From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 10:19:34 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.18.7~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bed0f5025981c1b39602b07ef5fe15eb829f4abf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: 9p-fix-multiple-null-pointer-dereferences.patch 9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch 9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch block-really-disable-runtime-pm-for-blk-mq.patch cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch dm-crypt-don-t-decrease-device-limits.patch dm-integrity-change-suspending-variable-from-bool-to-int.patch dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch drm-i915-userptr-reject-zero-user_size.patch extcon-release-locking-when-sending-the-notification-of-connector-state.patch fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch iio-ad9523-fix-displayed-phase.patch iio-ad9523-fix-return-value-for-ad952x_store.patch iio-sca3000-fix-missing-return-in-switch.patch libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch livepatch-validate-module-old-func-name-length.patch mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch media-revert-tvp5150-fix-pad-format-frame-height.patch mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch net-6lowpan-fix-reserved-space-for-single-frames.patch net-9p-client.c-version-pointer-uninitialized.patch net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch net-mac802154-tx-expand-tailroom-if-necessary.patch ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch printk-tracing-do-not-trace-printk_nmi_enter.patch rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch readahead-stricter-check-for-bdi-io_pages.patch replace-magic-for-trusting-the-secondary-keyring-with-define.patch rtc-omap-fix-potential-crash-on-power-off.patch spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch spi-davinci-fix-a-null-pointer-dereference.patch spi-pxa2xx-add-support-for-intel-ice-lake.patch spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch tracing-blktrace-fix-to-allow-setting-same-value.patch tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch uart-fix-race-between-uart_put_char-and-uart_shutdown.patch uprobes-use-synchronize_rcu-not-synchronize_sched.patch vmw_balloon-do-not-use-2mb-without-batching.patch vmw_balloon-fix-inflation-of-64-bit-gfns.patch vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch vmw_balloon-vmci_doorbell_set-does-not-check-status.patch --- diff --git a/queue-4.14/9p-fix-multiple-null-pointer-dereferences.patch b/queue-4.14/9p-fix-multiple-null-pointer-dereferences.patch new file mode 100644 index 00000000000..9bdd110ad45 --- /dev/null +++ b/queue-4.14/9p-fix-multiple-null-pointer-dereferences.patch @@ -0,0 +1,82 @@ +From 10aa14527f458e9867cf3d2cc6b8cb0f6704448b Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Fri, 27 Jul 2018 13:05:58 +0200 +Subject: 9p: fix multiple NULL-pointer-dereferences + +From: Tomas Bortoli + +commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b upstream. + +Added checks to prevent GPFs from raising. + +Link: http://lkml.kernel.org/r/20180727110558.5479-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_fd.c | 5 ++++- + net/9p/trans_rdma.c | 3 +++ + net/9p/trans_virtio.c | 3 +++ + net/9p/trans_xen.c | 3 +++ + 4 files changed, 13 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -951,7 +951,7 @@ p9_fd_create_tcp(struct p9_client *clien + if (err < 0) + return err; + +- if (valid_ipaddr4(addr) < 0) ++ if (addr == NULL || valid_ipaddr4(addr) < 0) + return -EINVAL; + + csocket = NULL; +@@ -1001,6 +1001,9 @@ p9_fd_create_unix(struct p9_client *clie + + csocket = NULL; + ++ if (addr == NULL) ++ return -EINVAL; ++ + if (strlen(addr) >= UNIX_PATH_MAX) { + pr_err("%s (%d): address too long: %s\n", + __func__, task_pid_nr(current), addr); +--- a/net/9p/trans_rdma.c ++++ b/net/9p/trans_rdma.c +@@ -646,6 +646,9 @@ rdma_create_trans(struct p9_client *clie + struct rdma_conn_param conn_param; + struct ib_qp_init_attr qp_attr; + ++ if (addr == NULL) ++ return -EINVAL; ++ + /* Parse the transport specific mount options */ + err = parse_opts(args, &opts); + if (err < 0) +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -650,6 +650,9 @@ p9_virtio_create(struct p9_client *clien + int ret = -ENOENT; + int found = 0; + ++ if (devname == NULL) ++ return -EINVAL; ++ + mutex_lock(&virtio_9p_lock); + list_for_each_entry(chan, &virtio_chan_list, chan_list) { + if (!strncmp(devname, chan->tag, chan->tag_len) && +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -95,6 +95,9 @@ static int p9_xen_create(struct p9_clien + { + struct xen_9pfs_front_priv *priv; + ++ if (addr == NULL) ++ return -EINVAL; ++ + read_lock(&xen_9pfs_lock); + list_for_each_entry(priv, &xen_9pfs_devs, list) { + if (!strcmp(priv->tag, addr)) { diff --git a/queue-4.14/9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch b/queue-4.14/9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch new file mode 100644 index 00000000000..44a35751b96 --- /dev/null +++ b/queue-4.14/9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch @@ -0,0 +1,59 @@ +From d28c756caee6e414d9ba367d0b92da24145af2a8 Mon Sep 17 00:00:00 2001 +From: Chirantan Ekbote +Date: Mon, 16 Jul 2018 17:35:29 -0700 +Subject: 9p/net: Fix zero-copy path in the 9p virtio transport + +From: Chirantan Ekbote + +commit d28c756caee6e414d9ba367d0b92da24145af2a8 upstream. + +The zero-copy optimization when reading or writing large chunks of data +is quite useful. However, the 9p messages created through the zero-copy +write path have an incorrect message size: it should be the size of the +header + size of the data being written but instead it's just the size +of the header. + +This only works if the server ignores the size field of the message and +otherwise breaks the framing of the protocol. Fix this by re-writing the +message size field with the correct value. + +Tested by running `dd if=/dev/zero of=out bs=4k count=1` inside a +virtio-9p mount. + +Link: http://lkml.kernel.org/r/20180717003529.114368-1-chirantan@chromium.org +Signed-off-by: Chirantan Ekbote +Reviewed-by: Greg Kurz +Tested-by: Greg Kurz +Cc: Dylan Reid +Cc: Guenter Roeck +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_virtio.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -406,6 +406,7 @@ p9_virtio_zc_request(struct p9_client *c + p9_debug(P9_DEBUG_TRANS, "virtio request\n"); + + if (uodata) { ++ __le32 sz; + int n = p9_get_mapped_pages(chan, &out_pages, uodata, + outlen, &offs, &need_drop); + if (n < 0) +@@ -416,6 +417,12 @@ p9_virtio_zc_request(struct p9_client *c + memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4); + outlen = n; + } ++ /* The size field of the message must include the length of the ++ * header and the length of the data. We didn't actually know ++ * the length of the data until this point so add it in now. ++ */ ++ sz = cpu_to_le32(req->tc->size + outlen); ++ memcpy(&req->tc->sdata[0], &sz, sizeof(sz)); + } else if (uidata) { + int n = p9_get_mapped_pages(chan, &in_pages, uidata, + inlen, &offs, &need_drop); diff --git a/queue-4.14/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch b/queue-4.14/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch new file mode 100644 index 00000000000..400fc29416b --- /dev/null +++ b/queue-4.14/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch @@ -0,0 +1,44 @@ +From 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 Mon Sep 17 00:00:00 2001 +From: jiangyiwen +Date: Fri, 3 Aug 2018 12:11:34 +0800 +Subject: 9p/virtio: fix off-by-one error in sg list bounds check + +From: jiangyiwen + +commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream. + +Because the value of limit is VIRTQUEUE_NUM, if index is equal to +limit, it will cause sg array out of bounds, so correct the judgement +of BUG_ON. + +Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com +Signed-off-by: Yiwen Jiang +Reported-By: Dan Carpenter +Acked-by: Jun Piao +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -189,7 +189,7 @@ static int pack_sg_list(struct scatterli + s = rest_of_page(data); + if (s > count) + s = count; +- BUG_ON(index > limit); ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_buf(&sg[index++], data, s); +@@ -234,6 +234,7 @@ pack_sg_list_p(struct scatterlist *sg, i + s = PAGE_SIZE - data_off; + if (s > count) + s = count; ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_page(&sg[index++], pdata[i++], s, data_off); diff --git a/queue-4.14/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch b/queue-4.14/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch new file mode 100644 index 00000000000..74f468a65fa --- /dev/null +++ b/queue-4.14/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch @@ -0,0 +1,45 @@ +From 54648cf1ec2d7f4b6a71767799c45676a138ca24 Mon Sep 17 00:00:00 2001 +From: xiao jin +Date: Mon, 30 Jul 2018 14:11:12 +0800 +Subject: block: blk_init_allocated_queue() set q->fq as NULL in the fail case + +From: xiao jin + +commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream. + +We find the memory use-after-free issue in __blk_drain_queue() +on the kernel 4.14. After read the latest kernel 4.18-rc6 we +think it has the same problem. + +Memory is allocated for q->fq in the blk_init_allocated_queue(). +If the elevator init function called with error return, it will +run into the fail case to free the q->fq. + +Then the __blk_drain_queue() uses the same memory after the free +of the q->fq, it will lead to the unpredictable event. + +The patch is to set q->fq as NULL in the fail case of +blk_init_allocated_queue(). + +Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery") +Cc: +Reviewed-by: Ming Lei +Reviewed-by: Bart Van Assche +Signed-off-by: xiao jin +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1025,6 +1025,7 @@ out_exit_flush_rq: + q->exit_rq_fn(q, q->fq->flush_rq); + out_free_flush_queue: + blk_free_flush_queue(q->fq); ++ q->fq = NULL; + return -ENOMEM; + } + EXPORT_SYMBOL(blk_init_allocated_queue); diff --git a/queue-4.14/block-really-disable-runtime-pm-for-blk-mq.patch b/queue-4.14/block-really-disable-runtime-pm-for-blk-mq.patch new file mode 100644 index 00000000000..0365be7758b --- /dev/null +++ b/queue-4.14/block-really-disable-runtime-pm-for-blk-mq.patch @@ -0,0 +1,48 @@ +From b233f127042dba991229e3882c6217c80492f6ef Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 30 Jul 2018 20:02:19 +0800 +Subject: block: really disable runtime-pm for blk-mq + +From: Ming Lei + +commit b233f127042dba991229e3882c6217c80492f6ef upstream. + +Runtime PM isn't ready for blk-mq yet, and commit 765e40b675a9 ("block: +disable runtime-pm for blk-mq") tried to disable it. Unfortunately, +it can't take effect in that way since user space still can switch +it on via 'echo auto > /sys/block/sdN/device/power/control'. + +This patch disables runtime-pm for blk-mq really by pm_runtime_disable() +and fixes all kinds of PM related kernel crash. + +Cc: Tomas Janousek +Cc: Przemek Socha +Cc: Alan Stern +Cc: +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Tested-by: Patrick Steinhardt +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -3459,9 +3459,11 @@ EXPORT_SYMBOL(blk_finish_plug); + */ + void blk_pm_runtime_init(struct request_queue *q, struct device *dev) + { +- /* not support for RQF_PM and ->rpm_status in blk-mq yet */ +- if (q->mq_ops) ++ /* Don't enable runtime PM for blk-mq until it is ready */ ++ if (q->mq_ops) { ++ pm_runtime_disable(dev); + return; ++ } + + q->dev = dev; + q->rpm_status = RPM_ACTIVE; diff --git a/queue-4.14/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch b/queue-4.14/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch new file mode 100644 index 00000000000..562cd9255bd --- /dev/null +++ b/queue-4.14/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch @@ -0,0 +1,42 @@ +From ef6cb5f1a048fdf91ccee6d63d2bfa293338502d Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Wed, 4 Jul 2018 20:58:33 +0530 +Subject: cxl: Fix wrong comparison in cxl_adapter_context_get() + +From: Vaibhav Jain + +commit ef6cb5f1a048fdf91ccee6d63d2bfa293338502d upstream. + +Function atomic_inc_unless_negative() returns a bool to indicate +success/failure. However cxl_adapter_context_get() wrongly compares +the return value against '>=0' which will always be true. The patch +fixes this comparison to '==0' there by also fixing this compile time +warning: + + drivers/misc/cxl/main.c:290 cxl_adapter_context_get() + warn: 'atomic_inc_unless_negative(&adapter->contexts_num)' is unsigned + +Fixes: 70b565bbdb91 ("cxl: Prevent adapter reset if an active context exists") +Cc: stable@vger.kernel.org # v4.9+ +Reported-by: Dan Carpenter +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/cxl/main.c ++++ b/drivers/misc/cxl/main.c +@@ -287,7 +287,7 @@ int cxl_adapter_context_get(struct cxl * + int rc; + + rc = atomic_inc_unless_negative(&adapter->contexts_num); +- return rc >= 0 ? 0 : -EBUSY; ++ return rc ? 