for_each_cpu(cpu, tmp) { +@@ -127,6 +128,8 @@ static void round_robin_cpu(unsigned int + mutex_unlock(&round_robin_lock); + + set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu)); ++ ++ free_cpumask_var(tmp); + } + + static void exit_round_robin(unsigned int tsk_index) diff --git a/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch b/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch new file mode 100644 index 00000000000..324d386c677 --- /dev/null +++ b/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch @@ -0,0 +1,91 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Seunghun Han +Date: Wed, 14 Mar 2018 16:12:56 -0700 +Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c + +From: Seunghun Han + +[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ] + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.464168] ACPI: Added _OSI(Module Device) +>[ 0.467022] ACPI: Added _OSI(Processor Device) +>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.497683] ACPI: Interpreter enabled +>[ 0.499385] ACPI: (supports S0) +>[ 0.501151] ACPI: Using IOAPIC for interrupt routing +>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991) +>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.529668] Call Trace: +>[ 0.530811] ? dump_stack+0x5c/0x81 +>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.537237] ? acpi_terminate+0xa/0x14 +>[ 0.538701] ? acpi_init+0x2af/0x34f +>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.541593] ? do_one_initcall+0x4e/0x1a0 +>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f +>[ 0.546202] ? rest_init+0x80/0x80 +>[ 0.547513] ? kernel_init+0xa/0x100 +>[ 0.548817] ? ret_from_fork+0x25/0x30 +>[ 0.550587] vgaarb: loaded +>[ 0.551716] EDAC MC: Ver: 3.0.0 +>[ 0.553744] PCI: Probing PCI hardware +>[ 0.555038] PCI host bridge to bus 0000:00 +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ns_evaluate() function +only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors +occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is +also not null. Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Signed-off-by: Seunghun Han +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/nseval.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/acpica/nseval.c ++++ b/drivers/acpi/acpica/nseval.c +@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi + /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */ + + status = AE_OK; ++ } else if (ACPI_FAILURE(status)) { ++ ++ /* If return_object exists, delete it */ ++ ++ if (info->return_object) { ++ acpi_ut_remove_reference(info->return_object); ++ info->return_object = NULL; ++ } + } + + ACPI_DEBUG_PRINT((ACPI_DB_NAMES, diff --git a/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch b/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch new file mode 100644 index 00000000000..25fbbb73846 --- /dev/null +++ b/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Erik Schmauss +Date: Wed, 14 Mar 2018 16:13:08 -0700 +Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read + +From: Erik Schmauss + +[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ] + +This ensures that acpi_ev_fixed_event_detect() does not use fixed_status +and and fixed_enable as uninitialized variables. + +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/evevent.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpica/evevent.c ++++ b/drivers/acpi/acpica/evevent.c +@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void) + u32 fixed_status; + u32 fixed_enable; + u32 i; ++ acpi_status status; + + ACPI_FUNCTION_NAME(ev_fixed_event_detect); + +@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void) + * Read the fixed feature status and enable registers, as all the cases + * depend on their values. Ignore errors here. + */ +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); ++ status |= ++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ if (ACPI_FAILURE(status)) { ++ return (int_status); ++ } + + ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS, + "Fixed Event Block: Enable %08X Status %08X\n", diff --git a/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch b/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch new file mode 100644 index 00000000000..48ed08e5090 --- /dev/null +++ b/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Bob Moore +Date: Wed, 14 Mar 2018 16:13:01 -0700 +Subject: ACPICA: Fix memory leak on unusual memory leak + +From: Bob Moore + +[ Upstream commit 1c29c372b2d1d2415601041532745ce859f24126 ] + +Fixes a single-object memory leak on a store-to-reference method +invocation. ACPICA BZ 1439. + +Signed-off-by: Bob Moore +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/psargs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -890,6 +890,10 @@ acpi_ps_get_next_arg(struct acpi_walk_st + ACPI_POSSIBLE_METHOD_CALL); + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { ++ ++ /* Free method call op and corresponding namestring sub-ob */ ++ ++ acpi_ps_free_op(arg->common.value.arg); + acpi_ps_free_op(arg); + arg = NULL; + walk_state->arg_count = 1; diff --git a/queue-4.16/alsa-vmaster-propagate-slave-error.patch b/queue-4.16/alsa-vmaster-propagate-slave-error.patch new file mode 100644 index 00000000000..6596128eadf --- /dev/null +++ b/queue-4.16/alsa-vmaster-propagate-slave-error.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Takashi Iwai +Date: Thu, 8 Mar 2018 08:26:48 +0100 +Subject: ALSA: vmaster: Propagate slave error + +From: Takashi Iwai + +[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ] + +In slave_update() of vmaster code ignores the error from the slave +get() callback and copies the values. It's not only about the missing +error code but also that this may potentially lead to a leak of +uninitialized variables when the slave get() don't clear them. + +This patch fixes slave_update() not to copy the potentially +uninitialized values when an error is returned from the slave get() +callback, and to propagate the error value properly. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/vmaster.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/core/vmaster.c ++++ b/sound/core/vmaster.c +@@ -68,10 +68,13 @@ static int slave_update(struct link_slav + return -ENOMEM; + uctl->id = slave->slave.id; + err = slave->slave.get(&slave->slave, uctl); ++ if (err < 0) ++ goto error; + for (ch = 0; ch < slave->info.count; ch++) + slave->vals[ch] = uctl->value.integer.value[ch]; ++ error: + kfree(uctl); +- return 0; ++ return err < 0 ? err : 0; + } + + /* get the slave ctl info and save the initial values */ diff --git a/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch b/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch new file mode 100644 index 00000000000..a12a809c043 --- /dev/null +++ b/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Peter Rosin +Date: Tue, 16 Jan 2018 17:06:17 +0100 +Subject: ARM: dts: at91: nattis: use the correct compatible for the eeprom + +From: Peter Rosin + +[ Upstream commit 6b65933008a6bbe5ff79a344b41175826848682d ] + +The used part does contain an eeprom compatible with an Atmel 24c02 +chip and it is from NXP, but it is not called 24c02. It's actually a +se97b chip. Adjust the compatible accordingly. + +Fixes: 0e4323899973 ("ARM: dts: at91: add devicetree for the Axentia Nattis with Natte power") +Signed-off-by: Peter Rosin +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-nattis-2-natte-2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-nattis-2-natte-2.dts ++++ b/arch/arm/boot/dts/at91-nattis-2-natte-2.dts +@@ -146,7 +146,7 @@ + }; + + eeprom@50 { +- compatible = "nxp,24c02"; ++ compatible = "nxp,se97b", "atmel,24c02"; + reg = <0x50>; + pagesize = <16>; + }; diff --git a/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch b/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch new file mode 100644 index 00000000000..ab429eb70a1 --- /dev/null +++ b/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Peter Rosin +Date: Tue, 16 Jan 2018 17:06:18 +0100 +Subject: ARM: dts: at91: tse850: use the correct compatible for the eeprom + +From: Peter Rosin + +[ Upstream commit 7981190fb5dd710dea08c2613cee3d05e795ca5e ] + +The used part does contain an eeprom compatible with an Atmel 24c02 +chip and it is from NXP, but it is not called 24c02. It's actually a +se97b chip. Adjust the compatible accordingly. + +Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-tse850-3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-tse850-3.dts ++++ b/arch/arm/boot/dts/at91-tse850-3.dts +@@ -246,7 +246,7 @@ + }; + + eeprom@50 { +- compatible = "nxp,24c02", "atmel,24c02"; ++ compatible = "nxp,se97b", "atmel,24c02"; + reg = <0x50>; + pagesize = <16>; + }; diff --git a/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch b/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch new file mode 100644 index 00000000000..110c47f06ff --- /dev/null +++ b/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Henry Zhang +Date: Wed, 17 Jan 2018 18:41:33 -0800 +Subject: ARM: dts: bcm283x: Fix pin function of JTAG pins + +From: Henry Zhang + +[ Upstream commit 1a012cb2569f2031b3636232c3ab21c20c92d281 ] + +BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13 +carry altenate function, ALT5 for ARM JTAG + +Fixes: 21ff843931b2 ("ARM: dts: bcm283x: Define standard pinctrl groups in the gpio node.") + +Signed-off-by: Henry Zhang +Acked-by: Stefan Wahren +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -252,7 +252,7 @@ + + jtag_gpio4: jtag_gpio4 { + brcm,pins = <4 5 6 12 13>; +- brcm,function = ; ++ brcm,function = ; + }; + jtag_gpio22: jtag_gpio22 { + brcm,pins = <22 23 24 25 26 27>; diff --git a/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch b/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch new file mode 100644 index 00000000000..9a92174e633 --- /dev/null +++ b/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Stefan Wahren +Date: Fri, 16 Feb 2018 11:55:34 +0100 +Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s + +From: Stefan Wahren + +[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ] + +Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +the bcm2835-i2s requires a clock as DT property. Unfortunately +the necessary DT change has never been applied. While we are at it +also fix the first PCM register range to cover the PCM_GRAY register. + +Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +Signed-off-by: Stefan Wahren +Reviewed-by: Eric Anholt +Tested-by: Matthias Reichl +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -397,8 +397,8 @@ + + i2s: i2s@7e203000 { + compatible = "brcm,bcm2835-i2s"; +- reg = <0x7e203000 0x20>, +- <0x7e101098 0x02>; ++ reg = <0x7e203000 0x24>; ++ clocks = <&clocks BCM2835_CLOCK_PCM>; + + dmas = <&dma 2>, + <&dma 3>; diff --git a/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch b/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch new file mode 100644 index 00000000000..2596ecde38f --- /dev/null +++ b/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ravikumar Kattekola +Date: Tue, 6 Feb 2018 18:28:02 +0530 +Subject: ARM: dts: dra71-evm: Correct evm_sd regulator max voltage + +From: Ravikumar Kattekola + +[ Upstream commit f4aa1bd5b4fc80f5f4ecd184caad832fd62c25f7 ] + +Correct vpo_sd_1v8_3v3 regulator max voltage to 3.3V + +Fixes: 9868bc585ae2 ("ARM: dts: Add support for dra718-evm") +Signed-off-by: Ravikumar Kattekola +Signed-off-by: Sekhar Nori +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra71-evm.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra71-evm.dts ++++ b/arch/arm/boot/dts/dra71-evm.dts +@@ -24,13 +24,13 @@ + + regulator-name = "vddshv8"; + regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <3000000>; ++ regulator-max-microvolt = <3300000>; + regulator-boot-on; + vin-supply = <&evm_5v0>; + + gpios = <&gpio7 11 GPIO_ACTIVE_HIGH>; + states = <1800000 0x0 +- 3000000 0x1>; ++ 3300000 0x1>; + }; + + evm_1v8_sw: fixedregulator-evm_1v8 { diff --git a/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch b/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch new file mode 100644 index 00000000000..b6c16cd8997 --- /dev/null +++ b/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch @@ -0,0 +1,87 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Aapo Vienamo +Date: Wed, 31 Jan 2018 14:34:07 +0000 +Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet + +From: Aapo Vienamo + +[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ] + +The missing last digit of the CONFIG values is added. Looks like a typo +of some sort when comparing to the downstream dt. This fixes +intermittent behavior behaviour of the ethernet controllers. + +Signed-off-by: Aapo Vienamo +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts ++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts +@@ -213,37 +213,37 @@ + &iomuxc { + pinctrl_enet1: enet1grp { + fsl,pins = < +- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3 +- MX7D_PAD_SD2_WP__ENET1_MDC 0x3 +- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1 +- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1 +- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1 +- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1 +- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1 +- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1 +- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1 +- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1 +- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1 +- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1 +- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1 +- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1 ++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30 ++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30 ++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11 ++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11 ++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11 ++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11 ++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11 ++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11 ++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11 ++ MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11 ++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11 ++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11 ++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11 ++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11 + >; + }; + + pinctrl_enet2: enet2grp { + fsl,pins = < +- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1 +- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1 +- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1 +- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1 +- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1 +- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1 +- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1 +- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1 +- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1 +- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1 +- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1 +- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1 ++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11 ++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11 ++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11 ++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11 ++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11 ++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11 ++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11 ++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11 ++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11 ++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11 ++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11 ++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11 + >; + }; + diff --git a/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch b/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch new file mode 100644 index 00000000000..82f6d7491b4 --- /dev/null +++ b/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Suman Anna +Date: Mon, 5 Mar 2018 16:18:49 -0800 +Subject: ARM: dts: keystone-k2e-clocks: Fix missing unit address separator + +From: Suman Anna + +[ Upstream commit 5a3a03905a433216f517babd0a343ae7265e9ca1 ] + +Commit 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit +name to clock nodes that have regs") fixed the unit names on various +clock nodes but missed out adding the unit address separator on the +clkhyperlink0 clock node. Fix the same. + +Fixes: 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit name to clock nodes that have regs") +Signed-off-by: Suman Anna +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/keystone-k2e-clocks.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/keystone-k2e-clocks.dtsi ++++ b/arch/arm/boot/dts/keystone-k2e-clocks.dtsi +@@ -42,7 +42,7 @@ clocks { + domain-id = <0>; + }; + +- clkhyperlink0: clkhyperlink02350030 { ++ clkhyperlink0: clkhyperlink0@2350030 { + #clock-cells = <0>; + compatible = "ti,keystone,psc-clock"; + clocks = <&chipclk12>; diff --git a/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch b/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch new file mode 100644 index 00000000000..000113dfde0 --- /dev/null +++ b/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Esben Haabendal +Date: Fri, 6 Apr 2018 14:46:35 +0200 +Subject: ARM: dts: ls1021a: Specify TBIPA register address + +From: Esben Haabendal + +[ Upstream commit 5571196135abb6d51e01592812997403c136067c ] + +The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of +the TBIPA register on LS1021A, which happens to be read-only. +Changing TBI PHY address therefore does not work on LS1021A. + +The real (and documented) address of the TBIPA registere lies in the eTSEC +block and not in MDIO/MII, which is read/write, so using that fixes +the problem. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -587,7 +587,8 @@ + device_type = "mdio"; + #address-cells = <1>; + #size-cells = <0>; +- reg = <0x0 0x2d24000 0x0 0x4000>; ++ reg = <0x0 0x2d24000 0x0 0x4000>, ++ <0x0 0x2d10030 0x0 0x4>; + }; + + ptp_clock@2d10e00 { diff --git a/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch b/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch new file mode 100644 index 00000000000..4b6d711c570 --- /dev/null +++ b/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Laurent Pinchart +Date: Sat, 13 Jan 2018 01:14:23 +0200 +Subject: ARM: dts: porter: Fix HDMI output routing + +From: Laurent Pinchart + +[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ] + +The HDMI encoder is connected to the RGB output of the DU, which is +port@0, not port@1. Fix the incorrect DT description. + +Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support") +Signed-off-by: Laurent Pinchart +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7791-porter.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/r8a7791-porter.dts ++++ b/arch/arm/boot/dts/r8a7791-porter.dts +@@ -425,7 +425,7 @@ + "dclkin.0", "dclkin.1"; + + ports { +- port@1 { ++ port@0 { + endpoint { + remote-endpoint = <&adv7511_in>; + }; diff --git a/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch b/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch new file mode 100644 index 00000000000..7c683979e9c --- /dev/null +++ b/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Philipp Puschmann +Date: Fri, 23 Mar 2018 10:22:15 +0100 +Subject: arm: dts: socfpga: fix GIC PPI warning + +From: Philipp Puschmann + +[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ] + +Fixes the warning "GIC: PPI13 is secure or misconfigured" by +changing the interrupt type from level_low to edge_raising + +Signed-off-by: Philipp Puschmann +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -831,7 +831,7 @@ + timer@fffec600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xfffec600 0x100>; +- interrupts = <1 13 0xf04>; ++ interrupts = <1 13 0xf01>; + clocks = <&mpu_periph_clk>; + }; + diff --git a/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch b/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch new file mode 100644 index 00000000000..689e1ff31b8 --- /dev/null +++ b/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ilia Lin +Date: Tue, 23 Jan 2018 09:36:18 +0200 +Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996 + +From: Ilia Lin + +[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ] + +Set correct clocks and interrupt values. +Fixes the incorrect SPI master configuration. This is +mandatory to make the SPI5 interface functional. + +Signed-off-by: Ilia Lin +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -497,8 +497,8 @@ + blsp2_spi5: spi@75ba000{ + compatible = "qcom,spi-qup-v2.2.1"; + reg = <0x075ba000 0x600>; +- interrupts = ; +- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>, ++ interrupts = ; ++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>, + <&gcc GCC_BLSP2_AHB_CLK>; + clock-names = "core", "iface"; + pinctrl-names = "default", "sleep"; diff --git a/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch b/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch new file mode 100644 index 00000000000..b70e9ca7347 --- /dev/null +++ b/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Anilkumar Kolli +Date: Wed, 28 Mar 2018 12:19:40 +0300 +Subject: ath10k: advertize beacon_int_min_gcd + +From: Anilkumar Kolli + +[ Upstream commit 8ebee73b574ad3dd1f14d461f65ceaffbd637650 ] + +This patch fixes regression caused by 0c317a02ca98 +("cfg80211: support virtual interfaces with different beacon intervals"), +with this change cfg80211 expects the driver to advertize +'beacon_int_min_gcd' to support different beacon intervals in multivap +scenario. This support is added for, QCA988X/QCA99X0/QCA9984/QCA4019. + +Verifed AP + mesh bring up on QCA9984 with beacon interval 100msec and +1000msec respectively. +Frimware: firmware-5.bin_10.4-3.5.3-00053 + +Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals") +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7873,6 +7873,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 8, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | +@@ -7996,6 +7997,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 16, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | diff --git a/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch b/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch new file mode 100644 index 00000000000..069a5a2c324 --- /dev/null +++ b/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch @@ -0,0 +1,104 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Karthikeyan Periyasamy +Date: Mon, 12 Mar 2018 17:09:40 +0530 +Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) + +From: Karthikeyan Periyasamy + +[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ] + +When attempt to run worker (ath10k_sta_rc_update_wk) after the station object +(ieee80211_sta) delete will trigger the kernel panic. + +This problem arise in AP + Mesh configuration, Where the current node AP VAP +and neighbor node mesh VAP MAC address are same. When the current mesh node +try to establish the mesh link with neighbor node, driver peer creation for +the neighbor mesh node fails due to duplication MAC address. Already the AP +VAP created with same MAC address. + +It is caused by the following scenario steps. + +Steps: +1. In above condition, ath10k driver sta_state callback (ath10k_sta_state) + fails to do the state change for a station from IEEE80211_STA_NOTEXIST + to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is + called from ieee80211_add_station() to handle the new station + (neighbor mesh node) request from the wpa_supplicant. +2. Concurrently ath10k receive the sta_rc_update callback notification from + the mesh_neighbour_update() to handle the beacon frames of the above + neighbor mesh node. since its atomic callback, ath10k driver queue the + work (ath10k_sta_rc_update_wk) to handle rc update. +3. Due to driver sta_state callback fails (step 1), mac80211 free the station + object. +4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access + the station object which is already deleted. so it will trigger kernel + panic. + +Added the peer exist check in sta_rc_update callback before queue the work. + +Kernel Panic log: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0204000 +[00000000] *pgd=00000000 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1 +task: dcef0000 ti: d72b6000 task.ti: d72b6000 +PC is at pwq_activate_delayed_work+0x10/0x40 +LR is at pwq_activate_delayed_work+0xc/0x40 +pc : [] lr : [] psr: 40000193 +sp : d72b7f18 ip : 0000007a fp : d72b6000 +r10: 00000000 r9 : dd404414 r8 : d8c31998 +r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300 +r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000 +Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 10c5787d Table: 595bc06a DAC: 00000015 +... +Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238) +Stack: (0xd72b7f18 to 0xd72b8000) +7f00: 00000001 dcee1300 +7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089 +7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000 +7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000 +7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340 +7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000 +7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[] (pwq_activate_delayed_work) from [] (pwq_dec_nr_in_flight+0x58/0xc4) +[] (pwq_dec_nr_in_flight) from [] (worker_thread+0x228/0x360) +[] (worker_thread) from [] (kthread+0xd8/0xec) +[] (kthread) from [] (ret_from_fork+0x14/0x34) +Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs +Rebooting in 3 seconds.. + +Signed-off-by: Karthikeyan Periyasamy +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7084,10 +7084,20 @@ static void ath10k_sta_rc_update(struct + { + struct ath10k *ar = hw->priv; + struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv; ++ struct ath10k_vif *arvif = (void *)vif->drv_priv; ++ struct ath10k_peer *peer; + u32 bw, smps; + + spin_lock_bh(&ar->data_lock); + ++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr); ++ if (!peer) { ++ spin_unlock_bh(&ar->data_lock); ++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n", ++ sta->addr, arvif->vdev_id); ++ return; ++ } ++ + ath10k_dbg(ar, ATH10K_DBG_MAC, + "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n", + sta->addr, changed, sta->bandwidth, sta->rx_nss, diff --git a/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch b/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch new file mode 100644 index 00000000000..79c2b9c19a3 --- /dev/null +++ b/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch @@ -0,0 +1,147 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sebastian Gottschall +Date: Sat, 3 Mar 2018 05:10:44 +0100 +Subject: ath9k: fix crash in spectral scan + +From: Sebastian Gottschall + +[ Upstream commit 221b6ec69ed9c56b6cd9a124a387a9472f14284e ] + +Fixes crash seen on arm smp systems (gateworks ventana imx6): + +Unable to handle kernel NULL pointer dereference at virtual address 00000014 +pgd = 80004000 +[00000014] *pgd=00000000 +Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM +Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt +CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +task: bf064980 task.stack: bf07c000 +PC is at relay_buf_full+0xc/0x30 +LR is at _674+0x740/0xf10 [ath9k] +pc : [<8018bce0>] lr : [<7f1aa604>] psr: 80000013 +sp : bf07dbf0 ip : bf07dc00 fp : bf07dbfc +r10: 0000003f r9 : bf130e00 r8 : 809044b0 +r7 : 00000000 r6 : be67a9f0 r5 : 00000000 r4 : 809043e4 +r3 : c0864c24 r2 : 00000000 r1 : 00000004 r0 : 00000000 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c5387d Table: 4e6a004a DAC: 00000055 +Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210) +Stack: (0xbf07dbf0 to 0xbf07e000) +dbe0: bf07dd04 bf07dc00 7f1aa604 8018bce0 +dc00: 00004014 be59e010 bf07dc34 bf07dc18 7f1a7084 7f19c07c be59c010 be6470a0 +dc20: 0000096c be648954 bf07dc6c bf07dc38 7f1c286c bf07dd90 bf07dc5c bf07dc48 +dc40: 8029ea4c 0000003c 00000001 be59c010 00000094 00000000 00000000 00000000 +dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dcc0: 00000000 00000000 00000000 00000000 00000000 00000000 8010ef24 00000030 +dce0: be94f5e8 be6485a0 bddf0200 be59c010 be6465a0 be6415a0 bf07ddf4 bf07dd08 +dd00: 7f1cf800 7f1aa55c 1fc38c4c 00000000 bf07dd58 cccccccd 66666667 be640bc0 +dd20: bf07dd54 be6415a0 1fc38c4c 00000000 00000000 be59c038 be67a9c0 be59e010 +dd40: be67a9f0 be647170 8090c904 be59c010 00000000 00000001 1fc38e84 00000000 +dd60: be640bc0 bddf0200 00000200 00000010 0000003f 00000002 20000013 be59c010 +dd80: 8092d940 bf7ca2c0 bf07ddb4 bf07dd98 1fc38c4c 2602003f 0100ff1b 80ff1b00 +dda0: 00808080 00000000 00000000 80808080 80808080 80808080 80808080 00008080 +ddc0: 00000000 00000000 7f1b62b8 00000002 be6470ec be6470f0 00000000 bf07de98 +dde0: 8092d940 be6415a0 bf07de94 bf07ddf8 7f1d1ed8 7f1cf1fc 00000000 00000000 +de00: bf7cc4c0 00000400 be6470f0 bf07de18 8015165c be59c010 8090453c 8090453c +de20: bf07dec4 be6465a0 8014f614 80148884 0000619a 00000001 bf07c000 00000100 +de40: bf07de78 00000001 7f327850 00000002 afb50401 bf064980 bf07de9c bf07de68 +de60: bf064a00 803cc668 bf064a00 be6470b4 be6470b8 80844180 00000000 bf07de98 +de80: 8092d940 bf07c000 bf07dec4 bf07de98 80124d18 7f1d1c44 80124c94 00000000 +dea0: 00000006 80902098 80902080 40000006 00000100 bf07c000 bf07df24 bf07dec8 +dec0: 8012501c 80124ca0 bf7cc4c0 bf064980 be95e1c0 04208040 80902d00 000061c7 +dee0: 0000000a 80600b54 8092d940 808441f8 80902080 bf07dec8 bf03b200 bf07c000 +df00: bf03b200 8090fe54 00000000 00000000 00000000 00000000 bf07df34 bf07df28 +df20: 80125148 80124f28 bf07df5c bf07df38 8013deb4 8012511c 00000000 bf03b240 +df40: bf03b200 8013dc90 00000000 00000000 bf07dfac bf07df60 8013ad40 8013dc9c +df60: 70448040 00000001 00000000 bf03b200 00000000 00030003 bf07df78 bf07df78 +df80: 00000000 00000000 bf07df88 bf07df88 bf03b240 8013ac48 00000000 00000000 +dfa0: 00000000 bf07dfb0 80107760 8013ac54 00000000 00000000 00000000 00000000 +dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 8c120004 1190ad04 +Backtrace: +[<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k]) +[<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k]) + r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8 + r4:00000030 +[<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k]) + r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec + r4:00000002 +[<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8) + r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8 + r4:be6470b4 +[<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4) + r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006 + r4:00000000 r3:80124c94 +[<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c) + r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200 + r4:bf07c000 +[<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260) +[<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100) + r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000 +[<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34) + r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240 +Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014) +---[ end trace dddf11ac9111b272 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +CPU1: stopping +CPU: 1 PID: 0 Comm: swapper/1 Tainted: P D 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Backtrace: +[<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c) + r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000 +[<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8) +[<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180) + r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4 +[<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c) + r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c +[<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c) +Exception stack(0xbf093f58 to 0xbf093fa0) +3f40: bf7d62a0 00000000 +3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a +3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff + r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050 +[<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34) +[<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc) +[<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174) + r7:8092d2f8 r4:80913568 +[<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488) + r5:00000055 r4:4f07806a +Rebooting in 10 seconds.. +Reboot failed -- System halted + +Signed-off-by: Sebastian Gottschall +Signed-off-by: Kalle Valo + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/common-spectral.c ++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c +@@ -479,14 +479,16 @@ ath_cmn_is_fft_buf_full(struct ath_spec_ + { + int i = 0; + int ret = 0; ++ struct rchan_buf *buf; + struct rchan *rc = spec_priv->rfs_chan_spec_scan; + +- for_each_online_cpu(i) +- ret += relay_buf_full(*per_cpu_ptr(rc->buf, i)); ++ for_each_possible_cpu(i) { ++ if ((buf = *per_cpu_ptr(rc->buf, i))) { ++ ret += relay_buf_full(buf); ++ } ++ } + +- i = num_online_cpus(); +- +- if (ret == i) ++ if (ret) + return 1; + else + return 0; diff --git a/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch b/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..500ea4689dd --- /dev/null +++ b/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Richard Guy Briggs +Date: Wed, 21 Feb 2018 04:30:07 -0500 +Subject: audit: return on memory error to avoid null pointer dereference + +From: Richard Guy Briggs + +[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ] + +If there is a memory allocation error when trying to change an audit +kernel feature value, the ignored allocation error will trigger a NULL +pointer dereference oops on subsequent use of that pointer. Return +instead. + +Passes audit-testsuite. +See: https://github.com/linux-audit/audit-kernel/issues/76 + +Signed-off-by: Richard Guy Briggs +[PM: not necessary (other funcs check for NULL), but a good practice] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1058,6 +1058,8 @@ static void audit_log_feature_change(int + return; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); ++ if (!ab) ++ return; + audit_log_task_info(ab, current); + audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, diff --git a/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch b/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch new file mode 100644 index 00000000000..b3a8cd4adbc --- /dev/null +++ b/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch @@ -0,0 +1,176 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:14 -0700 +Subject: bcache: fix cached_dev->count usage for bch_cache_set_error() + +From: Coly Li + +[ Upstream commit 804f3c6981f5e4a506a8f14dc284cb218d0659ae ] + +When bcache metadata I/O fails, bcache will call bch_cache_set_error() +to retire the whole cache set. The expected behavior to retire a cache +set is to unregister the cache set, and unregister all backing device +attached to this cache set, then remove sysfs entries of the cache set +and all attached backing devices, finally release memory of structs +cache_set, cache, cached_dev and bcache_device. + +In my testing when journal I/O failure triggered by disconnected cache +device, sometimes the cache set cannot be retired, and its sysfs +entry /sys/fs/bcache/ still exits and the backing device also +references it. This is not expected behavior. + +When metadata I/O failes, the call senquence to retire whole cache set is, + bch_cache_set_error() + bch_cache_set_unregister() + bch_cache_set_stop() + __cache_set_unregister() <- called as callback by calling + clousre_queue(&c->caching) + cache_set_flush() <- called as a callback when refcount + of cache_set->caching is 0 + cache_set_free() <- called as a callback when refcount + of catch_set->cl is 0 + bch_cache_set_release() <- called as a callback when refcount + of catch_set->kobj is 0 + +I find if kernel thread bch_writeback_thread() quits while-loop when +kthread_should_stop() is true and searched_full_index is false, clousre +callback cache_set_flush() set by continue_at() will never be called. The +result is, bcache fails to retire whole cache set. + +cache_set_flush() will be called when refcount of closure c->caching is 0, +and in function bcache_device_detach() refcount of closure c->caching is +released to 0 by clousre_put(). In metadata error code path, function +bcache_device_detach() is called by cached_dev_detach_finish(). This is a +callback routine being called when cached_dev->count is 0. This refcount +is decreased by cached_dev_put(). + +The above dependence indicates, cache_set_flush() will be called when +refcount of cache_set->cl is 0, and refcount of cache_set->cl to be 0 +when refcount of cache_dev->count is 0. + +The reason why sometimes cache_dev->count is not 0 (when metadata I/O fails +and bch_cache_set_error() called) is, in bch_writeback_thread(), refcount +of cache_dev is not decreased properly. + +In bch_writeback_thread(), cached_dev_put() is called only when +searched_full_index is true and cached_dev->writeback_keys is empty, a.k.a +there is no dirty data on cache. In most of run time it is correct, but +when bch_writeback_thread() quits the while-loop while cache is still +dirty, current code forget to call cached_dev_put() before this kernel +thread exits. This is why sometimes cache_set_flush() is not executed and +cache set fails to be retired. + +The reason to call cached_dev_put() in bch_writeback_rate() is, when the +cache device changes from clean to dirty, cached_dev_get() is called, to +make sure during writeback operatiions both backing and cache devices +won't be released. + +Adding following code in bch_writeback_thread() does not work, + static int bch_writeback_thread(void *arg) + } + ++ if (atomic_read(&dc->has_dirty)) ++ cached_dev_put() ++ + return 0; + } +because writeback kernel thread can be waken up and start via sysfs entry: + echo 1 > /sys/block/bcache/bcache/writeback_running +It is difficult to check whether backing device is dirty without race and +extra lock. So the above modification will introduce potential refcount +underflow in some conditions. + +The correct fix is, to take cached dev refcount when creating the kernel +thread, and put it before the kernel thread exits. Then bcache does not +need to take a cached dev refcount when cache turns from clean to dirty, +or to put a cached dev refcount when cache turns from ditry to clean. The +writeback kernel thread is alwasy safe to reference data structure from +cache set, cache and cached device (because a refcount of cache device is +taken for it already), and no matter the kernel thread is stopped by I/O +errors or system reboot, cached_dev->count can always be used correctly. + +The patch is simple, but understanding how it works is quite complicated. + +Changelog: +v2: set dc->writeback_thread to NULL in this patch, as suggested by Hannes. +v1: initial version for review. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 1 - + drivers/md/bcache/writeback.c | 11 ++++++++--- + drivers/md/bcache/writeback.h | 2 -- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1065,7 +1065,6 @@ int bch_cached_dev_attach(struct cached_ + if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) { + bch_sectors_dirty_init(&dc->disk); + atomic_set(&dc->has_dirty, 1); +- refcount_inc(&dc->count); + bch_writeback_queue(dc); + } + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -578,7 +578,7 @@ static int bch_writeback_thread(void *ar + + if (kthread_should_stop()) { + set_current_state(TASK_RUNNING); +- return 0; ++ break; + } + + schedule(); +@@ -591,7 +591,6 @@ static int bch_writeback_thread(void *ar + if (searched_full_index && + RB_EMPTY_ROOT(&dc->writeback_keys.keys)) { + atomic_set(&dc->has_dirty, 0); +- cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); + /* +@@ -620,6 +619,9 @@ static int bch_writeback_thread(void *ar + } + } + ++ dc->writeback_thread = NULL; ++ cached_dev_put(dc); ++ + return 0; + } + +@@ -683,10 +685,13 @@ int bch_cached_dev_writeback_start(struc + if (!dc->writeback_write_wq) + return -ENOMEM; + ++ cached_dev_get(dc); + dc->writeback_thread = kthread_create(bch_writeback_thread, dc, + "bcache_writeback"); +- if (IS_ERR(dc->writeback_thread)) ++ if (IS_ERR(dc->writeback_thread)) { ++ cached_dev_put(dc); + return PTR_ERR(dc->writeback_thread); ++ } + + schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -105,8 +105,6 @@ static inline void bch_writeback_add(str + { + if (!atomic_read(&dc->has_dirty) && + !atomic_xchg(&dc->has_dirty, 1)) { +- refcount_inc(&dc->count); +- + if (BDEV_STATE(&dc->sb) != BDEV_STATE_DIRTY) { + SET_BDEV_STATE(&dc->sb, BDEV_STATE_DIRTY); + /* XXX: should do this synchronously */ diff --git a/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch b/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch new file mode 100644 index 00000000000..07cdbe3805b --- /dev/null +++ b/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch @@ -0,0 +1,132 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:15 -0700 +Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set + +From: Coly Li + +[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ] + +In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()", +cached_dev_get() is called when creating dc->writeback_thread, and +cached_dev_put() is called when exiting dc->writeback_thread. This +modification works well unless people detach the bcache device manually by + 'echo 1 > /sys/block/bcache/bcache/detach' +Because this sysfs interface only calls bch_cached_dev_detach() which wakes +up dc->writeback_thread but does not stop it. The reason is, before patch +"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside +bch_writeback_thread(), if cache is not dirty after writeback, +cached_dev_put() will be called here. And in cached_dev_make_request() when +a new write request makes cache from clean to dirty, cached_dev_get() will +be called there. Since we don't operate dc->count in these locations, +refcount d->count cannot be dropped after cache becomes clean, and +cached_dev_detach_finish() won't be called to detach bcache device. + +This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is +set inside bch_writeback_thread(). If this bit is set and cache is clean +(no existing writeback_keys), break the while-loop, call cached_dev_put() +and quit the writeback thread. + +Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the +writeback thread should continue to perform writeback, this is the original +design of manually detach. + +It is safe to do the following check without locking, let me explain why, ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + +If the kenrel thread does not sleep and continue to run due to conditions +are not updated in time on the running CPU core, it just consumes more CPU +cycles and has no hurt. This should-sleep-but-run is safe here. We just +focus on the should-run-but-sleep condition, which means the writeback +thread goes to sleep in mistake while it should continue to run. +1, First of all, no matter the writeback thread is hung or not, + kthread_stop() from cached_dev_detach_finish() will wake up it and + terminate by making kthread_should_stop() return true. And in normal + run time, bit on index BCACHE_DEV_DETACHING is always cleared, the + condition + !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) + is always true and can be ignored as constant value. +2, If one of the following conditions is true, the writeback thread should + go to sleep, + "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)" + each of them independently controls the writeback thread should sleep or + not, let's analyse them one by one. +2.1 condition "!atomic_read(&dc->has_dirty)" + If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will + call bch_writeback_queue() immediately or call bch_writeback_add() which + indirectly calls bch_writeback_queue() too. In bch_writeback_queue(), + wake_up_process(dc->writeback_thread) is called. It sets writeback + thread's task state to TASK_RUNNING and following an implicit memory + barrier, then tries to wake up the writeback thread. + In writeback thread, its task state is set to TASK_INTERRUPTIBLE before + doing the condition check. If other CPU core sets the TASK_RUNNING state + after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread + will be scheduled to run very soon because its state is not + TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before + writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier + of wake_up_process() will make sure modification of dc->has_dirty on + other CPU core is updated and observed on the CPU core of writeback + thread. Therefore the condition check will correctly be false, and + continue writeback code without sleeping. +2.2 condition "!dc->writeback_running)" + dc->writeback_running can be changed via sysfs file, every time it is + modified, a following bch_writeback_queue() is alwasy called. So the + change is always observed on the CPU core of writeback thread. If + dc->writeback_running is changed from 0 to 1 on other CPU core, this + condition check will observe the modification and allow writeback + thread to continue to run without sleeping. +Now we can see, even without a locking protection, multiple conditions +check is safe here, no deadlock or process hang up will happen. + +I compose a separte patch because that patch "bcache: fix cached_dev->count +usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes +Reinecke. Also this fix is not trivial and good for a separate patch. + +Signed-off-by: Coly Li +Reviewed-by: Michael Lyle +Cc: Hannes Reinecke +Cc: Huijun Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/writeback.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -565,9 +565,15 @@ static int bch_writeback_thread(void *ar + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); + set_current_state(TASK_INTERRUPTIBLE); +- if (!atomic_read(&dc->has_dirty) || +- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && +- !dc->writeback_running)) { ++ /* ++ * If the bache device is detaching, skip here and continue ++ * to perform writeback. Otherwise, if no dirty data on cache, ++ * or there is dirty data on cache but writeback is disabled, ++ * the writeback thread should sleep here and wait for others ++ * to wake up it. ++ */ ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + up_write(&dc->writeback_lock); + + if (kthread_should_stop()) { +@@ -588,6 +594,14 @@ static int bch_writeback_thread(void *ar + cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); ++ /* ++ * If bcache device is detaching via sysfs interface, ++ * writeback thread should stop after there is no dirty ++ * data on cache. BCACHE_DEV_DETACHING flag is set in ++ * bch_cached_dev_detach(). ++ */ ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ break; + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch b/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch new file mode 100644 index 00000000000..1aa4665be83 --- /dev/null +++ b/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch @@ -0,0 +1,264 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:16 -0700 +Subject: bcache: stop dc->writeback_rate_update properly + +From: Coly Li + +[ Upstream commit 3fd47bfe55b00d5ac7b0a44c9301c07be39b1082 ] + +struct delayed_work writeback_rate_update in struct cache_dev is a delayed +worker to call function update_writeback_rate() in period (the interval is +defined by dc->writeback_rate_update_seconds). + +When a metadate I/O error happens on cache device, bcache error handling +routine bch_cache_set_error() will call bch_cache_set_unregister() to +retire whole cache set. On the unregister code path, this delayed work is +stopped by calling cancel_delayed_work_sync(&dc->writeback_rate_update). + +dc->writeback_rate_update is a special delayed work from others in bcache. +In its routine update_writeback_rate(), this delayed work is re-armed +itself. That means when cancel_delayed_work_sync() returns, this delayed +work can still be executed after several seconds defined by +dc->writeback_rate_update_seconds. + +The problem is, after cancel_delayed_work_sync() returns, the cache set +unregister code path will continue and release memory of struct cache set. +Then the delayed work is scheduled to run, __update_writeback_rate() +will reference the already released cache_set memory, and trigger a NULL +pointer deference fault. + +This patch introduces two more bcache device flags, +- BCACHE_DEV_WB_RUNNING + bit set: bcache device is in writeback mode and running, it is OK for + dc->writeback_rate_update to re-arm itself. + bit clear:bcache device is trying to stop dc->writeback_rate_update, + this delayed work should not re-arm itself and quit. +- BCACHE_DEV_RATE_DW_RUNNING + bit set: routine update_writeback_rate() is executing. + bit clear: routine update_writeback_rate() quits. + +This patch also adds a function cancel_writeback_rate_update_dwork() to +wait for dc->writeback_rate_update quits before cancel it by calling +cancel_delayed_work_sync(). In order to avoid a deadlock by unexpected +quit dc->writeback_rate_update, after time_out seconds this function will +give up and continue to call cancel_delayed_work_sync(). + +And here I explain how this patch stops self re-armed delayed work properly +with the above stuffs. + +update_writeback_rate() sets BCACHE_DEV_RATE_DW_RUNNING at its beginning +and clears BCACHE_DEV_RATE_DW_RUNNING at its end. Before calling +cancel_writeback_rate_update_dwork() clear flag BCACHE_DEV_WB_RUNNING. + +Before calling cancel_delayed_work_sync() wait utill flag +BCACHE_DEV_RATE_DW_RUNNING is clear. So when calling +cancel_delayed_work_sync(), dc->writeback_rate_update must be already re- +armed, or quite by seeing BCACHE_DEV_WB_RUNNING cleared. In both cases +delayed work routine update_writeback_rate() won't be executed after +cancel_delayed_work_sync() returns. + +Inside update_writeback_rate() before calling schedule_delayed_work(), flag +BCACHE_DEV_WB_RUNNING is checked before. If this flag is cleared, it means +someone is about to stop the delayed work. Because flag +BCACHE_DEV_RATE_DW_RUNNING is set already and cancel_delayed_work_sync() +has to wait for this flag to be cleared, we don't need to worry about race +condition here. + +If update_writeback_rate() is scheduled to run after checking +BCACHE_DEV_RATE_DW_RUNNING and before calling cancel_delayed_work_sync() +in cancel_writeback_rate_update_dwork(), it is also safe. Because at this +moment BCACHE_DEV_WB_RUNNING is cleared with memory barrier. As I mentioned +previously, update_writeback_rate() will see BCACHE_DEV_WB_RUNNING is clear +and quit immediately. + +Because there are more dependences inside update_writeback_rate() to struct +cache_set memory, dc->writeback_rate_update is not a simple self re-arm +delayed work. After trying many different methods (e.g. hold dc->count, or +use locks), this is the only way I can find which works to properly stop +dc->writeback_rate_update delayed work. + +Changelog: +v3: change values of BCACHE_DEV_WB_RUNNING and BCACHE_DEV_RATE_DW_RUNNING + to bit index, for test_bit(). +v2: Try to fix the race issue which is pointed out by Junhui. +v1: The initial version for review + +Signed-off-by: Coly Li +Reviewed-by: Junhui Tang +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bcache.h | 9 +++++---- + drivers/md/bcache/super.c | 38 ++++++++++++++++++++++++++++++++++---- + drivers/md/bcache/sysfs.c | 3 ++- + drivers/md/bcache/writeback.c | 29 ++++++++++++++++++++++++++++- + 4 files changed, 69 insertions(+), 10 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -258,10 +258,11 @@ struct bcache_device { + struct gendisk *disk; + + unsigned long flags; +-#define BCACHE_DEV_CLOSING 0 +-#define BCACHE_DEV_DETACHING 1 +-#define BCACHE_DEV_UNLINK_DONE 2 +- ++#define BCACHE_DEV_CLOSING 0 ++#define BCACHE_DEV_DETACHING 1 ++#define BCACHE_DEV_UNLINK_DONE 2 ++#define BCACHE_DEV_WB_RUNNING 3 ++#define BCACHE_DEV_RATE_DW_RUNNING 4 + unsigned nr_stripes; + unsigned stripe_size; + atomic_t *stripe_sectors_dirty; +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -899,6 +899,31 @@ void bch_cached_dev_run(struct cached_de + pr_debug("error creating sysfs link"); + } + ++/* ++ * If BCACHE_DEV_RATE_DW_RUNNING is set, it means routine of the delayed ++ * work dc->writeback_rate_update is running. Wait until the routine ++ * quits (BCACHE_DEV_RATE_DW_RUNNING is clear), then continue to ++ * cancel it. If BCACHE_DEV_RATE_DW_RUNNING is not clear after time_out ++ * seconds, give up waiting here and continue to cancel it too. ++ */ ++static void cancel_writeback_rate_update_dwork(struct cached_dev *dc) ++{ ++ int time_out = WRITEBACK_RATE_UPDATE_SECS_MAX * HZ; ++ ++ do { ++ if (!test_bit(BCACHE_DEV_RATE_DW_RUNNING, ++ &dc->disk.flags)) ++ break; ++ time_out--; ++ schedule_timeout_interruptible(1); ++ } while (time_out > 0); ++ ++ if (time_out == 0) ++ pr_warn("give up waiting for dc->writeback_write_update to quit"); ++ ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++} ++ + static void cached_dev_detach_finish(struct work_struct *w) + { + struct cached_dev *dc = container_of(w, struct cached_dev, detach); +@@ -911,7 +936,9 @@ static void cached_dev_detach_finish(str + + mutex_lock(&bch_register_lock); + +- cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ cancel_writeback_rate_update_dwork(dc); ++ + if (!IS_ERR_OR_NULL(dc->writeback_thread)) { + kthread_stop(dc->writeback_thread); + dc->writeback_thread = NULL; +@@ -954,6 +981,7 @@ void bch_cached_dev_detach(struct cached + closure_get(&dc->disk.cl); + + bch_writeback_queue(dc); ++ + cached_dev_put(dc); + } + +@@ -1092,14 +1120,16 @@ static void cached_dev_free(struct closu + { + struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl); + +- cancel_delayed_work_sync(&dc->writeback_rate_update); ++ mutex_lock(&bch_register_lock); ++ ++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ cancel_writeback_rate_update_dwork(dc); ++ + if (!IS_ERR_OR_NULL(dc->writeback_thread)) + kthread_stop(dc->writeback_thread); + if (dc->writeback_write_wq) + destroy_workqueue(dc->writeback_write_wq); + +- mutex_lock(&bch_register_lock); +- + if (atomic_read(&dc->running)) + bd_unlink_disk_holder(dc->bdev, dc->disk.disk); + bcache_device_free(&dc->disk); +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -309,7 +309,8 @@ STORE(bch_cached_dev) + bch_writeback_queue(dc); + + if (attr == &sysfs_writeback_percent) +- schedule_delayed_work(&dc->writeback_rate_update, ++ if (!test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); + + mutex_unlock(&bch_register_lock); +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -115,6 +115,21 @@ static void update_writeback_rate(struct + struct cached_dev, + writeback_rate_update); + ++ /* ++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling ++ * cancel_delayed_work_sync(). ++ */ ++ set_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); ++ ++ if (!test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) { ++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); ++ return; ++ } ++ + down_read(&dc->writeback_lock); + + if (atomic_read(&dc->has_dirty) && +@@ -123,8 +138,18 @@ static void update_writeback_rate(struct + + up_read(&dc->writeback_lock); + +- schedule_delayed_work(&dc->writeback_rate_update, ++ if (test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) { ++ schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); ++ } ++ ++ /* ++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling ++ * cancel_delayed_work_sync(). ++ */ ++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); + } + + static unsigned writeback_delay(struct cached_dev *dc, unsigned sectors) +@@ -675,6 +700,7 @@ void bch_cached_dev_writeback_init(struc + dc->writeback_rate_p_term_inverse = 40; + dc->writeback_rate_i_term_inverse = 10000; + ++ WARN_ON(test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)); + INIT_DELAYED_WORK(&dc->writeback_rate_update, update_writeback_rate); + } + +@@ -693,6 +719,7 @@ int bch_cached_dev_writeback_start(struc + return PTR_ERR(dc->writeback_thread); + } + ++ WARN_ON(test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)); + schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); + diff --git a/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch b/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch new file mode 100644 index 00000000000..2c6ee5aea0e --- /dev/null +++ b/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch @@ -0,0 +1,167 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ming Lei +Date: Tue, 6 Mar 2018 12:07:13 +0800 +Subject: block: null_blk: fix 'Invalid parameters' when loading module + +From: Ming Lei + +[ Upstream commit 66231ad3e2886ba99fbf440cea44cab547e5163f ] + +On ARM64, the default page size has been 64K on some distributions, and +we should allow ARM64 people to play null_blk. + +This patch fixes the issue by extend page bitmap size for supporting +other non-4KB PAGE_SIZE. + +Cc: Bart Van Assche +Cc: Shaohua Li +Cc: Kyungchan Koh , +Cc: weiping zhang +Cc: Yi Zhang +Reported-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +--- a/drivers/block/null_blk.c ++++ b/drivers/block/null_blk.c +@@ -72,6 +72,7 @@ enum nullb_device_flags { + NULLB_DEV_FL_CACHE = 3, + }; + ++#define MAP_SZ ((PAGE_SIZE >> SECTOR_SHIFT) + 2) + /* + * nullb_page is a page in memory for nullb devices. + * +@@ -86,10 +87,10 @@ enum nullb_device_flags { + */ + struct nullb_page { + struct page *page; +- unsigned long bitmap; ++ DECLARE_BITMAP(bitmap, MAP_SZ); + }; +-#define NULLB_PAGE_LOCK (sizeof(unsigned long) * 8 - 1) +-#define NULLB_PAGE_FREE (sizeof(unsigned long) * 8 - 2) ++#define NULLB_PAGE_LOCK (MAP_SZ - 1) ++#define NULLB_PAGE_FREE (MAP_SZ - 2) + + struct nullb_device { + struct nullb *nullb; +@@ -728,7 +729,7 @@ static struct nullb_page *null_alloc_pag + if (!t_page->page) + goto out_freepage; + +- t_page->bitmap = 0; ++ memset(t_page->bitmap, 0, sizeof(t_page->bitmap)); + return t_page; + out_freepage: + kfree(t_page); +@@ -738,13 +739,20 @@ out: + + static void null_free_page(struct nullb_page *t_page) + { +- __set_bit(NULLB_PAGE_FREE, &t_page->bitmap); +- if (test_bit(NULLB_PAGE_LOCK, &t_page->bitmap)) ++ __set_bit(NULLB_PAGE_FREE, t_page->bitmap); ++ if (test_bit(NULLB_PAGE_LOCK, t_page->bitmap)) + return; + __free_page(t_page->page); + kfree(t_page); + } + ++static bool null_page_empty(struct nullb_page *page) ++{ ++ int size = MAP_SZ - 2; ++ ++ return find_first_bit(page->bitmap, size) == size; ++} ++ + static void null_free_sector(struct nullb *nullb, sector_t sector, + bool is_cache) + { +@@ -759,9 +767,9 @@ static void null_free_sector(struct null + + t_page = radix_tree_lookup(root, idx); + if (t_page) { +- __clear_bit(sector_bit, &t_page->bitmap); ++ __clear_bit(sector_bit, t_page->bitmap); + +- if (!t_page->bitmap) { ++ if (null_page_empty(t_page)) { + ret = radix_tree_delete_item(root, idx, t_page); + WARN_ON(ret != t_page); + null_free_page(ret); +@@ -832,7 +840,7 @@ static struct nullb_page *__null_lookup_ + t_page = radix_tree_lookup(root, idx); + WARN_ON(t_page && t_page->page->index != idx); + +- if (t_page && (for_write || test_bit(sector_bit, &t_page->bitmap))) ++ if (t_page && (for_write || test_bit(sector_bit, t_page->bitmap))) + return t_page; + + return NULL; +@@ -895,10 +903,10 @@ static int null_flush_cache_page(struct + + t_page = null_insert_page(nullb, idx << PAGE_SECTORS_SHIFT, true); + +- __clear_bit(NULLB_PAGE_LOCK, &c_page->bitmap); +- if (test_bit(NULLB_PAGE_FREE, &c_page->bitmap)) { ++ __clear_bit(NULLB_PAGE_LOCK, c_page->bitmap); ++ if (test_bit(NULLB_PAGE_FREE, c_page->bitmap)) { + null_free_page(c_page); +- if (t_page && t_page->bitmap == 0) { ++ if (t_page && null_page_empty(t_page)) { + ret = radix_tree_delete_item(&nullb->dev->data, + idx, t_page); + null_free_page(t_page); +@@ -914,11 +922,11 @@ static int null_flush_cache_page(struct + + for (i = 0; i < PAGE_SECTORS; + i += (nullb->dev->blocksize >> SECTOR_SHIFT)) { +- if (test_bit(i, &c_page->bitmap)) { ++ if (test_bit(i, c_page->bitmap)) { + offset = (i << SECTOR_SHIFT); + memcpy(dst + offset, src + offset, + nullb->dev->blocksize); +- __set_bit(i, &t_page->bitmap); ++ __set_bit(i, t_page->bitmap); + } + } + +@@ -955,10 +963,10 @@ again: + * We found the page which is being flushed to disk by other + * threads + */ +- if (test_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap)) ++ if (test_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap)) + c_pages[i] = NULL; + else +- __set_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap); ++ __set_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap); + } + + one_round = 0; +@@ -1011,7 +1019,7 @@ static int copy_to_nullb(struct nullb *n + kunmap_atomic(dst); + kunmap_atomic(src); + +- __set_bit(sector & SECTOR_MASK, &t_page->bitmap); ++ __set_bit(sector & SECTOR_MASK, t_page->bitmap); + + if (is_fua) + null_free_sector(nullb, sector, true); +@@ -1802,10 +1810,6 @@ static int __init null_init(void) + struct nullb *nullb; + struct nullb_device *dev; + +- /* check for nullb_page.bitmap */ +- if (sizeof(unsigned long) * 8 - 2 < (PAGE_SIZE >> SECTOR_SHIFT)) +- return -EINVAL; +- + if (g_bs > PAGE_SIZE) { + pr_warn("null_blk: invalid block size\n"); + pr_warn("null_blk: defaults block size to %lu\n", PAGE_SIZE); diff --git a/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch b/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch new file mode 100644 index 00000000000..686eaf6d504 --- /dev/null +++ b/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Scott Branden +Date: Sat, 31 Mar 2018 13:54:09 -0400 +Subject: bnxt_en: fix clear flags in ethtool reset handling + +From: Scott Branden + +[ Upstream commit 2373d8d6a7932d28b8e31ea2a70bf6c002d97ac8 ] + +Clear flags when reset command processed successfully for components +specified. + +Fixes: 6502ad5963a5 ("bnxt_en: Add ETH_RESET_AP support") +Signed-off-by: Scott Branden +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -2552,16 +2552,20 @@ static int bnxt_reset(struct net_device + return -EOPNOTSUPP; + + rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_CHIP); +- if (!rc) ++ if (!rc) { + netdev_info(dev, "Reset request successful. Reload driver to complete reset\n"); ++ *flags = 0; ++ } + } else if (*flags == ETH_RESET_AP) { + /* This feature is not supported in older firmware versions */ + if (bp->hwrm_spec_code < 0x10803) + return -EOPNOTSUPP; + + rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_AP); +- if (!rc) ++ if (!rc) { + netdev_info(dev, "Reset Application Processor request successful.\n"); ++ *flags = 0; ++ } + } else { + rc = -EINVAL; + } diff --git a/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch b/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch new file mode 100644 index 00000000000..f39e1416839 --- /dev/null +++ b/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Sriharsha Basavapatna +Date: Wed, 11 Apr 2018 11:50:15 -0400 +Subject: bnxt_en: Ignore src port field in decap filter nodes + +From: Sriharsha Basavapatna + +[ Upstream commit 479ca3bf91da971fcefc003cf5773e8d7db24794 ] + +The driver currently uses src port field (along with other fields) in the +decap tunnel key, while looking up and adding tunnel nodes. This leads to +redundant cfa_decap_filter_alloc() requests to the FW and flow-miss in the +flow engine. Fix this by ignoring the src port field in decap tunnel nodes. + +Fixes: f484f6782e01 ("bnxt_en: add hwrm FW cmds for cfa_encap_record and decap_filter") +Signed-off-by: Sriharsha Basavapatna +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +@@ -992,8 +992,10 @@ static int bnxt_tc_get_decap_handle(stru + + /* Check if there's another flow using the same tunnel decap. + * If not, add this tunnel to the table and resolve the other +- * tunnel header fileds ++ * tunnel header fileds. Ignore src_port in the tunnel_key, ++ * since it is not required for decap filters. + */ ++ decap_key->tp_src = 0; + decap_node = bnxt_tc_get_tunnel_node(bp, &tc_info->decap_table, + &tc_info->decap_ht_params, + decap_key); diff --git a/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch b/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch new file mode 100644 index 00000000000..35ac0ad1e26 --- /dev/null +++ b/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:48 +0800 +Subject: Btrfs: bail out on error during replay_dir_deletes + +From: Liu Bo + +[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ] + +If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs +to bail out, otherwise @ret would be forced to be 0 after 'break;' and +the caller won't be aware of it. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2356,8 +2356,10 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(root, path); +- if (ret) ++ if (ret == 1) + break; ++ else if (ret < 0) ++ goto out; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, + path->slots[0]); diff --git a/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch b/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch new file mode 100644 index 00000000000..792bd91d6f9 --- /dev/null +++ b/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Liu Bo +Date: Sat, 31 Mar 2018 06:11:56 +0800 +Subject: Btrfs: clean up resources during umount after trans is aborted + +From: Liu Bo + +[ Upstream commit af7227338135d2f1b1552bf9a6d43e02dcba10b9 ] + +Currently if some fatal errors occur, like all IO get -EIO, resources +would be cleaned up when +a) transaction is being committed or +b) BTRFS_FS_STATE_ERROR is set + +However, in some rare cases, resources may be left alone after transaction +gets aborted and umount may run into some ASSERT(), e.g. +ASSERT(list_empty(&block_group->dirty_list)); + +For case a), in btrfs_commit_transaciton(), there're several places at the +beginning where we just call btrfs_end_transaction() without cleaning up +resources. For case b), it is possible that the trans handle doesn't have +any dirty stuff, then only trans hanlde is marked as aborted while +BTRFS_FS_STATE_ERROR is not set, so resources remain in memory. + +This makes btrfs also check BTRFS_FS_STATE_TRANS_ABORTED to make sure that +all resources won't stay in memory after umount. + +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3735,7 +3735,8 @@ void close_ctree(struct btrfs_fs_info *f + btrfs_err(fs_info, "commit super ret %d", ret); + } + +- if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) ++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state) || ++ test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) + btrfs_error_commit_super(fs_info); + + kthread_stop(fs_info->transaction_kthread); diff --git a/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch b/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch new file mode 100644 index 00000000000..1db0779cba6 --- /dev/null +++ b/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Filipe Manana +Date: Mon, 26 Mar 2018 23:59:12 +0100 +Subject: Btrfs: fix copy_items() return value when logging an inode + +From: Filipe Manana + +[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ] + +When logging an inode, at tree-log.c:copy_items(), if we call +btrfs_next_leaf() at the loop which checks for the need to log holes, we +need to make sure copy_items() returns the value 1 to its caller and +not 0 (on success). This is because the path the caller passed was +released and is now different from what is was before, and the caller +expects a return value of 0 to mean both success and that the path +has not changed, while a return value of 1 means both success and +signals the caller that it can not reuse the path, it has to perform +another tree search. + +Even though this is a case that should not be triggered on normal +circumstances or very rare at least, its consequences can be very +unpredictable (especially when replaying a log tree). + +Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4005,6 +4005,7 @@ fill_holes: + ASSERT(ret == 0); + src = src_path->nodes[0]; + i = 0; ++ need_find_last_extent = true; + } + + btrfs_item_key_to_cpu(src, &key, i); diff --git a/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch b/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch new file mode 100644 index 00000000000..f1e94a29850 --- /dev/null +++ b/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch @@ -0,0 +1,436 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jeff Mahoney +Date: Fri, 16 Mar 2018 14:36:27 -0400 +Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers + +From: Jeff Mahoney + +[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ] + +While running btrfs/011, I hit the following lockdep splat. + +This is the important bit: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + +The percpu_counter_init call in btrfs_alloc_subvolume_writers +uses GFP_KERNEL, which we can't do during transaction commit. + +This switches it to GFP_NOFS. + +======================================================== +WARNING: possible irq lock inversion dependency detected +4.12.14-kvmsmall #8 Tainted: G W +-------------------------------------------------------- +kswapd0/50 just changed the state of lock: + (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] +but this lock took another, RECLAIM_FS-unsafe lock in the past: + (pcpu_alloc_mutex){+.+.+.} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: +Chain exists of: + &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(pcpu_alloc_mutex); + local_irq_disable(); + lock(&delayed_node->mutex); + lock(&found->groups_sem); + + lock(&delayed_node->mutex); + + *** DEADLOCK *** + +2 locks held by kswapd0/50: + #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x7f/0x5b0 + #1: (&type->s_umount_key#30){+++++.}, at: [] trylock_super+0x16/0x50 + +the shortest dependencies between 2nd lock and 1st lock: + -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + RECLAIM_FS-ON-W at: + __kmalloc+0x47/0x310 + pcpu_extend_area_map+0x2b/0xc0 + pcpu_alloc+0x3ec/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + __kmem_cache_create+0x1bf/0x390 + create_cache+0xba/0x1b0 + kmem_cache_create+0x1f8/0x2b0 + ksm_init+0x6f/0x19d + do_one_initcall+0x50/0x1b0 + kernel_init_freeable+0x201/0x289 + kernel_init+0xa/0x100 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + setup_cpu_cache+0x2f/0x1f0 + __kmem_cache_create+0x1bf/0x390 + create_boot_cache+0x8b/0xb1 + kmem_cache_init+0xa1/0x19e + start_kernel+0x270/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + } + ... key at: [] pcpu_alloc_mutex+0x70/0xa0 + ... acquired at: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + transaction_kthread+0x176/0x1b0 [btrfs] + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + + -> (&fs_info->commit_root_sem){++++..} ops: 1566382 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.61970+0x0/0xfffffffffff9aa88 [btrfs] + ... acquired at: + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + btrfs_create_tree+0xbb/0x2a0 [btrfs] + btrfs_create_uuid_tree+0x37/0x140 [btrfs] + open_ctree+0x23c0/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + + -> (&found->groups_sem){++++..} ops: 2134587 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + INITIAL USE at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.59101+0x0/0xfffffffffff9ab78 [btrfs] + ... acquired at: + find_free_extent+0xcb4/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + __btrfs_cow_block+0x110/0x5b0 [btrfs] + btrfs_cow_block+0xd7/0x290 [btrfs] + btrfs_search_slot+0x1f6/0x960 [btrfs] + btrfs_lookup_inode+0x2a/0x90 [btrfs] + __btrfs_update_delayed_inode+0x65/0x210 [btrfs] + btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs] + btrfs_evict_inode+0x3fe/0x6a0 [btrfs] + evict+0xc4/0x190 + __dentry_kill+0xbf/0x170 + dput+0x2ae/0x2f0 + SyS_rename+0x2a6/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +-> (&delayed_node->mutex){+.+.-.} ops: 5580204 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + IN-RECLAIM_FS-W at: + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.56935+0x0/0xfffffffffff96b78 [btrfs] + ... acquired at: + __lock_acquire+0x264/0x11c0 + lock_acquire+0xbd/0x1e0 + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + +stack backtrace: +CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0x78/0xb7 + print_irq_inversion_bug.part.38+0x19f/0x1aa + check_usage_forwards+0x102/0x120 + ? ret_from_fork+0x3a/0x50 + ? check_usage_backwards+0x110/0x110 + mark_lock+0x16c/0x270 + __lock_acquire+0x264/0x11c0 + ? pagevec_lookup_entries+0x1a/0x30 + ? truncate_inode_pages_range+0x2b3/0x7f0 + lock_acquire+0xbd/0x1e0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + __mutex_lock+0x4e/0x8c0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs] + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ? mem_cgroup_shrink_node+0x2c0/0x2c0 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1108,7 +1108,7 @@ static struct btrfs_subvolume_writers *b + if (!writers) + return ERR_PTR(-ENOMEM); + +- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); ++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); + if (ret < 0) { + kfree(writers); + return ERR_PTR(ret); diff --git a/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch b/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch new file mode 100644 index 00000000000..7544c4c766f --- /dev/null +++ b/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch @@ -0,0 +1,147 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Filipe Manana +Date: Thu, 5 Apr 2018 22:55:12 +0100 +Subject: Btrfs: fix loss of prealloc extents past i_size after fsync log replay + +From: Filipe Manana + +[ Upstream commit 471d557afed155b85da237ec46c549f443eeb5de ] + +Currently if we allocate extents beyond an inode's i_size (through the +fallocate system call) and then fsync the file, we log the extents but +after a power failure we replay them and then immediately drop them. +This behaviour happens since about 2009, commit c71bf099abdd ("Btrfs: +Avoid orphan inodes cleanup while replaying log"), because it marks +the inode as an orphan instead of dropping any extents beyond i_size +before replaying logged extents, so after the log replay, and while +the mount operation is still ongoing, we find the inode marked as an +orphan and then perform a truncation (drop extents beyond the inode's +i_size). Because the processing of orphan inodes is still done +right after replaying the log and before the mount operation finishes, +the intention of that commit does not make any sense (at least as +of today). However reverting that behaviour is not enough, because +we can not simply discard all extents beyond i_size and then replay +logged extents, because we risk dropping extents beyond i_size created +in past transactions, for example: + + add prealloc extent beyond i_size + fsync - clears the flag BTRFS_INODE_NEEDS_FULL_SYNC from the inode + transaction commit + add another prealloc extent beyond i_size + fsync - triggers the fast fsync path + power failure + +In that scenario, we would drop the first extent and then replay the +second one. To fix this just make sure that all prealloc extents +beyond i_size are logged, and if we find too many (which is far from +a common case), fallback to a full transaction commit (like we do when +logging regular extents in the fast fsync path). + +Trivial reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + $ xfs_io -f -c "pwrite -S 0xab 0 256K" /mnt/foo + $ sync + $ xfs_io -c "falloc -k 256K 1M" /mnt/foo + $ xfs_io -c "fsync" /mnt/foo + + + # mount to replay log + $ mount /dev/sdb /mnt + # at this point the file only has one extent, at offset 0, size 256K + +A test case for fstests follows soon, covering multiple scenarios that +involve adding prealloc extents with previous shrinking truncates and +without such truncates. + +Fixes: c71bf099abdd ("Btrfs: Avoid orphan inodes cleanup while replaying log") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 58 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2461,13 +2461,41 @@ static int replay_one_buffer(struct btrf + if (ret) + break; + +- /* for regular files, make sure corresponding +- * orphan item exist. extents past the new EOF +- * will be truncated later by orphan cleanup. ++ /* ++ * Before replaying extents, truncate the inode to its ++ * size. We need to do it now and not after log replay ++ * because before an fsync we can have prealloc extents ++ * added beyond the inode's i_size. If we did it after, ++ * through orphan cleanup for example, we would drop ++ * those prealloc extents just after replaying them. + */ + if (S_ISREG(mode)) { +- ret = insert_orphan_item(wc->trans, root, +- key.objectid); ++ struct inode *inode; ++ u64 from; ++ ++ inode = read_one_inode(root, key.objectid); ++ if (!inode) { ++ ret = -EIO; ++ break; ++ } ++ from = ALIGN(i_size_read(inode), ++ root->fs_info->sectorsize); ++ ret = btrfs_drop_extents(wc->trans, root, inode, ++ from, (u64)-1, 1); ++ /* ++ * If the nlink count is zero here, the iput ++ * will free the inode. We bump it to make ++ * sure it doesn't get freed until the link ++ * count fixup is done. ++ */ ++ if (!ret) { ++ if (inode->i_nlink == 0) ++ inc_nlink(inode); ++ /* Update link count and nbytes. */ ++ ret = btrfs_update_inode(wc->trans, ++ root, inode); ++ } ++ iput(inode); + if (ret) + break; + } +@@ -4321,6 +4349,31 @@ static int btrfs_log_changed_extents(str + num++; + } + ++ /* ++ * Add all prealloc extents beyond the inode's i_size to make sure we ++ * don't lose them after doing a fast fsync and replaying the log. ++ */ ++ if (inode->flags & BTRFS_INODE_PREALLOC) { ++ struct rb_node *node; ++ ++ for (node = rb_last(&tree->map); node; node = rb_prev(node)) { ++ em = rb_entry(node, struct extent_map, rb_node); ++ if (em->start < i_size_read(&inode->vfs_inode)) ++ break; ++ if (!list_empty(&em->list)) ++ continue; ++ /* Same as above loop. */ ++ if (++num > 32768) { ++ list_del_init(&tree->modified_extents); ++ ret = -EFBIG; ++ goto process; ++ } ++ refcount_inc(&em->refs); ++ set_bit(EXTENT_FLAG_LOGGING, &em->flags); ++ list_add_tail(&em->list, &extents); ++ } ++ } ++ + list_sort(NULL, &extents, extent_cmp); + btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); + /* diff --git a/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch b/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch new file mode 100644 index 00000000000..0b83383d682 --- /dev/null +++ b/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Anand Jain +Date: Sat, 24 Feb 2018 19:43:56 +0800 +Subject: btrfs: fix null pointer deref when target device is missing + +From: Anand Jain + +[ Upstream commit acf18c56fdcb952a06650282192e3b4ca1855c5e ] + +The replace target device can be missing when mounted with -o degraded, +but we wont allocate a missing btrfs_device to it. So check the device +before accessing. + +BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0 +IP: btrfs_destroy_dev_replace_tgtdev+0x43/0xf0 [btrfs] +Call Trace: +btrfs_dev_replace_cancel+0x15f/0x180 [btrfs] +btrfs_ioctl+0x2216/0x2590 [btrfs] +do_vfs_ioctl+0x625/0x650 +SyS_ioctl+0x4e/0x80 +do_syscall_64+0x5d/0x160 +entry_SYSCALL64_slow_path+0x25/0x25 + +This patch has been moved in front of patch "btrfs: log, when replace, +is canceled by the user" that could reproduce the crash if the system +reboots inside btrfs_dev_replace_start before the +btrfs_dev_replace_finishing call. + + $ mkfs /dev/sda + $ mount /dev/sda mnt + $ btrfs replace start /dev/sda /dev/sdb + + $ mount po degraded /dev/sdb mnt + + +Signed-off-by: Anand Jain +[ added reproducer description from mail ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/dev-replace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -307,7 +307,7 @@ void btrfs_after_dev_replace_commit(stru + + static char* btrfs_dev_name(struct btrfs_device *device) + { +- if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) ++ if (!device || test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) + return ""; + else + return rcu_str_deref(device->name); diff --git a/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch b/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch new file mode 100644 index 00000000000..fc968943250 --- /dev/null +++ b/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:47 +0800 +Subject: Btrfs: fix NULL pointer dereference in log_dir_items + +From: Liu Bo + +[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ] + +0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is +returned, path->nodes[0] could be NULL, log_dir_items lacks such a +check for <0 and we may run into a null pointer dereference panic. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3548,8 +3548,11 @@ static noinline int log_dir_items(struct + * from this directory and from this transaction + */ + ret = btrfs_next_leaf(root, path); +- if (ret == 1) { +- last_offset = (u64)-1; ++ if (ret) { ++ if (ret == 1) ++ last_offset = (u64)-1; ++ else ++ err = ret; + goto done; + } + btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]); diff --git a/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch b/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch new file mode 100644 index 00000000000..585be827165 --- /dev/null +++ b/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Nikolay Borisov +Date: Thu, 5 Apr 2018 10:40:15 +0300 +Subject: btrfs: Fix possible softlock on single core machines + +From: Nikolay Borisov + +[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ] + +do_chunk_alloc implements a loop checking whether there is a pending +chunk allocation and if so causes the caller do loop. Generally this +loop is executed only once, however testing with btrfs/072 on a single +core vm machines uncovered an extreme case where the system could loop +indefinitely. This is due to a missing cond_resched when loop which +doesn't give a chance to the previous chunk allocator finish its job. + +The fix is to simply add the missing cond_resched. + +Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc") +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4657,6 +4657,7 @@ again: + if (wait_for_alloc) { + mutex_unlock(&fs_info->chunk_mutex); + wait_for_alloc = 0; ++ cond_resched(); + goto again; + } + diff --git a/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch b/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch new file mode 100644 index 00000000000..33aabf8d74f --- /dev/null +++ b/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Qu Wenruo +Date: Tue, 19 Dec 2017 15:44:54 +0800 +Subject: btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled + +From: Qu Wenruo + +[ Upstream commit 4d31778aa2fa342f5f92ca4025b293a1729161d1 ] + +When multiple pending snapshots referring to the same source subvolume +are executed, enabled quota will cause root item corruption, where root +items are using old bytenr (no backref in extent tree). + +This can be triggered by fstests btrfs/152. + +The cause is when source subvolume is still dirty, extra commit +(simplied transaction commit) of qgroup_account_snapshot() can skip +dirty roots not recorded in current transaction, making root item of +source subvolume not updated. + +Fix it by forcing recording source subvolume in current transaction +before qgroup sub-transaction commit. + +Reported-by: Justin Maggard +Signed-off-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -319,7 +319,7 @@ static int record_root_in_trans(struct b + if ((test_bit(BTRFS_ROOT_REF_COWS, &root->state) && + root->last_trans < trans->transid) || force) { + WARN_ON(root == fs_info->extent_root); +- WARN_ON(root->commit_root != root->node); ++ WARN_ON(!force && root->commit_root != root->node); + + /* + * see below for IN_TRANS_SETUP usage rules +@@ -1366,6 +1366,14 @@ static int qgroup_account_snapshot(struc + return 0; + + /* ++ * Ensure dirty @src will be commited. Or, after comming ++ * commit_fs_roots() and switch_commit_roots(), any dirty but not ++ * recorded root will never be updated again, causing an outdated root ++ * item. ++ */ ++ record_root_in_trans(trans, src, 1); ++ ++ /* + * We are going to commit transaction, see btrfs_commit_transaction() + * comment for reason locking tree_log_mutex + */ diff --git a/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch b/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch new file mode 100644 index 00000000000..1d192344c25 --- /dev/null +++ b/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Qu Wenruo +Date: Tue, 27 Mar 2018 20:44:18 +0800 +Subject: btrfs: tests/qgroup: Fix wrong tree backref level + +From: Qu Wenruo + +[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ] + +The extent tree of the test fs is like the following: + + BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919 + item 0 key (4096 168 4096) itemoff 3944 itemsize 51 + extent refs 1 gen 1 flags 2 + tree block key (68719476736 0 0) level 1 + ^^^^^^^ + ref#0: tree block backref root 5 + +And it's using an empty tree for fs tree, so there is no way that its +level can be 1. + +For REAL (created by mkfs) fs tree backref with no skinny metadata, the +result should look like: + + item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51 + refs 1 gen 4 flags TREE_BLOCK + tree block key (256 INODE_ITEM 0) level 0 + ^^^^^^^ + tree block backref root 5 + +Fix the level to 0, so it won't break later tree level checker. + +Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code") +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/qgroup-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/qgroup-tests.c ++++ b/fs/btrfs/tests/qgroup-tests.c +@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct + btrfs_set_extent_generation(leaf, item, 1); + btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK); + block_info = (struct btrfs_tree_block_info *)(item + 1); +- btrfs_set_tree_block_level(leaf, block_info, 1); ++ btrfs_set_tree_block_level(leaf, block_info, 0); + iref = (struct btrfs_extent_inline_ref *)(block_info + 1); + if (parent > 0) { + btrfs_set_extent_inline_ref_type(leaf, iref, diff --git a/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch b/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch new file mode 100644 index 00000000000..5ffd3235ca0 --- /dev/null +++ b/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch @@ -0,0 +1,155 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Maurizio Lombardi +Date: Fri, 9 Mar 2018 13:59:06 +0100 +Subject: cdrom: do not call check_disk_change() inside cdrom_open() + +From: Maurizio Lombardi + +[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ] + +when mounting an ISO filesystem sometimes (very rarely) +the system hangs because of a race condition between two tasks. + +PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" + #0 [ffff880078447ae0] __schedule at ffffffff8168d605 + #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 + #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 + #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef + #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] + #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 + #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 + #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] + #8 [ffff880078447da8] mount_bdev at ffffffff81202570 + #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] +#10 [ffff880078447e28] mount_fs at ffffffff81202d09 +#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f +#12 [ffff880078447ea8] do_mount at ffffffff81220fee +#13 [ffff880078447f28] sys_mount at ffffffff812218d6 +#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 + RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 + RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 + RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 + R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 + R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 + ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b + +This task was trying to mount the cdrom. It allocated and configured a +super_block struct and owned the write-lock for the super_block->s_umount +rwsem. While exclusively owning the s_umount lock, it called +sr_block_ioctl and waited to acquire the global sr_mutex lock. + +PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" + #0 [ffff880078417898] __schedule at ffffffff8168d605 + #1 [ffff880078417900] schedule at ffffffff8168dc59 + #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 + #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 + #4 [ffff8800784179d0] down_read at ffffffff8168cde0 + #5 [ffff8800784179e8] get_super at ffffffff81201cc7 + #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de + #7 [ffff880078417a40] flush_disk at ffffffff8123a94b + #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 + #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] +#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] +#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 +#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 +#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b +#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 +#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf +#16 [ffff880078417d00] do_last at ffffffff8120d53d +#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 +#18 [ffff880078417e48] do_filp_open at ffffffff8121082b +#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 +#20 [ffff880078417f70] sys_open at ffffffff811fde4e +#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 + RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 + RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 + RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 + R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e + R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 + ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b + +This task tried to open the cdrom device, the sr_block_open function +acquired the global sr_mutex lock. The call to check_disk_change() +then saw an event flag indicating a possible media change and tried +to flush any cached data for the device. +As part of the flush, it tried to acquire the super_block->s_umount +lock associated with the cdrom device. +This was the same super_block as created and locked by the previous task. + +The first task acquires the s_umount lock and then the sr_mutex_lock; +the second task acquires the sr_mutex_lock and then the s_umount lock. + +This patch fixes the issue by moving check_disk_change() out of +cdrom_open() and let the caller take care of it. + +Signed-off-by: Maurizio Lombardi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/paride/pcd.c | 2 ++ + drivers/cdrom/cdrom.c | 3 --- + drivers/cdrom/gdrom.c | 3 +++ + drivers/ide/ide-cd.c | 2 ++ + drivers/scsi/sr.c | 2 ++ + 5 files changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/block/paride/pcd.c ++++ b/drivers/block/paride/pcd.c +@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d + struct pcd_unit *cd = bdev->bd_disk->private_data; + int ret; + ++ check_disk_change(bdev); ++ + mutex_lock(&pcd_mutex); + ret = cdrom_open(&cd->info, bdev, mode); + mutex_unlock(&pcd_mutex); +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -1152,9 +1152,6 @@ int cdrom_open(struct cdrom_device_info + + cd_dbg(CD_OPEN, "entering cdrom_open\n"); + +- /* open is event synchronization point, check events first */ +- check_disk_change(bdev); +- + /* if this was a O_NONBLOCK open and we should honor the flags, + * do a quick open without drive/disc integrity checks. */ + cdi->use_count++; +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -497,6 +497,9 @@ static const struct cdrom_device_ops gdr + static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) + { + int ret; ++ ++ check_disk_change(bdev); ++ + mutex_lock(&gdrom_mutex); + ret = cdrom_open(gd.cd_info, bdev, mode); + mutex_unlock(&gdrom_mutex); +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -1613,6 +1613,8 @@ static int idecd_open(struct block_devic + struct cdrom_info *info; + int rc = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&ide_cd_mutex); + info = ide_cd_get(bdev->bd_disk); + if (!info) +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -525,6 +525,8 @@ static int sr_block_open(struct block_de + struct scsi_cd *cd; + int ret = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&sr_mutex); + cd = scsi_cd_get(bdev->bd_disk); + if (cd) { diff --git a/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch b/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch new file mode 100644 index 00000000000..bb62d4b31e9 --- /dev/null +++ b/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Leo Yan +Date: Tue, 13 Mar 2018 11:24:30 -0600 +Subject: coresight: Use %px to print pcsr instead of %p + +From: Leo Yan + +[ Upstream commit 831c326fcd0e8e2a6ece952f898a1ec9b1dc1004 ] + +Commit ad67b74d2469 ("printk: hash addresses printed with %p") lets +printk specifier %p to hash all addresses before printing, this was +resulting in the high 32 bits of pcsr can only output zeros. So +module cannot completely print pc value and it's pointless for debugging +purpose. + +This patch fixes this by using %px to print pcsr instead. + +Cc: Mathieu Poirier +Signed-off-by: Leo Yan +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c +@@ -315,7 +315,7 @@ static void debug_dump_regs(struct debug + } + + pc = debug_adjust_pc(drvdata); +- dev_emerg(dev, " EDPCSR: [<%p>] %pS\n", (void *)pc, (void *)pc); ++ dev_emerg(dev, " EDPCSR: [<%px>] %pS\n", (void *)pc, (void *)pc); + + if (drvdata->edcidsr_present) + dev_emerg(dev, " EDCIDSR: %08x\n", drvdata->edcidsr); diff --git a/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch b/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch new file mode 100644 index 00000000000..15735888599 --- /dev/null +++ b/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Shunyong Yang +Date: Fri, 6 Apr 2018 10:43:49 +0800 +Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs + +From: Shunyong Yang + +[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ] + +When multiple CPUs are related in one cpufreq policy, the first online +CPU will be chosen by default to handle cpufreq operations. Let's take +cpu0 and cpu1 as an example. + +When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf +capabilities should be initialized. Otherwise, perf capabilities are 0s +and speed change can not take effect. + +This patch copies perf capabilities of the first online CPU to other +shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY. + +Acked-by: Viresh Kumar +Signed-off-by: Shunyong Yang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -167,9 +167,19 @@ static int cppc_cpufreq_cpu_init(struct + NSEC_PER_USEC; + policy->shared_type = cpu->shared_type; + +- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) ++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) { ++ int i; ++ + cpumask_copy(policy->cpus, cpu->shared_cpu_map); +- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { ++ ++ for_each_cpu(i, policy->cpus) { ++ if (unlikely(i == policy->cpu)) ++ continue; ++ ++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps, ++ sizeof(cpu->perf_caps)); ++ } ++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { + /* Support only SW_ANY for now. */ + pr_debug("Unsupported CPU co-ord type\n"); + return -EFAULT; diff --git a/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch b/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch new file mode 100644 index 00000000000..9aaabe27ead --- /dev/null +++ b/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Chunyu Hu +Date: Mon, 5 Mar 2018 13:40:38 +0800 +Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path + +From: Chunyu Hu + +[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ] + +Kmemleak reported the below leak. When cppc_cpufreq_init went into +failure path, the cpu mask is not freed. After fix, this report is +gone. And to avaoid potential NULL pointer reference, check the cpu +value first. + +unreferenced object 0xffff800fd5ea4880 (size 128): + comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s) + hex dump (first 32 bytes): + 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __kmalloc_node+0x278/0x634 + [] alloc_cpumask_var_node+0x28/0x60 + [] zalloc_cpumask_var+0x14/0x1c + [] cppc_cpufreq_init+0xd0/0x19c + [] do_one_initcall+0xec/0x15c + [] kernel_init_freeable+0x1f4/0x2a4 + [] kernel_init+0x18/0x10c + [] ret_from_fork+0x10/0x18 + [] 0xffffffffffffffff + +Signed-off-by: Chunyu Hu +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -243,8 +243,13 @@ static int __init cppc_cpufreq_init(void + return ret; + + out: +- for_each_possible_cpu(i) +- kfree(all_cpu_data[i]); ++ for_each_possible_cpu(i) { ++ cpu = all_cpu_data[i]; ++ if (!cpu) ++ break; ++ free_cpumask_var(cpu->shared_cpu_map); ++ kfree(cpu); ++ } + + kfree(all_cpu_data); + return -ENODEV; diff --git a/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch b/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch new file mode 100644 index 00000000000..a91adabac66 --- /dev/null +++ b/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Viresh Kumar +Date: Thu, 22 Feb 2018 11:29:43 +0530 +Subject: cpufreq: Reorder cpufreq_online() error code path + +From: Viresh Kumar + +[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ] + +Ideally the de-allocation of resources should happen in the exact +opposite order in which they were allocated. It helps maintain the code +in long term, even if nothing really breaks with incorrect ordering. + +That wasn't followed in cpufreq_online() and it has some +inconsistencies. For example, the symlinks were created from within +the locked region while they are removed only after putting the locks. +Also ->exit() should have been called only after the symlinks are +removed and the lock is dropped, as that was the case when ->init() +was first called. + +Signed-off-by: Viresh Kumar +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1327,14 +1327,14 @@ static int cpufreq_online(unsigned int c + return 0; + + out_exit_policy: ++ for_each_cpu(j, policy->real_cpus) ++ remove_cpu_dev_symlink(policy, get_cpu_device(j)); ++ + up_write(&policy->rwsem); + + if (cpufreq_driver->exit) + cpufreq_driver->exit(policy); + +- for_each_cpu(j, policy->real_cpus) +- remove_cpu_dev_symlink(policy, get_cpu_device(j)); +- + out_free_policy: + cpufreq_policy_free(policy); + return ret; diff --git a/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch b/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch new file mode 100644 index 00000000000..06077609488 --- /dev/null +++ b/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Arjun Vynipadath +Date: Thu, 15 Mar 2018 17:34:14 +0530 +Subject: cxgb4: Fix queue free path of ULD drivers + +From: Arjun Vynipadath + +[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ] + +Setting sge_uld_rxq_info to NULL in free_queues_uld(). +We are referencing sge_uld_rxq_info in cxgb_up(). This +will fix a panic when interface is brought up after a +ULDq creation failure. + +Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation + of resources for ULD) +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudhar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt + { + struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type]; + ++ adap->sge.uld_rxq_info[uld_type] = NULL; + kfree(rxq_info->rspq_id); + kfree(rxq_info->uldrxq); + kfree(rxq_info); diff --git a/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch b/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch new file mode 100644 index 00000000000..6601a1349a3 --- /dev/null +++ b/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Arjun Vynipadath +Date: Fri, 23 Mar 2018 15:25:10 +0530 +Subject: cxgb4: Setup FW queues before registering netdev + +From: Arjun Vynipadath + +[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ] + +When NetworkManager is enabled, there are chances that interface up +is called even before probe completes. This means we have not yet +allocated the FW sge queues, hence rest of ingress queue allocation +wont be proper. Fix this by calling setup_fw_sge_queues() before +register_netdev(). + +Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's') +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -833,8 +833,6 @@ static int setup_fw_sge_queues(struct ad + + err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0], + adap->msi_idx, NULL, fwevtq_handler, NULL, -1); +- if (err) +- t4_free_sge_resources(adap); + return err; + } + +@@ -5474,6 +5472,13 @@ static int init_one(struct pci_dev *pdev + if (err) + goto out_free_dev; + ++ err = setup_fw_sge_queues(adapter); ++ if (err) { ++ dev_err(adapter->pdev_dev, ++ "FW sge queue allocation failed, err %d", err); ++ goto out_free_dev; ++ } ++ + /* + * The card is now ready to go. If any errors occur during device + * registration we do not fail the whole card but rather proceed only +@@ -5522,10 +5527,10 @@ static int init_one(struct pci_dev *pdev + cxgb4_ptp_init(adapter); + + print_adapter_info(adapter); +- setup_fw_sge_queues(adapter); + return 0; + + out_free_dev: ++ t4_free_sge_resources(adapter); + free_some_resources(adapter); + if (adapter->flags & USING_MSIX) + free_msix_info(adapter); diff --git a/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch b/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch new file mode 100644 index 00000000000..3852aea4ce6 --- /dev/null +++ b/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch @@ -0,0 +1,127 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Vaibhav Jain +Date: Thu, 15 Feb 2018 21:19:24 +0530 +Subject: cxl: Check if PSL data-cache is available before issue flush request + +From: Vaibhav Jain + +[ Upstream commit 94322ed8e857e3b2a33cf75118051af9baaa110f ] + +PSL9D doesn't have a data-cache that needs to be flushed before +resetting the card. However when cxl tries to flush data-cache on such +a card, it times-out as PSL_Control register never indicates flush +operation complete due to missing data-cache. This is usually +indicated in the kernel logs with this message: + +"WARNING: cache flush timed out" + +To fix this the patch checks PSL_Debug register CDC-Field(BIT:27) +which indicates the absence of a data-cache and sets a flag +'no_data_cache' in 'struct cxl_native' to indicate this. When +cxl_data_cache_flush() is called it checks the flag and if set bails +out early without requesting a data-cache flush operation to the PSL. + +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cxl/cxl.h | 4 ++++ + drivers/misc/cxl/native.c | 11 ++++++++++- + drivers/misc/cxl/pci.c | 19 +++++++++++++------ + 3 files changed, 27 insertions(+), 7 deletions(-) + +--- a/drivers/misc/cxl/cxl.h ++++ b/drivers/misc/cxl/cxl.h +@@ -369,6 +369,9 @@ static const cxl_p2n_reg_t CXL_PSL_WED_A + #define CXL_PSL_TFC_An_AE (1ull << (63-30)) /* Restart PSL with address error */ + #define CXL_PSL_TFC_An_R (1ull << (63-31)) /* Restart PSL transaction */ + ++/****** CXL_PSL_DEBUG *****************************************************/ ++#define CXL_PSL_DEBUG_CDC (1ull << (63-27)) /* Coherent Data cache support */ ++ + /****** CXL_XSL9_IERAT_ERAT - CAIA 2 **********************************/ + #define CXL_XSL9_IERAT_MLPID (1ull << (63-0)) /* Match LPID */ + #define CXL_XSL9_IERAT_MPID (1ull << (63-1)) /* Match PID */ +@@ -669,6 +672,7 @@ struct cxl_native { + irq_hw_number_t err_hwirq; + unsigned int err_virq; + u64 ps_off; ++ bool no_data_cache; /* set if no data cache on the card */ + const struct cxl_service_layer_ops *sl_ops; + }; + +--- a/drivers/misc/cxl/native.c ++++ b/drivers/misc/cxl/native.c +@@ -353,8 +353,17 @@ int cxl_data_cache_flush(struct cxl *ada + u64 reg; + unsigned long timeout = jiffies + (HZ * CXL_TIMEOUT); + +- pr_devel("Flushing data cache\n"); ++ /* ++ * Do a datacache flush only if datacache is available. ++ * In case of PSL9D datacache absent hence flush operation. ++ * would timeout. ++ */ ++ if (adapter->native->no_data_cache) { ++ pr_devel("No PSL data cache. Ignoring cache flush req.\n"); ++ return 0; ++ } + ++ pr_devel("Flushing data cache\n"); + reg = cxl_p1_read(adapter, CXL_PSL_Control); + reg |= CXL_PSL_Control_Fr; + cxl_p1_write(adapter, CXL_PSL_Control, reg); +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -456,6 +456,7 @@ static int init_implementation_adapter_r + u64 chipid; + u32 phb_index; + u64 capp_unit_id; ++ u64 psl_debug; + int rc; + + rc = cxl_calc_capp_routing(dev, &chipid, &phb_index, &capp_unit_id); +@@ -506,6 +507,16 @@ static int init_implementation_adapter_r + } else + cxl_p1_write(adapter, CXL_PSL9_DEBUG, 0x4000000000000000ULL); + ++ /* ++ * Check if PSL has data-cache. We need to flush adapter datacache ++ * when as its about to be removed. ++ */ ++ psl_debug = cxl_p1_read(adapter, CXL_PSL9_DEBUG); ++ if (psl_debug & CXL_PSL_DEBUG_CDC) { ++ dev_dbg(&dev->dev, "No data-cache present\n"); ++ adapter->native->no_data_cache = true; ++ } ++ + return 0; + } + +@@ -1449,10 +1460,8 @@ int cxl_pci_reset(struct cxl *adapter) + + /* + * The adapter is about to be reset, so ignore errors. +- * Not supported on P9 DD1 + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + /* pcie_warm_reset requests a fundamental pci reset which includes a + * PERST assert/deassert. PERST triggers a loading of the image +@@ -1936,10 +1945,8 @@ static void cxl_pci_remove_adapter(struc + + /* + * Flush adapter datacache as its about to be removed. +- * Not supported on P9 DD1. + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + cxl_deconfigure_adapter(adapter); + diff --git a/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch b/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch new file mode 100644 index 00000000000..ff3b91ee113 --- /dev/null +++ b/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch @@ -0,0 +1,162 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Qi Hou +Date: Tue, 6 Mar 2018 09:13:37 +0800 +Subject: dmaengine: pl330: fix a race condition in case of threaded irqs + +From: Qi Hou + +[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ] + +When booting up with "threadirqs" in command line, all irq handlers of the DMA +controller pl330 will be threaded forcedly. These threads will race for the same +list, pl330->req_done. + +Before the callback, the spinlock was released. And after it, the spinlock was +taken. This opened an race window where another threaded irq handler could steal +the spinlock and be permitted to delete entries of the list, pl330->req_done. + +If the later deleted an entry that was still referred to by the former, there would +be a kernel panic when the former was scheduled and tried to get the next sibling +of the deleted entry. + +The scenario could be depicted as below: + + Thread: T1 pl330->req_done Thread: T2 + | | | + | -A-B-C-D- | + Locked | | + | | Waiting + Del A | | + | -B-C-D- | + Unlocked | | + | | Locked + Waiting | | + | | Del B + | | | + | -C-D- Unlocked + Waiting | | + | + Locked + | + get C via B + \ + - Kernel panic + +The kernel panic looked like as below: + +Unable to handle kernel paging request at virtual address dead000000000108 +pgd = ffffff8008c9e000 +[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000 +Internal error: Oops: 96000044 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2 +Hardware name: Broadcom NS2 SVK (DT) +task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000 +PC is at pl330_irq_handler+0x27c/0x390 +LR is at pl330_irq_handler+0x2a8/0x390 +pc : [] lr : [] pstate: 800001c5 +sp : ffffffc1f5ce3d00 +x29: ffffffc1f5ce3d00 x28: 0000000000000140 +x27: ffffffc1f5c530b0 x26: dead000000000100 +x25: dead000000000200 x24: 0000000000418958 +x23: 0000000000000001 x22: ffffffc1f5ccd668 +x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418 +x19: dead000000000060 x18: 0000000000000001 +x17: 0000000000000007 x16: 0000000000000001 +x15: ffffffffffffffff x14: ffffffffffffffff +x13: ffffffffffffffff x12: 0000000000000000 +x11: 0000000000000001 x10: 0000000000000840 +x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338 +x7 : ffffff8008ce2020 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : dead000000000200 x2 : dead000000000100 +x1 : 0000000000000140 x0 : ffffffc1f5ccd590 + +Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020) +Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000) +3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600 +3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998 +3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000 +3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0 +3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001 +3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8 +3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00 +3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000 +3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68 +3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80 +3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648 +3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00 +3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90 +3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0 +3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000 +3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8 +Call trace: +Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60) +3b20: dead000000000060 0000008000000000 +3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88 +3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4 +3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc +3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000 +3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140 +3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000 +3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000 +3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff +3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007 +[] pl330_irq_handler+0x27c/0x390 +[] irq_forced_thread_fn+0x38/0x88 +[] irq_thread+0x140/0x200 +[] kthread+0xd8/0xf0 +[] ret_from_fork+0x10/0x40 +Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443) +---[ end trace f50005726d31199c ]--- +Kernel panic - not syncing: Fatal exception in interrupt +SMP: stopping secondary CPUs +SMP: failed to stop secondary CPUs 0-1 +Kernel Offset: disabled +Memory Limit: none +---[ end Kernel panic - not syncing: Fatal exception in interrupt + +To fix this, re-start with the list-head after dropping the lock then +re-takeing it. + +Reviewed-by: Frank Mori Hess +Tested-by: Frank Mori Hess +Signed-off-by: Qi Hou +Signed-off-by: Vinod Koul + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1510,7 +1510,7 @@ static void pl330_dotask(unsigned long d + /* Returns 1 if state was updated, 0 otherwise */ + static int pl330_update(struct pl330_dmac *pl330) + { +- struct dma_pl330_desc *descdone, *tmp; ++ struct dma_pl330_desc *descdone; + unsigned long flags; + void __iomem *regs; + u32 val; +@@ -1588,7 +1588,9 @@ static int pl330_update(struct pl330_dma + } + + /* Now that we are in no hurry, do the callbacks */ +- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { ++ while (!list_empty(&pl330->req_done)) { ++ descdone = list_first_entry(&pl330->req_done, ++ struct dma_pl330_desc, rqd); + list_del(&descdone->rqd); + spin_unlock_irqrestore(&pl330->lock, flags); + dma_pl330_rqcb(descdone, PL330_ERR_NONE); diff --git a/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch b/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch new file mode 100644 index 00000000000..bcadd83423f --- /dev/null +++ b/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Srinivas Kandagatla +Date: Thu, 15 Feb 2018 12:25:09 +0000 +Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt + +From: Srinivas Kandagatla + +[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ] + +When Linux is master of BAM, it can directly read registers to know number +of supported channels, however when its remotely controlled reading these +registers would trigger a crash if the BAM is not yet initialized or +powered up on the remote side. + +This patch allows driver to read num-channels and num-ees from Device Tree +for remotely controlled BAM. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -393,6 +393,7 @@ struct bam_device { + struct device_dma_parameters dma_parms; + struct bam_chan *channels; + u32 num_channels; ++ u32 num_ees; + + /* execution environment ID, from DT */ + u32 ee; +@@ -1128,15 +1129,19 @@ static int bam_init(struct bam_device *b + u32 val; + + /* read revision and configuration information */ +- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT; +- val &= NUM_EES_MASK; ++ if (!bdev->num_ees) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)); ++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK; ++ } + + /* check that configured EE is within range */ +- if (bdev->ee >= val) ++ if (bdev->ee >= bdev->num_ees) + return -EINVAL; + +- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); +- bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ if (!bdev->num_channels) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); ++ bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ } + + if (bdev->controlled_remotely) + return 0; +@@ -1232,6 +1237,18 @@ static int bam_dma_probe(struct platform + bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node, + "qcom,controlled-remotely"); + ++ if (bdev->controlled_remotely) { ++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels", ++ &bdev->num_channels); ++ if (ret) ++ dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ ++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", ++ &bdev->num_ees); ++ if (ret) ++ dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ } ++ + bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk"); + if (IS_ERR(bdev->bamclk)) + return PTR_ERR(bdev->bamclk); diff --git a/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch b/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch new file mode 100644 index 00000000000..0aa046da551 --- /dev/null +++ b/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Yoshihiro Shimoda +Date: Fri, 2 Feb 2018 19:05:15 +0900 +Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue() + +From: Yoshihiro Shimoda + +[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ] + +This patch fixes an issue that a race condition happens between a client +driver and the rcar-dmac driver: + +- The rcar_dmac_isr_transfer_end() is called. + - The done list appears, and desc.running is the next active list. +- rcar_dmac_chan_get_residue() is called by a client driver before + rcar_dmac_isr_channel_thread() is called. + - The rcar_dmac_chan_get_residue() will not find any descriptors. + - And, the following WARNING happens: + WARN(1, "No descriptor for cookie!"); + +The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this +situation. +So, this patch checks the done lists in rcar_dmac_chan_get_residue() +and returns zero if the done lists has the argument cookie. + +Tested-by: Nguyen Viet Dung +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1301,8 +1301,17 @@ static unsigned int rcar_dmac_chan_get_r + * If the cookie doesn't correspond to the currently running transfer + * then the descriptor hasn't been processed yet, and the residue is + * equal to the full descriptor size. ++ * Also, a client driver is possible to call this function before ++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running" ++ * will be the next descriptor, and the done list will appear. So, if ++ * the argument cookie matches the done list's cookie, we can assume ++ * the residue is zero. + */ + if (cookie != desc->async_tx.cookie) { ++ list_for_each_entry(desc, &chan->desc.done, node) { ++ if (cookie == desc->async_tx.cookie) ++ return 0; ++ } + list_for_each_entry(desc, &chan->desc.pending, node) { + if (cookie == desc->async_tx.cookie) + return desc->size; diff --git a/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch b/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch new file mode 100644 index 00000000000..3cdb6c8e41a --- /dev/null +++ b/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Geert Uytterhoeven +Date: Thu, 29 Mar 2018 18:53:32 +0200 +Subject: dmaengine: rcar-dmac: Fix too early/late system suspend/resume callbacks + +From: Geert Uytterhoeven + +[ Upstream commit 73dcc666d6bd0db56cd556010f93d8f04c1cc70c ] + +If serial console wake-up is enabled ("echo enabled > +/sys/.../ttySC0/power/wakeup"), and any serial input is received while +the system is suspended, serial port input no longer works after system +resume. + +Note that: + 1) The system can still be woken up using the serial console, + 2) Serial port input keeps working if the system is woken up in some + other way (e.g. Wake-on-LAN or gpio-keys), and no serial input was + received while suspended. + +To fix this, replace SET_LATE_SYSTEM_SLEEP_PM_OPS() by +SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(), as the callbacks installed by the +former happen too early resp. late in the suspend resp. resume process. + +Reported-by: RVC test team via Yoshihiro Shimoda +Fixes: 1131b0a4af911de5 ("dmaengine: rcar-dmac: Make DMAC reinit during system resume explicit") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1677,8 +1677,8 @@ static const struct dev_pm_ops rcar_dmac + * - Wait for the current transfer to complete and stop the device, + * - Resume transfers, if any. + */ +- SET_LATE_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, +- pm_runtime_force_resume) ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, ++ pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(rcar_dmac_runtime_suspend, rcar_dmac_runtime_resume, + NULL) + }; diff --git a/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch b/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch new file mode 100644 index 00000000000..5bc8c86c938 --- /dev/null +++ b/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Esben Haabendal +Date: Sun, 8 Apr 2018 22:17:01 +0200 +Subject: dp83640: Ensure against premature access to PHY registers after reset + +From: Esben Haabendal + +[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ] + +The datasheet specifies a 3uS pause after performing a software +reset. The default implementation of genphy_soft_reset() does not +provide this, so implement soft_reset with the needed pause. + +Signed-off-by: Esben Haabendal +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1207,6 +1207,23 @@ static void dp83640_remove(struct phy_de + kfree(dp83640); + } + ++static int dp83640_soft_reset(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = genphy_soft_reset(phydev); ++ if (ret < 0) ++ return ret; ++ ++ /* From DP83640 datasheet: "Software driver code must wait 3 us ++ * following a software reset before allowing further serial MII ++ * operations with the DP83640." ++ */ ++ udelay(10); /* Taking udelay inaccuracy into account */ ++ ++ return 0; ++} ++ + static int dp83640_config_init(struct phy_device *phydev) + { + struct dp83640_private *dp83640 = phydev->priv; +@@ -1501,6 +1518,7 @@ static struct phy_driver dp83640_driver + .flags = PHY_HAS_INTERRUPT, + .probe = dp83640_probe, + .remove = dp83640_remove, ++ .soft_reset = dp83640_soft_reset, + .config_init = dp83640_config_init, + .ack_interrupt = dp83640_ack_interrupt, + .config_intr = dp83640_config_intr, diff --git a/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch b/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch new file mode 100644 index 00000000000..aafb87f8811 --- /dev/null +++ b/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jake Moroni +Date: Sun, 18 Feb 2018 15:26:04 -0500 +Subject: dpaa_eth: fix pause capability advertisement logic + +From: Jake Moroni + +[ Upstream commit 3021efb440d02bf5b952b6d151c7ffee9bdd49fe ] + +The ADVERTISED_Asym_Pause bit was being improperly set when both +rx and tx pause were enabled. When rx and tx are both enabled, only +the ADVERTISED_Pause bit is supposed to be set. + +Signed-off-by: Jake Moroni +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -211,7 +211,7 @@ static int dpaa_set_pauseparam(struct ne + if (epause->rx_pause) + newadv = ADVERTISED_Pause | ADVERTISED_Asym_Pause; + if (epause->tx_pause) +- newadv |= ADVERTISED_Asym_Pause; ++ newadv ^= ADVERTISED_Asym_Pause; + + oldadv = phydev->advertising & + (ADVERTISED_Pause | ADVERTISED_Asym_Pause); diff --git a/queue-4.16/dpaa_eth-fix-sg-mapping.patch b/queue-4.16/dpaa_eth-fix-sg-mapping.patch new file mode 100644 index 00000000000..265732d331c --- /dev/null +++ b/queue-4.16/dpaa_eth-fix-sg-mapping.patch @@ -0,0 +1,73 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Madalin Bucur +Date: Mon, 26 Feb 2018 11:24:01 -0600 +Subject: dpaa_eth: fix SG mapping + +From: Madalin Bucur + +[ Upstream commit 120d75ecf043044554abbba8507f6d22e4715beb ] + +An issue in the code mapping the skb fragments into +scatter-gather frames was evidentiated by netperf +TCP_SENDFILE tests. The size was set wrong for all +fragments but the first, affecting the transmission +of any skb with more than one fragment. + +Signed-off-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -1916,8 +1916,10 @@ static int skb_to_sg_fd(struct dpaa_priv + goto csum_failed; + } + ++ /* SGT[0] is used by the linear part */ + sgt = (struct qm_sg_entry *)(sgt_buf + priv->tx_headroom); +- qm_sg_entry_set_len(&sgt[0], skb_headlen(skb)); ++ frag_len = skb_headlen(skb); ++ qm_sg_entry_set_len(&sgt[0], frag_len); + sgt[0].bpid = FSL_DPAA_BPID_INV; + sgt[0].offset = 0; + addr = dma_map_single(dev, skb->data, +@@ -1930,9 +1932,9 @@ static int skb_to_sg_fd(struct dpaa_priv + qm_sg_entry_set64(&sgt[0], addr); + + /* populate the rest of SGT entries */ +- frag = &skb_shinfo(skb)->frags[0]; +- frag_len = frag->size; +- for (i = 1; i <= nr_frags; i++, frag++) { ++ for (i = 0; i < nr_frags; i++) { ++ frag = &skb_shinfo(skb)->frags[i]; ++ frag_len = frag->size; + WARN_ON(!skb_frag_page(frag)); + addr = skb_frag_dma_map(dev, frag, 0, + frag_len, dma_dir); +@@ -1942,15 +1944,16 @@ static int skb_to_sg_fd(struct dpaa_priv + goto sg_map_failed; + } + +- qm_sg_entry_set_len(&sgt[i], frag_len); +- sgt[i].bpid = FSL_DPAA_BPID_INV; +- sgt[i].offset = 0; ++ qm_sg_entry_set_len(&sgt[i + 1], frag_len); ++ sgt[i + 1].bpid = FSL_DPAA_BPID_INV; ++ sgt[i + 1].offset = 0; + + /* keep the offset in the address */ +- qm_sg_entry_set64(&sgt[i], addr); +- frag_len = frag->size; ++ qm_sg_entry_set64(&sgt[i + 1], addr); + } +- qm_sg_entry_set_f(&sgt[i - 1], frag_len); ++ ++ /* Set the final bit in the last used entry of the SGT */ ++ qm_sg_entry_set_f(&sgt[nr_frags], frag_len); + + qm_fd_set_sg(fd, priv->tx_headroom, skb->len); + diff --git a/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch b/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch new file mode 100644 index 00000000000..d3e4e534edd --- /dev/null +++ b/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Aaro Koskinen +Date: Fri, 16 Mar 2018 22:17:28 +0200 +Subject: drivers: macintosh: rack-meter: really fix bogus memsets + +From: Aaro Koskinen + +[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ] + +We should zero an array using sizeof instead of number of elements. + +Fixes the following compiler (GCC 7.3.0) warnings: + +drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause': +drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] +drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] + +Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets") +Reported-by: Stephen Rothwell +Signed-off-by: Aaro Koskinen +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/rack-meter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/macintosh/rack-meter.c ++++ b/drivers/macintosh/rack-meter.c +@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra + DBDMA_DO_STOP(rm->dma_regs); + return; + } +- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1)); +- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2)); ++ memset(rdma->buf1, 0, sizeof(rdma->buf1)); ++ memset(rdma->buf2, 0, sizeof(rdma->buf2)); + + rm->dma_buf_v->mark = 0; + diff --git a/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch b/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch new file mode 100644 index 00000000000..548fb61d511 --- /dev/null +++ b/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Tao +Date: Thu, 8 Feb 2018 16:04:25 -0500 +Subject: drm/amd/display: Set vsc pack revision when DPCD revision is >= 1.2 + +From: Tao + +[ Upstream commit 3b94a4007dcfd4ac5780cd3d8a2d99979c966073 ] + +Brightness couldn't change when booting up in DC mode. +It was because "psr_enabled" flag was not set to true before +setting vsc packet revision, causing packet rev setup was skipped. +Now instead of checking the psr flag, it checks if the DPCD_REV >= 1.2 +and set the vsc packet revision. + +Signed-off-by: Tao +Reviewed-by: Tony Cheng +Acked-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -35,6 +35,7 @@ + #include "core_types.h" + #include "set_mode_types.h" + #include "virtual/virtual_stream_encoder.h" ++#include "dpcd_defs.h" + + #include "dce80/dce80_resource.h" + #include "dce100/dce100_resource.h" +@@ -2428,7 +2429,8 @@ static void set_vsc_info_packet( + unsigned int vscPacketRevision = 0; + unsigned int i; + +- if (stream->sink->link->psr_enabled) { ++ /*VSC packet set to 2 when DP revision >= 1.2*/ ++ if (stream->sink->link->dpcd_caps.dpcd_rev.raw >= DPCD_REV_12) { + vscPacketRevision = 2; + } + diff --git a/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch b/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch new file mode 100644 index 00000000000..0a3a22b6f50 --- /dev/null +++ b/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch @@ -0,0 +1,85 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Monk Liu +Date: Tue, 23 Jan 2018 18:26:20 +0800 +Subject: drm/amdgpu: adjust timeout for ib_ring_tests(v2) + +From: Monk Liu + +[ Upstream commit dbf797655a43c6318ebb90b899e6583fcadc6472 ] + +issue: +sometime GFX/MM ib test hit timeout under SRIOV env, root cause +is that engine doesn't come back soon enough so the current +IB test considered as timed out. + +fix: +for SRIOV GFX IB test wait time need to be expanded a lot during +SRIOV runtimei mode since it couldn't really begin before GFX engine +come back. + +for SRIOV MM IB test it always need more time since MM scheduling +is not go together with GFX engine, it is controled by h/w MM +scheduler so no matter runtime or exclusive mode MM IB test +always need more time. + +v2: +use ring type instead of idx to judge + +Signed-off-by: Monk Liu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -321,14 +321,45 @@ int amdgpu_ib_ring_tests(struct amdgpu_d + { + unsigned i; + int r, ret = 0; ++ long tmo_gfx, tmo_mm; ++ ++ tmo_mm = tmo_gfx = AMDGPU_IB_TEST_TIMEOUT; ++ if (amdgpu_sriov_vf(adev)) { ++ /* for MM engines in hypervisor side they are not scheduled together ++ * with CP and SDMA engines, so even in exclusive mode MM engine could ++ * still running on other VF thus the IB TEST TIMEOUT for MM engines ++ * under SR-IOV should be set to a long time. 8 sec should be enough ++ * for the MM comes back to this VF. ++ */ ++ tmo_mm = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } ++ ++ if (amdgpu_sriov_runtime(adev)) { ++ /* for CP & SDMA engines since they are scheduled together so ++ * need to make the timeout width enough to cover the time ++ * cost waiting for it coming back under RUNTIME only ++ */ ++ tmo_gfx = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } + + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; ++ long tmo; + + if (!ring || !ring->ready) + continue; + +- r = amdgpu_ring_test_ib(ring, AMDGPU_IB_TEST_TIMEOUT); ++ /* MM engine need more time */ ++ if (ring->funcs->type == AMDGPU_RING_TYPE_UVD || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCE || ++ ring->funcs->type == AMDGPU_RING_TYPE_UVD_ENC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_DEC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) ++ tmo = tmo_mm; ++ else ++ tmo = tmo_gfx; ++ ++ r = amdgpu_ring_test_ib(ring, tmo); + if (r) { + ring->ready = false; + diff --git a/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch b/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch new file mode 100644 index 00000000000..801147883eb --- /dev/null +++ b/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Emily Deng +Date: Wed, 7 Mar 2018 09:47:43 +0800 +Subject: drm/amdgpu: Clean sdma wptr register when only enable wptr polling + +From: Emily Deng + +[ Upstream commit 4062119b9d958df33bcda703dc3ac646908fa861 ] + +The sdma wptr polling memory is not fast enough, then the sdma +wptr register will be random, and not equal to sdma rptr, which +will cause sdma engine hang when load driver, so clean up the sdma +wptr directly to fix this issue. + +v2:add comment above the code and correct coding style + +Reviewed-by: Xiangliang Yu +Reviewed-by: Christian König +Signed-off-by: Emily Deng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c +@@ -719,14 +719,17 @@ static int sdma_v3_0_gfx_resume(struct a + WREG32(mmSDMA0_GFX_RB_WPTR_POLL_ADDR_HI + sdma_offsets[i], + upper_32_bits(wptr_gpu_addr)); + wptr_poll_cntl = RREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i]); +- if (ring->use_pollmem) ++ if (ring->use_pollmem) { ++ /*wptr polling is not enogh fast, directly clean the wptr register */ ++ WREG32(mmSDMA0_GFX_RB_WPTR + sdma_offsets[i], 0); + wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl, + SDMA0_GFX_RB_WPTR_POLL_CNTL, + ENABLE, 1); +- else ++ } else { + wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl, + SDMA0_GFX_RB_WPTR_POLL_CNTL, + ENABLE, 0); ++ } + WREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i], wptr_poll_cntl); + + /* enable DMA RB */ diff --git a/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch b/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch new file mode 100644 index 00000000000..2293348a97b --- /dev/null +++ b/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Monk Liu +Date: Mon, 29 Jan 2018 19:24:32 +0800 +Subject: drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini + +From: Monk Liu + +[ Upstream commit 9f0178fb67699992d38601cb923b434f9986dd68 ] + +otherwise there will be DMAR reading error comes out from CP since +GFX is still alive and CPC's WPTR_POLL is still enabled, which would +lead to DMAR read error. + +fix: +we can hault CPG after hw_fini, but cannot halt CPC becaues KIQ +stil need to be alive to let RLCV invoke, but its WPTR_POLL could +be disabled. + +Signed-off-by: Monk Liu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -2954,7 +2954,13 @@ static int gfx_v9_0_hw_fini(void *handle + gfx_v9_0_kcq_disable(&adev->gfx.kiq.ring, &adev->gfx.compute_ring[i]); + + if (amdgpu_sriov_vf(adev)) { +- pr_debug("For SRIOV client, shouldn't do anything.\n"); ++ gfx_v9_0_cp_gfx_enable(adev, false); ++ /* must disable polling for SRIOV when hw finished, otherwise ++ * CPC engine may still keep fetching WB address which is already ++ * invalid after sw finished and trigger DMAR reading error in ++ * hypervisor side. ++ */ ++ WREG32_FIELD15(GC, 0, CP_PQ_WPTR_POLL_CNTL, EN, 0); + return 0; + } + gfx_v9_0_cp_enable(adev, false); diff --git a/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch b/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch new file mode 100644 index 00000000000..f1d57960b43 --- /dev/null +++ b/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch @@ -0,0 +1,28 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Oded Gabbay +Date: Thu, 15 Mar 2018 10:08:35 +0200 +Subject: drm/amdkfd: add missing include of mm.h + +From: Oded Gabbay + +[ Upstream commit 7420f482ea5163bf6dae39a5c7628d5397cd6307 ] + +This patch fixes kernel build in ARCH=frv + +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +@@ -26,6 +26,7 @@ + #define AMDGPU_AMDKFD_H_INCLUDED + + #include ++#include + #include + #include + diff --git a/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch b/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch new file mode 100644 index 00000000000..75035b707c0 --- /dev/null +++ b/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch @@ -0,0 +1,95 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Linus Walleij +Date: Mon, 5 Mar 2018 11:17:02 +0100 +Subject: drm/bridge: sii902x: Retry status read after DDI I2C + +From: Linus Walleij + +[ Upstream commit 2e7a66a8b5ebf1b04a866e5d7c981640f7f62934 ] + +The following happens when connection a DVI output driven +from the SiI9022 using a DVI-to-VGA adapter plug: + +i2c i2c-0: sendbytes: NAK bailout. +i2c i2c-0: sendbytes: NAK bailout. + +Then no picture. Apparently the I2C engine inside the SiI9022 +is not smart enough to try to fall back to DDC I2C. Or the +vendor have not integrated the electronics properly. I don't +know which one it is. + +After this, the I2C bus seems stalled and the first attempt to +read the status register fails, and the code returns with +negative return value, and the display fails to initialized. + +Instead, retry status readout five times and continue even +if this fails. + +Tested on the ARM Versatile Express with a DVI-to-VGA +connector, it now gives picture. + +Introduce a helper struct device *dev variable to make +the code more readable. + +Cc: Ville Syrjälä +Reviewed-by: Liviu Dudau +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20180305101702.13441-1-linus.walleij@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/sii902x.c ++++ b/drivers/gpu/drm/bridge/sii902x.c +@@ -137,7 +137,9 @@ static int sii902x_get_modes(struct drm_ + struct sii902x *sii902x = connector_to_sii902x(connector); + struct regmap *regmap = sii902x->regmap; + u32 bus_format = MEDIA_BUS_FMT_RGB888_1X24; ++ struct device *dev = &sii902x->i2c->dev; + unsigned long timeout; ++ unsigned int retries; + unsigned int status; + struct edid *edid; + int num = 0; +@@ -159,7 +161,7 @@ static int sii902x_get_modes(struct drm_ + time_before(jiffies, timeout)); + + if (!