From: Greg Kroah-Hartman Date: Mon, 27 Nov 2017 16:30:02 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.85~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd9cf3fe6d7c582ecb625efc92e517f7c97b8f7d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: clk-ti-dra7-atl-clock-fix-child-node-lookups.patch dax-fix-general-protection-fault-in-dax_alloc_inode.patch dax-fix-pmd-faults-on-zero-length-files.patch ib-cm-fix-memory-corruption-in-handling-cm-request.patch ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch ib-core-only-maintain-real-qps-in-the-security-lists.patch ib-hfi1-fix-incorrect-available-receive-user-context-count.patch ib-srp-avoid-that-a-cable-pull-can-trigger-a-kernel-crash.patch ib-srpt-do-not-accept-invalid-initiator-port-names.patch kvm-nvmx-set-idtr-and-gdtr-limits-when-loading-l1-host-state.patch kvm-ppc-book3s-hv-don-t-call-real-mode-xics-hypercall-handlers-if-not-enabled.patch kvm-svm-obey-guest-pat.patch kvm-vmx-reinstate-support-for-cpus-without-virtual-nmi.patch libnvdimm-dimm-clear-locked-status-on-successful-dimm-enable.patch libnvdimm-namespace-fix-label-initialization-to-use-valid-seq-numbers.patch libnvdimm-namespace-make-resource-attribute-only-readable-by-root.patch libnvdimm-pfn-make-resource-attribute-only-readable-by-root.patch libnvdimm-region-make-resource-attribute-only-readable-by-root.patch nfc-fix-device-allocation-error-return.patch spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch sunrpc-fix-tracepoint-storage-issues-with-svc_recv-and-svc_rqst_status.patch svcrdma-preserve-cb-send-buffer-across-retransmits.patch --- diff --git a/queue-4.14/clk-ti-dra7-atl-clock-fix-child-node-lookups.patch b/queue-4.14/clk-ti-dra7-atl-clock-fix-child-node-lookups.patch new file mode 100644 index 00000000000..8f3d002c648 --- /dev/null +++ b/queue-4.14/clk-ti-dra7-atl-clock-fix-child-node-lookups.patch @@ -0,0 +1,41 @@ +From 33ec6dbc5a02677509d97fe36cd2105753f0f0ea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sat, 11 Nov 2017 17:29:29 +0100 +Subject: clk: ti: dra7-atl-clock: fix child-node lookups + +From: Johan Hovold + +commit 33ec6dbc5a02677509d97fe36cd2105753f0f0ea upstream. + +Fix child node-lookup during probe, which ended up searching the whole +device tree depth-first starting at parent rather than just matching on +its children. + +Note that the original premature free of the parent node has already +been fixed separately, but that fix was apparently never backported to +stable. + +Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)") +Fixes: 660e15519399 ("clk: ti: dra7-atl-clock: Fix of_node reference counting") +Cc: Peter Ujfalusi +Signed-off-by: Johan Hovold +Acked-by: Peter Ujfalusi +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ti/clk-dra7-atl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/clk/ti/clk-dra7-atl.c ++++ b/drivers/clk/ti/clk-dra7-atl.c +@@ -274,8 +274,7 @@ static int of_dra7_atl_clk_probe(struct + + /* Get configuration for the ATL instances */ + snprintf(prop, sizeof(prop), "atl%u", i); +- of_node_get(node); +- cfg_node = of_find_node_by_name(node, prop); ++ cfg_node = of_get_child_by_name(node, prop); + if (cfg_node) { + ret = of_property_read_u32(cfg_node, "bws", + &cdesc->bws); diff --git a/queue-4.14/dax-fix-general-protection-fault-in-dax_alloc_inode.patch b/queue-4.14/dax-fix-general-protection-fault-in-dax_alloc_inode.patch new file mode 100644 index 00000000000..1d7b13f3f1a --- /dev/null +++ b/queue-4.14/dax-fix-general-protection-fault-in-dax_alloc_inode.patch @@ -0,0 +1,48 @@ +From 9f586fff6574f6ecbf323f92d44ffaf0d96225fe Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 14 Nov 2017 09:59:54 -0500 +Subject: dax: fix general protection fault in dax_alloc_inode + +From: Mikulas Patocka + +commit 9f586fff6574f6ecbf323f92d44ffaf0d96225fe upstream. + +Don't crash in case of allocation failure in dax_alloc_inode. + + syzkaller hit the following crash on e4880bc5dfb1 + + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + [..] + RIP: 0010:dax_alloc_inode+0x3b/0x70 drivers/dax/super.c:348 + Call Trace: + alloc_inode+0x65/0x180 fs/inode.c:208 + new_inode_pseudo+0x69/0x190 fs/inode.c:890 + new_inode+0x1c/0x40 fs/inode.c:919 + mount_pseudo_xattr+0x288/0x560 fs/libfs.c:261 + mount_pseudo include/linux/fs.h:2137 [inline] + dax_mount+0x2e/0x40 drivers/dax/super.c:388 + mount_fs+0x66/0x2d0 fs/super.c:1223 + +Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider...") +Reported-by: syzbot +Signed-off-by: Mikulas Patocka +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dax/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/dax/super.c ++++ b/drivers/dax/super.c +@@ -344,6 +344,9 @@ static struct inode *dax_alloc_inode(str + struct inode *inode; + + dax_dev = kmem_cache_alloc(dax_cache, GFP_KERNEL); ++ if (!dax_dev) ++ return NULL; ++ + inode = &dax_dev->inode; + inode->i_rdev = 0; + return inode; diff --git a/queue-4.14/dax-fix-pmd-faults-on-zero-length-files.patch b/queue-4.14/dax-fix-pmd-faults-on-zero-length-files.patch new file mode 100644 index 00000000000..20ed2c56a36 --- /dev/null +++ b/queue-4.14/dax-fix-pmd-faults-on-zero-length-files.patch @@ -0,0 +1,64 @@ +From 957ac8c421ad8b5eef9b17fe98e146d8311a541e Mon Sep 17 00:00:00 2001 +From: Jeff Moyer +Date: Tue, 14 Nov 2017 20:37:27 -0500 +Subject: dax: fix PMD faults on zero-length files + +From: Jeff Moyer + +commit 957ac8c421ad8b5eef9b17fe98e146d8311a541e upstream. + +PMD faults on a zero length file on a file system mounted with -o dax +will not generate SIGBUS as expected. + + fd = open(...O_TRUNC); + addr = mmap(NULL, 2*1024*1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + *addr = 'a'; + + +The problem is this code in dax_iomap_pmd_fault: + + max_pgoff = (i_size_read(inode) - 1) >> PAGE_SHIFT; + +If the inode size is zero, we end up with a max_pgoff that is way larger +than 0. :) Fix it by using DIV_ROUND_UP, as is done elsewhere in the +kernel. + +I tested this with some simple test code that ensured that SIGBUS was +received where expected. + +Fixes: 642261ac995e ("dax: add struct iomap based DAX PMD support") +Signed-off-by: Jeff Moyer +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dax.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1327,7 +1327,7 @@ static int dax_iomap_pmd_fault(struct vm + * this is a reliable test. + */ + pgoff = linear_page_index(vma, pmd_addr); +- max_pgoff = (i_size_read(inode) - 1) >> PAGE_SHIFT; ++ max_pgoff = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); + + trace_dax_pmd_fault(inode, vmf, max_pgoff, 0); + +@@ -1351,13 +1351,13 @@ static int dax_iomap_pmd_fault(struct vm + if ((pmd_addr + PMD_SIZE) > vma->vm_end) + goto fallback; + +- if (pgoff > max_pgoff) { ++ if (pgoff >= max_pgoff) { + result = VM_FAULT_SIGBUS; + goto out; + } + + /* If the PMD would extend beyond the file size */ +- if ((pgoff | PG_PMD_COLOUR) > max_pgoff) ++ if ((pgoff | PG_PMD_COLOUR) >= max_pgoff) + goto fallback; + + /* diff --git a/queue-4.14/ib-cm-fix-memory-corruption-in-handling-cm-request.patch b/queue-4.14/ib-cm-fix-memory-corruption-in-handling-cm-request.patch new file mode 100644 index 00000000000..f7481f0c78b --- /dev/null +++ b/queue-4.14/ib-cm-fix-memory-corruption-in-handling-cm-request.patch @@ -0,0 +1,74 @@ +From 5a3dc32372439eb9a0d6027c54cbfff64803fce5 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Thu, 19 Oct 2017 08:40:30 +0300 +Subject: IB/cm: Fix memory corruption in handling CM request + +From: Parav Pandit + +commit 5a3dc32372439eb9a0d6027c54cbfff64803fce5 upstream. + +In recent code, two path record entries are alwasy cleared while +allocated could be either one or two path record entries. +This leads to zero out of unallocated memory. + +This fix initializes alternative path record only when alternative path +is set. + +While we are at it, path record allocation doesn't check for OPA +alternative path, but rest of the code checks for OPA alternative path. +Path record allocation code doesn't check for OPA alternative LID. +This can further lead to memory corruption when only one path record is +allocated, but there is actually alternative OPA path record present in CM +request. + +Fixes: 9fdca4da4d8c ("IB/SA: Split struct sa_path_rec based on IB and ROCE specific fields") +Signed-off-by: Parav Pandit +Reviewed-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cm.