0 : -EBUSY; + } + + void cxl_adapter_context_put(struct cxl *adapter) diff --git a/queue-4.14/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch b/queue-4.14/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch new file mode 100644 index 00000000000..6ead91a6d48 --- /dev/null +++ b/queue-4.14/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch @@ -0,0 +1,53 @@ +From fd2fa95416188a767a63979296fa3e169a9ef5ec Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Thu, 2 Aug 2018 16:08:52 -0400 +Subject: dm cache metadata: save in-core policy_hint_size to on-disk superblock + +From: Mike Snitzer + +commit fd2fa95416188a767a63979296fa3e169a9ef5ec upstream. + +policy_hint_size starts as 0 during __write_initial_superblock(). It +isn't until the policy is loaded that policy_hint_size is set in-core +(cmd->policy_hint_size). But it never got recorded in the on-disk +superblock because __commit_transaction() didn't deal with transfering +the in-core cmd->policy_hint_size to the on-disk superblock. + +The in-core cmd->policy_hint_size gets initialized by metadata_open()'s +__begin_transaction_flags() which re-reads all superblock fields. +Because the superblock's policy_hint_size was never properly stored, when +the cache was created, hints_array_available() would always return false +when re-activating a previously created cache. This means +__load_mappings() always considered the hints invalid and never made use +of the hints (these hints served to optimize). + +Another detremental side-effect of this oversight is the cache_check +utility would fail with: "invalid hint width: 0" + +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -362,7 +362,7 @@ static int __write_initial_superblock(st + disk_super->version = cpu_to_le32(cmd->version); + memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name)); + memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version)); +- disk_super->policy_hint_size = 0; ++ disk_super->policy_hint_size = cpu_to_le32(0); + + __copy_sm_root(cmd, disk_super); + +@@ -700,6 +700,7 @@ static int __commit_transaction(struct d + disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]); + disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]); + disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]); ++ disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size); + + disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits); + disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses); diff --git a/queue-4.14/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch b/queue-4.14/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch new file mode 100644 index 00000000000..84b565256a5 --- /dev/null +++ b/queue-4.14/dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch @@ -0,0 +1,127 @@ +From 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 9 Aug 2018 12:38:28 +0200 +Subject: dm cache metadata: set dirty on all cache blocks after a crash + +From: Ilya Dryomov + +commit 5b1fe7bec8a8d0cc547a22e7ddc2bd59acd67de4 upstream. + +Quoting Documentation/device-mapper/cache.txt: + + The 'dirty' state for a cache block changes far too frequently for us + to keep updating it on the fly. So we treat it as a hint. In normal + operation it will be written when the dm device is suspended. If the + system crashes all cache blocks will be assumed dirty when restarted. + +This got broken in commit f177940a8091 ("dm cache metadata: switch to +using the new cursor api for loading metadata") in 4.9, which removed +the code that consulted cmd->clean_when_opened (CLEAN_SHUTDOWN on-disk +flag) when loading cache blocks. This results in data corruption on an +unclean shutdown with dirty cache blocks on the fast device. After the +crash those blocks are considered clean and may get evicted from the +cache at any time. This can be demonstrated by doing a lot of reads +to trigger individual evictions, but uncache is more predictable: + + ### Disable auto-activation in lvm.conf to be able to do uncache in + ### time (i.e. see uncache doing flushing) when the fix is applied. + + # xfs_io -d -c 'pwrite -b 4M -S 0xaa 0 1G' /dev/vdb + # vgcreate vg_cache /dev/vdb /dev/vdc + # lvcreate -L 1G -n lv_slowdev vg_cache /dev/vdb + # lvcreate -L 512M -n lv_cachedev vg_cache /dev/vdc + # lvcreate -L 256M -n lv_metadev vg_cache /dev/vdc + # lvconvert --type cache-pool --cachemode writeback vg_cache/lv_cachedev --poolmetadata vg_cache/lv_metadev + # lvconvert --type cache vg_cache/lv_slowdev --cachepool vg_cache/lv_cachedev + # xfs_io -d -c 'pwrite -b 4M -S 0xbb 0 512M' /dev/mapper/vg_cache-lv_slowdev + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # dmsetup status vg_cache-lv_slowdev + 0 2097152 cache 8 27/65536 128 8192/8192 1 100 0 0 0 8192 7065 2 metadata2 writeback 2 migration_threshold 2048 smq 0 rw - + ^^^^ + 7065 * 64k = 441M yet to be written to the slow device + # echo b >/proc/sysrq-trigger + + # vgchange -ay vg_cache + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # lvconvert --uncache vg_cache/lv_slowdev + Flushing 0 blocks for cache vg_cache/lv_slowdev. + Logical volume "lv_cachedev" successfully removed + Logical volume vg_cache/lv_slowdev is not cached. + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................ + 0fe00010: aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................ + +This is the case with both v1 and v2 cache pool metatata formats. + +After applying this patch: + + # vgchange -ay vg_cache + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + # lvconvert --uncache vg_cache/lv_slowdev + Flushing 3724 blocks for cache vg_cache/lv_slowdev. + ... + Flushing 71 blocks for cache vg_cache/lv_slowdev. + Logical volume "lv_cachedev" successfully removed + Logical volume vg_cache/lv_slowdev is not cached. + # xfs_io -d -c 'pread -v 254M 512' /dev/mapper/vg_cache-lv_slowdev | head -n 2 + 0fe00000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + 0fe00010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ + +Cc: stable@vger.kernel.org +Fixes: f177940a8091 ("dm cache metadata: switch to using the new cursor api for loading metadata") +Signed-off-by: Ilya Dryomov +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -1322,6 +1322,7 @@ static int __load_mapping_v1(struct dm_c + + dm_oblock_t oblock; + unsigned flags; ++ bool dirty = true; + + dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le); + memcpy(&mapping, mapping_value_le, sizeof(mapping)); +@@ -1332,8 +1333,10 @@ static int __load_mapping_v1(struct dm_c + dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le); + memcpy(&hint, hint_value_le, sizeof(hint)); + } ++ if (cmd->clean_when_opened) ++ dirty = flags & M_DIRTY; + +- r = fn(context, oblock, to_cblock(cb), flags & M_DIRTY, ++ r = fn(context, oblock, to_cblock(cb), dirty, + le32_to_cpu(hint), hints_valid); + if (r) { + DMERR("policy couldn't load cache block %llu", +@@ -1361,7 +1364,7 @@ static int __load_mapping_v2(struct dm_c + + dm_oblock_t oblock; + unsigned flags; +- bool dirty; ++ bool dirty = true; + + dm_array_cursor_get_value(mapping_cursor, (void **) &mapping_value_le); + memcpy(&mapping, mapping_value_le, sizeof(mapping)); +@@ -1372,8 +1375,9 @@ static int __load_mapping_v2(struct dm_c + dm_array_cursor_get_value(hint_cursor, (void **) &hint_value_le); + memcpy(&hint, hint_value_le, sizeof(hint)); + } ++ if (cmd->clean_when_opened) ++ dirty = dm_bitset_cursor_get_value(dirty_cursor); + +- dirty = dm_bitset_cursor_get_value(dirty_cursor); + r = fn(context, oblock, to_cblock(cb), dirty, + le32_to_cpu(hint), hints_valid); + if (r) { diff --git a/queue-4.14/dm-crypt-don-t-decrease-device-limits.patch b/queue-4.14/dm-crypt-don-t-decrease-device-limits.patch new file mode 100644 index 00000000000..089b4b5fa12 --- /dev/null +++ b/queue-4.14/dm-crypt-don-t-decrease-device-limits.patch @@ -0,0 +1,44 @@ +From bc9e9cf0401f18e33b78d4c8a518661b8346baf7 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 10 Aug 2018 11:23:56 -0400 +Subject: dm crypt: don't decrease device limits + +From: Mikulas Patocka + +commit bc9e9cf0401f18e33b78d4c8a518661b8346baf7 upstream. + +dm-crypt should only increase device limits, it should not decrease them. + +This fixes a bug where the user could creates a crypt device with 1024 +sector size on the top of scsi device that had 4096 logical block size. +The limit 4096 would be lost and the user could incorrectly send +1024-I/Os to the crypt device. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-crypt.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -3072,11 +3072,11 @@ static void crypt_io_hints(struct dm_tar + */ + limits->max_segment_size = PAGE_SIZE; + +- if (cc->sector_size != (1 << SECTOR_SHIFT)) { +- limits->logical_block_size = cc->sector_size; +- limits->physical_block_size = cc->sector_size; +- blk_limits_io_min(limits, cc->sector_size); +- } ++ limits->logical_block_size = ++ max_t(unsigned short, limits->logical_block_size, cc->sector_size); ++ limits->physical_block_size = ++ max_t(unsigned, limits->physical_block_size, cc->sector_size); ++ limits->io_min = max_t(unsigned, limits->io_min, cc->sector_size); + } + + static struct target_type crypt_target = { diff --git a/queue-4.14/dm-integrity-change-suspending-variable-from-bool-to-int.patch b/queue-4.14/dm-integrity-change-suspending-variable-from-bool-to-int.patch new file mode 100644 index 00000000000..d8eadd9da3e --- /dev/null +++ b/queue-4.14/dm-integrity-change-suspending-variable-from-bool-to-int.patch @@ -0,0 +1,55 @@ +From c21b16392701543d61e366dca84e15fe7f0cf0cf Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 3 Jul 2018 20:13:25 +0200 +Subject: dm integrity: change 'suspending' variable from bool to int + +From: Mikulas Patocka + +commit c21b16392701543d61e366dca84e15fe7f0cf0cf upstream. + +Early alpha processors can't write a byte or short atomically - they +read 8 bytes, modify the byte or two bytes in registers and write back +8 bytes. + +The modification of the variable "suspending" may race with +modification of the variable "failed". Fix this by changing +"suspending" to an int. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -177,7 +177,7 @@ struct dm_integrity_c { + __u8 sectors_per_block; + + unsigned char mode; +- bool suspending; ++ int suspending; + + int failed; + +@@ -2209,7 +2209,7 @@ static void dm_integrity_postsuspend(str + + del_timer_sync(&ic->autocommit_timer); + +- ic->suspending = true; ++ WRITE_ONCE(ic->suspending, 1); + + queue_work(ic->commit_wq, &ic->commit_work); + drain_workqueue(ic->commit_wq); +@@ -2219,7 +2219,7 @@ static void dm_integrity_postsuspend(str + dm_integrity_flush_buffers(ic); + } + +- ic->suspending = false; ++ WRITE_ONCE(ic->suspending, 0); + + BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress)); + diff --git a/queue-4.14/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch b/queue-4.14/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch new file mode 100644 index 00000000000..4b9fdc6d117 --- /dev/null +++ b/queue-4.14/dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch @@ -0,0 +1,56 @@ +From 75294442d896f2767be34f75aca7cc2b0d01301f Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Thu, 2 Aug 2018 16:18:24 +0800 +Subject: dm thin: stop no_space_timeout worker when switching to write-mode + +From: Hou Tao + +commit 75294442d896f2767be34f75aca7cc2b0d01301f upstream. + +Now both check_for_space() and do_no_space_timeout() will read & write +pool->pf.error_if_no_space. If these functions run concurrently, as +shown in the following case, the default setting of "queue_if_no_space" +can get lost. + +precondition: + * error_if_no_space = false (aka "queue_if_no_space") + * pool is in Out-of-Data-Space (OODS) mode + * no_space_timeout worker has been queued + +CPU 0: CPU 1: +// delete a thin device +process_delete_mesg() +// check_for_space() invoked by commit() +set_pool_mode(pool, PM_WRITE) + pool->pf.error_if_no_space = \ + pt->requested_pf.error_if_no_space + + // timeout, pool is still in OODS mode + do_no_space_timeout + // "queue_if_no_space" config is lost + pool->pf.error_if_no_space = true + pool->pf.mode = new_mode + +Fix it by stopping no_space_timeout worker when switching to write mode. + +Fixes: bcc696fac11f ("dm thin: stay in out-of-data-space mode once no_space_timeout expires") +Cc: stable@vger.kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2514,6 +2514,8 @@ static void set_pool_mode(struct pool *p + case PM_WRITE: + if (old_mode != new_mode) + notify_of_pool_mode_change(pool, "write"); ++ if (old_mode == PM_OUT_OF_DATA_SPACE) ++ cancel_delayed_work_sync(&pool->no_space_timeout); + pool->out_of_data_space = false; + pool->pf.error_if_no_space = pt->requested_pf.error_if_no_space; + dm_pool_metadata_read_write(pool->pmd); diff --git a/queue-4.14/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch b/queue-4.14/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch new file mode 100644 index 00000000000..bc0724f47b0 --- /dev/null +++ b/queue-4.14/drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch @@ -0,0 +1,134 @@ +From d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Thu, 2 Aug 2018 03:08:23 +0000 +Subject: Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() + +From: Dexuan Cui + +commit d3b26dd7cb0e3433bfd3c1d4dcf74c6039bb49fb upstream. + +Before setting channel->rescind in vmbus_rescind_cleanup(), we should make +sure the channel callback won't run any more, otherwise a high-level +driver like pci_hyperv, which may be infinitely waiting for the host VSP's +response and notices the channel has been rescinded, can't safely give +up: e.g., in hv_pci_protocol_negotiation() -> wait_for_response(), it's +unsafe to exit from wait_for_response() and proceed with the on-stack +variable "comp_pkt" popped. The issue was originally spotted by +Michael Kelley . + +In vmbus_close_internal(), the patch also minimizes the range protected by +disabling/enabling channel->callback_event: we don't really need that for +the whole function. + +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Cc: K. Y. Srinivasan +Cc: Stephen Hemminger +Cc: Michael Kelley +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 40 ++++++++++++++++++++++++---------------- + drivers/hv/channel_mgmt.c | 6 ++++++ + include/linux/hyperv.h | 2 ++ + 3 files changed, 32 insertions(+), 16 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -541,11 +541,8 @@ static void reset_channel_cb(void *arg) + channel->onchannel_callback = NULL; + } + +-static int vmbus_close_internal(struct vmbus_channel *channel) ++void vmbus_reset_channel_cb(struct vmbus_channel *channel) + { +- struct vmbus_channel_close_channel *msg; +- int ret; +- + /* + * vmbus_on_event(), running in the per-channel tasklet, can race + * with vmbus_close_internal() in the case of SMP guest, e.g., when +@@ -555,6 +552,29 @@ static int vmbus_close_internal(struct v + */ + tasklet_disable(&channel->callback_event); + ++ channel->sc_creation_callback = NULL; ++ ++ /* Stop the callback asap */ ++ if (channel->target_cpu != get_cpu()) { ++ put_cpu(); ++ smp_call_function_single(channel->target_cpu, reset_channel_cb, ++ channel, true); ++ } else { ++ reset_channel_cb(channel); ++ put_cpu(); ++ } ++ ++ /* Re-enable tasklet for use on re-open */ ++ tasklet_enable(&channel->callback_event); ++} ++ ++static int vmbus_close_internal(struct vmbus_channel *channel) ++{ ++ struct vmbus_channel_close_channel *msg; ++ int ret; ++ ++ vmbus_reset_channel_cb(channel); ++ + /* + * In case a device driver's probe() fails (e.g., + * util_probe() -> vmbus_open() returns -ENOMEM) and the device is +@@ -568,16 +588,6 @@ static int vmbus_close_internal(struct v + } + + channel->state = CHANNEL_OPEN_STATE; +- channel->sc_creation_callback = NULL; +- /* Stop callback and cancel the timer asap */ +- if (channel->target_cpu != get_cpu()) { +- put_cpu(); +- smp_call_function_single(channel->target_cpu, reset_channel_cb, +- channel, true); +- } else { +- reset_channel_cb(channel); +- put_cpu(); +- } + + /* Send a closing message */ + +@@ -620,8 +630,6 @@ static int vmbus_close_internal(struct v + get_order(channel->ringbuffer_pagecount * PAGE_SIZE)); + + out: +- /* re-enable tasklet for use on re-open */ +- tasklet_enable(&channel->callback_event); + return ret; + } + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -882,6 +882,12 @@ static void vmbus_onoffer_rescind(struct + } + + /* ++ * Before setting channel->rescind in vmbus_rescind_cleanup(), we ++ * should make sure the channel callback is not running any more. ++ */ ++ vmbus_reset_channel_cb(channel); ++ ++ /* + * Now wait for offer handling to complete. + */ + vmbus_rescind_cleanup(channel); +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1026,6 +1026,8 @@ extern int vmbus_establish_gpadl(struct + extern int vmbus_teardown_gpadl(struct vmbus_channel *channel, + u32 gpadl_handle); + ++void vmbus_reset_channel_cb(struct vmbus_channel *channel); ++ + extern int vmbus_recvpacket(struct vmbus_channel *channel, + void *buffer, + u32 bufferlen, diff --git a/queue-4.14/drm-i915-userptr-reject-zero-user_size.patch b/queue-4.14/drm-i915-userptr-reject-zero-user_size.patch new file mode 100644 index 00000000000..9914d87448e --- /dev/null +++ b/queue-4.14/drm-i915-userptr-reject-zero-user_size.patch @@ -0,0 +1,37 @@ +From c11c7bfd213495784b22ef82a69b6489f8d0092f Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Wed, 2 May 2018 20:50:21 +0100 +Subject: drm/i915/userptr: reject zero user_size + +From: Matthew Auld + +commit c11c7bfd213495784b22ef82a69b6489f8d0092f upstream. + +Operating on a zero sized GEM userptr object will lead to explosions. + +Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl") +Testcase: igt/gem_userptr_blits/input-checking +Signed-off-by: Matthew Auld +Cc: Chris Wilson +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20180502195021.30900-1-matthew.auld@intel.com +Cc: Loic +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_userptr.