(status & SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to acquire the i2c bus\n"); ++ dev_err(dev, "failed to acquire the i2c bus\n"); + return -ETIMEDOUT; + } + +@@ -179,9 +181,19 @@ static int sii902x_get_modes(struct drm_ + if (ret) + return ret; + +- ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, &status); ++ /* ++ * Sometimes the I2C bus can stall after failure to use the ++ * EDID channel. Retry a few times to see if things clear ++ * up, else continue anyway. ++ */ ++ retries = 5; ++ do { ++ ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, ++ &status); ++ retries--; ++ } while (ret && retries); + if (ret) +- return ret; ++ dev_err(dev, "failed to read status (%d)\n", ret); + + ret = regmap_update_bits(regmap, SII902X_SYS_CTRL_DATA, + SII902X_SYS_CTRL_DDC_BUS_REQ | +@@ -201,7 +213,7 @@ static int sii902x_get_modes(struct drm_ + + if (status & (SII902X_SYS_CTRL_DDC_BUS_REQ | + SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to release the i2c bus\n"); ++ dev_err(dev, "failed to release the i2c bus\n"); + return -ETIMEDOUT; + } + diff --git a/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch b/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..ee1e9978a80 --- /dev/null +++ b/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:08 +0100 +Subject: drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit e770f6bf18182bc3af6ceec30189b6c323cbc157 ] + +'drm_vblank_init()' can fail. So handle this (unlikely) error. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/6cbf3d70ac3904489c7194c895225c4103aebb96.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -230,7 +230,10 @@ static int meson_drv_bind_master(struct + + priv->vsync_irq = platform_get_irq(pdev, 0); + +- drm_vblank_init(drm, 1); ++ ret = drm_vblank_init(drm, 1); ++ if (ret) ++ goto free_drm; ++ + drm_mode_config_init(drm); + drm->mode_config.max_width = 3840; + drm->mode_config.max_height = 2160; diff --git a/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch b/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..846aae879b7 --- /dev/null +++ b/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch @@ -0,0 +1,77 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:10 +0100 +Subject: drm/meson: Fix some error handling paths in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit 2c18107b9d58972588cd45d89b8f58d0f033c110 ] + +If one of these functions fail, we whould free 'drm', as alreadry done in +the other error handling paths, below and above. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/df47e03d36c2cf7bc37ec3105fc47c16555bd946.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -189,35 +189,43 @@ static int meson_drv_bind_master(struct + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "vpu"); + regs = devm_ioremap_resource(dev, res); +- if (IS_ERR(regs)) +- return PTR_ERR(regs); ++ if (IS_ERR(regs)) { ++ ret = PTR_ERR(regs); ++ goto free_drm; ++ } + + priv->io_base = regs; + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->hhi = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->hhi)) { + dev_err(&pdev->dev, "Couldn't create the HHI regmap\n"); +- return PTR_ERR(priv->hhi); ++ ret = PTR_ERR(priv->hhi); ++ goto free_drm; + } + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dmc"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->dmc = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->dmc)) { + dev_err(&pdev->dev, "Couldn't create the DMC regmap\n"); +- return PTR_ERR(priv->dmc); ++ ret = PTR_ERR(priv->dmc); ++ goto free_drm; + } + + priv->vsync_irq = platform_get_irq(pdev, 0); diff --git a/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch b/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch new file mode 100644 index 00000000000..f722c68dd15 --- /dev/null +++ b/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch @@ -0,0 +1,311 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Laurent Pinchart +Date: Sun, 11 Feb 2018 15:07:44 +0200 +Subject: drm: omapdrm: dss: Move initialization code from component bind to probe + +From: Laurent Pinchart + +[ Upstream commit 215003b4ae1d47035092fef73b6a22aa82037091 ] + +There's no reason to delay initialization of most of the driver (such as +mapping memory I/O, getting clocks or enabling runtime PM) to the +component master bind handler. + +This additionally fixes a real PM issue caused enabling runtime PM in +the bind handler. + +The bind handler performs the following sequence of PM operations: + + pm_runtime_enable(dev); + pm_runtime_get_sync(dev); + + ... (access the hardware to read the device revision) ... + + pm_runtime_put_sync(dev); + +If a failure occurs at this point, the error path calls +pm_runtime_disable() to balance the pm_runtime_enable() call. + +To understand the problem, it should be noted that the bind handler is +called when one of the component registers itself, which happens in the +component's probe handler. Furthermore, as the components are children +of the DSS, the device core calls pm_runtime_get_sync() on the DSS +platform device before calling the component's probe handler. This +increases the DSS power usage count but doesn't runtime resume the +device, as runtime PM is disabled at that point. + +The bind handler is thus called with runtime PM disabled, with the +device runtime suspended, but with the power usage count larger than 0. +The pm_runtime_get_sync() call will thus further increase the power +usage count and runtime resume the device. The pm_runtime_put_sync() +handler will decrease the power usage count to a non-zero value and will +thus not suspend the device. Finally, the pm_runtime_disable() call will +disable runtime PM, preventing the pm_runtime_put() call in the device +core from runtime suspending the device. The DSS device is thus left +powered on. + +To fix this, move the initialization code from the bind handler to the +probe handler. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Sebastian Reichel +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++++++++++++++++------------------ + 1 file changed, 104 insertions(+), 89 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1300,88 +1300,18 @@ static const struct soc_device_attribute + + static int dss_bind(struct device *dev) + { +- struct platform_device *pdev = to_platform_device(dev); +- struct resource *dss_mem; +- u32 rev; + int r; + +- dss_mem = platform_get_resource(dss.pdev, IORESOURCE_MEM, 0); +- dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); +- if (IS_ERR(dss.base)) +- return PTR_ERR(dss.base); +- +- r = dss_get_clocks(); ++ r = component_bind_all(dev, NULL); + if (r) + return r; + +- r = dss_setup_default_clock(); +- if (r) +- goto err_setup_clocks; +- +- r = dss_video_pll_probe(pdev); +- if (r) +- goto err_pll_init; +- +- r = dss_init_ports(pdev); +- if (r) +- goto err_init_ports; +- +- pm_runtime_enable(&pdev->dev); +- +- r = dss_runtime_get(); +- if (r) +- goto err_runtime_get; +- +- dss.dss_clk_rate = clk_get_rate(dss.dss_clk); +- +- /* Select DPLL */ +- REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); +- +- dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); +- +-#ifdef CONFIG_OMAP2_DSS_VENC +- REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ +- REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ +- REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ +-#endif +- dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; +- dss.dispc_clk_source = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; +- +- rev = dss_read_reg(DSS_REVISION); +- pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); +- +- dss_runtime_put(); +- +- r = component_bind_all(&pdev->dev, NULL); +- if (r) +- goto err_component; +- +- dss_debugfs_create_file("dss", dss_dump_regs); +- + pm_set_vt_switch(0); + + omapdss_gather_components(dev); + omapdss_set_is_initialized(true); + + return 0; +- +-err_component: +-err_runtime_get: +- pm_runtime_disable(&pdev->dev); +- dss_uninit_ports(pdev); +-err_init_ports: +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +-err_pll_init: +-err_setup_clocks: +- dss_put_clocks(); +- return r; + } + + static void dss_unbind(struct device *dev) +@@ -1391,18 +1321,6 @@ static void dss_unbind(struct device *de + omapdss_set_is_initialized(false); + + component_unbind_all(&pdev->dev, NULL); +- +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +- +- dss_uninit_ports(pdev); +- +- pm_runtime_disable(&pdev->dev); +- +- dss_put_clocks(); + } + + static const struct component_master_ops dss_component_ops = { +@@ -1434,10 +1352,46 @@ static int dss_add_child_component(struc + return 0; + } + ++static int dss_probe_hardware(void) ++{ ++ u32 rev; ++ int r; ++ ++ r = dss_runtime_get(); ++ if (r) ++ return r; ++ ++ dss.dss_clk_rate = clk_get_rate(dss.dss_clk); ++ ++ /* Select DPLL */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); ++ ++ dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); ++ ++#ifdef CONFIG_OMAP2_DSS_VENC ++ REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ ++ REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ ++#endif ++ dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; ++ dss.dispc_clk_source = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; ++ ++ rev = dss_read_reg(DSS_REVISION); ++ pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); ++ ++ dss_runtime_put(); ++ ++ return 0; ++} ++ + static int dss_probe(struct platform_device *pdev) + { + const struct soc_device_attribute *soc; + struct component_match *match = NULL; ++ struct resource *dss_mem; + int r; + + dss.pdev = pdev; +@@ -1458,20 +1412,69 @@ static int dss_probe(struct platform_dev + else + dss.feat = of_match_device(dss_of_match, &pdev->dev)->data; + +- r = dss_initialize_debugfs(); ++ /* Map I/O registers, get and setup clocks. */ ++ dss_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); ++ if (IS_ERR(dss.base)) ++ return PTR_ERR(dss.base); ++ ++ r = dss_get_clocks(); + if (r) + return r; + +- /* add all the child devices as components */ ++ r = dss_setup_default_clock(); ++ if (r) ++ goto err_put_clocks; ++ ++ /* Setup the video PLLs and the DPI and SDI ports. */ ++ r = dss_video_pll_probe(pdev); ++ if (r) ++ goto err_put_clocks; ++ ++ r = dss_init_ports(pdev); ++ if (r) ++ goto err_uninit_plls; ++ ++ /* Enable runtime PM and probe the hardware. */ ++ pm_runtime_enable(&pdev->dev); ++ ++ r = dss_probe_hardware(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ /* Initialize debugfs. */ ++ r = dss_initialize_debugfs(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ dss_debugfs_create_file("dss", dss_dump_regs); ++ ++ /* Add all the child devices as components. */ + device_for_each_child(&pdev->dev, &match, dss_add_child_component); + + r = component_master_add_with_match(&pdev->dev, &dss_component_ops, match); +- if (r) { +- dss_uninitialize_debugfs(); +- return r; +- } ++ if (r) ++ goto err_uninit_debugfs; + + return 0; ++ ++err_uninit_debugfs: ++ dss_uninitialize_debugfs(); ++ ++err_pm_runtime_disable: ++ pm_runtime_disable(&pdev->dev); ++ dss_uninit_ports(pdev); ++ ++err_uninit_plls: ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++err_put_clocks: ++ dss_put_clocks(); ++ ++ return r; + } + + static int dss_remove(struct platform_device *pdev) +@@ -1480,6 +1483,18 @@ static int dss_remove(struct platform_de + + dss_uninitialize_debugfs(); + ++ pm_runtime_disable(&pdev->dev); ++ ++ dss_uninit_ports(pdev); ++ ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++ dss_put_clocks(); ++ + return 0; + } + diff --git a/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch b/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch new file mode 100644 index 00000000000..21c6e561f81 --- /dev/null +++ b/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Eric Anholt +Date: Fri, 9 Mar 2018 15:33:32 -0800 +Subject: drm/panel: simple: Fix the bus format for the Ontat panel + +From: Eric Anholt + +[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ] + +This fixes bad color output. When I was first testing the device I +had the DPI hardware set to 666 mode, but apparently in the refactor +to use the bus_format information from the panel driver, I failed to +actually update the panel. + +Signed-off-by: Eric Anholt +Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit") +Cc: Thierry Reding +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1597,7 +1597,7 @@ static const struct panel_desc ontat_yx7 + .width = 154, + .height = 83, + }, +- .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18, + }; + + static const struct drm_display_mode ortustech_com43h4m85ulc_mode = { diff --git a/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch new file mode 100644 index 00000000000..c8814cb2445 --- /dev/null +++ b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:05 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 + +From: Sergei Shtylyov + +[ Upstream commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 ] + +According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS +and the bias circuit must be enabled after the LVDS I/O pins are +enabled, not before. Fix the Gen2 LVDS startup sequence accordingly. + +While at it, also fix the comment preceding the first LVDCR0 write that +still talks about hardcoding the LVDS mode 0. + +Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -59,11 +59,8 @@ static void rcar_du_lvdsenc_start_gen2(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + +- /* +- * Select the input, hardcode mode 0, enable LVDS operation and turn +- * bias circuitry on. +- */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_BEN | LVDCR0_LVEN; ++ /* Select the input and set the LVDS mode. */ ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; + if (rcrtc->index == 2) + lvdcr0 |= LVDCR0_DUSEL; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); +@@ -74,6 +71,10 @@ static void rcar_du_lvdsenc_start_gen2(s + LVDCR1_CHSTBY_GEN2(1) | LVDCR1_CHSTBY_GEN2(0) | + LVDCR1_CLKSTBY_GEN2); + ++ /* Enable LVDS operation and turn bias circuitry on. */ ++ lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* + * Turn the PLL on, wait for the startup delay, and turn the output + * on. diff --git a/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch new file mode 100644 index 00000000000..94277f8001a --- /dev/null +++ b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:04 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3 + +From: Sergei Shtylyov + +[ Upstream commit 796ceb9269626afaed3b4955c40d2c3d7a8c5d01 ] + +According to the latest revisions of the R-Car Gen3 manual, the LVDS mode +must be set before the LVDS I/O pins are enabled, not after -- fix the +Gen3 LVDS startup sequence accordingly. + +Fixes: e947eccbeba4 ("drm: rcar-du: Add support for LVDS mode selection") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +[Updated comment in rcar_du_lvdsenc_start_gen3()] +[Moved Gen2 startup comment update to separate commit] +[Fixed =| typo] +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -95,7 +95,7 @@ static void rcar_du_lvdsenc_start_gen3(s + u32 lvdcr0; + u32 pllcr; + +- /* PLL clock configuration */ ++ /* Set the PLL clock configuration and LVDS mode. */ + if (freq < 42000) + pllcr = LVDPLLCR_PLLDIVCNT_42M; + else if (freq < 85000) +@@ -107,6 +107,9 @@ static void rcar_du_lvdsenc_start_gen3(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* Turn all the channels on. */ + rcar_lvds_write(lvds, LVDCR1, + LVDCR1_CHSTBY_GEN3(3) | LVDCR1_CHSTBY_GEN3(2) | +@@ -117,7 +120,7 @@ static void rcar_du_lvdsenc_start_gen3(s + * Turn the PLL on, set it to LVDS normal mode, wait for the startup + * delay and turn the output on. + */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_PLLON; ++ lvdcr0 |= LVDCR0_PLLON; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + + lvdcr0 |= LVDCR0_PWD; diff --git a/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch b/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch new file mode 100644 index 00000000000..e38861eb5f6 --- /dev/null +++ b/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Ørjan Eide" +Date: Tue, 30 Jan 2018 21:28:33 +0100 +Subject: drm/rockchip: Respect page offset for PRIME mmap calls + +From: "Ørjan Eide" + +[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ] + +When mapping external DMA-bufs through the PRIME mmap call, we might be +given an offset which has to be respected. However for the internal DRM +GEM mmap path, we have to ignore the fake mmap offset used to identify +the buffer only. Currently the code always zeroes out vma->vm_pgoff, +which breaks the former. + +This patch fixes the problem by moving the vm_pgoff assignment to a +function that is used only for GEM mmap path, so that the PRIME path +retains the original offset. + +Cc: Daniel Kurtz +Signed-off-by: Ørjan Eide +Signed-off-by: Tomasz Figa +Signed-off-by: Sean Paul +Signed-off-by: Thierry Escande +Tested-by: Heiko Stuebner +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c +@@ -262,7 +262,6 @@ static int rockchip_drm_gem_object_mmap( + * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap(). + */ + vma->vm_flags &= ~VM_PFNMAP; +- vma->vm_pgoff = 0; + + if (rk_obj->pages) + ret = rockchip_drm_gem_object_mmap_iommu(obj, vma); +@@ -297,6 +296,12 @@ int rockchip_gem_mmap(struct file *filp, + if (ret) + return ret; + ++ /* ++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the ++ * whole buffer from the start. ++ */ ++ vma->vm_pgoff = 0; ++ + obj = vma->vm_private_data; + + return rockchip_drm_gem_object_mmap(obj, vma); diff --git a/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch b/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch new file mode 100644 index 00000000000..70b89a130ee --- /dev/null +++ b/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch @@ -0,0 +1,89 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Dhinakaran Pandiyan +Date: Fri, 2 Feb 2018 21:12:53 -0800 +Subject: drm/vblank: Data type fixes for 64-bit vblank sequences. + +From: Dhinakaran Pandiyan + +[ Upstream commit 3b765c0b765d2cc03ef02276f1af2658a03b3ced ] + +drm_vblank_count() has an u32 type returning what is a 64-bit vblank count. +The effect of this is when drm_wait_vblank_ioctl() tries to widen the user +space requested vblank sequence using this clipped 32-bit count(when the +value is >= 2^32) as reference, the requested sequence remains a 32-bit +value and gets queued like that. However, the code that checks if the +requested sequence has passed compares this against the 64-bit vblank +count. + +With drm_vblank_count() returning all bits of the vblank count, update +drm_crtc_accurate_vblank_count() so that drm_crtc_arm_vblank_event() queues +the correct sequence. Otherwise, this leads to prolonged waits for a vblank +sequence when the current count is >=2^32. + +Finally, fix drm_wait_one_vblank() too. + +v2: Commit message fix (Keith) + Squash commits (Rodrigo) + +Fixes: 570e86963a51 ("drm: Widen vblank count to 64-bits [v3]") +Cc: Keith Packard +Cc: Michel Dänzer +Cc: Daniel Vetter +Cc: Rodrigo Vivi +Signed-off-by: Dhinakaran Pandiyan +Acked-by: Daniel Vetter +Reviewed-by: Keith Packard +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20180203051302.9974-1-dhinakaran.pandiyan@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_vblank.c | 8 ++++---- + include/drm/drm_vblank.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/drm_vblank.c ++++ b/drivers/gpu/drm/drm_vblank.c +@@ -271,7 +271,7 @@ static void drm_update_vblank_count(stru + store_vblank(dev, pipe, diff, t_vblank, cur_vblank); + } + +-static u32 drm_vblank_count(struct drm_device *dev, unsigned int pipe) ++static u64 drm_vblank_count(struct drm_device *dev, unsigned int pipe) + { + struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + +@@ -292,11 +292,11 @@ static u32 drm_vblank_count(struct drm_d + * This is mostly useful for hardware that can obtain the scanout position, but + * doesn't have a hardware frame counter. + */ +-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc) ++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc) + { + struct drm_device *dev = crtc->dev; + unsigned int pipe = drm_crtc_index(crtc); +- u32 vblank; ++ u64 vblank; + unsigned long flags; + + WARN_ONCE(drm_debug & DRM_UT_VBL && !dev->driver->get_vblank_timestamp, +@@ -1055,7 +1055,7 @@ void drm_wait_one_vblank(struct drm_devi + { + struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + int ret; +- u32 last; ++ u64 last; + + if (WARN_ON(pipe >= dev->num_crtcs)) + return; +--- a/include/drm/drm_vblank.h ++++ b/include/drm/drm_vblank.h +@@ -179,7 +179,7 @@ void drm_crtc_wait_one_vblank(struct drm + void drm_crtc_vblank_off(struct drm_crtc *crtc); + void drm_crtc_vblank_reset(struct drm_crtc *crtc); + void drm_crtc_vblank_on(struct drm_crtc *crtc); +-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc); ++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc); + + bool drm_calc_vbltimestamp_from_scanoutpos(struct drm_device *dev, + unsigned int pipe, int *max_error, diff --git a/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch b/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch new file mode 100644 index 00000000000..f5ea4173e6c --- /dev/null +++ b/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch @@ -0,0 +1,91 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Thomas Hellstrom +Date: Thu, 22 Mar 2018 10:35:18 +0100 +Subject: drm/vmwgfx: Unpin the screen object backup buffer when not used + +From: Thomas Hellstrom + +[ Upstream commit 20fb5a635a0c8478ac98f15cfafc2ea83df29565 ] + +We were relying on the pinned screen object backup buffer to be destroyed +when not used. But if we hold a copy of the atomic state, like when +hibernating, the backup buffer might not be destroyed since it's +refcounted by the atomic state. This causes us to hibernate with a +buffer pinned in VRAM. + +Fix this by only having the buffer pinned when it is actually used by a +screen object. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Sinclair Yeh +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +@@ -453,7 +453,11 @@ vmw_sou_primary_plane_cleanup_fb(struct + struct drm_plane_state *old_state) + { + struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); ++ struct drm_crtc *crtc = plane->state->crtc ? ++ plane->state->crtc : old_state->crtc; + ++ if (vps->dmabuf) ++ vmw_dmabuf_unpin(vmw_priv(crtc->dev), vps->dmabuf, false); + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; + +@@ -491,10 +495,17 @@ vmw_sou_primary_plane_prepare_fb(struct + } + + size = new_state->crtc_w * new_state->crtc_h * 4; ++ dev_priv = vmw_priv(crtc->dev); + + if (vps->dmabuf) { +- if (vps->dmabuf_size == size) +- return 0; ++ if (vps->dmabuf_size == size) { ++ /* ++ * Note that this might temporarily up the pin-count ++ * to 2, until cleanup_fb() is called. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, ++ true); ++ } + + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; +@@ -504,7 +515,6 @@ vmw_sou_primary_plane_prepare_fb(struct + if (!vps->dmabuf) + return -ENOMEM; + +- dev_priv = vmw_priv(crtc->dev); + vmw_svga_enable(dev_priv); + + /* After we have alloced the backing store might not be able to +@@ -515,13 +525,16 @@ vmw_sou_primary_plane_prepare_fb(struct + &vmw_vram_ne_placement, + false, &vmw_dmabuf_bo_free); + vmw_overlay_resume_all(dev_priv); +- +- if (ret != 0) ++ if (ret) { + vps->dmabuf = NULL; /* vmw_dmabuf_init frees on error */ +- else +- vps->dmabuf_size = size; ++ return ret; ++ } + +- return ret; ++ /* ++ * TTM already thinks the buffer is pinned, but make sure the ++ * pin_count is upped. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, true); + } + + diff --git a/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch b/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch new file mode 100644 index 00000000000..4606f32e591 --- /dev/null +++ b/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Icenowy Zheng +Date: Fri, 16 Mar 2018 22:02:12 +0800 +Subject: dt-bindings: add device tree binding for Allwinner H6 main CCU + +From: Icenowy Zheng + +[ Upstream commit 2e08e4d2ff488424919d69dd211ac860a019ac1d ] + +The Allwinner H6 main CCU uses the internal oscillator of the SoC, which +is different with old SoCs' main CCU. + +Add device tree binding for the Allwinner H6 main CCU. + +Signed-off-by: Icenowy Zheng +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/clock/sunxi-ccu.txt | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/clock/sunxi-ccu.txt ++++ b/Documentation/devicetree/bindings/clock/sunxi-ccu.txt +@@ -20,6 +20,7 @@ Required properties : + - "allwinner,sun50i-a64-ccu" + - "allwinner,sun50i-a64-r-ccu" + - "allwinner,sun50i-h5-ccu" ++ - "allwinner,sun50i-h6-ccu" + - "nextthing,gr8-ccu" + + - reg: Must contain the registers base address and length +@@ -31,6 +32,9 @@ Required properties : + - #clock-cells : must contain 1 + - #reset-cells : must contain 1 + ++For the main CCU on H6, one more clock is needed: ++- "iosc": the SoC's internal frequency oscillator ++ + For the PRCM CCUs on A83T/H3/A64, two more clocks are needed: + - "pll-periph": the SoC's peripheral PLL from the main CCU + - "iosc": the SoC's internal frequency oscillator diff --git a/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch b/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch new file mode 100644 index 00000000000..74c08ace01f --- /dev/null +++ b/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Archit Taneja +Date: Wed, 17 Jan 2018 15:04:46 +0530 +Subject: dt-bindings: display: msm/dsi: Fix the PHY regulator supply props + +From: Archit Taneja + +[ Upstream commit 8c4905fd4939c59e0f7993ba34883e328eef4b59 ] + +The PHY regulator supply names vary across different PHY versions. +Mention explicitly which PHYs require which supplies. + +Cc: Rob Herring +Cc: devicetree@vger.kernel.org +Signed-off-by: Archit Taneja +Reviewed-by: Rob Herring +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/msm/dsi.txt | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/display/msm/dsi.txt ++++ b/Documentation/devicetree/bindings/display/msm/dsi.txt +@@ -102,7 +102,11 @@ Required properties: + - clocks: Phandles to device clocks. See [1] for details on clock bindings. + - clock-names: the following clocks are required: + * "iface" ++ For 28nm HPM/LP, 28nm 8960 PHYs: + - vddio-supply: phandle to vdd-io regulator device node ++ For 20nm PHY: ++- vddio-supply: phandle to vdd-io regulator device node ++- vcca-supply: phandle to vcca regulator device node + + Optional properties: + - qcom,dsi-phy-regulator-ldo-mode: Boolean value indicating if the LDO mode PHY diff --git a/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch b/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch new file mode 100644 index 00000000000..10879e8d8a7 --- /dev/null +++ b/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Mark Rutland +Date: Thu, 8 Mar 2018 08:00:09 +0000 +Subject: efi/arm*: Only register page tables when they exist + +From: Mark Rutland + +[ Upstream commit 6b31a2fa1e8f7bc6c2a474b4a12dad7a145cf83d ] + +Currently the arm/arm64 runtime code registers the runtime servies +pagetables with ptdump regardless of whether runtime services page +tables have been created. + +As efi_mm.pgd is NULL in these cases, attempting to dump the efi page +tables results in a NULL pointer dereference in the ptdump code: + +/sys/kernel/debug# cat efi_page_tables +[ 479.522600] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 479.522715] Mem abort info: +[ 479.522764] ESR = 0x96000006 +[ 479.522850] Exception class = DABT (current EL), IL = 32 bits +[ 479.522899] SET = 0, FnV = 0 +[ 479.522937] EA = 0, S1PTW = 0 +[ 479.528200] Data abort info: +[ 479.528230] ISV = 0, ISS = 0x00000006 +[ 479.528317] CM = 0, WnR = 0 +[ 479.528317] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000064ab0cb0 +[ 479.528449] [0000000000000000] *pgd=00000000fbbe4003, *pud=00000000fb66e003, *pmd=0000000000000000 +[ 479.528600] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 479.528664] Modules linked in: +[ 479.528699] CPU: 0 PID: 2457 Comm: cat Not tainted 4.15.0-rc3-00065-g2ad2ee7ecb5c-dirty #7 +[ 479.528799] Hardware name: FVP Base (DT) +[ 479.528899] pstate: 00400009 (nzcv daif +PAN -UAO) +[ 479.528941] pc : walk_pgd.isra.1+0x20/0x1d0 +[ 479.529011] lr : ptdump_walk_pgd+0x30/0x50 +[ 479.529105] sp : ffff00000bf4bc20 +[ 479.529185] x29: ffff00000bf4bc20 x28: 0000ffff9d22e000 +[ 479.529271] x27: 0000000000020000 x26: ffff80007b4c63c0 +[ 479.529358] x25: 00000000014000c0 x24: ffff80007c098900 +[ 479.529445] x23: ffff00000bf4beb8 x22: 0000000000000000 +[ 479.529532] x21: ffff00000bf4bd70 x20: 0000000000000001 +[ 479.529618] x19: ffff00000bf4bcb0 x18: 0000000000000000 +[ 479.529760] x17: 000000000041a1c8 x16: ffff0000082139d8 +[ 479.529800] x15: 0000ffff9d3c6030 x14: 0000ffff9d2527f4 +[ 479.529924] x13: 00000000000003f3 x12: 0000000000000038 +[ 479.530000] x11: 0000000000000003 x10: 0101010101010101 +[ 479.530099] x9 : 0000000017e94050 x8 : 000000000000003f +[ 479.530226] x7 : 0000000000000000 x6 : 0000000000000000 +[ 479.530313] x5 : 0000000000000001 x4 : 0000000000000000 +[ 479.530416] x3 : ffff000009069fd8 x2 : 0000000000000000 +[ 479.530500] x1 : 0000000000000000 x0 : 0000000000000000 +[ 479.530599] Process cat (pid: 2457, stack limit = 0x000000005d1b0e6f) +[ 479.530660] Call trace: +[ 479.530746] walk_pgd.isra.1+0x20/0x1d0 +[ 479.530833] ptdump_walk_pgd+0x30/0x50 +[ 479.530907] ptdump_show+0x10/0x20 +[ 479.530920] seq_read+0xc8/0x470 +[ 479.531023] full_proxy_read+0x60/0x90 +[ 479.531100] __vfs_read+0x18/0x100 +[ 479.531180] vfs_read+0x88/0x160 +[ 479.531267] SyS_read+0x48/0xb0 +[ 479.531299] el0_svc_naked+0x20/0x24 +[ 479.531400] Code: 91400420 f90033a0 a90707a2 f9403fa0 (f9400000) +[ 479.531499] ---[ end trace bfe8e28d8acb2b67 ]--- +Segmentation fault + +Let's avoid this problem by only registering the tables after their +successful creation, which is also less confusing when EFI runtime +services are not in use. + +Reported-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20180308080020.22828-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/arm-runtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/efi/arm-runtime.c ++++ b/drivers/firmware/efi/arm-runtime.c +@@ -54,6 +54,9 @@ static struct ptdump_info efi_ptdump_inf + + static int __init ptdump_init(void) + { ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + return ptdump_debugfs_register(&efi_ptdump_info, "efi_page_tables"); + } + device_initcall(ptdump_init); diff --git a/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch b/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch new file mode 100644 index 00000000000..7afa3a88d44 --- /dev/null +++ b/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Govindarajulu Varadarajan +Date: Thu, 1 Mar 2018 11:07:23 -0800 +Subject: enic: enable rq before updating rq descriptors + +From: Govindarajulu Varadarajan + +[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ] + +rq should be enabled before posting the buffers to rq desc. If not hw sees +stale value and casuses DMAR errors. + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1898,6 +1898,8 @@ static int enic_open(struct net_device * + } + + for (i = 0; i < enic->rq_count; i++) { ++ /* enable rq before updating rq desc */ ++ vnic_rq_enable(&enic->rq[i]); + vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf); + /* Need at least one buffer on ring to get going */ + if (vnic_rq_desc_used(&enic->rq[i]) == 0) { +@@ -1909,8 +1911,6 @@ static int enic_open(struct net_device * + + for (i = 0; i < enic->wq_count; i++) + vnic_wq_enable(&enic->wq[i]); +- for (i = 0; i < enic->rq_count; i++) +- vnic_rq_enable(&enic->rq[i]); + + if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) + enic_dev_add_station_addr(enic); +@@ -1936,8 +1936,12 @@ static int enic_open(struct net_device * + return 0; + + err_out_free_rq: +- for (i = 0; i < enic->rq_count; i++) ++ for (i = 0; i < enic->rq_count; i++) { ++ err = vnic_rq_disable(&enic->rq[i]); ++ if (err) ++ return err; + vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ } + enic_dev_notify_unset(enic); + err_out_free_intr: + enic_unset_affinity_hint(enic); diff --git a/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch b/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch new file mode 100644 index 00000000000..adb35798b39 --- /dev/null +++ b/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Eric Sandeen +Date: Thu, 22 Mar 2018 11:59:00 -0400 +Subject: ext4: don't complain about incorrect features when probing + +From: Eric Sandeen + +[ Upstream commit 0d9366d67bcf066b028e57d09c9a86ce879bcc28 ] + +If mount is auto-probing for filesystem type, it will try various +filesystems in order, with the MS_SILENT flag set. We get +that flag as the silent arg to ext4_fill_super. + +If we're probing (silent==1) then don't complain about feature +incompatibilities that are found if it looks like it's actually +a different valid extN type - failed probes should be silent +in this case. + +If the on-disk features are unknown even to ext4, then complain. + +Reported-by: Joakim Tjernlund +Tested-by: Joakim Tjernlund +Signed-off-by: Eric Sandeen +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3663,6 +3663,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext2 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext[34] filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext2 due " + "to feature incompatibilities"); + goto failed_mount; +@@ -3674,6 +3680,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext3 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext4 filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext3 due " + "to feature incompatibilities"); + goto failed_mount; diff --git a/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch b/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch new file mode 100644 index 00000000000..d12fcf59469 --- /dev/null +++ b/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Chao Yu +Date: Sat, 27 Jan 2018 17:29:49 +0800 +Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree + +From: Chao Yu + +[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ] + +If noextent_cache mount option is on, we will never initialize extent tree +in inode, but still we're going to access it in f2fs_drop_extent_tree, +result in kernel panic as below: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 + IP: _raw_write_lock+0xc/0x30 + Call Trace: + ? f2fs_drop_extent_tree+0x41/0x70 [f2fs] + f2fs_fallocate+0x5a0/0xdd0 [f2fs] + ? common_file_perm+0x47/0xc0 + ? apparmor_file_permission+0x1a/0x20 + vfs_fallocate+0x15b/0x290 + SyS_fallocate+0x44/0x70 + do_syscall_64+0x6e/0x160 + entry_SYSCALL64_slow_path+0x25/0x25 + +This patch fixes to check extent cache status before using in +f2fs_drop_extent_tree. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -706,6 +706,9 @@ void f2fs_drop_extent_tree(struct inode + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct extent_tree *et = F2FS_I(inode)->extent_tree; + ++ if (!f2fs_may_extent_tree(inode)) ++ return; ++ + set_inode_flag(inode, FI_NO_EXTENT); + + write_lock(&et->lock); diff --git a/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch b/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch new file mode 100644 index 00000000000..5e04c9b1d55 --- /dev/null +++ b/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Chao Yu +Date: Wed, 31 Jan 2018 09:30:34 +0800 +Subject: f2fs: fix to clear CP_TRIMMED_FLAG + +From: Chao Yu + +[ Upstream commit cd36d7a17f9da68be9aa67185ba3ad7969934a19 ] + +Once CP_TRIMMED_FLAG is set, after a reboot, we will never issue discard +before LBA becomes invalid again, fix it by clearing the flag in +checkpoint without CP_TRIMMED reason. + +Fixes: 1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1136,6 +1136,8 @@ static void update_ckpt_flags(struct f2f + + if (cpc->reason & CP_TRIMMED) + __set_ckpt_flags(ckpt, CP_TRIMMED_FLAG); ++ else ++ __clear_ckpt_flags(ckpt, CP_TRIMMED_FLAG); + + if (cpc->reason & CP_UMOUNT) + __set_ckpt_flags(ckpt, CP_UMOUNT_FLAG); diff --git a/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch b/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch new file mode 100644 index 00000000000..b5720dffc07 --- /dev/null +++ b/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Chao Yu +Date: Sun, 25 Feb 2018 23:38:21 +0800 +Subject: f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range + +From: Chao Yu + +[ Upstream commit 17cd07ae95073c298af92c1ba14ac58ce84de33b ] + +As Jayashree Mohan reported: + +A simple workload to reproduce this would be : +1. create foo +2. Write (8K - 16K) // foo size = 16K now +3. fsync() +4. falloc zero_range , keep_size (4202496 - 4210688) // foo size must be 16K +5. fdatasync() +Crash now + +On recovery, we see that the file size is 4210688 and not 16K, which +violates the semantics of keep_size flag. We have a test case to +reproduce this using CrashMonkey on 4.15 kernel. Try this out by +simply running : + ./c_harness -f /dev/sda -d /dev/cow_ram0 -t f2fs -e 102400 -P -v + tests/generic_468_zero.so + +The root cause is that we miss to set KEEP_SIZE bit correctly in zero_range +when zeroing block cross EOF with FALLOC_FL_KEEP_SIZE, let's fix this +missing case. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1348,8 +1348,12 @@ static int f2fs_zero_range(struct inode + } + + out: +- if (!(mode & FALLOC_FL_KEEP_SIZE) && i_size_read(inode) < new_size) +- f2fs_i_size_write(inode, new_size); ++ if (new_size > i_size_read(inode)) { ++ if (mode & FALLOC_FL_KEEP_SIZE) ++ file_set_keep_isize(inode); ++ else ++ f2fs_i_size_write(inode, new_size); ++ } + out_sem: + up_write(&F2FS_I(inode)->i_mmap_sem); + diff --git a/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch b/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch new file mode 100644 index 00000000000..4bc4366ec3d --- /dev/null +++ b/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch @@ -0,0 +1,127 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Gao Xiang +Date: Sat, 10 Feb 2018 12:12:51 +0800 +Subject: f2fs: flush cp pack except cp pack 2 page at first + +From: Gao Xiang + +[ Upstream commit 46706d5917f4457a6befe7a39a15c89dbb1ce9ca ] + +Previously, we attempt to flush the whole cp pack in a single bio, +however, when suddenly powering off at this time, we could get into +an extreme scenario that cp pack 1 page and cp pack 2 page are updated +and latest, but payload or current summaries are still partially +outdated. (see reliable write in the UFS specification) + +This patch submits the whole cp pack except cp pack 2 page at first, +and then writes the cp pack 2 page with an extra independent +bio with pre-io barrier. + +Signed-off-by: Gao Xiang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 69 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 46 insertions(+), 23 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1162,6 +1162,39 @@ static void update_ckpt_flags(struct f2f + spin_unlock_irqrestore(&sbi->cp_lock, flags); + } + ++static void commit_checkpoint(struct f2fs_sb_info *sbi, ++ void *src, block_t blk_addr) ++{ ++ struct writeback_control wbc = { ++ .for_reclaim = 0, ++ }; ++ ++ /* ++ * pagevec_lookup_tag and lock_page again will take ++ * some extra time. Therefore, update_meta_pages and ++ * sync_meta_pages are combined in this function. ++ */ ++ struct page *page = grab_meta_page(sbi, blk_addr); ++ int err; ++ ++ memcpy(page_address(page), src, PAGE_SIZE); ++ set_page_dirty(page); ++ ++ f2fs_wait_on_page_writeback(page, META, true); ++ f2fs_bug_on(sbi, PageWriteback(page)); ++ if (unlikely(!clear_page_dirty_for_io(page))) ++ f2fs_bug_on(sbi, 1); ++ ++ /* writeout cp pack 2 page */ ++ err = __f2fs_write_meta_page(page, &wbc, FS_CP_META_IO); ++ f2fs_bug_on(sbi, err); ++ ++ f2fs_put_page(page, 0); ++ ++ /* submit checkpoint (with barrier if NOBARRIER is not set) */ ++ f2fs_submit_merged_write(sbi, META_FLUSH); ++} ++ + static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + { + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); +@@ -1264,16 +1297,6 @@ static int do_checkpoint(struct f2fs_sb_ + } + } + +- /* need to wait for end_io results */ +- wait_on_all_pages_writeback(sbi); +- if (unlikely(f2fs_cp_error(sbi))) +- return -EIO; +- +- /* flush all device cache */ +- err = f2fs_flush_device_cache(sbi); +- if (err) +- return err; +- + /* write out checkpoint buffer at block 0 */ + update_meta_page(sbi, ckpt, start_blk++); + +@@ -1301,26 +1324,26 @@ static int do_checkpoint(struct f2fs_sb_ + start_blk += NR_CURSEG_NODE_TYPE; + } + +- /* writeout checkpoint block */ +- update_meta_page(sbi, ckpt, start_blk); ++ /* update user_block_counts */ ++ sbi->last_valid_block_count = sbi->total_valid_block_count; ++ percpu_counter_set(&sbi->alloc_valid_block_count, 0); + +- /* wait for previous submitted node/meta pages writeback */ ++ /* Here, we have one bio having CP pack except cp pack 2 page */ ++ sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO); ++ ++ /* wait for previous submitted meta pages writeback */ + wait_on_all_pages_writeback(sbi); + + if (unlikely(f2fs_cp_error(sbi))) + return -EIO; + +- filemap_fdatawait_range(NODE_MAPPING(sbi), 0, LLONG_MAX); +- filemap_fdatawait_range(META_MAPPING(sbi), 0, LLONG_MAX); +- +- /* update user_block_counts */ +- sbi->last_valid_block_count = sbi->total_valid_block_count; +- percpu_counter_set(&sbi->alloc_valid_block_count, 0); +- +- /* Here, we only have one bio having CP pack */ +- sync_meta_pages(sbi, META_FLUSH, LONG_MAX, FS_CP_META_IO); ++ /* flush all device cache */ ++ err = f2fs_flush_device_cache(sbi); ++ if (err) ++ return err; + +- /* wait for previous submitted meta pages writeback */ ++ /* barrier and flush checkpoint cp pack 2 page if it can */ ++ commit_checkpoint(sbi, ckpt, start_blk); + wait_on_all_pages_writeback(sbi); + + release_ino_entry(sbi, false); diff --git a/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch b/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch new file mode 100644 index 00000000000..31a36002900 --- /dev/null +++ b/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch @@ -0,0 +1,96 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jan Kara +Date: Wed, 21 Feb 2018 14:10:59 +0100 +Subject: fanotify: Avoid lost events due to ENOMEM for unlimited queues + +From: Jan Kara + +[ Upstream commit 1f5eaa90010ed7cf0ae90a526c48657d02c6086f ] + +Fanotify queues of unlimited length do not expect events can be lost. +Since these queues are used for system auditing and other security +related tasks, loosing events can even have security implications. +Currently, since the allocation is small (32-bytes), it cannot fail +however when we start accounting events in memcgs, allocation can start +failing. So avoid loosing events due to failure to allocate memory by +making event allocation use __GFP_NOFAIL. + +Reviewed-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify.c | 19 ++++++++++++++----- + fs/notify/fanotify/fanotify.h | 3 ++- + fs/notify/fanotify/fanotify_user.c | 2 +- + 3 files changed, 17 insertions(+), 7 deletions(-) + +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -135,23 +135,32 @@ static bool fanotify_should_send_event(s + return false; + } + +-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask, ++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group, ++ struct inode *inode, u32 mask, + const struct path *path) + { + struct fanotify_event_info *event; ++ gfp_t gfp = GFP_KERNEL; ++ ++ /* ++ * For queues with unlimited length lost events are not expected and ++ * can possibly have security implications. Avoid losing events when ++ * memory is short. ++ */ ++ if (group->max_events == UINT_MAX) ++ gfp |= __GFP_NOFAIL; + + if (fanotify_is_perm_event(mask)) { + struct fanotify_perm_event_info *pevent; + +- pevent = kmem_cache_alloc(fanotify_perm_event_cachep, +- GFP_KERNEL); ++ pevent = kmem_cache_alloc(fanotify_perm_event_cachep, gfp); + if (!pevent) + return NULL; + event = &pevent->fae; + pevent->response = 0; + goto init; + } +- event = kmem_cache_alloc(fanotify_event_cachep, GFP_KERNEL); ++ event = kmem_cache_alloc(fanotify_event_cachep, gfp); + if (!event) + return NULL; + init: __maybe_unused +@@ -206,7 +215,7 @@ static int fanotify_handle_event(struct + return 0; + } + +- event = fanotify_alloc_event(inode, mask, data); ++ event = fanotify_alloc_event(group, inode, mask, data); + ret = -ENOMEM; + if (unlikely(!event)) + goto finish; +--- a/fs/notify/fanotify/fanotify.h ++++ b/fs/notify/fanotify/fanotify.h +@@ -52,5 +52,6 @@ static inline struct fanotify_event_info + return container_of(fse, struct fanotify_event_info, fse); + } + +-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask, ++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group, ++ struct inode *inode, u32 mask, + const struct path *path); +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -757,7 +757,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned + group->fanotify_data.user = user; + atomic_inc(&user->fanotify_listeners); + +- oevent = fanotify_alloc_event(NULL, FS_Q_OVERFLOW, NULL); ++ oevent = fanotify_alloc_event(group, NULL, FS_Q_OVERFLOW, NULL); + if (unlikely(!oevent)) { + fd = -ENOMEM; + goto out_destroy_group; diff --git a/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch b/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch new file mode 100644 index 00000000000..6cbb8f96f6a --- /dev/null +++ b/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Jean Delvare +Date: Fri, 13 Apr 2018 15:37:59 +0200 +Subject: firmware: dmi_scan: Fix UUID length safety check + +From: Jean Delvare + +[ Upstream commit 90fe6f8ff00a07641ca893d64f75ca22ce77cca2 ] + +The test which ensures that the DMI type 1 structure is long enough +to hold the UUID is off by one. It would fail if the structure is +exactly 24 bytes long, while that's sufficient to hold the UUID. + +I don't expect this bug to cause problem in practice because all +implementations I have seen had length 8, 25 or 27 bytes, in line +with the SMBIOS specifications. But let's fix it still. + +Signed-off-by: Jean Delvare +Fixes: a814c3597a6b ("firmware: dmi_scan: Check DMI structure length") +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/dmi_scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -186,7 +186,7 @@ static void __init dmi_save_uuid(const s + char *s; + int is_ff = 1, is_00 = 1, i; + +- if (dmi_ident[slot] || dm->length <= index + 16) ++ if (dmi_ident[slot] || dm->length < index + 16) + return; + + d = (u8 *) dm + index; diff --git a/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch b/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch new file mode 100644 index 00000000000..f6df41a159c --- /dev/null +++ b/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch @@ -0,0 +1,68 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Luis R. Rodriguez" +Date: Sat, 10 Mar 2018 06:14:56 -0800 +Subject: firmware: fix checking for return values for fw_add_devm_name() + +From: "Luis R. Rodriguez" + +[ Upstream commit d15d7311550983be97dca44ad68cbc2ca001297b ] + +Currently fw_add_devm_name() returns 1 if the firmware cache +was already set. This makes it complicated for us to check for +correctness. It is actually non-fatal if the firmware cache +is already setup, so just return 0, and simplify the checkers. + +fw_add_devm_name() adds device's name onto the devres for the +device so that prior to suspend we cache the firmware onto memory, +so that on resume the firmware is reliably available. We never +were checking for success for this call though, meaning in some +really rare cases we my have never setup the firmware cache for +a device, which could in turn make resume fail. + +This is all theoretical, no known issues have been reported. +This small issue has been present way since the addition of the +devres firmware cache names on v3.7. + +Fixes: f531f05ae9437 ("firmware loader: store firmware name into devres list") +Signed-off-by: Luis R. Rodriguez +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_class.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -524,7 +524,7 @@ static int fw_add_devm_name(struct devic + + fwn = fw_find_devm_name(dev, name); + if (fwn) +- return 1; ++ return 0; + + fwn = devres_alloc(fw_name_devm_release, sizeof(struct fw_name_devm), + GFP_KERNEL); +@@ -552,6 +552,7 @@ static int assign_fw(struct firmware *fw + unsigned int opt_flags) + { + struct fw_priv *fw_priv = fw->priv; ++ int ret; + + mutex_lock(&fw_lock); + if (!fw_priv->size || fw_state_is_aborted(fw_priv)) { +@@ -568,8 +569,13 @@ static int assign_fw(struct firmware *fw + */ + /* don't cache firmware handled without uevent */ + if (device && (opt_flags & FW_OPT_UEVENT) && +- !(opt_flags & FW_OPT_NOCACHE)) +- fw_add_devm_name(device, fw_priv->fw_name); ++ !(opt_flags & FW_OPT_NOCACHE)) { ++ ret = fw_add_devm_name(device, fw_priv->fw_name); ++ if (ret) { ++ mutex_unlock(&fw_lock); ++ return ret; ++ } ++ } + + /* + * After caching firmware image is started, let it piggyback diff --git a/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch b/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch new file mode 100644 index 00000000000..34b2777bf49 --- /dev/null +++ b/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Carlos Maiolino +Date: Tue, 10 Apr 2018 22:39:04 -0700 +Subject: Force log to disk before reading the AGF during a fstrim + +From: Carlos Maiolino + +[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ] + +Forcing the log to disk after reading the agf is wrong, we might be +calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held. + +This can cause a deadlock when racing a fstrim with a filesystem +shutdown. + +The deadlock has been identified due a miscalculation bug in device-mapper +dm-thin, which returns lack of space to its users earlier than the device itself +really runs out of space, changing the device-mapper volume into an error state. + +The problem happened while filling the filesystem with a single file, +triggering the bug in device-mapper, consequently causing an IO error +and shutting down the filesystem. + +If such file is removed, and fstrim executed before the XFS finishes the +shut down process, the fstrim process will end up holding the buffer +lock, and going to sleep on the cil wait queue. + +At this point, the shut down process will try to wake up all the threads +waiting on the cil wait queue, but for this, it will try to hold the +same buffer log already held my the fstrim, locking up the filesystem. + +Signed-off-by: Carlos Maiolino +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_discard.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/xfs/xfs_discard.c ++++ b/fs/xfs/xfs_discard.c +@@ -50,19 +50,19 @@ xfs_trim_extents( + + pag = xfs_perag_get(mp, agno); + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); +- if (error || !agbp) +- goto out_put_perag; +- +- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); +- + /* + * Force out the log. This means any transactions that might have freed +- * space before we took the AGF buffer lock are now on disk, and the ++ * space before we take the AGF buffer lock are now on disk, and the + * volatile disk cache is flushed. + */ + xfs_log_force(mp, XFS_LOG_SYNC); + ++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ if (error || !agbp) ++ goto out_put_perag; ++ ++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); ++ + /* + * Look up the longest btree in the AGF and start with it. + */ diff --git a/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch b/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch new file mode 100644 index 00000000000..ab594232c42 --- /dev/null +++ b/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Danilo Krummrich +Date: Tue, 10 Apr 2018 16:31:38 -0700 +Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table + +From: Danilo Krummrich + +[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ] + +proc_sys_link_fill_cache() does not take currently unregistering sysctl +tables into account, which might result into a page fault in +sysctl_follow_link() - add a check to fix it. + +This bug has been present since v3.4. + +Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: Danilo Krummrich +Acked-by: Kees Cook +Reviewed-by: Andrew Morton +Cc: "Luis R . Rodriguez" +Cc: "Eric W. Biederman" +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(str + struct ctl_table *table) + { + bool ret = true; ++ + head = sysctl_head_grab(head); ++ if (IS_ERR(head)) ++ return false; + + if (S_ISLNK(table->mode)) { + /* It is not an error if we can not follow the link ignore it */ diff --git a/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch b/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch new file mode 100644 index 00000000000..1a408ba8ae1 --- /dev/null +++ b/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: David Howells +Date: Wed, 4 Apr 2018 13:41:26 +0100 +Subject: fscache: Fix hanging wait on page discarded by writeback + +From: David Howells + +[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ] + +If the fscache asynchronous write operation elects to discard a page that's +pending storage to the cache because the page would be over the store limit +then it needs to wake the page as someone may be waiting on completion of +the write. + +The problem is that the store limit may be updated by a different +asynchronous operation - and so may miss the write - and that the store +limit may not even get updated until later by the netfs. + +Fix the kernel hang by making fscache_write_op() mark as written any pages +that are over the limit. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/page.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/fscache/page.c ++++ b/fs/fscache/page.c +@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca + + _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); + ++again: + spin_lock(&object->lock); + cookie = object->cookie; + +@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca + goto superseded; + page = results[0]; + _debug("gang %d [%lx]", n, page->index); +- if (page->index >= op->store_limit) { +- fscache_stat(&fscache_n_store_pages_over_limit); +- goto superseded; +- } + + radix_tree_tag_set(&cookie->stores, page->index, + FSCACHE_COOKIE_STORING_TAG); +@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca + spin_unlock(&cookie->stores_lock); + spin_unlock(&object->lock); + ++ if (page->index >= op->store_limit) ++ goto discard_page; ++ + fscache_stat(&fscache_n_store_pages); + fscache_stat(&fscache_n_cop_write_page); + ret = object->cache->ops->write_page(op, page); +@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca + _leave(""); + return; + ++discard_page: ++ fscache_stat(&fscache_n_store_pages_over_limit); ++ fscache_end_page_write(object, page); ++ goto again; ++ + superseded: + /* this writer is going away and there aren't any more things to + * write */ diff --git a/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch b/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch new file mode 100644 index 00000000000..f75fb2fc9b8 --- /dev/null +++ b/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Thomas Gleixner +Date: Wed, 4 Apr 2018 12:40:07 +0200 +Subject: genirq/affinity: Don't return with empty affinity masks on error + +From: Thomas Gleixner + +[ Upstream commit 0211e12dd0a5385ecffd3557bc570dbad7fcf245 ] + +When the allocation of node_to_possible_cpumask fails, then +irq_create_affinity_masks() returns with a pointer to the empty affinity +masks array, which will cause malfunction. + +Reorder the allocations so the masks array allocation comes last and every +failure path returns NULL. + +Fixes: 9a0ef98e186d ("genirq/affinity: Assign vectors to all present CPUs") +Signed-off-by: Thomas Gleixner +Cc: Christoph Hellwig +Cc: Ming Lei +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/affinity.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/kernel/irq/affinity.c ++++ b/kernel/irq/affinity.c +@@ -108,7 +108,7 @@ irq_create_affinity_masks(int nvecs, con + int affv = nvecs - affd->pre_vectors - affd->post_vectors; + int last_affv = affv + affd->pre_vectors; + nodemask_t nodemsk = NODE_MASK_NONE; +- struct cpumask *masks; ++ struct cpumask *masks = NULL; + cpumask_var_t nmsk, *node_to_possible_cpumask; + + /* +@@ -121,13 +121,13 @@ irq_create_affinity_masks(int nvecs, con + if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL)) + return NULL; + +- masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL); +- if (!masks) +- goto out; +- + node_to_possible_cpumask = alloc_node_to_possible_cpumask(); + if (!node_to_possible_cpumask) +- goto out; ++ goto outcpumsk; ++ ++ masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL); ++ if (!masks) ++ goto outnodemsk; + + /* Fill out vectors at the beginning that don't need affinity */ + for (curvec = 0; curvec < affd->pre_vectors; curvec++) +@@ -192,8 +192,9 @@ done: + /* Fill out vectors at the end that don't need affinity */ + for (; curvec < nvecs; curvec++) + cpumask_copy(masks + curvec, irq_default_affinity); ++outnodemsk: + free_node_to_possible_cpumask(node_to_possible_cpumask); +-out: ++outcpumsk: + free_cpumask_var(nmsk); + return masks; + } diff --git a/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch b/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch new file mode 100644 index 00000000000..0a4823e84de --- /dev/null +++ b/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Andreas Gruenbacher +Date: Fri, 23 Mar 2018 07:33:25 -0700 +Subject: gfs2: Check for the end of metadata in punch_hole + +From: Andreas Gruenbacher + +[ Upstream commit bb491ce67aa7c1635e5ae4f2f304a7d13d3dbe71 ] + +When punching a hole or truncating an inode down to a given size, also +check if the truncate point / start of the hole is within the range we +have metadata for. Otherwise, we can end up freeing blocks that +shouldn't be freed, corrupting the inode, or crashing the machine when +trying to punch a hole into the void. + +When growing an inode via truncate, we set the new size but we don't +allocate additional levels of indirect blocks and grow the inode height. +When shrinking that inode again, the new size may still point beyond the +end of the inode's metadata. + +Fixes xfstest generic/476. + +Debugged-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/bmap.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1344,6 +1344,7 @@ static inline bool walk_done(struct gfs2 + static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); ++ u64 maxsize = sdp->sd_heightsize[ip->i_height]; + struct metapath mp = {}; + struct buffer_head *dibh, *bh; + struct gfs2_holder rd_gh; +@@ -1359,6 +1360,14 @@ static int punch_hole(struct gfs2_inode + u64 prev_bnr = 0; + __be64 *start, *end; + ++ if (offset >= maxsize) { ++ /* ++ * The starting point lies beyond the allocated meta-data; ++ * there are no blocks do deallocate. ++ */ ++ return 0; ++ } ++ + /* + * The start position of the hole is defined by lblock, start_list, and + * start_aligned. The end position of the hole is defined by lend, +@@ -1372,7 +1381,6 @@ static int punch_hole(struct gfs2_inode + */ + + if (length) { +- u64 maxsize = sdp->sd_heightsize[ip->i_height]; + u64 end_offset = offset + length; + u64 lend; + diff --git a/queue-4.16/gfs2-fix-fallocate-chunk-size.patch b/queue-4.16/gfs2-fix-fallocate-chunk-size.patch new file mode 100644 index 00000000000..19e05603fba --- /dev/null +++ b/queue-4.16/gfs2-fix-fallocate-chunk-size.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Andreas Gruenbacher +Date: Tue, 20 Feb 2018 08:03:24 -0700 +Subject: gfs2: Fix fallocate chunk size + +From: Andreas Gruenbacher + +[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ] + +The chunk size of allocations in __gfs2_fallocate is calculated +incorrectly. The size can collapse, causing __gfs2_fallocate to +allocate one block at a time, which is very inefficient. This needs +fixing in two places: + +In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate +that there is no quota limit. This fixes callers that rely on +ap->allowed to be set even when quotas are off. + +In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the +loop to make sure that allocation limits from one resource group won't +spill over into another resource group. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/file.c | 5 +++-- + fs/gfs2/quota.h | 2 ++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -809,7 +809,7 @@ static long __gfs2_fallocate(struct file + struct gfs2_inode *ip = GFS2_I(inode); + struct gfs2_alloc_parms ap = { .aflags = 0, }; + unsigned int data_blocks = 0, ind_blocks = 0, rblocks; +- loff_t bytes, max_bytes, max_blks = UINT_MAX; ++ loff_t bytes, max_bytes, max_blks; + int error; + const loff_t pos = offset; + const loff_t count = len; +@@ -861,7 +861,8 @@ static long __gfs2_fallocate(struct file + return error; + /* ap.allowed tells us how many blocks quota will allow + * us to write. Check if this reduces max_blks */ +- if (ap.allowed && ap.allowed < max_blks) ++ max_blks = UINT_MAX; ++ if (ap.allowed) + max_blks = ap.allowed; + + error = gfs2_inplace_reserve(ip, &ap); +--- a/fs/gfs2/quota.h ++++ b/fs/gfs2/quota.h +@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check( + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + int ret; ++ ++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ + if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) + return 0; + ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); diff --git a/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch b/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch new file mode 100644 index 00000000000..6654062ed99 --- /dev/null +++ b/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Haiyang Zhang +Date: Thu, 22 Mar 2018 12:01:13 -0700 +Subject: hv_netvsc: Fix the return status in RX path + +From: Haiyang Zhang + +[ Upstream commit 5c71dadbb45970a8f0544a27ae8f1cbd9750e516 ] + +As defined in hyperv_net.h, the NVSP_STAT_SUCCESS is one not zero. +Some functions returns 0 when it actually means NVSP_STAT_SUCCESS. +This patch fixes them. + +In netvsc_receive(), it puts the last RNDIS packet's receive status +for all packets in a vmxferpage which may contain multiple RNDIS +packets. +This patch puts NVSP_STAT_FAIL in the receive completion if one of +the packets in a vmxferpage fails. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 8 ++++++-- + drivers/net/hyperv/netvsc_drv.c | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 ++-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1078,10 +1078,14 @@ static int netvsc_receive(struct net_dev + void *data = recv_buf + + vmxferpage_packet->ranges[i].byte_offset; + u32 buflen = vmxferpage_packet->ranges[i].byte_count; ++ int ret; + + /* Pass it to the upper layer */ +- status = rndis_filter_receive(ndev, net_device, +- channel, data, buflen); ++ ret = rndis_filter_receive(ndev, net_device, ++ channel, data, buflen); ++ ++ if (unlikely(ret != NVSP_STAT_SUCCESS)) ++ status = NVSP_STAT_FAIL; + } + + enq_receive_complete(ndev, net_device, q_idx, +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -831,7 +831,7 @@ int netvsc_recv_callback(struct net_devi + u64_stats_update_end(&rx_stats->syncp); + + napi_gro_receive(&nvchan->napi, skb); +- return 0; ++ return NVSP_STAT_SUCCESS; + } + + static void netvsc_get_drvinfo(struct net_device *net, +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -434,10 +434,10 @@ int rndis_filter_receive(struct net_devi + "unhandled rndis message (type %u len %u)\n", + rndis_msg->ndis_msg_type, + rndis_msg->msg_len); +- break; ++ return NVSP_STAT_FAIL; + } + +- return 0; ++ return NVSP_STAT_SUCCESS; + } + + static int rndis_filter_query_device(struct rndis_device *dev, diff --git a/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch b/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch new file mode 100644 index 00000000000..3f40b4b9cf5 --- /dev/null +++ b/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Guenter Roeck +Date: Mon, 26 Mar 2018 19:50:31 -0700 +Subject: hwmon: (nct6775) Fix writing pwmX_mode + +From: Guenter Roeck + +[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ] + +pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip +register bit is set to 1 for DC mode. This got mixed up, and writing +1 into pwmX_mode resulted in DC mode enabled. Fix it up by using +the ABI definition throughout the driver for consistency. + +Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/nct6775.