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -1575,7 +1575,7 @@ static void cm_format_req_event(struct c + param->bth_pkey = cm_get_bth_pkey(work); + param->port = cm_id_priv->av.port->port_num; + param->primary_path = &work->path[0]; +- if (req_msg->alt_local_lid) ++ if (cm_req_has_alt_path(req_msg)) + param->alternate_path = &work->path[1]; + else + param->alternate_path = NULL; +@@ -1856,7 +1856,8 @@ static int cm_req_handler(struct cm_work + cm_process_routed_req(req_msg, work->mad_recv_wc->wc); + + memset(&work->path[0], 0, sizeof(work->path[0])); +- memset(&work->path[1], 0, sizeof(work->path[1])); ++ if (cm_req_has_alt_path(req_msg)) ++ memset(&work->path[1], 0, sizeof(work->path[1])); + grh = rdma_ah_read_grh(&cm_id_priv->av.ah_attr); + ret = ib_get_cached_gid(work->port->cm_dev->ib_device, + work->port->port_num, +@@ -3817,14 +3818,16 @@ static void cm_recv_handler(struct ib_ma + struct cm_port *port = mad_agent->context; + struct cm_work *work; + enum ib_cm_event_type event; ++ bool alt_path = false; + u16 attr_id; + int paths = 0; + int going_down = 0; + + switch (mad_recv_wc->recv_buf.mad->mad_hdr.attr_id) { + case CM_REQ_ATTR_ID: +- paths = 1 + (((struct cm_req_msg *) mad_recv_wc->recv_buf.mad)-> +- alt_local_lid != 0); ++ alt_path = cm_req_has_alt_path((struct cm_req_msg *) ++ mad_recv_wc->recv_buf.mad); ++ paths = 1 + (alt_path != 0); + event = IB_CM_REQ_RECEIVED; + break; + case CM_MRA_ATTR_ID: diff --git a/queue-4.14/ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch b/queue-4.14/ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch new file mode 100644 index 00000000000..cd00aaf1694 --- /dev/null +++ b/queue-4.14/ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch @@ -0,0 +1,85 @@ +From 89548bcafec7ecfeea58c553f0834b5d575a66eb Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Tue, 31 Oct 2017 10:33:18 -0500 +Subject: IB/core: Avoid crash on pkey enforcement failed in received MADs + +From: Parav Pandit + +commit 89548bcafec7ecfeea58c553f0834b5d575a66eb upstream. + +Below kernel crash is observed when Pkey security enforcement fails on +received MADs. This issue is reported in [1]. + +ib_free_recv_mad() accesses the rmpp_list, whose initialization is +needed before accessing it. +When security enformcent fails on received MADs, MAD processing avoided +due to security checks failed. + +OpenSM[3770]: SM port is down +kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +kernel: IP: ib_free_recv_mad+0x44/0xa0 [ib_core] +kernel: PGD 0 +kernel: P4D 0 +kernel: +kernel: Oops: 0002 [#1] SMP +kernel: CPU: 0 PID: 2833 Comm: kworker/0:1H Tainted: P IO 4.13.4-1-pve #1 +kernel: Hardware name: Dell XS23-TY3 /9CMP63, BIOS 1.71 09/17/2013 +kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] +kernel: task: ffffa069c6541600 task.stack: ffffb9a729054000 +kernel: RIP: 0010:ib_free_recv_mad+0x44/0xa0 [ib_core] +kernel: RSP: 0018:ffffb9a729057d38 EFLAGS: 00010286 +kernel: RAX: ffffa069cb138a48 RBX: ffffa069cb138a10 RCX: 0000000000000000 +kernel: RDX: ffffb9a729057d38 RSI: 0000000000000000 RDI: ffffa069cb138a20 +kernel: RBP: ffffb9a729057d60 R08: ffffa072d2d49800 R09: ffffa069cb138ae0 +kernel: R10: ffffa069cb138ae0 R11: ffffa072b3994e00 R12: ffffb9a729057d38 +kernel: R13: ffffa069d1c90000 R14: 0000000000000000 R15: ffffa069d1c90880 +kernel: FS: 0000000000000000(0000) GS:ffffa069dba00000(0000) knlGS:0000000000000000 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: 0000000000000008 CR3: 00000011f51f2000 CR4: 00000000000006f0 +kernel: Call Trace: +kernel: ib_mad_recv_done+0x5cc/0xb50 [ib_core] +kernel: __ib_process_cq+0x5c/0xb0 [ib_core] +kernel: ib_cq_poll_work+0x20/0x60 [ib_core] +kernel: process_one_work+0x1e9/0x410 +kernel: worker_thread+0x4b/0x410 +kernel: kthread+0x109/0x140 +kernel: ? process_one_work+0x410/0x410 +kernel: ? kthread_create_on_node+0x70/0x70 +kernel: ? SyS_exit_group+0x14/0x20 +kernel: ret_from_fork+0x25/0x30 +kernel: RIP: ib_free_recv_mad+0x44/0xa0 [ib_core] RSP: ffffb9a729057d38 +kernel: CR2: 0000000000000008 + +[1] : https://www.spinics.net/lists/linux-rdma/msg56190.html + +Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams") +Signed-off-by: Parav Pandit +Reported-by: Chris Blake +Reviewed-by: Daniel Jurgens +Reviewed-by: Hal Rosenstock +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/mad.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct + unsigned long flags; + int ret; + ++ INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); + ret = ib_mad_enforce_security(mad_agent_priv, + mad_recv_wc->wc->pkey_index); + if (ret) { + ib_free_recv_mad(mad_recv_wc); + deref_mad_agent(mad_agent_priv); ++ return; + } + +- INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); + list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list); + if (ib_mad_kernel_rmpp_agent(&mad_agent_priv->agent)) { + mad_recv_wc = ib_process_rmpp_recv_wc(mad_agent_priv, diff --git a/queue-4.14/ib-core-only-maintain-real-qps-in-the-security-lists.patch b/queue-4.14/ib-core-only-maintain-real-qps-in-the-security-lists.patch new file mode 100644 index 00000000000..c8e8ed1e983 --- /dev/null +++ b/queue-4.14/ib-core-only-maintain-real-qps-in-the-security-lists.patch @@ -0,0 +1,125 @@ +From 877add28178a7fa3c68f29c450d050a8e6513f08 Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Tue, 7 Nov 2017 18:33:26 +0200 +Subject: IB/core: Only maintain real QPs in the security lists + +From: Daniel Jurgens + +commit 877add28178a7fa3c68f29c450d050a8e6513f08 upstream. + +When modify QP is called on a shared QP update the security context for +the real QP. When security is subsequently enforced the shared QP +handles will be checked as well. + +Without this change shared QP handles get added to the port/pkey lists, +which is a bug, because not all shared QP handles will be checked for +access. Also the shared QP security context wouldn't get removed from +the port/pkey lists causing access to free memory and list corruption +when they are destroyed. + +Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs") +Signed-off-by: Daniel Jurgens +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 51 ++++++++++++++++++++----------------- + 1 file changed, 28 insertions(+), 23 deletions(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -87,16 +87,14 @@ static int enforce_qp_pkey_security(u16 + if (ret) + return ret; + +- if (qp_sec->qp == qp_sec->qp->real_qp) { +- list_for_each_entry(shared_qp_sec, +- &qp_sec->shared_qp_list, +- shared_qp_list) { +- ret = security_ib_pkey_access(shared_qp_sec->security, +- subnet_prefix, +- pkey); +- if (ret) +- return ret; +- } ++ list_for_each_entry(shared_qp_sec, ++ &qp_sec->shared_qp_list, ++ shared_qp_list) { ++ ret = security_ib_pkey_access(shared_qp_sec->security, ++ subnet_prefix, ++ pkey); ++ if (ret) ++ return ret; + } + return 0; + } +@@ -560,15 +558,22 @@ int ib_security_modify_qp(struct ib_qp * + int ret = 0; + struct ib_ports_pkeys *tmp_pps; + struct ib_ports_pkeys *new_pps; +- bool special_qp = (qp->qp_type == IB_QPT_SMI || +- qp->qp_type == IB_QPT_GSI || +- qp->qp_type >= IB_QPT_RESERVED1); ++ struct ib_qp *real_qp = qp->real_qp; ++ bool special_qp = (real_qp->qp_type == IB_QPT_SMI || ++ real_qp->qp_type == IB_QPT_GSI || ++ real_qp->qp_type >= IB_QPT_RESERVED1); + bool pps_change = ((qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) || + (qp_attr_mask & IB_QP_ALT_PATH)); + ++ /* The port/pkey settings are maintained only for the real QP. Open ++ * handles on the real QP will be in the shared_qp_list. When ++ * enforcing security on the real QP all the shared QPs will be ++ * checked as well. ++ */ ++ + if (pps_change && !special_qp) { +- mutex_lock(&qp->qp_sec->mutex); +- new_pps = get_new_pps(qp, ++ mutex_lock(&real_qp->qp_sec->mutex); ++ new_pps = get_new_pps(real_qp, + qp_attr, + qp_attr_mask); + +@@ -586,14 +591,14 @@ int ib_security_modify_qp(struct ib_qp * + + if (!ret) + ret = check_qp_port_pkey_settings(new_pps, +- qp->qp_sec); ++ real_qp->qp_sec); + } + + if (!ret) +- ret = qp->device->modify_qp(qp->real_qp, +- qp_attr, +- qp_attr_mask, +- udata); ++ ret = real_qp->device->modify_qp(real_qp, ++ qp_attr, ++ qp_attr_mask, ++ udata); + + if (pps_change && !special_qp) { + /* Clean up the lists and free the appropriate +@@ -602,8 +607,8 @@ int ib_security_modify_qp(struct ib_qp * + if (ret) { + tmp_pps = new_pps; + } else { +- tmp_pps = qp->qp_sec->ports_pkeys; +- qp->qp_sec->ports_pkeys = new_pps; ++ tmp_pps = real_qp->qp_sec->ports_pkeys; ++ real_qp->qp_sec->ports_pkeys = new_pps; + } + + if (tmp_pps) { +@@ -611,7 +616,7 @@ int ib_security_modify_qp(struct ib_qp * + port_pkey_list_remove(&tmp_pps->alt); + } + kfree(tmp_pps); +- mutex_unlock(&qp->qp_sec->mutex); ++ mutex_unlock(&real_qp->qp_sec->mutex); + } + return ret; + } diff --git a/queue-4.14/ib-hfi1-fix-incorrect-available-receive-user-context-count.patch b/queue-4.14/ib-hfi1-fix-incorrect-available-receive-user-context-count.patch new file mode 100644 index 00000000000..a1ac1f307ed --- /dev/null +++ b/queue-4.14/ib-hfi1-fix-incorrect-available-receive-user-context-count.patch @@ -0,0 +1,194 @@ +From d7d626179fb283aba73699071af0df6d00e32138 Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Mon, 2 Oct 2017 11:04:19 -0700 +Subject: IB/hfi1: Fix incorrect available receive user context count + +From: Michael J. Ruhl + +commit d7d626179fb283aba73699071af0df6d00e32138 upstream. + +The addition of the VNIC contexts to num_rcv_contexts changes the +meaning of the sysfs value nctxts from available user contexts, to +user contexts + reserved VNIC contexts. + +User applications that use nctxts are now broken. + +Update the calculation so that VNIC contexts are used only if there are +hardware contexts available, and do not silently affect nctxts. + +Update code to use the calculated VNIC context number. + +Update the sysfs value nctxts to be available user contexts only. + +Fixes: 2280740f01ae ("IB/hfi1: Virtual Network Interface Controller (VNIC) HW support") +Reviewed-by: Ira Weiny +Reviewed-by: Niranjana Vishwanathapura +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/chip.c | 35 +++++++++++++++++++-------------- + drivers/infiniband/hw/hfi1/hfi.h | 2 + + drivers/infiniband/hw/hfi1/sysfs.c | 2 - + drivers/infiniband/hw/hfi1/vnic_main.c | 7 ++++-- + 4 files changed, 29 insertions(+), 17 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -13074,7 +13074,7 @@ static int request_msix_irqs(struct hfi1 + first_sdma = last_general; + last_sdma = first_sdma + dd->num_sdma; + first_rx = last_sdma; +- last_rx = first_rx + dd->n_krcv_queues + HFI1_NUM_VNIC_CTXT; ++ last_rx = first_rx + dd->n_krcv_queues + dd->num_vnic_contexts; + + /* VNIC MSIx interrupts get mapped when VNIC contexts are created */ + dd->first_dyn_msix_idx = first_rx + dd->n_krcv_queues; +@@ -13294,8 +13294,9 @@ static int set_up_interrupts(struct hfi1 + * slow source, SDMACleanupDone) + * N interrupts - one per used SDMA engine + * M interrupt - one per kernel receive context ++ * V interrupt - one for each VNIC context + */ +- total = 1 + dd->num_sdma + dd->n_krcv_queues + HFI1_NUM_VNIC_CTXT; ++ total = 1 + dd->num_sdma + dd->n_krcv_queues + dd->num_vnic_contexts; + + /* ask for MSI-X interrupts */ + request = request_msix(dd, total); +@@ -13356,10 +13357,12 @@ fail: + * in array of contexts + * freectxts - number of free user contexts + * num_send_contexts - number of PIO send contexts being used ++ * num_vnic_contexts - number of contexts reserved for VNIC + */ + static int set_up_context_variables(struct hfi1_devdata *dd) + { + unsigned long num_kernel_contexts; ++ u16 num_vnic_contexts = HFI1_NUM_VNIC_CTXT; + int total_contexts; + int ret; + unsigned ngroups; +@@ -13393,6 +13396,14 @@ static int set_up_context_variables(stru + num_kernel_contexts); + num_kernel_contexts = dd->chip_send_contexts - num_vls - 1; + } ++ ++ /* Accommodate VNIC contexts if possible */ ++ if ((num_kernel_contexts + num_vnic_contexts) > dd->chip_rcv_contexts) { ++ dd_dev_err(dd, "No receive contexts available for VNIC\n"); ++ num_vnic_contexts = 0; ++ } ++ total_contexts = num_kernel_contexts + num_vnic_contexts; ++ + /* + * User contexts: + * - default to 1 user context per real (non-HT) CPU core if +@@ -13402,19 +13413,16 @@ static int set_up_context_variables(stru + num_user_contexts = + cpumask_weight(&node_affinity.real_cpu_mask); + +- total_contexts = num_kernel_contexts + num_user_contexts; +- + /* + * Adjust the counts given a global max. + */ +- if (total_contexts > dd->chip_rcv_contexts) { ++ if (total_contexts + num_user_contexts > dd->chip_rcv_contexts) { + dd_dev_err(dd, + "Reducing # user receive contexts to: %d, from %d\n", +- (int)(dd->chip_rcv_contexts - num_kernel_contexts), ++ (int)(dd->chip_rcv_contexts - total_contexts), + (int)num_user_contexts); +- num_user_contexts = dd->chip_rcv_contexts - num_kernel_contexts; + /* recalculate */ +- total_contexts = num_kernel_contexts + num_user_contexts; ++ num_user_contexts = dd->chip_rcv_contexts - total_contexts; + } + + /* each user context requires an entry in the RMT */ +@@ -13427,25 +13435,24 @@ static int set_up_context_variables(stru + user_rmt_reduced); + /* recalculate */ + num_user_contexts = user_rmt_reduced; +- total_contexts = num_kernel_contexts + num_user_contexts; + } + +- /* Accommodate VNIC contexts */ +- if ((total_contexts + HFI1_NUM_VNIC_CTXT) <= dd->chip_rcv_contexts) +- total_contexts += HFI1_NUM_VNIC_CTXT; ++ total_contexts += num_user_contexts; + + /* the first N are kernel contexts, the rest are user/vnic contexts */ + dd->num_rcv_contexts = total_contexts; + dd->n_krcv_queues = num_kernel_contexts; + dd->first_dyn_alloc_ctxt = num_kernel_contexts; ++ dd->num_vnic_contexts = num_vnic_contexts; + dd->num_user_contexts = num_user_contexts; + dd->freectxts = num_user_contexts; + dd_dev_info(dd, +- "rcv contexts: chip %d, used %d (kernel %d, user %d)\n", ++ "rcv contexts: chip %d, used %d (kernel %d, vnic %u, user %u)\n", + (int)dd->chip_rcv_contexts, + (int)dd->num_rcv_contexts, + (int)dd->n_krcv_queues, +- (int)dd->num_rcv_contexts - dd->n_krcv_queues); ++ dd->num_vnic_contexts, ++ dd->num_user_contexts); + + /* + * Receive array allocation: +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1047,6 +1047,8 @@ struct hfi1_devdata { + u64 z_send_schedule; + + u64 __percpu *send_schedule; ++ /* number of reserved contexts for VNIC usage */ ++ u16 num_vnic_contexts; + /* number of receive contexts in use by the driver */ + u32 num_rcv_contexts; + /* number of pio send contexts in use by the driver */ +--- a/drivers/infiniband/hw/hfi1/sysfs.c ++++ b/drivers/infiniband/hw/hfi1/sysfs.c +@@ -543,7 +543,7 @@ static ssize_t show_nctxts(struct device + * give a more accurate picture of total contexts available. + */ + return scnprintf(buf, PAGE_SIZE, "%u\n", +- min(dd->num_rcv_contexts - dd->first_dyn_alloc_ctxt, ++ min(dd->num_user_contexts, + (u32)dd->sc_sizes[SC_USER].count)); + } + +--- a/drivers/infiniband/hw/hfi1/vnic_main.c ++++ b/drivers/infiniband/hw/hfi1/vnic_main.c +@@ -840,6 +840,9 @@ struct net_device *hfi1_vnic_alloc_rn(st + struct rdma_netdev *rn; + int i, size, rc; + ++ if (!dd->num_vnic_contexts) ++ return ERR_PTR(-ENOMEM); ++ + if (!port_num || (port_num > dd->num_pports)) + return ERR_PTR(-EINVAL); + +@@ -848,7 +851,7 @@ struct net_device *hfi1_vnic_alloc_rn(st + + size = sizeof(struct opa_vnic_rdma_netdev) + sizeof(*vinfo); + netdev = alloc_netdev_mqs(size, name, name_assign_type, setup, +- dd->chip_sdma_engines, HFI1_NUM_VNIC_CTXT); ++ dd->chip_sdma_engines, dd->num_vnic_contexts); + if (!netdev) + return ERR_PTR(-ENOMEM); + +@@ -856,7 +859,7 @@ struct net_device *hfi1_vnic_alloc_rn(st + vinfo = opa_vnic_dev_priv(netdev); + vinfo->dd = dd; + vinfo->num_tx_q = dd->chip_sdma_engines; +- vinfo->num_rx_q = HFI1_NUM_VNIC_CTXT; ++ vinfo->num_rx_q = dd->num_vnic_contexts; + vinfo->netdev = netdev; + rn->free_rdma_netdev = hfi1_vnic_free_rn; + rn->set_id = hfi1_vnic_set_vesw_id; diff --git a/queue-4.14/ib-srp-avoid-that-a-cable-pull-can-trigger-a-kernel-crash.patch b/queue-4.14/ib-srp-avoid-that-a-cable-pull-can-trigger-a-kernel-crash.patch new file mode 100644 index 00000000000..b55df116bac --- /dev/null +++ b/queue-4.14/ib-srp-avoid-that-a-cable-pull-can-trigger-a-kernel-crash.patch @@ -0,0 +1,84 @@ +From 8a0d18c62121d3c554a83eb96e2752861d84d937 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 11 Oct 2017 10:27:26 -0700 +Subject: IB/srp: Avoid that a cable pull can trigger a kernel crash + +From: Bart Van Assche + +commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. + +This patch fixes the following kernel crash: + +general protection fault: 0000 [#1] PREEMPT SMP +Workqueue: ib_mad2 timeout_sends [ib_core] +Call Trace: + ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] + send_handler+0xb2/0xd0 [ib_core] + timeout_sends+0x14d/0x220 [ib_core] + process_one_work+0x200/0x630 + worker_thread+0x4e/0x3b0 + kthread+0x113/0x150 + +Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") +Signed-off-by: Bart Van Assche +Reviewed-by: Sagi Grimberg +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -665,12 +665,19 @@ static void srp_path_rec_completion(int + static int srp_lookup_path(struct srp_rdma_ch *ch) + { + struct srp_target_port *target = ch->target; +- int ret; ++ int ret = -ENODEV; + + ch->path.numb_path = 1; + + init_completion(&ch->done); + ++ /* ++ * Avoid that the SCSI host can be removed by srp_remove_target() ++ * before srp_path_rec_completion() is called. ++ */ ++ if (!scsi_host_get(target->scsi_host)) ++ goto out; ++ + ch->path_query_id = ib_sa_path_rec_get(&srp_sa_client, + target->srp_host->srp_dev->dev, + target->srp_host->port, +@@ -684,18 +691,24 @@ static int srp_lookup_path(struct srp_rd + GFP_KERNEL, + srp_path_rec_completion, + ch, &ch->path_query); +- if (ch->path_query_id < 0) +- return ch->path_query_id; ++ ret = ch->path_query_id; ++ if (ret < 0) ++ goto put; + + ret = wait_for_completion_interruptible(&ch->done); + if (ret < 0) +- return ret; ++ goto put; + +- if (ch->status < 0) ++ ret = ch->status; ++ if (ret < 0) + shost_printk(KERN_WARNING, target->scsi_host, + PFX "Path record query failed\n"); + +- return ch->status; ++put: ++ scsi_host_put(target->scsi_host); ++ ++out: ++ return ret; + } + + static int srp_send_req(struct srp_rdma_ch *ch, bool multich) diff --git a/queue-4.14/ib-srpt-do-not-accept-invalid-initiator-port-names.patch b/queue-4.14/ib-srpt-do-not-accept-invalid-initiator-port-names.patch new file mode 100644 index 00000000000..0c6bed582a7 --- /dev/null +++ b/queue-4.14/ib-srpt-do-not-accept-invalid-initiator-port-names.patch @@ -0,0 +1,46 @@ +From c70ca38960399a63d5c048b7b700612ea321d17e Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 11 Oct 2017 10:27:22 -0700 +Subject: IB/srpt: Do not accept invalid initiator port names + +From: Bart Van Assche + +commit c70ca38960399a63d5c048b7b700612ea321d17e upstream. + +Make srpt_parse_i_port_id() return a negative value if hex2bin() +fails. + +Fixes: commit a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") +Signed-off-by: Bart Van Assche +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2777,7 +2777,7 @@ static int srpt_parse_i_port_id(u8 i_por + { + const char *p; + unsigned len, count, leading_zero_bytes; +- int ret, rc; ++ int ret; + + p = name; + if (strncasecmp(p, "0x", 2) == 0) +@@ -2789,10 +2789,9 @@ static int srpt_parse_i_port_id(u8 i_por + count = min(len / 2, 16U); + leading_zero_bytes = 16 - count; + memset(i_port_id, 0, leading_zero_bytes); +- rc = hex2bin(i_port_id + leading_zero_bytes, p, count); +- if (rc < 0) +- pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc); +- ret = 0; ++ ret = hex2bin(i_port_id + leading_zero_bytes, p, count); ++ if (ret < 0) ++ pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret); + out: + return ret; + } diff --git a/queue-4.14/kvm-nvmx-set-idtr-and-gdtr-limits-when-loading-l1-host-state.patch b/queue-4.14/kvm-nvmx-set-idtr-and-gdtr-limits-when-loading-l1-host-state.patch new file mode 100644 index 00000000000..2d63be671c2 --- /dev/null +++ b/queue-4.14/kvm-nvmx-set-idtr-and-gdtr-limits-when-loading-l1-host-state.patch @@ -0,0 +1,32 @@ +From 21f2d551183847bc7fbe8d866151d00cdad18752 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 11 Oct 2017 16:54:42 +0200 +Subject: KVM: nVMX: set IDTR and GDTR limits when loading L1 host state + +From: Ladi Prosek + +commit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream. + +Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers: + +"The GDTR and IDTR limits are each set to FFFFH." + +Signed-off-by: Ladi Prosek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -11325,6 +11325,8 @@ static void load_vmcs12_host_state(struc + vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); + vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); + vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); ++ vmcs_write32(GUEST_IDTR_LIMIT, 0xFFFF); ++ vmcs_write32(GUEST_GDTR_LIMIT, 0xFFFF); + + /* If not VM_EXIT_CLEAR_BNDCFGS, the L2 value propagates to L1. */ + if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS) diff --git a/queue-4.14/kvm-ppc-book3s-hv-don-t-call-real-mode-xics-hypercall-handlers-if-not-enabled.patch b/queue-4.14/kvm-ppc-book3s-hv-don-t-call-real-mode-xics-hypercall-handlers-if-not-enabled.patch new file mode 100644 index 00000000000..58f47ef0dcb --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-hv-don-t-call-real-mode-xics-hypercall-handlers-if-not-enabled.patch @@ -0,0 +1,89 @@ +From 00bb6ae5006205e041ce9784c819460562351d47 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Thu, 26 Oct 2017 17:00:22 +1100 +Subject: KVM: PPC: Book3S HV: Don't call real-mode XICS hypercall handlers if not enabled + +From: Paul Mackerras + +commit 00bb6ae5006205e041ce9784c819460562351d47 upstream. + +When running a guest on a POWER9 system with the in-kernel XICS +emulation disabled (for example by running QEMU with the parameter +"-machine pseries,kernel_irqchip=off"), the kernel does not pass +the XICS-related hypercalls such as H_CPPR up to userspace for +emulation there as it should. + +The reason for this is that the real-mode handlers for these +hypercalls don't check whether a XICS device has been instantiated +before calling the xics-on-xive code. That code doesn't check +either, leading to potential NULL pointer dereferences because +vcpu->arch.xive_vcpu is NULL. Those dereferences won't cause an +exception in real mode but will lead to kernel memory corruption. + +This fixes it by adding kvmppc_xics_enabled() checks before calling +the XICS functions. + +Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the XIVE interrupt controller") +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv_builtin.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/powerpc/kvm/book3s_hv_builtin.c ++++ b/arch/powerpc/kvm/book3s_hv_builtin.c +@@ -529,6 +529,8 @@ static inline bool is_rm(void) + + unsigned long kvmppc_rm_h_xirr(struct kvm_vcpu *vcpu) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + if (xive_enabled()) { + if (is_rm()) + return xive_rm_h_xirr(vcpu); +@@ -541,6 +543,8 @@ unsigned long kvmppc_rm_h_xirr(struct kv + + unsigned long kvmppc_rm_h_xirr_x(struct kvm_vcpu *vcpu) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + vcpu->arch.gpr[5] = get_tb(); + if (xive_enabled()) { + if (is_rm()) +@@ -554,6 +558,8 @@ unsigned long kvmppc_rm_h_xirr_x(struct + + unsigned long kvmppc_rm_h_ipoll(struct kvm_vcpu *vcpu, unsigned long server) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + if (xive_enabled()) { + if (is_rm()) + return xive_rm_h_ipoll(vcpu, server); +@@ -567,6 +573,8 @@ unsigned long kvmppc_rm_h_ipoll(struct k + int kvmppc_rm_h_ipi(struct kvm_vcpu *vcpu, unsigned long server, + unsigned long mfrr) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + if (xive_enabled()) { + if (is_rm()) + return xive_rm_h_ipi(vcpu, server, mfrr); +@@ -579,6 +587,8 @@ int kvmppc_rm_h_ipi(struct kvm_vcpu *vcp + + int