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_gem_userptr.c ++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c +@@ -782,6 +782,9 @@ i915_gem_userptr_ioctl(struct drm_device + I915_USERPTR_UNSYNCHRONIZED)) + return -EINVAL; + ++ if (!args->user_size) ++ return -EINVAL; ++ + if (offset_in_page(args->user_ptr | args->user_size)) + return -EINVAL; + diff --git a/queue-4.14/extcon-release-locking-when-sending-the-notification-of-connector-state.patch b/queue-4.14/extcon-release-locking-when-sending-the-notification-of-connector-state.patch new file mode 100644 index 00000000000..baad364e1c9 --- /dev/null +++ b/queue-4.14/extcon-release-locking-when-sending-the-notification-of-connector-state.patch @@ -0,0 +1,50 @@ +From 8a9dbb779fe882325b9a0238494a7afaff2eb444 Mon Sep 17 00:00:00 2001 +From: Chanwoo Choi +Date: Thu, 14 Jun 2018 11:16:29 +0900 +Subject: extcon: Release locking when sending the notification of connector state + +From: Chanwoo Choi + +commit 8a9dbb779fe882325b9a0238494a7afaff2eb444 upstream. + +Previously, extcon used the spinlock before calling the notifier_call_chain +to prevent the scheduled out of task and to prevent the notification delay. +When spinlock is locked for sending the notification, deadlock issue +occured on the side of extcon consumer device. To fix this issue, +extcon consumer device should always use the work. it is always not +reasonable to use work. + +To fix this issue on extcon consumer device, release locking when sending +the notification of connector state. + +Fixes: ab11af049f88 ("extcon: Add the synchronization extcon APIs to support the notification") +Cc: stable@vger.kernel.org +Cc: Roger Quadros +Cc: Kishon Vijay Abraham I +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/extcon/extcon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -433,8 +433,8 @@ int extcon_sync(struct extcon_dev *edev, + return index; + + spin_lock_irqsave(&edev->lock, flags); +- + state = !!(edev->state & BIT(index)); ++ spin_unlock_irqrestore(&edev->lock, flags); + + /* + * Call functions in a raw notifier chain for the specific one +@@ -448,6 +448,7 @@ int extcon_sync(struct extcon_dev *edev, + */ + raw_notifier_call_chain(&edev->nh_all, state, edev); + ++ spin_lock_irqsave(&edev->lock, flags); + /* This could be in interrupt handler */ + prop_buf = (char *)get_zeroed_page(GFP_ATOMIC); + if (!prop_buf) { diff --git a/queue-4.14/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch b/queue-4.14/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch new file mode 100644 index 00000000000..193ef0128ec --- /dev/null +++ b/queue-4.14/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch @@ -0,0 +1,41 @@ +From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001 +From: Yannik Sembritzki +Date: Thu, 16 Aug 2018 14:05:23 +0100 +Subject: Fix kexec forbidding kernels signed with keys in the secondary keyring to boot + +From: Yannik Sembritzki + +commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream. + +The split of .system_keyring into .builtin_trusted_keys and +.secondary_trusted_keys broke kexec, thereby preventing kernels signed by +keys which are now in the secondary keyring from being kexec'd. + +Fix this by passing VERIFY_USE_SECONDARY_KEYRING to +verify_pefile_signature(). + +Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") +Signed-off-by: Yannik Sembritzki +Signed-off-by: David Howells +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kexec-bzimage64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loade + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { + return verify_pefile_signature(kernel, kernel_len, +- NULL, ++ VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + } + #endif diff --git a/queue-4.14/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch b/queue-4.14/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch new file mode 100644 index 00000000000..d79f05efe76 --- /dev/null +++ b/queue-4.14/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch @@ -0,0 +1,62 @@ +From 3111784bee81591ea2815011688d28b65df03627 Mon Sep 17 00:00:00 2001 +From: piaojun +Date: Wed, 25 Jul 2018 11:13:16 +0800 +Subject: fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed + +From: piaojun + +commit 3111784bee81591ea2815011688d28b65df03627 upstream. + +In my testing, v9fs_fid_xattr_set will return successfully even if the +backend ext4 filesystem has no space to store xattr key-value. That will +cause inconsistent behavior between front end and back end. The reason is +that lsetxattr will be triggered by p9_client_clunk, and unfortunately we +did not catch the error. This patch will catch the error to notify upper +caller. + +p9_client_clunk (in 9p) + p9_client_rpc(clnt, P9_TCLUNK, "d", fid->fid); + v9fs_clunk (in qemu) + put_fid + free_fid + v9fs_xattr_fid_clunk + v9fs_co_lsetxattr + s->ops->lsetxattr + ext4_xattr_user_set (in host ext4 filesystem) + +Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com +Signed-off-by: Jun Piao +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Cc: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/xattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/9p/xattr.c ++++ b/fs/9p/xattr.c +@@ -105,7 +105,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fi + { + struct kvec kvec = {.iov_base = (void *)value, .iov_len = value_len}; + struct iov_iter from; +- int retval; ++ int retval, err; + + iov_iter_kvec(&from, WRITE | ITER_KVEC, &kvec, 1, value_len); + +@@ -126,7 +126,9 @@ int v9fs_fid_xattr_set(struct p9_fid *fi + retval); + else + p9_client_write(fid, 0, &from, &retval); +- p9_client_clunk(fid); ++ err = p9_client_clunk(fid); ++ if (!retval && err) ++ retval = err; + return retval; + } + diff --git a/queue-4.14/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch b/queue-4.14/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch new file mode 100644 index 00000000000..75124e472d7 --- /dev/null +++ b/queue-4.14/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch @@ -0,0 +1,54 @@ +From 995250959d22fc341b5424e3343b0ce5df672461 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Mon, 2 Jul 2018 14:08:18 -0700 +Subject: ib_srpt: Fix a use-after-free in srpt_close_ch() + +From: Bart Van Assche + +commit 995250959d22fc341b5424e3343b0ce5df672461 upstream. + +Avoid that KASAN reports the following: + +BUG: KASAN: use-after-free in srpt_close_ch+0x4f/0x1b0 [ib_srpt] +Read of size 4 at addr ffff880151180cb8 by task check/4681 + +CPU: 15 PID: 4681 Comm: check Not tainted 4.18.0-rc2-dbg+ #4 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0xa4/0xf5 + print_address_description+0x6f/0x270 + kasan_report+0x241/0x360 + __asan_load4+0x78/0x80 + srpt_close_ch+0x4f/0x1b0 [ib_srpt] + srpt_set_enabled+0xf7/0x1e0 [ib_srpt] + srpt_tpg_enable_store+0xb8/0x120 [ib_srpt] + configfs_write_file+0x14e/0x1d0 [configfs] + __vfs_write+0xd2/0x3b0 + vfs_write+0x101/0x270 + ksys_write+0xab/0x120 + __x64_sys_write+0x43/0x50 + do_syscall_64+0x77/0x230 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably") +Signed-off-by: Bart Van Assche +Cc: +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -1713,8 +1713,7 @@ static bool srpt_close_ch(struct srpt_rd + int ret; + + if (!srpt_set_ch_state(ch, CH_DRAINING)) { +- pr_debug("%s-%d: already closed\n", ch->sess_name, +- ch->qp->qp_num); ++ pr_debug("%s: already closed\n", ch->sess_name); + return false; + } + diff --git a/queue-4.14/iio-ad9523-fix-displayed-phase.patch b/queue-4.14/iio-ad9523-fix-displayed-phase.patch new file mode 100644 index 00000000000..9bcb8692366 --- /dev/null +++ b/queue-4.14/iio-ad9523-fix-displayed-phase.patch @@ -0,0 +1,36 @@ +From 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 25 Jun 2018 11:03:07 +0300 +Subject: iio: ad9523: Fix displayed phase + +From: Lars-Peter Clausen + +commit 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e upstream. + +Fix the displayed phase for the ad9523 driver. Currently the most +significant decimal place is dropped and all other digits are shifted one +to the left. This is due to a multiplication by 10, which is not necessary, +so remove it. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f9632 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -642,7 +642,7 @@ static int ad9523_read_raw(struct iio_de + code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) / + AD9523_CLK_DIST_DIV_REV(ret); + *val = code / 1000000; +- *val2 = (code % 1000000) * 10; ++ *val2 = code % 1000000; + return IIO_VAL_INT_PLUS_MICRO; + default: + return -EINVAL; diff --git a/queue-4.14/iio-ad9523-fix-return-value-for-ad952x_store.patch b/queue-4.14/iio-ad9523-fix-return-value-for-ad952x_store.patch new file mode 100644 index 00000000000..3abaa07c88e --- /dev/null +++ b/queue-4.14/iio-ad9523-fix-return-value-for-ad952x_store.patch @@ -0,0 +1,40 @@ +From 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 27 Jul 2018 09:42:45 +0300 +Subject: iio: ad9523: Fix return value for ad952x_store() + +From: Lars-Peter Clausen + +commit 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 upstream. + +A sysfs write callback function needs to either return the number of +consumed characters or an error. + +The ad952x_store() function currently returns 0 if the input value was "0", +this will signal that no characters have been consumed and the function +will be called repeatedly in a loop indefinitely. Fix this by returning +number of supplied characters to indicate that the whole input string has +been consumed. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -508,7 +508,7 @@ static ssize_t ad9523_store(struct devic + return ret; + + if (!state) +- return 0; ++ return len; + + mutex_lock(&indio_dev->mlock); + switch ((u32)this_attr->address) { diff --git a/queue-4.14/iio-sca3000-fix-missing-return-in-switch.patch b/queue-4.14/iio-sca3000-fix-missing-return-in-switch.patch new file mode 100644 index 00000000000..4c034414326 --- /dev/null +++ b/queue-4.14/iio-sca3000-fix-missing-return-in-switch.patch @@ -0,0 +1,36 @@ +From c5b974bee9d2ceae4c441ae5a01e498c2674e100 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Sat, 7 Jul 2018 12:44:01 -0500 +Subject: iio: sca3000: Fix missing return in switch + +From: Gustavo A. R. Silva + +commit c5b974bee9d2ceae4c441ae5a01e498c2674e100 upstream. + +The IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY case is missing a +return and will fall through to the default case and errorenously +return -EINVAL. + +Fix this by adding in missing *return ret*. + +Fixes: 626f971b5b07 ("staging:iio:accel:sca3000 Add write support to the low pass filter control") +Reported-by: Jonathan Cameron +Signed-off-by: Gustavo A. R. Silva +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/sca3000.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/accel/sca3000.c ++++ b/drivers/iio/accel/sca3000.c +@@ -797,6 +797,7 @@ static int sca3000_write_raw(struct iio_ + mutex_lock(&st->lock); + ret = sca3000_write_3db_freq(st, val); + mutex_unlock(&st->lock); ++ return ret; + default: + return -EINVAL; + } diff --git a/queue-4.14/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch b/queue-4.14/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch new file mode 100644 index 00000000000..9726857433d --- /dev/null +++ b/queue-4.14/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch @@ -0,0 +1,114 @@ +From 7444a8092906ed44c09459780c56ba57043e39b1 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Wed, 27 Jun 2018 20:58:45 +0200 +Subject: libertas: fix suspend and resume for SDIO connected cards + +From: Daniel Mack + +commit 7444a8092906ed44c09459780c56ba57043e39b1 upstream. + +Prior to commit 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM +callbacks from the sdio bus"), the MMC core used to call into the power +management functions of SDIO clients itself and removed the card if the +return code was non-zero. IOW, the mmc handled errors gracefully and didn't +upchain them to the pm core. + +Since this change, the mmc core relies on generic power management +functions which treat all errors as a reason to cancel the suspend +immediately. This causes suspend attempts to fail when the libertas +driver is loaded. + +To fix this, power down the card explicitly in if_sdio_suspend() when we +know we're about to lose power and return success. Also set a flag in these +cases, and power up the card again in if_sdio_resume(). + +Fixes: 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM callbacks from the sdio bus") +Cc: +Signed-off-by: Daniel Mack +Reviewed-by: Chris Ball +Reviewed-by: Ulf Hansson +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas/dev.h | 1 + drivers/net/wireless/marvell/libertas/if_sdio.c | 30 +++++++++++++++++++----- + 2 files changed, 25 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/dev.h ++++ b/drivers/net/wireless/marvell/libertas/dev.h +@@ -104,6 +104,7 @@ struct lbs_private { + u8 fw_ready; + u8 surpriseremoved; + u8 setup_fw_on_resume; ++ u8 power_up_on_resume; + int (*hw_host_to_card) (struct lbs_private *priv, u8 type, u8 *payload, u16 nb); + void (*reset_card) (struct lbs_private *priv); + int (*power_save) (struct lbs_private *priv); +--- a/drivers/net/wireless/marvell/libertas/if_sdio.c ++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c +@@ -1290,15 +1290,23 @@ static void if_sdio_remove(struct sdio_f + static int if_sdio_suspend(struct device *dev) + { + struct sdio_func *func = dev_to_sdio_func(dev); +- int ret; + struct if_sdio_card *card = sdio_get_drvdata(func); ++ struct lbs_private *priv = card->priv; ++ int ret; + + mmc_pm_flag_t flags = sdio_get_host_pm_caps(func); ++ priv->power_up_on_resume = false; + + /* If we're powered off anyway, just let the mmc layer remove the + * card. */ +- if (!lbs_iface_active(card->priv)) +- return -ENOSYS; ++ if (!lbs_iface_active(priv)) { ++ if (priv->fw_ready) { ++ priv->power_up_on_resume = true; ++ if_sdio_power_off(card); ++ } ++ ++ return 0; ++ } + + dev_info(dev, "%s: suspend: PM flags = 0x%x\n", + sdio_func_id(func), flags); +@@ -1306,9 +1314,14 @@ static int if_sdio_suspend(struct device + /* If we aren't being asked to wake on anything, we should bail out + * and let the SD stack power down the card. + */ +- if (card->priv->wol_criteria == EHS_REMOVE_WAKEUP) { ++ if (priv->wol_criteria == EHS_REMOVE_WAKEUP) { + dev_info(dev, "Suspend without wake params -- powering down card\n"); +- return -ENOSYS; ++ if (priv->fw_ready) { ++ priv->power_up_on_resume = true; ++ if_sdio_power_off(card); ++ } ++ ++ return 0; + } + + if (!