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -1469,7 +1469,7 @@ static void nct6775_update_pwm(struct de + duty_is_dc = data->REG_PWM_MODE[i] && + (nct6775_read_value(data, data->REG_PWM_MODE[i]) + & data->PWM_MODE_MASK[i]); +- data->pwm_mode[i] = duty_is_dc; ++ data->pwm_mode[i] = !duty_is_dc; + + fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); + for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { +@@ -2350,7 +2350,7 @@ show_pwm_mode(struct device *dev, struct + struct nct6775_data *data = nct6775_update_device(dev); + struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr); + +- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); ++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); + } + + static ssize_t +@@ -2371,9 +2371,9 @@ store_pwm_mode(struct device *dev, struc + if (val > 1) + return -EINVAL; + +- /* Setting DC mode is not supported for all chips/channels */ ++ /* Setting DC mode (0) is not supported for all chips/channels */ + if (data->REG_PWM_MODE[nr] == 0) { +- if (val) ++ if (!val) + return -EINVAL; + return count; + } +@@ -2382,7 +2382,7 @@ store_pwm_mode(struct device *dev, struc + data->pwm_mode[nr] = val; + reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); + reg &= ~data->PWM_MODE_MASK[nr]; +- if (val) ++ if (!val) + reg |= data->PWM_MODE_MASK[nr]; + nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); + mutex_unlock(&data->update_lock); diff --git a/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch b/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..2a1fbe0bcd9 --- /dev/null +++ b/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:55:47 -0800 +Subject: hwmon: (pmbus/adm1275) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ] + +A negative page register value means that no page needs to be +selected. This is used by status register read operations and needs +to be accepted. The failure to do so so results in missed status +and limit registers. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/adm1275.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct + const struct adm1275_data *data = to_adm1275_data(info); + int ret = 0; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc + const struct adm1275_data *data = to_adm1275_data(info); + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch b/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..e5b65eae6da --- /dev/null +++ b/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:49:47 -0800 +Subject: hwmon: (pmbus/max8688) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ] + +A negative page register value means that no page needs to be +selected. This is used by status register evaluations and needs +to be accepted. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/max8688.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/pmbus/max8688.c ++++ b/drivers/hwmon/pmbus/max8688.c +@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct + { + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch b/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch new file mode 100644 index 00000000000..6c476f2f84b --- /dev/null +++ b/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Stefan Wahren +Date: Mon, 12 Feb 2018 21:11:36 +0100 +Subject: hwrng: bcm2835 - Handle deferred clock properly + +From: Stefan Wahren + +[ Upstream commit 7b4c5d30d0bd2b22c09d4d993a76e0973a873891 ] + +In case the probe of the clock is deferred, we would assume it is +optional. This is wrong, so defer the probe of this driver until +the clock is available. + +Fixes: 791af4f4907a ("hwrng: bcm2835 - Manage an optional clock") +Signed-off-by: Stefan Wahren +Acked-by: Florian Fainelli +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/bcm2835-rng.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/hw_random/bcm2835-rng.c ++++ b/drivers/char/hw_random/bcm2835-rng.c +@@ -163,6 +163,8 @@ static int bcm2835_rng_probe(struct plat + + /* Clock is optional on most platforms */ + priv->clk = devm_clk_get(dev, NULL); ++ if (IS_ERR(priv->clk) && PTR_ERR(priv->clk) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + + priv->rng.name = pdev->name; + priv->rng.init = bcm2835_rng_init; diff --git a/queue-4.16/hwrng-stm32-add-reset-during-probe.patch b/queue-4.16/hwrng-stm32-add-reset-during-probe.patch new file mode 100644 index 00000000000..b51dd3204bb --- /dev/null +++ b/queue-4.16/hwrng-stm32-add-reset-during-probe.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "lionel.debieve@st.com" +Date: Thu, 15 Feb 2018 14:03:08 +0100 +Subject: hwrng: stm32 - add reset during probe + +From: "lionel.debieve@st.com" + +[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ] + +Avoid issue when probing the RNG without +reset if bad status has been detected previously + +Signed-off-by: Lionel Debieve +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/stm32-rng.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #define RNG_CR 0x00 +@@ -46,6 +47,7 @@ struct stm32_rng_private { + struct hwrng rng; + void __iomem *base; + struct clk *clk; ++ struct reset_control *rst; + }; + + static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) +@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo + if (IS_ERR(priv->clk)) + return PTR_ERR(priv->clk); + ++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL); ++ if (!IS_ERR(priv->rst)) { ++ reset_control_assert(priv->rst); ++ udelay(2); ++ reset_control_deassert(priv->rst); ++ } ++ + dev_set_drvdata(dev, priv); + + priv->rng.name = dev_driver_string(dev), diff --git a/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch b/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch new file mode 100644 index 00000000000..47a0777e6d4 --- /dev/null +++ b/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Javier Martinez Canillas +Date: Sun, 3 Dec 2017 22:40:50 +0100 +Subject: i2c: core: report OF style module alias for devices registered via OF + +From: Javier Martinez Canillas + +[ Upstream commit af503716ac1444db61d80cb6d17cfe62929c21df ] + +The buses should honor the firmware interface used to register the device, +but the I2C core reports a MODALIAS of the form i2c: even for I2C +devices registered via OF. + +This means that user-space will never get an OF stype uevent MODALIAS even +when the drivers modules contain aliases exported from both the I2C and OF +device ID tables. For example, an Atmel maXTouch Touchscreen registered by +a DT node with compatible "atmel,maxtouch" has the following module alias: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +i2c:maxtouch + +So udev won't be able to auto-load a module for an OF-only device driver. +Many OF-only drivers duplicate the OF device ID table entries in an I2C ID +table only has a workaround for how the I2C core reports the module alias. + +This patch changes the I2C core to report an OF related MODALIAS uevent if +the device was registered via OF. So for the previous example, after this +patch, the reported MODALIAS for the Atmel maXTouch will be the following: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +of:NtrackpadTCatmel,maxtouch + +NOTE: This patch may break out-of-tree drivers that were relying on this + behavior, and only had an I2C device ID table even when the device + was registered via OF. There are no remaining drivers in mainline + that do this, but out-of-tree drivers have to be fixed and define + a proper OF device ID table to have module auto-loading working. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Dmitry Mastykin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-base.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -124,6 +124,10 @@ static int i2c_device_uevent(struct devi + struct i2c_client *client = to_i2c_client(dev); + int rc; + ++ rc = of_device_uevent_modalias(dev, env); ++ if (rc != -ENODEV) ++ return rc; ++ + rc = acpi_device_uevent_modalias(dev, env); + if (rc != -ENODEV) + return rc; +@@ -439,6 +443,10 @@ show_modalias(struct device *dev, struct + struct i2c_client *client = to_i2c_client(dev); + int len; + ++ len = of_device_modalias(dev, buf, PAGE_SIZE); ++ if (len != -ENODEV) ++ return len; ++ + len = acpi_device_modalias(dev, buf, PAGE_SIZE -1); + if (len != -ENODEV) + return len; diff --git a/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch b/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch new file mode 100644 index 00000000000..91eb0c4b9ad --- /dev/null +++ b/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Gregory CLEMENT +Date: Wed, 14 Mar 2018 18:03:40 +0100 +Subject: i2c: mv64xxx: Apply errata delay only in standard mode + +From: Gregory CLEMENT + +[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ] + +The errata FE-8471889 description has been updated. There is still a +timing violation for repeated start. But the errata now states that it +was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz) +there is no issue. + +This patch limit the errata fix to the Standard mode. + +It has been tesed successfully on the clearfog (Aramda 388 based board). + +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -845,12 +845,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat + */ + if (of_device_is_compatible(np, "marvell,mv78230-i2c")) { + drv_data->offload_enabled = true; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) { + drv_data->offload_enabled = false; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) diff --git a/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch b/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch new file mode 100644 index 00000000000..9b7d9f986ed --- /dev/null +++ b/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Filip Sadowski +Date: Fri, 29 Dec 2017 08:50:05 -0500 +Subject: i40e: Add delay after EMP reset for firmware to recover + +From: Filip Sadowski + +[ Upstream commit 1fa51a650e1deb50410677f1bd6c0ce17aa48a49 ] + +This patch adds necessary delay for 4.33 firmware to recover after +EMP reset. Without this patch driver occasionally reinitializes +structures too quickly to communicate with firmware after EMP reset +causing AdminQ to timeout. + +Signed-off-by: Filip Sadowski +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9215,6 +9215,17 @@ static void i40e_rebuild(struct i40e_pf + } + i40e_get_oem_version(&pf->hw); + ++ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && ++ ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) || ++ hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) { ++ /* The following delay is necessary for 4.33 firmware and older ++ * to recover after EMP reset. 200 ms should suffice but we ++ * put here 300 ms to be sure that FW is ready to operate ++ * after reset. ++ */ ++ mdelay(300); ++ } ++ + /* re-verify the eeprom if we just had an EMP reset */ + if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) + i40e_verify_eeprom(pf); diff --git a/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch b/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch new file mode 100644 index 00000000000..d28d6665792 --- /dev/null +++ b/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jacob Keller +Date: Fri, 16 Mar 2018 01:26:35 -0700 +Subject: i40e: hold the RTNL lock while changing interrupt schemes + +From: Jacob Keller + +[ Upstream commit f0ee70a042e267a517e943220e18ae62d3c1995a ] + +When we suspend and resume, we need to clear and re-enable the interrupt +scheme. This was previously not done while holding the RTNL lock, which +could be problematic, because we are actually destroying and re-creating +queues. + +Hold the RTNL lock for the entire sequence of preparing for reset, and +when resuming. This additionally protects the flags related to interrupt +scheme under RTNL lock so that their modification is properly threaded. + +This is part of a larger effort to remove the need for cmpxchg64 in +i40e_set_priv_flags(). + +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14216,7 +14216,13 @@ static int __maybe_unused i40e_suspend(s + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); + +- i40e_prep_for_reset(pf, false); ++ /* Since we're going to destroy queues during the ++ * i40e_clear_interrupt_scheme() we should hold the RTNL lock for this ++ * whole section ++ */ ++ rtnl_lock(); ++ ++ i40e_prep_for_reset(pf, true); + + wr32(hw, I40E_PFPM_APM, (pf->wol_en ? I40E_PFPM_APM_APME_MASK : 0)); + wr32(hw, I40E_PFPM_WUFC, (pf->wol_en ? I40E_PFPM_WUFC_MAG_MASK : 0)); +@@ -14228,6 +14234,8 @@ static int __maybe_unused i40e_suspend(s + */ + i40e_clear_interrupt_scheme(pf); + ++ rtnl_unlock(); ++ + return 0; + } + +@@ -14245,6 +14253,11 @@ static int __maybe_unused i40e_resume(st + if (!test_bit(__I40E_SUSPENDED, pf->state)) + return 0; + ++ /* We need to hold the RTNL lock prior to restoring interrupt schemes, ++ * since we're going to be restoring queues ++ */ ++ rtnl_lock(); ++ + /* We cleared the interrupt scheme when we suspended, so we need to + * restore it now to resume device functionality. + */ +@@ -14255,7 +14268,9 @@ static int __maybe_unused i40e_resume(st + } + + clear_bit(__I40E_DOWN, pf->state); +- i40e_reset_and_rebuild(pf, false, false); ++ i40e_reset_and_rebuild(pf, false, true); ++ ++ rtnl_unlock(); + + /* Clear suspended state last after everything is recovered */ + clear_bit(__I40E_SUSPENDED, pf->state); diff --git a/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch b/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch new file mode 100644 index 00000000000..c45f88fe98c --- /dev/null +++ b/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch @@ -0,0 +1,61 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Parav Pandit +Date: Tue, 13 Mar 2018 16:06:14 +0200 +Subject: IB/core: Honor port_num while resolving GID for IB link layer + +From: Parav Pandit + +[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ] + +ah_attr contains the port number to which cm_id is bound. However, while +searching for GID table for matching GID entry, the port number is +ignored. + +This could cause the wrong GID to be used when the ah_attr is converted to +an AH. + +Reviewed-by: Daniel Jurgens +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/multicast.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/core/multicast.c ++++ b/drivers/infiniband/core/multicast.c +@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d + { + int ret; + u16 gid_index; +- u8 p; + +- if (rdma_protocol_roce(device, port_num)) { +- ret = ib_find_cached_gid_by_port(device, &rec->port_gid, +- gid_type, port_num, +- ndev, +- &gid_index); +- } else if (rdma_protocol_ib(device, port_num)) { +- ret = ib_find_cached_gid(device, &rec->port_gid, +- IB_GID_TYPE_IB, NULL, &p, +- &gid_index); +- } else { +- ret = -EINVAL; +- } ++ /* GID table is not based on the netdevice for IB link layer, ++ * so ignore ndev during search. ++ */ ++ if (rdma_protocol_ib(device, port_num)) ++ ndev = NULL; ++ else if (!rdma_protocol_roce(device, port_num)) ++ return -EINVAL; + ++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid, ++ gid_type, port_num, ++ ndev, ++ &gid_index); + if (ret) + return ret; + diff --git a/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch b/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch new file mode 100644 index 00000000000..5b0cfdc0cb7 --- /dev/null +++ b/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Honggang Li +Date: Fri, 16 Mar 2018 10:37:13 +0800 +Subject: IB/mlx5: Set the default active rate and width to QDR and 4X + +From: Honggang Li + +[ Upstream commit 7672ed33c4c15dbe9d56880683baaba4227cf940 ] + +Before commit f1b65df5a232 ("IB/mlx5: Add support for active_width and +active_speed in RoCE"), the mlx5_ib driver set the default active_width +and active_speed to IB_WIDTH_4X and IB_SPEED_QDR. + +When the RoCE port is down, the RoCE port does not negotiate the active +width with the remote side, causing the active width to be zero. When +running userspace ibstat to view the port status, ibstat will panic as it +reads an invalid width from sys file. + +This patch restores the original behavior. + +Fixes: f1b65df5a232 ("IB/mlx5: Add support for active_width and active_speed in RoCE"). +Signed-off-by: Honggang Li +Reviewed-by: Hal Rosenstock +Reviewed-by: Noa Osherovich +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -388,6 +388,9 @@ static int mlx5_query_port_roce(struct i + if (err) + goto out; + ++ props->active_width = IB_WIDTH_4X; ++ props->active_speed = IB_SPEED_QDR; ++ + translate_eth_proto_oper(eth_prot_oper, &props->active_speed, + &props->active_width); + diff --git a/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch b/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch new file mode 100644 index 00000000000..8a1c0509fbb --- /dev/null +++ b/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Mikhail Malygin +Date: Mon, 2 Apr 2018 12:26:59 +0300 +Subject: IB/rxe: Fix for oops in rxe_register_device on ppc64le arch + +From: Mikhail Malygin + +[ Upstream commit efc365e7290d040fbd43f60b0e97653489a739d4 ] + +On ppc64le arch rxe_add command causes oops in kernel log: + +[ 92.495140] Oops: Kernel access of bad area, sig: 11 [#1] +[ 92.499710] SMP NR_CPUS=2048 NUMA pSeries +[ 92.499792] Modules linked in: ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) nf_conntrack_netlink(E) nfnetlink(E) xfrm_user(E) iptable +_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) xt_addrtype(E) iptable_filter(E) ip_tables(E) xt_conntrack(E) x_tables(E) + nf_nat(E) nf_conntrack(E) br_netfilter(E) bridge(E) stp(E) llc(E) overlay(E) af_packet(E) rpcrdma(E) ib_isert(E) iscsi_target_mod(E) i +b_iser(E) libiscsi(E) ib_srpt(E) target_core_mod(E) ib_srp(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) bochs_drm(E) tt +m(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) drm(E) agpgart(E) virtio_rng(E) virtio_console(E) rtc_ +generic(E) dm_ec(OEN) ttln_rdma(OEN) rdma_cm(E) configfs(E) iw_cm(E) ib_cm(E) rdma_rxe(E) ip6_udp_tunnel(E) udp_tunnel(E) ib_core(E) ql +a2xxx(E) +[ 92.499832] scsi_transport_fc(E) nvme_fc(E) nvme_fabrics(E) nvme_core(E) ipmi_watchdog(E) ipmi_ssif(E) ipmi_poweroff(E) ipmi_powernv(EX) ipmi_devintf(E) ipmi_msghandler(E) dummy(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_service_time(E) scsi_transport_iscsi(E) sd_mod(E) sr_mod(E) cdrom(E) hid_generic(E) usbhid(E) virtio_blk(E) virtio_scsi(E) virtio_net(E) ibmvscsi(EX) scsi_transport_srp(E) xhci_pci(E) xhci_hcd(E) usbcore(E) usb_common(E) virtio_pci(E) virtio_ring(E) virtio(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E) +[ 92.499834] Supported: No, Unsupported modules are loaded +[ 92.499839] CPU: 3 PID: 5576 Comm: sh Tainted: G OE NX 4.4.120-ttln.17-default #1 +[ 92.499841] task: c0000000afe8a490 ti: c0000000beba8000 task.ti: c0000000beba8000 +[ 92.499842] NIP: c00000000008ba3c LR: c000000000027644 CTR: c00000000008ba10 +[ 92.499844] REGS: c0000000bebab750 TRAP: 0300 Tainted: G OE NX (4.4.120-ttln.17-default) +[ 92.499850] MSR: 8000000000009033 CR: 28424428 XER: 20000000 +[ 92.499871] CFAR: 0000000000002424 DAR: 0000000000000208 DSISR: 40000000 SOFTE: 1 + GPR00: c000000000027644 c0000000bebab9d0 c000000000f09700 0000000000000000 + GPR04: d0000000043d7192 0000000000000002 000000000000001a fffffffffffffffe + GPR08: 000000000000009c c00000000008ba10 d0000000043e5848 d0000000043d3828 + GPR12: c00000000008ba10 c000000007a02400 0000000010062e38 0000010020388860 + GPR16: 0000000000000000 0000000000000000 00000100203885f0 00000000100f6c98 + GPR20: c0000000b3f1fcc0 c0000000b3f1fc48 c0000000b3f1fbd0 c0000000b3f1fb58 + GPR24: c0000000b3f1fae0 c0000000b3f1fa68 00000000000005dc c0000000b3f1f9f0 + GPR28: d0000000043e5848 c0000000b3f1f900 c0000000b3f1f320 c0000000b3f1f000 +[ 92.499881] NIP [c00000000008ba3c] dma_get_required_mask_pSeriesLP+0x2c/0x1a0 +[ 92.499885] LR [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499886] Call Trace: +[ 92.499891] [c0000000bebab9d0] [c0000000bebaba30] 0xc0000000bebaba30 (unreliable) +[ 92.499894] [c0000000bebaba10] [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499904] [c0000000bebaba30] [d0000000043cb4b4] rxe_register_device+0xc4/0x430 [rdma_rxe] +[ 92.499910] [c0000000bebabab0] [d0000000043c06c8] rxe_add+0x448/0x4e0 [rdma_rxe] +[ 92.499915] [c0000000bebabb30] [d0000000043d28dc] rxe_net_add+0x4c/0xf0 [rdma_rxe] +[ 92.499921] [c0000000bebabb60] [d0000000043d305c] rxe_param_set_add+0x6c/0x1ac [rdma_rxe] +[ 92.499924] [c0000000bebabbf0] [c0000000000e78c0] param_attr_store+0xa0/0x180 +[ 92.499927] [c0000000bebabc70] [c0000000000e6448] module_attr_store+0x48/0x70 +[ 92.499932] [c0000000bebabc90] [c000000000391f60] sysfs_kf_write+0x70/0xb0 +[ 92.499935] [c0000000bebabcb0] [c000000000390f1c] kernfs_fop_write+0x18c/0x1e0 +[ 92.499939] [c0000000bebabd00] [c0000000002e22ac] __vfs_write+0x4c/0x1d0 +[ 92.499942] [c0000000bebabd90] [c0000000002e2f94] vfs_write+0xc4/0x200 +[ 92.499945] [c0000000bebabde0] [c0000000002e488c] SyS_write+0x6c/0x110 +[ 92.499948] [c0000000bebabe30] [c000000000009384] system_call+0x38/0xe4 +[ 92.499949] Instruction dump: +[ 92.499954] 4e800020 3c4c00e8 3842dcf0 7c0802a6 f8010010 60000000 7c0802a6 fba1ffe8 +[ 92.499958] fbc1fff0 fbe1fff8 f8010010 f821ffc1 7c7e1b78 2fa90000 419e0078 +[ 92.499962] ---[ end trace bed077e15eb420cf ]--- + +It fails in dma_get_required_mask, that has ppc-specific implementation, +and fail if provided device argument is NULL + +Signed-off-by: Mikhail Malygin +Reviewed-by: Yonatan Cohen +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -1206,7 +1206,7 @@ int rxe_register_device(struct rxe_dev * + rxe->ndev->dev_addr); + dev->dev.dma_ops = &dma_virt_ops; + dma_coerce_mask_and_coherent(&dev->dev, +- dma_get_required_mask(dev->dev.parent)); ++ dma_get_required_mask(&dev->dev)); + + dev->uverbs_abi_ver = RXE_UVERBS_ABI_VERSION; + dev->uverbs_cmd_mask = BIT_ULL(IB_USER_VERBS_CMD_GET_CONTEXT) diff --git a/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch b/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch new file mode 100644 index 00000000000..931a88ada80 --- /dev/null +++ b/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch @@ -0,0 +1,77 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Thomas Falcon +Date: Mon, 26 Feb 2018 18:10:56 -0600 +Subject: ibmvnic: Allocate statistics buffers during probe + +From: Thomas Falcon + +[ Upstream commit 53cc7721fdf12e649994cfb7d8f562acb0e4510b ] + +Currently, buffers holding individual queue statistics are allocated +when the device is opened. If an ibmvnic interface is hotplugged or +initialized but never opened, an attempt to get statistics with +ethtool will result in a kernel panic. + +Since the driver allocates a constant number, the maximum supported +queues, of buffers, these can be allocated during device probe and +freed when the device is hot-unplugged or the module is removed. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -812,8 +812,6 @@ static void release_resources(struct ibm + release_tx_pools(adapter); + release_rx_pools(adapter); + +- release_stats_token(adapter); +- release_stats_buffers(adapter); + release_error_buffers(adapter); + + if (adapter->napi) { +@@ -953,14 +951,6 @@ static int init_resources(struct ibmvnic + if (rc) + return rc; + +- rc = init_stats_buffers(adapter); +- if (rc) +- return rc; +- +- rc = init_stats_token(adapter); +- if (rc) +- return rc; +- + adapter->vpd = kzalloc(sizeof(*adapter->vpd), GFP_KERNEL); + if (!adapter->vpd) + return -ENOMEM; +@@ -4390,6 +4380,14 @@ static int ibmvnic_init(struct ibmvnic_a + release_crq_queue(adapter); + } + ++ rc = init_stats_buffers(adapter); ++ if (rc) ++ return rc; ++ ++ rc = init_stats_token(adapter); ++ if (rc) ++ return rc; ++ + return rc; + } + +@@ -4497,6 +4495,9 @@ static int ibmvnic_remove(struct vio_dev + release_sub_crqs(adapter); + release_crq_queue(adapter); + ++ release_stats_token(adapter); ++ release_stats_buffers(adapter); ++ + adapter->state = VNIC_REMOVED; + + mutex_unlock(&adapter->reset_lock); diff --git a/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch b/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch new file mode 100644 index 00000000000..c5e6a2aa2e3 --- /dev/null +++ b/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: John Allen +Date: Wed, 14 Mar 2018 10:41:29 -0500 +Subject: ibmvnic: Fix reset return from closed state + +From: John Allen + +[ Upstream commit e676d81c8990f511d60698a1a8abaa438b3f9d3d ] + +The case in which we handle a reset from the state where the device is +closed seems to be bugged for all types of reset. For most types of reset +we currently exit the reset routine correctly, but don't set the state to +indicate that we are back in the "closed" state. For some specific cases, +we don't exit the reset routine at all and resetting will cause a closed +device to be opened. + +This patch fixes the problem by unconditionally checking the reset_state +and correctly setting the adapter state before returning. + +Signed-off-by: John Allen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1699,12 +1699,14 @@ static int do_reset(struct ibmvnic_adapt + rc = reset_rx_pools(adapter); + if (rc) + return rc; +- +- if (reset_state == VNIC_CLOSED) +- return 0; + } + } + ++ adapter->state = VNIC_CLOSED; ++ ++ if (reset_state == VNIC_CLOSED) ++ return 0; ++ + rc = __ibmvnic_open(netdev); + if (rc) { + if (list_empty(&adapter->rwi_list)) diff --git a/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch b/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch new file mode 100644 index 00000000000..1cbd33bc370 --- /dev/null +++ b/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Thomas Falcon +Date: Fri, 6 Apr 2018 18:37:03 -0500 +Subject: ibmvnic: Zero used TX descriptor counter on reset + +From: Thomas Falcon + +[ Upstream commit 41f714672f93608751dbd2fa2291d476a8ff0150 ] + +The counter that tracks used TX descriptors pending completion +needs to be zeroed as part of a device reset. This change fixes +a bug causing transmit queues to be stopped unnecessarily and in +some cases a transmit queue stall and timeout reset. If the counter +is not reset, the remaining descriptors will not be "removed", +effectively reducing queue capacity. If the queue is over half full, +it will cause the queue to stall if stopped. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2266,6 +2266,7 @@ static int reset_one_sub_crq_queue(struc + } + + memset(scrq->msgs, 0, 4 * PAGE_SIZE); ++ atomic_set(&scrq->used, 0); + scrq->cur = 0; + + rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token, diff --git a/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch b/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch new file mode 100644 index 00000000000..de4449315e7 --- /dev/null +++ b/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Harry Morris +Date: Wed, 28 Mar 2018 11:54:27 +0100 +Subject: ieee802154: ca8210: fix uninitialised data read + +From: Harry Morris + +[ Upstream commit 86674a97f5055f4c7f406563408096e8cf9364ff ] + +In ca8210_test_int_user_write() a user can request the transfer of a +frame with a length field (command.length) that is longer than the +actual buffer provided (len). In this scenario the driver will copy +the buffer contents into the uninitialised command[] buffer, then +transfer bytes over the SPI even though only bytes +had been populated, potentially leaking sensitive kernel memory. + +Also the first 6 bytes of the command buffer must be initialised in case +a malformed, short packet is written and the uninitialised bytes are +read in ca8210_test_check_upstream. + +Reported-by: Domen Puncer Kugler +Signed-off-by: Harry Morris +Tested-by: Harry Morris +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_writ + struct ca8210_priv *priv = filp->private_data; + u8 command[CA8210_SPI_BUF_SIZE]; + +- if (len > CA8210_SPI_BUF_SIZE) { ++ memset(command, SPI_IDLE, 6); ++ if (len > CA8210_SPI_BUF_SIZE || len < 2) { + dev_warn( + &priv->spi->dev, +- "userspace requested erroneously long write (%zu)\n", ++ "userspace requested erroneous write length (%zu)\n", + len + ); +- return -EMSGSIZE; ++ return -EBADE; + } + + ret = copy_from_user(command, in_buf, len); +@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_writ + ); + return -EIO; + } ++ if (len != command[1] + 2) { ++ dev_err( ++ &priv->spi->dev, ++ "write len does not match packet length field\n" ++ ); ++ return -EBADE; ++ } + + ret = ca8210_test_check_upstream(command, priv->spi); + if (ret == 0) { diff --git a/queue-4.16/ima-clear-ima_hash.patch b/queue-4.16/ima-clear-ima_hash.patch new file mode 100644 index 00000000000..3edc8b4fcbc --- /dev/null +++ b/queue-4.16/ima-clear-ima_hash.patch @@ -0,0 +1,30 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Mimi Zohar +Date: Sat, 10 Mar 2018 23:07:34 -0500 +Subject: ima: clear IMA_HASH + +From: Mimi Zohar + +[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ] + +The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly. + +Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode + action |= entry->action & IMA_DO_MASK; + if (entry->action & IMA_APPRAISE) { + action |= get_subaction(entry, func); +- action ^= IMA_HASH; ++ action &= ~IMA_HASH; + } + + if (entry->action & IMA_DO_MASK) diff --git a/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch b/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch new file mode 100644 index 00000000000..a69c841f391 --- /dev/null +++ b/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch @@ -0,0 +1,119 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Petr Vorel +Date: Fri, 23 Mar 2018 14:41:08 +0100 +Subject: ima: Fallback to the builtin hash algorithm + +From: Petr Vorel + +[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ] + +IMA requires having it's hash algorithm be compiled-in due to it's +early use. The default IMA algorithm is protected by Kconfig to be +compiled-in. + +The ima_hash kernel parameter allows to choose the hash algorithm. When +the specified algorithm is not available or available as a module, IMA +initialization fails, which leads to a kernel panic (mknodat syscall calls +ima_post_path_mknod()). Therefore as fallback we force IMA to use +the default builtin Kconfig hash algorithm. + +Fixed crash: + +$ grep CONFIG_CRYPTO_MD4 .config +CONFIG_CRYPTO_MD4=m + +[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4 +... +[ 1.545190] ima: Can not allocate md4 (reason: -2) +... +[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 2.611903] IP: ima_match_policy+0x23/0x390 +[ 2.612967] PGD 0 P4D 0 +[ 2.613080] Oops: 0000 [#1] SMP +[ 2.613080] Modules linked in: autofs4 +[ 2.613080] Supported: Yes +[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1 +[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000 +[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390 +[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296 +[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004 +[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728 +[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000 +[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000 +[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 +[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0 +[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2.613080] Call Trace: +[ 2.613080] ? shmem_mknod+0xbf/0xd0 +[ 2.613080] ima_post_path_mknod+0x1c/0x40 +[ 2.613080] SyS_mknod+0x210/0x220 +[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5 +[ 2.613080] RIP: 0033:0x7f5c1bfde570 +[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 +[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570 +[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f +[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000 +[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660 +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002 +[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20 +[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88 +[ 2.613080] CR2: 0000000000000000 +[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]--- +[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 2.673052] +[ 2.675337] Kernel Offset: disabled +[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 + +Signed-off-by: Petr Vorel +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_crypto.c | 2 ++ + security/integrity/ima/ima_main.c | 13 +++++++++++++ + 2 files changed, 15 insertions(+) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -73,6 +73,8 @@ int __init ima_init_crypto(void) + hash_algo_name[ima_hash_algo], rc); + return rc; + } ++ pr_info("Allocated hash algorithm: %s\n", ++ hash_algo_name[ima_hash_algo]); + return 0; + } + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -16,6 +16,9 @@ + * implements the IMA hooks: ima_bprm_check, ima_file_mmap, + * and ima_file_check. + */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include + #include + #include +@@ -472,6 +475,16 @@ static int __init init_ima(void) + ima_init_template_list(); + hash_setup(CONFIG_IMA_DEFAULT_HASH); + error = ima_init(); ++ ++ if (error && strcmp(hash_algo_name[ima_hash_algo], ++ CONFIG_IMA_DEFAULT_HASH) != 0) { ++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n", ++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); ++ hash_setup_done = 0; ++ hash_setup(CONFIG_IMA_DEFAULT_HASH); ++ error = ima_init(); ++ } ++ + if (!error) { + ima_initialized = 1; + ima_update_policy_flag(); diff --git a/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch b/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch new file mode 100644 index 00000000000..1eb24f00224 --- /dev/null +++ b/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jiandi An +Date: Tue, 6 Mar 2018 23:26:26 -0600 +Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface + +From: Jiandi An + +[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ] + +TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a +module, the TPM chip is registered after IMA init. tpm_pcr_read() in +IMA fails and displays the following message even though eventually +there is a TPM chip on the system. + +ima: No TPM chip found, activating TPM-bypass! (rc=-19) + +Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel +and initializes before IMA. + +Signed-off-by: Jiandi An +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -10,6 +10,7 @@ config IMA + select CRYPTO_HASH_INFO + select TCG_TPM if HAS_IOMEM && !UML + select TCG_TIS if TCG_TPM && X86 ++ select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES + help + The Trusted Computing Group(TCG) runtime Integrity diff --git a/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch b/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch new file mode 100644 index 00000000000..d339532d915 --- /dev/null +++ b/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Alexander Shishkin +Date: Thu, 1 Mar 2018 10:15:32 +0200 +Subject: intel_th: Use correct method of finding hub + +From: Alexander Shishkin + +[ Upstream commit 9ad577087165478c9d9be82b15ed9bf2db5835f5 ] + +Since commit 8edc514b01e9 ("intel_th: Make SOURCE devices children of the +root device") the hub is not the parent of SOURCE devices any more, so the +new helper function should be used for that instead of always using the +parent. The intel_th_set_output() path, however, still uses the old +logic, leading to the hub driver structure being aliased with something +else, like struct pci_driver or struct acpi_driver, and an incorrect call +to an address inferred from that, potentially resulting in a crash. + +Fixes: 8edc514b01e9 ("intel_th: Make SOURCE devices children of the root device") +Signed-off-by: Alexander Shishkin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -935,7 +935,7 @@ EXPORT_SYMBOL_GPL(intel_th_trace_disable + int intel_th_set_output(struct intel_th_device *thdev, + unsigned int master) + { +- struct intel_th_device *hub = to_intel_th_device(thdev->dev.parent); ++ struct intel_th_device *hub = to_intel_th_hub(thdev); + struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver); + + if (!hubdrv->set_output) diff --git a/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch b/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch new file mode 100644 index 00000000000..aab5d53feb4 --- /dev/null +++ b/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sebastian Andrzej Siewior +Date: Thu, 22 Mar 2018 16:22:33 +0100 +Subject: iommu/amd: Take into account that alloc_dev_data() may return NULL + +From: Sebastian Andrzej Siewior + +[ Upstream commit 39ffe39545cd5cb5b8cee9f0469165cf24dc62c2 ] + +find_dev_data() does not check whether the return value alloc_dev_data() +is NULL. This was okay once because the pointer was returned once as-is. +Since commit df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred +call-back") the pointer may be used within find_dev_data() so a NULL +check is required. + +Cc: Baoquan He +Fixes: df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred call-back") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -310,6 +310,8 @@ static struct iommu_dev_data *find_dev_d + + if (dev_data == NULL) { + dev_data = alloc_dev_data(devid); ++ if (!dev_data) ++ return NULL; + + if (translation_pre_enabled(iommu)) + dev_data->defer_attach = true; diff --git a/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch b/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch new file mode 100644 index 00000000000..3b6a27ae1f1 --- /dev/null +++ b/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Yong Wu +Date: Sun, 18 Mar 2018 09:52:54 +0800 +Subject: iommu/mediatek: Fix protect memory setting + +From: Yong Wu + +[ Upstream commit 70ca608b2ec6dafa6bb1c2b0691852fc78f8f717 ] + +In MediaTek's IOMMU design, When a iommu translation fault occurs +(HW can NOT translate the destination address to a valid physical +address), the IOMMU HW output the dirty data into a special memory +to avoid corrupting the main memory, this is called "protect memory". +the register(0x114) for protect memory is a little different between +mt8173 and mt2712. + +In the mt8173, bit[30:6] in the register represents [31:7] of the +physical address. In the 4GB mode, the register bit[31] should be 1. +While in the mt2712, the bits don't shift. bit[31:7] in the register +represents [31:7] in the physical address, and bit[1:0] in the +register represents bit[33:32] of the physical address if it has. + +Fixes: e6dec9230862 ("iommu/mediatek: Add mt2712 IOMMU support") +Reported-by: Honghui Zhang +Signed-off-by: Yong Wu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/mtk_iommu.c | 15 ++++++++++----- + drivers/iommu/mtk_iommu.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -60,7 +60,7 @@ + (((prot) & 0x3) << F_MMU_TF_PROTECT_SEL_SHIFT(data)) + + #define REG_MMU_IVRP_PADDR 0x114 +-#define F_MMU_IVRP_PA_SET(pa, ext) (((pa) >> 1) | ((!!(ext)) << 31)) ++ + #define REG_MMU_VLD_PA_RNG 0x118 + #define F_MMU_VLD_PA_RNG(EA, SA) (((EA) << 8) | (SA)) + +@@ -539,8 +539,13 @@ static int mtk_iommu_hw_init(const struc + F_INT_PRETETCH_TRANSATION_FIFO_FAULT; + writel_relaxed(regval, data->base + REG_MMU_INT_MAIN_CONTROL); + +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- data->base + REG_MMU_IVRP_PADDR); ++ if (data->m4u_plat == M4U_MT8173) ++ regval = (data->protect_base >> 1) | (data->enable_4GB << 31); ++ else ++ regval = lower_32_bits(data->protect_base) | ++ upper_32_bits(data->protect_base); ++ writel_relaxed(regval, data->base + REG_MMU_IVRP_PADDR); ++ + if (data->enable_4GB && data->m4u_plat != M4U_MT8173) { + /* + * If 4GB mode is enabled, the validate PA range is from +@@ -695,6 +700,7 @@ static int __maybe_unused mtk_iommu_susp + reg->ctrl_reg = readl_relaxed(base + REG_MMU_CTRL_REG); + reg->int_control0 = readl_relaxed(base + REG_MMU_INT_CONTROL0); + reg->int_main_control = readl_relaxed(base + REG_MMU_INT_MAIN_CONTROL); ++ reg->ivrp_paddr = readl_relaxed(base + REG_MMU_IVRP_PADDR); + clk_disable_unprepare(data->bclk); + return 0; + } +@@ -717,8 +723,7 @@ static int __maybe_unused mtk_iommu_resu + writel_relaxed(reg->ctrl_reg, base + REG_MMU_CTRL_REG); + writel_relaxed(reg->int_control0, base + REG_MMU_INT_CONTROL0); + writel_relaxed(reg->int_main_control, base + REG_MMU_INT_MAIN_CONTROL); +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- base + REG_MMU_IVRP_PADDR); ++ writel_relaxed(reg->ivrp_paddr, base + REG_MMU_IVRP_PADDR); + if (data->m4u_dom) + writel(data->m4u_dom->cfg.arm_v7s_cfg.ttbr[0], + base + REG_MMU_PT_BASE_ADDR); +--- a/drivers/iommu/mtk_iommu.h ++++ b/drivers/iommu/mtk_iommu.h +@@ -32,6 +32,7 @@ struct mtk_iommu_suspend_reg { + u32 ctrl_reg; + u32 int_control0; + u32 int_main_control; ++ u32 ivrp_paddr; + }; + + enum mtk_iommu_plat { diff --git a/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch b/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch new file mode 100644 index 00000000000..5c9a2b0def0 --- /dev/null +++ b/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Kamlakant Patel +Date: Tue, 13 Mar 2018 16:32:27 +0530 +Subject: ipmi_ssif: Fix kernel panic at msg_done_handler + +From: Kamlakant Patel + +[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ] + +This happens when BMC doesn't return any data and the code is trying +to print the value of data[2]. + +Getting following crash: +[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002 +[ 484.736496] pgd = ffff0000094a2000 +[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000 +[ 484.748158] Internal error: Oops: 96000005 [#1] SMP +[...] +[ 485.101451] Call trace: +[...] +[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif] +[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif] +[ 485.202038] [] kthread+0x108/0x138 +[ 485.206994] [] ret_from_fork+0x10/0x30 +[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3) + +Adding a check to validate the data len before printing data[2] to fix this issue. + +Signed-off-by: Kamlakant Patel +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -761,7 +761,7 @@ static void msg_done_handler(struct ssif + ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Error getting flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +@@ -783,7 +783,7 @@ static void msg_done_handler(struct ssif + if ((result < 0) || (len < 3) || (data[2] != 0)) { + /* Error clearing flags */ + pr_warn(PFX "Error clearing flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) { + pr_warn(PFX "Invalid response clearing flags: %x %x\n", diff --git a/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch b/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch new file mode 100644 index 00000000000..7efdb8e9475 --- /dev/null +++ b/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Luca Coelho +Date: Mon, 18 Dec 2017 20:13:07 +0200 +Subject: iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq + +From: Luca Coelho + +[ Upstream commit 9a233bb8025105db9a60b5d761005cc5a6c77f3d ] + +Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue == +IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF) +which is way too large for the u16 we used to store it in +hw_queue_to_mac820211. If this happens the following UBSAN warning +will be generated: + +[ 167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5 +[ 167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int' + +Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and, +while at it, add a warning if the queue number is larger than +IEEE80211_MAX_QUEUES. + +Fixes: 34e10860ae8d ("iwlwifi: mvm: remove references to queue_info in new TX path") +Reported-by: Paul Menzel +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c +@@ -800,12 +800,19 @@ int iwl_mvm_disable_txq(struct iwl_mvm * + .scd_queue = queue, + .action = SCD_CFG_DISABLE_QUEUE, + }; +- bool remove_mac_queue = true; ++ bool remove_mac_queue = mac80211_queue != IEEE80211_INVAL_HW_QUEUE; + int ret; + ++ if (WARN_ON(remove_mac_queue && mac80211_queue >= IEEE80211_MAX_QUEUES)) ++ return -EINVAL; ++ + if (iwl_mvm_has_new_tx_api(mvm)) { + spin_lock_bh(&mvm->queue_info_lock); +- mvm->hw_queue_to_mac80211[queue] &= ~BIT(mac80211_queue); ++ ++ if (remove_mac_queue) ++ mvm->hw_queue_to_mac80211[queue] &= ++ ~BIT(mac80211_queue); ++ + spin_unlock_bh(&mvm->queue_info_lock); + + iwl_trans_txq_free(mvm->trans, queue); diff --git a/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch b/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch new file mode 100644 index 00000000000..7718567f969 --- /dev/null +++ b/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sara Sharon +Date: Tue, 19 Dec 2017 09:19:32 +0200 +Subject: iwlwifi: mvm: take RCU lock before dereferencing + +From: Sara Sharon + +[ Upstream commit f4f155e5ec04d381b2f0870817d93dbdc259aa63 ] + +RCU isn't properly locked. + +Fixes: 46d372af9935 ("iwlwifi: mvm: rs: new rate scale API - add FW notifications") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c +@@ -234,13 +234,15 @@ void iwl_mvm_tlc_update_notif(struct iwl + struct iwl_mvm_sta *mvmsta; + struct iwl_lq_sta_rs_fw *lq_sta; + ++ rcu_read_lock(); ++ + notif = (void *)pkt->data; + mvmsta = iwl_mvm_sta_from_staid_rcu(mvm, notif->sta_id); + + if (!mvmsta) { + IWL_ERR(mvm, "Invalid sta id (%d) in FW TLC notification\n", + notif->sta_id); +- return; ++ goto out; + } + + lq_sta = &mvmsta->lq_sta.rs_fw; +@@ -251,6 +253,8 @@ void iwl_mvm_tlc_update_notif(struct iwl + IWL_DEBUG_RATE(mvm, "new rate_n_flags: 0x%X\n", + lq_sta->last_rate_n_flags); + } ++out: ++ rcu_read_unlock(); + } + + void rs_fw_rate_init(struct iwl_mvm *mvm, struct ieee80211_sta *sta, diff --git a/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch b/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch new file mode 100644 index 00000000000..9da2405da12 --- /dev/null +++ b/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jacob Keller +Date: Mon, 29 Jan 2018 15:57:48 -0800 +Subject: ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode + +From: Jacob Keller + +[ Upstream commit 6704a3abf4cf4181a1ee64f5db4969347b88ca1d ] + +On hardware which supports timestamping all packets, the timestamps are +recorded in the packet buffer, and the driver no longer uses or reads +the registers. This makes the logic for checking and clearing Rx +timestamp hangs meaningless. + +If we run the ixgbe_ptp_rx_hang() function in this case, then the driver +will continuously spam the log output with "Clearing Rx timestamp hang". +These messages are spurious, and confusing to end users. + +The original code in commit a9763f3cb54c ("ixgbe: Update PTP to support +X550EM_x devices", 2015-12-03) did have a flag PTP_RX_TIMESTAMP_IN_REGISTER +which was intended to be used to avoid the Rx timestamp hang check, +however it did not actually check the flag before calling the function. + +Do so now in order to stop the checks and prevent the spurious log +messages. + +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices", 2015-12-03) +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -7711,7 +7711,8 @@ static void ixgbe_service_task(struct wo + + if (test_bit(__IXGBE_PTP_RUNNING, &adapter->state)) { + ixgbe_ptp_overflow_check(adapter); +- ixgbe_ptp_rx_hang(adapter); ++ if (adapter->flags & IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER) ++ ixgbe_ptp_rx_hang(adapter); + ixgbe_ptp_tx_hang(adapter); + } + diff --git a/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch b/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch new file mode 100644 index 00000000000..cab5c29d9f6 --- /dev/null +++ b/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Andrey Konovalov +Date: Tue, 10 Apr 2018 16:30:35 -0700 +Subject: kasan: fix invalid-free test crashing the kernel + +From: Andrey Konovalov + +[ Upstream commit 91c93ed07f04f5b32a30321d522d8ca9504745bf ] + +When an invalid-free is triggered by one of the KASAN tests, the object +doesn't actually get freed. This later leads to a BUG failure in +kmem_cache_destroy that checks that there are no allocated objects in +the cache that is being destroyed. + +Fix this by calling kmem_cache_free with the proper object address after +the call that triggers invalid-free. + +Link: http://lkml.kernel.org/r/286eaefc0a6c3fa9b83b87e7d6dc0fbb5b5c9926.1519924383.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Geert Uytterhoeven +Cc: Nick Terrell +Cc: Chris Mason +Cc: Yury Norov +Cc: Al Viro +Cc: "Luis R . Rodriguez" +Cc: Palmer Dabbelt +Cc: "Paul E . McKenney" +Cc: Jeff Layton +Cc: "Jason A . Donenfeld" +Cc: Kostya Serebryany +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_kasan.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -567,7 +567,15 @@ static noinline void __init kmem_cache_i + return; + } + ++ /* Trigger invalid free, the object doesn't get freed */ + kmem_cache_free(cache, p + 1); ++ ++ /* ++ * Properly free the object to prevent the "Objects remaining in ++ * test_cache on __kmem_cache_shutdown" BUG failure. ++ */ ++ kmem_cache_free(cache, p); ++ + kmem_cache_destroy(cache); + } + diff --git a/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch b/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch new file mode 100644 index 00000000000..5e1883a009e --- /dev/null +++ b/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch @@ -0,0 +1,141 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Andrey Konovalov +Date: Tue, 10 Apr 2018 16:30:31 -0700 +Subject: kasan, slub: fix handling of kasan_slab_free hook + +From: Andrey Konovalov + +[ Upstream commit c3895391df385c6628638f014c87e16f5e2efd45 ] + +The kasan_slab_free hook's return value denotes whether the reuse of a +slab object must be delayed (e.g. when the object is put into memory +qurantine). + +The current way SLUB handles this hook is by ignoring its return value +and hardcoding checks similar (but not exactly the same) to the ones +performed in kasan_slab_free, which is prone to making mistakes. + +The main difference between the hardcoded checks and the ones in +kasan_slab_free is whether we want to perform a free in case when an +invalid-free or a double-free was detected (we don't). + +This patch changes the way SLUB handles this by: +1. taking into account the return value of kasan_slab_free for each of + the objects, that are being freed; +2. reconstructing the freelist of objects to exclude the ones, whose + reuse must be delayed. + +[andreyknvl@google.com: eliminate unnecessary branch in slab_free] + Link: http://lkml.kernel.org/r/a62759a2545fddf69b0c034547212ca1eb1b3ce2.1520359686.git.andreyknvl@google.com +Link: http://lkml.kernel.org/r/083f58501e54731203801d899632d76175868e97.1519400992.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Acked-by: Andrey Ryabinin +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Kostya Serebryany +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 57 ++++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1362,10 +1362,8 @@ static __always_inline void kfree_hook(v + kasan_kfree_large(x, _RET_IP_); + } + +-static __always_inline void *slab_free_hook(struct kmem_cache *s, void *x) ++static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x) + { +- void *freeptr; +- + kmemleak_free_recursive(x, s->flags); + + /* +@@ -1385,17 +1383,12 @@ static __always_inline void *slab_free_h + if (!(s->flags & SLAB_DEBUG_OBJECTS)) + debug_check_no_obj_freed(x, s->object_size); + +- freeptr = get_freepointer(s, x); +- /* +- * kasan_slab_free() may put x into memory quarantine, delaying its +- * reuse. In this case the object's freelist pointer is changed. +- */ +- kasan_slab_free(s, x, _RET_IP_); +- return freeptr; ++ /* KASAN might put x into memory quarantine, delaying its reuse */ ++ return kasan_slab_free(s, x, _RET_IP_); + } + +-static inline void slab_free_freelist_hook(struct kmem_cache *s, +- void *head, void *tail) ++static inline bool slab_free_freelist_hook(struct kmem_cache *s, ++ void **head, void **tail) + { + /* + * Compiler cannot detect this function can be removed if slab_free_hook() +@@ -1406,13 +1399,33 @@ static inline void slab_free_freelist_ho + defined(CONFIG_DEBUG_OBJECTS_FREE) || \ + defined(CONFIG_KASAN) + +- void *object = head; +- void *tail_obj = tail ? : head; +- void *freeptr; ++ void *object; ++ void *next = *head; ++ void *old_tail = *tail ? *tail : *head; ++ ++ /* Head and tail of the reconstructed freelist */ ++ *head = NULL; ++ *tail = NULL; + + do { +- freeptr = slab_free_hook(s, object); +- } while ((object != tail_obj) && (object = freeptr)); ++ object = next; ++ next = get_freepointer(s, object); ++ /* If object's reuse doesn't have to be delayed */ ++ if (!slab_free_hook(s, object)) { ++ /* Move object to the new freelist */ ++ set_freepointer(s, object, *head); ++ *head = object; ++ if (!*tail) ++ *tail = object; ++ } ++ } while (object != old_tail); ++ ++ if (*head == *tail) ++ *tail = NULL; ++ ++ return *head != NULL; ++#else ++ return true; + #endif + } + +@@ -2965,14 +2978,12 @@ static __always_inline void slab_free(st + void *head, void *tail, int cnt, + unsigned long addr) + { +- slab_free_freelist_hook(s, head, tail); + /* +- * slab_free_freelist_hook() could have put the items into quarantine. +- * If so, no need to free them. ++ * With KASAN enabled slab_free_freelist_hook modifies the freelist ++ * to remove objects, whose reuse must be delayed. + */ +- if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU)) +- return; +- do_slab_free(s, page, head, tail, cnt, addr); ++ if (slab_free_freelist_hook(s, &head, &tail)) ++ do_slab_free(s, page, head, tail, cnt, addr); + } + + #ifdef CONFIG_KASAN diff --git a/queue-4.16/kdb-make-mdr-command-repeat.patch b/queue-4.16/kdb-make-mdr-command-repeat.patch new file mode 100644 index 00000000000..bd71de1583a --- /dev/null +++ b/queue-4.16/kdb-make-mdr-command-repeat.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Randy Dunlap +Date: Fri, 8 Dec 2017 10:19:19 -0800 +Subject: kdb: make "mdr" command repeat + +From: Randy Dunlap + +[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ] + +The "mdr" command should repeat (continue) when only Enter/Return +is pressed, so make it do so. + +Signed-off-by: Randy Dunlap +Cc: Daniel Thompson +Cc: Jason Wessel +Cc: kgdb-bugreport@lists.sourceforge.net +Signed-off-by: Jason Wessel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1566,6 +1566,7 @@ static int kdb_md(int argc, const char * + int symbolic = 0; + int valid = 0; + int phys = 0; ++ int raw = 0; + + kdbgetintenv("MDCOUNT", &mdcount); + kdbgetintenv("RADIX", &radix); +@@ -1575,9 +1576,10 @@ static int kdb_md(int argc, const char * + repeat = mdcount * 16 / bytesperword; + + if (strcmp(argv[0], "mdr") == 0) { +- if (argc != 2) ++ if (argc == 2 || (argc == 0 && last_addr != 0)) ++ valid = raw = 1; ++ else + return KDB_ARGCOUNT; +- valid = 1; + } else if (isdigit(argv[0][2])) { + bytesperword = (int)(argv[0][2] - '0'); + if (bytesperword == 0) { +@@ -1613,7 +1615,10 @@ static int kdb_md(int argc, const char * + radix = last_radix; + bytesperword = last_bytesperword; + repeat = last_repeat; +- mdcount = ((repeat * bytesperword) + 15) / 16; ++ if (raw) ++ mdcount = repeat; ++ else ++ mdcount = ((repeat * bytesperword) + 15) / 16; + } + + if (argc) { +@@ -1630,7 +1635,10 @@ static int kdb_md(int argc, const char * + diag = kdbgetularg(argv[nextarg], &val); + if (!diag) { + mdcount = (int) val; +- repeat = mdcount * 16 / bytesperword; ++ if (raw) ++ repeat = mdcount; ++ else ++ repeat = mdcount * 16 / bytesperword; + } + } + if (argc >= nextarg+1) { +@@ -1640,8 +1648,15 @@ static int kdb_md(int argc, const char * + } + } + +- if (strcmp(argv[0], "mdr") == 0) +- return kdb_mdr(addr, mdcount); ++ if (strcmp(argv[0], "mdr") == 0) { ++ int ret; ++ last_addr = addr; ++ ret = kdb_mdr(addr, mdcount); ++ last_addr += mdcount; ++ last_repeat = mdcount; ++ last_bytesperword = bytesperword; // to make REPEAT happy ++ return ret; ++ } + + switch (radix) { + case 10: diff --git a/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch b/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch new file mode 100644 index 00000000000..a7d41fb3e20 --- /dev/null +++ b/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Vitaly Kuznetsov +Date: Fri, 9 Feb 2018 14:01:33 +0100 +Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use + +From: Vitaly Kuznetsov + +[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ] + +Devices which use level-triggered interrupts under Windows 2016 with +Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV +unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC +version which has no EOI register so EOI never happens. + +The issue was discovered and discussed a while ago: +https://www.spinics.net/lists/kvm/msg148098.html + +While this is a guest OS bug (it should check that IOAPIC has the required +capabilities before disabling EOI broadcast) we can workaround it in KVM: +advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcp + if (!lapic_in_kernel(vcpu)) + return; + ++ /* ++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) ++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with ++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC ++ * version first and level-triggered interrupts never get EOIed in ++ * IOAPIC. ++ */ + feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); +- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31)))) ++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && ++ !ioapic_in_kernel(vcpu->kvm)) + v |= APIC_LVR_DIRECTED_EOI; + kvm_lapic_set_reg(apic, APIC_LVR, v); + } diff --git a/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch b/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch new file mode 100644 index 00000000000..e770e62a962 --- /dev/null +++ b/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch @@ -0,0 +1,83 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Sean Christopherson +Date: Fri, 23 Mar 2018 09:34:00 -0700 +Subject: KVM: VMX: raise internal error for exception during invalid protected mode state + +From: Sean Christopherson + +[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ] + +Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter +an exception in Protected Mode while emulating guest due to invalid +guest state. Unlike Big RM, KVM doesn't support emulating exceptions +in PM, i.e. PM exceptions are always injected via the VMCS. Because +we will never do VMRESUME due to emulation_required, the exception is +never realized and we'll keep emulating the faulting instruction over +and over until we receive a signal. + +Exit to userspace iff there is a pending exception, i.e. don't exit +simply on a requested event. The purpose of this check and exit is to +aid in debugging a guest that is in all likelihood already doomed. +Invalid guest state in PM is extremely limited in normal operation, +e.g. it generally only occurs for a few instructions early in BIOS, +and any exception at this time is all but guaranteed to be fatal. +Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly +handled/emulated, while checking for vectored interrupts, e.g. INTR +and NMI, without hitting false positives would add a fair amount of +complexity for almost no benefit (getting hit by lightning seems +more likely than encountering this specific scenario). + +Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an +exception via the VMCS and emulation_required is true. + +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2561,6 +2561,8 @@ static void vmx_queue_exception(struct k + return; + } + ++ WARN_ON_ONCE(vmx->emulation_required); ++ + if (kvm_exception_is_soft(nr)) { + vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, + vmx->vcpu.arch.event_exit_inst_len); +@@ -6854,12 +6856,12 @@ static int handle_invalid_guest_state(st + goto out; + } + +- if (err != EMULATE_DONE) { +- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; +- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; +- vcpu->run->internal.ndata = 0; +- return 0; +- } ++ if (err != EMULATE_DONE) ++ goto emulation_error; ++ ++ if (vmx->emulation_required && !vmx->rmode.vm86_active && ++ vcpu->arch.exception.pending) ++ goto emulation_error; + + if (vcpu->arch.halt_request) { + vcpu->arch.halt_request = 0; +@@ -6875,6 +6877,12 @@ static int handle_invalid_guest_state(st + + out: + return ret; ++ ++emulation_error: ++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; ++ vcpu->run->internal.ndata = 0; ++ return 0; + } + + static int __grow_ple_window(int val) diff --git a/queue-4.16/lan78xx-connect-phy-early.patch b/queue-4.16/lan78xx-connect-phy-early.patch new file mode 100644 index 00000000000..25b60e7bf07 --- /dev/null +++ b/queue-4.16/lan78xx-connect-phy-early.patch @@ -0,0 +1,174 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Alexander Graf +Date: Wed, 4 Apr 2018 00:19:35 +0200 +Subject: lan78xx: Connect phy early + +From: Alexander Graf + +[ Upstream commit 92571a1aae40d291158d16e7142637908220f470 ] + +When using wicked with a lan78xx device attached to the system, we +end up with ethtool commands issued on the device before an ifup +got issued. That lead to the following crash: + + Unable to handle kernel NULL pointer dereference at virtual address 0000039c + pgd = ffff800035b30000 + [0000039c] *pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Modules linked in: [...] + Supported: Yes + CPU: 3 PID: 638 Comm: wickedd Tainted: G E 4.12.14-0-default #1 + Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018 + task: ffff800035e74180 task.stack: ffff800036718000 + PC is at phy_ethtool_ksettings_get+0x20/0x98 + LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + pc : [] lr : [] pstate: 20000005 + sp : ffff80003671bb20 + x29: ffff80003671bb20 x28: ffff800035e74180 + x27: ffff000008912000 x26: 000000000000001d + x25: 0000000000000124 x24: ffff000008f74d00 + x23: 0000004000114809 x22: 0000000000000000 + x21: ffff80003671bbd0 x20: 0000000000000000 + x19: ffff80003671bbd0 x18: 000000000000040d + x17: 0000000000000001 x16: 0000000000000000 + x15: 0000000000000000 x14: ffffffffffffffff + x13: 0000000000000000 x12: 0000000000000020 + x11: 0101010101010101 x10: fefefefefefefeff + x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364 + x7 : 0000000080808080 x6 : ffff80003671bc9c + x5 : ffff80003671b9f8 x4 : ffff80002c296190 + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : ffff80003671bbd0 x0 : ffff80003671bc00 + Process wickedd (pid: 638, stack limit = 0xffff800036718000) + Call trace: + Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20) + b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000 + ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080 + ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101 + ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000 + ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0 + ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809 + baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000 + bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20 + bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900 + bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30 + [] phy_ethtool_ksettings_get+0x20/0x98 + [] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + [] ethtool_get_settings+0x68/0x210 + [] dev_ethtool+0x214/0x2180 + [] dev_ioctl+0x400/0x630 + [] sock_do_ioctl+0x70/0x88 + [] sock_ioctl+0x208/0x368 + [] do_vfs_ioctl+0xb0/0x848 + [] SyS_ioctl+0x8c/0xa8 + Exception stack(0xffff80003671bec0 to 0xffff80003671c000) + bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465 + bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465 + bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f + bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68 + bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0 + bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000 + bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00 + bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0 + bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d + bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + +The culprit is quite simple: The driver tries to access the phy left and right, +but only actually has a working reference to it when the device is up. + +The fix thus is quite simple too: Get a reference to the phy on probe already +and keep it even when the device is going down. + +With this patch applied, I can successfully run wicked on my system and bring +the interface up and down as many times as I want, without getting NULL pointer +dereferences in between. + +Signed-off-by: Alexander Graf +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2083,10 +2083,6 @@ static int lan78xx_phy_init(struct lan78 + + dev->fc_autoneg = phydev->autoneg; + +- phy_start(phydev); +- +- netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); +- + return 0; + + error: +@@ -2523,9 +2519,9 @@ static int lan78xx_open(struct net_devic + if (ret < 0) + goto done; + +- ret = lan78xx_phy_init(dev); +- if (ret < 0) +- goto done; ++ phy_start(net->phydev); ++ ++ netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); + + /* for Link Check */ + if (dev->urb_intr) { +@@ -2586,13 +2582,8 @@ static int lan78xx_stop(struct net_devic + if (timer_pending(&dev->stat_monitor)) + del_timer_sync(&dev->stat_monitor); + +- phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); +- phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); +- +- phy_stop(net->phydev); +- phy_disconnect(net->phydev); +- +- net->phydev = NULL; ++ if (net->phydev) ++ phy_stop(net->phydev); + + clear_bit(EVENT_DEV_OPEN, &dev->flags); + netif_stop_queue(net); +@@ -3507,8 +3498,13 @@ static void lan78xx_disconnect(struct us + return; + + udev = interface_to_usbdev(intf); +- + net = dev->net; ++ ++ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); ++ phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); ++ ++ phy_disconnect(net->phydev); ++ + unregister_netdev(net); + + cancel_delayed_work_sync(&dev->wq); +@@ -3664,8 +3660,14 @@ static int lan78xx_probe(struct usb_inte + pm_runtime_set_autosuspend_delay(&udev->dev, + DEFAULT_AUTOSUSPEND_DELAY); + ++ ret = lan78xx_phy_init(dev); ++ if (ret < 0) ++ goto out4; ++ + return 0; + ++out4: ++ unregister_netdev(netdev); + out3: + lan78xx_unbind(dev, intf); + out2: +@@ -4013,7 +4015,7 @@ static int lan78xx_reset_resume(struct u + + lan78xx_reset(dev); + +- lan78xx_phy_init(dev); ++ phy_start(dev->net->phydev); + + return lan78xx_resume(intf); + } diff --git a/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch b/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch new file mode 100644 index 00000000000..197a0bb7a86 --- /dev/null +++ b/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Greg Ungerer +Date: Wed, 28 Mar 2018 17:12:18 +1000 +Subject: m68k: set dma and coherent masks for platform FEC ethernets + +From: Greg Ungerer + +[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ] + +As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no +coherent_dma_mask") the Freescale FEC driver is issuing the following +warning on driver initialization on ColdFire systems: + +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4 +Stack from 41833dd8: + 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000 + 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d + 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000 + 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8 + 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c + 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000 +Call Trace: + [<40025534>] 0x40025534 + [<4004e514>] 0x4004e514 + [<400255de>] 0x400255de + [<40159e20>] 0x40159e20 + [<40159e20>] 0x40159e20 + +It is not fatal, the driver and the system continue to function normally. + +As per the warning the coherent_dma_mask is not set on this device. +There is nothing special about the DMA memory coherency on this hardware +so we can just set the mask to 32bits in the platform data for the FEC +ethernet devices. + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/coldfire/device.