From: Greg Kroah-Hartman Date: Mon, 27 Nov 2017 16:06:32 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.85~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd7bc0a0d1f2ebd0cd1455a32dc1c01d65b2c6ee;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch alsa-usb-audio-add-sanity-checks-to-fe-parser.patch alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch autofs-don-t-fail-mount-for-transient-error.patch bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch fs-9p-compare-qid.path-in-v9fs_test_inode.patch irqchip-gic-v3-fix-ppi-partitions-lookup.patch iscsi-target-fix-non-immediate-tmr-reference-leak.patch isofs-fix-timestamps-beyond-2027.patch libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch lockd-double-unregister-of-inetaddr-notifiers.patch mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch mips-fix-an-n32-core-file-generation-regset-support-regression.patch mips-fix-odd-fp-register-warnings-with-mips64r2.patch 
mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch mtd-nand-fix-writing-mtdoops-to-nand-flash.patch mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch mtd-nand-omap2-fix-subpage-write.patch nfs-avoid-rcu-usage-in-tracepoints.patch nfs-fix-typo-in-nomigration-mount-option.patch nfs-fix-ugly-referral-attributes.patch nfsd-deal-with-revoked-delegations-appropriately.patch nilfs2-fix-race-condition-that-causes-file-system-corruption.patch p54-don-t-unregister-leds-when-they-are-not-initialized.patch rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch target-fix-queue_full-scsi-task-attribute-handling.patch --- diff --git a/queue-4.9/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch b/queue-4.9/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch new file mode 100644 index 00000000000..4068516759e --- /dev/null +++ b/queue-4.9/alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch 
@@ -0,0 +1,47 @@ +From c2432466f583cb719b35a41e757da587d9ab1d00 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 17 Nov 2017 12:08:40 +0100 +Subject: ALSA: hda: Fix too short HDMI/DP chmap reporting + +From: Takashi Iwai + +commit c2432466f583cb719b35a41e757da587d9ab1d00 upstream. + +We got a regression report about the HD-audio HDMI chmap, where some +surround channels are reported as UNKNOWN. The git bisection pointed +the culprit at the commit 9b3dc8aa3fb1 ("ALSA: hda - Register chmap +obj as priv data instead of codec"). The story behind scene is like +this: + +- While moving the code out of the legacy HDA to the HDA common place, + the patch modifies the code to obtain the chmap array indirectly in + a byte array, and it expands it to kctl value array. +- At the latter operation, the size of the array is wrongly passed by + sizeof() to the pointer. +- It can be 4 on 32bit arch, thus too short for 6+ channels. + (And that's the reason why it didn't hit other persons; it's 8 on + 64bit arch, thus it's usually enough.) + +The code was further changed meanwhile, but the problem persisted. +Let's fix it by correctly evaluating the array size. + +Fixes: 9b3dc8aa3fb1 ("ALSA: hda - Register chmap obj as priv data instead of codec") +Reported-by: VDR User +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/hda/hdmi_chmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/hda/hdmi_chmap.c ++++ b/sound/hda/hdmi_chmap.c +@@ -746,7 +746,7 @@ static int hdmi_chmap_ctl_get(struct snd + memset(pcm_chmap, 0, sizeof(pcm_chmap)); + chmap->ops.get_chmap(chmap->hdac, pcm_idx, pcm_chmap); + +- for (i = 0; i < sizeof(chmap); i++) ++ for (i = 0; i < ARRAY_SIZE(pcm_chmap); i++) + ucontrol->value.integer.value[i] = pcm_chmap[i]; + + return 0; 
diff --git a/queue-4.9/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch b/queue-4.9/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch new file mode 100644 index 00000000000..ed212dd66cd --- /dev/null +++ b/queue-4.9/alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch @@ -0,0 +1,32 @@ +From 2d7fe6185722b0817bb345f62ab06b76a7b26542 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 22 Nov 2017 15:21:32 +0800 +Subject: ALSA: hda/realtek - Fix ALC700 family no sound issue + +From: Kailang Yang + +commit 2d7fe6185722b0817bb345f62ab06b76a7b26542 upstream. + +It maybe the typo for ALC700 support patch. +To fix the bit value on this patch. + +Fixes: 6fbae35a3170 ("ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703") +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6272,7 +6272,7 @@ static int patch_alc269(struct hda_codec + case 0x10ec0703: + spec->codec_variant = ALC269_TYPE_ALC700; + spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */ +- alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */ ++ alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */ + break; + + } diff --git a/queue-4.9/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch b/queue-4.9/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch new file mode 100644 index 00000000000..e5b54993795 --- /dev/null +++ b/queue-4.9/alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch 
@@ -0,0 +1,58 @@ +From 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 Mon Sep 17 00:00:00 2001 +From: Henrik Eriksson +Date: Tue, 21 Nov 2017 09:29:28 +0100 +Subject: ALSA: pcm: update tstamp only if audio_tstamp changed + +From: Henrik Eriksson + +commit 20e3f985bb875fea4f86b04eba4b6cc29bfd6b71 upstream. + +commit 3179f6200188 ("ALSA: core: add .get_time_info") had a side effect +of changing the behaviour of the PCM runtime tstamp. Prior to this +change tstamp was not updated by snd_pcm_update_hw_ptr0() unless the +hw_ptr had moved, after this change tstamp was always updated. + +For an application using alsa-lib, doing snd_pcm_readi() followed by +snd_pcm_status() to estimate the age of the read samples by subtracting +status->avail * [sample rate] from status->tstamp this change degraded +the accuracy of the estimate on devices where the pcm hw does not +provide a granular hw_ptr, e.g., devices using +soc-generic-dmaengine-pcm.c and a dma-engine with residue_granularity +DMA_RESIDUE_GRANULARITY_DESCRIPTOR. The accuracy of the estimate +depended on the latency between the PCM hw completing a period and the +driver called snd_pcm_period_elapsed() to notify ALSA core, typically +determined by interrupt handling latency. After the change the accuracy +of the estimate depended on the latency between the PCM hw completing a +period and the application calling snd_pcm_status(), determined by the +scheduling of the application process. The maximum error of the +estimate is one period length in both cases, but the error average and +variance is smaller when it depends on interrupt latency. + +Instead of always updating tstamp, update it only if audio_tstamp +changed. 
+ +Fixes: 3179f6200188 ("ALSA: core: add .get_time_info") +Suggested-by: Pierre-Louis Bossart +Signed-off-by: Henrik Eriksson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm_lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -264,8 +264,10 @@ static void update_audio_tstamp(struct s + runtime->rate); + *audio_tstamp = ns_to_timespec(audio_nsecs); + } +- runtime->status->audio_tstamp = *audio_tstamp; +- runtime->status->tstamp = *curr_tstamp; ++ if (!timespec_equal(&runtime->status->audio_tstamp, audio_tstamp)) { ++ runtime->status->audio_tstamp = *audio_tstamp; ++ runtime->status->tstamp = *curr_tstamp; ++ } + + /* + * re-take a driver timestamp to let apps detect if the reference tstamp diff --git a/queue-4.9/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch b/queue-4.9/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch new file mode 100644 index 00000000000..fd93946dfdf --- /dev/null +++ b/queue-4.9/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch 
@@ -0,0 +1,54 @@ +From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 16:36:11 +0100 +Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths + +From: Takashi Iwai + +commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream. + +Some timer compat ioctls have NULL checks of timer instance with +snd_BUG_ON() that bring up WARN_ON() when the debug option is set. +Actually the condition can be met in the normal situation and it's +confusing and bad to spew kernel warnings with stack trace there. +Let's remove snd_BUG_ON() invocation and replace with the simple +checks. Also, correct the error code to EBADFD to follow the native +ioctl error handling. + +Reported-by: syzbot +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer_compat.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/core/timer_compat.c ++++ b/sound/core/timer_compat.c +@@ -66,11 +66,11 @@ static int snd_timer_user_info_compat(st + struct snd_timer *t; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + t = tu->timeri->timer; +- if (snd_BUG_ON(!t)) +- return -ENXIO; ++ if (!t) ++ return -EBADFD; + memset(&info, 0, sizeof(info)); + info.card = t->card ? t->card->number : -1; + if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) +@@ -99,8 +99,8 @@ static int snd_timer_user_status_compat( + struct snd_timer_status32 status; + + tu = file->private_data; +- if (snd_BUG_ON(!tu->timeri)) +- return -ENXIO; ++ if (!tu->timeri) ++ return -EBADFD; + memset(&status, 0, sizeof(status)); + status.tstamp.tv_sec = tu->tstamp.tv_sec; + status.tstamp.tv_nsec = tu->tstamp.tv_nsec; diff --git a/queue-4.9/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch b/queue-4.9/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch new file mode 100644 index 00000000000..52b88972f48 --- /dev/null 
+++ b/queue-4.9/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
@@ -0,0 +1,57 @@
+From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 21 Nov 2017 17:28:06 +0100
+Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers
+
+From: Takashi Iwai
+
+commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.
+
+The helper functions to parse and look for the clock source, selector
+and multiplier unit may return the descriptor with a too short length
+than required, while there is no sanity check in the caller side.
+Add some sanity checks in the parsers, at least, to guarantee the
+given descriptor size, for avoiding the potential crashes.
+
+Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
+Reported-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/clock.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SOURCE))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
+@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_SELECTOR))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
++ if (cs->bLength < 5 + cs->bNrInPins)
++ return NULL;
+ return cs;
++ }
+ }
+
+ return NULL;
+@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr
+ while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ cs, UAC2_CLOCK_MULTIPLIER))) {
+- if (cs->bClockID == clock_id)
++ if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+ return cs;
+ }
+
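Review bot: In the clock-selector lookup the second length test, `cs->bLength < 5 + cs->bNrInPins`, only guarantees that the source-ID array after bNrInPins fits inside the descriptor. Going by the UAC2 descriptor layout (an assumption, since the struct definition is not in this hunk), two more one-byte fields follow that array, so a caller that reads them could still step past a device-supplied descriptor that passes this check; `if (cs->bLength < 7 + cs->bNrInPins)` would cover the whole descriptor. The bare 5 deserves a named constant or a comment such as `/* 5 = fixed header through bNrInPins */`. The early `return NULL` also ends the search at the first ID match that is too short, which is worth stating in a comment; all three functions begin above their hunks.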
diff --git a/queue-4.9/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch b/queue-4.9/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
new file mode 100644
index 00000000000..0293acf7faa
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
@@ -0,0 +1,51 @@
+From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 21 Nov 2017 16:55:51 +0100
+Subject: ALSA: usb-audio: Add sanity checks to FE parser
+
+From: Takashi Iwai
+
+commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
+
+When the usb-audio descriptor contains the malformed feature unit
+description with a too short length, the driver may access
+out-of-bounds. Add a sanity check of the header size at the beginning
+of parse_audio_feature_unit().
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1463,6 +1463,12 @@ static int parse_audio_feature_unit(stru
+ __u8 *bmaControls;
+
+ if (state->mixer->protocol == UAC_VERSION_1) {
++ if (hdr->bLength < 7) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = hdr->bControlSize;
+ if (!csize) {
+ usb_audio_dbg(state->chip,
+@@ -1480,6 +1486,12 @@ static int parse_audio_feature_unit(stru
+ }
+ } else {
+ struct uac2_feature_unit_descriptor *ftr = _ftr;
++ if (hdr->bLength < 6) {
++ usb_audio_err(state->chip,
++ "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ csize = 4;
+ channels = (hdr->bLength - 6) / 4 - 1;
+ bmaControls = ftr->bmaControls;
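Review bot: The UAC2 branch accepts any `hdr->bLength >= 6`, but the lines right after it compute `channels = (hdr->bLength - 6) / 4 - 1` and point bmaControls at the control array, so lengths 6 to 9 yield channels == -1 and leave no room for even one 4-byte control entry. Unless a check further down (outside this hunk) rejects those lengths, the bound should include the first entry, `if (hdr->bLength < 6 + 4) {`. The literals 7 and 6 would also be easier to audit with a comment saying which descriptor fields each one counts. The function starts above and continues below both hunks.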
diff --git a/queue-4.9/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch b/queue-4.9/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch new file mode 100644 index 00000000000..846c9d3da7f --- /dev/null +++ b/queue-4.9/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch @@ -0,0 +1,34 @@ +From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Nov 2017 17:00:32 +0100 +Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU + +From: Takashi Iwai + +commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. + +The usb-audio driver may trigger an out-of-bound access at parsing a +malformed selector unit, as it checks the header length only after +evaluating bNrInPins field, which can be already above the given +length. Fix it by adding the length check beforehand. + +Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2092,7 +2092,8 @@ static int parse_audio_selector_unit(str + const struct usbmix_name_map *map; + char **namelist; + +- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { ++ if (desc->bLength < 5 || !desc->bNrInPins || ++ desc->bLength < 5 + desc->bNrInPins) { + usb_audio_err(state->chip, + "invalid SELECTOR UNIT descriptor %d\n", unitid); + return -EINVAL; diff --git a/queue-4.9/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch b/queue-4.9/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch new file mode 100644 index 00000000000..d89dc8a215a --- /dev/null +++ b/queue-4.9/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch 
@@ -0,0 +1,39 @@
+From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 21 Nov 2017 17:07:43 +0100
+Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU
+
+From: Takashi Iwai
+
+commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.
+
+parse_audio_feature_unit() contains a code dividing potentially with
+zero when a malformed FU descriptor is passed. Although there is
+already a sanity check, it checks only the value zero, hence it can
+still lead to a zero-division when a value 1 is passed there.
+
+Fix it by correcting the sanity check (and the error message
+thereof).
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1470,9 +1470,9 @@ static int parse_audio_feature_unit(stru
+ return -EINVAL;
+ }
+ csize = hdr->bControlSize;
+- if (!csize) {
++ if (csize <= 1) {
+ usb_audio_dbg(state->chip,
+- "unit %u: invalid bControlSize == 0\n",
++ "unit %u: invalid bControlSize <= 1\n",
+ unitid);
+ return -EINVAL;
+ }
diff --git a/queue-4.9/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch b/queue-4.9/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
new file mode 100644
index 00000000000..f0171e2dca1
--- /dev/null
+++ b/queue-4.9/ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
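Review bot: `if (csize <= 1) {` now rejects every UAC1 feature unit whose bControlSize is 1, but the division it is meant to protect is not in the hunk. If the divisor is csize itself, as the parallel UAC2 expression `(hdr->bLength - 6) / 4 - 1` elsewhere on this page suggests, a value of 1 cannot divide by zero. A one-byte control size looks like a legitimate descriptor value, so the tightened check may refuse working devices while the crash case is already covered by the old `!csize` test. Before this is queued I would confirm which expression divides by zero for csize == 1 and guard that expression directly, with a comment next to the check naming it. parse_audio_feature_unit() starts and ends outside the hunk.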
@@ -0,0 +1,39 @@ +From f1601113ddc0339a745e702f4fb1ca37d4875e65 Mon Sep 17 00:00:00 2001 +From: Rameshwar Prasad Sahu +Date: Thu, 2 Nov 2017 16:31:07 +0530 +Subject: ata: fixes kernel crash while tracing ata_eh_link_autopsy event + +From: Rameshwar Prasad Sahu + +commit f1601113ddc0339a745e702f4fb1ca37d4875e65 upstream. + +When tracing ata link error event, the kernel crashes when the disk is +removed due to NULL pointer access by trace_ata_eh_link_autopsy API. +This occurs as the dev is NULL when the disk disappeared. This patch +fixes this crash by calling trace_ata_eh_link_autopsy only if "dev" +is not NULL. + +v2 changes: + Removed direct passing "link" pointer instead of "dev" in trace API. + +Signed-off-by: Rameshwar Prasad Sahu +Signed-off-by: Tejun Heo +Fixes: 255c03d15a29 ("libata: Add tracepoints") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-eh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2329,8 +2329,8 @@ static void ata_eh_link_autopsy(struct a + if (dev->flags & ATA_DFLAG_DUBIOUS_XFER) + eflags |= ATA_EFLAG_DUBIOUS_XFER; + ehc->i.action |= ata_eh_speed_down(dev, eflags, all_err_mask); ++ trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + } +- trace_ata_eh_link_autopsy(dev, ehc->i.action, all_err_mask); + DPRINTK("EXIT\n"); + } + diff --git a/queue-4.9/autofs-don-t-fail-mount-for-transient-error.patch b/queue-4.9/autofs-don-t-fail-mount-for-transient-error.patch new file mode 100644 index 00000000000..23f25ba4759 --- /dev/null +++ b/queue-4.9/autofs-don-t-fail-mount-for-transient-error.patch 
@@ -0,0 +1,81 @@ +From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 17 Nov 2017 15:29:13 -0800 +Subject: autofs: don't fail mount for transient error + +From: NeilBrown + +commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream. + +Currently if the autofs kernel module gets an error when writing to the +pipe which links to the daemon, then it marks the whole moutpoint as +catatonic, and it will stop working. + +It is possible that the error is transient. This can happen if the +daemon is slow and more than 16 requests queue up. If a subsequent +process tries to queue a request, and is then signalled, the write to +the pipe will return -ERESTARTSYS and autofs will take that as total +failure. + +So change the code to assess -ERESTARTSYS and -ENOMEM as transient +failures which only abort the current request, not the whole mountpoint. + +It isn't a crash or a data corruption, but having autofs mountpoints +suddenly stop working is rather inconvenient. + +Ian said: + +: And given the problems with a half dozen (or so) user space applications +: consuming large amounts of CPU under heavy mount and umount activity this +: could happen more easily than we expect. + +Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name +Signed-off-by: NeilBrown +Acked-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/waitq.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/autofs4/waitq.c ++++ b/fs/autofs4/waitq.c +@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_s + spin_unlock_irqrestore(¤t->sighand->siglock, flags); + } + +- return (bytes > 0); ++ /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ ++ return bytes == 0 ? 0 : wr < 0 ? 
wr : -EIO; + } + + static void autofs4_notify_daemon(struct autofs_sb_info *sbi, +@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct + } pkt; + struct file *pipe = NULL; + size_t pktsz; ++ int ret; + + pr_debug("wait id = 0x%08lx, name = %.*s, type=%d\n", + (unsigned long) wq->wait_queue_token, +@@ -175,7 +177,18 @@ static void autofs4_notify_daemon(struct + mutex_unlock(&sbi->wq_mutex); + + if (autofs4_write(sbi, pipe, &pkt, pktsz)) ++ switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) { ++ case 0: ++ break; ++ case -ENOMEM: ++ case -ERESTARTSYS: ++ /* Just fail this one */ ++ autofs4_wait_release(sbi, wq->wait_queue_token, ret); ++ break; ++ default: + autofs4_catatonic_mode(sbi); ++ break; ++ } + fput(pipe); + } + diff --git a/queue-4.9/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch b/queue-4.9/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch new file mode 100644 index 00000000000..35ad3f64a45 --- /dev/null +++ b/queue-4.9/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch 
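Review bot: The old `if (autofs4_write(sbi, pipe, &pkt, pktsz))` is still present as a context line directly above the added `switch`, so the switch becomes the body of that `if`. The packet is written once by the `if`, and only when that write fails is it written a second time and the new -ENOMEM/-ERESTARTSYS handling reached with the second call's result. The patch's own diffstat (14 insertions, 1 deletion) is consistent with the `if` never having been removed in the third hunk. That line should be deleted so that `switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {` is the only write. autofs4_notify_daemon() begins above the hunk.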
@@ -0,0 +1,46 @@ +From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 13 Oct 2017 16:35:29 -0700 +Subject: bcache: check ca->alloc_thread initialized before wake up it + +From: Coly Li + +commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream. + +In bcache code, sysfs entries are created before all resources get +allocated, e.g. allocation thread of a cache set. + +There is posibility for NULL pointer deference if a resource is accessed +but which is not initialized yet. Indeed Jorg Bornschein catches one on +cache set allocation thread and gets a kernel oops. + +The reason for this bug is, when bch_bucket_alloc() is called during +cache set registration and attaching, ca->alloc_thread is not properly +allocated and initialized yet, call wake_up_process() on ca->alloc_thread +triggers NULL pointer deference failure. A simple and fast fix is, before +waking up ca->alloc_thread, checking whether it is allocated, and only +wake up ca->alloc_thread when it is not NULL. + +Signed-off-by: Coly Li +Reported-by: Jorg Bornschein +Cc: Kent Overstreet +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/alloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -404,7 +404,8 @@ long bch_bucket_alloc(struct cache *ca, + + finish_wait(&ca->set->bucket_wait, &w); + out: +- wake_up_process(ca->alloc_thread); ++ if (ca->alloc_thread) ++ wake_up_process(ca->alloc_thread); + + trace_bcache_alloc(ca, reserve); + diff --git a/queue-4.9/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-4.9/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch new file mode 100644 index 00000000000..decc6c86456 --- /dev/null +++ b/queue-4.9/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch 
@@ -0,0 +1,76 @@ +From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 30 Oct 2017 14:46:31 -0700 +Subject: bcache: only permit to recovery read error when cache device is clean + +From: Coly Li + +commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. + +When bcache does read I/Os, for example in writeback or writethrough mode, +if a read request on cache device is failed, bcache will try to recovery +the request by reading from cached device. If the data on cached device is +not synced with cache device, then requester will get a stale data. + +For critical storage system like database, providing stale data from +recovery may result an application level data corruption, which is +unacceptible. + +With this patch, for a failed read request in writeback or writethrough +mode, recovery a recoverable read request only happens when cache device +is clean. That is to say, all data on cached device is up to update. + +For other cache modes in bcache, read request will never hit +cached_dev_read_error(), they don't need this patch. + +Please note, because cache mode can be switched arbitrarily in run time, a +writethrough mode might be switched from a writeback mode. Therefore +checking dc->has_data in writethrough mode still makes sense. + +Changelog: +V4: Fix parens error pointed by Michael Lyle. +v3: By response from Kent Oversteet, he thinks recovering stale data is a + bug to fix, and option to permit it is unnecessary. So this version + the sysfs file is removed. +v2: rename sysfs entry from allow_stale_data_on_failure to + allow_stale_data_on_failure, and fix the confusing commit log. +v1: initial patch posted. 
+ +[small change to patch comment spelling by mlyle] + +Signed-off-by: Coly Li +Signed-off-by: Michael Lyle +Reported-by: Arne Wolf +Reviewed-by: Michael Lyle +Cc: Kent Overstreet +Cc: Nix +Cc: Kai Krakow +Cc: Eric Wheeler +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -702,8 +702,16 @@ static void cached_dev_read_error(struct + { + struct search *s = container_of(cl, struct search, cl); + struct bio *bio = &s->bio.bio; ++ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); + +- if (s->recoverable) { ++ /* ++ * If cache device is dirty (dc->has_dirty is non-zero), then ++ * recovery a failed read request from cached device may get a ++ * stale data back. So read failure recovery is only permitted ++ * when cache device is clean. ++ */ ++ if (s->recoverable && ++ (dc && !atomic_read(&dc->has_dirty))) { + /* Retry from the backing device: */ + trace_bcache_read_retry(s->orig_bio); + diff --git a/queue-4.9/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch b/queue-4.9/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch new file mode 100644 index 00000000000..be85a30ddfb --- /dev/null +++ b/queue-4.9/block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch 
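Review bot: The `dc &&` test in the new condition does not guard anything, because `dc` comes from `container_of(s->d, struct cached_dev, disk)`, which is pointer arithmetic and yields a non-NULL pointer for any s->d unless `disk` happens to sit at offset 0. If s->d can really be NULL on this path, test `s->d` before the container_of; otherwise drop the test and write `if (s->recoverable && !atomic_read(&dc->has_dirty)) {`. The has_dirty read is a snapshot with no lock visible in the hunk, so the added comment should also say why a concurrent transition to dirty after the check is acceptable. cached_dev_read_error() continues below the hunk.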
@@ -0,0 +1,66 @@ +From 4e9b6f20828ac880dbc1fa2fdbafae779473d1af Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 19 Oct 2017 10:00:48 -0700 +Subject: block: Fix a race between blk_cleanup_queue() and timeout handling + +From: Bart Van Assche + +commit 4e9b6f20828ac880dbc1fa2fdbafae779473d1af upstream. + +Make sure that if the timeout timer fires after a queue has been +marked "dying" that the affected requests are finished. + +Reported-by: chenxiang (M) +Fixes: commit 287922eb0b18 ("block: defer timeouts to a workqueue") +Signed-off-by: Bart Van Assche +Tested-by: chenxiang (M) +Cc: Christoph Hellwig +Cc: Keith Busch +Cc: Hannes Reinecke +Cc: Ming Lei +Cc: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 2 ++ + block/blk-timeout.c | 3 --- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -282,6 +282,7 @@ EXPORT_SYMBOL(blk_stop_queue); + void blk_sync_queue(struct request_queue *q) + { + del_timer_sync(&q->timeout); ++ cancel_work_sync(&q->timeout_work); + + if (q->mq_ops) { + struct blk_mq_hw_ctx *hctx; +@@ -720,6 +721,7 @@ struct request_queue *blk_alloc_queue_no + setup_timer(&q->backing_dev_info.laptop_mode_wb_timer, + laptop_mode_timer_fn, (unsigned long) q); + setup_timer(&q->timeout, blk_rq_timed_out_timer, (unsigned long) q); ++ INIT_WORK(&q->timeout_work, NULL); + INIT_LIST_HEAD(&q->queue_head); + INIT_LIST_HEAD(&q->timeout_list); + INIT_LIST_HEAD(&q->icq_list); +--- a/block/blk-timeout.c ++++ b/block/blk-timeout.c +@@ -135,8 +135,6 @@ void blk_timeout_work(struct work_struct + struct request *rq, *tmp; + int next_set = 0; + +- if (blk_queue_enter(q, true)) +- return; + spin_lock_irqsave(q->queue_lock, flags); + + list_for_each_entry_safe(rq, tmp, &q->timeout_list, timeout_list) +@@ -146,7 +144,6 @@ void blk_timeout_work(struct work_struct + mod_timer(&q->timeout, round_jiffies_up(next)); + + spin_unlock_irqrestore(q->queue_lock, 
flags); +- blk_queue_exit(q); + } + + /** diff --git a/queue-4.9/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch b/queue-4.9/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch new file mode 100644 index 00000000000..c3245a17c16 --- /dev/null +++ b/queue-4.9/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch 
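Review bot: `INIT_WORK(&q->timeout_work, NULL);` in the allocation path leaves a work item whose function pointer is NULL, and nothing in the hunk explains why. Presumably it is there so the new `cancel_work_sync(&q->timeout_work)` in blk_sync_queue() is safe on queues that never install a timeout handler, with the real handler set later by code outside this diff. That should be stated, for example `/* placeholder so blk_sync_queue() can always cancel; the real handler is installed at queue init */`, since any path that schedules the work before then would call through NULL. It is also worth a comment in blk_timeout_work() that dropping blk_queue_enter()/blk_queue_exit() relies on blk_sync_queue() cancelling the work before the queue is freed.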
@@ -0,0 +1,72 @@ +From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 1 Nov 2017 15:42:36 +0800 +Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy() + +From: Hou Tao + +commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. + +The following BUG_ON was hit when testing repeat creation and removal of +DM devices: + + kernel BUG at drivers/md/dm.c:2919! + CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 + Call Trace: + [] dm_get_from_kobject+0x34/0x3a + [] dm_attr_show+0x2b/0x5e + [] ? mutex_lock+0x26/0x44 + [] sysfs_kf_seq_show+0x83/0xcf + [] kernfs_seq_show+0x23/0x25 + [] seq_read+0x16f/0x325 + [] kernfs_fop_read+0x3a/0x13f + [] __vfs_read+0x26/0x9d + [] ? security_file_permission+0x3c/0x44 + [] ? rw_verify_area+0x83/0xd9 + [] vfs_read+0x8f/0xcf + [] ? __fdget_pos+0x12/0x41 + [] SyS_read+0x4b/0x76 + [] system_call_fastpath+0x12/0x71 + +The bug can be easily triggered, if an extra delay (e.g. 10ms) is added +between the test of DMF_FREEING & DMF_DELETING and dm_get() in +dm_get_from_kobject(). + +To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and +dm_get() are done in an atomic way, so _minor_lock is used. + +The other callers of dm_get() have also been checked to be OK: some +callers invoke dm_get() under _minor_lock, some callers invoke it under +_hash_lock, and dm_start_request() invoke it after increasing +md->open_count. 
+ +Signed-off-by: Hou Tao +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2515,11 +2515,15 @@ struct mapped_device *dm_get_from_kobjec + + md = container_of(kobj, struct mapped_device, kobj_holder.kobj); + +- if (test_bit(DMF_FREEING, &md->flags) || +- dm_deleting_md(md)) +- return NULL; +- ++ spin_lock(&_minor_lock); ++ if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) { ++ md = NULL; ++ goto out; ++ } + dm_get(md); ++out: ++ spin_unlock(&_minor_lock); ++ + return md; + } + diff --git a/queue-4.9/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch b/queue-4.9/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch new file mode 100644 index 00000000000..a3caa67aa65 --- /dev/null +++ b/queue-4.9/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch 
@@ -0,0 +1,43 @@
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ecryptfs/messaging.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+ }
+ if (ecryptfs_daemon_hash) {
+ struct ecryptfs_daemon *daemon;
++ struct hlist_node *n;
+ int i;
+
+ mutex_lock(&ecryptfs_daemon_hash_mux);
+ for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+ int rc;
+
+- hlist_for_each_entry(daemon,
+- &ecryptfs_daemon_hash[i],
+- euid_chain) {
++ hlist_for_each_entry_safe(daemon, n,
++ &ecryptfs_daemon_hash[i],
++ euid_chain) {
+ rc = ecryptfs_exorcise_daemon(daemon);
+ if (rc)
+ printk(KERN_ERR "%s: Error whilst "
diff --git a/queue-4.9/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch b/queue-4.9/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
new file mode 100644
index 00000000000..e1dede5de20
--- /dev/null
+++ b/queue-4.9/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
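Review bot: The switch to `hlist_for_each_entry_safe()` in ecryptfs_release_messaging() protects only against the current entry being freed, and nothing at the loop says that this is the property being relied on. A one-line comment above the loop, e.g. `/* ecryptfs_exorcise_daemon() frees daemon, so the next node is saved in n */`, would stop the macro from being simplified back later. That ecryptfs_exorcise_daemon() never removes any other entry of the same chain is assumed here; its body is not in the hunk, and the loop body itself runs past the hunk's last line.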
@@ -0,0 +1,64 @@
+From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Fri, 6 Oct 2017 23:09:55 -0400
+Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash
+
+From: Theodore Ts'o
+
+commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream.
+
+If there are pending writes subject to delayed allocation, then i_size
+will show size after the writes have completed, while i_disksize
+contains the value of i_size on the disk (since the writes have not
+been persisted to disk).
+
+If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either
+with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size
+after the fallocate(2) is between i_size and i_disksize, then after a
+crash, if a journal commit has resulted in the changes made by the
+fallocate() call to be persisted after a crash, but the delayed
+allocation write has not resolved itself, i_size would not be updated,
+and this would cause the following e2fsck complaint:
+
+Inode 12, end of extent exceeds allowed value
+ (logical block 33, physical block 33441, len 7)
+
+This can only take place on a sparse file, where the fallocate(2) call
+is allocating blocks in a range which is before a pending delayed
+allocation write which is extending i_size. Since this situation is
+quite rare, and the window in which the crash must take place is
+typically < 30 seconds, in practice this condition will rarely happen.
+
+Nevertheless, it can be triggered in testing, and in particular by
+xfstests generic/456.
+
+Signed-off-by: Theodore Ts'o
+Reported-by: Amir Goldstein
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/extents.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4803,7 +4803,8 @@ static long ext4_zero_range(struct file
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
+@@ -4974,7 +4975,8 @@ long ext4_fallocate(struct file *file, i
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+- offset + len > i_size_read(inode)) {
++ (offset + len > i_size_read(inode) ||
++ offset + len > EXT4_I(inode)->i_disksize)) {
+ new_size = offset + len;
+ ret = inode_newsize_ok(inode, new_size);
+ if (ret)
diff --git a/queue-4.9/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch b/queue-4.9/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
new file mode 100644
index 00000000000..b238ec07292
--- /dev/null
+++ b/queue-4.9/fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
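Review bot: The same two-line size test is now written out twice, in ext4_zero_range() and in ext4_fallocate(), and neither copy says why `i_disksize` is compared in addition to `i_size`. A short comment at each site, e.g. `/* i_size can be ahead of i_disksize while delalloc writes are pending */`, would keep the second comparison from being removed as redundant. Computing the end once (`loff_t end = offset + len;`) would also make both conditions easier to read. Whether `offset + len` has been range-checked before this point cannot be seen, since both functions start and end outside their hunks.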
@@ -0,0 +1,40 @@
+From 11d49e9d089ccec81be87c2386dfdd010d7f7f6e Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 24 Sep 2017 18:36:44 -0400
+Subject: fix a page leak in vhost_scsi_iov_to_sgl() error recovery
+
+From: Al Viro
+
+commit 11d49e9d089ccec81be87c2386dfdd010d7f7f6e upstream.
+
+we are advancing sg as we go, so the pages we need to drop in
+case of error are *before* the current sg.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/scsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -693,6 +693,7 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+ struct scatterlist *sg, int sg_count)
+ {
+ size_t off = iter->iov_offset;
++ struct scatterlist *p = sg;
+ int i, ret;
+
+ for (i = 0; i < iter->nr_segs; i++) {
+@@ -701,8 +702,8 @@ vhost_scsi_iov_to_sgl(struct vhost_scsi_
+
+ ret = vhost_scsi_map_to_sgl(cmd, base, len, sg, write);
+ if (ret < 0) {
+- for (i = 0; i < sg_count; i++) {
+- struct page *page = sg_page(&sg[i]);
++ while (p < sg) {
++ struct page *page = sg_page(p++);
+ if (page)
+ put_page(page);
+ }
diff --git a/queue-4.9/fs-9p-compare-qid.path-in-v9fs_test_inode.patch b/queue-4.9/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
new file mode 100644
index 00000000000..6fa8fdf3e89
--- /dev/null
+++ b/queue-4.9/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
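Review bot: After this change `sg_count` is no longer referenced in the visible part of vhost_scsi_iov_to_sgl(), and the error path does not state the invariant it now depends on. The cleanup `while (p < sg)` is right only if `sg` is advanced solely past entries that vhost_scsi_map_to_sgl() fully populated, and that advance happens outside the hunk; a comment such as `/* entries p..sg-1 were mapped so far; drop their page references */` would record it. If the parameter turns out to be unused in the rest of the function it could be dropped in a follow-up, since the guest-supplied iovec count no longer bounds the cleanup.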
@@ -0,0 +1,51 @@
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov
+Signed-off-by: Tuomas Tynkkynen
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/9p/vfs_inode.c | 3 +++
+ fs/9p/vfs_inode_dotl.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+
+ if (v9inode->qid.type != st->qid.type)
+ return 0;
++
++ if (v9inode->qid.path != st->qid.path)
++ return 0;
+ return 1;
+ }
+
diff --git a/queue-4.9/irqchip-gic-v3-fix-ppi-partitions-lookup.patch b/queue-4.9/irqchip-gic-v3-fix-ppi-partitions-lookup.patch
new file mode 100644
index 00000000000..5a652b84e83
--- /dev/null
+++ b/queue-4.9/irqchip-gic-v3-fix-ppi-partitions-lookup.patch
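Review bot: The added `qid.path` comparison in v9fs_test_inode(), and the identical one in v9fs_test_inode_dotl(), is the check that actually tells two files apart, yet it sits last and has no comment. I would put above it `/* qid.path identifies the file on the server; type and version alone can match an unrelated inode in the same hash bucket */`, because a false match here hands back another file's cached inode. Both functions begin outside their hunks, so the earlier comparisons are only partly visible.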
@@ -0,0 +1,59 @@
+From 00ee9a1ca5080202bc37b44e998c3b2c74d45817 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Sat, 11 Nov 2017 17:51:25 +0100
+Subject: irqchip/gic-v3: Fix ppi-partitions lookup
+
+From: Johan Hovold
+
+commit 00ee9a1ca5080202bc37b44e998c3b2c74d45817 upstream.
+
+Fix child-node lookup during initialisation, which ended up searching
+the whole device tree depth-first starting at the parent rather than
+just matching on its children.
+
+To make things worse, the parent gic node was prematurely freed, while
+the ppi-partitions node was leaked.
+
+Fixes: e3825ba1af3a ("irqchip/gic-v3: Add support for partitioned PPIs")
+Signed-off-by: Johan Hovold
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-gic-v3.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -1022,18 +1022,18 @@ static void __init gic_populate_ppi_part
+ int nr_parts;
+ struct partition_affinity *parts;
+
+- parts_node = of_find_node_by_name(gic_node, "ppi-partitions");
++ parts_node = of_get_child_by_name(gic_node, "ppi-partitions");
+ if (!parts_node)
+ return;
+
+ nr_parts = of_get_child_count(parts_node);
+
+ if (!nr_parts)
+- return;
++ goto out_put_node;
+
+ parts = kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL);
+ if (WARN_ON(!parts))
+- return;
++ goto out_put_node;
+
+ for_each_child_of_node(parts_node, child_part) {
+ struct partition_affinity *part;
+@@ -1100,6 +1100,9 @@ static void __init gic_populate_ppi_part
+
+ gic_data.ppi_descs[i] = desc;
+ }
++
++out_put_node:
++ of_node_put(parts_node);
+ }
+
+ static void __init gic_of_setup_kvm_info(struct device_node *node)
diff --git a/queue-4.9/iscsi-target-fix-non-immediate-tmr-reference-leak.patch b/queue-4.9/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
new file mode 100644
index 00000000000..d0a32617356
--- /dev/null
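Review bot: The allocation kept as context in gic_populate_ppi_partitions(), `kzalloc(sizeof(*parts) * nr_parts, GFP_KERNEL)`, multiplies an `int` count read from the device tree with no overflow check; `parts = kcalloc(nr_parts, sizeof(*parts), GFP_KERNEL);` does the same job with the check built in. The new `out_put_node:` label is also reached by falling through on success, which is what drops the reference taken by of_get_child_by_name(); a one-line comment at the label would make that fall-through clearly intentional. Whether `parts` is released on early exits from the loop cannot be seen, because the middle of the function lies between the two hunks.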
+++ b/queue-4.9/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
@@ -0,0 +1,47 @@
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is proceeded our of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie
+Cc: Hannes Reinecke
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -2104,12 +2104,14 @@ attach:
+
+ if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+ int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+- if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++ if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+ out_of_order_cmdsn = 1;
+- else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++ } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++ target_put_sess_cmd(&cmd->se_cmd);
+ return 0;
+- else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++ } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+ return -1;
++ }
+ }
+ iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
+
diff --git a/queue-4.9/isofs-fix-timestamps-beyond-2027.patch b/queue-4.9/isofs-fix-timestamps-beyond-2027.patch
new file mode 100644
index 00000000000..03b40455923
--- /dev/null
+++ b/queue-4.9/isofs-fix-timestamps-beyond-2027.patch
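Review bot: The `target_put_sess_cmd(&cmd->se_cmd);` added in the CMDSN_LOWER_THAN_EXP branch has no comment saying which reference it drops, so the asymmetry with the CMDSN_ERROR_CANNOT_RECOVER branch, which returns -1 without a put, is left for the reader to work out. A line such as `/* drop the cmd_kref held for this TMR; the command is being discarded */` would help, and it is worth confirming that the -1 path has the same reference released by its caller. The function starts well before the hunk, which opens at the `attach:` label, so the place where the reference is taken is not visible.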
@@ -0,0 +1,64 @@
+From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 19 Oct 2017 16:47:48 +0200
+Subject: isofs: fix timestamps beyond 2027
+
+From: Arnd Bergmann
+
+commit 34be4dbf87fc3e474a842305394534216d428f5d upstream.
+
+isofs uses a 'char' variable to load the number of years since
+1900 for an inode timestamp. On architectures that use a signed
+char type by default, this results in an invalid date for
+anything beyond 2027.
+
+This changes the function argument to a 'u8' array, which
+is defined the same way on all architectures, and unambiguously
+lets us use years until 2155.
+
+This should be backported to all kernels that might still be
+in use by that date.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/isofs/isofs.h | 2 +-
+ fs/isofs/rock.h | 2 +-
+ fs/isofs/util.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(ch
+ /* Ignore bigendian datum due to broken mastering programs */
+ return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+
+ struct inode; /* To make gcc happy */
+
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -65,7 +65,7 @@ struct RR_PL_s {
+ };
+
+ struct stamp {
+- char time[7];
++ __u8 time[7]; /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+
+ struct RR_TF_s {
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -15,7 +15,7 @@
+ * to GMT. Thus we should always be correct.
+ */
+
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+ int year, month, day, hour, minute, second, tz;
+ int crtime;
diff --git a/queue-4.9/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch b/queue-4.9/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
new file mode 100644
index 00000000000..9f82e9d28bd
--- /dev/null
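Review bot: The comment added to `struct stamp` says the seventh byte is signed, but once iso_date() takes `u8 *p` nothing in the visible lines shows how that byte is sign-extended. The body of iso_date() is outside the hunk, so this may already be handled there; if the timezone offset is read as a plain `p[6]`, it needs an explicit conversion such as `tz = (s8)p[6];`, otherwise negative offsets from the on-disc record are read as large positive ones. Callers that still pass a `char *` also need a cast or a type change, which these three hunks do not show.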
+++ b/queue-4.9/libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
@@ -0,0 +1,42 @@
+From b11270853fa3654f08d4a6a03b23ddb220512d8d Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 6 Nov 2017 21:57:26 -0800
+Subject: libceph: don't WARN() if user tries to add invalid key
+
+From: Eric Biggers
+
+commit b11270853fa3654f08d4a6a03b23ddb220512d8d upstream.
+
+The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a
+user tries to add a key of type "ceph" with an invalid payload as
+follows (assuming CONFIG_CEPH_LIB=y):
+
+ echo -e -n '\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
+ | keyctl padd ceph desc @s
+
+This can be hit by fuzzers. As this is merely bad input and not a
+kernel bug, replace the WARN_ON() with return -EINVAL.
+
+Fixes: 7af3ea189a9a ("libceph: stop allocating a new cipher on every crypto request")
+Signed-off-by: Eric Biggers
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/crypto.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/crypto.c
++++ b/net/ceph/crypto.c
+@@ -34,7 +34,9 @@ static int set_secret(struct ceph_crypto
+ return -ENOTSUPP;
+ }
+
+- WARN_ON(!key->len);
++ if (!key->len)
++ return -EINVAL;
++
+ key->key = kmemdup(buf, key->len, GFP_NOIO);
+ if (!key->key) {
+ ret = -ENOMEM;
diff --git a/queue-4.9/lockd-double-unregister-of-inetaddr-notifiers.patch b/queue-4.9/lockd-double-unregister-of-inetaddr-notifiers.patch
new file mode 100644
index 00000000000..22716318dc6
--- /dev/null
+++ b/queue-4.9/lockd-double-unregister-of-inetaddr-notifiers.patch
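Review bot: The new check in set_secret() rejects only the empty key; `key->len` then goes straight into `kmemdup(buf, key->len, GFP_NOIO)`, and nothing in the hunk shows that it has been compared with the size of `buf`. The commit message says the payload arrives from userspace through the key API, so it is worth confirming that the caller bounds `key->len` before set_secret() runs and recording that above the check, e.g. `/* len comes from the user-supplied payload; the caller has verified it fits in buf */`. The function begins outside the hunk, so an earlier bound may exist that is not visible here.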
@@ -0,0 +1,71 @@
+From dc3033e16c59a2c4e62b31341258a5786cbcee56 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Fri, 20 Oct 2017 17:33:18 +0300
+Subject: lockd: double unregister of inetaddr notifiers
+
+From: Vasily Averin
+
+commit dc3033e16c59a2c4e62b31341258a5786cbcee56 upstream.
+
+lockd_up() can call lockd_unregister_notifiers twice:
+inside lockd_start_svc() when it calls lockd_svc_exit_thread()
+and then in error path of lockd_up()
+
+Patch forces lockd_start_svc() to unregister notifiers in all error cases
+and removes extra unregister in error path of lockd_up().
+
+Fixes: cb7d224f82e4 "lockd: unregister notifier blocks if the service ..."
+Signed-off-by: Vasily Averin
+Reviewed-by: Jeff Layton
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/lockd/svc.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/fs/lockd/svc.c
++++ b/fs/lockd/svc.c
+@@ -365,6 +365,7 @@ static int lockd_start_svc(struct svc_se
+ printk(KERN_WARNING
+ "lockd_up: svc_rqst allocation failed, error=%d\n",
+ error);
++ lockd_unregister_notifiers();
+ goto out_rqst;
+ }
+
+@@ -455,13 +456,16 @@ int lockd_up(struct net *net)
+ }
+
+ error = lockd_up_net(serv, net);
+- if (error < 0)
+- goto err_net;
++ if (error < 0) {
++ lockd_unregister_notifiers();
++ goto err_put;
++ }
+
+ error = lockd_start_svc(serv);
+- if (error < 0)
+- goto err_start;
+-
++ if (error < 0) {
++ lockd_down_net(serv, net);
++ goto err_put;
++ }
+ nlmsvc_users++;
+ /*
+ * Note: svc_serv structures have an initial use count of 1,
+@@ -472,12 +476,6 @@ err_put:
+ err_create:
+ mutex_unlock(&nlmsvc_mutex);
+ return error;
+-
+-err_start:
+- lockd_down_net(serv, net);
+-err_net:
+- lockd_unregister_notifiers();
+- goto err_put;
+ }
+ EXPORT_SYMBOL_GPL(lockd_up);
+
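Review bot: lockd_up() now depends on lockd_start_svc() having called lockd_unregister_notifiers() on every one of its failure paths, but the first hunk adds the call only to the svc_rqst allocation failure and the other exits are outside the hunks. A comment at the call site, `/* lockd_start_svc() unregisters the notifiers itself on failure */`, would keep someone from re-adding the unregister there and bringing the double unregister back. Replacing the `err_start`/`err_net` labels with cleanup inlined in each branch also departs from the goto-unwind style that `err_put` and `err_create` still follow, which makes the order of the two cleanups easier to get wrong when a further step is added.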
diff --git a/queue-4.9/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch b/queue-4.9/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
new file mode 100644
index 00000000000..c1253d24695
--- /dev/null
+++ b/queue-4.9/mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
@@ -0,0 +1,31 @@
+From 07d70913dce59f3c8e5d0ca76250861158a9ca6c Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund
+Date: Wed, 11 Oct 2017 12:40:55 +0200
+Subject: mfd: lpc_ich: Avoton/Rangeley uses SPI_BYT method
+
+From: Joakim Tjernlund
+
+commit 07d70913dce59f3c8e5d0ca76250861158a9ca6c upstream.
+
+Avoton/Rangeley are based on Silvermount micro-architecture, like
+Bay Trail, and uses the INTEL_SPI_BYT method to drive SPI.
+
+Signed-off-by: Joakim Tjernlund
+Acked-by: Mika Westerberg
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/lpc_ich.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/lpc_ich.c
++++ b/drivers/mfd/lpc_ich.c
+@@ -506,6 +506,7 @@ static struct lpc_ich_info lpc_chipset_i
+ .name = "Avoton SoC",
+ .iTCO_version = 3,
+ .gpio_version = AVOTON_GPIO,
++ .spi_type = INTEL_SPI_BYT,
+ },
+ [LPC_BAYTRAIL] = {
+ .name = "Bay Trail SoC",
diff --git a/queue-4.9/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch b/queue-4.9/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
new file mode 100644
index 00000000000..2c3ad4f00df
--- /dev/null
+++ b/queue-4.9/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
@@ -0,0 +1,39 @@
+From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001
+From: Mirko Parthey
+Date: Thu, 18 May 2017 21:30:03 +0200
+Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirko Parthey
+
+commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream.
+
+The WLAN LED on the Linksys WRT54GSv1 is active low, but the software
+treats it as active high. Fix the inverted logic.
+
+Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0")
+Signed-off-by: Mirko Parthey
+Looks-ok-by: Rafał Miłecki
+Cc: Hauke Mehrtens
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16071/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/bcm47xx/leds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -330,7 +330,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+- BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++ BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+ BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+ BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
diff --git a/queue-4.9/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch b/queue-4.9/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
new file mode 100644
index 00000000000..0c086430454
--- /dev/null
+++ b/queue-4.9/mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
@@ -0,0 +1,32 @@
+From 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Sun, 5 Nov 2017 14:30:52 +0900
+Subject: MIPS: dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry
+
+From: Masahiro Yamada
+
+commit 3cad14d56adbf7d621fc5a35db42f3acc0a2d6e8 upstream.
+
+arch/mips/boot/dts/brcm/bcm96358nb4ser.dts does not exist, so
+we cannot build bcm96358nb4ser.dtb .
+
+Signed-off-by: Masahiro Yamada
+Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom")
+Acked-by: James Hogan
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/boot/dts/brcm/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/mips/boot/dts/brcm/Makefile
++++ b/arch/mips/boot/dts/brcm/Makefile
+@@ -22,7 +22,6 @@ dtb-$(CONFIG_DT_NONE) += \
+ bcm63268-comtrend-vr-3032u.dtb \
+ bcm93384wvg.dtb \
+ bcm93384wvg_viper.dtb \
+- bcm96358nb4ser.dtb \
+ bcm96368mvwg.dtb \
+ bcm9ejtagprb.dtb \
+ bcm97125cbmb.dtb \
diff --git a/queue-4.9/mips-fix-an-n32-core-file-generation-regset-support-regression.patch b/queue-4.9/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
new file mode 100644
index 00000000000..5f5de5802ba
--- /dev/null
+++ b/queue-4.9/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
@@ -0,0 +1,83 @@
+From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Tue, 7 Nov 2017 19:09:20 +0000
+Subject: MIPS: Fix an n32 core file generation regset support regression
+
+From: Maciej W. Rozycki
+
+commit 547da673173de51f73887377eb275304775064ad upstream.
+
+Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
+core dumper to use regsets.)", that caused n32 processes to dump o32
+core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
+header's `e_flags' member:
+
+$ file tls-core
+tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...]
+$ ./tls-core
+Aborted (core dumped)
+$ file core
+core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
+$
+
+Previously the flag was set as the result of a:
+
+statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
+regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
+no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
+`->e_flags' member of the regset view chosen is. We have the views
+defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
+one, and the latter is used for n32 as well. Consequently an o32 core
+file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
+is chosen elsewhere, and the 32-bit one is correctly selected for n32).
+
+Correct the issue then by defining an n32 regset view and using it as
+appropriate. Issue discovered in GDB testing.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: Maciej W. Rozycki
+Cc: Ralf Baechle
+Cc: Djordje Todorovic
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17617/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/ptrace.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -647,6 +647,19 @@ static const struct user_regset_view use
+ .n = ARRAY_SIZE(mips64_regsets),
+ };
+
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++ .name = "mipsn32",
++ .e_flags = EF_MIPS_ABI2,
++ .e_machine = ELF_ARCH,
++ .ei_osabi = ELF_OSABI,
++ .regsets = mips64_regsets,
++ .n = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -658,6 +671,10 @@ const struct user_regset_view *task_user
+ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return &user_mips_view;
+ #endif
++#ifdef CONFIG_MIPS32_N32
++ if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++ return &user_mipsn32_view;
++#endif
+ return &user_mips64_view;
+ #endif
+ }
diff --git a/queue-4.9/mips-fix-odd-fp-register-warnings-with-mips64r2.patch b/queue-4.9/mips-fix-odd-fp-register-warnings-with-mips64r2.patch
new file mode 100644
index 00000000000..f4b47c47986
--- /dev/null
+++ b/queue-4.9/mips-fix-odd-fp-register-warnings-with-mips64r2.patch
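Review bot: The new TIF_32BIT_ADDR test in task_user_regset_view() gives the right answer only because it comes after the TIF_32BIT_REGS test, and nothing in the code says so. If o32 tasks also carry TIF_32BIT_ADDR, as I believe they do, swapping the two `#ifdef` blocks would make o32 tasks report the n32 view; a comment such as `/* must follow the o32 check: o32 tasks set TIF_32BIT_ADDR too */` would protect the ordering. The function's opening lines are outside the hunk, so the enclosing `#ifdef` structure is only partly visible.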
@@ -0,0 +1,79 @@
+From c7fd89a6407ea3a44a2a2fa12d290162c42499c4 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Fri, 10 Nov 2017 11:46:54 +0000
+Subject: MIPS: Fix odd fp register warnings with MIPS64r2
+
+From: James Hogan
+
+commit c7fd89a6407ea3a44a2a2fa12d290162c42499c4 upstream.
+
+Building 32-bit MIPS64r2 kernels produces warnings like the following
+on certain toolchains (such as GNU assembler 2.24.90, but not GNU
+assembler 2.28.51) since commit 22b8ba765a72 ("MIPS: Fix MIPS64 FP
+save/restore on 32-bit kernels"), due to the exposure of fpu_save_16odd
+from fpu_save_double and fpu_restore_16odd from fpu_restore_double:
+
+arch/mips/kernel/r4k_fpu.S:47: Warning: float register should be even, was 1
+...
+arch/mips/kernel/r4k_fpu.S:59: Warning: float register should be even, was 1
+...
+
+This appears to be because .set mips64r2 does not change the FPU ABI to
+64-bit when -march=mips64r2 (or e.g. -march=xlp) is provided on the
+command line on that toolchain, from the default FPU ABI of 32-bit due
+to the -mabi=32. This makes access to the odd FPU registers invalid.
+
+Fix by explicitly changing the FPU ABI with .set fp=64 directives in
+fpu_save_16odd and fpu_restore_16odd, and moving the undefine of fp up
+in asmmacro.h so fp doesn't turn into $30.
+
+Fixes: 22b8ba765a72 ("MIPS: Fix MIPS64 FP save/restore on 32-bit kernels")
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Paul Burton
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17656/
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/asmmacro.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -19,6 +19,9 @@
+ #include
+ #endif
+
++/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
++#undef fp
++
+ /*
+ * Helper macros for generating raw instruction encodings.
+ */
+@@ -105,6 +108,7 @@
+ .macro fpu_save_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ sdc1 $f1, THREAD_FPR1(\thread)
+ sdc1 $f3, THREAD_FPR3(\thread)
+@@ -163,6 +167,7 @@
+ .macro fpu_restore_16odd thread
+ .set push
+ .set mips64r2
++ .set fp=64
+ SET_HARDFLOAT
+ ldc1 $f1, THREAD_FPR1(\thread)
+ ldc1 $f3, THREAD_FPR3(\thread)
+@@ -234,9 +239,6 @@
+ .endm
+
+ #ifdef TOOLCHAIN_SUPPORTS_MSA
+-/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
+-#undef fp
+-
+ .macro _cfcmsa rd, cs
+ .set push
+ .set mips32r2
diff --git a/queue-4.9/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch b/queue-4.9/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
new file mode 100644
index 00000000000..b23e598e55d
--- /dev/null
+++ b/queue-4.9/mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
@@ -0,0 +1,34 @@
+From 8593b18ad348733b5d5ddfa0c79dcabf51dff308 Mon Sep 17 00:00:00 2001
+From: John Crispin
+Date: Mon, 20 Feb 2017 10:29:43 +0100
+Subject: MIPS: pci: Remove KERN_WARN instance inside the mt7620 driver
+
+From: John Crispin
+
+commit 8593b18ad348733b5d5ddfa0c79dcabf51dff308 upstream.
+
+Switch the printk() call to the prefered pr_warn() api.
+
+Fixes: 7e5873d3755c ("MIPS: pci: Add MT7620a PCIE driver")
+Signed-off-by: John Crispin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15321/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/pci/pci-mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/pci/pci-mt7620.c
++++ b/arch/mips/pci/pci-mt7620.c
+@@ -121,7 +121,7 @@ static int wait_pciephy_busy(void)
+ else
+ break;
+ if (retry++ > WAITRETRY_MAX) {
+- printk(KERN_WARN "PCIE-PHY retry failed.\n");
++ pr_warn("PCIE-PHY retry failed.\n");
+ return -1;
+ }
+ }
diff --git a/queue-4.9/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch b/queue-4.9/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
new file mode 100644
index 00000000000..13ab60aa813
--- /dev/null
+++ b/queue-4.9/mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
@@ -0,0 +1,50 @@
+From 30863e38ebeb500a31cecee8096fb5002677dd9b Mon Sep 17 00:00:00 2001
+From: Brent Taylor
+Date: Mon, 30 Oct 2017 22:32:45 -0500
+Subject: mtd: nand: Fix writing mtdoops to nand flash.
+
+From: Brent Taylor
+
+commit 30863e38ebeb500a31cecee8096fb5002677dd9b upstream.
+
+When mtdoops calls mtd_panic_write(), it eventually calls
+panic_nand_write() in nand_base.c. In order to properly wait for the
+nand chip to be ready in panic_nand_wait(), the chip must first be
+selected.
+
+When using the atmel nand flash controller, a panic would occur due to
+a NULL pointer exception.
+
+Fixes: 2af7c6539931 ("mtd: Add panic_write for NAND flashes")
+Signed-off-by: Brent Taylor
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/nand_base.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2935,15 +2935,18 @@ static int panic_nand_write(struct mtd_i
+ size_t *retlen, const uint8_t *buf)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
++ int chipnr = (int)(to >> chip->chip_shift);
+ struct mtd_oob_ops ops;
+ int ret;
+
+- /* Wait for the device to get ready */
+- panic_nand_wait(mtd, chip, 400);
+-
+ /* Grab the device */
+ panic_nand_get_device(chip, mtd, FL_WRITING);
+
++ chip->select_chip(mtd, chipnr);
++
++ /* Wait for the device to get ready */
++ panic_nand_wait(mtd, chip, 400);
++
+ memset(&ops, 0, sizeof(ops));
+ ops.len = len;
+ ops.datbuf = (uint8_t *)buf;
diff --git a/queue-4.9/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch b/queue-4.9/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
new file mode 100644
index 00000000000..408d61bde87
--- /dev/null
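Review bot: panic_nand_write() now derives `chipnr` from `to >> chip->chip_shift` and hands it to `chip->select_chip()` before anything in the visible lines has checked that `to` lies inside the device. If the caller does not guarantee that, an out-of-range chip index reaches the controller driver on the panic path, where a second fault is hard to diagnose; either a guard or a comment naming the caller that validates `to` would settle it. The hunk also shows no matching `chip->select_chip(mtd, -1)`, though the rest of the function is outside the hunk and the deselect may happen further down.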
+++ b/queue-4.9/mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch 
@@ -0,0 +1,95 @@
+From 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d Mon Sep 17 00:00:00 2001
+From: Xiaolei Li
+Date: Mon, 30 Oct 2017 10:39:56 +0800
+Subject: mtd: nand: mtk: fix infinite ECC decode IRQ issue
+
+From: Xiaolei Li
+
+commit 1d2fcdcf33339c7c8016243de0f7f31cf6845e8d upstream.
+
+For MT2701 NAND Controller, there may generate infinite ECC decode IRQ
+during long time burn test on some platforms. Once this issue occurred,
+the ECC decode IRQ status cannot be cleared in the IRQ handler function,
+and threads cannot be scheduled.
+
+ECC HW generates decode IRQ each sector, so there will have more than one
+decode IRQ if read one page of large page NAND.
+
+Currently, ECC IRQ handle flow is that we will check whether it is decode
+IRQ at first by reading the register ECC_DECIRQ_STA. This is a read-clear
+type register. If this IRQ is decode IRQ, then the ECC IRQ signal will be
+cleared at the same time.
+Secondly, we will check whether all sectors are decoded by reading the
+register ECC_DECDONE. This is because the current IRQ may be not dealed
+in time, and the next sectors have been decoded before reading the
+register ECC_DECIRQ_STA. Then, the next sectors's decode IRQs will not
+be generated.
+Thirdly, if all sectors are decoded by comparing with ecc->sectors, then we
+will complete ecc->done, set ecc->sectors as 0, and disable ECC IRQ by
+programming the register ECC_IRQ_REG(op) as 0. Otherwise, wait for the
+next ECC IRQ.
+
+But, there is a timing issue between step one and two. When we read the
+reigster ECC_DECIRQ_STA, all sectors are decoded except the last sector,
+and the ECC IRQ signal is cleared. But the last sector is decoded before
+reading ECC_DECDONE, so the ECC IRQ signal is enabled again by ECC HW, and
+it means we will receive one extra ECC IRQ later. In step three, we will
+find that all sectors were decoded, then disable ECC IRQ and return.
+When deal with the extra ECC IRQ, the ECC IRQ status cannot be cleared
+anymore. That is because the register ECC_DECIRQ_STA can only be cleared
+when the register ECC_IRQ_REG(op) is enabled. But actually we have
+disabled ECC IRQ in the previous ECC IRQ handle. So, there will
+keep receiving ECC decode IRQ.
+
+Now, we read the register ECC_DECIRQ_STA once again before completing the
+ecc done event. This ensures that there will be no extra ECC decode IRQ.
+
+Also, remove writel(0, ecc->regs + ECC_IRQ_REG(op)) from irq handler,
+because ECC IRQ is disabled in mtk_ecc_disable(). And clear ECC_DECIRQ_STA
+in mtk_ecc_disable() in case there is a timeout to wait decode IRQ.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/mtk_ecc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/mtk_ecc.c
++++ b/drivers/mtd/nand/mtk_ecc.c
+@@ -116,6 +116,11 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ op = ECC_DECODE;
+ dec = readw(ecc->regs + ECC_DECDONE);
+ if (dec & ecc->sectors) {
++ /*
++ * Clear decode IRQ status once again to ensure that
++ * there will be no extra IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ ecc->sectors = 0;
+ complete(&ecc->done);
+ } else {
+@@ -131,8 +136,6 @@ static irqreturn_t mtk_ecc_irq(int irq,
+ }
+ }
+
+- writel(0, ecc->regs + ECC_IRQ_REG(op));
+-
+ return IRQ_HANDLED;
+ }
+
+@@ -342,6 +345,12 @@ void mtk_ecc_disable(struct mtk_ecc *ecc
+
+ /* disable it */
+ mtk_ecc_wait_idle(ecc, op);
++ if (op == ECC_DECODE)
++ /*
++ * Clear decode IRQ status in case there is a timeout to wait
++ * decode IRQ.
++ */
++ readw(ecc->regs + ECC_DECIRQ_STA);
+ writew(0, ecc->regs + ECC_IRQ_REG(op));
+ writew(ECC_OP_DISABLE, ecc->regs + ECC_CTL_REG(op));
+
diff --git a/queue-4.9/mtd-nand-omap2-fix-subpage-write.patch b/queue-4.9/mtd-nand-omap2-fix-subpage-write.patch
new file mode 100644
index 00000000000..3c59d3f3df3
--- /dev/null
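Review bot: In the mtk_ecc_disable() hunk the body of `if (op == ECC_DECODE)` is a four-line comment followed by a bare `readw()`, with no braces. With the body spread over five lines it is easy to misread the following `writew(0, ...)` as conditional, and the next statement someone adds under the comment will silently fall outside the `if`; I would write it as `if (op == ECC_DECODE) {` ... `}`. Both added `readw(ecc->regs + ECC_DECIRQ_STA)` calls discard the value on purpose, since the commit message describes the register as read-clear, and the comments cover that. mtk_ecc_disable() starts and ends outside the hunk.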
+++ b/queue-4.9/mtd-nand-omap2-fix-subpage-write.patch 
@@ -0,0 +1,460 @@ +From 739c64414f01748a36e7d82c8e0611dea94412bd Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Fri, 20 Oct 2017 15:16:21 +0300 +Subject: mtd: nand: omap2: Fix subpage write + +From: Roger Quadros + +commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream. + +Since v4.12, NAND subpage writes were causing a NULL pointer +dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW, +OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW. + +This is because for those ECC modes, omap_calculate_ecc_bch() +generates ECC bytes for the entire (multi-sector) page and this can +overflow the ECC buffer provided by nand_write_subpage_hwecc() +as it expects ecc.calculate() to return ECC bytes for just one sector. + +However, the root cause of the problem is present since v3.9 +but was not seen then as NAND buffers were being allocated +as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate +aligned buffers if NAND_OWN_BUFFERS is unset"). + +Fix the issue by providing a OMAP optimized write_subpage() +implementation. 
+ +Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error correction.") +Signed-off-by: Roger Quadros +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/omap2.c | 339 +++++++++++++++++++++++++++++++---------------- + 1 file changed, 224 insertions(+), 115 deletions(-) + +--- a/drivers/mtd/nand/omap2.c ++++ b/drivers/mtd/nand/omap2.c +@@ -1133,129 +1133,172 @@ static u8 bch8_polynomial[] = {0xef, 0x + 0x97, 0x79, 0xe5, 0x24, 0xb5}; + + /** +- * omap_calculate_ecc_bch - Generate bytes of ECC bytes ++ * _omap_calculate_ecc_bch - Generate ECC bytes for one sector + * @mtd: MTD device structure + * @dat: The pointer to data on which ecc is computed + * @ecc_code: The ecc_code buffer ++ * @i: The sector number (for a multi sector page) + * +- * Support calculating of BCH4/8 ecc vectors for the page ++ * Support calculating of BCH4/8/16 ECC vectors for one sector ++ * within a page. Sector number is in @i. + */ +-static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd, +- const u_char *dat, u_char *ecc_calc) ++static int _omap_calculate_ecc_bch(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc, int i) + { + struct omap_nand_info *info = mtd_to_omap(mtd); + int eccbytes = info->nand.ecc.bytes; + struct gpmc_nand_regs *gpmc_regs = &info->reg; + u8 *ecc_code; +- unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4; ++ unsigned long bch_val1, bch_val2, bch_val3, bch_val4; + u32 val; +- int i, j; ++ int j; ++ ++ ecc_code = ecc_calc; ++ switch (info->ecc_opt) { ++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: ++ case OMAP_ECC_BCH8_CODE_HW: ++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); ++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); ++ bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]); ++ bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]); ++ *ecc_code++ = (bch_val4 & 0xFF); ++ *ecc_code++ = ((bch_val3 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val3 >> 16) & 0xFF); ++ *ecc_code++ = 
((bch_val3 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val3 & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 16) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val2 & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 24) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 16) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 8) & 0xFF); ++ *ecc_code++ = (bch_val1 & 0xFF); ++ break; ++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: ++ case OMAP_ECC_BCH4_CODE_HW: ++ bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); ++ bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); ++ *ecc_code++ = ((bch_val2 >> 12) & 0xFF); ++ *ecc_code++ = ((bch_val2 >> 4) & 0xFF); ++ *ecc_code++ = ((bch_val2 & 0xF) << 4) | ++ ((bch_val1 >> 28) & 0xF); ++ *ecc_code++ = ((bch_val1 >> 20) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 12) & 0xFF); ++ *ecc_code++ = ((bch_val1 >> 4) & 0xFF); ++ *ecc_code++ = ((bch_val1 & 0xF) << 4); ++ break; ++ case OMAP_ECC_BCH16_CODE_HW: ++ val = readl(gpmc_regs->gpmc_bch_result6[i]); ++ ecc_code[0] = ((val >> 8) & 0xFF); ++ ecc_code[1] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result5[i]); ++ ecc_code[2] = ((val >> 24) & 0xFF); ++ ecc_code[3] = ((val >> 16) & 0xFF); ++ ecc_code[4] = ((val >> 8) & 0xFF); ++ ecc_code[5] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result4[i]); ++ ecc_code[6] = ((val >> 24) & 0xFF); ++ ecc_code[7] = ((val >> 16) & 0xFF); ++ ecc_code[8] = ((val >> 8) & 0xFF); ++ ecc_code[9] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result3[i]); ++ ecc_code[10] = ((val >> 24) & 0xFF); ++ ecc_code[11] = ((val >> 16) & 0xFF); ++ ecc_code[12] = ((val >> 8) & 0xFF); ++ ecc_code[13] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result2[i]); ++ ecc_code[14] = ((val >> 24) & 0xFF); ++ ecc_code[15] = ((val >> 16) & 0xFF); ++ ecc_code[16] = ((val >> 8) & 0xFF); ++ ecc_code[17] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result1[i]); ++ ecc_code[18] = ((val >> 24) & 0xFF); ++ 
ecc_code[19] = ((val >> 16) & 0xFF); ++ ecc_code[20] = ((val >> 8) & 0xFF); ++ ecc_code[21] = ((val >> 0) & 0xFF); ++ val = readl(gpmc_regs->gpmc_bch_result0[i]); ++ ecc_code[22] = ((val >> 24) & 0xFF); ++ ecc_code[23] = ((val >> 16) & 0xFF); ++ ecc_code[24] = ((val >> 8) & 0xFF); ++ ecc_code[25] = ((val >> 0) & 0xFF); ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ /* ECC scheme specific syndrome customizations */ ++ switch (info->ecc_opt) { ++ case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: ++ /* Add constant polynomial to remainder, so that ++ * ECC of blank pages results in 0x0 on reading back ++ */ ++ for (j = 0; j < eccbytes; j++) ++ ecc_calc[j] ^= bch4_polynomial[j]; ++ break; ++ case OMAP_ECC_BCH4_CODE_HW: ++ /* Set 8th ECC byte as 0x0 for ROM compatibility */ ++ ecc_calc[eccbytes - 1] = 0x0; ++ break; ++ case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: ++ /* Add constant polynomial to remainder, so that ++ * ECC of blank pages results in 0x0 on reading back ++ */ ++ for (j = 0; j < eccbytes; j++) ++ ecc_calc[j] ^= bch8_polynomial[j]; ++ break; ++ case OMAP_ECC_BCH8_CODE_HW: ++ /* Set 14th ECC byte as 0x0 for ROM compatibility */ ++ ecc_calc[eccbytes - 1] = 0x0; ++ break; ++ case OMAP_ECC_BCH16_CODE_HW: ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ ++/** ++ * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction ++ * @mtd: MTD device structure ++ * @dat: The pointer to data on which ecc is computed ++ * @ecc_code: The ecc_code buffer ++ * ++ * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used ++ * when SW based correction is required as ECC is required for one sector ++ * at a time. 
++ */ ++static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc) ++{ ++ return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0); ++} ++ ++/** ++ * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors ++ * @mtd: MTD device structure ++ * @dat: The pointer to data on which ecc is computed ++ * @ecc_code: The ecc_code buffer ++ * ++ * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go. ++ */ ++static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd, ++ const u_char *dat, u_char *ecc_calc) ++{ ++ struct omap_nand_info *info = mtd_to_omap(mtd); ++ int eccbytes = info->nand.ecc.bytes; ++ unsigned long nsectors; ++ int i, ret; + + nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1; + for (i = 0; i < nsectors; i++) { +- ecc_code = ecc_calc; +- switch (info->ecc_opt) { +- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: +- case OMAP_ECC_BCH8_CODE_HW: +- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); +- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); +- bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]); +- bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]); +- *ecc_code++ = (bch_val4 & 0xFF); +- *ecc_code++ = ((bch_val3 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val3 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val3 >> 8) & 0xFF); +- *ecc_code++ = (bch_val3 & 0xFF); +- *ecc_code++ = ((bch_val2 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 8) & 0xFF); +- *ecc_code++ = (bch_val2 & 0xFF); +- *ecc_code++ = ((bch_val1 >> 24) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 16) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 8) & 0xFF); +- *ecc_code++ = (bch_val1 & 0xFF); +- break; +- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: +- case OMAP_ECC_BCH4_CODE_HW: +- bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); +- bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); +- *ecc_code++ = ((bch_val2 >> 12) & 0xFF); +- *ecc_code++ = ((bch_val2 >> 4) & 0xFF); +- *ecc_code++ = ((bch_val2 & 
0xF) << 4) | +- ((bch_val1 >> 28) & 0xF); +- *ecc_code++ = ((bch_val1 >> 20) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 12) & 0xFF); +- *ecc_code++ = ((bch_val1 >> 4) & 0xFF); +- *ecc_code++ = ((bch_val1 & 0xF) << 4); +- break; +- case OMAP_ECC_BCH16_CODE_HW: +- val = readl(gpmc_regs->gpmc_bch_result6[i]); +- ecc_code[0] = ((val >> 8) & 0xFF); +- ecc_code[1] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result5[i]); +- ecc_code[2] = ((val >> 24) & 0xFF); +- ecc_code[3] = ((val >> 16) & 0xFF); +- ecc_code[4] = ((val >> 8) & 0xFF); +- ecc_code[5] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result4[i]); +- ecc_code[6] = ((val >> 24) & 0xFF); +- ecc_code[7] = ((val >> 16) & 0xFF); +- ecc_code[8] = ((val >> 8) & 0xFF); +- ecc_code[9] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result3[i]); +- ecc_code[10] = ((val >> 24) & 0xFF); +- ecc_code[11] = ((val >> 16) & 0xFF); +- ecc_code[12] = ((val >> 8) & 0xFF); +- ecc_code[13] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result2[i]); +- ecc_code[14] = ((val >> 24) & 0xFF); +- ecc_code[15] = ((val >> 16) & 0xFF); +- ecc_code[16] = ((val >> 8) & 0xFF); +- ecc_code[17] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result1[i]); +- ecc_code[18] = ((val >> 24) & 0xFF); +- ecc_code[19] = ((val >> 16) & 0xFF); +- ecc_code[20] = ((val >> 8) & 0xFF); +- ecc_code[21] = ((val >> 0) & 0xFF); +- val = readl(gpmc_regs->gpmc_bch_result0[i]); +- ecc_code[22] = ((val >> 24) & 0xFF); +- ecc_code[23] = ((val >> 16) & 0xFF); +- ecc_code[24] = ((val >> 8) & 0xFF); +- ecc_code[25] = ((val >> 0) & 0xFF); +- break; +- default: +- return -EINVAL; +- } +- +- /* ECC scheme specific syndrome customizations */ +- switch (info->ecc_opt) { +- case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: +- /* Add constant polynomial to remainder, so that +- * ECC of blank pages results in 0x0 on reading back */ +- for (j = 0; j < eccbytes; j++) +- ecc_calc[j] ^= bch4_polynomial[j]; +- break; +- case 
OMAP_ECC_BCH4_CODE_HW: +- /* Set 8th ECC byte as 0x0 for ROM compatibility */ +- ecc_calc[eccbytes - 1] = 0x0; +- break; +- case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: +- /* Add constant polynomial to remainder, so that +- * ECC of blank pages results in 0x0 on reading back */ +- for (j = 0; j < eccbytes; j++) +- ecc_calc[j] ^= bch8_polynomial[j]; +- break; +- case OMAP_ECC_BCH8_CODE_HW: +- /* Set 14th ECC byte as 0x0 for ROM compatibility */ +- ecc_calc[eccbytes - 1] = 0x0; +- break; +- case OMAP_ECC_BCH16_CODE_HW: +- break; +- default: +- return -EINVAL; +- } ++ ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i); ++ if (ret) ++ return ret; + +- ecc_calc += eccbytes; ++ ecc_calc += eccbytes; + } + + return 0; +@@ -1496,7 +1539,7 @@ static int omap_write_page_bch(struct mt + chip->write_buf(mtd, buf, mtd->writesize); + + /* Update ecc vector from GPMC result registers */ +- chip->ecc.calculate(mtd, buf, &ecc_calc[0]); ++ omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]); + + ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0, + chip->ecc.total); +@@ -1509,6 +1552,72 @@ static int omap_write_page_bch(struct mt + } + + /** ++ * omap_write_subpage_bch - BCH hardware ECC based subpage write ++ * @mtd: mtd info structure ++ * @chip: nand chip info structure ++ * @offset: column address of subpage within the page ++ * @data_len: data length ++ * @buf: data buffer ++ * @oob_required: must write chip->oob_poi to OOB ++ * @page: page number to write ++ * ++ * OMAP optimized subpage write method. 
++ */ ++static int omap_write_subpage_bch(struct mtd_info *mtd, ++ struct nand_chip *chip, u32 offset, ++ u32 data_len, const u8 *buf, ++ int oob_required, int page) ++{ ++ u8 *ecc_calc = chip->buffers->ecccalc; ++ int ecc_size = chip->ecc.size; ++ int ecc_bytes = chip->ecc.bytes; ++ int ecc_steps = chip->ecc.steps; ++ u32 start_step = offset / ecc_size; ++ u32 end_step = (offset + data_len - 1) / ecc_size; ++ int step, ret = 0; ++ ++ /* ++ * Write entire page at one go as it would be optimal ++ * as ECC is calculated by hardware. ++ * ECC is calculated for all subpages but we choose ++ * only what we want. ++ */ ++ ++ /* Enable GPMC ECC engine */ ++ chip->ecc.hwctl(mtd, NAND_ECC_WRITE); ++ ++ /* Write data */ ++ chip->write_buf(mtd, buf, mtd->writesize); ++ ++ for (step = 0; step < ecc_steps; step++) { ++ /* mask ECC of un-touched subpages by padding 0xFF */ ++ if (step < start_step || step > end_step) ++ memset(ecc_calc, 0xff, ecc_bytes); ++ else ++ ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step); ++ ++ if (ret) ++ return ret; ++ ++ buf += ecc_size; ++ ecc_calc += ecc_bytes; ++ } ++ ++ /* copy calculated ECC for whole page to chip->buffer->oob */ ++ /* this include masked-value(0xFF) for unwritten subpages */ ++ ecc_calc = chip->buffers->ecccalc; ++ ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0, ++ chip->ecc.total); ++ if (ret) ++ return ret; ++ ++ /* write OOB buffer to NAND device */ ++ chip->write_buf(mtd, chip->oob_poi, mtd->oobsize); ++ ++ return 0; ++} ++ ++/** + * omap_read_page_bch - BCH ecc based page read function for entire page + * @mtd: mtd info structure + * @chip: nand chip info structure +@@ -1544,7 +1653,7 @@ static int omap_read_page_bch(struct mtd + chip->ecc.total); + + /* Calculate ecc bytes */ +- chip->ecc.calculate(mtd, buf, ecc_calc); ++ omap_calculate_ecc_bch_multi(mtd, buf, ecc_calc); + + ret = mtd_ooblayout_get_eccbytes(mtd, ecc_code, chip->oob_poi, 0, + chip->ecc.total); +@@ -2044,7 +2153,7 @@ static int 
omap_nand_probe(struct platfo + nand_chip->ecc.strength = 4; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = nand_bch_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; ++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw; + mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops); + /* Reserve one byte for the OMAP marker */ + oobbytes_per_step = nand_chip->ecc.bytes + 1; +@@ -2066,9 +2175,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 4; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + +@@ -2087,7 +2196,7 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 8; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = nand_bch_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; ++ nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw; + mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops); + /* Reserve one byte for the OMAP marker */ + oobbytes_per_step = nand_chip->ecc.bytes + 1; +@@ -2109,9 +2218,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 8; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; + nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + +@@ -2131,9 +2240,9 @@ static int omap_nand_probe(struct platfo + nand_chip->ecc.strength = 16; + nand_chip->ecc.hwctl = omap_enable_hwecc_bch; 
+ nand_chip->ecc.correct = omap_elm_correct_data; +- nand_chip->ecc.calculate = omap_calculate_ecc_bch; + nand_chip->ecc.read_page = omap_read_page_bch; + nand_chip->ecc.write_page = omap_write_page_bch; ++ nand_chip->ecc.write_subpage = omap_write_subpage_bch; + mtd_set_ooblayout(mtd, &omap_ooblayout_ops); + oobbytes_per_step = nand_chip->ecc.bytes; + diff --git a/queue-4.9/nfs-avoid-rcu-usage-in-tracepoints.patch b/queue-4.9/nfs-avoid-rcu-usage-in-tracepoints.patch new file mode 100644 index 00000000000..44044215ed9 --- /dev/null +++ b/queue-4.9/nfs-avoid-rcu-usage-in-tracepoints.patch 
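Review bot: The new omap_write_subpage_bch() passes `step` straight into _omap_calculate_ecc_bch(), where it indexes `gpmc_bch_result0[i]` through `gpmc_bch_result6[i]`, and nothing in the hunk bounds it. omap_calculate_ecc_bch_multi() is limited by the 3-bit field it reads from gpmc_ecc_config (at most 8 sectors), but the subpage path loops to `chip->ecc.steps` instead. The size of those register arrays is not visible here, so this may already be guaranteed at probe time; if it is not, a guard at the top of the helper such as `if (i < 0 || i >= ARRAY_SIZE(gpmc_regs->gpmc_bch_result0)) return -EINVAL;` would make the limit explicit. Separately, the three new kernel-doc blocks document `@ecc_code` while the parameter is named `ecc_calc`.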
@@ -0,0 +1,88 @@
+From 3944369db701f075092357b511fd9f5755771585 Mon Sep 17 00:00:00 2001
+From: Anna Schumaker
+Date: Wed, 1 Nov 2017 15:48:43 -0400
+Subject: NFS: Avoid RCU usage in tracepoints
+
+From: Anna Schumaker
+
+commit 3944369db701f075092357b511fd9f5755771585 upstream.
+
+There isn't an obvious way to acquire and release the RCU lock during a
+tracepoint, so we can't use the rpc_peeraddr2str() function here.
+Instead, rely on the client's cl_hostname, which should have similar
+enough information without needing an rcu_dereference().
+
+Reported-by: Dave Jones
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4trace.h | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+--- a/fs/nfs/nfs4trace.h
++++ b/fs/nfs/nfs4trace.h
+@@ -201,17 +201,13 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event,
+ TP_ARGS(clp, error),
+
+ TP_STRUCT__entry(
+- __string(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR))
++ __string(dstaddr, clp->cl_hostname)
+ __field(int, error)
+ ),
+
+ TP_fast_assign(
+ __entry->error = error;
+- __assign_str(dstaddr,
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR));
++ __assign_str(dstaddr, clp->cl_hostname);
+ ),
+
+ TP_printk(
+@@ -1103,9 +1099,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_fast_assign(
+@@ -1118,9 +1112,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ ),
+
+ TP_printk(
+@@ -1162,9 +1154,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __field(dev_t, dev)
+ __field(u32, fhandle)
+ __field(u64, fileid)
+- __string(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __string(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __field(int, stateid_seq)
+ __field(u32, stateid_hash)
+ ),
+@@ -1179,9 +1169,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ __entry->fileid = 0;
+ __entry->dev = 0;
+ }
+- __assign_str(dstaddr, clp ?
+- rpc_peeraddr2str(clp->cl_rpcclient,
+- RPC_DISPLAY_ADDR) : "unknown")
++ __assign_str(dstaddr, clp ? clp->cl_hostname : "unknown")
+ __entry->stateid_seq =
+ be32_to_cpu(stateid->seqid);
+ __entry->stateid_hash =
diff --git a/queue-4.9/nfs-fix-typo-in-nomigration-mount-option.patch b/queue-4.9/nfs-fix-typo-in-nomigration-mount-option.patch
new file mode 100644
index 00000000000..0ddd7d0df48
--- /dev/null
+++ b/queue-4.9/nfs-fix-typo-in-nomigration-mount-option.patch
@@ -0,0 +1,30 @@
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1339,7 +1339,7 @@ static int nfs_parse_mount_options(char
+ mnt->options |= NFS_OPTION_MIGRATION;
+ break;
+ case Opt_nomigration:
+- mnt->options &= NFS_OPTION_MIGRATION;
++ mnt->options &= ~NFS_OPTION_MIGRATION;
+ break;
+
+ /*
diff --git a/queue-4.9/nfs-fix-ugly-referral-attributes.patch b/queue-4.9/nfs-fix-ugly-referral-attributes.patch
new file mode 100644
index 00000000000..1179326b252
--- /dev/null
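Review bot: The trace field keeps the name `dstaddr` in fs/nfs/nfs4trace.h although it now records `clp->cl_hostname` rather than the string rpc_peeraddr2str() produced. Anyone correlating these events with network logs will read a host name as if it were the peer address, and the commit message itself only promises "similar enough information". A comment at the first `__string(dstaddr, clp->cl_hostname)`, for example `/* cl_hostname, not the transport address: avoids rcu_dereference() in the tracepoint */`, would record that; the same applies to the nfs4_inode_callback_ and nfs4_inode_stateid_c hunks. Renaming the field would be clearer but changes the trace format, so the comment is the smaller step.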
+++ b/queue-4.9/nfs-fix-ugly-referral-attributes.patch 
@@ -0,0 +1,85 @@
+From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sun, 5 Nov 2017 15:45:22 -0500
+Subject: nfs: Fix ugly referral attributes
+
+From: Chuck Lever
+
+commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.
+
+Before traversing a referral and performing a mount, the mounted-on
+directory looks strange:
+
+dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0
+
+nfs4_get_referral is wiping out any cached attributes with what was
+returned via GETATTR(fs_locations), but the bit mask for that
+operation does not request any file attributes.
+
+Retrieve owner and timestamp information so that the memcpy in
+nfs4_get_referral fills in more attributes.
+
+Changes since v1:
+- Don't request attributes that the client unconditionally replaces
+- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
+- encode_fs_locations() doesn't use the third bitmask word
+
+Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
+Suggested-by: Pradeep Thomas
+Signed-off-by: Chuck Lever
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -256,15 +256,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
+ };
+
+ const u32 nfs4_fs_locations_bitmap[3] = {
+- FATTR4_WORD0_TYPE
+- | FATTR4_WORD0_CHANGE
++ FATTR4_WORD0_CHANGE
+ | FATTR4_WORD0_SIZE
+ | FATTR4_WORD0_FSID
+ | FATTR4_WORD0_FILEID
+ | FATTR4_WORD0_FS_LOCATIONS,
+- FATTR4_WORD1_MODE
+- | FATTR4_WORD1_NUMLINKS
+- | FATTR4_WORD1_OWNER
++ FATTR4_WORD1_OWNER
+ | FATTR4_WORD1_OWNER_GROUP
+ | FATTR4_WORD1_RAWDEV
+ | FATTR4_WORD1_SPACE_USED
+@@ -6678,9 +6675,7 @@ static int _nfs4_proc_fs_locations(struc
+ struct page *page)
+ {
+ struct nfs_server *server = NFS_SERVER(dir);
+- u32 bitmask[3] = {
+- [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+- };
++ u32 bitmask[3];
+ struct nfs4_fs_locations_arg args = {
+ .dir_fh = NFS_FH(dir),
+ .name = name,
+@@ -6699,12 +6694,15 @@ static int _nfs4_proc_fs_locations(struc
+
+ dprintk("%s: start\n", __func__);
+
++ bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++ bitmask[1] = nfs4_fattr_bitmap[1];
++
+ /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+ * is not supported */
+ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+- bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++ bitmask[0] &= ~FATTR4_WORD0_FILEID;
+ else
+- bitmask[0] |= FATTR4_WORD0_FILEID;
++ bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+
+ nfs_fattr_init(&fs_locations->fattr);
+ fs_locations->server = server;
diff --git a/queue-4.9/nfsd-deal-with-revoked-delegations-appropriately.patch b/queue-4.9/nfsd-deal-with-revoked-delegations-appropriately.patch
new file mode 100644
index 00000000000..8cad90107fa
--- /dev/null
+++ b/queue-4.9/nfsd-deal-with-revoked-delegations-appropriately.patch
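Review bot: `u32 bitmask[3];` in _nfs4_proc_fs_locations() loses its initialiser, and the hunk then assigns only `bitmask[0]` and `bitmask[1]`, so `bitmask[2]` holds whatever was on the stack. The commit message says encode_fs_locations() does not use the third word, but that encoder is not visible here and the `args` initialiser is cut off by the hunk. If any consumer of the array ever reads word 2, uninitialised kernel stack ends up in the request. Declaring it as `u32 bitmask[3] = { 0 };`, or adding `bitmask[2] = 0;` next to the two assignments, costs nothing and removes the dependency on that encoder detail.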
@@ -0,0 +1,84 @@
+From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001
+From: Andrew Elble
+Date: Fri, 3 Nov 2017 14:06:31 -0400
+Subject: nfsd: deal with revoked delegations appropriately
+
+From: Andrew Elble
+
+commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream.
+
+If a delegation has been revoked by the server, operations using that
+delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1
+case, and NFS4ERR_BAD_STATEID otherwise.
+
+The server needs NFSv4.1 clients to explicitly free revoked delegations.
+If the server returns NFS4ERR_DELEG_REVOKED, the client will do that;
+otherwise it may just forget about the delegation and be unable to
+recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a
+SEQUENCE reply. That can cause the Linux 4.1 client to loop in its
+stage manager.
+
+Signed-off-by: Andrew Elble
+Reviewed-by: Trond Myklebust
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4state.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3967,7 +3967,8 @@ static struct nfs4_delegation *find_dele
+ {
+ struct nfs4_stid *ret;
+
+- ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID);
++ ret = find_stateid_by_type(cl, s,
++ NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID);
+ if (!ret)
+ return NULL;
+ return delegstateid(ret);
+@@ -3990,6 +3991,12 @@ nfs4_check_deleg(struct nfs4_client *cl,
+ deleg = find_deleg_stateid(cl, &open->op_delegate_stateid);
+ if (deleg == NULL)
+ goto out;
++ if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) {
++ nfs4_put_stid(&deleg->dl_stid);
++ if (cl->cl_minorversion)
++ status = nfserr_deleg_revoked;
++ goto out;
++ }
+ flags = share_access_to_flags(open->op_share_access);
+ status = nfs4_check_delegmode(deleg, flags);
+ if (status) {
+@@ -4858,6 +4865,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ struct nfs4_stid **s, struct nfsd_net *nn)
+ {
+ __be32 status;
++ bool return_revoked = false;
++
++ /*
++ * only return revoked delegations if explicitly asked.
++ * otherwise we report revoked or bad_stateid status.
++ */
++ if (typemask & NFS4_REVOKED_DELEG_STID)
++ return_revoked = true;
++ else if (typemask & NFS4_DELEG_STID)
++ typemask |= NFS4_REVOKED_DELEG_STID;
+
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+ return nfserr_bad_stateid;
+@@ -4872,6 +4889,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ *s = find_stateid_by_type(cstate->clp, stateid, typemask);
+ if (!*s)
+ return nfserr_bad_stateid;
++ if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) {
++ nfs4_put_stid(*s);
++ if (cstate->minorversion)
++ return nfserr_deleg_revoked;
++ return nfserr_bad_stateid;
++ }
+ return nfs_ok;
+ }
+
diff --git a/queue-4.9/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch b/queue-4.9/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
new file mode 100644
index 00000000000..7647461609b
--- /dev/null
+++ b/queue-4.9/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
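Review bot: Only nfs4_check_deleg() is shown checking `sc_type` for NFS4_REVOKED_DELEG_STID, yet find_deleg_stateid() is widened to return revoked delegations to every caller. Any caller outside these hunks would now receive a revoked delegation and treat it as live, so the contract belongs on the function itself, for example `/* May return a revoked delegation (sc_type == NFS4_REVOKED_DELEG_STID); callers must check and drop the reference */`. In nfs4_check_deleg() the revoked branch leaves `status` untouched when `cl->cl_minorversion` is 0; its initial value lies outside the hunk, so confirm it is the bad-stateid error the commit message describes.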
@@ -0,0 +1,84 @@ +From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001 +From: Andreas Rohner +Date: Fri, 17 Nov 2017 15:29:35 -0800 +Subject: nilfs2: fix race condition that causes file system corruption + +From: Andreas Rohner + +commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream. + +There is a race condition between nilfs_dirty_inode() and +nilfs_set_file_dirty(). + +When a file is opened, nilfs_dirty_inode() is called to update the +access timestamp in the inode. It calls __nilfs_mark_inode_dirty() in a +separate transaction. __nilfs_mark_inode_dirty() caches the ifile +buffer_head in the i_bh field of the inode info structure and marks it +as dirty. + +After some data was written to the file in another transaction, the +function nilfs_set_file_dirty() is called, which adds the inode to the +ns_dirty_files list. + +Then the segment construction calls nilfs_segctor_collect_dirty_files(), +which goes through the ns_dirty_files list and checks the i_bh field. +If there is a cached buffer_head in i_bh it is not marked as dirty +again. + +Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate +transactions, it is possible that a segment construction that writes out +the ifile occurs in-between the two. If this happens the inode is not +on the ns_dirty_files list, but its ifile block is still marked as dirty +and written out. + +In the next segment construction, the data for the file is written out +and nilfs_bmap_propagate() updates the b-tree. Eventually the bmap root +is written into the i_bh block, which is not dirty, because it was +written out in another segment construction. + +As a result the bmap update can be lost, which leads to file system +corruption. Either the virtual block address points to an unallocated +DAT block, or the DAT entry will be reused for something different. + +The error can remain undetected for a long time. 
A typical error +message would be one of the "bad btree" errors or a warning that a DAT +entry could not be found. + +This bug can be reproduced reliably by a simple benchmark that creates +and overwrites millions of 4k files. + +Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp +Signed-off-by: Andreas Rohner +Signed-off-by: Ryusuke Konishi +Tested-by: Andreas Rohner +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/segment.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1956,8 +1956,6 @@ static int nilfs_segctor_collect_dirty_f + err, ii->vfs_inode.i_ino); + return err; + } +- mark_buffer_dirty(ibh); +- nilfs_mdt_mark_dirty(ifile); + spin_lock(&nilfs->ns_inode_lock); + if (likely(!ii->i_bh)) + ii->i_bh = ibh; +@@ -1966,6 +1964,10 @@ static int nilfs_segctor_collect_dirty_f + goto retry; + } + ++ // Always redirty the buffer to avoid race condition ++ mark_buffer_dirty(ii->i_bh); ++ nilfs_mdt_mark_dirty(ifile); ++ + clear_bit(NILFS_I_QUEUED, &ii->i_state); + set_bit(NILFS_I_BUSY, &ii->i_state); + list_move_tail(&ii->i_dirty, &sci->sc_dirty_files); diff --git a/queue-4.9/p54-don-t-unregister-leds-when-they-are-not-initialized.patch b/queue-4.9/p54-don-t-unregister-leds-when-they-are-not-initialized.patch new file mode 100644 index 00000000000..ea07637d47e --- /dev/null +++ b/queue-4.9/p54-don-t-unregister-leds-when-they-are-not-initialized.patch 
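Review bot: The added comment `// Always redirty the buffer to avoid race condition` does not say which race, and it uses `//` where kernel C normally uses `/* */`. The commit message has the explanation, and a short form of it belongs next to the code, for example `/* Redirty i_bh: a segment construction between nilfs_dirty_inode() and nilfs_set_file_dirty() may already have written it out. */`. The loop in nilfs_segctor_collect_dirty_files() starts and ends outside the hunk, so whether the two moved calls now run with `ns_inode_lock` held cannot be confirmed here and is worth a look.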
@@ -0,0 +1,80 @@ +From fc09785de0a364427a5df63d703bae9a306ed116 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Tue, 26 Sep 2017 17:11:33 +0200 +Subject: p54: don't unregister leds when they are not initialized + +From: Andrey Konovalov + +commit fc09785de0a364427a5df63d703bae9a306ed116 upstream. + +ieee80211_register_hw() in p54_register_common() may fail and leds won't +get initialized. Currently p54_unregister_common() doesn't check that and +always calls p54_unregister_leds(). The fix is to check priv->registered +flag before calling p54_unregister_leds(). + +Found by syzkaller. + +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted +4.14.0-rc1-42251-gebb2c2437d80-dirty #205 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769 + __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385 + lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002 + flush_work+0xf0/0x8c0 kernel/workqueue.c:2886 + __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961 + cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081 + p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160 + p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856 + p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073 + usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 + __device_release_driver drivers/base/dd.c:861 + device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893 + device_release_driver+0x1e/0x30 drivers/base/dd.c:918 + bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 + device_del+0x5c4/0xab0 drivers/base/core.c:1985 + usb_disable_device+0x1e9/0x680 
drivers/usb/core/message.c:1170 + usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 + hub_port_connect drivers/usb/core/hub.c:4754 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + process_scheduled_works kernel/workqueue.c:2179 + worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Signed-off-by: Andrey Konovalov +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intersil/p54/main.c ++++ b/drivers/net/wireless/intersil/p54/main.c +@@ -852,12 +852,11 @@ void p54_unregister_common(struct ieee80 + { + struct p54_common *priv = dev->priv; + +-#ifdef CONFIG_P54_LEDS +- p54_unregister_leds(priv); +-#endif /* CONFIG_P54_LEDS */ +- + if (priv->registered) { + priv->registered = false; ++#ifdef CONFIG_P54_LEDS ++ p54_unregister_leds(priv); ++#endif /* CONFIG_P54_LEDS */ + ieee80211_unregister_hw(dev); + } + diff --git a/queue-4.9/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch b/queue-4.9/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch new file mode 100644 index 00000000000..ac24c24187a --- /dev/null +++ b/queue-4.9/rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch 
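Review bot: The new guard in p54_unregister_common() uses `priv->registered` as a stand-in for "LEDs were initialised", which holds only if LED setup always follows a successful ieee80211_register_hw(). p54_register_common() is not part of this hunk, so that ordering is an assumption taken from the commit message. A comment at the guard would record it, e.g. `/* LEDs are set up only after ieee80211_register_hw() succeeded */`. If LED initialisation can itself fail after `registered` is set, the delayed work that the trace shows p54_unregister_leds() cancelling may still be uninitialised, so that path deserves a check too.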
@@ -0,0 +1,65 @@ +From bfa62a52cad93686bb8d8171ea5288813248a7c6 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 9 Nov 2017 11:59:24 +0100 +Subject: rt2x00usb: mark device removed when get ENOENT usb error + +From: Stanislaw Gruszka + +commit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream. + +ENOENT usb error mean "specified interface or endpoint does not exist or +is not enabled". Mark device not present when we encounter this error +similar like we do with ENODEV error. + +Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because +we remove and put again RX entries to the queue infinitely. + +We can have similar situation when submit urb will fail all the time +with other error, so we need consider to limit number of entries +processed by rxdone work. But for now, since the patch fixes +reproducible soft lockup issue on single processor systems +and taken ENOENT error meaning, let apply this fix. + +Patch adds additional ENOENT check not only in rx kick routine, but +also on other places where we check for ENODEV error. + +Reported-by: Richard Genoud +Debugged-by: Richard Genoud +Signed-off-by: Stanislaw Gruszka +Tested-by: Richard Genoud +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -57,7 +57,7 @@ int rt2x00usb_vendor_request(struct rt2x + if (status >= 0) + return 0; + +- if (status == -ENODEV) { ++ if (status == -ENODEV || status == -ENOENT) { + /* Device has disappeared. 
*/ + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + break; +@@ -321,7 +321,7 @@ static bool rt2x00usb_kick_tx_entry(stru + + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- if (status == -ENODEV) ++ if (status == -ENODEV || status == -ENOENT) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); + rt2x00lib_dmadone(entry); +@@ -410,7 +410,7 @@ static bool rt2x00usb_kick_rx_entry(stru + + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- if (status == -ENODEV) ++ if (status == -ENODEV || status == -ENOENT) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); + rt2x00lib_dmadone(entry); diff --git a/queue-4.9/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch b/queue-4.9/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch new file mode 100644 index 00000000000..a517bcb3e72 --- /dev/null +++ b/queue-4.9/rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch 
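Review bot: The test `status == -ENODEV || status == -ENOENT` is now written out three times, in rt2x00usb_vendor_request(), rt2x00usb_kick_tx_entry() and rt2x00usb_kick_rx_entry(), so the set of errors that mean "device gone" can drift between them. A small helper keeps it in one place, e.g. `static inline bool rt2x00usb_dev_gone(int status) { return status == -ENODEV || status == -ENOENT; }` (the name is only a suggestion). The existing comment `/* Device has disappeared. */` should also mention the missing or disabled endpoint case it now covers. As the commit message itself says, any other persistent usb_submit_urb() failure can still keep the rxdone work requeueing entries, so a bound on entries processed per run remains open.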
@@ -0,0 +1,37 @@ +From 3f2a162fab15aee243178b5308bb5d1206fc4043 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 6 Nov 2017 14:55:35 +0100 +Subject: rtlwifi: fix uninitialized rtlhal->last_suspend_sec time + +From: Arnd Bergmann + +commit 3f2a162fab15aee243178b5308bb5d1206fc4043 upstream. + +We set rtlhal->last_suspend_sec to an uninitialized stack variable, +but unfortunately gcc never warned about this, I only found it +while working on another patch. I opened a gcc bug for this. + +Presumably the value of rtlhal->last_suspend_sec is not all that +important, but it does get used, so we probably want the +patch backported to stable kernels. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82839 +Signed-off-by: Arnd Bergmann +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1378,6 +1378,7 @@ static void _rtl8821ae_get_wakeup_reason + + ppsc->wakeup_reason = 0; + ++ do_gettimeofday(&ts); + rtlhal->last_suspend_sec = ts.tv_sec; + + switch (fw_reason) { diff --git a/queue-4.9/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch b/queue-4.9/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch new file mode 100644 index 00000000000..0495fa6427e --- /dev/null +++ b/queue-4.9/rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch 
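Review bot: The added `do_gettimeofday(&ts);` fixes the uninitialised read, but it fills a temporary only to copy out the seconds. `ts` is declared outside the hunk, so its `struct timeval` type is inferred from the call. `rtlhal->last_suspend_sec = ktime_get_real_seconds();` would assign the value directly, drop the temporary and avoid a 32-bit `tv_sec` on 32-bit builds. _rtl8821ae_get_wakeup_reason() starts and ends outside the hunk, so how the stored value is consumed cannot be checked from here.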
@@ -0,0 +1,47 @@ +From 519ce2f933fa14acf69d5c8cabcc18711943d629 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Thu, 14 Sep 2017 13:17:44 -0500 +Subject: rtlwifi: rtl8192ee: Fix memory leak when loading firmware + +From: Larry Finger + +commit 519ce2f933fa14acf69d5c8cabcc18711943d629 upstream. + +In routine rtl92ee_set_fw_rsvdpagepkt(), the driver allocates an skb, but +never calls rtl_cmd_send_packet(), which will free the buffer. All other +rtlwifi drivers perform this operation correctly. + +This problem has been in the driver since it was included in the kernel. +Fortunately, each firmware load only leaks 4 buffers, which likely +explains why it has not previously been detected. + +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c +@@ -664,7 +664,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); + struct sk_buff *skb = NULL; +- ++ bool rtstatus; + u32 totalpacketlen; + u8 u1rsvdpageloc[5] = { 0 }; + bool b_dlok = false; +@@ -727,7 +727,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i + memcpy((u8 *)skb_put(skb, totalpacketlen), + &reserved_page_packet, totalpacketlen); + +- b_dlok = true; ++ rtstatus = rtl_cmd_send_packet(hw, skb); ++ if (rtstatus) ++ b_dlok = true; + + if (b_dlok) { + RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD , diff --git a/queue-4.9/series b/queue-4.9/series index 4520eff3a4d..d8b32f0fe25 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
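Review bot: The new local `rtstatus` only carries the result into `b_dlok`, so the three added lines can be `b_dlok = rtl_cmd_send_packet(hw, skb);` and the extra declaration dropped. The commit message states that rtl_cmd_send_packet() frees the buffer. A comment at the call saying that ownership of `skb` passes to it (on failure as well, if that is the case) would stop a later change from adding a second free or reintroducing the leak. The allocation of `skb` sits above the hunk, so whether it is checked for NULL before `skb_put()` cannot be seen here.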
@@ -19,3 +19,45 @@ pci-set-cavium-acs-capability-quirk-flags-to-assert-rr-cr-sv-uf.patch
 alsa-hda-add-raven-pci-id.patch
 dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
 dm-allocate-struct-mapped_device-with-kvzalloc.patch
+mips-pci-remove-kern_warn-instance-inside-the-mt7620-driver.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+mips-fix-odd-fp-register-warnings-with-mips64r2.patch
+mips-dts-remove-bogus-bcm96358nb4ser.dtb-from-dtb-y-entry.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+rt2x00usb-mark-device-removed-when-get-enoent-usb-error.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+libceph-don-t-warn-if-user-tries-to-add-invalid-key.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+isofs-fix-timestamps-beyond-2027.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-fix-ugly-referral-attributes.patch
+nfs-avoid-rcu-usage-in-tracepoints.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+rtlwifi-rtl8192ee-fix-memory-leak-when-loading-firmware.patch
+rtlwifi-fix-uninitialized-rtlhal-last_suspend_sec-time.patch
+ata-fixes-kernel-crash-while-tracing-ata_eh_link_autopsy-event.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+alsa-pcm-update-tstamp-only-if-audio_tstamp-changed.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+alsa-hda-fix-too-short-hdmi-dp-chmap-reporting.patch
+alsa-hda-realtek-fix-alc700-family-no-sound-issue.patch
+mfd-lpc_ich-avoton-rangeley-uses-spi_byt-method.patch
+fix-a-page-leak-in-vhost_scsi_iov_to_sgl-error-recovery.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch
+target-fix-queue_full-scsi-task-attribute-handling.patch
+mtd-nand-omap2-fix-subpage-write.patch
+mtd-nand-fix-writing-mtdoops-to-nand-flash.patch
+mtd-nand-mtk-fix-infinite-ecc-decode-irq-issue.patch
+p54-don-t-unregister-leds-when-they-are-not-initialized.patch
+block-fix-a-race-between-blk_cleanup_queue-and-timeout-handling.patch
+irqchip-gic-v3-fix-ppi-partitions-lookup.patch
+lockd-double-unregister-of-inetaddr-notifiers.patch
diff --git a/queue-4.9/target-fix-queue_full-scsi-task-attribute-handling.patch b/queue-4.9/target-fix-queue_full-scsi-task-attribute-handling.patch
new file mode 100644
index 00000000000..64db33362bd
--- /dev/null
+++ b/queue-4.9/target-fix-queue_full-scsi-task-attribute-handling.patch
@@ -0,0 +1,57 @@ +From 1c79df1f349fb6050016cea4ef1dfbc3853a5685 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 22 Sep 2017 16:48:28 -0700 +Subject: target: Fix QUEUE_FULL + SCSI task attribute handling + +From: Nicholas Bellinger + +commit 1c79df1f349fb6050016cea4ef1dfbc3853a5685 upstream. + +This patch fixes a bug during QUEUE_FULL where transport_complete_qf() +calls transport_complete_task_attr() after it's already been invoked +by target_complete_ok_work() or transport_generic_request_failure() +during initial completion, preceeding QUEUE_FULL. + +This will result in se_device->simple_cmds, se_device->dev_cur_ordered_id +and/or se_device->dev_ordered_sync being updated multiple times for +a single se_cmd. + +To address this bug, clear SCF_TASK_ATTR_SET after the first call +to transport_complete_task_attr(), and avoid updating SCSI task +attribute related counters for any subsequent calls. + +Also, when a se_cmd is deferred due to ordered tags and executed +via target_restart_delayed_cmds(), set CMD_T_SENT before execution +matching what target_execute_cmd() does. + +Cc: Michael Cyr +Cc: Bryant G. Ly +Cc: Mike Christie +Cc: Hannes Reinecke +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1976,6 +1976,8 @@ static void target_restart_delayed_cmds( + list_del(&cmd->se_delayed_node); + spin_unlock(&dev->delayed_cmd_lock); + ++ cmd->transport_state |= CMD_T_SENT; ++ + __target_execute_cmd(cmd, true); + + if (cmd->sam_task_attr == TCM_ORDERED_TAG) +@@ -2013,6 +2015,8 @@ static void transport_complete_task_attr + pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n", + dev->dev_cur_ordered_id); + } ++ cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET; ++ + restart: + target_restart_delayed_cmds(dev); + }
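Review bot: In target_restart_delayed_cmds() the added `cmd->transport_state |= CMD_T_SENT;` is a plain read-modify-write placed after `spin_unlock(&dev->delayed_cmd_lock)`, with no lock held in the visible lines. The commit message says it matches target_execute_cmd(), which is not shown. If that function updates `transport_state` under `cmd->t_state_lock`, the new line should take the same lock or carry a comment saying why no other context can touch the field at this point. The same question applies to `cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET;` in transport_complete_task_attr(). Both functions continue outside their hunks.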