(flags & MMC_PM_KEEP_POWER)) { +@@ -1321,7 +1334,7 @@ static int if_sdio_suspend(struct device + if (ret) + return ret; + +- ret = lbs_suspend(card->priv); ++ ret = lbs_suspend(priv); + if (ret) + return ret; + +@@ -1336,6 +1349,11 @@ static int if_sdio_resume(struct device + + dev_info(dev, "%s: resume: we're back\n", sdio_func_id(func)); + ++ if (card->priv->power_up_on_resume) { ++ if_sdio_power_on(card); ++ wait_event(card->pwron_waitq, card->priv->fw_ready); ++ } ++ + ret = lbs_resume(card->priv); + + return ret; diff --git a/queue-4.14/livepatch-validate-module-old-func-name-length.patch b/queue-4.14/livepatch-validate-module-old-func-name-length.patch new file mode 100644 index 00000000000..e3552c6fa93 --- /dev/null +++ b/queue-4.14/livepatch-validate-module-old-func-name-length.patch @@ -0,0 +1,56 @@ +From 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 Mon Sep 17 00:00:00 2001 +From: Kamalesh Babulal +Date: Fri, 20 Jul 2018 15:16:42 +0530 +Subject: livepatch: Validate module/old func name length + +From: Kamalesh Babulal + +commit 6e9df95b76cad18f7b217bdad7bb8a26d63b8c47 upstream. + +livepatch module author can pass module name/old function name with more +than the defined character limit. With obj->name length greater than +MODULE_NAME_LEN, the livepatch module gets loaded but waits forever on +the module specified by obj->name to be loaded. It also populates a /sys +directory with an untruncated object name. + +In the case of funcs->old_name length greater then KSYM_NAME_LEN, it +would not match against any of the symbol table entries. Instead loop +through the symbol table comparing them against a nonexisting function, +which can be avoided. + +The same issues apply, to misspelled/incorrect names. At least gatekeep +the modules with over the limit string length, by checking for their +length during livepatch module registration. + +Cc: stable@vger.kernel.org +Signed-off-by: Kamalesh Babulal +Acked-by: Josh Poimboeuf +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/livepatch/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/livepatch/core.c ++++ b/kernel/livepatch/core.c +@@ -605,6 +605,9 @@ static int klp_init_func(struct klp_obje + if (!func->old_name || !func->new_func) + return -EINVAL; + ++ if (strlen(func->old_name) >= KSYM_NAME_LEN) ++ return -EINVAL; ++ + INIT_LIST_HEAD(&func->stack_node); + func->patched = false; + func->transition = false; +@@ -678,6 +681,9 @@ static int klp_init_object(struct klp_pa + if (!obj->funcs) + return -EINVAL; + ++ if (klp_is_module(obj) && strlen(obj->name) >= MODULE_NAME_LEN) ++ return -EINVAL; ++ + obj->patched = false; + obj->mod = NULL; + diff --git a/queue-4.14/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch b/queue-4.14/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..47e210cad39 --- /dev/null +++ b/queue-4.14/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,43 @@ +From 3512a18cbd8d09e22a790540cb9624c3c49827ba Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 26 Jul 2018 12:11:39 -0500 +Subject: mailbox: xgene-slimpro: Fix potential NULL pointer dereference + +From: Gustavo A. R. Silva + +commit 3512a18cbd8d09e22a790540cb9624c3c49827ba upstream. + +There is a potential execution path in which function +platform_get_resource() returns NULL. If this happens, +we will end up having a NULL pointer dereference. + +Fix this by replacing devm_ioremap with devm_ioremap_resource, +which has the NULL check and the memory region request. + +This code was detected with the help of Coccinelle. + +Cc: stable@vger.kernel.org +Fixes: f700e84f417b ("mailbox: Add support for APM X-Gene platform mailbox driver") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Jassi Brar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mailbox/mailbox-xgene-slimpro.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mailbox/mailbox-xgene-slimpro.c ++++ b/drivers/mailbox/mailbox-xgene-slimpro.c +@@ -195,9 +195,9 @@ static int slimpro_mbox_probe(struct pla + platform_set_drvdata(pdev, ctx); + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- mb_base = devm_ioremap(&pdev->dev, regs->start, resource_size(regs)); +- if (!mb_base) +- return -ENOMEM; ++ mb_base = devm_ioremap_resource(&pdev->dev, regs); ++ if (IS_ERR(mb_base)) ++ return PTR_ERR(mb_base); + + /* Setup mailbox links */ + for (i = 0; i < MBOX_CNT; i++) { diff --git a/queue-4.14/media-revert-tvp5150-fix-pad-format-frame-height.patch b/queue-4.14/media-revert-tvp5150-fix-pad-format-frame-height.patch new file mode 100644 index 00000000000..99c55c23fec --- /dev/null +++ b/queue-4.14/media-revert-tvp5150-fix-pad-format-frame-height.patch @@ -0,0 +1,44 @@ +From 1831af092308aa5a59ae61e47494e441c8be6b93 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Sun, 10 Jun 2018 16:43:02 -0400 +Subject: media: Revert "[media] tvp5150: fix pad format frame height" + +From: Javier Martinez Canillas + +commit 1831af092308aa5a59ae61e47494e441c8be6b93 upstream. + +This reverts commit 0866df8dffd514185bfab0d205db76e4c02cf1e4. + +The v4l uAPI documentation [0] makes clear that in the case of interlaced +video (i.e: field is V4L2_FIELD_ALTERNATE) the height refers to the number +of lines in the field and not the number of lines in the full frame (which +is twice the field height for interlaced formats). + +So the original height calculation was correct, and it shouldn't had been +changed by the mentioned commit. + +[0]:https://linuxtv.org/downloads/v4l-dvb-apis/uapi/v4l/subdev-formats.html + +Fixes: 0866df8dffd5 ("[media] tvp5150: fix pad format frame height") + +Signed-off-by: Javier Martinez Canillas +Cc: # for v4.12 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tvp5150.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -871,7 +871,7 @@ static int tvp5150_fill_fmt(struct v4l2_ + f = &format->format; + + f->width = decoder->rect.width; +- f->height = decoder->rect.height; ++ f->height = decoder->rect.height / 2; + + f->code = MEDIA_BUS_FMT_UYVY8_2X8; + f->field = V4L2_FIELD_ALTERNATE; diff --git a/queue-4.14/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch b/queue-4.14/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch new file mode 100644 index 00000000000..f2e0b019a00 --- /dev/null +++ b/queue-4.14/mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch @@ -0,0 +1,65 @@ +From 6afebb70ee7a4bde106dc1a875e7ac7997248f84 Mon Sep 17 00:00:00 2001 +From: Rafael David Tinoco +Date: Fri, 6 Jul 2018 14:28:33 -0300 +Subject: mfd: hi655x: Fix regmap area declared size for hi655x + +From: Rafael David Tinoco + +commit 6afebb70ee7a4bde106dc1a875e7ac7997248f84 upstream. + +Fixes https://bugs.linaro.org/show_bug.cgi?id=3903 + +LTP Functional tests have caused a bad paging request when triggering +the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading +regmap/f8000000.pmic/registers file during read_all test): + +Unable to handle kernel paging request at virtual address ffff0 +[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0 +Internal error: Oops: 96000007 [#1] SMP +... +Hardware name: HiKey Development Board (DT) +... +Call trace: + regmap_mmio_read8+0x24/0x40 + regmap_mmio_read+0x48/0x70 + _regmap_bus_reg_read+0x38/0x48 + _regmap_read+0x68/0x170 + regmap_read+0x50/0x78 + regmap_read_debugfs+0x1a0/0x308 + regmap_map_read_file+0x48/0x58 + full_proxy_read+0x68/0x98 + __vfs_read+0x48/0x80 + vfs_read+0x94/0x150 + SyS_read+0x6c/0xd8 + el0_svc_naked+0x30/0x34 +Code: aa1e03e0 d503201f f9400280 8b334000 (39400000) + +Investigations have showed that, when triggered by debugfs read() +handler, the mmio regmap logic was reading a bigger (16k) register area +than the one mapped by devm_ioremap_resource() during hi655x-pmic probe +time (4k). + +This commit changes hi655x's max register, according to HW specs, to be +the same as the one declared in the pmic device in hi6220's dts, fixing +the issue. + +Cc: #v4.9 #v4.14 #v4.16 #v4.17 +Signed-off-by: Rafael David Tinoco +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/hi655x-pmic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/hi655x-pmic.c ++++ b/drivers/mfd/hi655x-pmic.c +@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regma + .reg_bits = 32, + .reg_stride = HI655X_STRIDE, + .val_bits = 8, +- .max_register = HI655X_BUS_ADDR(0xFFF), ++ .max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE, + }; + + static struct resource pwrkey_resources[] = { diff --git a/queue-4.14/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch b/queue-4.14/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch new file mode 100644 index 00000000000..98f4e1386fd --- /dev/null +++ b/queue-4.14/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch @@ -0,0 +1,34 @@ +From 9faf870e559a710c44e747ba20383ea82d8ac5d2 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Wed, 22 Aug 2018 21:28:01 +0300 +Subject: mmc: renesas_sdhi_internal_dmac: fix #define RST_RESERVED_BITS + +From: Sergei Shtylyov + +commit 9faf870e559a710c44e747ba20383ea82d8ac5d2 upstream. + +The DM_CM_RST register actually has bits 0-31 defaulting to 1s and bits +32-63 defaulting to 0s -- fix off-by-one in #define RST_RESERVED_BITS. + +Signed-off-by: Sergei Shtylyov +Reviewed-by: Wolfram Sang +Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/renesas_sdhi_internal_dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c +@@ -44,7 +44,7 @@ + /* DM_CM_RST */ + #define RST_DTRANRST1 BIT(9) + #define RST_DTRANRST0 BIT(8) +-#define RST_RESERVED_BITS GENMASK_ULL(32, 0) ++#define RST_RESERVED_BITS GENMASK_ULL(31, 0) + + /* DM_CM_INFO1 and DM_CM_INFO1_MASK */ + #define INFO1_CLEAR 0 diff --git a/queue-4.14/net-6lowpan-fix-reserved-space-for-single-frames.patch b/queue-4.14/net-6lowpan-fix-reserved-space-for-single-frames.patch new file mode 100644 index 00000000000..4ac566862ab --- /dev/null +++ b/queue-4.14/net-6lowpan-fix-reserved-space-for-single-frames.patch @@ -0,0 +1,57 @@ +From ac74f87c789af40936a80131c4759f3e72579c3a Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Sat, 14 Jul 2018 12:52:10 -0400 +Subject: net: 6lowpan: fix reserved space for single frames + +From: Alexander Aring + +commit ac74f87c789af40936a80131c4759f3e72579c3a upstream. + +This patch fixes patch add handling to take care tail and headroom for +single 6lowpan frames. We need to be sure we have a skb with the right +head and tailroom for single frames. This patch do it by using +skb_copy_expand() if head and tailroom is not enough allocated by upper +layer. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195059 +Reported-by: David Palma +Reported-by: Rabi Narayan Sahoo +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman + +--- + net/ieee802154/6lowpan/tx.