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = + .id = 0, + .num_resources = ARRAY_SIZE(mcf_fec0_resources), + .resource = mcf_fec0_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + + #ifdef MCFFEC_BASE1 +@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = + .id = 1, + .num_resources = ARRAY_SIZE(mcf_fec1_resources), + .resource = mcf_fec1_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + #endif /* MCFFEC_BASE1 */ + #endif /* CONFIG_FEC */ diff --git a/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch b/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch new file mode 100644 index 00000000000..656bb40916f --- /dev/null +++ b/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Pierre Bourdon +Date: Tue, 20 Feb 2018 16:03:18 +0100 +Subject: max17042: propagate of_node to power supply device + +From: Pierre Bourdon + +[ Upstream commit 66ec32fc7cd116dab5c02603ea8ec28ff92da3b5 ] + +max17042_get_status uses the core power_supply_am_i_supplied. That +function relies on DT properties to figure out the power supply +topology, and will error out without DT. + +Fixes max17042 battery status being reported as "unknown". + +Signed-off-by: Pierre Bourdon +Signed-off-by: Andre Heider +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -1053,6 +1053,7 @@ static int max17042_probe(struct i2c_cli + + i2c_set_clientdata(client, chip); + psy_cfg.drv_data = chip; ++ psy_cfg.of_node = dev->of_node; + + /* When current is not measured, + * CURRENT_NOW and CURRENT_AVG properties should be invisible. */ diff --git a/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch b/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch new file mode 100644 index 00000000000..e530a96a7aa --- /dev/null +++ b/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Mathias Kresin +Date: Thu, 11 May 2017 08:18:24 +0200 +Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset + +From: Mathias Kresin + +[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ] + +According to the QCA u-boot source the "PCIE Phase Lock Loop +Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the +QCA955X and QCA956X at offset 0x10. + +Since the PCIE PLL config register is only defined for the AR724x fix +only this value. The value is wrong since the day it was added and isn't +used by any driver yet. + +Signed-off-by: Mathias Kresin +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16048/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h ++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h +@@ -167,7 +167,7 @@ + #define AR71XX_AHB_DIV_MASK 0x7 + + #define AR724X_PLL_REG_CPU_CONFIG 0x00 +-#define AR724X_PLL_REG_PCIE_CONFIG 0x18 ++#define AR724X_PLL_REG_PCIE_CONFIG 0x10 + + #define AR724X_PLL_FB_SHIFT 0 + #define AR724X_PLL_FB_MASK 0x3ff diff --git a/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch b/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch new file mode 100644 index 00000000000..7b85dbdfaab --- /dev/null +++ b/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch @@ -0,0 +1,70 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Joe Perches +Date: Tue, 5 Dec 2017 23:04:58 -0800 +Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines + +From: Joe Perches + +[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ] + +Using a period after a newline causes bad output. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Signed-off-by: Joe Perches +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17886/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st + + parent_irq = irq_of_parse_and_map(ciu_node, 0); + if (!parent_irq) { +- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", ++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", + ciu_node->name); + return -EINVAL; + } +@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 0, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->raw_reg = (u64)phys_to_virt( +@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 1, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->en_reg = (u64)phys_to_virt( +@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st + + r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); + if (r) { +- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", ++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", + ciu_node->name); + return r; + } +@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st + &octeon_irq_domain_cib_ops, + host_data); + if (!cib_domain) { +- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); ++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); + return -ENOMEM; + } + diff --git a/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch b/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch new file mode 100644 index 00000000000..053fca5a7f0 --- /dev/null +++ b/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch @@ -0,0 +1,78 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Huang Ying +Date: Thu, 5 Apr 2018 16:23:20 -0700 +Subject: mm: fix races between address_space dereference and free in page_evicatable + +From: Huang Ying + +[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ] + +When page_mapping() is called and the mapping is dereferenced in +page_evicatable() through shrink_active_list(), it is possible for the +inode to be truncated and the embedded address space to be freed at the +same time. This may lead to the following race. + +CPU1 CPU2 + +truncate(inode) shrink_active_list() + ... page_evictable(page) + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + mapping_unevictable(mapping) + test_bit(AS_UNEVICTABLE, &mapping->flags); +- we've dereferenced mapping which is potentially already free. + +Similar race exists between swap cache freeing and page_evicatable() +too. + +The address_space in inode and swap cache will be freed after a RCU +grace period. So the races are fixed via enclosing the page_mapping() +and address_space usage in rcu_read_lock/unlock(). Some comments are +added in code to make it clear what is protected by the RCU read lock. + +Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Reviewed-by: Jan Kara +Reviewed-by: Andrew Morton +Cc: Mel Gorman +Cc: Minchan Kim +Cc: "Huang, Ying" +Cc: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -3896,7 +3896,13 @@ int node_reclaim(struct pglist_data *pgd + */ + int page_evictable(struct page *page) + { +- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ int ret; ++ ++ /* Prevent address_space of inode and swap cache from being freed */ ++ rcu_read_lock(); ++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ rcu_read_unlock(); ++ return ret; + } + + #ifdef CONFIG_SHMEM diff --git a/queue-4.16/mm-ksm-fix-interaction-with-thp.patch b/queue-4.16/mm-ksm-fix-interaction-with-thp.patch new file mode 100644 index 00000000000..00f77ac479a --- /dev/null +++ b/queue-4.16/mm-ksm-fix-interaction-with-thp.patch @@ -0,0 +1,103 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Claudio Imbrenda +Date: Thu, 5 Apr 2018 16:25:41 -0700 +Subject: mm/ksm: fix interaction with THP + +From: Claudio Imbrenda + +[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ] + +This patch fixes a corner case for KSM. When two pages belong or +belonged to the same transparent hugepage, and they should be merged, +KSM fails to split the page, and therefore no merging happens. + +This bug can be reproduced by: +* making sure ksm is running (in case disabling ksmtuned) +* enabling transparent hugepages +* allocating a THP-aligned 1-THP-sized buffer + e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21) +* filling it with the same values + e.g. memset(p, 42, 1<<21) +* performing madvise to make it mergeable + e.g. madvise(p, 1<<21, MADV_MERGEABLE) +* waiting for KSM to perform a few scans + +The expected outcome is that the all the pages get merged (1 shared and +the rest sharing); the actual outcome is that no pages get merged (1 +unshared and the rest volatile) + +The reason of this behaviour is that we increase the reference count +once for both pages we want to merge, but if they belong to the same +hugepage (or compound page), the reference counter used in both cases is +the one of the head of the compound page. This means that +split_huge_page will find a value of the reference counter too high and +will fail. + +This patch solves this problem by testing if the two pages to merge +belong to the same hugepage when attempting to merge them. If so, the +hugepage is split safely. This means that the hugepage is not split if +not necessary. + +Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com +Signed-off-by: Claudio Imbrenda +Co-authored-by: Gerald Schaefer +Reviewed-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Minchan Kim +Cc: Kirill A. Shutemov +Cc: Hugh Dickins +Cc: Christian Borntraeger +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/ksm.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -2089,8 +2089,22 @@ static void cmp_and_merge_page(struct pa + tree_rmap_item = + unstable_tree_search_insert(rmap_item, page, &tree_page); + if (tree_rmap_item) { ++ bool split; ++ + kpage = try_to_merge_two_pages(rmap_item, page, + tree_rmap_item, tree_page); ++ /* ++ * If both pages we tried to merge belong to the same compound ++ * page, then we actually ended up increasing the reference ++ * count of the same compound page twice, and split_huge_page ++ * failed. ++ * Here we set a flag if that happened, and we use it later to ++ * try split_huge_page again. Since we call put_page right ++ * afterwards, the reference count will be correct and ++ * split_huge_page should succeed. ++ */ ++ split = PageTransCompound(page) ++ && compound_head(page) == compound_head(tree_page); + put_page(tree_page); + if (kpage) { + /* +@@ -2117,6 +2131,20 @@ static void cmp_and_merge_page(struct pa + break_cow(tree_rmap_item); + break_cow(rmap_item); + } ++ } else if (split) { ++ /* ++ * We are here if we tried to merge two pages and ++ * failed because they both belonged to the same ++ * compound page. We will split the page now, but no ++ * merging will take place. ++ * We do not want to add the cost of a full lock; if ++ * the page is locked, it is better to skip it and ++ * perhaps try again later. ++ */ ++ if (!trylock_page(page)) ++ return; ++ split_huge_page(page); ++ unlock_page(page); + } + } + } diff --git a/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch b/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch new file mode 100644 index 00000000000..6362555f8fd --- /dev/null +++ b/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Yang Shi +Date: Thu, 5 Apr 2018 16:22:35 -0700 +Subject: mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one() + +From: Yang Shi + +[ Upstream commit f0849ac0b8e072073ec5fcc7fadd05a77434364e ] + +For PTE-mapped THP, the compound THP has not been split to normal 4K +pages yet, the whole THP is considered referenced if any one of sub page +is referenced. + +When walking PTE-mapped THP by pvmw, all relevant PTEs will be checked +to retrieve referenced bit. But, the current code just returns the +result of the last PTE. If the last PTE has not referenced, the +referenced flag will be cleared. + +Just set referenced when ptep{pmdp}_clear_young_notify() returns true. + +Link: http://lkml.kernel.org/r/1518212451-87134-1-git-send-email-yang.shi@linux.alibaba.com +Signed-off-by: Yang Shi +Reported-by: Gang Deng +Suggested-by: Kirill A. Shutemov +Reviewed-by: Andrew Morton +Cc: "Kirill A. Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_idle.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/page_idle.c ++++ b/mm/page_idle.c +@@ -65,11 +65,15 @@ static bool page_idle_clear_pte_refs_one + while (page_vma_mapped_walk(&pvmw)) { + addr = pvmw.address; + if (pvmw.pte) { +- referenced = ptep_clear_young_notify(vma, addr, +- pvmw.pte); ++ /* ++ * For PTE-mapped THP, one sub page is referenced, ++ * the whole THP is referenced. ++ */ ++ if (ptep_clear_young_notify(vma, addr, pvmw.pte)) ++ referenced = true; + } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) { +- referenced = pmdp_clear_young_notify(vma, addr, +- pvmw.pmd); ++ if (pmdp_clear_young_notify(vma, addr, pvmw.pmd)) ++ referenced = true; + } else { + /* unexpected pmd-mapped page? */ + WARN_ON_ONCE(1); diff --git a/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch b/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch new file mode 100644 index 00000000000..3a1a7b2f578 --- /dev/null +++ b/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Lorenzo Bianconi +Date: Sat, 17 Mar 2018 12:29:27 +0100 +Subject: mt76x2: fix possible NULL pointer dereferencing in mt76x2_tx() + +From: Lorenzo Bianconi + +[ Upstream commit 6958b027435aa54d82bbef09a007fd287f439977 ] + +Fix a theoretical NULL pointer dereferencing in mt76x2_tx routine that +can occurs for injected frames in a monitor vif since vif pointer could +be NULL for that interfaces + +Fixes: 23405236460b ("mt76: fix transmission of encrypted mgmt frames") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2_tx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c +@@ -36,9 +36,12 @@ void mt76x2_tx(struct ieee80211_hw *hw, + + msta = (struct mt76x2_sta *) control->sta->drv_priv; + wcid = &msta->wcid; ++ /* sw encrypted frames */ ++ if (!info->control.hw_key && wcid->hw_key_idx != -1) ++ control->sta = NULL; + } + +- if (vif || (!info->control.hw_key && wcid->hw_key_idx != -1)) { ++ if (vif && !control->sta) { + struct mt76x2_vif *mvif; + + mvif = (struct mt76x2_vif *) vif->drv_priv; diff --git a/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch b/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch new file mode 100644 index 00000000000..56d6470671d --- /dev/null +++ b/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Lorenzo Bianconi +Date: Sat, 17 Mar 2018 15:01:39 +0100 +Subject: mt76x2: fix warning in ieee80211_get_key_rx_seq() + +From: Lorenzo Bianconi + +[ Upstream commit c03a5aacde0c86f6dabab8f17a6d1911ee13b6c4 ] + +Fall back to software encryption for hw unsupported ciphers in order +to fix the following warning in ieee80211_get_key_rx_seq routine: + +WARNING: CPU: 1 PID: 1277 at backports-2017-11-01/net/mac80211/key.c: +1010 mt76_wcid_key_setup+0x6c/0x138 [mt76] +CPU: 1 PID: 1277 Comm: hostapd Tainted: G W 4.9.86 #0 +Stack : 00000000 00000000 80527b4a 00000042 80523824 00000000 00000000 80520000 + 8fd79a9c 804bbda7 80454c84 00000001 000004fd 80523824 8f7e4ba0 8eceda12 + 00000010 8006af94 00000001 80520000 804c1f04 804c1f08 80459890 8ec999b4 + 00000003 800a7840 8f7e4ba0 8eceda12 8121de20 00000000 00000001 00c999b4 + 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + ... +Call Trace: +[<8000f52c>] show_stack+0x70/0x8c +[<801d8d04>] dump_stack+0x94/0xd0 +[<8002bcd4>] __warn+0x110/0x118 +[<8002bd70>] warn_slowpath_null+0x1c/0x2c +[<8f0415cc>] mt76_wcid_key_setup+0x6c/0x138 [mt76] +[<8f1311b4>] mt76x2_dma_cleanup+0xa38/0x1048 [mt76x2e] + +Fixes: 30ce7f4456ae ("mt76: validate rx CCMP PN") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2_main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_main.c +@@ -336,6 +336,17 @@ mt76x2_set_key(struct ieee80211_hw *hw, + int idx = key->keyidx; + int ret; + ++ /* fall back to sw encryption for unsupported ciphers */ ++ switch (key->cipher) { ++ case WLAN_CIPHER_SUITE_WEP40: ++ case WLAN_CIPHER_SUITE_WEP104: ++ case WLAN_CIPHER_SUITE_TKIP: ++ case WLAN_CIPHER_SUITE_CCMP: ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ + /* + * The hardware does not support per-STA RX GTK, fall back + * to software mode for these. diff --git a/queue-4.16/net-bgmac-correctly-annotate-register-space.patch b/queue-4.16/net-bgmac-correctly-annotate-register-space.patch new file mode 100644 index 00000000000..4360dea3c38 --- /dev/null +++ b/queue-4.16/net-bgmac-correctly-annotate-register-space.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:29 -0700 +Subject: net: bgmac: Correctly annotate register space + +From: Florian Fainelli + +[ Upstream commit 16a1c0646e55c3345bce8e4edfc06ad119d27c04 ] + +All the members: base, idm_base and nicpm_base should be annotated with +__iomem since they are pointers to register space. This fixes a bunch of +sparse reported warnings. + +Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support") +Fixes: dd5c5d037f5e ("net: ethernet: bgmac: add NS2 support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -479,9 +479,9 @@ struct bgmac_rx_header { + struct bgmac { + union { + struct { +- void *base; +- void *idm_base; +- void *nicpm_base; ++ void __iomem *base; ++ void __iomem *idm_base; ++ void __iomem *nicpm_base; + } plat; + struct { + struct bcma_device *core; diff --git a/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch b/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch new file mode 100644 index 00000000000..c363f640764 --- /dev/null +++ b/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:30 -0700 +Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() + +From: Florian Fainelli + +[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ] + +bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian +32-bit word without using proper accessors, fix this, and because a +length cannot be negative, use unsigned int while at it. + +Fixes: 9cde94506eac ("bgmac: implement scatter/gather support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -533,7 +533,8 @@ static void bgmac_dma_tx_ring_free(struc + int i; + + for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { +- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; ++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); ++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; + + slot = &ring->slots[i]; + dev_kfree_skb(slot->skb); diff --git a/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch new file mode 100644 index 00000000000..2e4f9b29e56 --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:44 +0800 +Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_indir_size + +From: Fuyun Liang + +[ Upstream commit da44a00f06df1f823ea449065e79581ee624de4b ] + +The return type of hns3_get_rss_indir_size is u32. But a negative value is +returned. This patch fixes it by replacing the negative value with zero. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -709,7 +709,7 @@ static u32 hns3_get_rss_indir_size(struc + + if (!h->ae_algo || !h->ae_algo->ops || + !h->ae_algo->ops->get_rss_indir_size) +- return -EOPNOTSUPP; ++ return 0; + + return h->ae_algo->ops->get_rss_indir_size(h); + } diff --git a/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch new file mode 100644 index 00000000000..6391758eb3d --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:43 +0800 +Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_key_size + +From: Fuyun Liang + +[ Upstream commit 3bd6d258b1d5f76744567855d1376358a94f127d ] + +The return type of hns3_get_rss_key_size is u32. But a negative value is +returned. This patch fixes it by replacing the negative value with zero. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -698,7 +698,7 @@ static u32 hns3_get_rss_key_size(struct + + if (!h->ae_algo || !h->ae_algo->ops || + !h->ae_algo->ops->get_rss_key_size) +- return -EOPNOTSUPP; ++ return 0; + + return h->ae_algo->ops->get_rss_key_size(h); + } diff --git a/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch b/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch new file mode 100644 index 00000000000..3b1e12fd9a5 --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:45 +0800 +Subject: net: hns3: fix for the wrong shift problem in hns3_set_txbd_baseinfo + +From: Fuyun Liang + +[ Upstream commit 3c8f5c0339515202e8662b6e3ae36a7b16610caf ] + +Third parameter of hnae_set_field is shift, But a mask is given. This +patch fixes it by replacing HNS3_TXD_BDTYPE_M with HNS3_TXD_BDTYPE_S. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -747,7 +747,7 @@ static void hns3_set_txbd_baseinfo(u16 * + { + /* Config bd buffer end */ + hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_BDTYPE_M, +- HNS3_TXD_BDTYPE_M, 0); ++ HNS3_TXD_BDTYPE_S, 0); + hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_FE_B, !!frag_end); + hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_VLD_B, 1); + hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_SC_M, HNS3_TXD_SC_S, 0); diff --git a/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch b/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch new file mode 100644 index 00000000000..5f46b2f0585 --- /dev/null +++ b/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch @@ -0,0 +1,60 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Leon Romanovsky +Date: Tue, 2 Jan 2018 16:49:56 +0200 +Subject: net/mlx5: Protect from command bit overflow + +From: Leon Romanovsky + +[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ] + +The system with CONFIG_UBSAN enabled on produces the following error +during driver initialization. The reason to it that max_reg_cmds can be +larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long. + +================================================================================ +UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42 +signed integer overflow: +-2147483648 - 1 cannot be represented in type 'int' +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xe9/0x18f + ? dma_virt_alloc+0x81/0x81 + ubsan_epilogue+0xe/0x4e + handle_overflow+0x187/0x20c + mlx5_cmd_init+0x73a/0x12b0 + mlx5_load_one+0x1c3d/0x1d30 + init_one+0xd02/0xf10 + pci_device_probe+0x26c/0x3b0 + driver_probe_device+0x622/0xb40 + __driver_attach+0x175/0x1b0 + bus_for_each_dev+0xef/0x190 + bus_add_driver+0x2db/0x490 + driver_register+0x16b/0x1e0 + __pci_register_driver+0x177/0x1b0 + init+0x6d/0x92 + do_one_initcall+0x15b/0x270 + kernel_init_freeable+0x2d8/0x3d0 + kernel_init+0x14/0x190 + ret_from_fork+0x24/0x30 +================================================================================ + +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1802,7 +1802,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * + + cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; ++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; + + cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; + if (cmd->cmdif_rev > CMD_IF_REV) { diff --git a/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch b/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch new file mode 100644 index 00000000000..340e0c647ff --- /dev/null +++ b/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch @@ -0,0 +1,126 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Eran Ben Elisha +Date: Tue, 16 Jan 2018 17:25:06 +0200 +Subject: net/mlx5e: Move all TX timeout logic to be under state lock + +From: Eran Ben Elisha + +[ Upstream commit bfc647d52e67dc756c605e9a50d45b71054c2533 ] + +Driver callback for handling TX timeout should access some internal +resources (SQ, CQ) in order to decide if the tx timeout work should be +scheduled. These resources might be unavailable if channels are closed +in parallel (ifdown for example). + +The state lock is the mechanism to protect from such races. +Move all TX timeout logic to be in the work under a state lock. + +In addition, Move the work from the global WQ to mlx5e WQ to make sure +this work is flushed when device is detached.. + +Also, move the mlx5e_tx_timeout_work code to be next to the TX timeout +NDO for better code locality. + +Fixes: 3947ca185999 ("net/mlx5e: Implement ndo_tx_timeout callback") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 61 ++++++++++++---------- + 1 file changed, 34 insertions(+), 27 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -153,26 +153,6 @@ static void mlx5e_update_carrier_work(st + mutex_unlock(&priv->state_lock); + } + +-static void mlx5e_tx_timeout_work(struct work_struct *work) +-{ +- struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv, +- tx_timeout_work); +- int err; +- +- rtnl_lock(); +- mutex_lock(&priv->state_lock); +- if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) +- goto unlock; +- mlx5e_close_locked(priv->netdev); +- err = mlx5e_open_locked(priv->netdev); +- if (err) +- netdev_err(priv->netdev, "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n", +- err); +-unlock: +- mutex_unlock(&priv->state_lock); +- rtnl_unlock(); +-} +- + void mlx5e_update_stats(struct mlx5e_priv *priv) + { + int i; +@@ -3632,13 +3612,19 @@ static bool mlx5e_tx_timeout_eq_recover( + return true; + } + +-static void mlx5e_tx_timeout(struct net_device *dev) ++static void mlx5e_tx_timeout_work(struct work_struct *work) + { +- struct mlx5e_priv *priv = netdev_priv(dev); ++ struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv, ++ tx_timeout_work); ++ struct net_device *dev = priv->netdev; + bool reopen_channels = false; +- int i; ++ int i, err; + +- netdev_err(dev, "TX timeout detected\n"); ++ rtnl_lock(); ++ mutex_lock(&priv->state_lock); ++ ++ if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) ++ goto unlock; + + for (i = 0; i < priv->channels.num * priv->channels.params.num_tc; i++) { + struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, i); +@@ -3646,7 +3632,9 @@ static void mlx5e_tx_timeout(struct net_ + + if (!netif_xmit_stopped(dev_queue)) + continue; +- netdev_err(dev, "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n", ++ ++ netdev_err(dev, ++ "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n", + i, sq->sqn, sq->cq.mcq.cqn, sq->cc, sq->pc, + jiffies_to_usecs(jiffies - dev_queue->trans_start)); + +@@ -3659,8 +3647,27 @@ static void mlx5e_tx_timeout(struct net_ + } + } + +- if (reopen_channels && test_bit(MLX5E_STATE_OPENED, &priv->state)) +- schedule_work(&priv->tx_timeout_work); ++ if (!reopen_channels) ++ goto unlock; ++ ++ mlx5e_close_locked(dev); ++ err = mlx5e_open_locked(dev); ++ if (err) ++ netdev_err(priv->netdev, ++ "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n", ++ err); ++ ++unlock: ++ mutex_unlock(&priv->state_lock); ++ rtnl_unlock(); ++} ++ ++static void mlx5e_tx_timeout(struct net_device *dev) ++{ ++ struct mlx5e_priv *priv = netdev_priv(dev); ++ ++ netdev_err(dev, "TX timeout detected\n"); ++ queue_work(priv->wq, &priv->tx_timeout_work); + } + + static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog) diff --git a/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch b/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..c71948aca02 --- /dev/null +++ b/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Colin Ian King +Date: Fri, 23 Mar 2018 23:51:57 +0000 +Subject: net: qualcomm: rmnet: check for null ep to avoid null pointer dereference + +From: Colin Ian King + +[ Upstream commit 0c29ba1b43df1eb7d8beb03fc929d2dac4c15f7e ] + +The call to rmnet_get_endpoint can potentially return NULL so check +for this to avoid any subsequent null pointer dereferences on a NULL +ep. + +Detected by CoverityScan, CID#1465385 ("Dereference null return value") + +Fixes: 23790ef12082 ("net: qualcomm: rmnet: Allow to configure flags for existing devices") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -307,6 +307,8 @@ static int rmnet_changelink(struct net_d + if (data[IFLA_VLAN_ID]) { + mux_id = nla_get_u16(data[IFLA_VLAN_ID]); + ep = rmnet_get_endpoint(port, priv->mux_id); ++ if (!ep) ++ return -ENODEV; + + hlist_del_init_rcu(&ep->hlnode); + hlist_add_head_rcu(&ep->hlnode, &port->muxed_ep[mux_id]); diff --git a/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch b/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch new file mode 100644 index 00000000000..239fd3b86c1 --- /dev/null +++ b/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch @@ -0,0 +1,106 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ursula Braun +Date: Wed, 14 Mar 2018 11:01:00 +0100 +Subject: net/smc: pay attention to MAX_ORDER for CQ entries + +From: Ursula Braun + +[ Upstream commit c9f4c6cf53bfafb639386a4c094929f13f573e04 ] + +smc allocates a certain number of CQ entries for used RoCE devices. For +mlx5 devices the chosen constant number results in a large allocation +causing this warning: + +[13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0 +[13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc] +[13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G O 4.14.0uschi #1 +[13355.124673] Hardware name: IBM 3906 M04 704 (LPAR) +[13355.124675] Workqueue: events smc_listen_work [smc] +[13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000 +[13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0) +[13355.124681] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 +[13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001 +[13355.124684] 000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0 +[13355.124685] 0000000000000009 00000000ec277a00 0000000000200000 0000000000000000 +[13355.124686] 0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720 +[13355.124708] Krnl Code: 000000000029da6a: a7110200 tmll %r1,512 + 000000000029da6e: a774ff29 brc 7,29d8c0 + #000000000029da72: a7f40001 brc 15,29da74 + >000000000029da76: a7f4ff25 brc 15,29d8c0 + 000000000029da7a: a7380000 lhi %r3,0 + 000000000029da7e: a7f4fef1 brc 15,29d860 + 000000000029da82: 5820f0c4 l %r2,196(%r15) + 000000000029da86: a53e0048 llilh %r3,72 +[13355.124720] Call Trace: +[13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0) +[13355.124724] [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148 +[13355.124733] [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core] +[13355.124740] [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core] +[13355.124744] [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib] +[13355.124749] [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core] +[13355.124751] [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc] +[13355.124753] [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc] +[13355.124755] [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc] +[13355.124756] [<0000000000162c66>] process_one_work+0x1be/0x440 +[13355.124758] [<0000000000162f40>] worker_thread+0x58/0x458 +[13355.124759] [<0000000000169e7e>] kthread+0x14e/0x168 +[13355.124760] [<00000000009ce8be>] kernel_thread_starter+0x6/0xc +[13355.124762] [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc +[13355.124762] Last Breaking-Event-Address: +[13355.124764] [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0 +[13355.124764] ---[ end trace 34be38b581c0b585 ]--- + +This patch reduces the smc constant for the maximum number of allocated +completion queue entries SMC_MAX_CQE by 2 to avoid high round up values +in the mlx5 code, and reduces the number of allocated completion queue +entries even more, if the final allocation for an mlx5 device hits the +MAX_ORDER limit. + +Reported-by: Ihnken Menssen +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_ib.c | 10 +++++++++- + net/smc/smc_wr.h | 1 - + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -23,6 +23,8 @@ + #include "smc_wr.h" + #include "smc.h" + ++#define SMC_MAX_CQE 32766 /* max. # of completion queue elements */ ++ + #define SMC_QP_MIN_RNR_TIMER 5 + #define SMC_QP_TIMEOUT 15 /* 4096 * 2 ** timeout usec */ + #define SMC_QP_RETRY_CNT 7 /* 7: infinite */ +@@ -438,9 +440,15 @@ out: + long smc_ib_setup_per_ibdev(struct smc_ib_device *smcibdev) + { + struct ib_cq_init_attr cqattr = { +- .cqe = SMC_WR_MAX_CQE, .comp_vector = 0 }; ++ .cqe = SMC_MAX_CQE, .comp_vector = 0 }; ++ int cqe_size_order, smc_order; + long rc; + ++ /* the calculated number of cq entries fits to mlx5 cq allocation */ ++ cqe_size_order = cache_line_size() == 128 ? 7 : 6; ++ smc_order = MAX_ORDER - cqe_size_order - 1; ++ if (SMC_MAX_CQE + 2 > (0x00000001 << smc_order) * PAGE_SIZE) ++ cqattr.cqe = (0x00000001 << smc_order) * PAGE_SIZE - 2; + smcibdev->roce_cq_send = ib_create_cq(smcibdev->ibdev, + smc_wr_tx_cq_handler, NULL, + smcibdev, &cqattr); +--- a/net/smc/smc_wr.h ++++ b/net/smc/smc_wr.h +@@ -19,7 +19,6 @@ + #include "smc.h" + #include "smc_core.h" + +-#define SMC_WR_MAX_CQE 32768 /* max. # of completion queue elements */ + #define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */ + + #define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ) diff --git a/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch b/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch new file mode 100644 index 00000000000..494fe138bcc --- /dev/null +++ b/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Niklas Cassel +Date: Mon, 19 Feb 2018 18:11:13 +0100 +Subject: net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() + +From: Niklas Cassel + +[ Upstream commit 13138de01400762f706c5e956e70660770d61962 ] + +stmmac_mac_config_rx_queues_routing() incorrectly calls rx_queue_prio() +instead of rx_queue_routing(). + +This looks like a copy paste issue, since +stmmac_mac_config_rx_queues_prio() already calls rx_queue_prio(), +and both stmmac_mac_config_rx_queues_routing() and +stmmac_mac_config_rx_queues_prio() are very similar in structure. + +Fixes: abe80fdc6ee6 ("net: stmmac: RX queue routing configuration") +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2435,7 +2435,7 @@ static void stmmac_mac_config_rx_queues_ + continue; + + packet = priv->plat->rx_queues_cfg[queue].pkt_route; +- priv->hw->mac->rx_queue_prio(priv->hw, packet, queue); ++ priv->hw->mac->rx_queue_routing(priv->hw, packet, queue); + } + } + diff --git a/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch b/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch new file mode 100644 index 00000000000..51f797df380 --- /dev/null +++ b/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:08 +0100 +Subject: net: stmmac: ensure that the device has released ownership before reading data + +From: Niklas Cassel + +[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ] + +According to Documentation/memory-barriers.txt, we need to use a +dma_rmb() after reading the status/own bit, to ensure that all +descriptor fields are read after reading the own bit. + +This way, we ensure that the DMA engine is done with the DMA +descriptor before we read the other descriptor fields, e.g. reading +the tx hardware timestamp (if PTP is enabled). + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1843,6 +1843,11 @@ static void stmmac_tx_clean(struct stmma + if (unlikely(status & tx_dma_own)) + break; + ++ /* Make sure descriptor fields are read after reading ++ * the own bit. ++ */ ++ dma_rmb(); ++ + /* Just consider the last segment and ...*/ + if (likely(!(status & tx_not_ls))) { + /* ... verify the status error condition */ diff --git a/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch b/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch new file mode 100644 index 00000000000..360b17c6c79 --- /dev/null +++ b/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:06 +0100 +Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit + +From: Niklas Cassel + +[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ] + +A dma_wmb() is used to guarantee the ordering, with respect to +other writes, to cache coherent DMA memory. + +There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which +ensures that TDES0/1/2 is written before TDES3 (which contains the own +bit), for First Desc. + +However, in the rare case that MSS changes, there will be a MSS +context descriptor in front of the regular DMA descriptors: + + <- DMA Next Descriptor + + + + +Thus, for this special case, we need a dma_wmb() +after prepare_tso_tx_desc()/before writing the own bit to the MSS desc, +so that we flush the write to TDES3 for First Desc, +in order to ensure that the MSS descriptor is the last descriptor to +set the own bit. + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2985,8 +2985,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len)); + + /* If context desc is used to change MSS */ +- if (mss_desc) ++ if (mss_desc) { ++ /* Make sure that first descriptor has been completely ++ * written, including its own bit. This is because MSS is ++ * actually before first descriptor, so we need to make ++ * sure that MSS's own bit is the last thing written. ++ */ ++ dma_wmb(); + priv->hw->desc->set_tx_owner(mss_desc); ++ } + + /* The own bit must be the latest setting done when prepare the + * descriptor and then barrier is needed to make sure that diff --git a/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch b/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch new file mode 100644 index 00000000000..0254ebcca9b --- /dev/null +++ b/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Richard Haines +Date: Mon, 13 Nov 2017 20:54:22 +0000 +Subject: netlabel: If PF_INET6, check sk_buff ip header version + +From: Richard Haines + +[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ] + +When resolving a fallback label, check the sk_buff version as it +is possible (e.g. SCTP) to have family = PF_INET6 while +receiving ip_hdr(skb)->version = 4. + +Signed-off-by: Richard Haines +Acked-by: Paul Moore +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netlabel/netlabel_unlabeled.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct + iface = rcu_dereference(netlbl_unlhsh_def); + if (iface == NULL || !iface->valid) + goto unlabel_getattr_nolabel; ++ ++#if IS_ENABLED(CONFIG_IPV6) ++ /* When resolving a fallback label, check the sk_buff version as ++ * it is possible (e.g. SCTP) to have family = PF_INET6 while ++ * receiving ip_hdr(skb)->version = 4. ++ */ ++ if (family == PF_INET6 && ip_hdr(skb)->version == 4) ++ family = PF_INET; ++#endif /* IPv6 */ ++ + switch (family) { + case PF_INET: { + struct iphdr *hdr4; diff --git a/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch b/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch new file mode 100644 index 00000000000..1fd88443c0d --- /dev/null +++ b/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Johannes Thumshirn +Date: Thu, 12 Apr 2018 09:16:06 -0600 +Subject: nvme: don't send keep-alives to the discovery controller + +From: Johannes Thumshirn + +[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ] + +NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and +Command Support" Figure 31 "Discovery Controller – Admin Commands" +explicitly listst all commands but "Get Log Page" and "Identify" as +reserved, but NetApp report the Linux host is sending Keep Alive +commands to the discovery controller, which is a violation of the +Spec. + +We're already checking for discovery controllers when configuring the +keep alive timeout but when creating a discovery controller we're not +hard wiring the keep alive timeout to 0 and thus remain on +NVME_DEFAULT_KATO for the discovery controller. + +This can be easily remproduced when issuing a direct connect to the +discovery susbsystem using: +'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery' + +Signed-off-by: Johannes Thumshirn +Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library") +Reported-by: Martin George +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -608,8 +608,10 @@ static int nvmf_parse_options(struct nvm + opts->discovery_nqn = + !(strcmp(opts->subsysnqn, + NVME_DISC_SUBSYS_NAME)); +- if (opts->discovery_nqn) ++ if (opts->discovery_nqn) { ++ opts->kato = 0; + opts->nr_io_queues = 0; ++ } + break; + case NVMF_OPT_TRADDR: + p = match_strdup(args); diff --git a/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch b/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch new file mode 100644 index 00000000000..ce8d5baf739 --- /dev/null +++ b/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch @@ -0,0 +1,327 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: James Smart +Date: Thu, 12 Apr 2018 09:16:15 -0600 +Subject: nvme: expand nvmf_check_if_ready checks + +From: James Smart + +[ Upstream commit bb06ec31452fb2da1594f88035c2ecea4e0652f4 ] + +The nvmf_check_if_ready() checks that were added are very simplistic. +As such, the routine allows a lot of cases to fail ios during windows +of reset or re-connection. In cases where there are not multi-path +options present, the error goes back to the callee - the filesystem +or application. Not good. + +The common routine was rewritten and calling syntax slightly expanded +so that per-transport is_ready routines don't need to be present. +The transports now call the routine directly. The routine is now a +fabrics routine rather than an inline function. + +The routine now looks at controller state to decide the action to +take. Some states mandate io failure. Others define the condition where +a command can be accepted. When the decision is unclear, a generic +queue-or-reject check is made to look for failfast or multipath ios and +only fails the io if it is so marked. Otherwise, the io will be queued +and wait for the controller state to resolve. + +Admin commands issued via ioctl share a live admin queue with commands +from the transport for controller init. The ioctls could be intermixed +with the initialization commands. It's possible for the ioctl cmd to +be issued prior to the controller being enabled. To block this, the +ioctl admin commands need to be distinguished from admin commands used +for controller init. Added a USERCMD nvme_req(req)->rq_flags bit to +reflect this division and set it on ioctls requests. As the +nvmf_check_if_ready() routine is called prior to nvme_setup_cmd(), +ensure that commands allocated by the ioctl path (actually anything +in core.c) preps the nvme_req(req) before starting the io. This will +preserve the USERCMD flag during execution and/or retry. + +Signed-off-by: James Smart +Reviewed-by: Sagi Grimberg +Reviewed-by: Johannes Thumshirn +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 17 ++++++--- + drivers/nvme/host/fabrics.c | 79 ++++++++++++++++++++++++++++++++++++++++++++ + drivers/nvme/host/fabrics.h | 33 +----------------- + drivers/nvme/host/fc.c | 12 +----- + drivers/nvme/host/nvme.h | 1 + drivers/nvme/host/rdma.c | 14 +------ + drivers/nvme/target/loop.c | 11 +----- + 7 files changed, 101 insertions(+), 66 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -379,6 +379,15 @@ static void nvme_put_ns(struct nvme_ns * + kref_put(&ns->kref, nvme_free_ns); + } + ++static inline void nvme_clear_nvme_request(struct request *req) ++{ ++ if (!(req->rq_flags & RQF_DONTPREP)) { ++ nvme_req(req)->retries = 0; ++ nvme_req(req)->flags = 0; ++ req->rq_flags |= RQF_DONTPREP; ++ } ++} ++ + struct request *nvme_alloc_request(struct request_queue *q, + struct nvme_command *cmd, blk_mq_req_flags_t flags, int qid) + { +@@ -395,6 +404,7 @@ struct request *nvme_alloc_request(struc + return req; + + req->cmd_flags |= REQ_FAILFAST_DRIVER; ++ nvme_clear_nvme_request(req); + nvme_req(req)->cmd = cmd; + + return req; +@@ -611,11 +621,7 @@ blk_status_t nvme_setup_cmd(struct nvme_ + { + blk_status_t ret = BLK_STS_OK; + +- if (!(req->rq_flags & RQF_DONTPREP)) { +- nvme_req(req)->retries = 0; +- nvme_req(req)->flags = 0; +- req->rq_flags |= RQF_DONTPREP; +- } ++ nvme_clear_nvme_request(req); + + switch (req_op(req)) { + case REQ_OP_DRV_IN: +@@ -745,6 +751,7 @@ static int nvme_submit_user_cmd(struct r + return PTR_ERR(req); + + req->timeout = timeout ? timeout : ADMIN_TIMEOUT; ++ nvme_req(req)->flags |= NVME_REQ_USERCMD; + + if (ubuffer && bufflen) { + ret = blk_rq_map_user(q, req, NULL, ubuffer, bufflen, +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -536,6 +536,85 @@ static struct nvmf_transport_ops *nvmf_l + return NULL; + } + ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live, bool is_connected) ++{ ++ struct nvme_command *cmd = nvme_req(rq)->cmd; ++ ++ if (likely(ctrl->state == NVME_CTRL_LIVE && is_connected)) ++ return BLK_STS_OK; ++ ++ switch (ctrl->state) { ++ case NVME_CTRL_DELETING: ++ goto reject_io; ++ ++ case NVME_CTRL_NEW: ++ case NVME_CTRL_CONNECTING: ++ if (!is_connected) ++ /* ++ * This is the case of starting a new ++ * association but connectivity was lost ++ * before it was fully created. We need to ++ * error the commands used to initialize the ++ * controller so the reconnect can go into a ++ * retry attempt. The commands should all be ++ * marked REQ_FAILFAST_DRIVER, which will hit ++ * the reject path below. Anything else will ++ * be queued while the state settles. ++ */ ++ goto reject_or_queue_io; ++ ++ if ((queue_live && ++ !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) || ++ (!queue_live && blk_rq_is_passthrough(rq) && ++ cmd->common.opcode == nvme_fabrics_command && ++ cmd->fabrics.fctype == nvme_fabrics_type_connect)) ++ /* ++ * If queue is live, allow only commands that ++ * are internally generated pass through. These ++ * are commands on the admin queue to initialize ++ * the controller. This will reject any ioctl ++ * admin cmds received while initializing. ++ * ++ * If the queue is not live, allow only a ++ * connect command. This will reject any ioctl ++ * admin cmd as well as initialization commands ++ * if the controller reverted the queue to non-live. ++ */ ++ return BLK_STS_OK; ++ ++ /* ++ * fall-thru to the reject_or_queue_io clause ++ */ ++ break; ++ ++ /* these cases fall-thru ++ * case NVME_CTRL_LIVE: ++ * case NVME_CTRL_RESETTING: ++ */ ++ default: ++ break; ++ } ++ ++reject_or_queue_io: ++ /* ++ * Any other new io is something we're not in a state to send ++ * to the device. Default action is to busy it and retry it ++ * after the controller state is recovered. However, anything ++ * marked for failfast or nvme multipath is immediately failed. ++ * Note: commands used to initialize the controller will be ++ * marked for failfast. ++ * Note: nvme cli/ioctl commands are marked for failfast. ++ */ ++ if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) ++ return BLK_STS_RESOURCE; ++ ++reject_io: ++ nvme_req(rq)->status = NVME_SC_ABORT_REQ; ++ return BLK_STS_IOERR; ++} ++EXPORT_SYMBOL_GPL(nvmf_check_if_ready); ++ + static const match_table_t opt_tokens = { + { NVMF_OPT_TRANSPORT, "transport=%s" }, + { NVMF_OPT_TRADDR, "traddr=%s" }, +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -157,36 +157,7 @@ void nvmf_unregister_transport(struct nv + void nvmf_free_options(struct nvmf_ctrl_options *opts); + int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size); + bool nvmf_should_reconnect(struct nvme_ctrl *ctrl); +- +-static inline blk_status_t nvmf_check_init_req(struct nvme_ctrl *ctrl, +- struct request *rq) +-{ +- struct nvme_command *cmd = nvme_req(rq)->cmd; +- +- /* +- * We cannot accept any other command until the connect command has +- * completed, so only allow connect to pass. +- */ +- if (!blk_rq_is_passthrough(rq) || +- cmd->common.opcode != nvme_fabrics_command || +- cmd->fabrics.fctype != nvme_fabrics_type_connect) { +- /* +- * Connecting state means transport disruption or initial +- * establishment, which can take a long time and even might +- * fail permanently, fail fast to give upper layers a chance +- * to failover. +- * Deleting state means that the ctrl will never accept commands +- * again, fail it permanently. +- */ +- if (ctrl->state == NVME_CTRL_CONNECTING || +- ctrl->state == NVME_CTRL_DELETING) { +- nvme_req(rq)->status = NVME_SC_ABORT_REQ; +- return BLK_STS_IOERR; +- } +- return BLK_STS_RESOURCE; /* try again later */ +- } +- +- return BLK_STS_OK; +-} ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, ++ struct request *rq, bool queue_live, bool is_connected); + + #endif /* _NVME_FABRICS_H */ +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2284,14 +2284,6 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + return BLK_STS_OK; + } + +-static inline blk_status_t nvme_fc_is_ready(struct nvme_fc_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_FC_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t + nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) +@@ -2307,7 +2299,9 @@ nvme_fc_queue_rq(struct blk_mq_hw_ctx *h + u32 data_len; + blk_status_t ret; + +- ret = nvme_fc_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_FC_Q_LIVE, &queue->flags), ++ ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE); + if (unlikely(ret)) + return ret; + +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -109,6 +109,7 @@ struct nvme_request { + + enum { + NVME_REQ_CANCELLED = (1 << 0), ++ NVME_REQ_USERCMD = (1 << 1), + }; + + static inline struct nvme_request *nvme_req(struct request *req) +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1594,17 +1594,6 @@ nvme_rdma_timeout(struct request *rq, bo + return BLK_EH_HANDLED; + } + +-/* +- * We cannot accept any other command until the Connect command has completed. +- */ +-static inline blk_status_t +-nvme_rdma_is_ready(struct nvme_rdma_queue *queue, struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_RDMA_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -1620,7 +1609,8 @@ static blk_status_t nvme_rdma_queue_rq(s + + WARN_ON_ONCE(rq->tag < 0); + +- ret = nvme_rdma_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_RDMA_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -149,14 +149,6 @@ nvme_loop_timeout(struct request *rq, bo + return BLK_EH_HANDLED; + } + +-static inline blk_status_t nvme_loop_is_ready(struct nvme_loop_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_LOOP_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -166,7 +158,8 @@ static blk_status_t nvme_loop_queue_rq(s + struct nvme_loop_iod *iod = blk_mq_rq_to_pdu(req); + blk_status_t ret; + +- ret = nvme_loop_is_ready(queue, req); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, req, ++ test_bit(NVME_LOOP_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + diff --git a/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch b/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch new file mode 100644 index 00000000000..6671589c54b --- /dev/null +++ b/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Jarosław Janik" +Date: Sun, 11 Mar 2018 19:51:56 +0100 +Subject: nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A + +From: "Jarosław Janik" + +[ Upstream commit 467c77d4cbefaaf65e2f44fe102d543a52fcae5b ] + +Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard +combination. 960 EVO device disappears from PCIe bus within few minutes +after boot-up when APST is in use and never gets back. Forcing +NVME_QUIRK_NO_APST is the only way to make this drive work with this +particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading +motherboard's BIOS didn't help either. +Since this is a desktop motherboard, the only drawback of not using APST +is increased device temperature. + +Signed-off-by: Jarosław Janik +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2470,10 +2470,13 @@ static unsigned long check_vendor_combin + } else if (pdev->vendor == 0x144d && pdev->device == 0xa804) { + /* + * Samsung SSD 960 EVO drops off the PCIe bus after system +- * suspend on a Ryzen board, ASUS PRIME B350M-A. ++ * suspend on a Ryzen board, ASUS PRIME B350M-A, as well as ++ * within few minutes after bootup on a Coffee Lake board - ++ * ASUS PRIME Z370-A + */ + if (dmi_match(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC.") && +- dmi_match(DMI_BOARD_NAME, "PRIME B350M-A")) ++ (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") || ++ dmi_match(DMI_BOARD_NAME, "PRIME Z370-A"))) + return NVME_QUIRK_NO_APST; + } + diff --git a/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch b/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch new file mode 100644 index 00000000000..1a2a1005f7b --- /dev/null +++ b/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: James Smart +Date: Wed, 28 Feb 2018 14:49:10 -0800 +Subject: nvme_fc: fix abort race on teardown with lld reject + +From: James Smart + +[ Upstream commit b12740d316fa89f3f6191b71f986cf3b9383d379 ] + +Another abort race: An io request is started, becomes active, +and is attempted to be started with the lldd. At the same time +the controller is stopped/torndown and an itterator is run to +abort the ios. As the io is active, it is added to the outstanding +aborted io count. However on the original io request thread, the +driver ends up rejecting the io due to the condition that induced +the controller teardown. The driver reject path didn't check whether +it was in the outstanding io count. This left the count outstanding +stopping controller teardown. + +Correct by, in the driver reject case, setting the state to +inactive and checking whether it was in the outstanding io count. + +Signed-off-by: James Smart +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2191,7 +2191,7 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + struct nvme_fc_cmd_iu *cmdiu = &op->cmd_iu; + struct nvme_command *sqe = &cmdiu->sqe; + u32 csn; +- int ret; ++ int ret, opstate; + + /* + * before attempting to send the io, check to see if we believe +@@ -2269,6 +2269,9 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + queue->lldd_handle, &op->fcp_req); + + if (ret) { ++ opstate = atomic_xchg(&op->state, FCPOP_STATE_COMPLETE); ++ __nvme_fc_fcpop_chk_teardowns(ctrl, op, opstate); ++ + if (!(op->flags & FCOP_FLAGS_AEN)) + nvme_fc_unmap_data(ctrl, op->rq, op); + diff --git a/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch b/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch new file mode 100644 index 00000000000..29661f6a039 --- /dev/null +++ b/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch @@ -0,0 +1,133 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Jun Piao +Date: Thu, 5 Apr 2018 16:18:48 -0700 +Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown + +From: Jun Piao + +[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ] + +We should not handle migrate lockres if we are already in +'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving +dlm domain. At last other nodes will get stuck into infinite loop when +requsting lock from us. + +The problem is caused by concurrency umount between nodes. Before +receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the +migrate target. So N2 will continue sending lockres to N1 even though +N1 has left domain. + + N1 N2 (owner) + touch file + + access the file, + and get pr lock + + begin leave domain and + pick up N1 as new owner + + begin leave domain and + migrate all lockres done + + begin migrate lockres to N1 + + end leave domain, but + the lockres left + unexpectedly, because + migrate task has passed + +[piaojun@huawei.com: v3] + Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com +Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlm/dlmdomain.c | 14 -------------- + fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++- + fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++ + 3 files changed, 33 insertions(+), 15 deletions(-) + +--- a/fs/ocfs2/dlm/dlmdomain.c ++++ b/fs/ocfs2/dlm/dlmdomain.c +@@ -675,20 +675,6 @@ static void dlm_leave_domain(struct dlm_ + spin_unlock(&dlm->spinlock); + } + +-int dlm_shutting_down(struct dlm_ctxt *dlm) +-{ +- int ret = 0; +- +- spin_lock(&dlm_domain_lock); +- +- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) +- ret = 1; +- +- spin_unlock(&dlm_domain_lock); +- +- return ret; +-} +- + void dlm_unregister_domain(struct dlm_ctxt *dlm) + { + int leave = 0; +--- a/fs/ocfs2/dlm/dlmdomain.h ++++ b/fs/ocfs2/dlm/dlmdomain.h +@@ -28,7 +28,30 @@ + extern spinlock_t dlm_domain_lock; + extern struct list_head dlm_domains; + +-int dlm_shutting_down(struct dlm_ctxt *dlm); ++static inline int dlm_joined(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_JOINED) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ ++static inline int dlm_shutting_down(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ + void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, + int node_num); + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net + if (!dlm_grab(dlm)) + return -EINVAL; + ++ if (!dlm_joined(dlm)) { ++ mlog(ML_ERROR, "Domain %s not joined! " ++ "lockres %.*s, master %u\n", ++ dlm->name, mres->lockname_len, ++ mres->lockname, mres->master); ++ dlm_put(dlm); ++ return -EINVAL; ++ } ++ + BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); + + real_master = mres->master; diff --git a/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch b/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch new file mode 100644 index 00000000000..6594548774f --- /dev/null +++ b/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Helge Deller +Date: Sun, 25 Mar 2018 14:04:22 +0200 +Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode + +From: Helge Deller + +[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ] + +Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy +I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card. + +To avoid such instability, this patch switches the LBA PCI bus from Hard Fail +mode into Soft Fail mode. In this mode the bus will return -1UL for timed out +MMIO transactions, which is exactly how the x86 (and most other architectures) +PCI busses behave. + +This patch is based on a proposal by Grant Grundler and Kyle McMartin 10 +years ago: +https://www.spinics.net/lists/linux-parisc/msg01027.html + +Cc: Carlo Pisani +Cc: Kyle McMartin +Reviewed-by: Grant Grundler +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/lba_pci.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1403,9 +1403,27 @@ lba_hw_init(struct lba_device *d) + WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG); + } + +- /* Set HF mode as the default (vs. -1 mode). */ ++ ++ /* ++ * Hard Fail vs. Soft Fail on PCI "Master Abort". ++ * ++ * "Master Abort" means the MMIO transaction timed out - usually due to ++ * the device not responding to an MMIO read. We would like HF to be ++ * enabled to find driver problems, though it means the system will ++ * crash with a HPMC. ++ * ++ * In SoftFail mode "~0L" is returned as a result of a timeout on the ++ * pci bus. This is like how PCI busses on x86 and most other ++ * architectures behave. In order to increase compatibility with ++ * existing (x86) PCI hardware and existing Linux drivers we enable ++ * Soft Faul mode on PA-RISC now too. ++ */ + stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); ++#if defined(ENABLE_HARDFAIL) + WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#else ++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#endif + + /* + ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal diff --git a/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch b/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch new file mode 100644 index 00000000000..3efbc84a67b --- /dev/null +++ b/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Thomas Vincent-Cross +Date: Tue, 27 Feb 2018 20:20:36 +1100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 + +From: Thomas Vincent-Cross + +[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ] + +Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Signed-off-by: Thomas Vincent-Cross +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3903,6 +3903,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); diff --git a/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch b/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch new file mode 100644 index 00000000000..9c341cf4abc --- /dev/null +++ b/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch @@ -0,0 +1,87 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Rafael J. Wysocki" +Date: Sat, 3 Mar 2018 10:53:24 +0100 +Subject: PCI: Restore config space on runtime resume despite being unbound + +From: "Rafael J. Wysocki" + +[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ] + +We leave PCI devices not bound to a driver in D0 during runtime suspend. +But they may have a parent which is bound and can be transitioned to +D3cold at runtime. Once the parent goes to D3cold, the unbound child +may go to D3cold as well. When the child goes to D3cold, its internal +state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. + +One example are recent hybrid graphics laptops which cut power to the +discrete GPU when the root port above it goes to ACPI power state D3. +Users may provoke this by unbinding the GPU driver and allowing runtime +PM on the GPU via sysfs: The PM core will then treat the GPU as +"suspended", which in turn allows the root port to runtime suspend, +causing the power resources listed in its _PR3 object to be powered off. +The GPU's BARs will be uninitialized when a driver later probes it. + +Another example are hybrid graphics laptops where the GPU itself (rather +than the root port) is capable of runtime suspending to D3cold. If the +GPU's integrated HDA controller is not bound and the GPU's driver +decides to runtime suspend to D3cold, the HDA controller's BARs will be +uninitialized when a driver later probes it. + +Fix by saving and restoring config space over a runtime suspend cycle +even if the device is not bound. + +Acked-by: Bjorn Helgaas +Tested-by: Peter Wu # Nvidia Optimus +Tested-by: Lukas Wunner # MacBook Pro +Signed-off-by: Rafael J. Wysocki +[lukas: add commit message, bikeshed code comments for clarity] +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1225,11 +1225,14 @@ static int pci_pm_runtime_suspend(struct + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1277,16 +1280,18 @@ static int pci_pm_runtime_resume(struct + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + pci_enable_wake(pci_dev, PCI_D0, false); + pci_fixup_device(pci_fixup_resume, pci_dev); diff --git a/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch b/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch new file mode 100644 index 00000000000..7cb96ee7cf2 --- /dev/null +++ b/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Rafael J. Wysocki" +Date: Wed, 21 Feb 2018 13:24:16 +0100 +Subject: PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle + +From: "Rafael J. Wysocki" + +[ Upstream commit dbdd0f58fd2cdde5cf945c9da67a2d52d32ba550 ] + +There is a problem with PCMCIA system resume callbacks with respect +to suspend-to-idle in which the ->suspend_noirq() callback may be +invoked after the ->resume_noirq() one without resuming the system +entirely in some cases. This doesn't work for PCMCIA because of +the lack of symmetry between its system suspend and system resume +"noirq" callbacks. + +The system resume handling in PCMCIA is split between +socket_early_resume() and socket_late_resume() which are called in +different phases of system resume and both need to run for +socket_suspend() (invoked by the system suspend "noirq" callback) +to work. Specifically, socket_suspend() returns an error when +called after socket_early_resume() without socket_late_resume(), +so if the suspend-to-idle core detects a spurious wakeup event and +attempts to put the system back to sleep, that is aborted by the +error coming from socket_suspend(). + +Avoid that by using a new socket state flag, SOCKET_IN_RESUME, +to indicate that socket_early_resume() has already run for the +socket in which case socket_suspend() will do minimum handling +and return 0. + +This change has been tested on my venerable Toshiba Portege R500 +(which is where the problem has been discovered in the first place), +but admittedly I have no PCMCIA cards to test along with the socket +itself. + +Fixes: 33e4f80ee69b (ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle) +Signed-off-by: Rafael J. Wysocki +[linux@dominikbrodowski.net: follow same codepaths for both suspend variants; call ->suspend()] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/cs.c | 10 +++++++--- + drivers/pcmcia/cs_internal.h | 1 + + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -452,17 +452,20 @@ static int socket_insert(struct pcmcia_s + + static int socket_suspend(struct pcmcia_socket *skt) + { +- if (skt->state & SOCKET_SUSPEND) ++ if ((skt->state & SOCKET_SUSPEND) && !(skt->state & SOCKET_IN_RESUME)) + return -EBUSY; + + mutex_lock(&skt->ops_mutex); +- skt->suspended_state = skt->state; ++ /* store state on first suspend, but not after spurious wakeups */ ++ if (!(skt->state & SOCKET_IN_RESUME)) ++ skt->suspended_state = skt->state; + + skt->socket = dead_socket; + skt->ops->set_socket(skt, &skt->socket); + if (skt->ops->suspend) + skt->ops->suspend(skt); + skt->state |= SOCKET_SUSPEND; ++ skt->state &= ~SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -475,6 +478,7 @@ static int socket_early_resume(struct pc + skt->ops->set_socket(skt, &skt->socket); + if (skt->state & SOCKET_PRESENT) + skt->resume_status = socket_setup(skt, resume_delay); ++ skt->state |= SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -484,7 +488,7 @@ static int socket_late_resume(struct pcm + int ret = 0; + + mutex_lock(&skt->ops_mutex); +- skt->state &= ~SOCKET_SUSPEND; ++ skt->state &= ~(SOCKET_SUSPEND | SOCKET_IN_RESUME); + mutex_unlock(&skt->ops_mutex); + + if (!