kvmppc_rm_h_cppr(struct kvm_vcpu *vcpu, unsigned long cppr) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + if (xive_enabled()) { + if (is_rm()) + return xive_rm_h_cppr(vcpu, cppr); +@@ -591,6 +601,8 @@ int kvmppc_rm_h_cppr(struct kvm_vcpu *vc + + int kvmppc_rm_h_eoi(struct kvm_vcpu *vcpu, unsigned long xirr) + { ++ if (!kvmppc_xics_enabled(vcpu)) ++ return H_TOO_HARD; + if (xive_enabled()) { + if (is_rm()) + return xive_rm_h_eoi(vcpu, xirr); diff --git a/queue-4.14/kvm-svm-obey-guest-pat.patch b/queue-4.14/kvm-svm-obey-guest-pat.patch new file mode 100644 index 00000000000..ff1f69957f5 --- /dev/null +++ b/queue-4.14/kvm-svm-obey-guest-pat.patch @@ -0,0 +1,54 @@ +From 15038e14724799b8c205beb5f20f9e54896013c3 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 26 Oct 2017 09:13:27 +0200 +Subject: KVM: SVM: obey guest PAT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 15038e14724799b8c205beb5f20f9e54896013c3 upstream. + +For many years some users of assigned devices have reported worse +performance on AMD processors with NPT than on AMD without NPT, +Intel or bare metal. + +The reason turned out to be that SVM is discarding the guest PAT +setting and uses the default (PA0=PA4=WB, PA1=PA5=WT, PA2=PA6=UC-, +PA3=UC). The guest might be using a different setting, and +especially might want write combining but isn't getting it +(instead getting slow UC or UC- accesses). + +Thanks a lot to geoff@hostfission.com for noticing the relation +to the g_pat setting. The patch has been tested also by a bunch +of people on VFIO users forums. + +Fixes: 709ddebf81cb40e3c36c6109a7892e8b93a09464 +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196409 +Signed-off-by: Paolo Bonzini +Reviewed-by: David Hildenbrand +Tested-by: Nick Sarnie +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3657,6 +3657,13 @@ static int svm_set_msr(struct kvm_vcpu * + u32 ecx = msr->index; + u64 data = msr->data; + switch (ecx) { ++ case MSR_IA32_CR_PAT: ++ if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) ++ return 1; ++ vcpu->arch.pat = data; ++ svm->vmcb->save.g_pat = data; ++ mark_dirty(svm->vmcb, VMCB_NPT); ++ break; + case MSR_IA32_TSC: + kvm_write_tsc(vcpu, msr); + break; diff --git a/queue-4.14/kvm-vmx-reinstate-support-for-cpus-without-virtual-nmi.patch b/queue-4.14/kvm-vmx-reinstate-support-for-cpus-without-virtual-nmi.patch new file mode 100644 index 00000000000..57ed04c9f66 --- /dev/null +++ b/queue-4.14/kvm-vmx-reinstate-support-for-cpus-without-virtual-nmi.patch @@ -0,0 +1,296 @@ +From 8a1b43922d0d1279e7936ba85c4c2a870403c95f Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 6 Nov 2017 13:31:12 +0100 +Subject: kvm: vmx: Reinstate support for CPUs without virtual NMI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 8a1b43922d0d1279e7936ba85c4c2a870403c95f upstream. + +This is more or less a revert of commit 2c82878b0cb3 ("KVM: VMX: require +virtual NMI support", 2017-03-27); it turns out that Core 2 Duo machines +only had virtual NMIs in some SKUs. + +The revert is not trivial because in the meanwhile there have been several +fixes to nested NMI injection. Therefore, the entire vNMI state is moved +to struct loaded_vmcs. + +Another change compared to before the patch is a simplification here: + + if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked && + !(is_guest_mode(vcpu) && nested_cpu_has_virtual_nmis( + get_vmcs12(vcpu))))) { + +The final condition here is always true (because nested_cpu_has_virtual_nmis +is always false) and is removed. + +Fixes: 2c82878b0cb38fd516fd612c67852a6bbf282003 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1490803 +Signed-off-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 150 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 106 insertions(+), 44 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -202,6 +202,10 @@ struct loaded_vmcs { + bool nmi_known_unmasked; + unsigned long vmcs_host_cr3; /* May not match real cr3 */ + unsigned long vmcs_host_cr4; /* May not match real cr4 */ ++ /* Support for vnmi-less CPUs */ ++ int soft_vnmi_blocked; ++ ktime_t entry_time; ++ s64 vnmi_blocked_time; + struct list_head loaded_vmcss_on_cpu_link; + }; + +@@ -1286,6 +1290,11 @@ static inline bool cpu_has_vmx_invpcid(v + SECONDARY_EXEC_ENABLE_INVPCID; + } + ++static inline bool cpu_has_virtual_nmis(void) ++{ ++ return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS; ++} ++ + static inline bool cpu_has_vmx_wbinvd_exit(void) + { + return vmcs_config.cpu_based_2nd_exec_ctrl & +@@ -1343,11 +1352,6 @@ static inline bool nested_cpu_has2(struc + (vmcs12->secondary_vm_exec_control & bit); + } + +-static inline bool nested_cpu_has_virtual_nmis(struct vmcs12 *vmcs12) +-{ +- return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS; +-} +- + static inline bool nested_cpu_has_preemption_timer(struct vmcs12 *vmcs12) + { + return vmcs12->pin_based_vm_exec_control & +@@ -3699,9 +3703,9 @@ static __init int setup_vmcs_config(stru + &_vmexit_control) < 0) + return -EIO; + +- min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING | +- PIN_BASED_VIRTUAL_NMIS; +- opt = PIN_BASED_POSTED_INTR | PIN_BASED_VMX_PREEMPTION_TIMER; ++ min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING; ++ opt = PIN_BASED_VIRTUAL_NMIS | PIN_BASED_POSTED_INTR | ++ PIN_BASED_VMX_PREEMPTION_TIMER; + if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS, + &_pin_based_exec_control) < 0) + return -EIO; +@@ -5667,7 +5671,8 @@ static void enable_irq_window(struct kvm + + static void enable_nmi_window(struct kvm_vcpu *vcpu) + { +- if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) { ++ if (!cpu_has_virtual_nmis() || ++ vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) { + enable_irq_window(vcpu); + return; + } +@@ -5707,6 +5712,19 @@ static void vmx_inject_nmi(struct kvm_vc + { + struct vcpu_vmx *vmx = to_vmx(vcpu); + ++ if (!cpu_has_virtual_nmis()) { ++ /* ++ * Tracking the NMI-blocked state in software is built upon ++ * finding the next open IRQ window. This, in turn, depends on ++ * well-behaving guests: They have to keep IRQs disabled at ++ * least as long as the NMI handler runs. Otherwise we may ++ * cause NMI nesting, maybe breaking the guest. But as this is ++ * highly unlikely, we can live with the residual risk. ++ */ ++ vmx->loaded_vmcs->soft_vnmi_blocked = 1; ++ vmx->loaded_vmcs->vnmi_blocked_time = 0; ++ } ++ + ++vcpu->stat.nmi_injections; + vmx->loaded_vmcs->nmi_known_unmasked = false; + +@@ -5725,6 +5743,8 @@ static bool vmx_get_nmi_mask(struct kvm_ + struct vcpu_vmx *vmx = to_vmx(vcpu); + bool masked; + ++ if (!cpu_has_virtual_nmis()) ++ return vmx->loaded_vmcs->soft_vnmi_blocked; + if (vmx->loaded_vmcs->nmi_known_unmasked) + return false; + masked = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI; +@@ -5736,13 +5756,20 @@ static void vmx_set_nmi_mask(struct kvm_ + { + struct vcpu_vmx *vmx = to_vmx(vcpu); + +- vmx->loaded_vmcs->nmi_known_unmasked = !masked; +- if (masked) +- vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, +- GUEST_INTR_STATE_NMI); +- else +- vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO, +- GUEST_INTR_STATE_NMI); ++ if (!cpu_has_virtual_nmis()) { ++ if (vmx->loaded_vmcs->soft_vnmi_blocked != masked) { ++ vmx->loaded_vmcs->soft_vnmi_blocked = masked; ++ vmx->loaded_vmcs->vnmi_blocked_time = 0; ++ } ++ } else { ++ vmx->loaded_vmcs->nmi_known_unmasked = !masked; ++ if (masked) ++ vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, ++ GUEST_INTR_STATE_NMI); ++ else ++ vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO, ++ GUEST_INTR_STATE_NMI); ++ } + } + + static int vmx_nmi_allowed(struct kvm_vcpu *vcpu) +@@ -5750,6 +5777,10 @@ static int vmx_nmi_allowed(struct kvm_vc + if (to_vmx(vcpu)->nested.nested_run_pending) + return 0; + ++ if (!cpu_has_virtual_nmis() && ++ to_vmx(vcpu)->loaded_vmcs->soft_vnmi_blocked) ++ return 0; ++ + return !