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/net/ieee802154/6lowpan/tx.c ++++ b/net/ieee802154/6lowpan/tx.c +@@ -265,9 +265,24 @@ netdev_tx_t lowpan_xmit(struct sk_buff * + /* We must take a copy of the skb before we modify/replace the ipv6 + * header as the header could be used elsewhere + */ +- skb = skb_unshare(skb, GFP_ATOMIC); +- if (!skb) +- return NET_XMIT_DROP; ++ if (unlikely(skb_headroom(skb) < ldev->needed_headroom || ++ skb_tailroom(skb) < ldev->needed_tailroom)) { ++ struct sk_buff *nskb; ++ ++ nskb = skb_copy_expand(skb, ldev->needed_headroom, ++ ldev->needed_tailroom, GFP_ATOMIC); ++ if (likely(nskb)) { ++ consume_skb(skb); ++ skb = nskb; ++ } else { ++ kfree_skb(skb); ++ return NET_XMIT_DROP; ++ } ++ } else { ++ skb = skb_unshare(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_XMIT_DROP; ++ } + + ret = lowpan_header(skb, ldev, &dgram_size, &dgram_offset); + if (ret < 0) { diff --git a/queue-4.14/net-9p-client.c-version-pointer-uninitialized.patch b/queue-4.14/net-9p-client.c-version-pointer-uninitialized.patch new file mode 100644 index 00000000000..aaf818e60e8 --- /dev/null +++ b/queue-4.14/net-9p-client.c-version-pointer-uninitialized.patch @@ -0,0 +1,43 @@ +From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Tue, 10 Jul 2018 00:29:43 +0200 +Subject: net/9p/client.c: version pointer uninitialized + +From: Tomas Bortoli + +commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream. + +The p9_client_version() does not initialize the version pointer. If the +call to p9pdu_readf() returns an error and version has not been allocated +in p9pdu_readf(), then the program will jump to the "error" label and will +try to free the version pointer. If version is not initialized, free() +will be called with uninitialized, garbage data and will provoke a crash. + +Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com +Reviewed-by: Jun Piao +Reviewed-by: Yiwen Jiang +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -955,7 +955,7 @@ static int p9_client_version(struct p9_c + { + int err = 0; + struct p9_req_t *req; +- char *version; ++ char *version = NULL; + int msize; + + p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n", diff --git a/queue-4.14/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch b/queue-4.14/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch new file mode 100644 index 00000000000..b54af0a98ce --- /dev/null +++ b/queue-4.14/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch @@ -0,0 +1,39 @@ +From 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Fri, 20 Jul 2018 11:27:30 +0200 +Subject: net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() + +From: Tomas Bortoli + +commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 upstream. + +The patch adds the flush in p9_mux_poll_stop() as it the function used by +p9_conn_destroy(), in turn called by p9_fd_close() to stop the async +polling associated with the data regarding the connection. + +Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com +To: Eric Van Hensbergen +To: Ron Minnich +To: Latchesar Ionkov +Cc: Yiwen Jiang +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_c + spin_lock_irqsave(&p9_poll_lock, flags); + list_del_init(&m->poll_pending_link); + spin_unlock_irqrestore(&p9_poll_lock, flags); ++ ++ flush_work(&p9_poll_work); + } + + /** diff --git a/queue-4.14/net-mac802154-tx-expand-tailroom-if-necessary.patch b/queue-4.14/net-mac802154-tx-expand-tailroom-if-necessary.patch new file mode 100644 index 00000000000..fc1acb86ee0 --- /dev/null +++ b/queue-4.14/net-mac802154-tx-expand-tailroom-if-necessary.patch @@ -0,0 +1,48 @@ +From f9c52831133050c6b82aa8b6831c92da2bbf2a0b Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Mon, 2 Jul 2018 16:32:03 -0400 +Subject: net: mac802154: tx: expand tailroom if necessary + +From: Alexander Aring + +commit f9c52831133050c6b82aa8b6831c92da2bbf2a0b upstream. + +This patch is necessary if case of AF_PACKET or other socket interface +which I am aware of it and didn't allocated the necessary room. + +Reported-by: David Palma +Reported-by: Rabi Narayan Sahoo +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Aring +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac802154/tx.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -63,8 +63,21 @@ ieee802154_tx(struct ieee802154_local *l + int ret; + + if (!(local->hw.flags & IEEE802154_HW_TX_OMIT_CKSUM)) { +- u16 crc = crc_ccitt(0, skb->data, skb->len); ++ struct sk_buff *nskb; ++ u16 crc; + ++ if (unlikely(skb_tailroom(skb) < IEEE802154_FCS_LEN)) { ++ nskb = skb_copy_expand(skb, 0, IEEE802154_FCS_LEN, ++ GFP_ATOMIC); ++ if (likely(nskb)) { ++ consume_skb(skb); ++ skb = nskb; ++ } else { ++ goto err_tx; ++ } ++ } ++ ++ crc = crc_ccitt(0, skb->data, skb->len); + put_unaligned_le16(crc, skb_put(skb, 2)); + } + diff --git a/queue-4.14/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch b/queue-4.14/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch new file mode 100644 index 00000000000..fe8a5d78e26 --- /dev/null +++ b/queue-4.14/ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch @@ -0,0 +1,75 @@ +From 67810693077afc1ebf9e1646af300436cb8103c2 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 17 Jul 2018 16:05:38 +0300 +Subject: ovl: fix wrong use of impure dir cache in ovl_iterate() + +From: Amir Goldstein + +commit 67810693077afc1ebf9e1646af300436cb8103c2 upstream. + +Only upper dir can be impure, but if we are in the middle of +iterating a lower real dir, dir could be copied up and marked +impure. We only want the impure cache if we started iterating +a real upper dir to begin with. + +Aditya Kali reported that the following reproducer hits the +WARN_ON(!cache->refcount) in ovl_get_cache(): + + docker run --rm drupal:8.5.4-fpm-alpine \ + sh -c 'cd /var/www/html/vendor/symfony && \ + chown -R www-data:www-data . && ls -l .' + +Reported-by: Aditya Kali +Tested-by: Aditya Kali +Fixes: 4edb83bb1041 ('ovl: constant d_ino for non-merge dirs') +Cc: # v4.14 +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/readdir.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -623,6 +623,21 @@ static int ovl_fill_real(struct dir_cont + return orig_ctx->actor(orig_ctx, name, namelen, offset, ino, d_type); + } + ++static bool ovl_is_impure_dir(struct file *file) ++{ ++ struct ovl_dir_file *od = file->private_data; ++ struct inode *dir = d_inode(file->f_path.dentry); ++ ++ /* ++ * Only upper dir can be impure, but if we are in the middle of ++ * iterating a lower real dir, dir could be copied up and marked ++ * impure. We only want the impure cache if we started iterating ++ * a real upper dir to begin with. ++ */ ++ return od->is_upper && ovl_test_flag(OVL_IMPURE, dir); ++ ++} ++ + static int ovl_iterate_real(struct file *file, struct dir_context *ctx) + { + int err; +@@ -646,7 +661,7 @@ static int ovl_iterate_real(struct file + rdt.parent_ino = stat.ino; + } + +- if (ovl_test_flag(OVL_IMPURE, d_inode(dir))) { ++ if (ovl_is_impure_dir(file)) { + rdt.cache = ovl_cache_get_impure(&file->f_path); + if (IS_ERR(rdt.cache)) + return PTR_ERR(rdt.cache); +@@ -676,7 +691,7 @@ static int ovl_iterate(struct file *file + * entries. + */ + if (ovl_same_sb(dentry->d_sb) && +- (ovl_test_flag(OVL_IMPURE, d_inode(dentry)) || ++ (ovl_is_impure_dir(file) || + OVL_TYPE_MERGE(ovl_path_type(dentry->d_parent)))) { + return ovl_iterate_real(file, ctx); + } diff --git a/queue-4.14/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch b/queue-4.14/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch new file mode 100644 index 00000000000..5666e4620c9 --- /dev/null +++ b/queue-4.14/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch @@ -0,0 +1,253 @@ +From 1bd6a1c4b80a28d975287630644e6b47d0f977a5 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Tue, 7 Aug 2018 02:12:45 +0530 +Subject: powerpc/fadump: handle crash memory ranges array index overflow + +From: Hari Bathini + +commit 1bd6a1c4b80a28d975287630644e6b47d0f977a5 upstream. + +Crash memory ranges is an array of memory ranges of the crashing kernel +to be exported as a dump via /proc/vmcore file. The size of the array +is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases +where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS +value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since +commit 142b45a72e22 ("memblock: Add array resizing support"). + +On large memory systems with a few DLPAR operations, the memblock memory +regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such +systems, registering fadump results in crash or other system failures +like below: + + task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000 + NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180 + REGS: c00000000b73b570 TRAP: 0300 Tainted: G L X (4.4.140+) + MSR: 8000000000009033 CR: 22004484 XER: 20000000 + CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0 + ... + NIP [c000000000047df4] smp_send_reschedule+0x24/0x80 + LR [c0000000000f9e58] resched_curr+0x138/0x160 + Call Trace: + resched_curr+0x138/0x160 (unreliable) + check_preempt_curr+0xc8/0xf0 + ttwu_do_wakeup+0x38/0x150 + try_to_wake_up+0x224/0x4d0 + __wake_up_common+0x94/0x100 + ep_poll_callback+0xac/0x1c0 + __wake_up_common+0x94/0x100 + __wake_up_sync_key+0x70/0xa0 + sock_def_readable+0x58/0xa0 + unix_stream_sendmsg+0x2dc/0x4c0 + sock_sendmsg+0x68/0xa0 + ___sys_sendmsg+0x2cc/0x2e0 + __sys_sendmsg+0x5c/0xc0 + SyS_socketcall+0x36c/0x3f0 + system_call+0x3c/0x100 + +as array index overflow is not checked for while setting up crash memory +ranges causing memory corruption. To resolve this issue, dynamically +allocate memory for crash memory ranges and resize it incrementally, +in units of pagesize, on hitting array size limit. + +Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Hari Bathini +Reviewed-by: Mahesh Salgaonkar +[mpe: Just use PAGE_SIZE directly, fixup variable placement] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/fadump.h | 3 - + arch/powerpc/kernel/fadump.c | 91 ++++++++++++++++++++++++++++++++------ + 2 files changed, 77 insertions(+), 17 deletions(-) + +--- a/arch/powerpc/include/asm/fadump.h ++++ b/arch/powerpc/include/asm/fadump.h +@@ -195,9 +195,6 @@ struct fadump_crash_info_header { + struct cpumask online_mask; + }; + +-/* Crash memory ranges */ +-#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2) +- + struct fad_crash_memory_ranges { + unsigned long long base; + unsigned long long size; +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -47,8 +47,10 @@ static struct fadump_mem_struct fdm; + static const struct fadump_mem_struct *fdm_active; + + static DEFINE_MUTEX(fadump_mutex); +-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES]; ++struct fad_crash_memory_ranges *crash_memory_ranges; ++int crash_memory_ranges_size; + int crash_mem_ranges; ++int max_crash_mem_ranges; + + /* Scan the Firmware Assisted dump configuration details. */ + int __init early_init_dt_scan_fw_dump(unsigned long node, +@@ -843,38 +845,88 @@ static int __init process_fadump(const s + return 0; + } + +-static inline void fadump_add_crash_memory(unsigned long long base, +- unsigned long long end) ++static void free_crash_memory_ranges(void) ++{ ++ kfree(crash_memory_ranges); ++ crash_memory_ranges = NULL; ++ crash_memory_ranges_size = 0; ++ max_crash_mem_ranges = 0; ++} ++ ++/* ++ * Allocate or reallocate crash memory ranges array in incremental units ++ * of PAGE_SIZE. ++ */ ++static int allocate_crash_memory_ranges(void) ++{ ++ struct fad_crash_memory_ranges *new_array; ++ u64 new_size; ++ ++ new_size = crash_memory_ranges_size + PAGE_SIZE; ++ pr_debug("Allocating %llu bytes of memory for crash memory ranges\n", ++ new_size); ++ ++ new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL); ++ if (new_array == NULL) { ++ pr_err("Insufficient memory for setting up crash memory ranges\n"); ++ free_crash_memory_ranges(); ++ return -ENOMEM; ++ } ++ ++ crash_memory_ranges = new_array; ++ crash_memory_ranges_size = new_size; ++ max_crash_mem_ranges = (new_size / ++ sizeof(struct fad_crash_memory_ranges)); ++ return 0; ++} ++ ++static inline int fadump_add_crash_memory(unsigned long long base, ++ unsigned long long end) + { + if (base == end) +- return; ++ return 0; ++ ++ if (crash_mem_ranges == max_crash_mem_ranges) { ++ int ret; ++ ++ ret = allocate_crash_memory_ranges(); ++ if (ret) ++ return ret; ++ } + + pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n", + crash_mem_ranges, base, end - 1, (end - base)); + crash_memory_ranges[crash_mem_ranges].base = base; + crash_memory_ranges[crash_mem_ranges].size = end - base; + crash_mem_ranges++; ++ return 0; + } + +-static void fadump_exclude_reserved_area(unsigned long long start, ++static int fadump_exclude_reserved_area(unsigned long long start, + unsigned long long end) + { + unsigned long long ra_start, ra_end; ++ int ret = 0; + + ra_start = fw_dump.reserve_dump_area_start; + ra_end = ra_start + fw_dump.reserve_dump_area_size; + + if ((ra_start < end) && (ra_end > start)) { + if ((start < ra_start) && (end > ra_end)) { +- fadump_add_crash_memory(start, ra_start); +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(start, ra_start); ++ if (ret) ++ return ret; ++ ++ ret = fadump_add_crash_memory(ra_end, end); + } else if (start < ra_start) { +- fadump_add_crash_memory(start, ra_start); ++ ret = fadump_add_crash_memory(start, ra_start); + } else if (ra_end < end) { +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(ra_end, end); + } + } else +- fadump_add_crash_memory(start, end); ++ ret = fadump_add_crash_memory(start, end); ++ ++ return ret; + } + + static int fadump_init_elfcore_header(char *bufp) +@@ -914,10 +966,11 @@ static int fadump_init_elfcore_header(ch + * Traverse through memblock structure and setup crash memory ranges. These + * ranges will be used create PT_LOAD program headers in elfcore header. + */ +-static void fadump_setup_crash_memory_ranges(void) ++static int fadump_setup_crash_memory_ranges(void) + { + struct memblock_region *reg; + unsigned long long start, end; ++ int ret; + + pr_debug("Setup crash memory ranges.\n"); + crash_mem_ranges = 0; +@@ -928,7 +981,9 @@ static void fadump_setup_crash_memory_ra + * specified during fadump registration. We need to create a separate + * program header for this chunk with the correct offset. + */ +- fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ if (ret) ++ return ret; + + for_each_memblock(memory, reg) { + start = (unsigned long long)reg->base; +@@ -948,8 +1003,12 @@ static void fadump_setup_crash_memory_ra + } + + /* add this range excluding the reserved dump area. */ +- fadump_exclude_reserved_area(start, end); ++ ret = fadump_exclude_reserved_area(start, end); ++ if (ret) ++ return ret; + } ++ ++ return 0; + } + + /* +@@ -1072,6 +1131,7 @@ static int register_fadump(void) + { + unsigned long addr; + void *vaddr; ++ int ret; + + /* + * If no memory is reserved then we can not register for firmware- +@@ -1080,7 +1140,9 @@ static int register_fadump(void) + if (!fw_dump.reserve_dump_area_size) + return -ENODEV; + +- fadump_setup_crash_memory_ranges(); ++ ret = fadump_setup_crash_memory_ranges(); ++ if (ret) ++ return ret; + + addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len); + /* Initialize fadump crash info header. */ +@@ -1158,6 +1220,7 @@ void fadump_cleanup(void) + } else if (fw_dump.dump_registered) { + /* Un-register Firmware-assisted dump if it was registered. */ + fadump_unregister_dump(&fdm); ++ free_crash_memory_ranges(); + } + } + diff --git a/queue-4.14/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch b/queue-4.14/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch new file mode 100644 index 00000000000..da9e04a10d2 --- /dev/null +++ b/queue-4.14/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch @@ -0,0 +1,88 @@ +From db2173198b9513f7add8009f225afa1f1c79bcc6 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 17 Aug 2018 17:30:39 +1000 +Subject: powerpc/powernv/pci: Work around races in PCI bridge enabling + +From: Benjamin Herrenschmidt + +commit db2173198b9513f7add8009f225afa1f1c79bcc6 upstream. + +The generic code is racy when multiple children of a PCI bridge try to +enable it simultaneously. + +This leads to drivers trying to access a device through a +not-yet-enabled bridge, and this EEH errors under various +circumstances when using parallel driver probing. + +There is work going on to fix that properly in the PCI core but it +will take some time. + +x86 gets away with it because (outside of hotplug), the BIOS enables +all the bridges at boot time. + +This patch does the same thing