(skt->state & SOCKET_PRESENT)) { +--- a/drivers/pcmcia/cs_internal.h ++++ b/drivers/pcmcia/cs_internal.h +@@ -70,6 +70,7 @@ struct pccard_resource_ops { + /* Flags in socket state */ + #define SOCKET_PRESENT 0x0008 + #define SOCKET_INUSE 0x0010 ++#define SOCKET_IN_RESUME 0x0040 + #define SOCKET_SUSPEND 0x0080 + #define SOCKET_WIN_REQ(i) (0x0100<<(i)) + #define SOCKET_CARDBUS 0x8000 diff --git a/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch b/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch new file mode 100644 index 00000000000..c148a5b1884 --- /dev/null +++ b/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch @@ -0,0 +1,122 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:18 +0530 +Subject: perf clang: Add support for recent clang versions + +From: Sandipan Das + +[ Upstream commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd ] + +The clang API calls used by perf have changed in recent releases and +builds succeed with libclang-3.9 only. This introduces compatibility +with libclang-4.0 and above. + +Without this patch, we will see the following compilation errors with +libclang-4.0+: + + util/c++/clang.cpp: In function ‘clang::CompilerInvocation* perf::createCompilerInvocation(llvm::opt::ArgStringList, llvm::StringRef&, clang::DiagnosticsEngine&)’: + util/c++/clang.cpp:62:33: error: ‘IK_C’ was not declared in this scope + Opts.Inputs.emplace_back(Path, IK_C); + ^~~~ + util/c++/clang.cpp: In function ‘std::unique_ptr perf::getModuleFromSource(llvm::opt::ArgStringList, llvm::StringRef, llvm::IntrusiveRefCntPtr)’: + util/c++/clang.cpp:75:26: error: no matching function for call to ‘clang::CompilerInstance::setInvocation(clang::CompilerInvocation*)’ + Clang.setInvocation(&*CI); + ^ + In file included from util/c++/clang.cpp:14:0: + /usr/include/clang/Frontend/CompilerInstance.h:231:8: note: candidate: void clang::CompilerInstance::setInvocation(std::shared_ptr) + void setInvocation(std::shared_ptr Value); + ^~~~~~~~~~~~~ + +Committer testing: + +Tested on Fedora 27 after installing the clang-devel and llvm-devel +packages, versions: + + # rpm -qa | egrep llvm\|clang + llvm-5.0.1-6.fc27.x86_64 + clang-libs-5.0.1-5.fc27.x86_64 + clang-5.0.1-5.fc27.x86_64 + clang-tools-extra-5.0.1-5.fc27.x86_64 + llvm-libs-5.0.1-6.fc27.x86_64 + llvm-devel-5.0.1-6.fc27.x86_64 + clang-devel-5.0.1-5.fc27.x86_64 + # + +Make sure you don't have some older version lying around in /usr/local, +etc, then: + + $ make LIBCLANGLLVM=1 -C tools/perf install-bin + +And in the end perf will be linked agains these libraries: + + # ldd ~/bin/perf | egrep -i llvm\|clang + libclangAST.so.5 => /lib64/libclangAST.so.5 (0x00007f8bb2eb4000) + libclangBasic.so.5 => /lib64/libclangBasic.so.5 (0x00007f8bb29e3000) + libclangCodeGen.so.5 => /lib64/libclangCodeGen.so.5 (0x00007f8bb23f7000) + libclangDriver.so.5 => /lib64/libclangDriver.so.5 (0x00007f8bb2060000) + libclangFrontend.so.5 => /lib64/libclangFrontend.so.5 (0x00007f8bb1d06000) + libclangLex.so.5 => /lib64/libclangLex.so.5 (0x00007f8bb1a3e000) + libclangTooling.so.5 => /lib64/libclangTooling.so.5 (0x00007f8bb17d4000) + libclangEdit.so.5 => /lib64/libclangEdit.so.5 (0x00007f8bb15c5000) + libclangSema.so.5 => /lib64/libclangSema.so.5 (0x00007f8bb0cc9000) + libclangAnalysis.so.5 => /lib64/libclangAnalysis.so.5 (0x00007f8bb0a23000) + libclangParse.so.5 => /lib64/libclangParse.so.5 (0x00007f8bb0725000) + libclangSerialization.so.5 => /lib64/libclangSerialization.so.5 (0x00007f8bb039a000) + libLLVM-5.0.so => /lib64/libLLVM-5.0.so (0x00007f8bace98000) + libclangASTMatchers.so.5 => /lib64/../lib64/libclangASTMatchers.so.5 (0x00007f8bab735000) + libclangFormat.so.5 => /lib64/../lib64/libclangFormat.so.5 (0x00007f8bab4b2000) + libclangRewrite.so.5 => /lib64/../lib64/libclangRewrite.so.5 (0x00007f8bab2a1000) + libclangToolingCore.so.5 => /lib64/../lib64/libclangToolingCore.so.5 (0x00007f8bab08e000) + # + +Signed-off-by: Sandipan Das +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: 00b86691c77c ("perf clang: Add builtin clang support ant test case") +Link: http://lkml.kernel.org/r/20180404180419.19056-2-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/c++/clang.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/c++/clang.cpp ++++ b/tools/perf/util/c++/clang.cpp +@@ -9,6 +9,7 @@ + * Copyright (C) 2016 Huawei Inc. + */ + ++#include "clang/Basic/Version.h" + #include "clang/CodeGen/CodeGenAction.h" + #include "clang/Frontend/CompilerInvocation.h" + #include "clang/Frontend/CompilerInstance.h" +@@ -58,7 +59,8 @@ createCompilerInvocation(llvm::opt::ArgS + + FrontendOptions& Opts = CI->getFrontendOpts(); + Opts.Inputs.clear(); +- Opts.Inputs.emplace_back(Path, IK_C); ++ Opts.Inputs.emplace_back(Path, ++ FrontendOptions::getInputKindForExtension("c")); + return CI; + } + +@@ -71,10 +73,17 @@ getModuleFromSource(llvm::opt::ArgString + + Clang.setVirtualFileSystem(&*VFS); + ++#if CLANG_VERSION_MAJOR < 4 + IntrusiveRefCntPtr CI = + createCompilerInvocation(std::move(CFlags), Path, + Clang.getDiagnostics()); + Clang.setInvocation(&*CI); ++#else ++ std::shared_ptr CI( ++ createCompilerInvocation(std::move(CFlags), Path, ++ Clang.getDiagnostics())); ++ Clang.setInvocation(CI); ++#endif + + std::unique_ptr Act(new EmitLLVMOnlyAction(&*LLVMCtx)); + if (!Clang.ExecuteAction(*Act)) diff --git a/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch b/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch new file mode 100644 index 00000000000..de9e6079a4a --- /dev/null +++ b/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch @@ -0,0 +1,112 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "leilei.lin" +Date: Tue, 6 Mar 2018 17:36:37 +0800 +Subject: perf/core: Fix installing cgroup events on CPU + +From: "leilei.lin" + +[ Upstream commit 33801b94741d6c3be9713c10aa627477216c21e2 ] + +There's two problems when installing cgroup events on CPUs: firstly +list_update_cgroup_event() only tries to set cpuctx->cgrp for the +first event, if that mismatches on @cgrp we'll not try again for later +additions. + +Secondly, when we install a cgroup event into an active context, only +issue an event reprogram when the event matches the current cgroup +context. This avoids a pointless event reprogramming. + +Signed-off-by: leilei.lin +[ Improved the changelog and comments. ] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: brendan.d.gregg@gmail.com +Cc: eranian@gmail.com +Cc: linux-kernel@vger.kernel.org +Cc: yang_oliver@hotmail.com +Link: http://lkml.kernel.org/r/20180306093637.28247-1-linxiulei@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 46 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -948,27 +948,39 @@ list_update_cgroup_event(struct perf_eve + if (!is_cgroup_event(event)) + return; + +- if (add && ctx->nr_cgroups++) +- return; +- else if (!add && --ctx->nr_cgroups) +- return; + /* + * Because cgroup events are always per-cpu events, + * this will always be called from the right CPU. + */ + cpuctx = __get_cpu_context(ctx); +- cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; +- /* cpuctx->cgrp is NULL unless a cgroup event is active in this CPU .*/ +- if (add) { ++ ++ /* ++ * Since setting cpuctx->cgrp is conditional on the current @cgrp ++ * matching the event's cgroup, we must do this for every new event, ++ * because if the first would mismatch, the second would not try again ++ * and we would leave cpuctx->cgrp unset. ++ */ ++ if (add && !cpuctx->cgrp) { + struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); + +- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); + if (cgroup_is_descendant(cgrp->css.cgroup, event->cgrp->css.cgroup)) + cpuctx->cgrp = cgrp; +- } else { +- list_del(cpuctx_entry); +- cpuctx->cgrp = NULL; + } ++ ++ if (add && ctx->nr_cgroups++) ++ return; ++ else if (!add && --ctx->nr_cgroups) ++ return; ++ ++ /* no cgroup running */ ++ if (!add) ++ cpuctx->cgrp = NULL; ++ ++ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; ++ if (add) ++ list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); ++ else ++ list_del(cpuctx_entry); + } + + #else /* !CONFIG_CGROUP_PERF */ +@@ -2328,6 +2340,18 @@ static int __perf_install_in_context(vo + raw_spin_lock(&task_ctx->lock); + } + ++#ifdef CONFIG_CGROUP_PERF ++ if (is_cgroup_event(event)) { ++ /* ++ * If the current cgroup doesn't match the event's ++ * cgroup, we should not try to schedule it. ++ */ ++ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); ++ reprogram = cgroup_is_descendant(cgrp->css.cgroup, ++ event->cgrp->css.cgroup); ++ } ++#endif ++ + if (reprogram) { + ctx_sched_out(ctx, cpuctx, EVENT_TIME); + add_event_to_ctx(event, ctx); diff --git a/queue-4.16/perf-core-fix-perf_output_read_group.patch b/queue-4.16/perf-core-fix-perf_output_read_group.patch new file mode 100644 index 00000000000..31391a2a28e --- /dev/null +++ b/queue-4.16/perf-core-fix-perf_output_read_group.patch @@ -0,0 +1,78 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Peter Zijlstra +Date: Fri, 9 Mar 2018 12:52:04 +0100 +Subject: perf/core: Fix perf_output_read_group() + +From: Peter Zijlstra + +[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ] + +Mark reported his arm64 perf fuzzer runs sometimes splat like: + + armv8pmu_read_counter+0x1e8/0x2d8 + armpmu_event_update+0x8c/0x188 + armpmu_read+0xc/0x18 + perf_output_read+0x550/0x11e8 + perf_event_read_event+0x1d0/0x248 + perf_event_exit_task+0x468/0xbb8 + do_exit+0x690/0x1310 + do_group_exit+0xd0/0x2b0 + get_signal+0x2e8/0x17a8 + do_signal+0x144/0x4f8 + do_notify_resume+0x148/0x1e8 + work_pending+0x8/0x14 + +which asserts that we only call pmu::read() on ACTIVE events. + +The above callchain does: + + perf_event_exit_task() + perf_event_exit_task_context() + task_ctx_sched_out() // INACTIVE + perf_event_exit_event() + perf_event_set_state(EXIT) // EXIT + sync_child_event() + perf_event_read_event() + perf_output_read() + perf_output_read_group() + leader->pmu->read() + +Which results in doing a pmu::read() on an !ACTIVE event. + +I _think_ this is 'new' since we added attr.inherit_stat, which added +the perf_event_read_event() to the exit path, without that +perf_event_read_output() would only trigger from samples and for +@event to trigger a sample, it's leader _must_ be ACTIVE too. + +Still, adding this check makes it consistent with the @sub case for +the siblings. + +Reported-and-Tested-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5770,7 +5770,8 @@ static void perf_output_read_group(struc + if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + values[n++] = running; + +- if (leader != event) ++ if ((leader != event) && ++ (leader->state == PERF_EVENT_STATE_ACTIVE)) + leader->pmu->read(leader); + + values[n++] = perf_event_count(leader); diff --git a/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch b/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch new file mode 100644 index 00000000000..5082b33a3f2 --- /dev/null +++ b/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Kan Liang +Date: Mon, 26 Mar 2018 09:42:09 -0400 +Subject: perf mmap: Fix accessing unmapped mmap in perf_mmap__read_done() + +From: Kan Liang + +[ Upstream commit f58385f629c87a9e210108b39c1f4950d0363ad2 ] + +There is a segmentation fault when running 'perf trace'. For example: + + [root@jouet e]# perf trace -e *chdir -o /tmp/bla perf report --ignore-vmlinux -i ../perf.data + +The perf_mmap__consume() could unmap the mmap. It needs to check the +refcnt in perf_mmap__read_done(). + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Kan Liang +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: ee023de05f35 ("perf mmap: Introduce perf_mmap__read_done()") +Link: http://lkml.kernel.org/r/1522071729-16776-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/mmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/tools/perf/util/mmap.c ++++ b/tools/perf/util/mmap.c +@@ -344,5 +344,11 @@ out: + */ + void perf_mmap__read_done(struct perf_mmap *map) + { ++ /* ++ * Check if event was unmapped due to a POLLHUP/POLLERR. ++ */ ++ if (!refcount_read(&map->refcnt)) ++ return; ++ + map->prev = perf_mmap__read_head(map); + } diff --git a/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch b/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch new file mode 100644 index 00000000000..27df9a8e77e --- /dev/null +++ b/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch @@ -0,0 +1,101 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jiri Olsa +Date: Fri, 16 Feb 2018 13:36:19 +0100 +Subject: perf report: Fix memory corruption in --branch-history mode --branch-history + +From: Jiri Olsa + +[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ] + +Jin Yao reported memory corrupton in perf report with +branch info used for stack trace: + + > Following command lines will cause perf crash. + + > perf record -j call -g -a + > perf report --branch-history + > + > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 *** + > ======= Backtrace: ========= + > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725] + > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a] + > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc] + > perf[0x51b914] + > perf(hist_entry_iter__add+0x1e5)[0x51f305] + > perf[0x43cf01] + > perf[0x4fa3bf] + > perf[0x4fa923] + > perf[0x4fd396] + > perf[0x4f9614] + > perf(perf_session__process_events+0x89e)[0x4fc38e] + > perf(cmd_report+0x15d2)[0x43f202] + > perf[0x4a059f] + > perf(main+0x631)[0x427b71] + > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830] + > perf(_start+0x29)[0x427d89] + +For the cumulative output, we allocate the he_cache array based on the +--max-stack option value and populate it with data from 'callchain_cursor'. + +The --max-stack option value does not ensure now the limit for number of +callchain_cursor nodes, so the cumulative iter code will allocate smaller array +than it's actually needed and cause above corruption. + +I think the --max-stack limit does not apply here anyway, because we add +callchain data as normal hist entries, while the --max-stack control the limit +of single entry callchain depth. + +Using the callchain_cursor.nr as he_cache array count to fix this. Also +removing struct hist_entry_iter::max_stack, because there's no longer any use +for it. + +We need more fixes to ensure that the branch stack code follows properly the +logic of --max-stack, which is not the case at the moment. + +Original-patch-by: Jin Yao +Signed-off-by: Jiri Olsa +Reported-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/hist.c | 4 +--- + tools/perf/util/hist.h | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -879,7 +879,7 @@ iter_prepare_cumulative_entry(struct his + * cumulated only one time to prevent entries more than 100% + * overhead. + */ +- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); ++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); + if (he_cache == NULL) + return -ENOMEM; + +@@ -1045,8 +1045,6 @@ int hist_entry_iter__add(struct hist_ent + if (err) + return err; + +- iter->max_stack = max_stack_depth; +- + err = iter->ops->prepare_entry(iter, al); + if (err) + goto out; +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -107,7 +107,6 @@ struct hist_entry_iter { + int curr; + + bool hide_unresolved; +- int max_stack; + + struct perf_evsel *evsel; + struct perf_sample *sample; diff --git a/queue-4.16/perf-report-fix-wrong-jump-arrow.patch b/queue-4.16/perf-report-fix-wrong-jump-arrow.patch new file mode 100644 index 00000000000..cf2afa795a1 --- /dev/null +++ b/queue-4.16/perf-report-fix-wrong-jump-arrow.patch @@ -0,0 +1,124 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jin Yao +Date: Mon, 29 Jan 2018 18:57:53 +0800 +Subject: perf report: Fix wrong jump arrow + +From: Jin Yao + +[ Upstream commit b40982e8468b46b8f7f5bba5a7e541ec04a29d7d ] + +When we use perf report interactive annotate view, we can see +the position of jump arrow is not correct. For example, + +1. perf record -b ... +2. perf report +3. In interactive mode, select Annotate 'function' + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.4┌── 1 ↓ je 82 + │ │ x += x / y + y / x; + 0.00 │0.4│ 1310 movsd (%rsp),%xmm0 + 0.00 │0.4│ 565 movsd 0x8(%rsp),%xmm4 + │0.4│ movsd 0x8(%rsp),%xmm1 + │0.4│ movsd (%rsp),%xmm3 + │0.4│ divsd %xmm4,%xmm0 + 0.00 │0.4│ 579 divsd %xmm3,%xmm1 + │0.4│ movsd (%rsp),%xmm2 + │0.4│ addsd %xmm1,%xmm0 + │0.4│ addsd %xmm2,%xmm0 + 0.00 │0.4│ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.4└─→ 82: sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +The jump arrow in above example is not correct. It should add the +width of IPC and Cycle. + +With this patch, the result is: + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.48 1 ┌──je 82 + │ │ x += x / y + y / x; + 0.00 │0.48 1310 │ movsd (%rsp),%xmm0 + 0.00 │0.48 565 │ movsd 0x8(%rsp),%xmm4 + │0.48 │ movsd 0x8(%rsp),%xmm1 + │0.48 │ movsd (%rsp),%xmm3 + │0.48 │ divsd %xmm4,%xmm0 + 0.00 │0.48 579 │ divsd %xmm3,%xmm1 + │0.48 │ movsd (%rsp),%xmm2 + │0.48 │ addsd %xmm1,%xmm0 + │0.48 │ addsd %xmm2,%xmm0 + 0.00 │0.48 │ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.48 82:└─→sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +Committer notes: + +Please note that only from LBRv5 (according to Jiri) onwards, i.e. >= +Skylake is that we'll have the cycles counts in each branch record +entry, so to see the Cycles and IPC columns, and be able to test this +patch, one need a capable hardware. + +While applying this I first tested it on a Broadwell class machine and +couldn't get those columns, will add code to the annotate browser to +warn the user about that, i.e. you have branch records, but no cycles, +use a more recent hardware to get the cycles and IPC columns. + +Signed-off-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1517223473-14750-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/ui/browsers/annotate.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -319,6 +319,7 @@ static void annotate_browser__draw_curre + struct map_symbol *ms = ab->b.priv; + struct symbol *sym = ms->sym; + u8 pcnt_width = annotate_browser__pcnt_width(ab); ++ int width = 0; + + /* PLT symbols contain external offsets */ + if (strstr(sym->name, "@plt")) +@@ -365,13 +366,17 @@ static void annotate_browser__draw_curre + to = (u64)btarget->idx; + } + ++ if (ab->have_cycles) ++ width = IPC_WIDTH + CYCLES_WIDTH; ++ + ui_browser__set_color(browser, HE_COLORSET_JUMP_ARROWS); +- __ui_browser__line_arrow(browser, pcnt_width + 2 + ab->addr_width, ++ __ui_browser__line_arrow(browser, ++ pcnt_width + 2 + ab->addr_width + width, + from, to); + + if (is_fused(ab, cursor)) { + ui_browser__mark_fused(browser, +- pcnt_width + 3 + ab->addr_width, ++ pcnt_width + 3 + ab->addr_width + width, + from - 1, + to > from ? true : false); + } diff --git a/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch b/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch new file mode 100644 index 00000000000..8fba2e5fcbb --- /dev/null +++ b/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch @@ -0,0 +1,116 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Thomas Richter +Date: Thu, 8 Mar 2018 15:57:35 +0100 +Subject: perf stat: Fix core dump when flag T is used + +From: Thomas Richter + +[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ] + +Executing command 'perf stat -T -- ls' dumps core on x86 and s390. + +Here is the call back chain (done on x86): + + # gdb ./perf + .... + (gdb) r stat -T -- ls +... +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 +(gdb) where + #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 + #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6 + #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233 + #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930) at util/parse-events.c:1288 + #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580, + scanner=0xbf4210) at util/parse-events.y:234 + #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", + parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673 + #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0) + at util/parse-events.c:1713 + #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281 + #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at + builtin-stat.c:2828 + #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 , argc=4, + argv=0x7fffffffe3b0) at perf.c:297 + #10 0x00000000004c8d7c in handle_internal_command (argc=4, + argv=0x7fffffffe3b0) at perf.c:349 + #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c, + argv=0x7fffffffe200) at perf.c:393 + #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537 +(gdb) + +It turns out that a NULL pointer is referenced. Here are the +function calls: + + ... + cmd_stat() + +---> add_default_attributes() + +---> parse_events(evsel_list, transaction_attrs, NULL); + 3rd parameter set to NULL + +Function parse_events(xx, xx, struct parse_events_error *err) dives +into a bison generated scanner and creates +parser state information for it first: + + struct parse_events_state parse_state = { + .list = LIST_HEAD_INIT(parse_state.list), + .idx = evlist->nr_entries, + .error = err, <--- NULL POINTER !!! + .evlist = evlist, + }; + +Now various functions inside the bison scanner are called to end up in +__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with +first parameter being a pointer to above structure definition. + +Now the PMU event name is not found (because being executed in a VM) and +this function tries to create an error message with + + asprintf(&parse_state->error.str, ....) + +which references a NULL pointer and dumps core. + +Fix this by providing a pointer to the necessary error information +instead of NULL. Technically only the else part is needed to avoid the +core dump, just lets be safe... + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-stat.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -2274,11 +2274,16 @@ static int add_default_attributes(void) + return 0; + + if (transaction_run) { ++ struct parse_events_error errinfo; ++ + if (pmu_have_event("cpu", "cycles-ct") && + pmu_have_event("cpu", "el-start")) +- err = parse_events(evsel_list, transaction_attrs, NULL); ++ err = parse_events(evsel_list, transaction_attrs, ++ &errinfo); + else +- err = parse_events(evsel_list, transaction_limited_attrs, NULL); ++ err = parse_events(evsel_list, ++ transaction_limited_attrs, ++ &errinfo); + if (err) { + fprintf(stderr, "Cannot set up transaction events\n"); + return -1; diff --git a/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch b/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch new file mode 100644 index 00000000000..4a24a473342 --- /dev/null +++ b/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Thomas Richter +Date: Wed, 14 Feb 2018 08:03:03 +0100 +Subject: perf test: Fix test case inet_pton to accept inlines. + +From: Thomas Richter + +[ Upstream commit 0f19a038afdc592176c9a302f0d08be6a68ad74a ] + +Using Fedora 27 and latest Linux kernel the test case +trace+probe_libc_inet_pton.sh fails again on s390. This time is the +inlining of functions which does not match. After an update of the +glibc (from 2.26-16 to 2.26-24) the output is different + +The expected output is: + + __inet_pton (/usr/lib64/libc-2.26.so) + gaih_inet (inlined) + .... + +The actual output is: + + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms + 0.000 probe_libc:inet_pton:(3ffb2140448)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + ... + +Fix this by being less strict on 'inlined' verses library name and +accept both + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180214070303.55757-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh ++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh +@@ -21,12 +21,12 @@ trace_libc_inet_pton_backtrace() { + expected[3]=".*packets transmitted.*" + expected[4]="rtt min.*" + expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)" +- expected[6]=".*inet_pton[[:space:]]\($libc\)$" ++ expected[6]=".*inet_pton[[:space:]]\($libc|inlined\)$" + case "$(uname -m)" in + s390x) + eventattr='call-graph=dwarf' +- expected[7]="gaih_inet[[:space:]]\(inlined\)$" +- expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$" ++ expected[7]="gaih_inet.*[[:space:]]\($libc|inlined\)$" ++ expected[8]="__GI_getaddrinfo[[:space:]]\($libc|inlined\)$" + expected[9]="main[[:space:]]\(.*/bin/ping.*\)$" + expected[10]="__libc_start_main[[:space:]]\($libc\)$" + expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$" diff --git a/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch b/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch new file mode 100644 index 00000000000..4712af4afcc --- /dev/null +++ b/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch @@ -0,0 +1,209 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jiri Olsa +Date: Tue, 6 Feb 2018 19:18:12 +0100 +Subject: perf tests: Fix dwarf unwind for stripped binaries + +From: Jiri Olsa + +[ Upstream commit fdf7c49c200d1b9909e2204cec5bd68b48605c71 ] + +When we strip the perf binary, dwarf unwind test stop +to work. The reason is that strip will remove static +function symbols, which we need to check for unwind. + +This change will keep this test working in cases where +the global symbols are put into dynamic symbol table, +which is the case on x86. It still won't work on powerpc. + +Making those 5 local functions global, and adding +'test_dwarf_unwind__' to their names. + +Committer testing: + +Before: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : FAILED! + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 6590 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7ffce6c48098 val 48563f, offset 1144 + unwind: test__dwarf_unwind:ip = 0x4a54e5 (0xa54e5) + got: test__dwarf_unwind 0xa54e5, expecting test__dwarf_unwind + unwind: '':ip = 0x4a50bb (0xa50bb) + failed: got unresolved address 0xa50bb + unwind failed + test child finished with -1 + ---- end ---- + DWARF unwind: FAILED! + # + +After: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : Ok + # + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 7219 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7fff007da2c8 val 48575f, offset 1144 + unwind: test__arch_unwind_sample:ip = 0x589044 (0x189044) + got: test__arch_unwind_sample 0x189044, expecting test__arch_unwind_sample + unwind: test_dwarf_unwind__thread:ip = 0x4a52f7 (0xa52f7) + got: test_dwarf_unwind__thread 0xa52f7, expecting test_dwarf_unwind__thread + unwind: test_dwarf_unwind__compare:ip = 0x4a5468 (0xa5468) + got: test_dwarf_unwind__compare 0xa5468, expecting test_dwarf_unwind__compare + unwind: bsearch:ip = 0x7f6608ae94d8 (0x394d8) + got: bsearch 0x394d8, expecting bsearch + unwind: test_dwarf_unwind__krava_3:ip = 0x4a54d1 (0xa54d1) + got: test_dwarf_unwind__krava_3 0xa54d1, expecting test_dwarf_unwind__krava_3 + unwind: test_dwarf_unwind__krava_2:ip = 0x4a550b (0xa550b) + got: test_dwarf_unwind__krava_2 0xa550b, expecting test_dwarf_unwind__krava_2 + unwind: test_dwarf_unwind__krava_1:ip = 0x4a554b (0xa554b) + got: test_dwarf_unwind__krava_1 0xa554b, expecting test_dwarf_unwind__krava_1 + unwind: test__dwarf_unwind:ip = 0x4a5605 (0xa5605) + got: test__dwarf_unwind 0xa5605, expecting test__dwarf_unwind + test child finished with 0 + ---- end ---- + DWARF unwind: Ok + # + +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180206181813.10943-17-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/dwarf-unwind.c | 46 ++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +--- a/tools/perf/tests/dwarf-unwind.c ++++ b/tools/perf/tests/dwarf-unwind.c +@@ -37,6 +37,19 @@ static int init_live_machine(struct mach + mmap_handler, machine, true, 500); + } + ++/* ++ * We need to keep these functions global, despite the ++ * fact that they are used only locally in this object, ++ * in order to keep them around even if the binary is ++ * stripped. If they are gone, the unwind check for ++ * symbol fails. ++ */ ++int test_dwarf_unwind__thread(struct thread *thread); ++int test_dwarf_unwind__compare(void *p1, void *p2); ++int test_dwarf_unwind__krava_3(struct thread *thread); ++int test_dwarf_unwind__krava_2(struct thread *thread); ++int test_dwarf_unwind__krava_1(struct thread *thread); ++ + #define MAX_STACK 8 + + static int unwind_entry(struct unwind_entry *entry, void *arg) +@@ -45,12 +58,12 @@ static int unwind_entry(struct unwind_en + char *symbol = entry->sym ? entry->sym->name : NULL; + static const char *funcs[MAX_STACK] = { + "test__arch_unwind_sample", +- "unwind_thread", +- "compare", ++ "test_dwarf_unwind__thread", ++ "test_dwarf_unwind__compare", + "bsearch", +- "krava_3", +- "krava_2", +- "krava_1", ++ "test_dwarf_unwind__krava_3", ++ "test_dwarf_unwind__krava_2", ++ "test_dwarf_unwind__krava_1", + "test__dwarf_unwind" + }; + /* +@@ -77,7 +90,7 @@ static int unwind_entry(struct unwind_en + return strcmp((const char *) symbol, funcs[idx]); + } + +-static noinline int unwind_thread(struct thread *thread) ++noinline int test_dwarf_unwind__thread(struct thread *thread) + { + struct perf_sample sample; + unsigned long cnt = 0; +@@ -108,7 +121,7 @@ static noinline int unwind_thread(struct + + static int global_unwind_retval = -INT_MAX; + +-static noinline int compare(void *p1, void *p2) ++noinline int test_dwarf_unwind__compare(void *p1, void *p2) + { + /* Any possible value should be 'thread' */ + struct thread *thread = *(struct thread **)p1; +@@ -117,17 +130,17 @@ static noinline int compare(void *p1, vo + /* Call unwinder twice for both callchain orders. */ + callchain_param.order = ORDER_CALLER; + +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + if (!global_unwind_retval) { + callchain_param.order = ORDER_CALLEE; +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + } + } + + return p1 - p2; + } + +-static noinline int krava_3(struct thread *thread) ++noinline int test_dwarf_unwind__krava_3(struct thread *thread) + { + struct thread *array[2] = {thread, thread}; + void *fp = &bsearch; +@@ -141,18 +154,19 @@ static noinline int krava_3(struct threa + size_t, int (*)(void *, void *)); + + _bsearch = fp; +- _bsearch(array, &thread, 2, sizeof(struct thread **), compare); ++ _bsearch(array, &thread, 2, sizeof(struct thread **), ++ test_dwarf_unwind__compare); + return global_unwind_retval; + } + +-static noinline int krava_2(struct thread *thread) ++noinline int test_dwarf_unwind__krava_2(struct thread *thread) + { +- return krava_3(thread); ++ return test_dwarf_unwind__krava_3(thread); + } + +-static noinline int krava_1(struct thread *thread) ++noinline int test_dwarf_unwind__krava_1(struct thread *thread) + { +- return krava_2(thread); ++ return test_dwarf_unwind__krava_2(thread); + } + + int test__dwarf_unwind(struct test *test __maybe_unused, int subtest __maybe_unused) +@@ -189,7 +203,7 @@ int test__dwarf_unwind(struct test *test + goto out; + } + +- err = krava_1(thread); ++ err = test_dwarf_unwind__krava_1(thread); + thread__put(thread); + + out: diff --git a/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch b/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch new file mode 100644 index 00000000000..fb6ac9bf44e --- /dev/null +++ b/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jiri Olsa +Date: Thu, 15 Feb 2018 13:26:35 +0100 +Subject: perf tests: Use arch__compare_symbol_names to compare symbols + +From: Jiri Olsa + +[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ] + +The symbol search called by machine__find_kernel_symbol_by_name is using +internally arch__compare_symbol_names function to compare 2 symbol +names, because different archs have different ways of comparing symbols. +Mostly for skipping '.' prefixes and similar. + +In test 1 when we try to find matching symbols in kallsyms and vmlinux, +by address and by symbol name. When either is found we compare the pair +symbol names by simple strcmp, which is not good enough for reasons +explained in previous paragraph. + +On powerpc this can cause lockup, because even thought we found the +pair, the compared names are different and don't match simple strcmp. +Following code path is executed, that leads to lockup: + + - we find the pair in kallsyms by sym->start +next_pair: + - we compare the names and it fails + - we find the pair by sym->name + - the pair addresses match so we call goto next_pair + because we assume the names match in this case + +Signed-off-by: Jiri Olsa +Tested-by: Naveen N. Rao +Acked-by: Naveen N. Rao +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically") +Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/vmlinux-kallsyms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/vmlinux-kallsyms.c ++++ b/tools/perf/tests/vmlinux-kallsyms.c +@@ -125,7 +125,7 @@ int test__vmlinux_matches_kallsyms(struc + + if (pair && UM(pair->start) == mem_start) { + next_pair: +- if (strcmp(sym->name, pair->name) == 0) { ++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) { + /* + * kallsyms don't have the symbol end, so we + * set that by using the next symbol start - 1, diff --git a/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch b/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch new file mode 100644 index 00000000000..f763c347bc0 --- /dev/null +++ b/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:17 +0530 +Subject: perf tools: Fix perf builds with clang support + +From: Sandipan Das + +[ Upstream commit c2fb54a183cfe77c6fdc9d71e2d5299c1c302a6e ] + +For libclang, some distro packages provide static libraries (.a) while +some provide shared libraries (.so). Currently, perf code can only be +linked with static libraries. This makes perf build possible for both +cases. + +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: d58ac0bf8d1e ("perf build: Add clang and llvm compile and linking support") +Link: http://lkml.kernel.org/r/20180404180419.19056-1-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/Makefile.perf | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -364,7 +364,8 @@ LIBS = -Wl,--whole-archive $(PERFLIBS) $ + + ifeq ($(USE_CLANG), 1) + CLANGLIBS_LIST = AST Basic CodeGen Driver Frontend Lex Tooling Edit Sema Analysis Parse Serialization +- LIBCLANG = $(foreach l,$(CLANGLIBS_LIST),$(wildcard $(shell $(LLVM_CONFIG) --libdir)/libclang$(l).a)) ++ CLANGLIBS_NOEXT_LIST = $(foreach l,$(CLANGLIBS_LIST),$(shell $(LLVM_CONFIG) --libdir)/libclang$(l)) ++ LIBCLANG = $(foreach l,$(CLANGLIBS_NOEXT_LIST),$(wildcard $(l).a $(l).so)) + LIBS += -Wl,--start-group $(LIBCLANG) -Wl,--end-group + endif + diff --git a/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch b/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch new file mode 100644 index 00000000000..aab8f41b7d6 --- /dev/null +++ b/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Yisheng Xie +Date: Mon, 12 Mar 2018 19:25:56 +0800 +Subject: perf top: Fix top.call-graph config option reading + +From: Yisheng Xie + +[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ] + +When trying to add the "call-graph" variable for top into the +.perfconfig file, like: + + [top] + call-graph = fp + +I that perf_top_config() do not parse this variable. + +Fix it by calling perf_default_config() when the top.call-graph variable +is set. + +Signed-off-by: Yisheng Xie +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()") +Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-top.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1224,8 +1224,10 @@ parse_callchain_opt(const struct option + + static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused) + { +- if (!strcmp(var, "top.call-graph")) +- var = "call-graph.record-mode"; /* fall-through */ ++ if (!strcmp(var, "top.call-graph")) { ++ var = "call-graph.record-mode"; ++ return perf_default_config(var, value, cb); ++ } + if (!strcmp(var, "top.children")) { + symbol_conf.cumulate_callchain = perf_config_bool(var, value); + return 0; diff --git a/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch b/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch new file mode 100644 index 00000000000..36e2b683c62 --- /dev/null +++ b/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch @@ -0,0 +1,238 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Kan Liang +Date: Mon, 12 Feb 2018 14:20:31 -0800 +Subject: perf/x86/intel: Fix event update for auto-reload + +From: Kan Liang + +[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ] + +There is a bug when reading event->count with large PEBS enabled. + +Here is an example: + + # ./read_count + 0x71f0 + 0x122c0 + 0x1000000001c54 + 0x100000001257d + 0x200000000bdc5 + +In fixed period mode, the auto-reload mechanism could be enabled for +PEBS events, but the calculation of event->count does not take the +auto-reload values into account. + +Anyone who reads event->count will get the wrong result, e.g x86_pmu_read(). + +This bug was introduced with the auto-reload mechanism enabled since +commit: + + 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") + +Introduce intel_pmu_save_and_restart_reload() to calculate the +event->count only for auto-reload. + +Since the counter increments a negative counter value and overflows on +the sign switch, giving the interval: + + [-period, 0] + +the difference between two consequtive reads is: + + A) value2 - value1; + when no overflows have happened in between, + B) (0 - value1) + (value2 - (-period)); + when one overflow happened in between, + C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); + when @n overflows happened in between. + +Here A) is the obvious difference, B) is the extension to the discrete +interval, where the first term is to the top of the interval and the +second term is from the bottom of the next interval and C) the extension +to multiple intervals, where the middle term is the whole intervals +covered. + +The equation for all cases is: + + value2 - value1 + n * period + +Previously the event->count is updated right before the sample output. +But for case A, there is no PEBS record ready. It needs to be specially +handled. + +Remove the auto-reload code from x86_perf_event_set_period() since +we'll not longer call that function in this case. + +Based-on-code-from: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") +Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 15 ++----- + arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 94 insertions(+), 13 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1162,16 +1162,13 @@ int x86_perf_event_set_period(struct per + + per_cpu(pmc_prev_left[idx], smp_processor_id()) = left; + +- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) || +- local64_read(&hwc->prev_count) != (u64)-left) { +- /* +- * The hw event starts counting from this event offset, +- * mark it to be able to extra future deltas: +- */ +- local64_set(&hwc->prev_count, (u64)-left); ++ /* ++ * The hw event starts counting from this event offset, ++ * mark it to be able to extra future deltas: ++ */ ++ local64_set(&hwc->prev_count, (u64)-left); + +- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); +- } ++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); + + /* + * Due to erratum on certan cpu we need +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1315,17 +1315,84 @@ get_next_pebs_record_by_bit(void *base, + return NULL; + } + ++/* ++ * Special variant of intel_pmu_save_and_restart() for auto-reload. ++ */ ++static int ++intel_pmu_save_and_restart_reload(struct perf_event *event, int count) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ int shift = 64 - x86_pmu.cntval_bits; ++ u64 period = hwc->sample_period; ++ u64 prev_raw_count, new_raw_count; ++ s64 new, old; ++ ++ WARN_ON(!period); ++ ++ /* ++ * drain_pebs() only happens when the PMU is disabled. ++ */ ++ WARN_ON(this_cpu_read(cpu_hw_events.enabled)); ++ ++ prev_raw_count = local64_read(&hwc->prev_count); ++ rdpmcl(hwc->event_base_rdpmc, new_raw_count); ++ local64_set(&hwc->prev_count, new_raw_count); ++ ++ /* ++ * Since the counter increments a negative counter value and ++ * overflows on the sign switch, giving the interval: ++ * ++ * [-period, 0] ++ * ++ * the difference between two consequtive reads is: ++ * ++ * A) value2 - value1; ++ * when no overflows have happened in between, ++ * ++ * B) (0 - value1) + (value2 - (-period)); ++ * when one overflow happened in between, ++ * ++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); ++ * when @n overflows happened in between. ++ * ++ * Here A) is the obvious difference, B) is the extension to the ++ * discrete interval, where the first term is to the top of the ++ * interval and the second term is from the bottom of the next ++ * interval and C) the extension to multiple intervals, where the ++ * middle term is the whole intervals covered. ++ * ++ * An equivalent of C, by reduction, is: ++ * ++ * value2 - value1 + n * period ++ */ ++ new = ((s64)(new_raw_count << shift) >> shift); ++ old = ((s64)(prev_raw_count << shift) >> shift); ++ local64_add(new - old + count * period, &event->count); ++ ++ perf_event_update_userpage(event); ++ ++ return 0; ++} ++ + static void __intel_pmu_pebs_event(struct perf_event *event, + struct pt_regs *iregs, + void *base, void *top, + int bit, int count) + { ++ struct hw_perf_event *hwc = &event->hw; + struct perf_sample_data data; + struct pt_regs regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); + +- if (!intel_pmu_save_and_restart(event) && +- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)) ++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { ++ /* ++ * Now, auto-reload is only enabled in fixed period mode. ++ * The reload value is always hwc->sample_period. ++ * May need to change it, if auto-reload is enabled in ++ * freq mode later. ++ */ ++ intel_pmu_save_and_restart_reload(event, count); ++ } else if (!intel_pmu_save_and_restart(event)) + return; + + while (count > 1) { +@@ -1377,8 +1444,11 @@ static void intel_pmu_drain_pebs_core(st + return; + + n = top - at; +- if (n <= 0) ++ if (n <= 0) { ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); + return; ++ } + + __intel_pmu_pebs_event(event, iregs, at, top, 0, n); + } +@@ -1401,8 +1471,22 @@ static void intel_pmu_drain_pebs_nhm(str + + ds->pebs_index = ds->pebs_buffer_base; + +- if (unlikely(base >= top)) ++ if (unlikely(base >= top)) { ++ /* ++ * The drain_pebs() could be called twice in a short period ++ * for auto-reload event in pmu::read(). There are no ++ * overflows have happened in between. ++ * It needs to call intel_pmu_save_and_restart_reload() to ++ * update the event->count for this case. ++ */ ++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled, ++ x86_pmu.max_pebs_events) { ++ event = cpuc->events[bit]; ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); ++ } + return; ++ } + + for (at = base; at < top; at += x86_pmu.pebs_record_size) { + struct pebs_record_nhm *p = at; diff --git a/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch b/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch new file mode 100644 index 00000000000..cd992665c97 --- /dev/null +++ b/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Kan Liang +Date: Thu, 1 Mar 2018 12:54:54 -0500 +Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs + +From: Kan Liang + +[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ] + +Large fixed period values could be truncated on Broadwell, for example: + + perf record -e cycles -c 10000000000 + +Here the fixed period is 0x2540BE400, but the period which finally applied is +0x540BE400 - which is wrong. + +The reason is that x86_pmu::limit_period() uses an u32 parameter, so the +high 32 bits of 'period' get truncated. + +This bug was introduced in: + + commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") + +It's safe to use u64 instead of u32: + + - Although the 'left' is s64, the value of 'left' must be positive when + calling limit_period(). + + - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch + the higher 32 bits. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") +Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com +[ Rewrote unacceptably bad changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/perf_event.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3196,7 +3196,7 @@ glp_get_event_constraints(struct cpu_hw_ + * Therefore the effective (average) period matches the requested period, + * despite coarser hardware granularity. + */ +-static unsigned bdw_limit_period(struct perf_event *event, unsigned left) ++static u64 bdw_limit_period(struct perf_event *event, u64 left) + { + if ((event->hw.config & INTEL_ARCH_EVENT_MASK) == + X86_CONFIG(.event=0xc0, .umask=0x01)) { +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -557,7 +557,7 @@ struct x86_pmu { + struct x86_pmu_quirk *quirks; + int perfctr_second_write; + bool late_ack; +- unsigned (*limit_period)(struct perf_event *event, unsigned l); ++ u64 (*limit_period)(struct perf_event *event, u64 l); + + /* + * sysfs attrs diff --git a/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch b/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch new file mode 100644 index 00000000000..6e569b72935 --- /dev/null +++ b/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Kan Liang +Date: Tue, 20 Feb 2018 02:11:50 -0800 +Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler + +From: Kan Liang + +[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ] + +The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated +accordingly. + +This is fine in current usage because no-one checks it - but fix it +for future code: for example, the drain_pebs() will be modified to +fix an auto-reload bug. + +Properly save/restore the old PMU state. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: kernel test robot +Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2201,16 +2201,23 @@ static int intel_pmu_handle_irq(struct p + int bit, loops; + u64 status; + int handled; ++ int pmu_enabled; + + cpuc = this_cpu_ptr(&cpu_hw_events); + + /* ++ * Save the PMU state. ++ * It needs to be restored when leaving the handler. ++ */ ++ pmu_enabled = cpuc->enabled; ++ /* + * No known reason to not always do late ACK, + * but just in case do it opt-in. + */ + if (!x86_pmu.late_ack) + apic_write(APIC_LVTPC, APIC_DM_NMI); + intel_bts_disable_local(); ++ cpuc->enabled = 0; + __intel_pmu_disable_all(); + handled = intel_pmu_drain_bts_buffer(); + handled += intel_bts_interrupt(); +@@ -2320,7 +2327,8 @@ again: + + done: + /* Only restore PMU state when it's active. See x86_pmu_disable(). */ +- if (cpuc->enabled) ++ cpuc->enabled = pmu_enabled; ++ if (pmu_enabled) + __intel_pmu_enable_all(0, true); + intel_bts_enable_local(); + diff --git a/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch b/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch new file mode 100644 index 00000000000..7a1abecf4f1 --- /dev/null +++ b/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch @@ -0,0 +1,72 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Vivek Gautam +Date: Tue, 16 Jan 2018 16:26:56 +0530 +Subject: phy: qcom-qmp: Fix phy pipe clock gating + +From: Vivek Gautam + +[ Upstream commit f8ba22a39e985c93e278709b1d5f20857a26b49b ] + +Pipe clock comes out of the phy and is available as long as +the phy is turned on. Clock controller fails to gate this +clock after the phy is turned off and generates a warning. + +/ # [ 33.048561] gcc_usb3_phy_pipe_clk status stuck at 'on' +[ 33.048585] ------------[ cut here ]------------ +[ 33.052621] WARNING: CPU: 1 PID: 18 at ../drivers/clk/qcom/clk-branch.c:97 clk_branch_wait+0xf0/0x108 +[ 33.057384] Modules linked in: +[ 33.066497] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G W 4.12.0-rc7-00024-gfe926e34c36d-dirty #96 +[ 33.069451] Hardware name: Qualcomm Technologies, Inc. DB820c (DT) +... +[ 33.278565] [] clk_branch_wait+0xf0/0x108 +[ 33.286375] [] clk_branch2_disable+0x28/0x34 +[ 33.291761] [] clk_core_disable+0x5c/0x88 +[ 33.297660] [] clk_core_disable_lock+0x20/0x34 +[ 33.303129] [] clk_disable+0x1c/0x24 +[ 33.309384] [] qcom_qmp_phy_poweroff+0x20/0x48 +[ 33.314328] [] phy_power_off+0x80/0xdc +[ 33.320492] [] dwc3_core_exit+0x94/0xa0 +[ 33.325784] [] dwc3_suspend_common+0x50/0x60 +[ 33.331080] [] dwc3_runtime_suspend+0x48/0x6c +[ 33.336810] [] pm_generic_runtime_suspend+0x28/0x38 +[ 33.342627] [] __rpm_callback+0x150/0x254 +[ 33.349222] [] rpm_callback+0x24/0x78 +[ 33.354604] [] rpm_suspend+0xe0/0x4e4 +[ 33.359813] [] pm_runtime_work+0xdc/0xf0 +[ 33.365028] [] process_one_work+0x12c/0x28c +[ 33.370576] [] worker_thread+0x58/0x3b8 +[ 33.376393] [] kthread+0x100/0x12c +[ 33.381776] [] ret_from_fork+0x10/0x50 + +Fix this by disabling it as the first thing in phy_exit(). + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Vivek Gautam +Signed-off-by: Manu Gautam +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -751,8 +751,6 @@ static int qcom_qmp_phy_poweroff(struct + struct qmp_phy *qphy = phy_get_drvdata(phy); + struct qcom_qmp *qmp = qphy->qmp; + +- clk_disable_unprepare(qphy->pipe_clk); +- + regulator_bulk_disable(qmp->cfg->num_vregs, qmp->vregs); + + return 0; +@@ -936,6 +934,8 @@ static int qcom_qmp_phy_exit(struct phy + const struct qmp_phy_cfg *cfg = qmp->cfg; + int i = cfg->num_clks; + ++ clk_disable_unprepare(qphy->pipe_clk); ++ + /* PHY reset */ + qphy_setbits(qphy->pcs, cfg->regs[QPHY_SW_RESET], SW_RESET); + diff --git a/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch b/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch new file mode 100644 index 00000000000..30577f4f5ae --- /dev/null +++ b/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Shawn Lin +Date: Thu, 11 Jan 2018 10:40:26 +0800 +Subject: phy: rockchip-emmc: retry calpad busy trimming + +From: Shawn Lin + +[ Upstream commit a4781c2a74b249cad814ceea7272997bbd20051e ] + +It turns out that 5us isn't enough for all cases, so let's +retry some more times to wait for caldone. + +Signed-off-by: Shawn Lin +Tested-by: Ziyuan Xu +Signed-off-by: Caesar Wang +Reviewed-by: Douglas Anderson +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-emmc.c ++++ b/drivers/phy/rockchip/phy-rockchip-emmc.c +@@ -76,6 +76,10 @@ + #define PHYCTRL_OTAPDLYSEL_MASK 0xf + #define PHYCTRL_OTAPDLYSEL_SHIFT 0x7 + ++#define PHYCTRL_IS_CALDONE(x) \ ++ ((((x) >> PHYCTRL_CALDONE_SHIFT) & \ ++ PHYCTRL_CALDONE_MASK) == PHYCTRL_CALDONE_DONE) ++ + struct rockchip_emmc_phy { + unsigned int reg_offset; + struct regmap *reg_base; +@@ -90,6 +94,7 @@ static int rockchip_emmc_phy_power(struc + unsigned int freqsel = PHYCTRL_FREQSEL_200M; + unsigned long rate; + unsigned long timeout; ++ int ret; + + /* + * Keep phyctrl_pdb and phyctrl_endll low to allow +@@ -160,17 +165,19 @@ static int rockchip_emmc_phy_power(struc + PHYCTRL_PDB_SHIFT)); + + /* +- * According to the user manual, it asks driver to +- * wait 5us for calpad busy trimming ++ * According to the user manual, it asks driver to wait 5us for ++ * calpad busy trimming. However it is documented that this value is ++ * PVT(A.K.A process,voltage and temperature) relevant, so some ++ * failure cases are found which indicates we should be more tolerant ++ * to calpad busy trimming. + */ +- udelay(5); +- regmap_read(rk_phy->reg_base, +- rk_phy->reg_offset + GRF_EMMCPHY_STATUS, +- &caldone); +- caldone = (caldone >> PHYCTRL_CALDONE_SHIFT) & PHYCTRL_CALDONE_MASK; +- if (caldone != PHYCTRL_CALDONE_DONE) { +- pr_err("rockchip_emmc_phy_power: caldone timeout.\n"); +- return -ETIMEDOUT; ++ ret = regmap_read_poll_timeout(rk_phy->reg_base, ++ rk_phy->reg_offset + GRF_EMMCPHY_STATUS, ++ caldone, PHYCTRL_IS_CALDONE(caldone), ++ 0, 50); ++ if (ret) { ++ pr_err("%s: caldone failed, ret=%d\n", __func__, ret); ++ return ret; + } + + /* Set the frequency of the DLL operation */ diff --git a/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch b/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch new file mode 100644 index 00000000000..e1cdfbb1a74 --- /dev/null +++ b/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Niklas Cassel +Date: Thu, 22 Feb 2018 16:22:46 +0100 +Subject: pinctrl: artpec6: dt: add missing pin group uart5nocts + +From: Niklas Cassel + +[ Upstream commit 7e065fb9ccce89fe667fdbd9a177eaec59a359fc ] + +Add missing pin group uart5nocts (all pins except cts), which has been +supported by the artpec6 pinctrl driver since its initial submission. + +Fixes: 00df0582eab1 ("pinctrl: Add pincontrol driver for ARTPEC-6 SoC") +Signed-off-by: Niklas Cassel +Reviewed-by: Rob Herring +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt ++++ b/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt +@@ -20,7 +20,8 @@ Required subnode-properties: + gpio: cpuclkoutgrp0, udlclkoutgrp0, i2c1grp0, i2c2grp0, + i2c3grp0, i2s0grp0, i2s1grp0, i2srefclkgrp0, spi0grp0, + spi1grp0, pciedebuggrp0, uart0grp0, uart0grp1, uart1grp0, +- uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0 ++ uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0, ++ uart5nocts + cpuclkout: cpuclkoutgrp0 + udlclkout: udlclkoutgrp0 + i2c1: i2c1grp0 +@@ -37,7 +38,7 @@ Required subnode-properties: + uart2: uart2grp0, uart2grp1 + uart3: uart3grp0 + uart4: uart4grp0 +- uart5: uart5grp0 ++ uart5: uart5grp0, uart5nocts + nand: nandgrp0 + sdio0: sdio0grp0 + sdio1: sdio1grp0 diff --git a/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch b/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch new file mode 100644 index 00000000000..1b3b654f104 --- /dev/null +++ b/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Richard Fitzgerald +Date: Wed, 28 Feb 2018 15:53:06 +0000 +Subject: pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs + +From: Richard Fitzgerald + +[ Upstream commit b89405b6102fcc3746f43697b826028caa94c823 ] + +When dt_to_map_one_config() is called with a pinctrl_dev passed +in, it should only be using this if the node being looked up +is a hog. The code was always using the passed pinctrl_dev +without checking whether the dt node referred to it. + +A pin controller can have pinctrl-n dependencies on other pin +controllers in these cases: + +- the pin controller hardware is external, for example I2C, so + needs other pin controller(s) to be setup to communicate with + the hardware device. + +- it is a child of a composite MFD so its of_node is shared with + the parent MFD and other children of that MFD. Any part of that + MFD could have dependencies on other pin controllers. + +Because of this, dt_to_map_one_config() can't assume that if it +has a pinctrl_dev passed in then the node it looks up must be +a hog. It could be a reference to some other pin controller. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/devicetree.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -122,8 +122,10 @@ static int dt_to_map_one_config(struct p + /* OK let's just assume this will appear later then */ + return -EPROBE_DEFER; + } +- if (!pctldev) +- pctldev = get_pinctrl_dev_from_of_node(np_pctldev); ++ /* If we're creating a hog we can use the passed pctldev */ ++ if (pctldev && (np_pctldev == p->dev->of_node)) ++ break; ++ pctldev = get_pinctrl_dev_from_of_node(np_pctldev); + if (pctldev) + break; + /* Do not defer probing of hogs (circular loop) */ diff --git a/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch b/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch new file mode 100644 index 00000000000..cac64ff8da2 --- /dev/null +++ b/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch @@ -0,0 +1,92 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: "Jan Kundrát" +Date: Thu, 25 Jan 2018 18:29:15 +0100 +Subject: pinctrl: mcp23s08: spi: Fix regmap debugfs entries + +From: "Jan Kundrát" + +[ Upstream commit 9b3e4207661e67f04c72af15e29f74cd944f5964 ] + +The SPI version of this chip allows several devices to be present on the +same SPI bus via a local address. If this is in action and if the kernel +has debugfs, however, the code attempts to create duplicate entries for +the regmap's debugfs: + + mcp23s08 spi1.1: Failed to create debugfs directory + +This patch simply assigns a local name matching the device logical +address to the `struct regmap_config`. + +No changes are needed for MCP23S18 because that device does not support +any logical addressing. Similarly, I2C devices do not need any action, +either, because they are already different in their I2C address. + +A similar problem is present for the pinctrl debugfs instance, but that +one is not addressed by this patch. + +Signed-off-by: Jan Kundrát +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -771,6 +771,7 @@ static int mcp23s08_probe_one(struct mcp + { + int status, ret; + bool mirror = false; ++ struct regmap_config *one_regmap_config = NULL; + + mutex_init(&mcp->lock); + +@@ -791,22 +792,36 @@ static int mcp23s08_probe_one(struct mcp + switch (type) { + #ifdef CONFIG_SPI_MASTER + case MCP_TYPE_S08: +- mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x08_regmap); +- mcp->reg_shift = 0; +- mcp->chip.ngpio = 8; +- mcp->chip.label = "mcp23s08"; +- break; +- + case MCP_TYPE_S17: ++ switch (type) { ++ case MCP_TYPE_S08: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x08_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 0; ++ mcp->chip.ngpio = 8; ++ mcp->chip.label = "mcp23s08"; ++ break; ++ case MCP_TYPE_S17: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x17_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 1; ++ mcp->chip.ngpio = 16; ++ mcp->chip.label = "mcp23s17"; ++ break; ++ } ++ if (!one_regmap_config) ++ return -ENOMEM; ++ ++ one_regmap_config->name = devm_kasprintf(dev, GFP_KERNEL, "%d", (addr & ~0x40) >> 1); + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x17_regmap); +- mcp->reg_shift = 1; +- mcp->chip.ngpio = 16; +- mcp->chip.label = "mcp23s17"; ++ one_regmap_config); + break; + + case MCP_TYPE_S18: ++ if (!one_regmap_config) ++ return -ENOMEM; + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, + &mcp23x17_regmap); + mcp->reg_shift = 1; diff --git a/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch b/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch new file mode 100644 index 00000000000..0b489cd7717 --- /dev/null +++ b/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Bjorn Andersson +Date: Sun, 28 Jan 2018 16:59:48 -0800 +Subject: pinctrl: msm: Use dynamic GPIO numbering + +From: Bjorn Andersson + +[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ] + +The base of the TLMM gpiochip should not be statically defined as 0, fix +this to not artificially restrict the existence of multiple pinctrl-msm +devices. + +Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") +Reported-by: Timur Tabi +Signed-off-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -818,7 +818,7 @@ static int msm_gpio_init(struct msm_pinc + return -EINVAL; + + chip = &pctrl->chip; +- chip->base = 0; ++ chip->base = -1; + chip->ngpio = ngpio; + chip->label = dev_name(pctrl->dev); + chip->parent = pctrl->dev; diff --git a/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch b/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch new file mode 100644 index 00000000000..583a0cb5ec7 --- /dev/null +++ b/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch @@ -0,0 +1,191 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Takeshi Kihara +Date: Fri, 16 Feb 2018 15:25:03 +0100 +Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group + +From: Takeshi Kihara + +[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ] + +This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment +for SSI pins group. + +This is a correction to the incorrect implementation of MOD_SEL register +pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware +User's Manual Rev.0.51E or later. + +Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support") +Signed-off-by: Takeshi Kihara +Signed-off-by: Ulrich Hecht +Reviewed-by: Simon Horman +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c +@@ -1,7 +1,7 @@ + /* + * R8A7796 processor support - PFC hardware block. + * +- * Copyright (C) 2016 Renesas Electronics Corp. ++ * Copyright (C) 2016-2017 Renesas Electronics Corp. + * + * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c + * +@@ -477,7 +477,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28) + #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1) + #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3) + #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0) +-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1) ++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1) + #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1) + #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3) + #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1) +@@ -1218,7 +1218,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_11_8, HSCK0), + PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0), +- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1), + PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2), +@@ -1226,14 +1226,14 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP13_15_12, HRX0), + PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2), + + PINMUX_IPSR_GPSR(IP13_19_16, HTX0), + PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2), +@@ -1241,7 +1241,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N), + PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2), +@@ -1250,7 +1250,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N), + PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0), + PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A), +@@ -1265,7 +1265,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0), + PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2), +- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2), + PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A), + PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1), +@@ -1274,7 +1274,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0), +- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D), + PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1), +@@ -1302,10 +1302,10 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5), + + /* IPSR15 */ +- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0), + +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0), +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1), + + PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK349), + PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0), +@@ -1391,11 +1391,11 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0), + PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0), + +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1), + PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0), +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1), + PINMUX_IPSR_GPSR(IP16_31_28, SCK1), + PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0), + PINMUX_IPSR_MSEL(IP16_31_28, SCK5_A, SEL_SCIF5_0), +@@ -1427,7 +1427,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN), + PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2), +- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1), +@@ -1437,7 +1437,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC), + PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2), +- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1), +@@ -1447,7 +1447,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN), + PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B), +- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4), +@@ -1459,7 +1459,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC), + PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B), +- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4), +@@ -1470,7 +1470,7 @@ static const u16 pinmux_data[] = { + /* IPSR18 */ + PINMUX_IPSR_GPSR(IP18_3_0, GP6_30), + PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B), +- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1), +@@ -1480,7 +1480,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP18_7_4, GP6_31), + PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B), +- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_7_4, RIF2_D1_B, SEL_DRIF2_1), diff --git a/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch b/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch new file mode 100644 index 00000000000..e134e7a91d8 --- /dev/null +++ b/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Dan Carpenter +Date: Fri, 16 Mar 2018 15:10:15 +0300 +Subject: platform/x86: dell-smbios: Fix memory leaks in build_tokens_sysfs() + +From: Dan Carpenter + +[ Upstream commit 0e5b09b165510e2ea5c526e962c4edadd849ef4c ] + +We're freeing "value_name" which is NULL, so that's a no-op, but we +intended to free "location_name" instead. And then we don't free the +names in token_location_attrs[0] and token_value_attrs[0]. + +Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens") +Signed-off-by: Dan Carpenter +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell-smbios-base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/dell-smbios-base.c ++++ b/drivers/platform/x86/dell-smbios-base.c +@@ -514,7 +514,7 @@ static int build_tokens_sysfs(struct pla + continue; + + loop_fail_create_value: +- kfree(value_name); ++ kfree(location_name); + goto out_unwind_strings; + } + smbios_attribute_group.attrs = token_attrs; +@@ -525,7 +525,7 @@ loop_fail_create_value: + return 0; + + out_unwind_strings: +- for (i = i-1; i > 0; i--) { ++ while (i--) { + kfree(token_location_attrs[i].attr.name); + kfree(token_value_attrs[i].attr.name); + } diff --git a/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch b/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch new file mode 100644 index 00000000000..66730261f14 --- /dev/null +++ b/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ladislav Michl +Date: Thu, 22 Feb 2018 18:21:36 +0100 +Subject: power: supply: ltc2941-battery-gauge: Fix temperature units + +From: Ladislav Michl + +[ Upstream commit dde5953f05a89eb63a0d666ffe51d447b2ac3e05 ] + +Temperature is measured in tenths of degree Celsius. + +Fixes: 085bc24d1553 ("Add LTC2941/LTC2943 Battery Gauge Driver") +Signed-off-by: Ladislav Michl +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/ltc2941-battery-gauge.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/power/supply/ltc2941-battery-gauge.c ++++ b/drivers/power/supply/ltc2941-battery-gauge.c +@@ -317,15 +317,15 @@ static int ltc294x_get_temperature(const + + if (info->id == LTC2942_ID) { + reg = LTC2942_REG_TEMPERATURE_MSB; +- value = 60000; /* Full-scale is 600 Kelvin */ ++ value = 6000; /* Full-scale is 600 Kelvin */ + } else { + reg = LTC2943_REG_TEMPERATURE_MSB; +- value = 51000; /* Full-scale is 510 Kelvin */ ++ value = 5100; /* Full-scale is 510 Kelvin */ + } + ret = ltc294x_read_regs(info->client, reg, &datar[0], 2); + value *= (datar[0] << 8) | datar[1]; +- /* Convert to centidegrees */ +- *val = value / 0xFFFF - 27215; ++ /* Convert to tenths of degree Celsius */ ++ *val = value / 0xFFFF - 2722; + return ret; + } + diff --git a/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch b/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch new file mode 100644 index 00000000000..edfbbfb9618 --- /dev/null +++ b/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Nicholas Piggin +Date: Thu, 5 Apr 2018 16:10:00 +1000 +Subject: powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep + +From: Nicholas Piggin + +[ Upstream commit c1b25a17d24925b0961c319cfc3fd7e1dc778914 ] + +POWER8 restores AMOR when waking from deep sleep, but POWER9 does not, +because it does not go through the subcore restore. + +Have POWER9 restore it in core restore. + +Fixes: ee97b6b99f42 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/idle_book3s.