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & + (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI + | GUEST_INTR_STATE_NMI)); +@@ -6478,6 +6509,7 @@ static int handle_ept_violation(struct k + * AAK134, BY25. + */ + if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) && ++ cpu_has_virtual_nmis() && + (exit_qualification & INTR_INFO_UNBLOCK_NMI)) + vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, GUEST_INTR_STATE_NMI); + +@@ -6961,7 +6993,7 @@ static struct loaded_vmcs *nested_get_cu + } + + /* Create a new VMCS */ +- item = kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL); ++ item = kzalloc(sizeof(struct vmcs02_list), GFP_KERNEL); + if (!item) + return NULL; + item->vmcs02.vmcs = alloc_vmcs(); +@@ -7978,6 +8010,7 @@ static int handle_pml_full(struct kvm_vc + * "blocked by NMI" bit has to be set before next VM entry. + */ + if (!(to_vmx(vcpu)->idt_vectoring_info & VECTORING_INFO_VALID_MASK) && ++ cpu_has_virtual_nmis() && + (exit_qualification & INTR_INFO_UNBLOCK_NMI)) + vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, + GUEST_INTR_STATE_NMI); +@@ -8822,6 +8855,25 @@ static int vmx_handle_exit(struct kvm_vc + return 0; + } + ++ if (unlikely(!cpu_has_virtual_nmis() && ++ vmx->loaded_vmcs->soft_vnmi_blocked)) { ++ if (vmx_interrupt_allowed(vcpu)) { ++ vmx->loaded_vmcs->soft_vnmi_blocked = 0; ++ } else if (vmx->loaded_vmcs->vnmi_blocked_time > 1000000000LL && ++ vcpu->arch.nmi_pending) { ++ /* ++ * This CPU don't support us in finding the end of an ++ * NMI-blocked window if the guest runs with IRQs ++ * disabled. So we pull the trigger after 1 s of ++ * futile waiting, but inform the user about this. ++ */ ++ printk(KERN_WARNING "%s: Breaking out of NMI-blocked " ++ "state on VCPU %d after 1 s timeout\n", ++ __func__, vcpu->vcpu_id); ++ vmx->loaded_vmcs->soft_vnmi_blocked = 0; ++ } ++ } ++ + if (exit_reason < kvm_vmx_max_exit_handlers + && kvm_vmx_exit_handlers[exit_reason]) + return kvm_vmx_exit_handlers[exit_reason](vcpu); +@@ -9104,33 +9156,38 @@ static void vmx_recover_nmi_blocking(str + + idtv_info_valid = vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK; + +- if (vmx->loaded_vmcs->nmi_known_unmasked) +- return; +- /* +- * Can't use vmx->exit_intr_info since we're not sure what +- * the exit reason is. +- */ +- exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO); +- unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0; +- vector = exit_intr_info & INTR_INFO_VECTOR_MASK; +- /* +- * SDM 3: 27.7.1.2 (September 2008) +- * Re-set bit "block by NMI" before VM entry if vmexit caused by +- * a guest IRET fault. +- * SDM 3: 23.2.2 (September 2008) +- * Bit 12 is undefined in any of the following cases: +- * If the VM exit sets the valid bit in the IDT-vectoring +- * information field. +- * If the VM exit is due to a double fault. +- */ +- if ((exit_intr_info & INTR_INFO_VALID_MASK) && unblock_nmi && +- vector != DF_VECTOR && !idtv_info_valid) +- vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, +- GUEST_INTR_STATE_NMI); +- else +- vmx->loaded_vmcs->nmi_known_unmasked = +- !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) +- & GUEST_INTR_STATE_NMI); ++ if (cpu_has_virtual_nmis()) { ++ if (vmx->loaded_vmcs->nmi_known_unmasked) ++ return; ++ /* ++ * Can't use vmx->exit_intr_info since we're not sure what ++ * the exit reason is. ++ */ ++ exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO); ++ unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0; ++ vector = exit_intr_info & INTR_INFO_VECTOR_MASK; ++ /* ++ * SDM 3: 27.7.1.2 (September 2008) ++ * Re-set bit "block by NMI" before VM entry if vmexit caused by ++ * a guest IRET fault. ++ * SDM 3: 23.2.2 (September 2008) ++ * Bit 12 is undefined in any of the following cases: ++ * If the VM exit sets the valid bit in the IDT-vectoring ++ * information field. ++ * If the VM exit is due to a double fault. ++ */ ++ if ((exit_intr_info & INTR_INFO_VALID_MASK) && unblock_nmi && ++ vector != DF_VECTOR && !idtv_info_valid) ++ vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO, ++ GUEST_INTR_STATE_NMI); ++ else ++ vmx->loaded_vmcs->nmi_known_unmasked = ++ !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) ++ & GUEST_INTR_STATE_NMI); ++ } else if (unlikely(vmx->loaded_vmcs->soft_vnmi_blocked)) ++ vmx->loaded_vmcs->vnmi_blocked_time += ++ ktime_to_ns(ktime_sub(ktime_get(), ++ vmx->loaded_vmcs->entry_time)); + } + + static void __vmx_complete_interrupts(struct kvm_vcpu *vcpu, +@@ -9247,6 +9304,11 @@ static void __noclone vmx_vcpu_run(struc + struct vcpu_vmx *vmx = to_vmx(vcpu); + unsigned long debugctlmsr, cr3, cr4; + ++ /* Record the guest's net vcpu time for enforced NMI injections. */ ++ if (unlikely(!cpu_has_virtual_nmis() && ++ vmx->loaded_vmcs->soft_vnmi_blocked)) ++ vmx->loaded_vmcs->entry_time = ktime_get(); ++ + /* Don't enter VMX if guest state is invalid, let the exit handler + start emulation until we arrive back to a valid state */ + if (vmx->emulation_required) diff --git a/queue-4.14/libnvdimm-dimm-clear-locked-status-on-successful-dimm-enable.patch b/queue-4.14/libnvdimm-dimm-clear-locked-status-on-successful-dimm-enable.patch new file mode 100644 index 00000000000..809eeea701b --- /dev/null +++ b/queue-4.14/libnvdimm-dimm-clear-locked-status-on-successful-dimm-enable.patch @@ -0,0 +1,60 @@ +From d34cb808402898e53b9a9bcbbedd01667a78723b Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 25 Sep 2017 11:01:31 -0700 +Subject: libnvdimm, dimm: clear 'locked' status on successful DIMM enable + +From: Dan Williams + +commit d34cb808402898e53b9a9bcbbedd01667a78723b upstream. + +If we successfully enable a DIMM then it must not be locked and we can +clear the label-read failure condition. Otherwise, we need to reload the +entire bus provider driver to achieve the same effect, and that can +disrupt unrelated DIMMs and namespaces. + +Fixes: 9d62ed965118 ("libnvdimm: handle locked label storage areas") +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/dimm.c | 1 + + drivers/nvdimm/dimm_devs.c | 7 +++++++ + drivers/nvdimm/nd.h | 1 + + 3 files changed, 9 insertions(+) + +--- a/drivers/nvdimm/dimm.c ++++ b/drivers/nvdimm/dimm.c +@@ -68,6 +68,7 @@ static int nvdimm_probe(struct device *d + rc = nd_label_reserve_dpa(ndd); + if (ndd->ns_current >= 0) + nvdimm_set_aliasing(dev); ++ nvdimm_clear_locked(dev); + nvdimm_bus_unlock(dev); + + if (rc) +--- a/drivers/nvdimm/dimm_devs.c ++++ b/drivers/nvdimm/dimm_devs.c +@@ -200,6 +200,13 @@ void nvdimm_set_locked(struct device *de + set_bit(NDD_LOCKED, &nvdimm->flags); + } + ++void nvdimm_clear_locked(struct device *dev) ++{ ++ struct nvdimm *nvdimm = to_nvdimm(dev); ++ ++ clear_bit(NDD_LOCKED, &nvdimm->flags); ++} ++ + static void nvdimm_release(struct device *dev) + { + struct nvdimm *nvdimm = to_nvdimm(dev); +--- a/drivers/nvdimm/nd.h ++++ b/drivers/nvdimm/nd.h +@@ -254,6 +254,7 @@ long nvdimm_clear_poison(struct device * + unsigned int len); + void nvdimm_set_aliasing(struct device *dev); + void nvdimm_set_locked(struct device *dev); ++void nvdimm_clear_locked(struct device *dev); + struct nd_btt *to_nd_btt(struct device *dev); + + struct nd_gen_sb { diff --git a/queue-4.14/libnvdimm-namespace-fix-label-initialization-to-use-valid-seq-numbers.patch b/queue-4.14/libnvdimm-namespace-fix-label-initialization-to-use-valid-seq-numbers.patch new file mode 100644 index 00000000000..d3dc9868d2e --- /dev/null +++ b/queue-4.14/libnvdimm-namespace-fix-label-initialization-to-use-valid-seq-numbers.patch @@ -0,0 +1,44 @@ +From b18d4b8a25af6fe83d7692191d6ff962ea611c4f Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 26 Sep 2017 11:41:28 -0700 +Subject: libnvdimm, namespace: fix label initialization to use valid seq numbers + +From: Dan Williams + +commit b18d4b8a25af6fe83d7692191d6ff962ea611c4f upstream. + +The set of valid sequence numbers is {1,2,3}. The specification +indicates that an implementation should consider 0 a sign of a critical +error: + + UEFI 2.7: 13.19 NVDIMM Label Protocol + + Software never writes the sequence number 00, so a correctly + check-summed Index Block with this sequence number probably indicates a + critical error. When software discovers this case it treats it as an + invalid Index Block indication. + +While the expectation is that the invalid block is just thrown away, the +Robustness Principle says we should fix this to make both sequence +numbers valid. + +Fixes: f524bf271a5c ("libnvdimm: write pmem label set") +Reported-by: Juston Li +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/label.