on powernv by enabling all bridges that +have child devices at boot time, thus avoiding subsequent races. It's +suitable for backporting to stable and distros, while the proper PCI +fix will probably be significantly more invasive. + +Signed-off-by: Benjamin Herrenschmidt +Cc: stable@vger.kernel.org +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 37 ++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3286,12 +3286,49 @@ static void pnv_pci_ioda_create_dbgfs(vo + #endif /* CONFIG_DEBUG_FS */ + } + ++static void pnv_pci_enable_bridge(struct pci_bus *bus) ++{ ++ struct pci_dev *dev = bus->self; ++ struct pci_bus *child; ++ ++ /* Empty bus ? bail */ ++ if (list_empty(&bus->devices)) ++ return; ++ ++ /* ++ * If there's a bridge associated with that bus enable it. This works ++ * around races in the generic code if the enabling is done during ++ * parallel probing. This can be removed once those races have been ++ * fixed. ++ */ ++ if (dev) { ++ int rc = pci_enable_device(dev); ++ if (rc) ++ pci_err(dev, "Error enabling bridge (%d)\n", rc); ++ pci_set_master(dev); ++ } ++ ++ /* Perform the same to child busses */ ++ list_for_each_entry(child, &bus->children, node) ++ pnv_pci_enable_bridge(child); ++} ++ ++static void pnv_pci_enable_bridges(void) ++{ ++ struct pci_controller *hose; ++ ++ list_for_each_entry(hose, &hose_list, list_node) ++ pnv_pci_enable_bridge(hose->bus); ++} ++ + static void pnv_pci_ioda_fixup(void) + { + pnv_pci_ioda_setup_PEs(); + pnv_pci_ioda_setup_iommu_api(); + pnv_pci_ioda_create_dbgfs(); + ++ pnv_pci_enable_bridges(); ++ + #ifdef CONFIG_EEH + eeh_init(); + eeh_addr_cache_build(); diff --git a/queue-4.14/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch b/queue-4.14/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch new file mode 100644 index 00000000000..4320325e54d --- /dev/null +++ b/queue-4.14/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch @@ -0,0 +1,71 @@ +From cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Tue, 7 Aug 2018 19:46:46 +0530 +Subject: powerpc/pseries: Fix endianness while restoring of r3 in MCE handler. + +From: Mahesh Salgaonkar + +commit cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 upstream. + +During Machine Check interrupt on pseries platform, register r3 points +RTAS extended event log passed by hypervisor. Since hypervisor uses r3 +to pass pointer to rtas log, it stores the original r3 value at the +start of the memory (first 8 bytes) pointed by r3. Since hypervisor +stores this info and rtas log is in BE format, linux should make +sure to restore r3 value in correct endian format. + +Without this patch when MCE handler, after recovery, returns to code that +that caused the MCE may end up with Data SLB access interrupt for invalid +address followed by kernel panic or hang. + + Severe Machine check interrupt [Recovered] + NIP [d00000000ca301b8]: init_module+0x1b8/0x338 [bork_kernel] + Initiator: CPU + Error type: SLB [Multihit] + Effective address: d00000000ca70000 + cpu 0xa: Vector: 380 (Data SLB Access) at [c0000000fc7775b0] + pc: c0000000009694c0: vsnprintf+0x80/0x480 + lr: c0000000009698e0: vscnprintf+0x20/0x60 + sp: c0000000fc777830 + msr: 8000000002009033 + dar: a803a30c000000d0 + current = 0xc00000000bc9ef00 + paca = 0xc00000001eca5c00 softe: 3 irq_happened: 0x01 + pid = 8860, comm = insmod + vscnprintf+0x20/0x60 + vprintk_emit+0xb4/0x4b0 + vprintk_func+0x5c/0xd0 + printk+0x38/0x4c + init_module+0x1c0/0x338 [bork_kernel] + do_one_initcall+0x54/0x230 + do_init_module+0x8c/0x248 + load_module+0x12b8/0x15b0 + sys_finit_module+0xa8/0x110 + system_call+0x58/0x6c + --- Exception: c00 (System Call) at 00007fff8bda0644 + SP (7fffdfbfe980) is in userspace + +This patch fixes this issue. + +Fixes: a08a53ea4c97 ("powerpc/le: Enable RTAS events support") +Cc: stable@vger.kernel.org # v3.15+ +Reviewed-by: Nicholas Piggin +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/ras.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -360,7 +360,7 @@ static struct rtas_error_log *fwnmi_get_ + } + + savep = __va(regs->gpr[3]); +- regs->gpr[3] = savep[0]; /* restore original r3 */ ++ regs->gpr[3] = be64_to_cpu(savep[0]); /* restore original r3 */ + + /* If it isn't an extended log we can use the per cpu 64bit buffer */ + h = (struct rtas_error_log *)&savep[1]; diff --git a/queue-4.14/printk-tracing-do-not-trace-printk_nmi_enter.patch b/queue-4.14/printk-tracing-do-not-trace-printk_nmi_enter.patch new file mode 100644 index 00000000000..da062ddec41 --- /dev/null +++ b/queue-4.14/printk-tracing-do-not-trace-printk_nmi_enter.patch @@ -0,0 +1,106 @@ +From d1c392c9e2a301f38998a353f467f76414e38725 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 5 Sep 2018 16:29:49 -0400 +Subject: printk/tracing: Do not trace printk_nmi_enter() + +From: Steven Rostedt (VMware) + +commit d1c392c9e2a301f38998a353f467f76414e38725 upstream. + +I hit the following splat in my tests: + +------------[ cut here ]------------ +IRQs not enabled as expected +WARNING: CPU: 3 PID: 0 at kernel/time/tick-sched.c:982 tick_nohz_idle_enter+0x44/0x8c +Modules linked in: ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables ipv6 +CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.19.0-rc2-test+ #2 +Hardware name: MSI MS-7823/CSM-H87M-G43 (MS-7823), BIOS V1.6 02/22/2014 +EIP: tick_nohz_idle_enter+0x44/0x8c +Code: ec 05 00 00 00 75 26 83 b8 c0 05 00 00 00 75 1d 80 3d d0 36 3e c1 00 +75 14 68 94 63 12 c1 c6 05 d0 36 3e c1 01 e8 04 ee f8 ff <0f> 0b 58 fa bb a0 +e5 66 c1 e8 25 0f 04 00 64 03 1d 28 31 52 c1 8b +EAX: 0000001c EBX: f26e7f8c ECX: 00000006 EDX: 00000007 +ESI: f26dd1c0 EDI: 00000000 EBP: f26e7f40 ESP: f26e7f38 +DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010296 +CR0: 80050033 CR2: 0813c6b0 CR3: 2f342000 CR4: 001406f0 +Call Trace: + do_idle+0x33/0x202 + cpu_startup_entry+0x61/0x63 + start_secondary+0x18e/0x1ed + startup_32_smp+0x164/0x168 +irq event stamp: 18773830 +hardirqs last enabled at (18773829): [] trace_hardirqs_on_thunk+0xc/0x10 +hardirqs last disabled at (18773830): [] trace_hardirqs_off_thunk+0xc/0x10 +softirqs last enabled at (18773824): [] __do_softirq+0x25f/0x2bf +softirqs last disabled at (18773767): [] call_on_stack+0x45/0x4b +---[ end trace b7c64aa79e17954a ]--- + +After a bit of debugging, I found what was happening. This would trigger +when performing "perf" with a high NMI interrupt rate, while enabling and +disabling function tracer. Ftrace uses breakpoints to convert the nops at +the start of functions to calls to the function trampolines. The breakpoint +traps disable interrupts and this makes calls into lockdep via the +trace_hardirqs_off_thunk in the entry.S code. What happens is the following: + + do_idle { + + [interrupts enabled] + + [interrupts disabled] + TRACE_IRQS_OFF [lockdep says irqs off] + [...] + TRACE_IRQS_IRET + test if pt_regs say return to interrupts enabled [yes] + TRACE_IRQS_ON [lockdep says irqs are on] + + + nmi_enter() { + printk_nmi_enter() [traced by ftrace] + [ hit ftrace breakpoint ] + + TRACE_IRQS_OFF [lockdep says irqs off] + [...] + TRACE_IRQS_IRET [return from breakpoint] + test if pt_regs say interrupts enabled [no] + [iret back to interrupt] + [iret back to code] + + tick_nohz_idle_enter() { + + lockdep_assert_irqs_enabled() [lockdep say no!] + +Although interrupts are indeed enabled, lockdep thinks it is not, and since +we now do asserts via lockdep, it gives a false warning. The issue here is +that printk_nmi_enter() is called before lockdep_off(), which disables +lockdep (for this reason) in NMIs. By simply not allowing ftrace to see +printk_nmi_enter() (via notrace annotation) we keep lockdep from getting +confused. + +Cc: stable@vger.kernel.org +Fixes: 42a0bb3f71383 ("printk/nmi: generic solution for safe printk in NMI") +Acked-by: Sergey Senozhatsky +Acked-by: Petr Mladek +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk_safe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/printk/printk_safe.c ++++ b/kernel/printk/printk_safe.c +@@ -309,12 +309,12 @@ static __printf(1, 0) int vprintk_nmi(co + return printk_safe_log_store(s, fmt, args); + } + +-void printk_nmi_enter(void) ++void notrace printk_nmi_enter(void) + { + this_cpu_or(printk_context, PRINTK_NMI_CONTEXT_MASK); + } + +-void printk_nmi_exit(void) ++void notrace printk_nmi_exit(void) + { + this_cpu_and(printk_context, ~PRINTK_NMI_CONTEXT_MASK); + } diff --git a/queue-4.14/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch b/queue-4.14/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch new file mode 100644 index 00000000000..3ead6903b3b --- /dev/null +++ b/queue-4.14/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch @@ -0,0 +1,33 @@ +From 61b717d041b1976530f68f8b539b2e3a7dd8e39c Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 26 Jun 2018 08:39:36 -0700 +Subject: RDMA/rxe: Set wqe->status correctly if an unexpected response is received + +From: Bart Van Assche + +commit 61b717d041b1976530f68f8b539b2e3a7dd8e39c upstream. + +Every function that returns COMPST_ERROR must set wqe->status to another +value than IB_WC_SUCCESS before returning COMPST_ERROR. Fix the only code +path for which this is not yet the case. + +Signed-off-by: Bart Van Assche +Cc: +Reviewed-by: Yuval Shaia +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -276,6 +276,7 @@ static inline enum comp_state check_ack( + case IB_OPCODE_RC_RDMA_READ_RESPONSE_MIDDLE: + if (wqe->wr.opcode != IB_WR_RDMA_READ && + wqe->wr.opcode != IB_WR_RDMA_READ_WITH_INV) { ++ wqe->status = IB_WC_FATAL_ERR; + return COMPST_ERROR; + } + reset_retry_counters(qp); diff --git a/queue-4.14/readahead-stricter-check-for-bdi-io_pages.patch b/queue-4.14/readahead-stricter-check-for-bdi-io_pages.patch new file mode 100644 index 00000000000..be6f2eea333 --- /dev/null +++ b/queue-4.14/readahead-stricter-check-for-bdi-io_pages.patch @@ -0,0 +1,60 @@ +From dc30b96ab6d569060741572cf30517d3179429a8 Mon Sep 17 00:00:00 2001 +From: Markus Stockhausen +Date: Fri, 27 Jul 2018 09:09:53 -0600 +Subject: readahead: stricter check for bdi io_pages + +From: Markus Stockhausen + +commit dc30b96ab6d569060741572cf30517d3179429a8 upstream. + +ondemand_readahead() checks bdi->io_pages to cap the maximum pages +that need to be processed. This works until the readit section. If +we would do an async only readahead (async size = sync size) and +target is at beginning of window we expand the pages by another +get_next_ra_size() pages. Btrace for large reads shows that kernel +always issues a doubled size read at the beginning of processing. +Add an additional check for io_pages in the lower part of the func. +The fix helps devices that hard limit bio pages and rely on proper +handling of max_hw_read_sectors (e.g. older FusionIO cards). For +that reason it could qualify for stable. + +Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting") +Cc: stable@vger.kernel.org +Signed-off-by: Markus Stockhausen stockhausen@collogia.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + mm/readahead.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -380,6 +380,7 @@ ondemand_readahead(struct address_space + { + struct backing_dev_info *bdi = inode_to_bdi(mapping->host); + unsigned long max_pages = ra->ra_pages; ++ unsigned long add_pages; + pgoff_t prev_offset; + + /* +@@ -469,10 +470,17 @@ readit: + * Will this read hit the readahead marker made by itself? + * If so, trigger the readahead marker hit now, and merge + * the resulted next readahead window into the current one. ++ * Take care of maximum IO pages as above. + */ + if (offset == ra->start && ra->size == ra->async_size) { +- ra->async_size = get_next_ra_size(ra, max_pages); +- ra->size += ra->async_size; ++ add_pages = get_next_ra_size(ra, max_pages); ++ if (ra->size + add_pages <= max_pages) { ++ ra->async_size = add_pages; ++ ra->size += add_pages; ++ } else { ++ ra->size = max_pages; ++ ra->async_size = max_pages >> 1; ++ } + } + + return ra_submit(ra, mapping, filp); diff --git a/queue-4.14/replace-magic-for-trusting-the-secondary-keyring-with-define.patch b/queue-4.14/replace-magic-for-trusting-the-secondary-keyring-with-define.patch new file mode 100644 index 00000000000..3e712477bbb --- /dev/null +++ b/queue-4.14/replace-magic-for-trusting-the-secondary-keyring-with-define.patch @@ -0,0 +1,70 @@ +From 817aef260037f33ee0f44c17fe341323d3aebd6d Mon Sep 17 00:00:00 2001 +From: Yannik Sembritzki +Date: Thu, 16 Aug 2018 14:05:10 +0100 +Subject: Replace magic for trusting the secondary keyring with #define + +From: Yannik Sembritzki + +commit 817aef260037f33ee0f44c17fe341323d3aebd6d upstream. + +Replace the use of a magic number that indicates that verify_*_signature() +should use the secondary keyring with a symbol. + +Signed-off-by: Yannik Sembritzki +Signed-off-by: David Howells +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + certs/system_keyring.c | 3 ++- + crypto/asymmetric_keys/pkcs7_key_type.c | 2 +- + include/linux/verification.h | 6 ++++++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *d + + if (!trusted_keys) { + trusted_keys = builtin_trusted_keys; +- } else if (trusted_keys == (void *)1UL) { ++ } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) { + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + trusted_keys = secondary_trusted_keys; + #else +--- a/crypto/asymmetric_keys/pkcs7_key_type.c ++++ b/crypto/asymmetric_keys/pkcs7_key_type.c +@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_pre + + return verify_pkcs7_signature(NULL, 0, + prep->data, prep->datalen, +- (void *)1UL, usage, ++ VERIFY_USE_SECONDARY_KEYRING, usage, + pkcs7_view_content, prep); + } + +--- a/include/linux/verification.h ++++ b/include/linux/verification.h +@@ -13,6 +13,12 @@ + #define _LINUX_VERIFICATION_H + + /* ++ * Indicate that both builtin trusted keys and secondary trusted keys ++ * should be used. ++ */ ++#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) ++ ++/* + * The use to which an asymmetric key is being put. + */ + enum key_being_used_for { diff --git a/queue-4.14/rtc-omap-fix-potential-crash-on-power-off.patch b/queue-4.14/rtc-omap-fix-potential-crash-on-power-off.patch new file mode 100644 index 00000000000..57f247f48a2 --- /dev/null +++ b/queue-4.14/rtc-omap-fix-potential-crash-on-power-off.patch @@ -0,0 +1,57 @@ +From 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jul 2018 11:05:55 +0200 +Subject: rtc: omap: fix potential crash on power off + +From: Johan Hovold + +commit 5c8b84f410b3819d14cb1ebf32e4b3714b5a6e0b upstream. + +Do not set the system power-off callback and omap power-off rtc pointer +until we're done setting up our device to avoid leaving stale pointers +around after a late probe error. + +Fixes: 97ea1906b3c2 ("rtc: omap: Support ext_wakeup configuration") +Cc: stable # 4.9 +Cc: Marcin Niestroj +Cc: Tony Lindgren +Signed-off-by: Johan Hovold +Acked-by: Tony Lindgren +Reviewed-by: Marcin Niestroj +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-omap.