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/idle_book3s.S ++++ b/arch/powerpc/kernel/idle_book3s.S +@@ -834,6 +834,8 @@ BEGIN_FTR_SECTION + mtspr SPRN_PTCR,r4 + ld r4,_RPR(r1) + mtspr SPRN_RPR,r4 ++ ld r4,_AMOR(r1) ++ mtspr SPRN_AMOR,r4 + END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + + ld r4,_TSCR(r1) diff --git a/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch b/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch new file mode 100644 index 00000000000..dba2d2d1fc4 --- /dev/null +++ b/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Nicholas Piggin +Date: Tue, 27 Mar 2018 01:01:16 +1000 +Subject: powerpc/64s: sreset panic if there is no debugger or crash dump handlers + +From: Nicholas Piggin + +[ Upstream commit d40b6768e45bd9213139b2d91d30c7692b6007b1 ] + +system_reset_exception does most of its own crash handling now, +invoking the debugger or crash dumps if they are registered. If not, +then it goes through to die() to print stack traces, and then is +supposed to panic (according to comments). + +However after die() prints oopses, it does its own handling which +doesn't allow system_reset_exception to panic (e.g., it may just +kill the current process). This patch causes sreset exceptions to +return from die after it prints messages but before acting. + +This also stops die from invoking the debugger on 0x100 crashes. +system_reset_exception similarly calls the debugger. It had been +thought this was harmless (because if the debugger was disabled, +neither call would fire, and if it was enabled the first call +would return). However in some cases like xmon 'X' command, the +debugger returns 0, which currently causes it to be entered +again (first in system_reset_exception, then in die), which is +confusing. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -208,6 +208,12 @@ static void oops_end(unsigned long flags + } + raw_local_irq_restore(flags); + ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) == 0x100) ++ return; ++ + crash_fadump(regs, "die oops"); + + if (kexec_should_crash(current)) +@@ -272,8 +278,13 @@ void die(const char *str, struct pt_regs + { + unsigned long flags; + +- if (debugger(regs)) +- return; ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) != 0x100) { ++ if (debugger(regs)) ++ return; ++ } + + flags = oops_begin(regs); + if (__die(str, regs, err)) diff --git a/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch b/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch new file mode 100644 index 00000000000..c9d1a8054d5 --- /dev/null +++ b/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Mathieu Malaterre +Date: Sun, 25 Feb 2018 18:22:29 +0100 +Subject: powerpc: Add missing prototype for arch_irq_work_raise() + +From: Mathieu Malaterre + +[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ] + +In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new +function arch_irq_work_raise() was added without a prototype in header +irq_work.h. + +Fix the following warning (treated as error in W=1): + arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’ + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/irq_work.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/include/asm/irq_work.h ++++ b/arch/powerpc/include/asm/irq_work.h +@@ -6,5 +6,6 @@ static inline bool arch_irq_work_has_int + { + return true; + } ++extern void arch_irq_work_raise(void); + + #endif /* _ASM_POWERPC_IRQ_WORK_H */ diff --git a/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch b/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch new file mode 100644 index 00000000000..266abf75e2c --- /dev/null +++ b/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Anshuman Khandual +Date: Thu, 29 Mar 2018 11:53:37 +0530 +Subject: powerpc/fscr: Enable interrupts earlier before calling get_user() + +From: Anshuman Khandual + +[ Upstream commit 709b973c844c0b4d115ac3a227a2e5a68722c912 ] + +The function get_user() can sleep while trying to fetch instruction +from user address space and causes the following warning from the +scheduler. + +BUG: sleeping function called from invalid context + +Though interrupts get enabled back but it happens bit later after +get_user() is called. This change moves enabling these interrupts +earlier covering the function get_user(). While at this, lets check +for kernel mode and crash as this interrupt should not have been +triggered from the kernel context. + +Signed-off-by: Anshuman Khandual +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1612,6 +1612,22 @@ void facility_unavailable_exception(stru + value = mfspr(SPRN_FSCR); + + status = value >> 56; ++ if ((hv || status >= 2) && ++ (status < ARRAY_SIZE(facility_strings)) && ++ facility_strings[status]) ++ facility = facility_strings[status]; ++ ++ /* We should not have taken this interrupt in kernel */ ++ if (!user_mode(regs)) { ++ pr_emerg("Facility '%s' unavailable (%d) exception in kernel mode at %lx\n", ++ facility, status, regs->nip); ++ die("Unexpected facility unavailable exception", regs, SIGABRT); ++ } ++ ++ /* We restore the interrupt state now */ ++ if (!arch_irq_disabled_regs(regs)) ++ local_irq_enable(); ++ + if (status == FSCR_DSCR_LG) { + /* + * User is accessing the DSCR register using the problem +@@ -1678,25 +1694,11 @@ void facility_unavailable_exception(stru + return; + } + +- if ((hv || status >= 2) && +- (status < ARRAY_SIZE(facility_strings)) && +- facility_strings[status]) +- facility = facility_strings[status]; +- +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); +- + pr_err_ratelimited("%sFacility '%s' unavailable (%d), exception at 0x%lx, MSR=%lx\n", + hv ? "Hypervisor " : "", facility, status, regs->nip, regs->msr); + + out: +- if (user_mode(regs)) { +- _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); +- return; +- } +- +- die("Unexpected facility unavailable exception", regs, SIGABRT); ++ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); + } + #endif + diff --git a/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch b/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch new file mode 100644 index 00000000000..a552c6fdf0a --- /dev/null +++ b/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch @@ -0,0 +1,183 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe Leroy +Date: Thu, 22 Feb 2018 15:27:26 +0100 +Subject: powerpc/mm/slice: Fix hugepage allocation at hint address on 8xx + +From: Christophe Leroy + +[ Upstream commit aa0ab02ba992eb956934b21373e0138211486ddd ] + +On the 8xx, the page size is set in the PMD entry and applies to +all pages of the page table pointed by the said PMD entry. + +When an app has some regular pages allocated (e.g. see below) and tries +to mmap() a huge page at a hint address covered by the same PMD entry, +the kernel accepts the hint allthough the 8xx cannot handle different +page sizes in the same PMD entry. + +10000000-10001000 r-xp 00000000 00:0f 2597 /root/malloc +10010000-10011000 rwxp 00000000 00:0f 2597 /root/malloc + +mmap(0x10080000, 524288, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS|0x40000, -1, 0) = 0x10080000 + +This results the app remaining forever in do_page_fault()/hugetlb_fault() +and when interrupting that app, we get the following warning: + +[162980.035629] WARNING: CPU: 0 PID: 2777 at arch/powerpc/mm/hugetlbpage.c:354 hugetlb_free_pgd_range+0xc8/0x1e4 +[162980.035699] CPU: 0 PID: 2777 Comm: malloc Tainted: G W 4.14.6 #85 +[162980.035744] task: c67e2c00 task.stack: c668e000 +[162980.035783] NIP: c000fe18 LR: c00e1eec CTR: c00f90c0 +[162980.035830] REGS: c668fc20 TRAP: 0700 Tainted: G W (4.14.6) +[162980.035854] MSR: 00029032 CR: 24044224 XER: 20000000 +[162980.036003] +[162980.036003] GPR00: c00e1eec c668fcd0 c67e2c00 00000010 c6869410 10080000 00000000 77fb4000 +[162980.036003] GPR08: ffff0001 0683c001 00000000 ffffff80 44028228 10018a34 00004008 418004fc +[162980.036003] GPR16: c668e000 00040100 c668e000 c06c0000 c668fe78 c668e000 c6835ba0 c668fd48 +[162980.036003] GPR24: 00000000 73ffffff 74000000 00000001 77fb4000 100fffff 10100000 10100000 +[162980.036743] NIP [c000fe18] hugetlb_free_pgd_range+0xc8/0x1e4 +[162980.036839] LR [c00e1eec] free_pgtables+0x12c/0x150 +[162980.036861] Call Trace: +[162980.036939] [c668fcd0] [c00f0774] unlink_anon_vmas+0x1c4/0x214 (unreliable) +[162980.037040] [c668fd10] [c00e1eec] free_pgtables+0x12c/0x150 +[162980.037118] [c668fd40] [c00eabac] exit_mmap+0xe8/0x1b4 +[162980.037210] [c668fda0] [c0019710] mmput.part.9+0x20/0xd8 +[162980.037301] [c668fdb0] [c001ecb0] do_exit+0x1f0/0x93c +[162980.037386] [c668fe00] [c001f478] do_group_exit+0x40/0xcc +[162980.037479] [c668fe10] [c002a76c] get_signal+0x47c/0x614 +[162980.037570] [c668fe70] [c0007840] do_signal+0x54/0x244 +[162980.037654] [c668ff30] [c0007ae8] do_notify_resume+0x34/0x88 +[162980.037744] [c668ff40] [c000dae8] do_user_signal+0x74/0xc4 +[162980.037781] Instruction dump: +[162980.037821] 7fdff378 81370000 54a3463a 80890020 7d24182e 7c841a14 712a0004 4082ff94 +[162980.038014] 2f890000 419e0010 712a0ff0 408200e0 <0fe00000> 54a9000a 7f984840 419d0094 +[162980.038216] ---[ end trace c0ceeca8e7a5800a ]--- +[162980.038754] BUG: non-zero nr_ptes on freeing mm: 1 +[162985.363322] BUG: non-zero nr_ptes on freeing mm: -1 + +In order to fix this, this patch uses the address space "slices" +implemented for BOOK3S/64 and enhanced to support PPC32 by the +preceding patch. + +This patch modifies the context.id on the 8xx to be in the range +[1:16] instead of [0:15] in order to identify context.id == 0 as +not initialised contexts as done on BOOK3S + +This patch activates CONFIG_PPC_MM_SLICES when CONFIG_HUGETLB_PAGE is +selected for the 8xx + +Alltough we could in theory have as many slices as PMD entries, the +current slices implementation limits the number of low slices to 16. +This limitation is not preventing us to fix the initial issue allthough +it is suboptimal. It will be cured in a subsequent patch. + +Fixes: 4b91428699477 ("powerpc/8xx: Implement support of hugepages") +Signed-off-by: Christophe Leroy +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/mmu-8xx.h | 6 ++++++ + arch/powerpc/kernel/setup-common.c | 2 ++ + arch/powerpc/mm/8xx_mmu.c | 2 +- + arch/powerpc/mm/hugetlbpage.c | 2 ++ + arch/powerpc/mm/mmu_context_nohash.c | 18 ++++++++++++++++-- + arch/powerpc/platforms/Kconfig.cputype | 1 + + 6 files changed, 28 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/mmu-8xx.h ++++ b/arch/powerpc/include/asm/mmu-8xx.h +@@ -191,6 +191,12 @@ typedef struct { + unsigned int id; + unsigned int active; + unsigned long vdso_base; ++#ifdef CONFIG_PPC_MM_SLICES ++ u16 user_psize; /* page size index */ ++ u64 low_slices_psize; /* page size encodings */ ++ unsigned char high_slices_psize[0]; ++ unsigned long slb_addr_limit; ++#endif + } mm_context_t; + + #define PHYS_IMMR_BASE (mfspr(SPRN_IMMR) & 0xfff80000) +--- a/arch/powerpc/kernel/setup-common.c ++++ b/arch/powerpc/kernel/setup-common.c +@@ -919,6 +919,8 @@ void __init setup_arch(char **cmdline_p) + #ifdef CONFIG_PPC64 + if (!radix_enabled()) + init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW_USER64; ++#elif defined(CONFIG_PPC_8xx) ++ init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW; + #else + #error "context.addr_limit not initialized." + #endif +--- a/arch/powerpc/mm/8xx_mmu.c ++++ b/arch/powerpc/mm/8xx_mmu.c +@@ -192,7 +192,7 @@ void set_context(unsigned long id, pgd_t + mtspr(SPRN_M_TW, __pa(pgd) - offset); + + /* Update context */ +- mtspr(SPRN_M_CASID, id); ++ mtspr(SPRN_M_CASID, id - 1); + /* sync */ + mb(); + } +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -553,9 +553,11 @@ unsigned long hugetlb_get_unmapped_area( + struct hstate *hstate = hstate_file(file); + int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate)); + ++#ifdef CONFIG_PPC_RADIX_MMU + if (radix_enabled()) + return radix__hugetlb_get_unmapped_area(file, addr, len, + pgoff, flags); ++#endif + return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1); + } + #endif +--- a/arch/powerpc/mm/mmu_context_nohash.c ++++ b/arch/powerpc/mm/mmu_context_nohash.c +@@ -331,6 +331,20 @@ int init_new_context(struct task_struct + { + pr_hard("initing context for mm @%p\n", mm); + ++#ifdef CONFIG_PPC_MM_SLICES ++ if (!mm->context.slb_addr_limit) ++ mm->context.slb_addr_limit = DEFAULT_MAP_WINDOW; ++ ++ /* ++ * We have MMU_NO_CONTEXT set to be ~0. Hence check ++ * explicitly against context.id == 0. This ensures that we properly ++ * initialize context slice details for newly allocated mm's (which will ++ * have id == 0) and don't alter context slice inherited via fork (which ++ * will have id != 0). ++ */ ++ if (mm->context.id == 0) ++ slice_set_user_psize(mm, mmu_virtual_psize); ++#endif + mm->context.id = MMU_NO_CONTEXT; + mm->context.active = 0; + return 0; +@@ -428,8 +442,8 @@ void __init mmu_context_init(void) + * -- BenH + */ + if (mmu_has_feature(MMU_FTR_TYPE_8xx)) { +- first_context = 0; +- last_context = 15; ++ first_context = 1; ++ last_context = 16; + no_selective_tlbil = true; + } else if (mmu_has_feature(MMU_FTR_TYPE_47x)) { + first_context = 1; +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -326,6 +326,7 @@ config PPC_BOOK3E_MMU + config PPC_MM_SLICES + bool + default y if PPC_BOOK3S_64 ++ default y if PPC_8xx && HUGETLB_PAGE + default n + + config PPC_HAVE_PMU_SUPPORT diff --git a/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch b/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch new file mode 100644 index 00000000000..167326a69d0 --- /dev/null +++ b/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Michael Ellerman +Date: Fri, 30 Mar 2018 23:27:25 +1100 +Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask() + +From: Michael Ellerman + +[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ] + +In mpic_physmask() we loop over all CPUs up to 32, then get the hard +SMP processor id of that CPU. + +Currently that's possibly walking off the end of the paca array, but +in a future patch we will change the paca array to be an array of +pointers, and in that case we will get a NULL for missing CPUs and +oops. eg: + + Unable to handle kernel paging request for data at address 0x88888888888888b8 + Faulting instruction address: 0xc00000000004e380 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP .mpic_set_affinity+0x60/0x1a0 + LR .irq_do_set_affinity+0x48/0x100 + +Fix it by checking the CPU is possible, this also fixes the code if +there are gaps in the CPU numbering which probably never happens on +mpic systems but who knows. + +Debugged-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpic.c ++++ b/arch/powerpc/sysdev/mpic.c +@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum + int i; + u32 mask = 0; + +- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1) ++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1) + mask |= (cpumask & 1) << get_hard_smp_processor_id(i); + return mask; + } diff --git a/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch b/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch new file mode 100644 index 00000000000..2fc6ac9e0c0 --- /dev/null +++ b/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch @@ -0,0 +1,72 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Michael Ellerman +Date: Wed, 21 Mar 2018 17:10:24 +0530 +Subject: powerpc/perf: Fix kernel address leak via sampling registers + +From: Michael Ellerman + +[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ] + +Current code in power_pmu_disable() does not clear the sampling +registers like Sampling Instruction Address Register (SIAR) and +Sampling Data Address Register (SDAR) after disabling the PMU. Since +these are userspace readable and could contain kernel addresses, add +code to explicitly clear the content of these registers. + +Also add a "context synchronizing instruction" to enforce no further +updates to these registers as suggested by Power ISA v3.0B. From +section 9.4, on page 1108: + + "If an mtspr instruction is executed that changes the value of a + Performance Monitor register other than SIAR, SDAR, and SIER, the + change is not guaranteed to have taken effect until after a + subsequent context synchronizing instruction has been executed (see + Chapter 11. "Synchronization Requirements for Context Alterations" + on page 1133)." + +Signed-off-by: Madhavan Srinivasan +[mpe: Massage change log and add ISA reference] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1236,6 +1236,7 @@ static void power_pmu_disable(struct pmu + */ + write_mmcr0(cpuhw, val); + mb(); ++ isync(); + + /* + * Disable instruction sampling if it was enabled +@@ -1244,12 +1245,26 @@ static void power_pmu_disable(struct pmu + mtspr(SPRN_MMCRA, + cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE); + mb(); ++ isync(); + } + + cpuhw->disabled = 1; + cpuhw->n_added = 0; + + ebb_switch_out(mmcr0); ++ ++#ifdef CONFIG_PPC64 ++ /* ++ * These are readable by userspace, may contain kernel ++ * addresses and are not switched by context switch, so clear ++ * them now to avoid leaking anything to userspace in general ++ * including to another process. ++ */ ++ if (ppmu->flags & PPMU_ARCH_207S) { ++ mtspr(SPRN_SDAR, 0); ++ mtspr(SPRN_SIAR, 0); ++ } ++#endif + } + + local_irq_restore(flags); diff --git a/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch b/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch new file mode 100644 index 00000000000..1dd975afc38 --- /dev/null +++ b/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Madhavan Srinivasan +Date: Wed, 21 Mar 2018 17:10:25 +0530 +Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer + +From: Madhavan Srinivasan + +[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] + +The current Branch History Rolling Buffer (BHRB) code does not check +for any privilege levels before updating the data from BHRB. This +could leak kernel addresses to userspace even when profiling only with +userspace privileges. Add proper checks to prevent it. + +Acked-by: Balbir Singh +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c + /* invalid entry */ + continue; + ++ /* ++ * BHRB rolling buffer could very much contain the kernel ++ * addresses at this point. Check the privileges before ++ * exporting it to userspace (avoid exposure of regions ++ * where we could have speculative execution) ++ */ ++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && ++ is_kernel_addr(addr)) ++ continue; ++ + /* Branches are read most recent first (ie. mfbhrb 0 is + * the most recent branch). + * There are two types of valid entries: diff --git a/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch b/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch new file mode 100644 index 00000000000..768c084826d --- /dev/null +++ b/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch @@ -0,0 +1,370 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Alistair Popple +Date: Fri, 2 Mar 2018 16:18:45 +1100 +Subject: powerpc/powernv/npu: Fix deadlock in mmio_invalidate() + +From: Alistair Popple + +[ Upstream commit 2b74e2a9b39df40a2b489af2d24079617c61ee0e ] + +When sending TLB invalidates to the NPU we need to send extra flushes due +to a hardware issue. The original implementation would lock the all the +ATSD MMIO registers sequentially before unlocking and relocking each of +them sequentially to do the extra flush. + +This introduced a deadlock as it is possible for one thread to hold one +ATSD register whilst waiting for another register to be freed while the +other thread is holding that register waiting for the one in the first +thread to be freed. + +For example if there are two threads and two ATSD registers: + + Thread A Thread B + ---------------------- + Acquire 1 + Acquire 2 + Release 1 Acquire 1 + Wait 1 Wait 2 + +Both threads will be stuck waiting to acquire a register resulting in an +RCU stall warning or soft lockup. + +This patch solves the deadlock by refactoring the code to ensure registers +are not released between flushes and to ensure all registers are either +acquired or released together and in order. + +Fixes: bbd5ff50afff ("powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD") +Signed-off-by: Alistair Popple +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/npu-dma.c | 227 +++++++++++++++++++------------ + 1 file changed, 140 insertions(+), 87 deletions(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -417,6 +417,11 @@ struct npu_context { + void *priv; + }; + ++struct mmio_atsd_reg { ++ struct npu *npu; ++ int reg; ++}; ++ + /* + * Find a free MMIO ATSD register and mark it in use. Return -ENOSPC + * if none are available. +@@ -426,7 +431,7 @@ static int get_mmio_atsd_reg(struct npu + int i; + + for (i = 0; i < npu->mmio_atsd_count; i++) { +- if (!test_and_set_bit(i, &npu->mmio_atsd_usage)) ++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage)) + return i; + } + +@@ -435,86 +440,90 @@ static int get_mmio_atsd_reg(struct npu + + static void put_mmio_atsd_reg(struct npu *npu, int reg) + { +- clear_bit(reg, &npu->mmio_atsd_usage); ++ clear_bit_unlock(reg, &npu->mmio_atsd_usage); + } + + /* MMIO ATSD register offsets */ + #define XTS_ATSD_AVA 1 + #define XTS_ATSD_STAT 2 + +-static int mmio_launch_invalidate(struct npu *npu, unsigned long launch, +- unsigned long va) ++static void mmio_launch_invalidate(struct mmio_atsd_reg *mmio_atsd_reg, ++ unsigned long launch, unsigned long va) + { +- int mmio_atsd_reg; +- +- do { +- mmio_atsd_reg = get_mmio_atsd_reg(npu); +- cpu_relax(); +- } while (mmio_atsd_reg < 0); ++ struct npu *npu = mmio_atsd_reg->npu; ++ int reg = mmio_atsd_reg->reg; + + __raw_writeq(cpu_to_be64(va), +- npu->mmio_atsd_regs[mmio_atsd_reg] + XTS_ATSD_AVA); ++ npu->mmio_atsd_regs[reg] + XTS_ATSD_AVA); + eieio(); +- __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[mmio_atsd_reg]); +- +- return mmio_atsd_reg; ++ __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[reg]); + } + +-static int mmio_invalidate_pid(struct npu *npu, unsigned long pid, bool flush) ++static void mmio_invalidate_pid(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate matching PID */ +- launch = PPC_BIT(12); ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ /* IS set to invalidate matching PID */ ++ launch = PPC_BIT(12); + +- /* PRS set to process-scoped */ +- launch |= PPC_BIT(13); ++ /* PRS set to process-scoped */ ++ launch |= PPC_BIT(13); + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); + +- /* Invalidating the entire process doesn't use a va */ +- return mmio_launch_invalidate(npu, launch, 0); ++ /* Invalidating the entire process doesn't use a va */ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, 0); ++ } + } + +-static int mmio_invalidate_va(struct npu *npu, unsigned long va, +- unsigned long pid, bool flush) ++static void mmio_invalidate_va(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long va, unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate target VA */ +- launch = 0; ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; + +- /* PRS set to process scoped */ +- launch |= PPC_BIT(13); ++ /* IS set to invalidate target VA */ ++ launch = 0; + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* PRS set to process scoped */ ++ launch |= PPC_BIT(13); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- return mmio_launch_invalidate(npu, launch, va); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); ++ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, va); ++ } + } + + #define mn_to_npu_context(x) container_of(x, struct npu_context, mn) + +-struct mmio_atsd_reg { +- struct npu *npu; +- int reg; +-}; +- + static void mmio_invalidate_wait( +- struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], bool flush) ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) + { + struct npu *npu; + int i, reg; +@@ -529,16 +538,67 @@ static void mmio_invalidate_wait( + reg = mmio_atsd_reg[i].reg; + while (__raw_readq(npu->mmio_atsd_regs[reg] + XTS_ATSD_STAT)) + cpu_relax(); ++ } ++} ++ ++/* ++ * Acquires all the address translation shootdown (ATSD) registers required to ++ * launch an ATSD on all links this npu_context is active on. ++ */ ++static void acquire_atsd_reg(struct npu_context *npu_context, ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i, j; ++ struct npu *npu; ++ struct pci_dev *npdev; ++ struct pnv_phb *nphb; ++ ++ for (i = 0; i <= max_npu2_index; i++) { ++ mmio_atsd_reg[i].reg = -1; ++ for (j = 0; j < NV_MAX_LINKS; j++) { ++ /* ++ * There are no ordering requirements with respect to ++ * the setup of struct npu_context, but to ensure ++ * consistent behaviour we need to ensure npdev[][] is ++ * only read once. ++ */ ++ npdev = READ_ONCE(npu_context->npdev[i][j]); ++ if (!npdev) ++ continue; ++ ++ nphb = pci_bus_to_host(npdev->bus)->private_data; ++ npu = &nphb->npu; ++ mmio_atsd_reg[i].npu = npu; ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ while (mmio_atsd_reg[i].reg < 0) { ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ cpu_relax(); ++ } ++ break; ++ } ++ } ++} + +- put_mmio_atsd_reg(npu, reg); ++/* ++ * Release previously acquired ATSD registers. To avoid deadlocks the registers ++ * must be released in the same order they were acquired above in ++ * acquire_atsd_reg. ++ */ ++static void release_atsd_reg(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i; + ++ for (i = 0; i <= max_npu2_index; i++) { + /* +- * The GPU requires two flush ATSDs to ensure all entries have +- * been flushed. We use PID 0 as it will never be used for a +- * process on the GPU. ++ * We can't rely on npu_context->npdev[][] being the same here ++ * as when acquire_atsd_reg() was called, hence we use the ++ * values stored in mmio_atsd_reg during the acquire phase ++ * rather than re-reading npdev[][]. + */ +- if (flush) +- mmio_invalidate_pid(npu, 0, true); ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ put_mmio_atsd_reg(mmio_atsd_reg[i].npu, mmio_atsd_reg[i].reg); + } + } + +@@ -549,10 +609,6 @@ static void mmio_invalidate_wait( + static void mmio_invalidate(struct npu_context *npu_context, int va, + unsigned long address, bool flush) + { +- int i, j; +- struct npu *npu; +- struct pnv_phb *nphb; +- struct pci_dev *npdev; + struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]; + unsigned long pid = npu_context->mm->context.id; + +@@ -568,37 +624,25 @@ static void mmio_invalidate(struct npu_c + * Loop over all the NPUs this process is active on and launch + * an invalidate. + */ +- for (i = 0; i <= max_npu2_index; i++) { +- mmio_atsd_reg[i].reg = -1; +- for (j = 0; j < NV_MAX_LINKS; j++) { +- npdev = npu_context->npdev[i][j]; +- if (!npdev) +- continue; ++ acquire_atsd_reg(npu_context, mmio_atsd_reg); ++ if (va) ++ mmio_invalidate_va(mmio_atsd_reg, address, pid, flush); ++ else ++ mmio_invalidate_pid(mmio_atsd_reg, pid, flush); + +- nphb = pci_bus_to_host(npdev->bus)->private_data; +- npu = &nphb->npu; +- mmio_atsd_reg[i].npu = npu; +- +- if (va) +- mmio_atsd_reg[i].reg = +- mmio_invalidate_va(npu, address, pid, +- flush); +- else +- mmio_atsd_reg[i].reg = +- mmio_invalidate_pid(npu, pid, flush); +- +- /* +- * The NPU hardware forwards the shootdown to all GPUs +- * so we only have to launch one shootdown per NPU. +- */ +- break; +- } ++ mmio_invalidate_wait(mmio_atsd_reg); ++ if (flush) { ++ /* ++ * The GPU requires two flush ATSDs to ensure all entries have ++ * been flushed. We use PID 0 as it will never be used for a ++ * process on the GPU. ++ */ ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); + } +- +- mmio_invalidate_wait(mmio_atsd_reg, flush); +- if (flush) +- /* Wait for the flush to complete */ +- mmio_invalidate_wait(mmio_atsd_reg, false); ++ release_atsd_reg(mmio_atsd_reg); + } + + static void pnv_npu2_mn_release(struct mmu_notifier *mn, +@@ -741,7 +785,16 @@ struct npu_context *pnv_npu2_init_contex + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return ERR_PTR(-ENODEV); +- npu_context->npdev[npu->index][nvlink_index] = npdev; ++ ++ /* ++ * npdev is a pci_dev pointer setup by the PCI code. We assign it to ++ * npdev[][] to indicate to the mmu notifiers that an invalidation ++ * should also be sent over this nvlink. The notifiers don't use any ++ * other fields in npu_context, so we just need to ensure that when they ++ * deference npu_context->npdev[][] it is either a valid pointer or ++ * NULL. ++ */ ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], npdev); + + if (!nphb->npu.nmmu_flush) { + /* +@@ -793,7 +846,7 @@ void pnv_npu2_destroy_context(struct npu + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return; +- npu_context->npdev[npu->index][nvlink_index] = NULL; ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], NULL); + opal_npu_destroy_context(nphb->opal_id, npu_context->mm->context.id, + PCI_DEVID(gpdev->bus->number, gpdev->devfn)); + kref_put(&npu_context->kref, pnv_npu2_release_context); diff --git a/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch b/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch new file mode 100644 index 00000000000..5fe9efb664d --- /dev/null +++ b/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch @@ -0,0 +1,73 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sukadev Bhattiprolu +Date: Fri, 9 Feb 2018 11:49:06 -0600 +Subject: powerpc/vas: Fix cleanup when VAS is not configured + +From: Sukadev Bhattiprolu + +[ Upstream commit 45ddea8a73a25461387eb8e87f3e0ecca084799b ] + +When VAS is not configured, unregister the platform driver. Also simplify +cleanup by delaying vas debugfs init until we know VAS is configured. + +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/vas-debug.c | 11 +++++++++++ + arch/powerpc/platforms/powernv/vas.c | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/platforms/powernv/vas-debug.c ++++ b/arch/powerpc/platforms/powernv/vas-debug.c +@@ -179,6 +179,7 @@ void vas_instance_init_dbgdir(struct vas + { + struct dentry *d; + ++ vas_init_dbgdir(); + if (!vas_debugfs) + return; + +@@ -201,8 +202,18 @@ free_name: + vinst->dbgdir = NULL; + } + ++/* ++ * Set up the "root" VAS debugfs dir. Return if we already set it up ++ * (or failed to) in an earlier instance of VAS. ++ */ + void vas_init_dbgdir(void) + { ++ static bool first_time = true; ++ ++ if (!first_time) ++ return; ++ ++ first_time = false; + vas_debugfs = debugfs_create_dir("vas", NULL); + if (IS_ERR(vas_debugfs)) + vas_debugfs = NULL; +--- a/arch/powerpc/platforms/powernv/vas.c ++++ b/arch/powerpc/platforms/powernv/vas.c +@@ -160,8 +160,6 @@ static int __init vas_init(void) + int found = 0; + struct device_node *dn; + +- vas_init_dbgdir(); +- + platform_driver_register(&vas_driver); + + for_each_compatible_node(dn, NULL, "ibm,vas") { +@@ -169,8 +167,10 @@ static int __init vas_init(void) + found++; + } + +- if (!found) ++ if (!found) { ++ platform_driver_unregister(&vas_driver); + return -ENODEV; ++ } + + pr_devel("Found %d instances\n", found); + diff --git a/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch b/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch new file mode 100644 index 00000000000..bf04319c40d --- /dev/null +++ b/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Tejun Heo +Date: Tue, 9 Jan 2018 10:38:17 -0800 +Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings + +From: Tejun Heo + +[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ] + +When RCU stall warning triggers, it can print out a lot of messages +while holding spinlocks. If the console device is slow (e.g. an +actual or IPMI serial console), it may end up triggering NMI hard +lockup watchdog like the following. + +--- + kernel/rcu/tree_plugin.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -560,8 +560,14 @@ static void rcu_print_detail_task_stall_ + } + t = list_entry(rnp->gp_tasks->prev, + struct task_struct, rcu_node_entry); +- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) ++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { ++ /* ++ * We could be printing a lot while holding a spinlock. ++ * Avoid triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); + sched_show_task(t); ++ } + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +@@ -1677,6 +1683,12 @@ static void print_cpu_stall_info(struct + char *ticks_title; + unsigned long ticks_value; + ++ /* ++ * We could be printing a lot while holding a spinlock. Avoid ++ * triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); ++ + if (rsp->gpnum == rdp->gpnum) { + ticks_title = "ticks this GP"; + ticks_value = rdp->ticks_this_gp; diff --git a/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch b/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch new file mode 100644 index 00000000000..47bf9a77f71 --- /dev/null +++ b/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Charles Keepax +Date: Mon, 12 Feb 2018 18:15:44 +0000 +Subject: regmap: Correct comparison in regmap_cached + +From: Charles Keepax + +[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ] + +The cache pointer points to the actual memory used by the cache, as the +comparison here is looking for the type of the cache it should check +against cache_type. + +Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached") +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -99,7 +99,7 @@ bool regmap_cached(struct regmap *map, u + int ret; + unsigned int val; + +- if (map->cache == REGCACHE_NONE) ++ if (map->cache_type == REGCACHE_NONE) + return false; + + if (!map->cache_ops) diff --git a/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch b/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch new file mode 100644 index 00000000000..ddb3fa7d0ca --- /dev/null +++ b/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 21:33:11 +0100 +Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' + +From: Christophe Jaillet + +[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ] + +Re-order error handling code and gotos to avoid leaks in error handling +paths. + +Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/gpio-regulator.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/regulator/gpio-regulator.c ++++ b/drivers/regulator/gpio-regulator.c +@@ -271,8 +271,7 @@ static int gpio_regulator_probe(struct p + drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL); + if (drvdata->desc.name == NULL) { + dev_err(&pdev->dev, "Failed to allocate supply name\n"); +- ret = -ENOMEM; +- goto err; ++ return -ENOMEM; + } + + if (config->nr_gpios != 0) { +@@ -292,7 +291,7 @@ static int gpio_regulator_probe(struct p + dev_err(&pdev->dev, + "Could not obtain regulator setting GPIOs: %d\n", + ret); +- goto err_memstate; ++ goto err_memgpio; + } + } + +@@ -303,7 +302,7 @@ static int gpio_regulator_probe(struct p + if (drvdata->states == NULL) { + dev_err(&pdev->dev, "Failed to allocate state data\n"); + ret = -ENOMEM; +- goto err_memgpio; ++ goto err_stategpio; + } + drvdata->nr_states = config->nr_states; + +@@ -324,7 +323,7 @@ static int gpio_regulator_probe(struct p + default: + dev_err(&pdev->dev, "No regulator type set\n"); + ret = -EINVAL; +- goto err_memgpio; ++ goto err_memstate; + } + + /* build initial state from gpio init data. */ +@@ -361,22 +360,21 @@ static int gpio_regulator_probe(struct p + if (IS_ERR(drvdata->dev)) { + ret = PTR_ERR(drvdata->dev); + dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); +- goto err_stategpio; ++ goto err_memstate; + } + + platform_set_drvdata(pdev, drvdata); + + return 0; + +-err_stategpio: +- gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memstate: + kfree(drvdata->states); ++err_stategpio: ++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memgpio: + kfree(drvdata->gpios); + err_name: + kfree(drvdata->desc.name); +-err: + return ret; + } + diff --git a/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch b/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch new file mode 100644 index 00000000000..4cc9998dd8b --- /dev/null +++ b/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch @@ -0,0 +1,30 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe JAILLET +Date: Fri, 26 Jan 2018 23:13:44 +0100 +Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' + +From: Christophe JAILLET + +[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ] + +If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must +release the reference on the current 'child' node before returning. + +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/of_regulator.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -321,6 +321,7 @@ int of_regulator_match(struct device *de + dev_err(dev, + "failed to parse DT for regulator %s\n", + child->name); ++ of_node_put(child); + return -EINVAL; + } + match->of_node = of_node_get(child); diff --git a/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch b/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch new file mode 100644 index 00000000000..af24e8f1164 --- /dev/null +++ b/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe JAILLET +Date: Wed, 14 Mar 2018 20:56:37 +0100 +Subject: remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()' + +From: Christophe JAILLET + +[ Upstream commit de6f83f85be94e0b7d0d324c29ccc9d78a6bb4e7 ] + +If 'of_device_get_match_data()' fails, we must undo the previous +'rproc_alloc()' call. + +Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/imx_rproc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -339,8 +339,10 @@ static int imx_rproc_probe(struct platfo + } + + dcfg = of_device_get_match_data(dev); +- if (!dcfg) +- return -EINVAL; ++ if (!dcfg) { ++ ret = -EINVAL; ++ goto err_put_rproc; ++ } + + priv = rproc->priv; + priv->rproc = rproc; diff --git a/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch b/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch new file mode 100644 index 00000000000..0f86f804c72 --- /dev/null +++ b/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch @@ -0,0 +1,210 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Andrea Parri +Date: Fri, 9 Mar 2018 13:13:20 +0100 +Subject: riscv/spinlock: Strengthen implementations with fences + +From: Andrea Parri + +[ Upstream commit 0123f4d76ca63b7b895f40089be0ce4809e392d8 ] + +Current implementations map locking operations using .rl and .aq +annotations. However, this mapping is unsound w.r.t. the kernel +memory consistency model (LKMM) [1]: + +Referring to the "unlock-lock-read-ordering" test reported below, +Daniel wrote: + + "I think an RCpc interpretation of .aq and .rl would in fact + allow the two normal loads in P1 to be reordered [...] + + The intuition would be that the amoswap.w.aq can forward from + the amoswap.w.rl while that's still in the store buffer, and + then the lw x3,0(x4) can also perform while the amoswap.w.rl + is still in the store buffer, all before the l1 x1,0(x2) + executes. That's not forbidden unless the amoswaps are RCsc, + unless I'm missing something. + + Likewise even if the unlock()/lock() is between two stores. + A control dependency might originate from the load part of + the amoswap.w.aq, but there still would have to be something + to ensure that this load part in fact performs after the store + part of the amoswap.w.rl performs globally, and that's not + automatic under RCpc." + +Simulation of the RISC-V memory consistency model confirmed this +expectation. + +In order to "synchronize" LKMM and RISC-V's implementation, this +commit strengthens the implementations of the locking operations +by replacing .rl and .aq with the use of ("lightweigth") fences, +resp., "fence rw, w" and "fence r , rw". + +C unlock-lock-read-ordering + +{} +/* s initially owned by P1 */ + +P0(int *x, int *y) +{ + WRITE_ONCE(*x, 1); + smp_wmb(); + WRITE_ONCE(*y, 1); +} + +P1(int *x, int *y, spinlock_t *s) +{ + int r0; + int r1; + + r0 = READ_ONCE(*y); + spin_unlock(s); + spin_lock(s); + r1 = READ_ONCE(*x); +} + +exists (1:r0=1 /\ 1:r1=0) + +[1] https://marc.info/?l=linux-kernel&m=151930201102853&w=2 + https://groups.google.com/a/groups.riscv.org/forum/#!topic/isa-dev/hKywNHBkAXM + https://marc.info/?l=linux-kernel&m=151633436614259&w=2 + +Signed-off-by: Andrea Parri +Cc: Palmer Dabbelt +Cc: Albert Ou +Cc: Daniel Lustig +Cc: Alan Stern +Cc: Will Deacon +Cc: Peter Zijlstra +Cc: Boqun Feng +Cc: Nicholas Piggin +Cc: David Howells +Cc: Jade Alglave +Cc: Luc Maranget +Cc: "Paul E. McKenney" +Cc: Akira Yokosawa +Cc: Ingo Molnar +Cc: Linus Torvalds +Cc: linux-riscv@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/fence.h | 12 ++++++++++++ + arch/riscv/include/asm/spinlock.h | 29 +++++++++++++++-------------- + 2 files changed, 27 insertions(+), 14 deletions(-) + create mode 100644 arch/riscv/include/asm/fence.h + +--- /dev/null ++++ b/arch/riscv/include/asm/fence.h +@@ -0,0 +1,12 @@ ++#ifndef _ASM_RISCV_FENCE_H ++#define _ASM_RISCV_FENCE_H ++ ++#ifdef CONFIG_SMP ++#define RISCV_ACQUIRE_BARRIER "\tfence r , rw\n" ++#define RISCV_RELEASE_BARRIER "\tfence rw, w\n" ++#else ++#define RISCV_ACQUIRE_BARRIER ++#define RISCV_RELEASE_BARRIER ++#endif ++ ++#endif /* _ASM_RISCV_FENCE_H */ +--- a/arch/riscv/include/asm/spinlock.h ++++ b/arch/riscv/include/asm/spinlock.h +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + /* + * Simple spin lock operations. These provide no fairness guarantees. +@@ -28,10 +29,7 @@ + + static inline void arch_spin_unlock(arch_spinlock_t *lock) + { +- __asm__ __volatile__ ( +- "amoswap.w.rl x0, x0, %0" +- : "=A" (lock->lock) +- :: "memory"); ++ smp_store_release(&lock->lock, 0); + } + + static inline int arch_spin_trylock(arch_spinlock_t *lock) +@@ -39,7 +37,8 @@ static inline int arch_spin_trylock(arch + int tmp = 1, busy; + + __asm__ __volatile__ ( +- "amoswap.w.aq %0, %2, %1" ++ " amoswap.w %0, %2, %1\n" ++ RISCV_ACQUIRE_BARRIER + : "=r" (busy), "+A" (lock->lock) + : "r" (tmp) + : "memory"); +@@ -68,8 +67,9 @@ static inline void arch_read_lock(arch_r + "1: lr.w %1, %0\n" + " bltz %1, 1b\n" + " addi %1, %1, 1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + : "+A" (lock->lock), "=&r" (tmp) + :: "memory"); + } +@@ -82,8 +82,9 @@ static inline void arch_write_lock(arch_ + "1: lr.w %1, %0\n" + " bnez %1, 1b\n" + " li %1, -1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + : "+A" (lock->lock), "=&r" (tmp) + :: "memory"); + } +@@ -96,8 +97,9 @@ static inline int arch_read_trylock(arch + "1: lr.w %1, %0\n" + " bltz %1, 1f\n" + " addi %1, %1, 1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + "1:\n" + : "+A" (lock->lock), "=&r" (busy) + :: "memory"); +@@ -113,8 +115,9 @@ static inline int arch_write_trylock(arc + "1: lr.w %1, %0\n" + " bnez %1, 1f\n" + " li %1, -1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + "1:\n" + : "+A" (lock->lock), "=&r" (busy) + :: "memory"); +@@ -125,7 +128,8 @@ static inline int arch_write_trylock(arc + static inline void arch_read_unlock(arch_rwlock_t *lock) + { + __asm__ __volatile__( +- "amoadd.w.rl x0, %1, %0" ++ RISCV_RELEASE_BARRIER ++ " amoadd.w x0, %1, %0\n" + : "+A" (lock->lock) + : "r" (-1) + : "memory"); +@@ -133,10 +137,7 @@ static inline void arch_read_unlock(arch + + static inline void arch_write_unlock(arch_rwlock_t *lock) + { +- __asm__ __volatile__ ( +- "amoswap.w.rl x0, x0, %0" +- : "=A" (lock->lock) +- :: "memory"); ++ smp_store_release(&lock->lock, 0); + } + + #endif /* _ASM_RISCV_SPINLOCK_H */ diff --git a/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch b/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch new file mode 100644 index 00000000000..14b22328bce --- /dev/null +++ b/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch @@ -0,0 +1,154 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Amitkumar Karwar +Date: Tue, 20 Mar 2018 19:10:41 +0530 +Subject: rsi: fix kernel panic observed on 64bit machine + +From: Amitkumar Karwar + +[ Upstream commit 864db4d5085349fcfa1f260b5bcd2adde3d7f2ed ] + +Following kernel panic is observed on 64bit machine while loading +the driver. It is fixed if we pass dynamically allocated memory to +SDIO for DMA. + +BUG: unable to handle kernel paging request at ffffeb04000172e0 +IP: sg_miter_stop+0x56/0x70 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth +ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle +drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3 +CPU: 0 PID: 4003 Comm: insmod Tainted: G OE 4.16.0-rc1+ #27 +Hardware name: Dell Inc. Latitude E5500 /0DW634, BIOS +A19 06/13/2013 +RIP: 0010:sg_miter_stop+0x56/0x70 +RSP: 0018:ffff88007d003e78 EFLAGS: 00010002 +RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000 +RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80 +RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008 +R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004 +R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004 +FS: 00007f35c29db700(0000) GS:ffff88007d000000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0 +Call Trace: + +sg_copy_buffer+0xc6/0xf0 +sdhci_tasklet_finish+0x170/0x260 [sdhci] +tasklet_action+0xf4/0x100 +__do_softirq+0xef/0x26e +irq_exit+0xbe/0xd0 +do_IRQ+0x4a/0xc0 +common_interrupt+0xa2/0xa2 + + +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +++++++++++++++++++++----------- + drivers/net/wireless/rsi/rsi_sdio.h | 2 ++ + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -636,11 +636,14 @@ static int rsi_sdio_master_reg_read(stru + u32 *read_buf, u16 size) + { + u32 addr_on_bus, *data; +- u32 align[2] = {}; + u16 ms_addr; + int status; + +- data = PTR_ALIGN(&align[0], 8); ++ data = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ data = PTR_ALIGN(data, 8); + + ms_addr = (addr >> 16); + status = rsi_sdio_master_access_msword(adapter, ms_addr); +@@ -648,7 +651,7 @@ static int rsi_sdio_master_reg_read(stru + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); +- return status; ++ goto err; + } + addr &= 0xFFFF; + +@@ -666,7 +669,7 @@ static int rsi_sdio_master_reg_read(stru + (u8 *)data, 4); + if (status < 0) { + rsi_dbg(ERR_ZONE, "%s: AHB register read failed\n", __func__); +- return status; ++ goto err; + } + if (size == 2) { + if ((addr & 0x3) == 0) +@@ -688,17 +691,23 @@ static int rsi_sdio_master_reg_read(stru + *read_buf = *data; + } + +- return 0; ++err: ++ kfree(data); ++ return status; + } + + static int rsi_sdio_master_reg_write(struct rsi_hw *adapter, + unsigned long addr, + unsigned long data, u16 size) + { +- unsigned long data1[2], *data_aligned; ++ unsigned long *data_aligned; + int status; + +- data_aligned = PTR_ALIGN(&data1[0], 8); ++ data_aligned = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data_aligned) ++ return -ENOMEM; ++ ++ data_aligned = PTR_ALIGN(data_aligned, 8); + + if (size == 2) { + *data_aligned = ((data << 16) | (data & 0xFFFF)); +@@ -717,6 +726,7 @@ static int rsi_sdio_master_reg_write(str + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); ++ kfree(data_aligned); + return -EIO; + } + addr = addr & 0xFFFF; +@@ -726,12 +736,12 @@ static int rsi_sdio_master_reg_write(str + (adapter, + (addr | RSI_SD_REQUEST_MASTER), + (u8 *)data_aligned, size); +- if (status < 0) { ++ if (status < 0) + rsi_dbg(ERR_ZONE, + "%s: Unable to do AHB reg write\n", __func__); +- return status; +- } +- return 0; ++ ++ kfree(data_aligned); ++ return status; + } + + /** +--- a/drivers/net/wireless/rsi/rsi_sdio.h ++++ b/drivers/net/wireless/rsi/rsi_sdio.h +@@ -46,6 +46,8 @@ enum sdio_interrupt_type { + #define PKT_BUFF_AVAILABLE 1 + #define FW_ASSERT_IND 2 + ++#define RSI_MASTER_REG_BUF_SIZE 12 ++ + #define RSI_DEVICE_BUFFER_STATUS_REGISTER 0xf3 + #define RSI_FN1_INT_REGISTER 0xf9 + #define RSI_INT_ENABLE_REGISTER 0x04 diff --git a/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch b/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch new file mode 100644 index 00000000000..6ed4901042e --- /dev/null +++ b/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:44 +0100 +Subject: rxrpc: Don't treat call aborts as conn aborts + +From: David Howells + +[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ] + +If a call-level abort is received for the previous call to complete on a +connection channel, then that abort is queued for the connection processor +to handle. Unfortunately, the connection processor then assumes without +checking that the abort is connection-level (ie. callNumber is 0) and +distributes it over all active calls on that connection, thereby +incorrectly aborting them. + +Fix this by discarding aborts aimed at a completed call. + +Further, discard all packets aimed at a call that's complete if there's +currently an active call on a channel, since the DATA packets associated +with the new call automatically terminate the old call. + +Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/input.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -1240,16 +1240,19 @@ void rxrpc_data_ready(struct sock *udp_s + goto discard_unlock; + + if (sp->hdr.callNumber == chan->last_call) { +- /* For the previous service call, if completed successfully, we +- * discard all further packets. ++ if (chan->call || ++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) ++ goto discard_unlock; ++ ++ /* For the previous service call, if completed ++ * successfully, we discard all further packets. + */ + if (rxrpc_conn_is_service(conn) && +- (chan->last_type == RXRPC_PACKET_TYPE_ACK || +- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)) ++ chan->last_type == RXRPC_PACKET_TYPE_ACK) + goto discard_unlock; + +- /* But otherwise we need to retransmit the final packet from +- * data cached in the connection record. ++ /* But otherwise we need to retransmit the final packet ++ * from data cached in the connection record. + */ + rxrpc_post_packet_to_conn(conn, skb); + goto out_unlock; diff --git a/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch b/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch new file mode 100644 index 00000000000..54ed5a93bef --- /dev/null +++ b/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Marc Dionne +Date: Fri, 30 Mar 2018 21:04:44 +0100 +Subject: rxrpc: Fix resend event time calculation + +From: Marc Dionne + +[ Upstream commit 59299aa1028fce051adbd25aaff7c387b865cd6d ] + +Commit a158bdd3 ("rxrpc: Fix call timeouts") reworked the time calculation +for the next resend event. For this calculation, "oldest" will be before +"now", so ktime_sub(oldest, now) will yield a negative value. When passed +to nsecs_to_jiffies which expects an unsigned value, the end result will be +a very large value, and a resend event scheduled far into the future. This +could cause calls to stall if some packets were lost. + +Fix by ordering the arguments to ktime_sub correctly. + +Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -225,7 +225,7 @@ static void rxrpc_resend(struct rxrpc_ca + ktime_to_ns(ktime_sub(skb->tstamp, max_age))); + } + +- resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(oldest, now))); ++ resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(now, oldest))); + resend_at += jiffies + rxrpc_resend_timeout; + WRITE_ONCE(call->resend_at, resend_at); + diff --git a/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch b/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch new file mode 100644 index 00000000000..445e49fcd1a --- /dev/null +++ b/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:43 +0100 +Subject: rxrpc: Fix Tx ring annotation after initial Tx failure + +From: David Howells + +[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ] + +rxrpc calls have a ring of packets that are awaiting ACK or retransmission +and a parallel ring of annotations that tracks the state of those packets. +If the initial transmission of a packet on the underlying UDP socket fails +then the packet annotation is marked for resend - but the setting of this +mark accidentally erases the last-packet mark also stored in the same +annotation slot. If this happens, a call won't switch out of the Tx phase +when all the packets have been transmitted. + +Fix this by retaining the last-packet mark and only altering the packet +state. + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/sendmsg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -130,7 +130,9 @@ static inline void rxrpc_instant_resend( + spin_lock_bh(&call->lock); + + if (call->state < RXRPC_CALL_COMPLETE) { +- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS; ++ call->rxtx_annotations[ix] = ++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) | ++ RXRPC_TX_ANNO_RETRANS; + if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events)) + rxrpc_queue_call(call); + } diff --git a/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch b/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch new file mode 100644 index 00000000000..475e0f1d647 --- /dev/null +++ b/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Davidlohr Bueso +Date: Mon, 2 Apr 2018 09:49:54 -0700 +Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning + +From: Davidlohr Bueso + +[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ] + +While running rt-tests' pi_stress program I got the following splat: + + rq->clock_update_flags < RQCF_ACT_SKIP + WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20 + + [...] + + + enqueue_top_rt_rq+0xf4/0x150 + ? cpufreq_dbs_governor_start+0x170/0x170 + sched_rt_rq_enqueue+0x65/0x80 + sched_rt_period_timer+0x156/0x360 + ? sched_rt_rq_enqueue+0x80/0x80 + __hrtimer_run_queues+0xfa/0x260 + hrtimer_interrupt+0xcb/0x220 + smp_apic_timer_interrupt+0x62/0x120 + apic_timer_interrupt+0xf/0x20 + + + [...] + + do_idle+0x183/0x1e0 + cpu_startup_entry+0x5f/0x70 + start_secondary+0x192/0x1d0 + secondary_startup_64+0xa5/0xb0 + +We can get rid of it be the "traditional" means of adding an +update_rq_clock() call after acquiring the rq->lock in +do_sched_rt_period_timer(). + +The case for the RT task throttling (which this workload also hits) +can be ignored in that the skip_update call is actually bogus and +quite the contrary (the request bits are removed/reverted). + +By setting RQCF_UPDATED we really don't care if the skip is happening +or not and will therefore make the assert_clock_updated() check happy. + +Signed-off-by: Davidlohr Bueso +Reviewed-by: Matt Fleming +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Thomas Gleixner +Cc: dave@stgolabs.net +Cc: linux-kernel@vger.kernel.org +Cc: rostedt@goodmis.org +Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/rt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -843,6 +843,8 @@ static int do_sched_rt_period_timer(stru + continue; + + raw_spin_lock(&rq->lock); ++ update_rq_clock(rq); ++ + if (rt_rq->rt_time) { + u64 runtime; + diff --git a/queue-4.16/selftests-add-fib-onlink-tests.patch b/queue-4.16/selftests-add-fib-onlink-tests.patch new file mode 100644 index 00000000000..d33c830f8a0 --- /dev/null +++ b/queue-4.16/selftests-add-fib-onlink-tests.patch @@ -0,0 +1,399 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: David Ahern +Date: Tue, 13 Feb 2018 08:44:06 -0800 +Subject: selftests: Add FIB onlink tests + +From: David Ahern + +[ Upstream commit 153e1b84f477f716bc3f81e6cfae1a3d941fc7ec ] + +Add test cases verifying FIB onlink commands work as expected in +various conditions - IPv4, IPv6, main table, and VRF. + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 375 ++++++++++++++++++++++++ + 1 file changed, 375 insertions(+) + create mode 100644 tools/testing/selftests/net/fib-onlink-tests.sh + +--- /dev/null ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -0,0 +1,375 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++# IPv4 and IPv6 onlink tests ++ ++PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} ++ ++# Network interfaces ++# - odd in current namespace; even in peer ns ++declare -A NETIFS ++# default VRF ++NETIFS[p1]=veth1 ++NETIFS[p2]=veth2 ++NETIFS[p3]=veth3 ++NETIFS[p4]=veth4 ++# VRF ++NETIFS[p5]=veth5 ++NETIFS[p6]=veth6 ++NETIFS[p7]=veth7 ++NETIFS[p8]=veth8 ++ ++# /24 network ++declare -A V4ADDRS ++V4ADDRS[p1]=169.254.1.1 ++V4ADDRS[p2]=169.254.1.2 ++V4ADDRS[p3]=169.254.3.1 ++V4ADDRS[p4]=169.254.3.2 ++V4ADDRS[p5]=169.254.5.1 ++V4ADDRS[p6]=169.254.5.2 ++V4ADDRS[p7]=169.254.7.1 ++V4ADDRS[p8]=169.254.7.2 ++ ++# /64 network ++declare -A V6ADDRS ++V6ADDRS[p1]=2001:db8:101::1 ++V6ADDRS[p2]=2001:db8:101::2 ++V6ADDRS[p3]=2001:db8:301::1 ++V6ADDRS[p4]=2001:db8:301::2 ++V6ADDRS[p5]=2001:db8:501::1 ++V6ADDRS[p6]=2001:db8:501::2 ++V6ADDRS[p7]=2001:db8:701::1 ++V6ADDRS[p8]=2001:db8:701::2 ++ ++# Test networks: ++# [1] = default table ++# [2] = VRF ++# ++# /32 host routes ++declare -A TEST_NET4 ++TEST_NET4[1]=169.254.101 ++TEST_NET4[2]=169.254.102 ++# /128 host routes ++declare -A TEST_NET6 ++TEST_NET6[1]=2001:db8:101 ++TEST_NET6[2]=2001:db8:102 ++ ++# connected gateway ++CONGW[1]=169.254.1.254 ++CONGW[2]=169.254.5.254 ++ ++# recursive gateway ++RECGW4[1]=169.254.11.254 ++RECGW4[2]=169.254.12.254 ++RECGW6[1]=2001:db8:11::64 ++RECGW6[2]=2001:db8:12::64 ++ ++# for v4 mapped to v6 ++declare -A TEST_NET4IN6IN6 ++TEST_NET4IN6[1]=10.1.1.254 ++TEST_NET4IN6[2]=10.2.1.254 ++ ++# mcast address ++MCAST6=ff02::1 ++ ++ ++PEER_NS=bart ++PEER_CMD="ip netns exec ${PEER_NS}" ++VRF=lisa ++VRF_TABLE=1101 ++PBR_TABLE=101 ++ ++################################################################################ ++# utilities ++ ++log_test() ++{ ++ local rc=$1 ++ local expected=$2 ++ local msg="$3" ++ ++ if [ ${rc} -eq ${expected} ]; then ++ nsuccess=$((nsuccess+1)) ++ printf "\n TEST: %-50s [ OK ]\n" "${msg}" ++ else ++ nfail=$((nfail+1)) ++ printf "\n TEST: %-50s [FAIL]\n" "${msg}" ++ if [ "${PAUSE_ON_FAIL}" = "yes" ]; then ++ echo ++ echo "hit enter to continue, 'q' to quit" ++ read a ++ [ "$a" = "q" ] && exit 1 ++ fi ++ fi ++} ++ ++log_section() ++{ ++ echo ++ echo "######################################################################" ++ echo "TEST SECTION: $*" ++ echo "######################################################################" ++} ++ ++log_subsection() ++{ ++ echo ++ echo "#########################################" ++ echo "TEST SUBSECTION: $*" ++} ++ ++run_cmd() ++{ ++ echo ++ echo "COMMAND: $*" ++ eval $* ++} ++ ++get_linklocal() ++{ ++ local dev=$1 ++ local pfx ++ local addr ++ ++ addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ awk '{ ++ for (i = 3; i <= NF; ++i) { ++ if ($i ~ /^fe80/) ++ print $i ++ } ++ }' ++ ) ++ addr=${addr/\/*} ++ ++ [ -z "$addr" ] && return 1 ++ ++ echo $addr ++ ++ return 0 ++} ++ ++################################################################################ ++# ++ ++setup() ++{ ++ echo ++ echo "########################################" ++ echo "Configuring interfaces" ++ ++ set -e ++ ++ # create namespace ++ ip netns add ${PEER_NS} ++ ip -netns ${PEER_NS} li set lo up ++ ++ # add vrf table ++ ip li add ${VRF} type vrf table ${VRF_TABLE} ++ ip li set ${VRF} up ++ ip ro add table ${VRF_TABLE} unreachable default ++ ip -6 ro add table ${VRF_TABLE} unreachable default ++ ++ # create test interfaces ++ ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ++ # enslave vrf interfaces ++ for n in 5 7; do ++ ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ done ++ ++ # add addresses ++ for n in 1 3 5 7; do ++ ip li set ${NETIFS[p${n}]} up ++ ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ done ++ ++ # move peer interfaces to namespace and add addresses ++ for n in 2 4 6 8; do ++ ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up ++ ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ done ++ ++ set +e ++ ++ # let DAD complete - assume default of 1 probe ++ sleep 1 ++} ++ ++cleanup() ++{ ++ # make sure we start from a clean slate ++ ip netns del ${PEER_NS} 2>/dev/null ++ for n in 1 3 5 7; do ++ ip link del ${NETIFS[p${n}]} 2>/dev/null ++ done ++ ip link del ${VRF} 2>/dev/null ++ ip ro flush table ${VRF_TABLE} ++ ip -6 ro flush table ${VRF_TABLE} ++} ++ ++################################################################################ ++# IPv4 tests ++# ++ ++run_ip() ++{ ++ local table="$1" ++ local prefix="$2" ++ local gw="$3" ++ local dev="$4" ++ local exp_rc="$5" ++ local desc="$6" ++ ++ # dev arg may be empty ++ [ -n "${dev}" ] && dev="dev ${dev}" ++ ++ run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ log_test $? ${exp_rc} "${desc}" ++} ++ ++valid_onlink_ipv4() ++{ ++ # - unicast connected, unicast recursive ++ # ++ log_subsection "default VRF - main table" ++ ++ run_ip 254 ${TEST_NET4[1]}.1 ${CONGW[1]} ${NETIFS[p1]} 0 "unicast connected" ++ run_ip 254 ${TEST_NET4[1]}.2 ${RECGW4[1]} ${NETIFS[p1]} 0 "unicast recursive" ++ ++ log_subsection "VRF ${VRF}" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.1 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected" ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.2 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ ++ log_subsection "VRF device, PBR table" ++ ++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.3 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected" ++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.4 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive" ++} ++ ++invalid_onlink_ipv4() ++{ ++ run_ip 254 ${TEST_NET4[1]}.11 ${V4ADDRS[p1]} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local unicast address" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.11 ${V4ADDRS[p5]} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local unicast address, VRF" ++ ++ run_ip 254 ${TEST_NET4[1]}.101 ${V4ADDRS[p1]} "" 2 "No nexthop device given" ++ ++ run_ip 254 ${TEST_NET4[1]}.102 ${V4ADDRS[p3]} ${NETIFS[p1]} 2 \ ++ "Gateway resolves to wrong nexthop device" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.103 ${V4ADDRS[p7]} ${NETIFS[p5]} 2 \ ++ "Gateway resolves to wrong nexthop device - VRF" ++} ++ ++################################################################################ ++# IPv6 tests ++# ++ ++run_ip6() ++{ ++ local table="$1" ++ local prefix="$2" ++ local gw="$3" ++ local dev="$4" ++ local exp_rc="$5" ++ local desc="$6" ++ ++ # dev arg may be empty ++ [ -n "${dev}" ] && dev="dev ${dev}" ++ ++ run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ log_test $? ${exp_rc} "${desc}" ++} ++ ++valid_onlink_ipv6() ++{ ++ # - unicast connected, unicast recursive, v4-mapped ++ # ++ log_subsection "default VRF - main table" ++ ++ run_ip6 254 ${TEST_NET6[1]}::1 ${V6ADDRS[p1]/::*}::64 ${NETIFS[p1]} 0 "unicast connected" ++ run_ip6 254 ${TEST_NET6[1]}::2 ${RECGW6[1]} ${NETIFS[p1]} 0 "unicast recursive" ++ run_ip6 254 ${TEST_NET6[1]}::3 ::ffff:${TEST_NET4IN6[1]} ${NETIFS[p1]} 0 "v4-mapped" ++ ++ log_subsection "VRF ${VRF}" ++ ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::1 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::2 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::3 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped" ++ ++ log_subsection "VRF device, PBR table" ++ ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::4 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected" ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::5 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::6 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped" ++} ++ ++invalid_onlink_ipv6() ++{ ++ local lladdr ++ ++ lladdr=$(get_linklocal ${NETIFS[p1]}) || return 1 ++ ++ run_ip6 254 ${TEST_NET6[1]}::11 ${V6ADDRS[p1]} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local unicast address" ++ run_ip6 254 ${TEST_NET6[1]}::12 ${lladdr} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local linklocal address" ++ run_ip6 254 ${TEST_NET6[1]}::12 ${MCAST6} ${NETIFS[p1]} 2 \ ++ "Invalid gw - multicast address" ++ ++ lladdr=$(get_linklocal ${NETIFS[p5]}) || return 1 ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::11 ${V6ADDRS[p5]} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local unicast address, VRF" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${lladdr} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local linklocal address, VRF" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${MCAST6} ${NETIFS[p5]} 2 \ ++ "Invalid gw - multicast address, VRF" ++ ++ run_ip6 254 ${TEST_NET6[1]}::101 ${V6ADDRS[p1]} "" 2 \ ++ "No nexthop device given" ++ ++ # default VRF validation is done against LOCAL table ++ # run_ip6 254 ${TEST_NET6[1]}::102 ${V6ADDRS[p3]/::[0-9]/::64} ${NETIFS[p1]} 2 \ ++ # "Gateway resolves to wrong nexthop device" ++ ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::103 ${V6ADDRS[p7]/::[0-9]/::64} ${NETIFS[p5]} 2 \ ++ "Gateway resolves to wrong nexthop device - VRF" ++} ++ ++run_onlink_tests() ++{ ++ log_section "IPv4 onlink" ++ log_subsection "Valid onlink commands" ++ valid_onlink_ipv4 ++ log_subsection "Invalid onlink commands" ++ invalid_onlink_ipv4 ++ ++ log_section "IPv6 onlink" ++ log_subsection "Valid onlink commands" ++ valid_onlink_ipv6 ++ invalid_onlink_ipv6 ++} ++ ++################################################################################ ++# main ++ ++nsuccess=0 ++nfail=0 ++ ++cleanup ++setup ++run_onlink_tests ++cleanup ++ ++if [ "$TESTS" != "none" ]; then ++ printf "\nTests passed: %3d\n" ${nsuccess} ++ printf "Tests failed: %3d\n" ${nfail} ++fi diff --git a/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch b/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch new file mode 100644 index 00000000000..03f1d9a64c0 --- /dev/null +++ b/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Prashant Bhole +Date: Thu, 15 Feb 2018 09:19:26 +0900 +Subject: selftests/net: fixes psock_fanout eBPF test case + +From: Prashant Bhole + +[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ] + +eBPF test fails due to verifier failure because log_buf is too small. +Fixed by increasing log_buf size + +Signed-off-by: Prashant Bhole +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/psock_fanout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -128,6 +128,8 @@ static void sock_fanout_getopts(int fd, + + static void sock_fanout_set_ebpf(int fd) + { ++ static char log_buf[65536]; ++ + const int len_off = __builtin_offsetof(struct __sk_buff, len); + struct bpf_insn prog[] = { + { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 }, +@@ -140,7 +142,6 @@ static void sock_fanout_set_ebpf(int fd) + { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 }, + { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } + }; +- char log_buf[512]; + union bpf_attr attr; + int pfd; + diff --git a/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch b/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch new file mode 100644 index 00000000000..8aee858d325 --- /dev/null +++ b/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Michael Ellerman +Date: Fri, 23 Mar 2018 20:44:27 +1100 +Subject: selftests: Print the test we're running to /dev/kmsg + +From: Michael Ellerman + +[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ] + +Some tests cause the kernel to print things to the kernel log +buffer (ie. printk), in particular oops and warnings etc. However when +running all the tests in succession it's not always obvious which +test(s) caused the kernel to print something. + +We can narrow