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvdimm/label.c ++++ b/drivers/nvdimm/label.c +@@ -1050,7 +1050,7 @@ static int init_labels(struct nd_mapping + nsindex = to_namespace_index(ndd, 0); + memset(nsindex, 0, ndd->nsarea.config_size); + for (i = 0; i < 2; i++) { +- int rc = nd_label_write_index(ndd, i, i*2, ND_NSINDEX_INIT); ++ int rc = nd_label_write_index(ndd, i, 3 - i, ND_NSINDEX_INIT); + + if (rc) + return rc; diff --git a/queue-4.14/libnvdimm-namespace-make-resource-attribute-only-readable-by-root.patch b/queue-4.14/libnvdimm-namespace-make-resource-attribute-only-readable-by-root.patch new file mode 100644 index 00000000000..2769c2020b0 --- /dev/null +++ b/queue-4.14/libnvdimm-namespace-make-resource-attribute-only-readable-by-root.patch @@ -0,0 +1,34 @@ +From c1fb3542074fd0c4d901d778bd52455111e4eb6f Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 26 Sep 2017 11:21:24 -0700 +Subject: libnvdimm, namespace: make 'resource' attribute only readable by root + +From: Dan Williams + +commit c1fb3542074fd0c4d901d778bd52455111e4eb6f upstream. + +For the same reason that /proc/iomem returns 0's for non-root readers +and acpi tables are root-only, make the 'resource' attribute for +namespace devices only readable by root. Otherwise we disclose physical +address information. + +Fixes: bf9bccc14c05 ("libnvdimm: pmem label sets and namespace instantiation") +Reported-by: Dave Hansen +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/namespace_devs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -1620,7 +1620,7 @@ static umode_t namespace_visible(struct + if (a == &dev_attr_resource.attr) { + if (is_namespace_blk(dev)) + return 0; +- return a->mode; ++ return 0400; + } + + if (is_namespace_pmem(dev) || is_namespace_blk(dev)) { diff --git a/queue-4.14/libnvdimm-pfn-make-resource-attribute-only-readable-by-root.patch b/queue-4.14/libnvdimm-pfn-make-resource-attribute-only-readable-by-root.patch new file mode 100644 index 00000000000..fbb9bda91c5 --- /dev/null +++ b/queue-4.14/libnvdimm-pfn-make-resource-attribute-only-readable-by-root.patch @@ -0,0 +1,42 @@ +From 26417ae4fc6108f8db436f24108b08f68bdc520e Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 26 Sep 2017 13:07:06 -0700 +Subject: libnvdimm, pfn: make 'resource' attribute only readable by root + +From: Dan Williams + +commit 26417ae4fc6108f8db436f24108b08f68bdc520e upstream. + +For the same reason that /proc/iomem returns 0's for non-root readers +and acpi tables are root-only, make the 'resource' attribute for pfn +devices only readable by root. Otherwise we disclose physical address +information. + +Fixes: f6ed58c70d14 ("libnvdimm, pfn: 'resource'-address and 'size'...") +Reported-by: Dave Hansen +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/pfn_devs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -282,8 +282,16 @@ static struct attribute *nd_pfn_attribut + NULL, + }; + ++static umode_t pfn_visible(struct kobject *kobj, struct attribute *a, int n) ++{ ++ if (a == &dev_attr_resource.attr) ++ return 0400; ++ return a->mode; ++} ++ + struct attribute_group nd_pfn_attribute_group = { + .attrs = nd_pfn_attributes, ++ .is_visible = pfn_visible, + }; + + static const struct attribute_group *nd_pfn_attribute_groups[] = { diff --git a/queue-4.14/libnvdimm-region-make-resource-attribute-only-readable-by-root.patch b/queue-4.14/libnvdimm-region-make-resource-attribute-only-readable-by-root.patch new file mode 100644 index 00000000000..1d2fdfc5647 --- /dev/null +++ b/queue-4.14/libnvdimm-region-make-resource-attribute-only-readable-by-root.patch @@ -0,0 +1,42 @@ +From b8ff981f88df03c72a4de2f6eaa9ce447a10ac03 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Tue, 26 Sep 2017 11:17:52 -0700 +Subject: libnvdimm, region : make 'resource' attribute only readable by root + +From: Dan Williams + +commit b8ff981f88df03c72a4de2f6eaa9ce447a10ac03 upstream. + +For the same reason that /proc/iomem returns 0's for non-root readers +and acpi tables are root-only, make the 'resource' attribute for region +devices only readable by root. Otherwise we disclose physical address +information. + +Fixes: 802f4be6feee ("libnvdimm: Add 'resource' sysfs attribute to regions") +Cc: Dave Jiang +Cc: Johannes Thumshirn +Reported-by: Dave Hansen +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/region_devs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -562,8 +562,12 @@ static umode_t region_visible(struct kob + if (!is_nd_pmem(dev) && a == &dev_attr_badblocks.attr) + return 0; + +- if (!is_nd_pmem(dev) && a == &dev_attr_resource.attr) +- return 0; ++ if (a == &dev_attr_resource.attr) { ++ if (is_nd_pmem(dev)) ++ return 0400; ++ else ++ return 0; ++ } + + if (a == &dev_attr_deep_flush.attr) { + int has_flush = nvdimm_has_flush(nd_region); diff --git a/queue-4.14/nfc-fix-device-allocation-error-return.patch b/queue-4.14/nfc-fix-device-allocation-error-return.patch new file mode 100644 index 00000000000..4d7aaf3a8cc --- /dev/null +++ b/queue-4.14/nfc-fix-device-allocation-error-return.patch @@ -0,0 +1,41 @@ +From c45e3e4c5b134b081e8af362109905427967eb19 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 9 Jul 2017 13:08:58 +0200 +Subject: NFC: fix device-allocation error return + +From: Johan Hovold + +commit c45e3e4c5b134b081e8af362109905427967eb19 upstream. + +A recent change fixing NFC device allocation itself introduced an +error-handling bug by returning an error pointer in case device-id +allocation failed. This is clearly broken as the callers still expected +NULL to be returned on errors as detected by Dan's static checker. + +Fix this up by returning NULL in the event that we've run out of memory +when allocating a new device id. + +Note that the offending commit is marked for stable (3.8) so this fix +needs to be backported along with it. + +Fixes: 20777bc57c34 ("NFC: fix broken device allocation") +Reported-by: Dan Carpenter +Signed-off-by: Johan Hovold +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1106,7 +1106,7 @@ struct nfc_dev *nfc_allocate_device(stru + err_free_dev: + kfree(dev); + +- return ERR_PTR(rc); ++ return NULL; + } + EXPORT_SYMBOL(nfc_allocate_device); + diff --git a/queue-4.14/series b/queue-4.14/series index a6faea81284..e1397ffe501 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -130,3 +130,25 @@ raid1-prevent-freeze_array-wait_all_barriers-deadlock.patch genirq-track-whether-the-trigger-type-has-been-set.patch irqchip-gic-v3-fix-ppi-partitions-lookup.patch lockd-double-unregister-of-inetaddr-notifiers.patch +kvm-ppc-book3s-hv-don-t-call-real-mode-xics-hypercall-handlers-if-not-enabled.patch +kvm-nvmx-set-idtr-and-gdtr-limits-when-loading-l1-host-state.patch +kvm-svm-obey-guest-pat.patch +kvm-vmx-reinstate-support-for-cpus-without-virtual-nmi.patch +dax-fix-pmd-faults-on-zero-length-files.patch +dax-fix-general-protection-fault-in-dax_alloc_inode.patch +sunrpc-fix-tracepoint-storage-issues-with-svc_recv-and-svc_rqst_status.patch +clk-ti-dra7-atl-clock-fix-child-node-lookups.patch +libnvdimm-dimm-clear-locked-status-on-successful-dimm-enable.patch +libnvdimm-pfn-make-resource-attribute-only-readable-by-root.patch +libnvdimm-namespace-fix-label-initialization-to-use-valid-seq-numbers.patch +libnvdimm-region-make-resource-attribute-only-readable-by-root.patch +libnvdimm-namespace-make-resource-attribute-only-readable-by-root.patch +svcrdma-preserve-cb-send-buffer-across-retransmits.patch +ib-srpt-do-not-accept-invalid-initiator-port-names.patch +ib-cm-fix-memory-corruption-in-handling-cm-request.patch +ib-hfi1-fix-incorrect-available-receive-user-context-count.patch +ib-srp-avoid-that-a-cable-pull-can-trigger-a-kernel-crash.patch +ib-core-avoid-crash-on-pkey-enforcement-failed-in-received-mads.patch +ib-core-only-maintain-real-qps-in-the-security-lists.patch +nfc-fix-device-allocation-error-return.patch +spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch diff --git a/queue-4.14/spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch b/queue-4.14/spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch new file mode 100644 index 00000000000..7c4b33d554a --- /dev/null +++ b/queue-4.14/spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch @@ -0,0 +1,44 @@ +From 9d63f17661e25fd28714dac94bdebc4ff5b75f09 Mon Sep 17 00:00:00 2001 +From: Bin Meng +Date: Mon, 11 Sep 2017 02:41:53 -0700 +Subject: spi-nor: intel-spi: Fix broken software sequencing codes + +From: Bin Meng + +commit 9d63f17661e25fd28714dac94bdebc4ff5b75f09 upstream. + +There are two bugs in current intel_spi_sw_cycle(): + +- The 'data byte count' field should be the number of bytes + transferred minus 1 +- SSFSTS_CTL is the offset from ispi->sregs, not ispi->base + +Signed-off-by: Bin Meng +Acked-by: Mika Westerberg +Signed-off-by: Cyrille Pitchen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/spi-nor/intel-spi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/intel-spi.c ++++ b/drivers/mtd/spi-nor/intel-spi.c +@@ -422,7 +422,7 @@ static int intel_spi_sw_cycle(struct int + if (ret < 0) + return ret; + +- val = (len << SSFSTS_CTL_DBC_SHIFT) | SSFSTS_CTL_DS; ++ val = ((len - 1) << SSFSTS_CTL_DBC_SHIFT) | SSFSTS_CTL_DS; + val |= ret << SSFSTS_CTL_COP_SHIFT; + val |= SSFSTS_CTL_FCERR | SSFSTS_CTL_FDONE; + val |= SSFSTS_CTL_SCGO; +@@ -432,7 +432,7 @@ static int intel_spi_sw_cycle(struct int + if (ret) + return ret; + +- status = readl(ispi->base + SSFSTS_CTL); ++ status = readl(ispi->sregs + SSFSTS_CTL); + if (status & SSFSTS_CTL_FCERR) + return -EIO; + else if (status & SSFSTS_CTL_AEL) diff --git a/queue-4.14/sunrpc-fix-tracepoint-storage-issues-with-svc_recv-and-svc_rqst_status.patch b/queue-4.14/sunrpc-fix-tracepoint-storage-issues-with-svc_recv-and-svc_rqst_status.patch new file mode 100644 index 00000000000..8f04f68f023 --- /dev/null +++ b/queue-4.14/sunrpc-fix-tracepoint-storage-issues-with-svc_recv-and-svc_rqst_status.patch @@ -0,0 +1,76 @@ +From e9d4bf219c83d09579bc62512fea2ca10f025d93 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 10 Oct 2017 17:31:42 -0400 +Subject: SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status + +From: Trond Myklebust + +commit e9d4bf219c83d09579bc62512fea2ca10f025d93 upstream. + +There is no guarantee that either the request or the svc_xprt exist +by the time we get round to printing the trace message. + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/sunrpc.h | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -456,20 +456,22 @@ TRACE_EVENT(svc_recv, + TP_ARGS(rqst, status), + + TP_STRUCT__entry( +- __field(struct sockaddr *, addr) + __field(__be32, xid) + __field(int, status) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen) + ), + + TP_fast_assign( +- __entry->addr = (struct sockaddr *)&rqst->rq_addr; + __entry->xid = status > 0 ? rqst->rq_xid : 0; + __entry->status = status; + __entry->flags = rqst->rq_flags; ++ memcpy(__get_dynamic_array(addr), ++ &rqst->rq_addr, rqst->rq_addrlen); + ), + +- TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s", __entry->addr, ++ TP_printk("addr=%pIScp xid=0x%x status=%d flags=%s", ++ (struct sockaddr *)__get_dynamic_array(addr), + be32_to_cpu(__entry->xid), __entry->status, + show_rqstp_flags(__entry->flags)) + ); +@@ -514,22 +516,23 @@ DECLARE_EVENT_CLASS(svc_rqst_status, + TP_ARGS(rqst, status), + + TP_STRUCT__entry( +- __field(struct sockaddr *, addr) + __field(__be32, xid) +- __field(int, dropme) + __field(int, status) + __field(unsigned long, flags) ++ __dynamic_array(unsigned char, addr, rqst->rq_addrlen) + ), + + TP_fast_assign( +- __entry->addr = (struct sockaddr *)&rqst->rq_addr; + __entry->xid = rqst->rq_xid; + __entry->status = status; + __entry->flags = rqst->rq_flags; ++ memcpy(__get_dynamic_array(addr), ++ &rqst->rq_addr, rqst->rq_addrlen); + ), + + TP_printk("addr=%pIScp rq_xid=0x%x status=%d flags=%s", +- __entry->addr, be32_to_cpu(__entry->xid), ++ (struct sockaddr *)__get_dynamic_array(addr), ++ be32_to_cpu(__entry->xid), + __entry->status, show_rqstp_flags(__entry->flags)) + ); + diff --git a/queue-4.14/svcrdma-preserve-cb-send-buffer-across-retransmits.patch b/queue-4.14/svcrdma-preserve-cb-send-buffer-across-retransmits.patch new file mode 100644 index 00000000000..9be33faaa77 --- /dev/null +++ b/queue-4.14/svcrdma-preserve-cb-send-buffer-across-retransmits.patch @@ -0,0 +1,93 @@ +From 0bad47cada5defba13e98827d22d06f13258dfb3 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Mon, 16 Oct 2017 12:14:33 -0400 +Subject: svcrdma: Preserve CB send buffer across retransmits + +From: Chuck Lever + +commit 0bad47cada5defba13e98827d22d06f13258dfb3 upstream. + +During each NFSv4 callback Call, an RDMA Send completion frees the +page that contains the RPC Call message. If the upper layer +determines that a retransmit is necessary, this is too soon. + +One possible symptom: after a GARBAGE_ARGS response an NFSv4.1 +callback request, the following BUG fires on the NFS server: + +kernel: BUG: Bad page state in process kworker/0:2H pfn:7d3ce2 +kernel: page:ffffea001f4f3880 count:-2 mapcount:0 mapping: (null) index:0x0 +kernel: flags: 0x2fffff80000000() +kernel: raw: 002fffff80000000 0000000000000000 0000000000000000 fffffffeffffffff +kernel: raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 +kernel: page dumped because: nonzero _refcount +kernel: Modules linked in: cts rpcsec_gss_krb5 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm +ocfs2_nodemanager ocfs2_stackglue rpcrdm a ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad +rdma_cm ib_cm iw_cm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel +kvm irqbypass crct10dif_pc lmul crc32_pclmul ghash_clmulni_intel pcbc iTCO_wdt +iTCO_vendor_support aesni_intel crypto_simd glue_helper cryptd pcspkr lpc_ich i2c_i801 +mei_me mf d_core mei raid0 sg wmi ioatdma ipmi_si ipmi_devintf ipmi_msghandler shpchp +acpi_power_meter acpi_pad nfsd nfs_acl lockd auth_rpcgss grace sunrpc ip_tables xfs +libcrc32c mlx4_en mlx4_ib mlx5_ib ib_core sd_mod sr_mod cdrom ast drm_kms_helper +syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci crc32c_intel libahci drm +mlx5_core igb libata mlx4_core dca i2c_algo_bit i2c_core nvme +kernel: ptp nvme_core pps_core dm_mirror dm_region_hash dm_log dm_mod dax +kernel: CPU: 0 PID: 11495 Comm: kworker/0:2H Not tainted 4.14.0-rc3-00001-g577ce48 #811 +kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 +kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] +kernel: Call Trace: +kernel: dump_stack+0x62/0x80 +kernel: bad_page+0xfe/0x11a +kernel: free_pages_check_bad+0x76/0x78 +kernel: free_pcppages_bulk+0x364/0x441 +kernel: ? ttwu_do_activate.isra.61+0x71/0x78 +kernel: free_hot_cold_page+0x1c5/0x202 +kernel: __put_page+0x2c/0x36 +kernel: svc_rdma_put_context+0xd9/0xe4 [rpcrdma] +kernel: svc_rdma_wc_send+0x50/0x98 [rpcrdma] + +This issue exists all the way back to v4.5, but refactoring and code +re-organization prevents this simple patch from applying to kernels +older than v4.12. The fix is the same, however, if someone needs to +backport it. + +Reported-by: Ben Coddington +BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=314 +Fixes: 5d252f90a800 ('svcrdma: Add class for RDMA backwards ... ') +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -133,6 +133,10 @@ static int svc_rdma_bc_sendto(struct svc + if (ret) + goto out_err; + ++ /* Bump page refcnt so Send completion doesn't release ++ * the rq_buffer before all retransmits are complete. ++ */ ++ get_page(virt_to_page(rqst->rq_buffer)); + ret = svc_rdma_post_send_wr(rdma, ctxt, 1, 0); + if (ret) + goto out_unmap; +@@ -165,7 +169,6 @@ xprt_rdma_bc_allocate(struct rpc_task *t + return -EINVAL; + } + +- /* svc_rdma_sendto releases this page */ + page = alloc_page(RPCRDMA_DEF_GFP); + if (!page) + return -ENOMEM; +@@ -184,6 +187,7 @@ xprt_rdma_bc_free(struct rpc_task *task) + { + struct rpc_rqst *rqst = task->tk_rqstp; + ++ put_page(virt_to_page(rqst->rq_buffer)); + kfree(rqst->rq_rbuffer); + } +