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-omap.c ++++ b/drivers/rtc/rtc-omap.c +@@ -817,13 +817,6 @@ static int omap_rtc_probe(struct platfor + goto err; + } + +- if (rtc->is_pmic_controller) { +- if (!pm_power_off) { +- omap_rtc_power_off_rtc = rtc; +- pm_power_off = omap_rtc_power_off; +- } +- } +- + /* Support ext_wakeup pinconf */ + rtc_pinctrl_desc.name = dev_name(&pdev->dev); + +@@ -833,6 +826,13 @@ static int omap_rtc_probe(struct platfor + return PTR_ERR(rtc->pctldev); + } + ++ if (rtc->is_pmic_controller) { ++ if (!pm_power_off) { ++ omap_rtc_power_off_rtc = rtc; ++ pm_power_off = omap_rtc_power_off; ++ } ++ } ++ + return 0; + + err: diff --git a/queue-4.14/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch b/queue-4.14/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch new file mode 100644 index 00000000000..5c01c3a1789 --- /dev/null +++ b/queue-4.14/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch @@ -0,0 +1,64 @@ +From 931c4e9a72ae91d59c5332ffb6812911a749da8e Mon Sep 17 00:00:00 2001 +From: Janek Kotas +Date: Mon, 4 Jun 2018 11:24:44 +0000 +Subject: spi: cadence: Change usleep_range() to udelay(), for atomic context + +From: Janek Kotas + +commit 931c4e9a72ae91d59c5332ffb6812911a749da8e upstream. + +The path "spi: cadence: Add usleep_range() for +cdns_spi_fill_tx_fifo()" added a usleep_range() function call, +which cannot be used in atomic context. +However the cdns_spi_fill_tx_fifo() function can be called during +an interrupt which may result in a kernel panic: + +BUG: scheduling while atomic: grep/561/0x00010002 +Modules linked in: +Preemption disabled at: +[] wait_for_common+0x48/0x178 +CPU: 0 PID: 561 Comm: grep Not tainted 4.17.0 #1 +Hardware name: Cadence CSP (DT) +Call trace: + dump_backtrace+0x0/0x198 + show_stack+0x14/0x20 + dump_stack+0x8c/0xac + __schedule_bug+0x6c/0xb8 + __schedule+0x570/0x5d8 + schedule+0x34/0x98 + schedule_hrtimeout_range_clock+0x98/0x110 + schedule_hrtimeout_range+0x10/0x18 + usleep_range+0x64/0x98 + cdns_spi_fill_tx_fifo+0x70/0xb0 + cdns_spi_irq+0xd0/0xe0 + __handle_irq_event_percpu+0x9c/0x128 + handle_irq_event_percpu+0x34/0x88 + handle_irq_event+0x48/0x78 + handle_fasteoi_irq+0xbc/0x1b0 + generic_handle_irq+0x24/0x38 + __handle_domain_irq+0x84/0xf8 + gic_handle_irq+0xc4/0x180 + +This patch replaces the function call with udelay() which can be +used in an atomic context, like an interrupt. + +Signed-off-by: Jan Kotas +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-cadence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -319,7 +319,7 @@ static void cdns_spi_fill_tx_fifo(struct + */ + if (cdns_spi_read(xspi, CDNS_SPI_ISR) & + CDNS_SPI_IXR_TXFULL) +- usleep_range(10, 20); ++ udelay(10); + + if (xspi->txbuf) + cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); diff --git a/queue-4.14/spi-davinci-fix-a-null-pointer-dereference.patch b/queue-4.14/spi-davinci-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..49a25c38812 --- /dev/null +++ b/queue-4.14/spi-davinci-fix-a-null-pointer-dereference.patch @@ -0,0 +1,32 @@ +From 563a53f3906a6b43692498e5b3ae891fac93a4af Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 10 Aug 2018 11:13:52 +0200 +Subject: spi: davinci: fix a NULL pointer dereference + +From: Bartosz Golaszewski + +commit 563a53f3906a6b43692498e5b3ae891fac93a4af upstream. + +On non-OF systems spi->controlled_data may be NULL. This causes a NULL +pointer derefence on dm365-evm. + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -217,7 +217,7 @@ static void davinci_spi_chipselect(struc + pdata = &dspi->pdata; + + /* program delay transfers if tx_delay is non zero */ +- if (spicfg->wdelay) ++ if (spicfg && spicfg->wdelay) + spidat1 |= SPIDAT1_WDEL; + + /* diff --git a/queue-4.14/spi-pxa2xx-add-support-for-intel-ice-lake.patch b/queue-4.14/spi-pxa2xx-add-support-for-intel-ice-lake.patch new file mode 100644 index 00000000000..fa46b73e99b --- /dev/null +++ b/queue-4.14/spi-pxa2xx-add-support-for-intel-ice-lake.patch @@ -0,0 +1,36 @@ +From 22d71a5097ec7059b6cbbee678a4f88484695941 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Thu, 28 Jun 2018 13:52:23 +0300 +Subject: spi: pxa2xx: Add support for Intel Ice Lake + +From: Mika Westerberg + +commit 22d71a5097ec7059b6cbbee678a4f88484695941 upstream. + +Intel Ice Lake SPI host controller follows the Intel Cannon Lake but the +PCI IDs are different. Add the new PCI IDs to the driver supported +devices list. + +Signed-off-by: Mika Westerberg +Signed-off-by: Jarkko Nikula +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-pxa2xx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1480,6 +1480,10 @@ static const struct pci_device_id pxa2xx + { PCI_VDEVICE(INTEL, 0x31c2), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x31c4), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x31c6), LPSS_BXT_SSP }, ++ /* ICL-LP */ ++ { PCI_VDEVICE(INTEL, 0x34aa), LPSS_CNL_SSP }, ++ { PCI_VDEVICE(INTEL, 0x34ab), LPSS_CNL_SSP }, ++ { PCI_VDEVICE(INTEL, 0x34fb), LPSS_CNL_SSP }, + /* APL */ + { PCI_VDEVICE(INTEL, 0x5ac2), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x5ac4), LPSS_BXT_SSP }, diff --git a/queue-4.14/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch b/queue-4.14/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch new file mode 100644 index 00000000000..c167f3fed9e --- /dev/null +++ b/queue-4.14/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch @@ -0,0 +1,90 @@ +From d8ffee2f551a627ffb7b216e2da322cb9a037f77 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 29 Jun 2018 13:33:09 +0200 +Subject: spi: spi-fsl-dspi: Fix imprecise abort on VF500 during probe + +From: Krzysztof Kozlowski + +commit d8ffee2f551a627ffb7b216e2da322cb9a037f77 upstream. + +Registers of DSPI should not be accessed before enabling its clock. On +Toradex Colibri VF50 on Iris carrier board this could be seen during +bootup as imprecise abort: + + Unhandled fault: imprecise external abort (0x1c06) at 0x00000000 + Internal error: : 1c06 [#1] ARM + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 4.14.39-dirty #97 + Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) + Backtrace: + [<804166a8>] (regmap_write) from [<80466b5c>] (dspi_probe+0x1f0/0x8dc) + [<8046696c>] (dspi_probe) from [<8040107c>] (platform_drv_probe+0x54/0xb8) + [<80401028>] (platform_drv_probe) from [<803ff53c>] (driver_probe_device+0x280/0x2f8) + [<803ff2bc>] (driver_probe_device) from [<803ff674>] (__driver_attach+0xc0/0xc4) + [<803ff5b4>] (__driver_attach) from [<803fd818>] (bus_for_each_dev+0x70/0xa4) + [<803fd7a8>] (bus_for_each_dev) from [<803fee74>] (driver_attach+0x24/0x28) + [<803fee50>] (driver_attach) from [<803fe980>] (bus_add_driver+0x1a0/0x218) + [<803fe7e0>] (bus_add_driver) from [<803fffe8>] (driver_register+0x80/0x100) + [<803fff68>] (driver_register) from [<80400fdc>] (__platform_driver_register+0x48/0x50) + [<80400f94>] (__platform_driver_register) from [<8091cf7c>] (fsl_dspi_driver_init+0x1c/0x20) + [<8091cf60>] (fsl_dspi_driver_init) from [<8010195c>] (do_one_initcall+0x4c/0x174) + [<80101910>] (do_one_initcall) from [<80900e8c>] (kernel_init_freeable+0x144/0x1d8) + [<80900d48>] (kernel_init_freeable) from [<805ff6a8>] (kernel_init+0x10/0x114) + [<805ff698>] (kernel_init) from [<80107be8>] (ret_from_fork+0x14/0x2c) + +Cc: +Fixes: 5ee67b587a2b ("spi: dspi: clear SPI_SR before enable interrupt") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-fsl-dspi.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -1006,31 +1006,31 @@ static int dspi_probe(struct platform_de + goto out_master_put; + } + ++ dspi->clk = devm_clk_get(&pdev->dev, "dspi"); ++ if (IS_ERR(dspi->clk)) { ++ ret = PTR_ERR(dspi->clk); ++ dev_err(&pdev->dev, "unable to get clock\n"); ++ goto out_master_put; ++ } ++ ret = clk_prepare_enable(dspi->clk); ++ if (ret) ++ goto out_master_put; ++ + dspi_init(dspi); + dspi->irq = platform_get_irq(pdev, 0); + if (dspi->irq < 0) { + dev_err(&pdev->dev, "can't get platform irq\n"); + ret = dspi->irq; +- goto out_master_put; ++ goto out_clk_put; + } + + ret = devm_request_irq(&pdev->dev, dspi->irq, dspi_interrupt, 0, + pdev->name, dspi); + if (ret < 0) { + dev_err(&pdev->dev, "Unable to attach DSPI interrupt\n"); +- goto out_master_put; ++ goto out_clk_put; + } + +- dspi->clk = devm_clk_get(&pdev->dev, "dspi"); +- if (IS_ERR(dspi->clk)) { +- ret = PTR_ERR(dspi->clk); +- dev_err(&pdev->dev, "unable to get clock\n"); +- goto out_master_put; +- } +- ret = clk_prepare_enable(dspi->clk); +- if (ret) +- goto out_master_put; +- + if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) { + ret = dspi_request_dma(dspi, res->start); + if (ret < 0) { diff --git a/queue-4.14/tracing-blktrace-fix-to-allow-setting-same-value.patch b/queue-4.14/tracing-blktrace-fix-to-allow-setting-same-value.patch new file mode 100644 index 00000000000..c1fac68a174 --- /dev/null +++ b/queue-4.14/tracing-blktrace-fix-to-allow-setting-same-value.patch @@ -0,0 +1,63 @@ +From 757d9140072054528b13bbe291583d9823cde195 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 16 Aug 2018 16:08:37 -0400 +Subject: tracing/blktrace: Fix to allow setting same value + +From: Steven Rostedt (VMware) + +commit 757d9140072054528b13bbe291583d9823cde195 upstream. + +Masami Hiramatsu reported: + + Current trace-enable attribute in sysfs returns an error + if user writes the same setting value as current one, + e.g. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + bash: echo: write error: Invalid argument + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + bash: echo: write error: Device or resource busy + + But this is not a preferred behavior, it should ignore + if new setting is same as current one. This fixes the + problem as below. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + +Link: http://lkml.kernel.org/r/20180816103802.08678002@gandalf.local.home + +Cc: Ingo Molnar +Cc: Jens Axboe +Cc: linux-block@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: cd649b8bb830d ("blktrace: remove sysfs_blk_trace_enable_show/store()") +Reported-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/blktrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1809,6 +1809,10 @@ static ssize_t sysfs_blk_trace_attr_stor + mutex_lock(&q->blk_trace_mutex); + + if (attr == &dev_attr_enable) { ++ if (!!value == !!q->blk_trace) { ++ ret = 0; ++ goto out_unlock_bdev; ++ } + if (value) + ret = blk_trace_setup_queue(q, bdev); + else diff --git a/queue-4.14/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch b/queue-4.14/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch new file mode 100644 index 00000000000..f694bcffe61 --- /dev/null +++ b/queue-4.14/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch @@ -0,0 +1,41 @@ +From f143641bfef9a4a60c57af30de26c63057e7e695 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 1 Aug 2018 15:40:57 -0400 +Subject: tracing: Do not call start/stop() functions when tracing_on does not change + +From: Steven Rostedt (VMware) + +commit f143641bfef9a4a60c57af30de26c63057e7e695 upstream. + +Currently, when one echo's in 1 into tracing_on, the current tracer's +"start()" function is executed, even if tracing_on was already one. This can +lead to strange side effects. One being that if the hwlat tracer is enabled, +and someone does "echo 1 > tracing_on" into tracing_on, the hwlat tracer's +start() function is called again which will recreate another kernel thread, +and make it unable to remove the old one. + +Link: http://lkml.kernel.org/r/1533120354-22923-1-git-send-email-erica.bugden@linutronix.de + +Cc: stable@vger.kernel.org +Fixes: 2df8f8a6a897e ("tracing: Fix regression with irqsoff tracer and tracing_on file") +Reported-by: Erica Bugden +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7545,7 +7545,9 @@ rb_simple_write(struct file *filp, const + + if (buffer) { + mutex_lock(&trace_types_lock); +- if (val) { ++ if (!!val == tracer_tracing_is_on(tr)) { ++ val = 0; /* do nothing */ ++ } else if (val) { + tracer_tracing_on(tr); + if (tr->current_trace->start) + tr->current_trace->start(tr); diff --git a/queue-4.14/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch b/queue-4.14/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch new file mode 100644 index 00000000000..532c00866b0 --- /dev/null +++ b/queue-4.14/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch @@ -0,0 +1,186 @@ +From a5ba1d95e46ecaea638ddd7cd144107c783acb5d Mon Sep 17 00:00:00 2001 +From: Tycho Andersen +Date: Fri, 6 Jul 2018 10:24:57 -0600 +Subject: uart: fix race between uart_put_char() and uart_shutdown() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tycho Andersen + +commit a5ba1d95e46ecaea638ddd7cd144107c783acb5d upstream. + +We have reports of the following crash: + + PID: 7 TASK: ffff88085c6d61c0 CPU: 1 COMMAND: "kworker/u25:0" + #0 [ffff88085c6db710] machine_kexec at ffffffff81046239 + #1 [ffff88085c6db760] crash_kexec at ffffffff810fc248 + #2 [ffff88085c6db830] oops_end at ffffffff81008ae7 + #3 [ffff88085c6db860] no_context at ffffffff81050b8f + #4 [ffff88085c6db8b0] __bad_area_nosemaphore at ffffffff81050d75 + #5 [ffff88085c6db900] bad_area_nosemaphore at ffffffff81050e83 + #6 [ffff88085c6db910] __do_page_fault at ffffffff8105132e + #7 [ffff88085c6db9b0] do_page_fault at ffffffff8105152c + #8 [ffff88085c6db9c0] page_fault at ffffffff81a3f122 + [exception RIP: uart_put_char+149] + RIP: ffffffff814b67b5 RSP: ffff88085c6dba78 RFLAGS: 00010006 + RAX: 0000000000000292 RBX: ffffffff827c5120 RCX: 0000000000000081 + RDX: 0000000000000000 RSI: 000000000000005f RDI: ffffffff827c5120 + RBP: ffff88085c6dba98 R8: 000000000000012c R9: ffffffff822ea320 + R10: ffff88085fe4db04 R11: 0000000000000001 R12: ffff881059f9c000 + R13: 0000000000000001 R14: 000000000000005f R15: 0000000000000fba + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #9 [ffff88085c6dbaa0] tty_put_char at ffffffff81497544 + #10 [ffff88085c6dbac0] do_output_char at ffffffff8149c91c + #11 [ffff88085c6dbae0] __process_echoes at ffffffff8149cb8b + #12 [ffff88085c6dbb30] commit_echoes at ffffffff8149cdc2 + #13 [ffff88085c6dbb60] n_tty_receive_buf_fast at ffffffff8149e49b + #14 [ffff88085c6dbbc0] __receive_buf