it down by printing which test directory we're running +in to /dev/kmsg, if it's writable. + +Example output: + + [ 170.149149] kselftest: Running tests in powerpc + [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes + left + [ 808.915456] kselftest: Running tests in pstore + +Signed-off-by: Michael Ellerman +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -130,6 +130,7 @@ ifdef INSTALL_PATH + BUILD_TARGET=$$BUILD/$$TARGET; \ + echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \ + echo "echo ========================================" >> $(ALL_SCRIPT); \ ++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \ + echo "cd $$TARGET" >> $(ALL_SCRIPT); \ + make -s --no-print-directory OUTPUT=$$BUILD_TARGET -C $$TARGET emit_tests >> $(ALL_SCRIPT); \ + echo "cd \$$ROOT" >> $(ALL_SCRIPT); \ diff --git a/queue-4.16/series b/queue-4.16/series index 44856d237f0..6c3ace6a8c5 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -42,3 +42,229 @@ kvm-x86-update-cpuid-properly-when-cr4.osxave-or-cr4.pke-is-changed.patch kvm-x86-ia32_arch_capabilities-is-always-supported.patch x86-kvm-fix-lapic-timer-drift-when-guest-uses-periodic-mode.patch arm-dts-sun4i-fix-incorrect-clocks-for-displays.patch +sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch +firmware-dmi_scan-fix-uuid-length-safety-check.patch +nvme-don-t-send-keep-alives-to-the-discovery-controller.patch +btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch +btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch +x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch +x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch +bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch +nvme-expand-nvmf_check_if_ready-checks.patch +fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch +kasan-fix-invalid-free-test-crashing-the-kernel.patch +kasan-slub-fix-handling-of-kasan_slab_free-hook.patch +swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch +z3fold-fix-memory-leak.patch +sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch +force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch +cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch +powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch +perf-tools-fix-perf-builds-with-clang-support.patch +perf-clang-add-support-for-recent-clang-versions.patch +dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch +arm-dts-ls1021a-specify-tbipa-register-address.patch +ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch +genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch +mm-ksm-fix-interaction-with-thp.patch +mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch +mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch +btrfs-bail-out-on-error-during-replay_dir_deletes.patch +btrfs-fix-null-pointer-dereference-in-log_dir_items.patch +btrfs-fix-possible-softlock-on-single-core-machines.patch +ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch +ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch +powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch +sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch +x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch +kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch +lan78xx-connect-phy-early.patch +fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch +dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch +sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch +riscv-spinlock-strengthen-implementations-with-fences.patch +platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch +net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch +net-bgmac-correctly-annotate-register-space.patch +bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch +powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch +btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch +btrfs-fix-copy_items-return-value-when-logging-an-inode.patch +btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch +btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch +rxrpc-fix-resend-event-time-calculation.patch +rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch +rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch +xen-acpi-off-by-one-in-read_acpi_id.patch +drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch +acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch +powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch +ieee802154-ca8210-fix-uninitialised-data-read.patch +ath10k-advertize-beacon_int_min_gcd.patch +iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch +intel_th-use-correct-method-of-finding-hub.patch +m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch +iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch +iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch +net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch +parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch +perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch +hwmon-nct6775-fix-writing-pwmx_mode.patch +mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch +mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch +powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch +powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch +rsi-fix-kernel-panic-observed-on-64bit-machine.patch +tools-thermal-tmon-fix-for-segfault.patch +selftests-print-the-test-we-re-running-to-dev-kmsg.patch +i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch +net-mlx5-protect-from-command-bit-overflow.patch +watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch +net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch +net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch +net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch +net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch +ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch +nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch +nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch +ath9k-fix-crash-in-spectral-scan.patch +btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch +cxgb4-setup-fw-queues-before-registering-netdev.patch +hv_netvsc-fix-the-return-status-in-rx-path.patch +ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch +ima-fallback-to-the-builtin-hash-algorithm.patch +watchdog-aspeed-allow-configuring-for-alternate-boot.patch +gfs2-check-for-the-end-of-metadata-in-punch_hole.patch +virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch +arm-dts-socfpga-fix-gic-ppi-warning.patch +ima-clear-ima_hash.patch +ext4-don-t-complain-about-incorrect-features-when-probing.patch +drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch +iommu-mediatek-fix-protect-memory-setting.patch +cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch +firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch +ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch +zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch +bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch +remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch +dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch +bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch +acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch +acpica-fix-memory-leak-on-unusual-memory-leak.patch +bcache-stop-dc-writeback_rate_update-properly.patch +acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch +cxgb4-fix-queue-free-path-of-uld-drivers.patch +i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch +kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch +perf-top-fix-top.call-graph-config-option-reading.patch +perf-stat-fix-core-dump-when-flag-t-is-used.patch +ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch +drm-amdkfd-add-missing-include-of-mm.h.patch +coresight-use-px-to-print-pcsr-instead-of-p.patch +ibmvnic-fix-reset-return-from-closed-state.patch +regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch +spi-bcm-qspi-fix-some-error-handling-paths.patch +net-smc-pay-attention-to-max_order-for-cq-entries.patch +mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch +powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch +pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch +watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch +watchdog-dw-rmw-the-control-register.patch +watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch +ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch +drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch +drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch +powerpc-add-missing-prototype-for-arch_irq_work_raise.patch +powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch +f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch +cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch +f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch +f2fs-fix-to-clear-cp_trimmed_flag.patch +f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch +perf-core-fix-installing-cgroup-events-on-cpu.patch +max17042-propagate-of_node-to-power-supply-device.patch +perf-core-fix-perf_output_read_group.patch +drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch +hwmon-pmbus-max8688-accept-negative-page-register-values.patch +hwmon-pmbus-adm1275-accept-negative-page-register-values.patch +perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch +cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch +efi-arm-only-register-page-tables-when-they-exist.patch +perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch +perf-x86-intel-fix-event-update-for-auto-reload.patch +arm64-dts-qcom-fix-spi5-config-on-msm8996.patch +soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch +gfs2-fix-fallocate-chunk-size.patch +x86-devicetree-initialize-device-tree-before-using-it.patch +x86-devicetree-fix-device-irq-settings-in-dt.patch +phy-rockchip-emmc-retry-calpad-busy-trimming.patch +alsa-vmaster-propagate-slave-error.patch +phy-qcom-qmp-fix-phy-pipe-clock-gating.patch +drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch +drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch +tools-hv-fix-compiler-warnings-about-major-target_fname.patch +block-null_blk-fix-invalid-parameters-when-loading-module.patch +dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch +arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch +powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch +i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch +dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch +enic-enable-rq-before-updating-rq-descriptors.patch +watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch +hwrng-stm32-add-reset-during-probe.patch +pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch +pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch +vfio-ccw-fence-off-transport-mode.patch +dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch +drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch +arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch +drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch +drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch +ibmvnic-allocate-statistics-buffers-during-probe.patch +net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch +net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch +cpufreq-reorder-cpufreq_online-error-code-path.patch +dpaa_eth-fix-sg-mapping.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch +udf-provide-saner-default-for-invalid-uid-gid.patch +fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch +ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch +sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch +power-supply-ltc2941-battery-gauge-fix-temperature-units.patch +arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch +arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch +pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch +hwrng-bcm2835-handle-deferred-clock-properly.patch +audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch +net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch +rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch +pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch +dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch +drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch +dpaa_eth-fix-pause-capability-advertisement-logic.patch +mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch +soc-renesas-r8a77970-sysc-fix-power-area-parents.patch +drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch +x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch +perf-test-fix-test-case-inet_pton-to-accept-inlines.patch +perf-report-fix-wrong-jump-arrow.patch +perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch +perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch +perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch +selftests-net-fixes-psock_fanout-ebpf-test-case.patch +drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch +netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch +selftests-add-fib-onlink-tests.patch +arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch +arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch +regmap-correct-comparison-in-regmap_cached.patch +soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch +i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch +arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch +arm-dts-porter-fix-hdmi-output-routing.patch +regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch +pinctrl-msm-use-dynamic-gpio-numbering.patch +pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch +kdb-make-mdr-command-repeat.patch diff --git a/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch b/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch new file mode 100644 index 00000000000..8b30121385b --- /dev/null +++ b/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Rich Felker +Date: Thu, 15 Mar 2018 20:01:36 -0400 +Subject: sh: fix debug trap failure to process signals before return to user + +From: Rich Felker + +[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ] + +When responding to a debug trap (breakpoint) in userspace, the +kernel's trap handler raised SIGTRAP but returned from the trap via a +code path that ignored pending signals, resulting in an infinite loop +re-executing the trapping instruction. + +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/entry-common.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -255,7 +255,7 @@ debug_trap: + mov.l @r8, r8 + jsr @r8 + nop +- bra __restore_all ++ bra ret_from_exception + nop + CFI_ENDPROC + diff --git a/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch b/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch new file mode 100644 index 00000000000..2d56b0da7be --- /dev/null +++ b/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sergei Shtylyov +Date: Sat, 24 Feb 2018 22:41:45 +0300 +Subject: sh_eth: fix TSU init on SH7734/R8A7740 + +From: Sergei Shtylyov + +[ Upstream commit a94cf2a614f8bc5b2b33c708626ce695bf71e424 ] + +It appears that the single port Ether controllers having TSU (like SH7734/ +R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100 +currently has -- they also don't have the TSU registers related e.g. to +passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port' +flag and use it as a new criterion for taking a "short path" in the TSU +init sequence in order to avoid writing to the non-existent registers... + +Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734") +Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740") +Signed-off-by: Sergei Shtylyov +Tested-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 6 +++++- + drivers/net/ethernet/renesas/sh_eth.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -763,6 +763,7 @@ static struct sh_eth_cpu_data sh7757_dat + .rpadir = 1, + .rpadir_value = 2 << 16, + .rtrate = 1, ++ .dual_port = 1, + }; + + #define SH_GIGA_ETH_BASE 0xfee00000UL +@@ -841,6 +842,7 @@ static struct sh_eth_cpu_data sh7757_dat + .no_trimd = 1, + .no_ade = 1, + .tsu = 1, ++ .dual_port = 1, + }; + + /* SH7734 */ +@@ -911,6 +913,7 @@ static struct sh_eth_cpu_data sh7763_dat + .tsu = 1, + .irq_flags = IRQF_SHARED, + .magic = 1, ++ .dual_port = 1, + }; + + static struct sh_eth_cpu_data sh7619_data = { +@@ -943,6 +946,7 @@ static struct sh_eth_cpu_data sh771x_dat + EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP | + EESIPR_PREIP | EESIPR_CERFIP, + .tsu = 1, ++ .dual_port = 1, + }; + + static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd) +@@ -2932,7 +2936,7 @@ static int sh_eth_vlan_rx_kill_vid(struc + /* SuperH's TSU register init function */ + static void sh_eth_tsu_init(struct sh_eth_private *mdp) + { +- if (sh_eth_is_rz_fast_ether(mdp)) { ++ if (!mdp->cd->dual_port) { + sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */ + sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL, + TSU_FWSLC); /* Enable POST registers */ +--- a/drivers/net/ethernet/renesas/sh_eth.h ++++ b/drivers/net/ethernet/renesas/sh_eth.h +@@ -509,6 +509,7 @@ struct sh_eth_cpu_data { + unsigned rmiimode:1; /* EtherC has RMIIMODE register */ + unsigned rtrate:1; /* EtherC has RTRATE register */ + unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */ ++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */ + }; + + struct sh_eth_private { diff --git a/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch b/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch new file mode 100644 index 00000000000..7de69030265 --- /dev/null +++ b/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Heiner Kallweit +Date: Thu, 21 Dec 2017 20:41:02 +0100 +Subject: soc: amlogic: meson-gx-pwrc-vpu: fix error on shutdown when domain is powered off + +From: Heiner Kallweit + +[ Upstream commit 87f88732d25e6175cb4faa8070658f604660d720 ] + +When operating the system headless headless, the domain is never +powered on, leaving the clocks disabled. The shutdown function then +tries to disable the already disabled clocks, resulting in errors. +Therefore call meson_gx_pwrc_vpu_power_off() only if domain is +powered on. +This patch fixes the described issue on my system (Odorid-C2). + +Fixes: 339cd0ea0822 "soc: amlogic: meson-gx-pwrc-vpu: fix power-off when powered by bootloader" +Signed-off-by: Heiner Kallweit +Reviewed-by: Neil Armstrong +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/amlogic/meson-gx-pwrc-vpu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/soc/amlogic/meson-gx-pwrc-vpu.c ++++ b/drivers/soc/amlogic/meson-gx-pwrc-vpu.c +@@ -224,7 +224,11 @@ static int meson_gx_pwrc_vpu_probe(struc + + static void meson_gx_pwrc_vpu_shutdown(struct platform_device *pdev) + { +- meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd); ++ bool powered_off; ++ ++ powered_off = meson_gx_pwrc_vpu_get_power(&vpu_hdmi_pd); ++ if (!powered_off) ++ meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd); + } + + static const struct of_device_id meson_gx_pwrc_vpu_match_table[] = { diff --git a/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch b/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch new file mode 100644 index 00000000000..07792d38f46 --- /dev/null +++ b/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Bjorn Andersson +Date: Tue, 27 Feb 2018 16:45:25 -0800 +Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload + +From: Bjorn Andersson + +[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ] + +hdr.len includes both the size of the header and the fragment, so using +this when stepping through the firmware causes us to skip 16 bytes every +chunk of 3072 bytes; causing only the first fragment to actually be +valid data. + +Instead use fragment size steps through the firmware blob. + +Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client") +Reported-by: Will Newton +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/wcnss_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/wcnss_ctrl.c ++++ b/drivers/soc/qcom/wcnss_ctrl.c +@@ -249,7 +249,7 @@ static int wcnss_download_nv(struct wcns + /* Increment for next fragment */ + req->seq++; + +- data += req->hdr.len; ++ data += NV_FRAGMENT_SIZE; + left -= NV_FRAGMENT_SIZE; + } while (left > 0); + diff --git a/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch b/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch new file mode 100644 index 00000000000..e1f3a6f212c --- /dev/null +++ b/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Sergei Shtylyov +Date: Fri, 16 Feb 2018 23:09:48 +0300 +Subject: soc: renesas: r8a77970-sysc: fix power area parents + +From: Sergei Shtylyov + +[ Upstream commit 40d5c8e94751f4a4fa4e0e27e3805e201a4e79c0 ] + +According to the figure 9.2(b) of the R-Car Series, 3rd Generation User’s +Manual: Hardware Rev. 0.80 the A2IRn and A2SCn power areas in R8A77970 have +the A3IR area as a parent, thus the SYSC driver has those parents wrong... + +Fixes: bab9b2a74fe9 ("soc: renesas: rcar-sysc: add R8A77970 support") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/renesas/r8a77970-sysc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/soc/renesas/r8a77970-sysc.c ++++ b/drivers/soc/renesas/r8a77970-sysc.c +@@ -25,12 +25,12 @@ static const struct rcar_sysc_area r8a77 + PD_CPU_NOCR }, + { "cr7", 0x240, 0, R8A77970_PD_CR7, R8A77970_PD_ALWAYS_ON }, + { "a3ir", 0x180, 0, R8A77970_PD_A3IR, R8A77970_PD_ALWAYS_ON }, +- { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_ALWAYS_ON }, +- { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A2IR0 }, +- { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A2IR0 }, +- { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A2IR0 }, +- { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_ALWAYS_ON }, +- { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A2SC0 }, ++ { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_A3IR }, ++ { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A3IR }, ++ { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A3IR }, ++ { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A3IR }, ++ { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_A3IR }, ++ { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A3IR }, + }; + + const struct rcar_sysc_info r8a77970_sysc_info __initconst = { diff --git a/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch b/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch new file mode 100644 index 00000000000..d081356538a --- /dev/null +++ b/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: "David S. Miller" +Date: Tue, 3 Apr 2018 08:24:35 -0700 +Subject: sparc64: Make atomic_xchg() an inline function rather than a macro. + +From: "David S. Miller" + +[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ] + +This avoids a lot of -Wunused warnings such as: + +==================== +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’ + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + ^~~~ +kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’ + atomic_xchg(&kgdb_active, cpu); + ^~~~~~~~~~~ +==================== + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/atomic_64.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/sparc/include/asm/atomic_64.h ++++ b/arch/sparc/include/asm/atomic_64.h +@@ -83,7 +83,11 @@ ATOMIC_OPS(xor) + #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0) + + #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) +-#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++ ++static inline int atomic_xchg(atomic_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { diff --git a/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch b/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..6f8f87fb140 --- /dev/null +++ b/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 19:36:58 +0100 +Subject: spi: bcm-qspi: fIX some error handling paths + +From: Christophe Jaillet + +[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ] + +For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free +in bcm_qspi_probe() in error path") has updated some gotos, but not all of +them. + +This looks spurious, so fix it. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1255,7 +1255,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[MSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[MSPI])) { + ret = PTR_ERR(qspi->base[MSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + } else { + goto qspi_resource_err; +@@ -1266,7 +1266,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[BSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[BSPI])) { + ret = PTR_ERR(qspi->base[BSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + qspi->bspi_mode = true; + } else { diff --git a/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch b/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch new file mode 100644 index 00000000000..28336603321 --- /dev/null +++ b/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch @@ -0,0 +1,119 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Jens Axboe +Date: Wed, 11 Apr 2018 11:26:09 -0600 +Subject: sr: get/drop reference to device in revalidate and check_events + +From: Jens Axboe + +[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ] + +We can't just use scsi_cd() to get the scsi_cd structure, we have +to grab a live reference to the device. For both callbacks, we're +not inside an open where we already hold a reference to the device. + +This fixes device removal/addition under concurrent device access, +which otherwise could result in the below oops. + +NULL pointer dereference at 0000000000000010 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: +sr 12:0:0:0: [sr2] scsi-1 drive + scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl +sr 12:0:0:0: Attached scsi CD-ROM sr2 + sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc +sr 12:0:0:0: Attached scsi generic sg7 type 5 + igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif] +CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650 +Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016 +RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod] +RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292 +RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66 +RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000 +RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d +R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000 +FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? __invalidate_device+0x48/0x60 + check_disk_change+0x4c/0x60 + sr_block_open+0x16/0xd0 [sr_mod] + __blkdev_get+0xb9/0x450 + ? iget5_locked+0x1c0/0x1e0 + blkdev_get+0x11e/0x320 + ? bdget+0x11d/0x150 + ? _raw_spin_unlock+0xa/0x20 + ? bd_acquire+0xc0/0xc0 + do_dentry_open+0x1b0/0x320 + ? inode_permission+0x24/0xc0 + path_openat+0x4e6/0x1420 + ? cpumask_any_but+0x1f/0x40 + ? flush_tlb_mm_range+0xa0/0x120 + do_filp_open+0x8c/0xf0 + ? __seccomp_filter+0x28/0x230 + ? _raw_spin_unlock+0xa/0x20 + ? __handle_mm_fault+0x7d6/0x9b0 + ? list_lru_add+0xa8/0xc0 + ? _raw_spin_unlock+0xa/0x20 + ? __alloc_fd+0xaf/0x160 + ? do_sys_open+0x1a6/0x230 + do_sys_open+0x1a6/0x230 + do_syscall_64+0x5a/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Reviewed-by: Lee Duncan +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sr.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -585,18 +585,28 @@ out: + static unsigned int sr_block_check_events(struct gendisk *disk, + unsigned int clearing) + { +- struct scsi_cd *cd = scsi_cd(disk); ++ unsigned int ret = 0; ++ struct scsi_cd *cd; + +- if (atomic_read(&cd->device->disk_events_disable_depth)) ++ cd = scsi_cd_get(disk); ++ if (!cd) + return 0; + +- return cdrom_check_events(&cd->cdi, clearing); ++ if (!atomic_read(&cd->device->disk_events_disable_depth)) ++ ret = cdrom_check_events(&cd->cdi, clearing); ++ ++ scsi_cd_put(cd); ++ return ret; + } + + static int sr_block_revalidate_disk(struct gendisk *disk) + { +- struct scsi_cd *cd = scsi_cd(disk); + struct scsi_sense_hdr sshdr; ++ struct scsi_cd *cd; ++ ++ cd = scsi_cd_get(disk); ++ if (!cd) ++ return -ENXIO; + + /* if the unit is not ready, nothing more to do */ + if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) +@@ -605,6 +615,7 @@ static int sr_block_revalidate_disk(stru + sr_cd_check(&cd->cdi); + get_sectorsize(cd); + out: ++ scsi_cd_put(cd); + return 0; + } + diff --git a/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch b/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch new file mode 100644 index 00000000000..d76c5aeb190 --- /dev/null +++ b/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Tom Abraham +Date: Tue, 10 Apr 2018 16:29:48 -0700 +Subject: swap: divide-by-zero when zero length swap file on ssd + +From: Tom Abraham + +[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ] + +Calling swapon() on a zero length swap file on SSD can lead to a +divide-by-zero. + +Although creating such files isn't possible with mkswap and they woud be +considered invalid, it would be better for the swapon code to be more +robust and handle this condition gracefully (return -EINVAL). +Especially since the fix is small and straightforward. + +To help with wear leveling on SSD, the swapon syscall calculates a +random position in the swap file using modulo p->highest_bit, which is +set to maxpages - 1 in read_swap_header. + +If the swap file is zero length, read_swap_header sets maxpages=1 and +last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we +modulo p->highest_bit in swapon syscall. + +This can be prevented by having read_swap_header return zero if +last_page is zero. + +Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com +Signed-off-by: Thomas Abraham +Reported-by: +Reviewed-by: Andrew Morton +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2961,6 +2961,10 @@ static unsigned long read_swap_header(st + maxpages = swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + last_page = swap_header->info.last_page; ++ if (!last_page) { ++ pr_warn("Empty swap-file\n"); ++ return 0; ++ } + if (last_page > maxpages) { + pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", + maxpages << (PAGE_SHIFT - 10), diff --git a/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch b/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch new file mode 100644 index 00000000000..efffd8714dc --- /dev/null +++ b/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Dexuan Cui +Date: Sun, 4 Mar 2018 22:17:14 -0700 +Subject: tools: hv: fix compiler warnings about major/target_fname + +From: Dexuan Cui + +[ Upstream commit 1330fc35327f3ecdfa1aa645e7321ced7349b2cd ] + +This patch fixes the below warnings with new glibc and gcc: + +hv_vss_daemon.c:100:13: warning: In the GNU C Library, "major" is defined + by . For historical compatibility, it is currently +defined by as well, but we plan to remove this soon. +To use "major", include directly. + +hv_fcopy_daemon.c:42:2: note: 'snprintf' output between 2 and 1040 +bytes into a destination of size 260 + +Signed-off-by: Dexuan Cui +Cc: Stephen Hemminger +Cc: K. Y. Srinivasan +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/hv/hv_fcopy_daemon.c | 3 ++- + tools/hv/hv_vss_daemon.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/hv/hv_fcopy_daemon.c ++++ b/tools/hv/hv_fcopy_daemon.c +@@ -23,13 +23,14 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + + static int target_fd; +-static char target_fname[W_MAX_PATH]; ++static char target_fname[PATH_MAX]; + static unsigned long long filesize; + + static int hv_start_fcopy(struct hv_start_fcopy *smsg) +--- a/tools/hv/hv_vss_daemon.c ++++ b/tools/hv/hv_vss_daemon.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch b/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch new file mode 100644 index 00000000000..6526ea2386b --- /dev/null +++ b/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Frank Asseg +Date: Mon, 12 Mar 2018 19:57:06 +0100 +Subject: tools/thermal: tmon: fix for segfault + +From: Frank Asseg + +[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] + +Fixes a segfault occurring when e.g. is pressed multiple times in the +ncurses tmon application. The segfault is caused by incrementing +cur_thermal_record in the main function without checking if it's value reached +NR_THERMAL_RECORD immediately. Since the boundary check only occurred in +update_thermal_data a race condition existed, which lead to an attempted read +beyond the last element of the trec array. + +The fix was implemented by moving the cur_thermal_record incrementation to the +update_thermal_data function using a temporary variable on which the boundary +condition is checked before updating cur_thread_record, so that the variable is +never incremented beyond the trec array's boundary. + +It seems the segfault does not occur on every machine: On a HP EliteBook G4 the +segfault happens, while it does not happen on a Thinkpad T540p. + +Signed-off-by: Frank Asseg +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/thermal/tmon/sysfs.c | 12 +++++++----- + tools/thermal/tmon/tmon.c | 1 - + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst + int update_thermal_data() + { + int i; ++ int next_thermal_record = cur_thermal_record + 1; + char tz_name[256]; + static unsigned long samples; + +@@ -495,9 +496,9 @@ int update_thermal_data() + } + + /* circular buffer for keeping historic data */ +- if (cur_thermal_record >= NR_THERMAL_RECORDS) +- cur_thermal_record = 0; +- gettimeofday(&trec[cur_thermal_record].tv, NULL); ++ if (next_thermal_record >= NR_THERMAL_RECORDS) ++ next_thermal_record = 0; ++ gettimeofday(&trec[next_thermal_record].tv, NULL); + if (tmon_log) { + fprintf(tmon_log, "%lu ", ++samples); + fprintf(tmon_log, "%3.1f ", p_param.t_target); +@@ -507,11 +508,12 @@ int update_thermal_data() + snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, + ptdata.tzi[i].instance); + sysfs_get_ulong(tz_name, "temp", +- &trec[cur_thermal_record].temp[i]); ++ &trec[next_thermal_record].temp[i]); + if (tmon_log) + fprintf(tmon_log, "%lu ", +- trec[cur_thermal_record].temp[i]/1000); ++ trec[next_thermal_record].temp[i] / 1000); + } ++ cur_thermal_record = next_thermal_record; + for (i = 0; i < ptdata.nr_cooling_dev; i++) { + char cdev_name[256]; + unsigned long val; +--- a/tools/thermal/tmon/tmon.c ++++ b/tools/thermal/tmon/tmon.c +@@ -336,7 +336,6 @@ int main(int argc, char **argv) + show_data_w(); + show_cooling_device(); + } +- cur_thermal_record++; + time_elapsed += ticktime; + controller_handler(trec[0].temp[target_tz_index] / 1000, + &yk); diff --git a/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch b/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch new file mode 100644 index 00000000000..78e550b11b0 --- /dev/null +++ b/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jan Kara +Date: Thu, 22 Feb 2018 10:39:52 +0100 +Subject: udf: Provide saner default for invalid uid / gid + +From: Jan Kara + +[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ] + +Currently when UDF filesystem is recorded without uid / gid (ids are set +to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid= +and gid= mount options. In such case filesystem could not be modified in +any way as VFS refuses to modify files with invalid ids (even by root). +This is confusing to users and not very useful default since such media +mode is generally used for removable media. Use overflow[ug]id instead +so that at least root can modify the filesystem. + +Reported-by: Steve Kenton +Reviewed-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2091,8 +2091,9 @@ static int udf_fill_super(struct super_b + bool lvid_open = false; + + uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT); +- uopt.uid = INVALID_UID; +- uopt.gid = INVALID_GID; ++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */ ++ uopt.uid = make_kuid(current_user_ns(), overflowuid); ++ uopt.gid = make_kgid(current_user_ns(), overflowgid); + uopt.umask = 0; + uopt.fmode = UDF_INVALID_MODE; + uopt.dmode = UDF_INVALID_MODE; diff --git a/queue-4.16/vfio-ccw-fence-off-transport-mode.patch b/queue-4.16/vfio-ccw-fence-off-transport-mode.patch new file mode 100644 index 00000000000..ccc26ffa154 --- /dev/null +++ b/queue-4.16/vfio-ccw-fence-off-transport-mode.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Cornelia Huck +Date: Thu, 22 Feb 2018 15:35:43 +0100 +Subject: vfio-ccw: fence off transport mode + +From: Cornelia Huck + +[ Upstream commit 9851bc77e62499957567e7c39a5beba7d6de6296 ] + +vfio-ccw only supports command mode for channel programs, not transport +mode. User space is supposed to already take care of that and pass us +command-mode ORBs only, but better make sure and return an error to +the caller instead of trying to process tcws as ccws. + +Reviewed-by: Dong Jia Shi +Acked-by: Halil Pasic +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/vfio_ccw_fsm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/cio/vfio_ccw_fsm.c ++++ b/drivers/s390/cio/vfio_ccw_fsm.c +@@ -129,6 +129,11 @@ static void fsm_io_request(struct vfio_c + if (scsw->cmd.fctl & SCSW_FCTL_START_FUNC) { + orb = (union orb *)io_region->orb_area; + ++ /* Don't try to build a cp if transport mode is specified. */ ++ if (orb->tm.b) { ++ io_region->ret_code = -EOPNOTSUPP; ++ goto err_out; ++ } + io_region->ret_code = cp_init(&private->cp, mdev_dev(mdev), + orb); + if (io_region->ret_code) diff --git a/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch b/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch new file mode 100644 index 00000000000..d150dde64b6 --- /dev/null +++ b/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Jay Vosburgh +Date: Thu, 22 Mar 2018 14:42:41 +0000 +Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS + +From: Jay Vosburgh + +[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ] + +The operstate update logic will leave an interface in the +default UNKNOWN operstate if the interface carrier state never changes +from the default carrier up state set at creation. This includes the +case of an explicit call to netif_carrier_on, as the carrier on to on +transition has no effect on operstate. + + This affects virtio-net for the case that the virtio peer does +not support VIRTIO_NET_F_STATUS (the feature that provides carrier state +updates). Without this feature, the virtio specification states that +"the link should be assumed active," so, logically, the operstate should +be UP instead of UNKNOWN. This has impact on user space applications +that use the operstate to make availability decisions for the interface. + + Resolve this by changing the virtio probe logic slightly to call +netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS +cases, and then the existing call to netif_carrier_on for the "without" +case will cause an operstate transition. + +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Ben Hutchings +Signed-off-by: Jay Vosburgh +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2874,8 +2874,8 @@ static int virtnet_probe(struct virtio_d + + /* Assume link up if device can't report link status, + otherwise get link status from config. */ ++ netif_carrier_off(dev); + if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) { +- netif_carrier_off(dev); + schedule_work(&vi->config_work); + } else { + vi->status = VIRTIO_NET_S_LINK_UP; diff --git a/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch b/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch new file mode 100644 index 00000000000..648caf0bc05 --- /dev/null +++ b/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Alexey Khoroshilov +Date: Sat, 10 Feb 2018 13:17:27 +0300 +Subject: watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 3c829f47e33eb0398a9a14e357a05199a7be0277 ] + +If devm_reset_control_get_exclusive() fails, asm9260_wdt_probe() +returns immediately. But clks has been already enabled at that point, +so it is required to disable them or to move the code around. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/asm9260_wdt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/asm9260_wdt.c ++++ b/drivers/watchdog/asm9260_wdt.c +@@ -292,14 +292,14 @@ static int asm9260_wdt_probe(struct plat + if (IS_ERR(priv->iobase)) + return PTR_ERR(priv->iobase); + +- ret = asm9260_wdt_get_dt_clks(priv); +- if (ret) +- return ret; +- + priv->rst = devm_reset_control_get_exclusive(&pdev->dev, "wdt_rst"); + if (IS_ERR(priv->rst)) + return PTR_ERR(priv->rst); + ++ ret = asm9260_wdt_get_dt_clks(priv); ++ if (ret) ++ return ret; ++ + wdd = &priv->wdd; + wdd->info = &asm9260_wdt_ident; + wdd->ops = &asm9260_wdt_ops; diff --git a/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch b/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch new file mode 100644 index 00000000000..f81b758f7c7 --- /dev/null +++ b/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch @@ -0,0 +1,60 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Milton Miller +Date: Thu, 15 Mar 2018 11:02:06 -0500 +Subject: watchdog: aspeed: Allow configuring for alternate boot + +From: Milton Miller + +[ Upstream commit 6ffa3402211acc30e47e691e14d62f3fd065a54e ] + +Allow the device tree to specify a watchdog to fallover to +the alternate boot source. + +The aspeeed watchdog can set a latch directing flash chip select 0 to +chip select 1, allowing boot from an alternate media if the watchdog +is not reset in time. On the ast2400 bank 1 also goes to flash bank 1, +while on the ast2500 the chip selects are swapped. + +Also clear the secondary boot bit during the machine restart operation. +Otherwise, the system will switch to the alternate boot after every +reboot, which is not desired. + +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -46,6 +46,7 @@ MODULE_DEVICE_TABLE(of, aspeed_wdt_of_ta + #define WDT_RELOAD_VALUE 0x04 + #define WDT_RESTART 0x08 + #define WDT_CTRL 0x0C ++#define WDT_CTRL_BOOT_SECONDARY BIT(7) + #define WDT_CTRL_RESET_MODE_SOC (0x00 << 5) + #define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5) + #define WDT_CTRL_RESET_MODE_ARM_CPU (0x10 << 5) +@@ -158,6 +159,7 @@ static int aspeed_wdt_restart(struct wat + { + struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); + ++ wdt->ctrl &= ~WDT_CTRL_BOOT_SECONDARY; + aspeed_wdt_enable(wdt, 128 * WDT_RATE_1MHZ / 1000); + + mdelay(1000); +@@ -242,6 +244,8 @@ static int aspeed_wdt_probe(struct platf + } + if (of_property_read_bool(np, "aspeed,external-signal")) + wdt->ctrl |= WDT_CTRL_WDT_EXT; ++ if (of_property_read_bool(np, "aspeed,alt-boot")) ++ wdt->ctrl |= WDT_CTRL_BOOT_SECONDARY; + + if (readl(wdt->base + WDT_CTRL) & WDT_CTRL_ENABLE) { + /* diff --git a/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch b/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch new file mode 100644 index 00000000000..c4d1135568a --- /dev/null +++ b/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Milton Miller +Date: Fri, 9 Mar 2018 15:58:19 -0600 +Subject: watchdog: aspeed: Fix translation of reset mode to ctrl register + +From: Milton Miller + +[ Upstream commit d2fc8db691bf3197d43b2afb553311a9bf257bff ] + +Assert RESET_SYSTEM bit for any reset and set MODE field from reset +type. + +The watchdog control register has a RESET_SYSTEM bit that is really +closer to activate a reset, and RESET_SYSTEM_MODE field that chooses +how much to reset. + +Before this patch, a node without these optional property would do a +SOC reset, but a node with properties requesting a cpu or SOC reset +would do nothing and a node requesting a system reset would do a +SOC reset. + +Fixes: b7f0b8ad25f3 ("drivers/watchdog: ASPEED reference dev tree properties for config") +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -234,11 +234,14 @@ static int aspeed_wdt_probe(struct platf + wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | WDT_CTRL_RESET_SYSTEM; + } else { + if (!strcmp(reset_type, "cpu")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "soc")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "system")) +- wdt->ctrl |= WDT_CTRL_RESET_SYSTEM; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_FULL_CHIP | ++ WDT_CTRL_RESET_SYSTEM; + else if (strcmp(reset_type, "none")) + return -EINVAL; + } diff --git a/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch b/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch new file mode 100644 index 00000000000..0b12a81862c --- /dev/null +++ b/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Alexey Khoroshilov +Date: Sat, 24 Mar 2018 00:36:46 +0300 +Subject: watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit d66e53649c18377edc08d48901e658e4fd491d46 ] + +clk_disable_unprepare() was added to one error path, +but there is another one. The patch makes sure clk is +disabled at the both of them. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/davinci_wdt.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/davinci_wdt.c ++++ b/drivers/watchdog/davinci_wdt.c +@@ -236,15 +236,22 @@ static int davinci_wdt_probe(struct plat + + wdt_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + davinci_wdt->base = devm_ioremap_resource(dev, wdt_mem); +- if (IS_ERR(davinci_wdt->base)) +- return PTR_ERR(davinci_wdt->base); ++ if (IS_ERR(davinci_wdt->base)) { ++ ret = PTR_ERR(davinci_wdt->base); ++ goto err_clk_disable; ++ } + + ret = watchdog_register_device(wdd); +- if (ret < 0) { +- clk_disable_unprepare(davinci_wdt->clk); ++ if (ret) { + dev_err(dev, "cannot register watchdog device\n"); ++ goto err_clk_disable; + } + ++ return 0; ++ ++err_clk_disable: ++ clk_disable_unprepare(davinci_wdt->clk); ++ + return ret; + } + diff --git a/queue-4.16/watchdog-dw-rmw-the-control-register.patch b/queue-4.16/watchdog-dw-rmw-the-control-register.patch new file mode 100644 index 00000000000..57bb834c658 --- /dev/null +++ b/queue-4.16/watchdog-dw-rmw-the-control-register.patch @@ -0,0 +1,90 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Brian Norris +Date: Fri, 9 Mar 2018 19:46:06 -0800 +Subject: watchdog: dw: RMW the control register + +From: Brian Norris + +[ Upstream commit a81abbb412341e9e3b2d42ed7d310cf71fbb84a8 ] + +RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length +of pulse to issue for system reset. We shouldn't clobber this value, +because that might make the system reset ineffective. On RK3399, we're +seeing that a value of 000b (meaning 2 cycles) yields an unreliable +(partial?) reset, and so we only fully reset after the watchdog fires a +second time. If we retain the system default (010b, or 8 clock cycles), +then the watchdog reset is much more reliable. + +Read-modify-write retains the system value and improves reset +reliability. + +It seems we were intentionally clobbering the response mode previously, +to ensure we performed a system reset (we don't support an interrupt +notification), so retain that explicitly. + +Signed-off-by: Brian Norris +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/dw_wdt.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -34,6 +34,7 @@ + + #define WDOG_CONTROL_REG_OFFSET 0x00 + #define WDOG_CONTROL_REG_WDT_EN_MASK 0x01 ++#define WDOG_CONTROL_REG_RESP_MODE_MASK 0x02 + #define WDOG_TIMEOUT_RANGE_REG_OFFSET 0x04 + #define WDOG_TIMEOUT_RANGE_TOPINIT_SHIFT 4 + #define WDOG_CURRENT_COUNT_REG_OFFSET 0x08 +@@ -121,14 +122,23 @@ static int dw_wdt_set_timeout(struct wat + return 0; + } + ++static void dw_wdt_arm_system_reset(struct dw_wdt *dw_wdt) ++{ ++ u32 val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ ++ /* Disable interrupt mode; always perform system reset. */ ++ val &= ~WDOG_CONTROL_REG_RESP_MODE_MASK; ++ /* Enable watchdog. */ ++ val |= WDOG_CONTROL_REG_WDT_EN_MASK; ++ writel(val, dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++} ++ + static int dw_wdt_start(struct watchdog_device *wdd) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); + + dw_wdt_set_timeout(wdd, wdd->timeout); +- +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + return 0; + } +@@ -152,16 +162,13 @@ static int dw_wdt_restart(struct watchdo + unsigned long action, void *data) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); +- u32 val; + + writel(0, dw_wdt->regs + WDOG_TIMEOUT_RANGE_REG_OFFSET); +- val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); +- if (val & WDOG_CONTROL_REG_WDT_EN_MASK) ++ if (dw_wdt_is_enabled(dw_wdt)) + writel(WDOG_COUNTER_RESTART_KICK_VALUE, + dw_wdt->regs + WDOG_COUNTER_RESTART_REG_OFFSET); + else +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + /* wait for reset to assert... */ + mdelay(500); diff --git a/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch b/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch new file mode 100644 index 00000000000..ee7a6d12980 --- /dev/null +++ b/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Alexey Khoroshilov +Date: Fri, 9 Mar 2018 00:21:48 +0300 +Subject: watchdog: sprd_wdt: Fix error handling in sprd_wdt_enable() + +From: Alexey Khoroshilov + +[ Upstream commit 3c578cd4bc52b6e65d65be1abad9a8aa489ec207 ] + +If clk_prepare_enable(wdt->rtc_enable) fails, +wdt->enable clock is left enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/sprd_wdt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/sprd_wdt.c ++++ b/drivers/watchdog/sprd_wdt.c +@@ -154,8 +154,10 @@ static int sprd_wdt_enable(struct sprd_w + if (ret) + return ret; + ret = clk_prepare_enable(wdt->rtc_enable); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(wdt->enable); + return ret; ++ } + + sprd_wdt_unlock(wdt->base); + val = readl_relaxed(wdt->base + SPRD_WDT_CTRL); diff --git a/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch b/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch new file mode 100644 index 00000000000..a3029d8784a --- /dev/null +++ b/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Baoquan He +Date: Wed, 14 Feb 2018 13:46:56 +0800 +Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified + +From: Baoquan He + +[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ] + +Currently the kdump kernel becomes very slow if 'noapic' is specified. +Normal kernel doesn't have this bug. + +Kernel parameter 'noapic' is used to disable IO-APIC in system for +testing or special purpose. Here the root cause is that in kdump +kernel LAPIC is disabled since commit: + + 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC") + +In this case we need set up through-local-APIC on boot CPU in +setup_local_APIC(). + +In normal kernel the legacy irq mode is enabled by the BIOS. If +it is virtual wire mode, the local-APIC has been enabled and set as +through-local-APIC. + +Though we fixed the regression introduced by commit 522e664644, +to further improve robustness set up the through-local-APIC mode +explicitly, do not rely on the default boot IRQ mode. + +Signed-off-by: Baoquan He +Reviewed-by: Eric W. Biederman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: douly.fnst@cn.fujitsu.com +Cc: joro@8bytes.org +Cc: prarit@redhat.com +Cc: uobergfe@redhat.com +Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com +[ Rewrote the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1570,7 +1570,7 @@ void setup_local_APIC(void) + * TODO: set up through-local-APIC from through-I/O-APIC? --macro + */ + value = apic_read(APIC_LVT0) & APIC_LVT_MASKED; +- if (!cpu && (pic_mode || !value)) { ++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) { + value = APIC_DM_EXTINT; + apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu); + } else { diff --git a/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch b/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch new file mode 100644 index 00000000000..f2ec480b625 --- /dev/null +++ b/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:53 -0800 +Subject: x86/devicetree: Fix device IRQ settings in DT + +From: Ivan Gorinov + +[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ] + +IRQ parameters for the SoC devices connected directly to I/O APIC lines +(without PCI IRQ routing) may be specified in the Device Tree. + +Called from DT IRQ parser, irq_create_fwspec_mapping() calls +irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg. + +But x86-specific DT IRQ allocation code casts @arg to of_phandle_args +structure pointer and crashes trying to read the IRQ parameters. The +function was not converted when the mapping descriptor was changed to +irq_fwspec in the generic irqdomain code. + +Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -195,19 +195,22 @@ static struct of_ioapic_type of_ioapic_t + static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + unsigned int nr_irqs, void *arg) + { +- struct of_phandle_args *irq_data = (void *)arg; ++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg; + struct of_ioapic_type *it; + struct irq_alloc_info tmp; ++ int type_index; + +- if (WARN_ON(irq_data->args_count < 2)) ++ if (WARN_ON(fwspec->param_count < 2)) + return -EINVAL; +- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type)) ++ ++ type_index = fwspec->param[1]; ++ if (type_index >= ARRAY_SIZE(of_ioapic_type)) + return -EINVAL; + +- it = &of_ioapic_type[irq_data->args[1]]; ++ it = &of_ioapic_type[type_index]; + ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity); + tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain)); +- tmp.ioapic_pin = irq_data->args[0]; ++ tmp.ioapic_pin = fwspec->param[0]; + + return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp); + } diff --git a/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch b/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch new file mode 100644 index 00000000000..e703617595c --- /dev/null +++ b/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:29 -0800 +Subject: x86/devicetree: Initialize device tree before using it + +From: Ivan Gorinov + +[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ] + +Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and +checking in late initcall of_fdt_raw_init(), making early_init_dt_verify() +mandatory. + +The required call to early_init_dt_verify() was not added to the +x86-specific implementation, causing failure to create the sysfs entry in +of_fdt_raw_init(). + +Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -270,14 +271,15 @@ static void __init x86_flattree_get_conf + + map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128); + +- initial_boot_params = dt = early_memremap(initial_dtb, map_len); +- size = of_get_flat_dt_size(); ++ dt = early_memremap(initial_dtb, map_len); ++ size = fdt_totalsize(dt); + if (map_len < size) { + early_memunmap(dt, map_len); +- initial_boot_params = dt = early_memremap(initial_dtb, size); ++ dt = early_memremap(initial_dtb, size); + map_len = size; + } + ++ early_init_dt_verify(dt); + unflatten_and_copy_device_tree(); + early_memunmap(dt, map_len); + } diff --git a/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch b/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch new file mode 100644 index 00000000000..a7be86a86c3 --- /dev/null +++ b/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Dave Hansen +Date: Fri, 6 Apr 2018 13:55:14 -0700 +Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init + +From: Dave Hansen + +[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ] + +__ro_after_init data gets stuck in the .rodata section. That's normally +fine because the kernel itself manages the R/W properties. + +But, if we run __change_page_attr() on an area which is __ro_after_init, +the .rodata checks will trigger and force the area to be immediately +read-only, even if it is early-ish in boot. This caused problems when +trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: +it cleared _PAGE_GLOBAL like I asked, but also took it up on itself +to clear _PAGE_RW. The kernel then oopses the next time it wrote to +a __ro_after_init data structure. + +To fix this, add the kernel_set_to_readonly check, just like we have +for kernel text, just a few lines below in this function. + +Signed-off-by: Dave Hansen +Acked-by: Kees Cook +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Hugh Dickins +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Nadav Amit +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pageattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -298,9 +298,11 @@ static inline pgprot_t static_protection + + /* + * The .rodata section needs to be read-only. Using the pfn +- * catches all aliases. ++ * catches all aliases. This also includes __ro_after_init, ++ * so do not enforce until kernel_set_to_readonly is true. + */ +- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, ++ if (kernel_set_to_readonly && ++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + __pa_symbol(__end_rodata) >> PAGE_SHIFT)) + pgprot_val(forbidden) |= _PAGE_RW; + diff --git a/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch b/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch new file mode 100644 index 00000000000..f1f9cfea1a9 --- /dev/null +++ b/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Sai Praneeth +Date: Wed, 4 Apr 2018 12:34:19 -0700 +Subject: x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush() + +From: Sai Praneeth + +[ Upstream commit 162ee5a8ab49be40d253f90e94aef712470a3a24 ] + +Linus reported the following boot warning: + + WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170 + [...] + Call Trace: + switch_mm_irqs_off+0x267/0x590 + switch_mm+0xe/0x20 + efi_switch_mm+0x3e/0x50 + efi_enter_virtual_mode+0x43f/0x4da + start_kernel+0x3bf/0x458 + secondary_startup_64+0xa5/0xb0 + +... after merging: + + 03781e40890c: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3 + +When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled, +build_cr3_noflush() (called via switch_mm()) does a sanity check to see +if X86_FEATURE_PCID is set. + +Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to +perform the check but this_cpu_has() works only after SMP is initialized +(i.e. per cpu cpu_info's should be populated) and this happens to be very +late in the boot process (during rest_init()). + +As efi_runtime_services() are called during (early) kernel boot time +and run time, modify build_cr3_noflush() to use boot_cpu_has() all the +time. As suggested by Dave Hansen, this should be OK because all CPU's have +same capabilities on x86. + +With this change the warning is fixed. + +( Dave also suggested that we put a warning in this_cpu_has() if it's used + early in the boot process. This is still work in progress as it affects + MCE. ) + +Reported-by: Linus Torvalds +Signed-off-by: Sai Praneeth Prakhya +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Lee Chun-Yi +Cc: Matt Fleming +Cc: Michael S. Tsirkin +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Ravi Shankar +Cc: Ricardo Neri +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/tlbflush.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -131,7 +131,12 @@ static inline unsigned long build_cr3(pg + static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid) + { + VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE); +- VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID)); ++ /* ++ * Use boot_cpu_has() instead of this_cpu_has() as this function ++ * might be called during early boot. This should work even after ++ * boot because all CPU's the have same capabilities: ++ */ ++ VM_WARN_ON_ONCE(!boot_cpu_has(X86_FEATURE_PCID)); + return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH; + } + diff --git a/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch b/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch new file mode 100644 index 00000000000..29cb9146074 --- /dev/null +++ b/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Joerg Roedel +Date: Wed, 11 Apr 2018 17:24:38 +0200 +Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries + +From: Joerg Roedel + +[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ] + +The pmd_set_huge() and pud_set_huge() functions are used from +the generic ioremap() code to establish large mappings where this +is possible. + +But the generic ioremap() code does not check whether the +PMD/PUD entries are already populated with a non-leaf entry, +so that any page-table pages these entries point to will be +lost. + +Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a +BUG_ON() in vmalloc_sync_one() when PMD entries are synced +from swapper_pg_dir to the current page-table. This happens +because the PMD entry from swapper_pg_dir was promoted to a +huge-page entry while the current PGD still contains the +non-leaf entry. Because both entries are present and point +to a different page, the BUG_ON() triggers. + +This was actually triggered with pti-x32 enabled in a KVM +virtual machine by the graphics driver. + +A real and better fix for that would be to improve the +page-table handling in the generic ioremap() code. But that is +out-of-scope for this patch-set and left for later work. + +Reported-by: David H. Gutteridge +Signed-off-by: Joerg Roedel +Reviewed-by: Thomas Gleixner +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Jiri Kosina +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Pavel Machek +Cc: Peter Zijlstra +Cc: Waiman Long +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pgtable.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -636,6 +637,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t + (mtrr != MTRR_TYPE_WRBACK)) + return 0; + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pud_present(*pud) && !pud_huge(*pud)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pud, pfn_pte( +@@ -664,6 +669,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t + return 0; + } + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pmd_present(*pmd) && !pmd_huge(*pmd)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pmd, pfn_pte( diff --git a/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch b/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch new file mode 100644 index 00000000000..8f655017ee6 --- /dev/null +++ b/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Dan Carpenter +Date: Thu, 29 Mar 2018 12:01:53 +0300 +Subject: xen/acpi: off by one in read_acpi_id() + +From: Dan Carpenter + +[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ] + +If acpi_id is == nr_acpi_bits, then we access one element beyond the end +of the acpi_psd[] array or we set one bit beyond the end of the bit map +when we do __set_bit(acpi_id, acpi_id_present); + +Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.") +Signed-off-by: Dan Carpenter +Reviewed-by: Joao Martins +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xen-acpi-processor.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl + } + /* There are more ACPI Processor objects than in x2APIC or MADT. + * This can happen with incorrect ACPI SSDT declerations. */ +- if (acpi_id > nr_acpi_bits) { +- pr_debug("We only have %u, trying to set %u\n", +- nr_acpi_bits, acpi_id); ++ if (acpi_id >= nr_acpi_bits) { ++ pr_debug("max acpi id %u, trying to set %u\n", ++ nr_acpi_bits - 1, acpi_id); + return AE_OK; + } + /* OK, There is a ACPI Processor object */ diff --git a/queue-4.16/z3fold-fix-memory-leak.patch b/queue-4.16/z3fold-fix-memory-leak.patch new file mode 100644 index 00000000000..30ede9e7e3b --- /dev/null +++ b/queue-4.16/z3fold-fix-memory-leak.patch @@ -0,0 +1,61 @@ +From foo@baz Sun May 27 16:10:02 CEST 2018 +From: Xidong Wang +Date: Tue, 10 Apr 2018 16:29:34 -0700 +Subject: z3fold: fix memory leak + +From: Xidong Wang + +[ Upstream commit 1ec6995d1290bfb87cc3a51f0836c889e857cef9 ] + +In z3fold_create_pool(), the memory allocated by __alloc_percpu() is not +released on the error path that pool->compact_wq , which holds the +return value of create_singlethread_workqueue(), is NULL. This will +result in a memory leak bug. + +[akpm@linux-foundation.org: fix oops on kzalloc() failure, check __alloc_percpu() retval] +Link: http://lkml.kernel.org/r/1522803111-29209-1-git-send-email-wangxidong_97@163.com +Signed-off-by: Xidong Wang +Reviewed-by: Andrew Morton +Cc: Vitaly Wool +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/z3fold.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -469,6 +469,8 @@ static struct z3fold_pool *z3fold_create + spin_lock_init(&pool->lock); + spin_lock_init(&pool->stale_lock); + pool->unbuddied = __alloc_percpu(sizeof(struct list_head)*NCHUNKS, 2); ++ if (!pool->unbuddied) ++ goto out_pool; + for_each_possible_cpu(cpu) { + struct list_head *unbuddied = + per_cpu_ptr(pool->unbuddied, cpu); +@@ -481,7 +483,7 @@ static struct z3fold_pool *z3fold_create + pool->name = name; + pool->compact_wq = create_singlethread_workqueue(pool->name); + if (!pool->compact_wq) +- goto out; ++ goto out_unbuddied; + pool->release_wq = create_singlethread_workqueue(pool->name); + if (!pool->release_wq) + goto out_wq; +@@ -491,8 +493,11 @@ static struct z3fold_pool *z3fold_create + + out_wq: + destroy_workqueue(pool->compact_wq); +-out: ++out_unbuddied: ++ free_percpu(pool->unbuddied); ++out_pool: + kfree(pool); ++out: + return NULL; + } + diff --git a/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch b/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch new file mode 100644 index 00000000000..f402d1483fb --- /dev/null +++ b/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:10:03 CEST 2018 +From: Michael Schmitz +Date: Sat, 3 Mar 2018 12:04:13 +1300 +Subject: zorro: Set up z->dev.dma_mask for the DMA API + +From: Michael Schmitz + +[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ] + +The generic DMA API uses dev->dma_mask to check the DMA addressable +memory bitmask, and warns if no mask is set or even allocated. + +Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask +to point to z->dev.dma_coherent_mask so device drivers that need DMA have +everything set up to avoid warnings from dma_alloc_coherent(). Drivers can +still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask. + +Signed-off-by: Michael Schmitz +[geert: Handle Zorro II with 24-bit address space] +Acked-by: Christoph Hellwig +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/zorro/zorro.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/zorro/zorro.c ++++ b/drivers/zorro/zorro.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru + z->dev.parent = &bus->dev; + z->dev.bus = &zorro_bus_type; + z->dev.id = i; ++ switch (z->rom.er_Type & ERT_TYPEMASK) { ++ case ERT_ZORROIII: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32); ++ break; ++ ++ case ERT_ZORROII: ++ default: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24); ++ break; ++ } ++ z->dev.dma_mask = &z->dev.coherent_dma_mask; + } + + /* ... then register them */