at ffffffff8149ef5a + #15 [ffff88085c6dbc20] n_tty_receive_buf_common at ffffffff8149f016 + #16 [ffff88085c6dbca0] n_tty_receive_buf2 at ffffffff8149f194 + #17 [ffff88085c6dbcb0] flush_to_ldisc at ffffffff814a238a + #18 [ffff88085c6dbd50] process_one_work at ffffffff81090be2 + #19 [ffff88085c6dbe20] worker_thread at ffffffff81091b4d + #20 [ffff88085c6dbeb0] kthread at ffffffff81096384 + #21 [ffff88085c6dbf50] ret_from_fork at ffffffff81a3d69f​ + +after slogging through some dissasembly: + +ffffffff814b6720 : +ffffffff814b6720: 55 push %rbp +ffffffff814b6721: 48 89 e5 mov %rsp,%rbp +ffffffff814b6724: 48 83 ec 20 sub $0x20,%rsp +ffffffff814b6728: 48 89 1c 24 mov %rbx,(%rsp) +ffffffff814b672c: 4c 89 64 24 08 mov %r12,0x8(%rsp) +ffffffff814b6731: 4c 89 6c 24 10 mov %r13,0x10(%rsp) +ffffffff814b6736: 4c 89 74 24 18 mov %r14,0x18(%rsp) +ffffffff814b673b: e8 b0 8e 58 00 callq ffffffff81a3f5f0 +ffffffff814b6740: 4c 8b a7 88 02 00 00 mov 0x288(%rdi),%r12 +ffffffff814b6747: 45 31 ed xor %r13d,%r13d +ffffffff814b674a: 41 89 f6 mov %esi,%r14d +ffffffff814b674d: 49 83 bc 24 70 01 00 cmpq $0x0,0x170(%r12) +ffffffff814b6754: 00 00 +ffffffff814b6756: 49 8b 9c 24 80 01 00 mov 0x180(%r12),%rbx +ffffffff814b675d: 00 +ffffffff814b675e: 74 2f je ffffffff814b678f +ffffffff814b6760: 48 89 df mov %rbx,%rdi +ffffffff814b6763: e8 a8 67 58 00 callq ffffffff81a3cf10 <_raw_spin_lock_irqsave> +ffffffff814b6768: 41 8b 8c 24 78 01 00 mov 0x178(%r12),%ecx +ffffffff814b676f: 00 +ffffffff814b6770: 89 ca mov %ecx,%edx +ffffffff814b6772: f7 d2 not %edx +ffffffff814b6774: 41 03 94 24 7c 01 00 add 0x17c(%r12),%edx +ffffffff814b677b: 00 +ffffffff814b677c: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b6782: 75 23 jne ffffffff814b67a7 +ffffffff814b6784: 48 89 c6 mov %rax,%rsi +ffffffff814b6787: 48 89 df mov %rbx,%rdi +ffffffff814b678a: e8 e1 64 58 00 callq ffffffff81a3cc70 <_raw_spin_unlock_irqrestore> +ffffffff814b678f: 44 89 e8 mov %r13d,%eax +ffffffff814b6792: 48 8b 1c 24 mov (%rsp),%rbx +ffffffff814b6796: 4c 8b 64 24 08 mov 0x8(%rsp),%r12 +ffffffff814b679b: 4c 8b 6c 24 10 mov 0x10(%rsp),%r13 +ffffffff814b67a0: 4c 8b 74 24 18 mov 0x18(%rsp),%r14 +ffffffff814b67a5: c9 leaveq +ffffffff814b67a6: c3 retq +ffffffff814b67a7: 49 8b 94 24 70 01 00 mov 0x170(%r12),%rdx +ffffffff814b67ae: 00 +ffffffff814b67af: 48 63 c9 movslq %ecx,%rcx +ffffffff814b67b2: 41 b5 01 mov $0x1,%r13b +ffffffff814b67b5: 44 88 34 0a mov %r14b,(%rdx,%rcx,1) +ffffffff814b67b9: 41 8b 94 24 78 01 00 mov 0x178(%r12),%edx +ffffffff814b67c0: 00 +ffffffff814b67c1: 83 c2 01 add $0x1,%edx +ffffffff814b67c4: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b67ca: 41 89 94 24 78 01 00 mov %edx,0x178(%r12) +ffffffff814b67d1: 00 +ffffffff814b67d2: eb b0 jmp ffffffff814b6784 +ffffffff814b67d4: 66 66 66 2e 0f 1f 84 data32 data32 nopw %cs:0x0(%rax,%rax,1) +ffffffff814b67db: 00 00 00 00 00 + +for our build, this is crashing at: + + circ->buf[circ->head] = c; + +Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf) +protected by the "per-port mutex", which based on uart_port_check() is +state->port.mutex. Indeed, the lock acquired in uart_put_char() is +uport->lock, i.e. not the same lock. + +Anyway, since the lock is not acquired, if uart_shutdown() is called, the +last chunk of that function may release state->xmit.buf before its assigned +to null, and cause the race above. + +To fix it, let's lock uport->lock when allocating/deallocating +state->xmit.buf in addition to the per-port mutex. + +v2: switch to locking uport->lock on allocation/deallocation instead of + locking the per-port mutex in uart_put_char. Note that since + uport->lock is a spin lock, we have to switch the allocation to + GFP_ATOMIC. +v3: move the allocation outside the lock, so we can switch back to + GFP_KERNEL + +Signed-off-by: Tycho Andersen +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -195,6 +195,7 @@ static int uart_port_startup(struct tty_ + { + struct uart_port *uport = uart_port_check(state); + unsigned long page; ++ unsigned long flags = 0; + int retval = 0; + + if (uport->type == PORT_UNKNOWN) +@@ -209,15 +210,18 @@ static int uart_port_startup(struct tty_ + * Initialise and allocate the transmit and temporary + * buffer. + */ +- if (!state->xmit.buf) { +- /* This is protected by the per port mutex */ +- page = get_zeroed_page(GFP_KERNEL); +- if (!page) +- return -ENOMEM; ++ page = get_zeroed_page(GFP_KERNEL); ++ if (!page) ++ return -ENOMEM; + ++ uart_port_lock(state, flags); ++ if (!state->xmit.buf) { + state->xmit.buf = (unsigned char *) page; + uart_circ_clear(&state->xmit); ++ } else { ++ free_page(page); + } ++ uart_port_unlock(uport, flags); + + retval = uport->ops->startup(uport); + if (retval == 0) { +@@ -276,6 +280,7 @@ static void uart_shutdown(struct tty_str + { + struct uart_port *uport = uart_port_check(state); + struct tty_port *port = &state->port; ++ unsigned long flags = 0; + + /* + * Set the TTY IO error marker +@@ -308,10 +313,12 @@ static void uart_shutdown(struct tty_str + /* + * Free the transmit buffer page. + */ ++ uart_port_lock(state, flags); + if (state->xmit.buf) { + free_page((unsigned long)state->xmit.buf); + state->xmit.buf = NULL; + } ++ uart_port_unlock(uport, flags); + } + + /** diff --git a/queue-4.14/uprobes-use-synchronize_rcu-not-synchronize_sched.patch b/queue-4.14/uprobes-use-synchronize_rcu-not-synchronize_sched.patch new file mode 100644 index 00000000000..17940583cb2 --- /dev/null +++ b/queue-4.14/uprobes-use-synchronize_rcu-not-synchronize_sched.patch @@ -0,0 +1,39 @@ +From 016f8ffc48cb01d1e7701649c728c5d2e737d295 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 9 Aug 2018 15:37:59 -0400 +Subject: uprobes: Use synchronize_rcu() not synchronize_sched() + +From: Steven Rostedt (VMware) + +commit 016f8ffc48cb01d1e7701649c728c5d2e737d295 upstream. + +While debugging another bug, I was looking at all the synchronize*() +functions being used in kernel/trace, and noticed that trace_uprobes was +using synchronize_sched(), with a comment to synchronize with +{u,ret}_probe_trace_func(). When looking at those functions, the data is +protected with "rcu_read_lock()" and not with "rcu_read_lock_sched()". This +is using the wrong synchronize_*() function. + +Link: http://lkml.kernel.org/r/20180809160553.469e1e32@gandalf.local.home + +Cc: stable@vger.kernel.org +Fixes: 70ed91c6ec7f8 ("tracing/uprobes: Support ftrace_event_file base multibuffer") +Acked-by: Oleg Nesterov +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -967,7 +967,7 @@ probe_event_disable(struct trace_uprobe + + list_del_rcu(&link->list); + /* synchronize with u{,ret}probe_trace_func */ +- synchronize_sched(); ++ synchronize_rcu(); + kfree(link); + + if (!list_empty(&tu->tp.files)) diff --git a/queue-4.14/vmw_balloon-do-not-use-2mb-without-batching.patch b/queue-4.14/vmw_balloon-do-not-use-2mb-without-batching.patch new file mode 100644 index 00000000000..cacaa332b9a --- /dev/null +++ b/queue-4.14/vmw_balloon-do-not-use-2mb-without-batching.patch @@ -0,0 +1,44 @@ +From 5081efd112560d3febb328e627176235b250d59d Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:25 -0700 +Subject: vmw_balloon: do not use 2MB without batching + +From: Nadav Amit + +commit 5081efd112560d3febb328e627176235b250d59d upstream. + +If the hypervisor sets 2MB batching is on, while batching is cleared, +the balloon code breaks. In this case the legacy mechanism is used with +2MB page. The VM would report a 2MB page is ballooned, and the +hypervisor would only take the first 4KB. + +While the hypervisor should not report such settings, make the code more +robust by not enabling 2MB support without batching. + +Fixes: 365bd7ef7ec8e ("VMware balloon: Support 2m page ballooning.") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -341,7 +341,13 @@ static bool vmballoon_send_start(struct + success = false; + } + +- if (b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) ++ /* ++ * 2MB pages are only supported with batching. If batching is for some ++ * reason disabled, do not use 2MB pages, since otherwise the legacy ++ * mechanism is used with 2MB pages, causing a failure. ++ */ ++ if ((b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) && ++ (b->capabilities & VMW_BALLOON_BATCHED_CMDS)) + b->supported_page_sizes = 2; + else + b->supported_page_sizes = 1; diff --git a/queue-4.14/vmw_balloon-fix-inflation-of-64-bit-gfns.patch b/queue-4.14/vmw_balloon-fix-inflation-of-64-bit-gfns.patch new file mode 100644 index 00000000000..e5fd61b2ce3 --- /dev/null +++ b/queue-4.14/vmw_balloon-fix-inflation-of-64-bit-gfns.patch @@ -0,0 +1,70 @@ +From 09755690c6b7c1eabdc4651eb3b276f8feb1e447 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:24 -0700 +Subject: vmw_balloon: fix inflation of 64-bit GFNs + +From: Nadav Amit + +commit 09755690c6b7c1eabdc4651eb3b276f8feb1e447 upstream. + +When balloon batching is not supported by the hypervisor, the guest +frame number (GFN) must fit in 32-bit. However, due to a bug, this check +was mistakenly ignored. In practice, when total RAM is greater than +16TB, the balloon does not work currently, making this bug unlikely to +happen. + +Fixes: ef0f8f112984 ("VMware balloon: partially inline vmballoon_reserve_page.") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -450,7 +450,7 @@ static int vmballoon_send_lock_page(stru + + pfn32 = (u32)pfn; + if (pfn32 != pfn) +- return -1; ++ return -EINVAL; + + STATS_INC(b->stats.lock[false]); + +@@ -460,7 +460,7 @@ static int vmballoon_send_lock_page(stru + + pr_debug("%s - ppn %lx, hv returns %ld\n", __func__, pfn, status); + STATS_INC(b->stats.lock_fail[false]); +- return 1; ++ return -EIO; + } + + static int vmballoon_send_batched_lock(struct vmballoon *b, +@@ -597,11 +597,12 @@ static int vmballoon_lock_page(struct vm + + locked = vmballoon_send_lock_page(b, page_to_pfn(page), &hv_status, + target); +- if (locked > 0) { ++ if (locked) { + STATS_INC(b->stats.refused_alloc[false]); + +- if (hv_status == VMW_BALLOON_ERROR_RESET || +- hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED) { ++ if (locked == -EIO && ++ (hv_status == VMW_BALLOON_ERROR_RESET || ++ hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED)) { + vmballoon_free_page(page, false); + return -EIO; + } +@@ -617,7 +618,7 @@ static int vmballoon_lock_page(struct vm + } else { + vmballoon_free_page(page, false); + } +- return -EIO; ++ return locked; + } + + /* track allocated page */ diff --git a/queue-4.14/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch b/queue-4.14/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch new file mode 100644 index 00000000000..61f2e9b7114 --- /dev/null +++ b/queue-4.14/vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch @@ -0,0 +1,53 @@ +From c3cc1b0fc27508da53fe955a3b23d03964410682 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:27 -0700 +Subject: vmw_balloon: fix VMCI use when balloon built into kernel + +From: Nadav Amit + +commit c3cc1b0fc27508da53fe955a3b23d03964410682 upstream. + +Currently, when all modules, including VMCI and VMware balloon are built +into the kernel, the initialization of the balloon happens before the +VMCI is probed. As a result, the balloon fails to initialize the VMCI +doorbell, which it uses to get asynchronous requests for balloon size +changes. + +The problem can be seen in the logs, in the form of the following +message: + "vmw_balloon: failed to initialize vmci doorbell" + +The driver would work correctly but slightly less efficiently, probing +for requests periodically. This patch changes the balloon to be +initialized using late_initcall() instead of module_init() to address +this issue. It does not address a situation in which VMCI is built as a +module and the balloon is built into the kernel. + +Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -1297,7 +1297,14 @@ static int __init vmballoon_init(void) + + return 0; + } +-module_init(vmballoon_init); ++ ++/* ++ * Using late_initcall() instead of module_init() allows the balloon to use the ++ * VMCI doorbell even when the balloon is built into the kernel. Otherwise the ++ * VMCI is probed only after the balloon is initialized. If the balloon is used ++ * as a module, late_initcall() is equivalent to module_init(). ++ */ ++late_initcall(vmballoon_init); + + static void __exit vmballoon_exit(void) + { diff --git a/queue-4.14/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch b/queue-4.14/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch new file mode 100644 index 00000000000..fb30d6049bb --- /dev/null +++ b/queue-4.14/vmw_balloon-vmci_doorbell_set-does-not-check-status.patch @@ -0,0 +1,76 @@ +From ce664331b2487a5d244a51cbdd8cb54f866fbe5d Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 19 Jun 2018 16:00:26 -0700 +Subject: vmw_balloon: VMCI_DOORBELL_SET does not check status + +From: Nadav Amit + +commit ce664331b2487a5d244a51cbdd8cb54f866fbe5d upstream. + +When vmballoon_vmci_init() sets a doorbell using VMCI_DOORBELL_SET, for +some reason it does not consider the status and looks at the result. +However, the hypervisor does not update the result - it updates the +status. This might cause VMCI doorbell not to be enabled, resulting in +degraded performance. + +Fixes: 48e3d668b790 ("VMware balloon: Enable notification via VMCI") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -1036,29 +1036,30 @@ static void vmballoon_vmci_cleanup(struc + */ + static int vmballoon_vmci_init(struct vmballoon *b) + { +- int error = 0; ++ unsigned long error, dummy; + +- if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) != 0) { +- error = vmci_doorbell_create(&b->vmci_doorbell, +- VMCI_FLAG_DELAYED_CB, +- VMCI_PRIVILEGE_FLAG_RESTRICTED, +- vmballoon_doorbell, b); +- +- if (error == VMCI_SUCCESS) { +- VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, +- b->vmci_doorbell.context, +- b->vmci_doorbell.resource, error); +- STATS_INC(b->stats.doorbell_set); +- } +- } ++ if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) == 0) ++ return 0; + +- if (error != 0) { +- vmballoon_vmci_cleanup(b); ++ error = vmci_doorbell_create(&b->vmci_doorbell, VMCI_FLAG_DELAYED_CB, ++ VMCI_PRIVILEGE_FLAG_RESTRICTED, ++ vmballoon_doorbell, b); + +- return -EIO; +- } ++ if (error != VMCI_SUCCESS) ++ goto fail; ++ ++ error = VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, b->vmci_doorbell.context, ++ b->vmci_doorbell.resource, dummy); ++ ++ STATS_INC(b->stats.doorbell_set); ++ ++ if (error != VMW_BALLOON_SUCCESS) ++ goto fail; + + return 0; ++fail: ++ vmballoon_vmci_cleanup(b); ++ return -EIO; + } + + /*