From: Greg Kroah-Hartman Date: Thu, 1 Feb 2018 13:15:09 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.115~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c02157e4ce81f62820c78db59737163bfb16b173;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch arm-dts-nsp-fix-ppi-interrupt-types.patch auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch bcache-check-return-value-of-register_shrinker.patch bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch btrfs-fix-deadlock-when-writing-out-space-cache.patch cpufreq-add-loongson-machine-dependencies.patch cpupower-fix-cpupower-working-when-cpu0-is-offline.patch cpupowerutils-bench-fix-cpu-online-check.patch drm-amdgpu-don-t-try-to-move-pinned-bos.patch drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch drm-amdkfd-fix-sdma-oversubsription-handling.patch drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch drm-bridge-tc358767-filter-out-too-high-modes.patch drm-bridge-tc358767-fix-1-lane-behavior.patch drm-bridge-tc358767-fix-auxdatan-registers-access.patch drm-bridge-tc358767-fix-dp0_misc-register-set.patch drm-bridge-tc358767-fix-timing-calculations.patch drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch drm-vc4-account-for-interrupts-in-flight.patch drm-vc4-move-irq-enable-to-pm-path.patch grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch hwmon-pmbus-use-64bit-math-for-direct-format-values.patch iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch kmemleak-add-scheduling-point-to-kmemleak_scan.patch kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch kvm-x86-fix-operand-address-size-during-instruction-decoding.patch 
kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch mac80211-fix-the-update-of-path-metric-for-rann-frame.patch media-usbtv-add-a-new-usbid.patch net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch nfsd-check-for-use-of-the-closed-special-stateid.patch nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch openvswitch-fix-the-incorrect-flow-action-alloc-size.patch quota-check-for-register_shrinker-failure.patch reiserfs-remove-unneeded-i_version-bump.patch scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch sunrpc-allow-connect-to-return-ehostunreach.patch usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch xen-netfront-remove-warning-when-unloading-module.patch xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch xfs-fortify-xfs_alloc_buftarg-error-handling.patch xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch xfs-ubsan-fixes.patch --- diff --git a/queue-4.9/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch b/queue-4.9/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch new file mode 100644 index 00000000000..0563d8e9e6d --- /dev/null +++ b/queue-4.9/acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch 
@@ -0,0 +1,49 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Hans de Goede +Date: Sun, 15 Oct 2017 21:24:49 +0200 +Subject: ACPI / bus: Leave modalias empty for devices which are not present + +From: Hans de Goede + + +[ Upstream commit 10809bb976648ac58194a629e3d7af99e7400297 ] + +Most Bay and Cherry Trail devices use a generic DSDT with all possible +peripheral devices present in the DSDT, with their _STA returning 0x00 or +0x0f based on AML variables which describe what is actually present on +the board. + +Since ACPI device objects with a 0x00 status (not present) still get an +entry under /sys/bus/acpi/devices, and those entry had an acpi:PNPID +modalias, userspace would end up loading modules for non present hardware. + +This commit fixes this by leaving the modalias empty for non present +devices. This results in 10 modules less being loaded with a generic +distro kernel config on my Cherry Trail test-device (a GPD pocket). + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/device_sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index 7b2c48fde4e2..201c7ceb7052 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -146,6 +146,10 @@ static int create_pnp_modalias(struct acpi_device *acpi_dev, char *modalias, + int count; + struct acpi_hardware_id *id; + ++ /* Avoid unnecessarily loading modules for non present devices. */ ++ if (!acpi_device_is_present(acpi_dev)) ++ return 0; ++ + /* + * Since we skip ACPI_DT_NAMESPACE_HID from the modalias below, 0 should + * be returned if ACPI_DT_NAMESPACE_HID is the only ACPI/PNP ID in the +-- +2.16.1 + diff --git a/queue-4.9/arm-dts-nsp-fix-ppi-interrupt-types.patch b/queue-4.9/arm-dts-nsp-fix-ppi-interrupt-types.patch new file mode 100644 index 00000000000..fcf2ecff7a9 --- /dev/null 
+++ b/queue-4.9/arm-dts-nsp-fix-ppi-interrupt-types.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Florian Fainelli +Date: Tue, 7 Nov 2017 11:10:29 -0800 +Subject: ARM: dts: NSP: Fix PPI interrupt types + +From: Florian Fainelli + + +[ Upstream commit 5f1aa51c7a1eef1c5a60b8334e32c89904964245 ] + +Booting a kernel results in the kernel warning us about the following +PPI interrupts configuration: +[ 0.105127] smp: Bringing up secondary CPUs ... +[ 0.110545] GIC: PPI11 is secure or misconfigured +[ 0.110551] GIC: PPI13 is secure or misconfigured + +Fix this by using the appropriate edge configuration for PPI11 and +PPI13, this is similar to what was fixed for Northstar (BCM5301X) in +commit 0e34079cd1f6 ("ARM: dts: BCM5301X: Correct GIC_PPI interrupt +flags"). + +Fixes: 7b2e987de207 ("ARM: NSP: add minimal Northstar Plus device tree") +Fixes: 1a9d53cabaf4 ("ARM: dts: NSP: Add TWD Support to DT") +Acked-by: Jon Mason +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-nsp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm-nsp.dtsi ++++ b/arch/arm/boot/dts/bcm-nsp.dtsi +@@ -85,7 +85,7 @@ + timer@20200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x20200 0x100>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + }; + +@@ -93,7 +93,7 @@ + compatible = "arm,cortex-a9-twd-timer"; + reg = <0x20600 0x20>; + interrupts = ; ++ IRQ_TYPE_EDGE_RISING)>; + clocks = <&periph_clk>; + }; + diff --git a/queue-4.9/auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch b/queue-4.9/auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch new file mode 100644 index 00000000000..a1d28b942d0 --- /dev/null +++ b/queue-4.9/auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch 
@@ -0,0 +1,33 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Thomas Meyer +Date: Thu, 10 Aug 2017 10:53:53 +0200 +Subject: auxdisplay: img-ascii-lcd: Only build on archs that have IOMEM + +From: Thomas Meyer + + +[ Upstream commit 141cbfba1d0502006463aa80f57c64086226af1a ] + +This avoids the MODPOST error: + + ERROR: "devm_ioremap_resource" [drivers/auxdisplay/img-ascii-lcd.ko] undefined! + +Signed-off-by: Thomas Meyer +Acked-by: Randy Dunlap +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/auxdisplay/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/auxdisplay/Kconfig ++++ b/drivers/auxdisplay/Kconfig +@@ -121,6 +121,7 @@ config CFAG12864B_RATE + + config IMG_ASCII_LCD + tristate "Imagination Technologies ASCII LCD Display" ++ depends on HAS_IOMEM + default y if MIPS_MALTA || MIPS_SEAD3 + select SYSCON + help diff --git a/queue-4.9/bcache-check-return-value-of-register_shrinker.patch b/queue-4.9/bcache-check-return-value-of-register_shrinker.patch new file mode 100644 index 00000000000..0ee7964bbb3 --- /dev/null +++ b/queue-4.9/bcache-check-return-value-of-register_shrinker.patch 
@@ -0,0 +1,40 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Michael Lyle +Date: Fri, 24 Nov 2017 15:14:27 -0800 +Subject: bcache: check return value of register_shrinker + +From: Michael Lyle + + +[ Upstream commit 6c4ca1e36cdc1a0a7a84797804b87920ccbebf51 ] + +register_shrinker is now __must_check, so check it to kill a warning. +Caller of bch_btree_cache_alloc in super.c appropriately checks return +value so this is fully plumbed through. + +This V2 fixes checkpatch warnings and improves the commit description, +as I was too hasty getting the previous version out. + +Signed-off-by: Michael Lyle +Reviewed-by: Vojtech Pavlik +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -803,7 +803,10 @@ int bch_btree_cache_alloc(struct cache_s + c->shrink.scan_objects = bch_mca_scan; + c->shrink.seeks = 4; + c->shrink.batch = c->btree_pages * 2; +- register_shrinker(&c->shrink); ++ ++ if (register_shrinker(&c->shrink)) ++ pr_warn("bcache: %s: could not register shrinker", ++ __func__); + + return 0; + } diff --git a/queue-4.9/bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch b/queue-4.9/bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch new file mode 100644 index 00000000000..ec4e66d9e70 --- /dev/null +++ b/queue-4.9/bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch 
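Review bot: In the bcache patch's `bch_btree_cache_alloc()` hunk, a failed `register_shrinker()` is only logged and the function still falls through to `return 0`, so the caller-side check that the description calls "fully plumbed through" never sees this failure. If the shrinker is what lets the btree node cache be trimmed under memory pressure (presumably, given `bch_mca_scan`), the cache set would keep running with memory the kernel cannot reclaim. Consider propagating the failure with `return -ENOMEM;`, or add a comment stating why continuing without a shrinker is acceptable. The `pr_warn()` format string also lacks its terminating newline and should read `"bcache: %s: could not register shrinker\n"`. The function body starts outside the hunk.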
@@ -0,0 +1,38 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Christophe JAILLET +Date: Tue, 21 Nov 2017 20:46:49 +0100 +Subject: bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()' + +From: Christophe JAILLET + + +[ Upstream commit dea521a2b9f96e905fa2bb2f95e23ec00c2ec436 ] + +Error code returned by 'bnxt_read_sfp_module_eeprom_info()' is handled a +few lines above when reading the A0 portion of the EEPROM. +The same should be done when reading the A2 portion of the EEPROM. + +In order to correctly propagate an error, update 'rc' in this 2nd call as +well, otherwise 0 (success) is returned. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -1843,8 +1843,8 @@ static int bnxt_get_module_eeprom(struct + /* Read A2 portion of the EEPROM */ + if (length) { + start -= ETH_MODULE_SFF_8436_LEN; +- bnxt_read_sfp_module_eeprom_info(bp, I2C_DEV_ADDR_A2, 1, start, +- length, data); ++ rc = bnxt_read_sfp_module_eeprom_info(bp, I2C_DEV_ADDR_A2, 1, ++ start, length, data); + } + return rc; + } diff --git a/queue-4.9/btrfs-fix-deadlock-when-writing-out-space-cache.patch b/queue-4.9/btrfs-fix-deadlock-when-writing-out-space-cache.patch new file mode 100644 index 00000000000..1bed77081c0 --- /dev/null +++ b/queue-4.9/btrfs-fix-deadlock-when-writing-out-space-cache.patch 
@@ -0,0 +1,46 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Josef Bacik +Date: Wed, 15 Nov 2017 16:20:52 -0500 +Subject: btrfs: fix deadlock when writing out space cache + +From: Josef Bacik + + +[ Upstream commit b77000ed558daa3bef0899d29bf171b8c9b5e6a8 ] + +If we fail to prepare our pages for whatever reason (out of memory in +our case) we need to make sure to drop the block_group->data_rwsem, +otherwise hilarity ensues. + +Signed-off-by: Josef Bacik +Reviewed-by: Omar Sandoval +Reviewed-by: Liu Bo +Reviewed-by: David Sterba +[ add label and use existing unlocking code ] +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/free-space-cache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -1253,7 +1253,7 @@ static int __btrfs_write_out_cache(struc + /* Lock all pages first so we can lock the extent safely. */ + ret = io_ctl_prepare_pages(io_ctl, inode, 0); + if (ret) +- goto out; ++ goto out_unlock; + + lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1, + &cached_state); +@@ -1346,6 +1346,7 @@ out_nospc_locked: + out_nospc: + cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list); + ++out_unlock: + if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA)) + up_write(&block_group->data_rwsem); + diff --git a/queue-4.9/cpufreq-add-loongson-machine-dependencies.patch b/queue-4.9/cpufreq-add-loongson-machine-dependencies.patch new file mode 100644 index 00000000000..f7f9f64f5fe --- /dev/null +++ b/queue-4.9/cpufreq-add-loongson-machine-dependencies.patch 
@@ -0,0 +1,52 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: James Hogan +Date: Wed, 15 Nov 2017 21:17:55 +0000 +Subject: cpufreq: Add Loongson machine dependencies + +From: James Hogan + + +[ Upstream commit 0d307935fefa6389eb726c6362351c162c949101 ] + +The MIPS loongson cpufreq drivers don't build unless configured for the +correct machine type, due to dependency on machine specific architecture +headers and symbols in machine specific platform code. + +More specifically loongson1-cpufreq.c uses RST_CPU_EN and RST_CPU, +neither of which is defined in asm/mach-loongson32/regs-clk.h unless +CONFIG_LOONGSON1_LS1B=y, and loongson2_cpufreq.c references +loongson2_clockmod_table[], which is only defined in +arch/mips/loongson64/lemote-2f/clock.c, i.e. when +CONFIG_LEMOTE_MACH2F=y. + +Add these dependencies to Kconfig to avoid randconfig / allyesconfig +build failures (e.g. when based on BMIPS which also has a cpufreq +driver). + +Signed-off-by: James Hogan +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/cpufreq/Kconfig ++++ b/drivers/cpufreq/Kconfig +@@ -273,6 +273,7 @@ endif + if MIPS + config LOONGSON2_CPUFREQ + tristate "Loongson2 CPUFreq Driver" ++ depends on LEMOTE_MACH2F + help + This option adds a CPUFreq driver for loongson processors which + support software configurable cpu frequency. +@@ -285,6 +286,7 @@ config LOONGSON2_CPUFREQ + + config LOONGSON1_CPUFREQ + tristate "Loongson1 CPUFreq Driver" ++ depends on LOONGSON1_LS1B + help + This option adds a CPUFreq driver for loongson1 processors which + support software configurable cpu frequency. diff --git a/queue-4.9/cpupower-fix-cpupower-working-when-cpu0-is-offline.patch b/queue-4.9/cpupower-fix-cpupower-working-when-cpu0-is-offline.patch new file mode 100644 index 00000000000..e0d10d60462 --- /dev/null 
+++ b/queue-4.9/cpupower-fix-cpupower-working-when-cpu0-is-offline.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Feb 1 13:58:04 CET 2018 +From: Abhishek Goel +Date: Wed, 15 Nov 2017 14:10:02 +0530 +Subject: cpupower : Fix cpupower working when cpu0 is offline + +From: Abhishek Goel + + +[ Upstream commit dbdc468f35ee827cab2753caa1c660bdb832243a ] + +cpuidle_monitor used to assume that cpu0 is always online which is not +a valid assumption on POWER machines. This patch fixes this by getting +the cpu on which the current thread is running, instead of always using +cpu0 for monitoring which may not be online. + +Signed-off-by: Abhishek Goel +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c ++++ b/tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c +@@ -130,15 +130,18 @@ static struct cpuidle_monitor *cpuidle_r + { + int num; + char *tmp; ++ int this_cpu; ++ ++ this_cpu = sched_getcpu(); + + /* Assume idle state count is the same for all CPUs */ +- cpuidle_sysfs_monitor.hw_states_num = cpuidle_state_count(0); ++ cpuidle_sysfs_monitor.hw_states_num = cpuidle_state_count(this_cpu); + + if (cpuidle_sysfs_monitor.hw_states_num <= 0) + return NULL; + + for (num = 0; num < cpuidle_sysfs_monitor.hw_states_num; num++) { +- tmp = cpuidle_state_name(0, num); ++ tmp = cpuidle_state_name(this_cpu, num); + if (tmp == NULL) + continue; + +@@ -146,7 +149,7 @@ static struct cpuidle_monitor *cpuidle_r + strncpy(cpuidle_cstates[num].name, tmp, CSTATE_NAME_LEN - 1); + free(tmp); + +- tmp = cpuidle_state_desc(0, num); ++ tmp = cpuidle_state_desc(this_cpu, num); + if (tmp == NULL) + continue; + strncpy(cpuidle_cstates[num].desc, tmp, CSTATE_DESC_LEN - 1); 
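Review bot: The value returned by `sched_getcpu()` is used without an error check in the `cpuidle_sysfs.c` hunk. The call returns -1 on failure, and that value would then be passed as the CPU index to `cpuidle_state_count()`, `cpuidle_state_name()` and `cpuidle_state_desc()`. A guard right after the assignment keeps a negative index out of the sysfs path construction: `if (this_cpu < 0) return NULL;`. The hunk also adds no `#include <sched.h>` or `_GNU_SOURCE` definition, and the diffstat lists only these nine changed lines, so it is worth confirming the file already provides a declaration for `sched_getcpu()`. The function begins before the hunk and continues past it.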
diff --git a/queue-4.9/cpupowerutils-bench-fix-cpu-online-check.patch b/queue-4.9/cpupowerutils-bench-fix-cpu-online-check.patch new file mode 100644 index 00000000000..9cfbaa5bcba --- /dev/null +++ b/queue-4.9/cpupowerutils-bench-fix-cpu-online-check.patch @@ -0,0 +1,32 @@ +From foo@baz Thu Feb 1 13:58:04 CET 2018 +From: Abhishek Goel +Date: Tue, 7 Nov 2017 15:17:55 +0530 +Subject: cpupowerutils: bench - Fix cpu online check + +From: Abhishek Goel + + +[ Upstream commit 53d1cd6b125fb9d69303516a1179ebc3b72f797a ] + +cpupower_is_cpu_online was incorrectly checking for 0. This patch fixes +this by checking for 1 when the cpu is online. + +Signed-off-by: Abhishek Goel +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/power/cpupower/bench/system.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/power/cpupower/bench/system.c ++++ b/tools/power/cpupower/bench/system.c +@@ -61,7 +61,7 @@ int set_cpufreq_governor(char *governor, + + dprintf("set %s as cpufreq governor\n", governor); + +- if (cpupower_is_cpu_online(cpu) != 0) { ++ if (cpupower_is_cpu_online(cpu) != 1) { + perror("cpufreq_cpu_exists"); + fprintf(stderr, "error: cpu %u does not exist\n", cpu); + return -1; diff --git a/queue-4.9/drm-amdgpu-don-t-try-to-move-pinned-bos.patch b/queue-4.9/drm-amdgpu-don-t-try-to-move-pinned-bos.patch new file mode 100644 index 00000000000..5d5425e73f8 --- /dev/null +++ b/queue-4.9/drm-amdgpu-don-t-try-to-move-pinned-bos.patch 
@@ -0,0 +1,34 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: "Christian König" +Date: Fri, 24 Nov 2017 11:39:30 +0100 +Subject: drm/amdgpu: don't try to move pinned BOs + +From: "Christian König" + + +[ Upstream commit 6edc6910ba4cd6eab309263539c8f09b8ad772bf ] + +Never try to move pinned BOs during CS. + +Signed-off-by: Christian König +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -416,6 +416,10 @@ static bool amdgpu_cs_try_evict(struct a + if (candidate == lobj) + break; + ++ /* We can't move pinned BOs here */ ++ if (bo->pin_count) ++ continue; ++ + other = amdgpu_mem_type_to_domain(bo->tbo.mem.mem_type); + + /* Check if this BO is in one of the domains we need space for */ diff --git a/queue-4.9/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch b/queue-4.9/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch new file mode 100644 index 00000000000..f212ef4cfe1 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch 
@@ -0,0 +1,98 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Felix Kuehling +Date: Wed, 1 Nov 2017 19:21:55 -0400 +Subject: drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode + +From: Felix Kuehling + + +[ Upstream commit cf21654b40968609779751b34e7923180968fe5b ] + +Fix the SDMA load and unload sequence as suggested by HW document. + +Signed-off-by: shaoyun liu +Signed-off-by: Felix Kuehling +Acked-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c | 47 +++++++++++++++------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c +@@ -367,29 +367,50 @@ static int kgd_hqd_sdma_load(struct kgd_ + { + struct amdgpu_device *adev = get_amdgpu_device(kgd); + struct cik_sdma_rlc_registers *m; ++ unsigned long end_jiffies; + uint32_t sdma_base_addr; ++ uint32_t data; + + m = get_sdma_mqd(mqd); + sdma_base_addr = get_sdma_base_addr(m); + +- WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR, +- m->sdma_rlc_virtual_addr); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL, ++ m->sdma_rlc_rb_cntl & (~SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK)); + +- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, +- m->sdma_rlc_rb_base); ++ end_jiffies = msecs_to_jiffies(2000) + jiffies; ++ while (true) { ++ data = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS); ++ if (data & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK) ++ break; ++ if (time_after(jiffies, end_jiffies)) ++ return -ETIME; ++ usleep_range(500, 1000); ++ } ++ if (m->sdma_engine_id) { ++ data = RREG32(mmSDMA1_GFX_CONTEXT_CNTL); ++ data = REG_SET_FIELD(data, SDMA1_GFX_CONTEXT_CNTL, ++ RESUME_CTX, 0); ++ WREG32(mmSDMA1_GFX_CONTEXT_CNTL, data); ++ } else { ++ data = RREG32(mmSDMA0_GFX_CONTEXT_CNTL); ++ data = REG_SET_FIELD(data, SDMA0_GFX_CONTEXT_CNTL, ++ RESUME_CTX, 0); ++ WREG32(mmSDMA0_GFX_CONTEXT_CNTL, 
data); ++ } + ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, ++ m->sdma_rlc_doorbell); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR, ++ m->sdma_rlc_virtual_addr); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, m->sdma_rlc_rb_base); + WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE_HI, + m->sdma_rlc_rb_base_hi); +- + WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_LO, + m->sdma_rlc_rb_rptr_addr_lo); +- + WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_HI, + m->sdma_rlc_rb_rptr_addr_hi); +- +- WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, +- m->sdma_rlc_doorbell); +- + WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL, + m->sdma_rlc_rb_cntl); + +@@ -493,9 +514,9 @@ static int kgd_hqd_sdma_destroy(struct k + } + + WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, 0); +- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0); +- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0); +- WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, 0); ++ WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL, ++ RREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL) | ++ SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK); + + return 0; + } diff --git a/queue-4.9/drm-amdkfd-fix-sdma-oversubsription-handling.patch b/queue-4.9/drm-amdkfd-fix-sdma-oversubsription-handling.patch new file mode 100644 index 00000000000..298578fa489 --- /dev/null +++ b/queue-4.9/drm-amdkfd-fix-sdma-oversubsription-handling.patch 
@@ -0,0 +1,50 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Felix Kuehling +Date: Wed, 1 Nov 2017 19:21:57 -0400 +Subject: drm/amdkfd: Fix SDMA oversubsription handling + +From: Felix Kuehling + + +[ Upstream commit 8c946b8988acec785bcf67088b6bd0747f36d2d3 ] + +SDMA only supports a fixed number of queues. HWS cannot handle +oversubscription. + +Signed-off-by: shaoyun liu +Signed-off-by: Felix Kuehling +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 18 +++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -205,6 +205,24 @@ int pqm_create_queue(struct process_queu + + switch (type) { + case KFD_QUEUE_TYPE_SDMA: ++ if (dev->dqm->queue_count >= ++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) { ++ pr_err("Over-subscription is not allowed for SDMA.\n"); ++ retval = -EPERM; ++ goto err_create_queue; ++ } ++ ++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid); ++ if (retval != 0) ++ goto err_create_queue; ++ pqn->q = q; ++ pqn->kq = NULL; ++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd, ++ &q->properties.vmid); ++ pr_debug("DQM returned %d for create_queue\n", retval); ++ print_queue(q); ++ break; ++ + case KFD_QUEUE_TYPE_COMPUTE: + /* check if there is over subscription */ + if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) && diff --git a/queue-4.9/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch b/queue-4.9/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch new file mode 100644 index 00000000000..4ba2092255b --- /dev/null +++ b/queue-4.9/drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch 
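Review bot: The new limit in the `KFD_QUEUE_TYPE_SDMA` case of `pqm_create_queue()` compares `dev->dqm->queue_count` with `CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM`, and the hunk does not show that `queue_count` counts SDMA queues only. If it counts queues of every type, compute queues consume the SDMA budget and the check no longer matches the hardware limit it is meant to enforce. If it counts only active queues, inactive SDMA queues escape the limit. The comparison should use a count of SDMA queues specifically, if the queue manager tracks one. Returning `-EPERM` for an exhausted hardware resource also reads as a permission failure to user space, where a resource-exhaustion code would fit better. The rest of the new case repeats the `create_cp_queue()` / `ops.create_queue()` sequence that the old fall-through shared with the compute case, which is worth a comment so the two copies stay in step.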
@@ -0,0 +1,36 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: shaoyunl +Date: Wed, 1 Nov 2017 19:21:56 -0400 +Subject: drm/amdkfd: Fix SDMA ring buffer size calculation + +From: shaoyunl + + +[ Upstream commit d12fb13f23199faa7e536acec1db49068e5a067d ] + +ffs function return the position of the first bit set on 1 based. +(bit zero returns 1). + +Signed-off-by: shaoyun liu +Signed-off-by: Felix Kuehling +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c +@@ -215,8 +215,8 @@ static int update_mqd_sdma(struct mqd_ma + BUG_ON(!mm || !mqd || !q); + + m = get_sdma_mqd(mqd); +- m->sdma_rlc_rb_cntl = ffs(q->queue_size / sizeof(unsigned int)) << +- SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT | ++ m->sdma_rlc_rb_cntl = (ffs(q->queue_size / sizeof(unsigned int)) - 1) ++ << SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT | + q->vmid << SDMA0_RLC0_RB_CNTL__RB_VMID__SHIFT | + 1 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_ENABLE__SHIFT | + 6 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_TIMER__SHIFT; diff --git a/queue-4.9/drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch b/queue-4.9/drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch new file mode 100644 index 00000000000..62a16d1bc55 --- /dev/null +++ b/queue-4.9/drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch 
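Review bot: In `update_mqd_sdma()`, the new expression `ffs(q->queue_size / sizeof(unsigned int)) - 1` evaluates to -1 when `queue_size` is smaller than four bytes, because `ffs(0)` is 0. Left-shifting that negative value into the `RB_SIZE` field is undefined behaviour and would in practice set the bits above the field in `sdma_rlc_rb_cntl` as well. If `queue_size` comes from a user-supplied ring size, a zero or undersized value has to be rejected before this point; the hunk does not show where it is validated. Alternatively, guard it here with `if (q->queue_size < sizeof(unsigned int)) return -EINVAL;` ahead of the assignment. Since `ffs()` reports the lowest set bit, a size that is not a power of two would also program a ring smaller than the buffer, so the same validation should require a power of two. The function starts and ends outside the hunk.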
@@ -0,0 +1,54 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Andrey Gusakov +Date: Tue, 7 Nov 2017 19:56:19 +0300 +Subject: drm/bridge: tc358767: do no fail on hi-res displays + +From: Andrey Gusakov + + +[ Upstream commit cffd2b16c01c3431a7a7dd62e722af33490fc436 ] + +Do not fail data rates higher than 2.7 and more than 2 lanes. +Try to fall back to 2.7Gbps and 2 lanes. + +Acked-by: Philipp Zabel +Reviewed-by: Andrzej Hajda +Signed-off-by: Andrey Gusakov +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-2-git-send-email-andrey.gusakov@cogentembedded.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/tc358767.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -603,8 +603,15 @@ static int tc_get_display_props(struct t + ret = drm_dp_link_probe(&tc->aux, &tc->link.base); + if (ret < 0) + goto err_dpcd_read; +- if ((tc->link.base.rate != 162000) && (tc->link.base.rate != 270000)) +- goto err_dpcd_inval; ++ if (tc->link.base.rate != 162000 && tc->link.base.rate != 270000) { ++ dev_dbg(tc->dev, "Falling to 2.7 Gbps rate\n"); ++ tc->link.base.rate = 270000; ++ } ++ ++ if (tc->link.base.num_lanes > 2) { ++ dev_dbg(tc->dev, "Falling to 2 lanes\n"); ++ tc->link.base.num_lanes = 2; ++ } + + ret = drm_dp_dpcd_readb(&tc->aux, DP_MAX_DOWNSPREAD, tmp); + if (ret < 0) +@@ -637,9 +644,6 @@ static int tc_get_display_props(struct t + err_dpcd_read: + dev_err(tc->dev, "failed to read DPCD: %d\n", ret); + return ret; +-err_dpcd_inval: +- dev_err(tc->dev, "invalid DPCD\n"); +- return -EINVAL; + } + + static int tc_set_video_mode(struct tc_data *tc, struct drm_display_mode *mode) diff --git a/queue-4.9/drm-bridge-tc358767-filter-out-too-high-modes.patch b/queue-4.9/drm-bridge-tc358767-filter-out-too-high-modes.patch new file mode 100644 index 00000000000..2563dcec036 --- /dev/null 
+++ b/queue-4.9/drm-bridge-tc358767-filter-out-too-high-modes.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Andrey Gusakov +Date: Tue, 7 Nov 2017 19:56:20 +0300 +Subject: drm/bridge: tc358767: filter out too high modes + +From: Andrey Gusakov + + +[ Upstream commit 99fc8e963a4c0203dba26a77cf737db6081bca14 ] + +Pixel clock limitation for DPI is 154 MHz. Do not accept modes +with higher pixel clock rate. + +Reviewed-by: Andrzej Hajda +Signed-off-by: Andrey Gusakov +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-3-git-send-email-andrey.gusakov@cogentembedded.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/tc358767.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -1109,7 +1109,10 @@ static bool tc_bridge_mode_fixup(struct + static int tc_connector_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { +- /* Accept any mode */ ++ /* DPI interface clock limitation: upto 154 MHz */ ++ if (mode->clock > 154000) ++ return MODE_CLOCK_HIGH; ++ + return MODE_OK; + } + diff --git a/queue-4.9/drm-bridge-tc358767-fix-1-lane-behavior.patch b/queue-4.9/drm-bridge-tc358767-fix-1-lane-behavior.patch new file mode 100644 index 00000000000..159a4b39db8 --- /dev/null +++ b/queue-4.9/drm-bridge-tc358767-fix-1-lane-behavior.patch 
@@ -0,0 +1,64 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov
+Date: Tue, 7 Nov 2017 19:56:24 +0300
+Subject: drm/bridge: tc358767: fix 1-lane behavior
+
+From: Andrey Gusakov
+
+
+[ Upstream commit 4dbd6c03fbf88299c573d676838896c6e06aade2 ]
+
+Use drm_dp_channel_eq_ok helper
+
+Acked-by: Philipp Zabel
+Signed-off-by: Andrey Gusakov
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-7-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/tc358767.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -819,8 +819,6 @@ static int tc_main_link_setup(struct tc_
+ unsigned int rate;
+ u32 dp_phy_ctrl;
+ int timeout;
+- bool aligned;
+- bool ready;
+ u32 value;
+ int ret;
+ u8 tmp[8];
+@@ -965,16 +963,15 @@ static int tc_main_link_setup(struct tc_
+ ret = drm_dp_dpcd_read_link_status(aux, tmp + 2);
+ if (ret < 0)
+ goto err_dpcd_read;
+- ready = (tmp[2] == ((DP_CHANNEL_EQ_BITS << 4) | /* Lane1 */
+- DP_CHANNEL_EQ_BITS)); /* Lane0 */
+- aligned = tmp[4] & DP_INTERLANE_ALIGN_DONE;
+- } while ((--timeout) && !(ready && aligned));
++ } while ((--timeout) &&
++ !(drm_dp_channel_eq_ok(tmp + 2, tc->link.base.num_lanes)));
+
+ if (timeout == 0) {
+ /* Read DPCD 0x200-0x201 */
+ ret = drm_dp_dpcd_read(aux, DP_SINK_COUNT, tmp, 2);
+ if (ret < 0)
+ goto err_dpcd_read;
++ dev_err(dev, "channel(s) EQ not ok\n");
+ dev_info(dev, "0x0200 SINK_COUNT: 0x%02x\n", tmp[0]);
+ dev_info(dev, "0x0201 DEVICE_SERVICE_IRQ_VECTOR: 0x%02x\n",
+ tmp[1]);
+@@ -985,10 +982,6 @@ static int tc_main_link_setup(struct tc_
+ dev_info(dev, "0x0206 ADJUST_REQUEST_LANE0_1: 0x%02x\n",
+ tmp[6]);
+
+- if (!ready)
+- dev_err(dev, "Lane0/1 not ready\n");
+- if (!aligned)
+- dev_err(dev, "Lane0/1 not aligned\n");
+ return -EAGAIN;
+ }
+
diff --git a/queue-4.9/drm-bridge-tc358767-fix-auxdatan-registers-access.patch b/queue-4.9/drm-bridge-tc358767-fix-auxdatan-registers-access.patch
new file mode 100644
index 00000000000..96cec089d1c
--- /dev/null
+++ b/queue-4.9/drm-bridge-tc358767-fix-auxdatan-registers-access.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov
+Date: Tue, 7 Nov 2017 19:56:23 +0300
+Subject: drm/bridge: tc358767: fix AUXDATAn registers access
+
+From: Andrey Gusakov
+
+
+[ Upstream commit 9217c1abbc145a77d65c476cf2004a3df02104c7 ]
+
+First four bytes should go to DP0_AUXWDATA0. Due to bug if
+len > 4 first four bytes was writen to DP0_AUXWDATA1 and all
+data get shifted by 4 bytes. Fix it.
+
+Acked-by: Philipp Zabel
+Signed-off-by: Andrey Gusakov
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-6-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/tc358767.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -318,7 +318,7 @@ static ssize_t tc_aux_transfer(struct dr
+ tmp = (tmp << 8) | buf[i];
+ i++;
+ if (((i % 4) == 0) || (i == size)) {
+- tc_write(DP0_AUXWDATA(i >> 2), tmp);
++ tc_write(DP0_AUXWDATA((i - 1) >> 2), tmp);
+ tmp = 0;
+ }
+ }
diff --git a/queue-4.9/drm-bridge-tc358767-fix-dp0_misc-register-set.patch b/queue-4.9/drm-bridge-tc358767-fix-dp0_misc-register-set.patch
new file mode 100644
index 00000000000..b53bcff300f
--- /dev/null
+++ b/queue-4.9/drm-bridge-tc358767-fix-dp0_misc-register-set.patch
@@ -0,0 +1,44 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov
+Date: Tue, 7 Nov 2017 19:56:21 +0300
+Subject: drm/bridge: tc358767: fix DP0_MISC register set
+
+From: Andrey Gusakov
+
+
+[ Upstream commit f3b8adbe1911f66fd3cab1aaa74f0f66b7ceda25 ]
+
+Remove shift from TU_SIZE_RECOMMENDED define as it used to
+calculate max_tu_symbols.
+
+Acked-by: Philipp Zabel
+Signed-off-by: Andrey Gusakov
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-4-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/tc358767.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -97,7 +97,7 @@
+ #define DP0_ACTIVEVAL 0x0650
+ #define DP0_SYNCVAL 0x0654
+ #define DP0_MISC 0x0658
+-#define TU_SIZE_RECOMMENDED (0x3f << 16) /* LSCLK cycles per TU */
++#define TU_SIZE_RECOMMENDED (63) /* LSCLK cycles per TU */
+ #define BPC_6 (0 << 5)
+ #define BPC_8 (1 << 5)
+
+@@ -716,7 +716,8 @@ static int tc_set_video_mode(struct tc_d
+ * Must be less than tu_size.
+ */
+ max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
+- tc_write(DP0_MISC, (max_tu_symbol << 23) | TU_SIZE_RECOMMENDED | BPC_8);
++ tc_write(DP0_MISC, (max_tu_symbol << 23) | (TU_SIZE_RECOMMENDED << 16) |
++ BPC_8);
+
+ return 0;
+ err:
diff --git a/queue-4.9/drm-bridge-tc358767-fix-timing-calculations.patch b/queue-4.9/drm-bridge-tc358767-fix-timing-calculations.patch
new file mode 100644
index 00000000000..3cdcdc3f8ff
--- /dev/null
+++ b/queue-4.9/drm-bridge-tc358767-fix-timing-calculations.patch
@@ -0,0 +1,90 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Andrey Gusakov
+Date: Tue, 7 Nov 2017 19:56:22 +0300
+Subject: drm/bridge: tc358767: fix timing calculations
+
+From: Andrey Gusakov
+
+
+[ Upstream commit 66d1c3b94d5d59e4325e61a78d520f92c043d645 ]
+
+Fields in HTIM01 and HTIM02 regs should be even.
+Recomended thresh_dly value is max_tu_symbol.
+Remove set of VPCTRL0.VSDELAY as it is related to DSI input
+interface. Currently driver supports only DPI.
+
+Acked-by: Philipp Zabel
+Signed-off-by: Andrey Gusakov
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/1510073785-16108-5-git-send-email-andrey.gusakov@cogentembedded.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/tc358767.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -659,6 +659,14 @@ static int tc_set_video_mode(struct tc_d
+ int lower_margin = mode->vsync_start - mode->vdisplay;
+ int vsync_len = mode->vsync_end - mode->vsync_start;
+
++ /*
++ * Recommended maximum number of symbols transferred in a transfer unit:
++ * DIV_ROUND_UP((input active video bandwidth in bytes) * tu_size,
++ * (output active video bandwidth in bytes))
++ * Must be less than tu_size.
++ */
++ max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
++
+ dev_dbg(tc->dev, "set mode %dx%d\n",
+ mode->hdisplay, mode->vdisplay);
+ dev_dbg(tc->dev, "H margin %d,%d sync %d\n",
+@@ -668,13 +676,18 @@ static int tc_set_video_mode(struct tc_d
+ dev_dbg(tc->dev, "total: %dx%d\n", mode->htotal, mode->vtotal);
+
+
+- /* LCD Ctl Frame Size */
+- tc_write(VPCTRL0, (0x40 << 20) /* VSDELAY */ |
++ /*
++ * LCD Ctl Frame Size
++ * datasheet is not clear of vsdelay in case of DPI
++ * assume we do not need any delay when DPI is a source of
++ * sync signals
++ */
++ tc_write(VPCTRL0, (0 << 20) /* VSDELAY */ |
+ OPXLFMT_RGB888 | FRMSYNC_DISABLED | MSF_DISABLED);
+- tc_write(HTIM01, (left_margin << 16) | /* H back porch */
+- (hsync_len << 0)); /* Hsync */
+- tc_write(HTIM02, (right_margin << 16) | /* H front porch */
+- (mode->hdisplay << 0)); /* width */
++ tc_write(HTIM01, (ALIGN(left_margin, 2) << 16) | /* H back porch */
++ (ALIGN(hsync_len, 2) << 0)); /* Hsync */
++ tc_write(HTIM02, (ALIGN(right_margin, 2) << 16) | /* H front porch */
++ (ALIGN(mode->hdisplay, 2) << 0)); /* width */
+ tc_write(VTIM01, (upper_margin << 16) | /* V back porch */
+ (vsync_len << 0)); /* Vsync */
+ tc_write(VTIM02, (lower_margin << 16) | /* V front porch */
+@@ -693,7 +706,7 @@ static int tc_set_video_mode(struct tc_d
+ /* DP Main Stream Attributes */
+ vid_sync_dly = hsync_len + left_margin + mode->hdisplay;
+ tc_write(DP0_VIDSYNCDELAY,
+- (0x003e << 16) | /* thresh_dly */
++ (max_tu_symbol << 16) | /* thresh_dly */
+ (vid_sync_dly << 0));
+
+ tc_write(DP0_TOTALVAL, (mode->vtotal << 16) | (mode->htotal));
+@@ -709,13 +722,6 @@ static int tc_set_video_mode(struct tc_d
+ tc_write(DPIPXLFMT, VS_POL_ACTIVE_LOW | HS_POL_ACTIVE_LOW |
+ DE_POL_ACTIVE_HIGH | SUB_CFG_TYPE_CONFIG1 | DPI_BPP_RGB888);
+
+- /*
+- * Recommended maximum number of symbols transferred in a transfer unit:
+- * DIV_ROUND_UP((input active video bandwidth in bytes) * tu_size,
+- * (output active video bandwidth in bytes))
+- * Must be less than tu_size.
+- */
+- max_tu_symbol = TU_SIZE_RECOMMENDED - 1;
+ tc_write(DP0_MISC, (max_tu_symbol << 23) | (TU_SIZE_RECOMMENDED << 16) |
+ BPC_8);
+
diff --git a/queue-4.9/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch b/queue-4.9/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
new file mode 100644
index 00000000000..c5223878a5a
--- /dev/null
+++ b/queue-4.9/drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Christophe JAILLET
+Date: Sun, 24 Sep 2017 08:01:03 +0200
+Subject: drm/omap: Fix error handling path in 'omap_dmm_probe()'
+
+From: Christophe JAILLET
+
+
+[ Upstream commit 8677b1ac2db021ab30bb1fa34f1e56ebe0051ec3 ]
+
+If we don't find a matching device node, we must free the memory allocated
+in 'omap_dmm' a few lines above.
+
+Fixes: 7cb0d6c17b96 ("drm/omap: fix TILER on OMAP5")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -638,7 +638,8 @@ static int omap_dmm_probe(struct platfor
+ match = of_match_node(dmm_of_match, dev->dev.of_node);
+ if (!match) {
+ dev_err(&dev->dev, "failed to find matching device node\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto fail;
+ }
+
+ omap_dmm->plat_data = match->data;
diff --git a/queue-4.9/drm-vc4-account-for-interrupts-in-flight.patch b/queue-4.9/drm-vc4-account-for-interrupts-in-flight.patch
new file mode 100644
index 00000000000..2622c7fa50e
--- /dev/null
+++ b/queue-4.9/drm-vc4-account-for-interrupts-in-flight.patch
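Review bot: HTIM01 and HTIM02 are now written with `ALIGN(..., 2)` values, but `vid_sync_dly = hsync_len + left_margin + mode->hdisplay` in the third hunk of the tc358767 timing patch is still built from the unrounded numbers, as is the DP0_TOTALVAL write shown in its context. For a mode with an odd porch or sync width the DP main-stream attributes would then disagree with what the video path was programmed with, since ALIGN rounds each odd field up by one. Computing the aligned values once into locals and using them in both places, or rejecting odd horizontal timings when modes are validated, would keep the two in step. The write `(0 << 20) /* VSDELAY */` is a no-op kept for documentation; a named constant would say so more clearly. tc_set_video_mode() starts and ends outside these hunks.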
@@ -0,0 +1,51 @@
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Stefan Schake
+Date: Fri, 10 Nov 2017 02:05:06 +0100
+Subject: drm/vc4: Account for interrupts in flight
+
+From: Stefan Schake
+
+
+[ Upstream commit 253696ccd613fbdaa5aba1de44c461a058e0a114 ]
+
+Synchronously disable the IRQ to make the following cancel_work_sync
+invocation effective.
+
+An interrupt in flight could enqueue further overflow mem work. As we
+free the binner BO immediately following vc4_irq_uninstall this caused
+a NULL pointer dereference in the work callback vc4_overflow_mem_work.
+
+Link: https://github.com/anholt/linux/issues/114
+Signed-off-by: Stefan Schake
+Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
+Signed-off-by: Eric Anholt
+Reviewed-by: Eric Anholt
+Link: https://patchwork.freedesktop.org/patch/msgid/1510275907-993-2-git-send-email-stschake@gmail.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/vc4/vc4_irq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,6 +208,9 @@ vc4_irq_postinstall(struct drm_device *d
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
++ /* Undo the effects of a previous vc4_irq_uninstall. */
++ enable_irq(dev->irq);
++
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+@@ -225,6 +228,9 @@ vc4_irq_uninstall(struct drm_device *dev
+ /* Clear any pending interrupts we might have left. */
+ V3D_WRITE(V3D_INTCTL, V3D_DRIVER_IRQS);
+
++ /* Finish any interrupt handler still in flight. */
++ disable_irq(dev->irq);
++
+ cancel_work_sync(&vc4->overflow_mem_work);
+ }
+
diff --git a/queue-4.9/drm-vc4-move-irq-enable-to-pm-path.patch b/queue-4.9/drm-vc4-move-irq-enable-to-pm-path.patch
new file mode 100644
index 00000000000..f028170c233
--- /dev/null
+++ b/queue-4.9/drm-vc4-move-irq-enable-to-pm-path.patch
@@ -0,0 +1,53 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Stefan Schake
+Date: Fri, 29 Dec 2017 17:05:43 +0100
+Subject: drm/vc4: Move IRQ enable to PM path
+
+From: Stefan Schake
+
+
+[ Upstream commit ce9caf2f79a5aa170a4b6456a03db639eed9c988 ]
+
+We were calling enable_irq on bind, where it was already enabled previously
+by the IRQ helper. Additionally, dev->irq is not set correctly until after
+postinstall and so was always zero here, triggering a warning in 4.15.
+Fix both by moving the enable to the power management resume path, where we
+know there was a previous disable invocation during suspend.
+
+Fixes: 253696ccd613 ("drm/vc4: Account for interrupts in flight")
+Signed-off-by: Stefan Schake
+Signed-off-by: Eric Anholt
+Link: https://patchwork.freedesktop.org/patch/msgid/1514563543-32511-1-git-send-email-stschake@gmail.com
+Tested-by: Stefan Wahren
+Reviewed-by: Eric Anholt
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/vc4/vc4_irq.c | 3 ---
+ drivers/gpu/drm/vc4/vc4_v3d.c | 3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_irq.c
++++ b/drivers/gpu/drm/vc4/vc4_irq.c
+@@ -208,9 +208,6 @@ vc4_irq_postinstall(struct drm_device *d
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+
+- /* Undo the effects of a previous vc4_irq_uninstall. */
+- enable_irq(dev->irq);
+-
+ /* Enable both the render done and out of memory interrupts. */
+ V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
+
+--- a/drivers/gpu/drm/vc4/vc4_v3d.c
++++ b/drivers/gpu/drm/vc4/vc4_v3d.c
+@@ -173,6 +173,9 @@ static int vc4_v3d_runtime_resume(struct
+ struct vc4_dev *vc4 = v3d->vc4;
+
+ vc4_v3d_init_hw(vc4->dev);
++
++ /* We disabled the IRQ as part of vc4_irq_uninstall in suspend. */
++ enable_irq(vc4->dev->irq);
+ vc4_irq_postinstall(vc4->dev);
+
+ return 0;
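Review bot: The added `enable_irq(vc4->dev->irq)` in vc4_v3d_runtime_resume() is balanced only if every resume is preceded by a suspend that went through vc4_irq_uninstall(), and nothing in the hunk enforces that pairing. If the runtime-PM core can invoke the resume callback first (for instance when the device is still marked suspended after bind), the IRQ disable depth would underflow and the kernel would warn about an unbalanced enable. The suspend callback and the bind path are outside the hunk, so this needs confirming there; the comment could then state the invariant explicitly, e.g. `/* Pairs with disable_irq() in vc4_irq_uninstall(), called from runtime suspend. */`.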
diff --git a/queue-4.9/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch b/queue-4.9/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
new file mode 100644
index 00000000000..56535696553
--- /dev/null
+++ b/queue-4.9/grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Vasily Averin
+Date: Mon, 6 Nov 2017 16:22:48 +0300
+Subject: grace: replace BUG_ON by WARN_ONCE in exit_net hook
+
+From: Vasily Averin
+
+
+[ Upstream commit b872285751c1af010e12d02bce7069e2061a58ca ]
+
+Signed-off-by: Vasily Averin
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs_common/grace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs_common/grace.c
++++ b/fs/nfs_common/grace.c
+@@ -104,7 +104,9 @@ grace_exit_net(struct net *net)
+ {
+ struct list_head *grace_list = net_generic(net, grace_net_id);
+
+- BUG_ON(!list_empty(grace_list));
++ WARN_ONCE(!list_empty(grace_list),
++ "net %x %s: grace_list is not empty\n",
++ net->ns.inum, __func__);
+ }
+
+ static struct pernet_operations grace_net_ops = {
diff --git a/queue-4.9/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch b/queue-4.9/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
new file mode 100644
index 00000000000..14e44754adb
--- /dev/null
+++ b/queue-4.9/hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
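Review bot: With `BUG_ON` replaced by `WARN_ONCE`, grace_exit_net() returns with entries still linked on `grace_list` whenever the check fires, and the per-net storage holding that list head is presumably released once the exit hook returns (that code is outside the hunk). Any lock manager left on the list would then carry list pointers into freed memory, turning a clean stop into a possible use-after-free on a later list operation. After warning, the hook should unlink whatever is left, for example by walking the list with the safe iterator and calling `list_del_init()` on each entry. Because `WARN_ONCE` fires a single time, later namespaces that hit the same condition will not be logged at all; a rate-limited message would keep that visible.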
@@ -0,0 +1,94 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Robert Lippert
+Date: Mon, 27 Nov 2017 15:51:55 -0800
+Subject: hwmon: (pmbus) Use 64bit math for DIRECT format values
+
+From: Robert Lippert
+
+
+[ Upstream commit bd467e4eababe4c04272c1e646f066db02734c79 ]
+
+Power values in the 100s of watt range can easily blow past
+32bit math limits when processing everything in microwatts.
+
+Use 64bit math instead to avoid these issues on common 32bit ARM
+BMC platforms.
+
+Fixes: 442aba78728e ("hwmon: PMBus device driver")
+Signed-off-by: Robert Lippert
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct
+ static long pmbus_reg2data_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor)
+ {
+- long val = (s16) sensor->data;
+- long m, b, R;
++ s64 b, val = (s16)sensor->data;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val = div_s64(val + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return (val - b) / m;
++ val = div_s64(val - b, m);
++ return clamp_val(val, LONG_MIN, LONG_MAX);
+ }
+
+ /*
+@@ -629,7 +631,8 @@ static u16 pmbus_data2reg_linear(struct
+ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
+ struct pmbus_sensor *sensor, long val)
+ {
+- long m, b, R;
++ s64 b, val64 = val;
++ s32 m, R;
+
+ m = data->info->m[sensor->class];
+ b = data->info->b[sensor->class];
+@@ -646,18 +649,18 @@ static u16 pmbus_data2reg_direct(struct
+ R -= 3; /* Adjust R and b for data in milli-units */
+ b *= 1000;
+ }
+- val = val * m + b;
++ val64 = val64 * m + b;
+
+ while (R > 0) {
+- val *= 10;
++ val64 *= 10;
+ R--;
+ }
+ while (R < 0) {
+- val = DIV_ROUND_CLOSEST(val, 10);
++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */
+ R++;
+ }
+
+- return val;
++ return (u16)clamp_val(val64, S16_MIN, S16_MAX);
+ }
+
+ static u16 pmbus_data2reg_vid(struct pmbus_data *data,
diff --git a/queue-4.9/iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch b/queue-4.9/iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch
new file mode 100644
index 00000000000..003ac2b7b06
--- /dev/null
+++ b/queue-4.9/iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch
@@ -0,0 +1,32 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Emmanuel Grumbach
+Date: Wed, 15 Nov 2017 14:12:30 +0200
+Subject: iwlwifi: mvm: fix the TX queue hang timeout for MONITOR vif type
+
+From: Emmanuel Grumbach
+
+
+[ Upstream commit d1b275ffec459c5ae12b5c7086c84175696e5a9f ]
+
+The MONITOR type is missing in the interface type switch.
+Add it.
+
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Luca Coelho
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -1040,6 +1040,8 @@ unsigned int iwl_mvm_get_wd_timeout(stru
+ return le32_to_cpu(txq_timer->p2p_go);
+ case NL80211_IFTYPE_P2P_DEVICE:
+ return le32_to_cpu(txq_timer->p2p_device);
++ case NL80211_IFTYPE_MONITOR:
++ return default_timeout;
+ default:
+ WARN_ON(1);
+ return mvm->cfg->base_params->wd_timeout;
diff --git a/queue-4.9/kmemleak-add-scheduling-point-to-kmemleak_scan.patch b/queue-4.9/kmemleak-add-scheduling-point-to-kmemleak_scan.patch
new file mode 100644
index 00000000000..7dde9c0dc03
--- /dev/null
+++ b/queue-4.9/kmemleak-add-scheduling-point-to-kmemleak_scan.patch
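Review bot: `div_s64(val + 5LL, 10L)` in the pmbus patch rounds to nearest only for non-negative values: div_s64() truncates toward zero, so -16 yields -1 where the replaced DIV_ROUND_CLOSEST() gave -2. The same expression is used in both pmbus_reg2data_direct() and pmbus_data2reg_direct(), and the register value is sign-extended through `(s16)`, so negative readings do reach it. A sign-aware form such as `val = div_s64(val + (val < 0 ? -5 : 5), 10);` (and the same for `val64`) restores the previous behaviour. Separately, `div_s64(val - b, m)` still divides by a coefficient taken from `data->info` with no zero check visible in the hunk; a guard or a probe-time validation of `m` would turn a bad driver table into an error instead of a division fault.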
@@ -0,0 +1,52 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Yisheng Xie
+Date: Wed, 29 Nov 2017 16:11:08 -0800
+Subject: kmemleak: add scheduling point to kmemleak_scan()
+
+From: Yisheng Xie
+
+
+[ Upstream commit bde5f6bc68db51128f875a756e9082a6c6ff7b4c ]
+
+kmemleak_scan() will scan struct page for each node and it can be really
+large and resulting in a soft lockup. We have seen a soft lockup when
+do scan while compile kernel:
+
+ watchdog: BUG: soft lockup - CPU#53 stuck for 22s! [bash:10287]
+ [...]
+ Call Trace:
+ kmemleak_scan+0x21a/0x4c0
+ kmemleak_write+0x312/0x350
+ full_proxy_write+0x5a/0xa0
+ __vfs_write+0x33/0x150
+ vfs_write+0xad/0x1a0
+ SyS_write+0x52/0xc0
+ do_syscall_64+0x61/0x1a0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Fix this by adding cond_resched every MAX_SCAN_SIZE.
+
+Link: http://lkml.kernel.org/r/1511439788-20099-1-git-send-email-xieyisheng1@huawei.com
+Signed-off-by: Yisheng Xie
+Suggested-by: Catalin Marinas
+Acked-by: Catalin Marinas
+Cc: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kmemleak.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1442,6 +1442,8 @@ static void kmemleak_scan(void)
+ if (page_count(page) == 0)
+ continue;
+ scan_block(page, page + 1, NULL);
++ if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page))))
++ cond_resched();
+ }
+ }
+ put_online_mems();
diff --git a/queue-4.9/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch b/queue-4.9/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
new file mode 100644
index 00000000000..579dc7c1e09
--- /dev/null
+++ b/queue-4.9/kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
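Review bot: The `cond_resched()` check in kmemleak_scan() sits after the `continue` visible in the context, so a pfn that falls on the interval but belongs to a page with `page_count(page) == 0` skips the scheduling point. Over a long run of unused pages the loop can therefore still go many intervals without yielding, which is the soft-lockup condition the patch targets. Placing `if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page)))) cond_resched();` as the first statement of the loop body makes the yield independent of the page state. The loop header and any earlier `continue` are outside the hunk.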
@@ -0,0 +1,98 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Wanpeng Li
+Date: Mon, 20 Nov 2017 14:52:21 -0800
+Subject: KVM: VMX: Fix rflags cache during vCPU reset
+
+From: Wanpeng Li
+
+
+[ Upstream commit c37c28730bb031cc8a44a130c2555c0f3efbe2d0 ]
+
+Reported by syzkaller:
+
+ *** Guest State ***
+ CR0: actual=0x0000000080010031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
+ CR4: actual=0x0000000000002061, shadow=0x0000000000000000, gh_mask=ffffffffffffe8f1
+ CR3 = 0x000000002081e000
+ RSP = 0x000000000000fffa RIP = 0x0000000000000000
+ RFLAGS=0x00023000 DR7 = 0x00000000000000
+ ^^^^^^^^^^
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 24431 at /home/kernel/linux/arch/x86/kvm//x86.c:7302 kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ CPU: 6 PID: 24431 Comm: reprotest Tainted: G W OE 4.14.0+ #26
+ RIP: 0010:kvm_arch_vcpu_ioctl_run+0x651/0x2ea0 [kvm]
+ RSP: 0018:ffff880291d179e0 EFLAGS: 00010202
+ Call Trace:
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The failed vmentry is triggered by the following beautified testcase:
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ long r[5];
+ int main()
+ {
+ struct kvm_debugregs dr = { 0 };
+
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+ struct kvm_guest_debug debug = {
+ .control = 0xf0403,
+ .arch = {
+ .debugreg[6] = 0x2,
+ .debugreg[7] = 0x2
+ }
+ };
+ ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
+ ioctl(r[4], KVM_RUN, 0);
+ }
+
+which testcase tries to setup the processor specific debug
+registers and configure vCPU for handling guest debug events through
+KVM_SET_GUEST_DEBUG. The KVM_SET_GUEST_DEBUG ioctl will get and set
+rflags in order to set TF bit if single step is needed. All regs' caches
+are reset to avail and GUEST_RFLAGS vmcs field is reset to 0x2 during vCPU
+reset. However, the cache of rflags is not reset during vCPU reset. The
+function vmx_get_rflags() returns an unreset rflags cache value since
+the cache is marked avail, it is 0 after boot. Vmentry fails if the
+rflags reserved bit 1 is 0.
+
+This patch fixes it by resetting both the GUEST_RFLAGS vmcs field and
+its cache to 0x2 during vCPU reset.
+
+Reported-by: Dmitry Vyukov
+Tested-by: Dmitry Vyukov
+Reviewed-by: David Hildenbrand
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Nadav Amit
+Cc: Dmitry Vyukov
+Signed-off-by: Wanpeng Li
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5194,7 +5194,7 @@ static void vmx_vcpu_reset(struct kvm_vc
+ vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
+ }
+
+- vmcs_writel(GUEST_RFLAGS, 0x02);
++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
+ kvm_rip_write(vcpu, 0xfff0);
+
+ vmcs_writel(GUEST_GDTR_BASE, 0);
diff --git a/queue-4.9/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch b/queue-4.9/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
new file mode 100644
index 00000000000..8601f66a960
--- /dev/null
+++ b/queue-4.9/kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Liran Alon
+Date: Sun, 5 Nov 2017 16:56:34 +0200
+Subject: KVM: x86: Don't re-execute instruction when not passing CR2 value
+
+From: Liran Alon
+
+
+[ Upstream commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 ]
+
+In case of instruction-decode failure or emulation failure,
+x86_emulate_instruction() will call reexecute_instruction() which will
+attempt to use the cr2 value passed to x86_emulate_instruction().
+However, when x86_emulate_instruction() is called from
+emulate_instruction(), cr2 is not passed (passed as 0) and therefore
+it doesn't make sense to execute reexecute_instruction() logic at all.
+
+Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")
+
+Signed-off-by: Liran Alon
+Reviewed-by: Nikita Leshenko
+Reviewed-by: Konrad Rzeszutek Wilk
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Wanpeng Li
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/kvm_host.h | 3 ++-
+ arch/x86/kvm/vmx.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1113,7 +1113,8 @@ int x86_emulate_instruction(struct kvm_v
+ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
+ int emulation_type)
+ {
+- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
++ return x86_emulate_instruction(vcpu, 0,
++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
+ }
+
+ void kvm_enable_efer_bits(u64);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6257,7 +6257,7 @@ static int handle_invalid_guest_state(st
+ if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
+ return 1;
+
+- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
++ err = emulate_instruction(vcpu, 0);
+
+ if (err == EMULATE_USER_EXIT) {
+ ++vcpu->stat.mmio_exits;
diff --git a/queue-4.9/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch b/queue-4.9/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
new file mode 100644
index 00000000000..6f80e98d2b1
--- /dev/null
+++ b/queue-4.9/kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Liran Alon
+Date: Sun, 5 Nov 2017 16:56:33 +0200
+Subject: KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
+
+From: Liran Alon
+
+
+[ Upstream commit 1f4dcb3b213235e642088709a1c54964d23365e9 ]
+
+On this case, handle_emulation_failure() fills kvm_run with
+internal-error information which it expects to be delivered
+to user-mode for further processing.
+However, the code reports a wrong return-value which makes KVM to never
+return to user-mode on this scenario.
+
+Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
+userspace")
+
+Signed-off-by: Liran Alon
+Reviewed-by: Nikita Leshenko
+Reviewed-by: Konrad Rzeszutek Wilk
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Wanpeng Li
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5308,7 +5308,7 @@ static int handle_emulation_failure(stru
+ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+ vcpu->run->internal.ndata = 0;
+- r = EMULATE_FAIL;
++ r = EMULATE_USER_EXIT;
+ }
+ kvm_queue_exception(vcpu, UD_VECTOR);
+
diff --git a/queue-4.9/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch b/queue-4.9/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
new file mode 100644
index 00000000000..65ce5185c23
--- /dev/null
+++ b/queue-4.9/kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
@@ -0,0 +1,61 @@
+From foo@baz Thu Feb 1 13:58:04 CET 2018
+From: Wanpeng Li
+Date: Sun, 5 Nov 2017 16:54:47 -0800
+Subject: KVM: X86: Fix operand/address-size during instruction decoding
+
+From: Wanpeng Li
+
+
+[ Upstream commit 3853be2603191829b442b64dac6ae8ba0c027bf9 ]
+
+Pedro reported:
+ During tests that we conducted on KVM, we noticed that executing a "PUSH %ES"
+ instruction under KVM produces different results on both memory and the SP
+ register depending on whether EPT support is enabled. With EPT the SP is
+ reduced by 4 bytes (and the written value is 0-padded) but without EPT support
+ it is only reduced by 2 bytes. The difference can be observed when the CS.DB
+ field is 1 (32-bit) but not when it's 0 (16-bit).
+
+The internal segment descriptor cache exist even in real/vm8096 mode. The CS.D
+also should be respected instead of just default operand/address-size/66H
+prefix/67H prefix during instruction decoding. This patch fixes it by also
+adjusting operand/address-size according to CS.D.
+
+Reported-by: Pedro Fonseca
+Tested-by: Pedro Fonseca
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Nadav Amit
+Cc: Pedro Fonseca
+Signed-off-by: Wanpeng Li
+Reviewed-by: Paolo Bonzini
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4990,6 +4990,8 @@ int x86_decode_insn(struct x86_emulate_c
+ bool op_prefix = false;
+ bool has_seg_override = false;
+ struct opcode opcode;
++ u16 dummy;
++ struct desc_struct desc;
+
+ ctxt->memop.type = OP_NONE;
+ ctxt->memopp = NULL;
+@@ -5008,6 +5010,11 @@ int x86_decode_insn(struct x86_emulate_c
+ switch (mode) {
+ case X86EMUL_MODE_REAL:
+ case X86EMUL_MODE_VM86:
++ def_op_bytes = def_ad_bytes = 2;
++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
++ if (desc.d)
++ def_op_bytes = def_ad_bytes = 4;
++ break;
+ case X86EMUL_MODE_PROT16:
+ def_op_bytes = def_ad_bytes = 2;
+ break;
diff --git a/queue-4.9/kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch b/queue-4.9/kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch
new file mode 100644
index 00000000000..59b5d98b28c
--- /dev/null
+++ b/queue-4.9/kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch
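Review bot: In the second hunk of the emulate.c patch, `desc.d` is read from an uninitialised stack `struct desc_struct desc` without looking at what `get_segment()` returned. If the callback can return failure without filling `desc` (its implementation is not visible here), the decoder would pick 16- or 32-bit defaults from stale stack contents on a guest-controlled path. Testing the result closes that gap: `if (ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS) && desc.d)`. The local `dummy` receives the selector and would be clearer named `sel`. x86_decode_insn() begins and ends outside the hunks.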
@@ -0,0 +1,61 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Wanpeng Li +Date: Mon, 20 Nov 2017 14:55:05 -0800 +Subject: KVM: X86: Fix softlockup when get the current kvmclock + +From: Wanpeng Li + + +[ Upstream commit e70b57a6ce4e8b92a56a615ae79bdb2bd66035e7 ] + + watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [qemu-system-x86:10185] + CPU: 6 PID: 10185 Comm: qemu-system-x86 Tainted: G OE 4.14.0-rc4+ #4 + RIP: 0010:kvm_get_time_scale+0x4e/0xa0 [kvm] + Call Trace: + get_time_ref_counter+0x5a/0x80 [kvm] + kvm_hv_process_stimers+0x120/0x5f0 [kvm] + kvm_arch_vcpu_ioctl_run+0x4b4/0x1690 [kvm] + kvm_vcpu_ioctl+0x33a/0x620 [kvm] + do_vfs_ioctl+0xa1/0x5d0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x1e/0xa9 + +This can be reproduced when running kvm-unit-tests/hyperv_stimer.flat and +cpu-hotplug stress simultaneously. __this_cpu_read(cpu_tsc_khz) returns 0 +(set in kvmclock_cpu_down_prep()) when the pCPU is unhotplug which results +in kvm_get_time_scale() gets into an infinite loop. + +This patch fixes it by treating the unhotplug pCPU as not using master clock. 
+ +Reviewed-by: Radim Krčmář +Reviewed-by: David Hildenbrand +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1751,10 +1751,13 @@ static u64 __get_kvmclock_ns(struct kvm + /* both __this_cpu_read() and rdtsc() should be on the same cpu */ + get_cpu(); + +- kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL, +- &hv_clock.tsc_shift, +- &hv_clock.tsc_to_system_mul); +- ret = __pvclock_read_cycles(&hv_clock, rdtsc()); ++ if (__this_cpu_read(cpu_tsc_khz)) { ++ kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL, ++ &hv_clock.tsc_shift, ++ &hv_clock.tsc_to_system_mul); ++ ret = __pvclock_read_cycles(&hv_clock, rdtsc()); ++ } else ++ ret = ktime_get_boot_ns() + ka->kvmclock_offset; + + put_cpu(); + diff --git a/queue-4.9/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch b/queue-4.9/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch new file mode 100644 index 00000000000..caef0785207 --- /dev/null +++ b/queue-4.9/kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch 
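Review bot: In __get_kvmclock_ns the new guard reads `__this_cpu_read(cpu_tsc_khz)` once for the zero test and a second time for the value passed to kvm_get_time_scale(). Reading it once into a local of the per-cpu variable's type, then testing and passing that local, makes it explicit that the value checked is the value used. The `else` arm should carry braces because the `if` arm does (`} else {`), and a comment on the fallback, e.g. `/* cpu_tsc_khz is 0 while this pCPU is unplugged; use the boot clock instead */`, would keep the reason for the second path in the code. The function starts and ends outside the hunk.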
@@ -0,0 +1,63 @@ +From foo@baz Thu Feb 1 13:58:04 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:32 +0200 +Subject: KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered + +From: Nikita Leshenko + + +[ Upstream commit a8bfec2930525808c01f038825d1df3904638631 ] + +Some OSes (Linux, Xen) use this behavior to clear the Remote IRR bit for +IOAPICs without an EOI register. They simulate the EOI message manually +by changing the trigger mode to edge and then back to level, with the +entry being masked during this. + +QEMU implements this feature in commit ed1263c363c9 +("ioapic: clear remote irr bit for edge-triggered interrupts") + +As a side effect, this commit removes an incorrect behavior where Remote +IRR was cleared when the redirection table entry was rewritten. This is not +consistent with the manual and also opens an opportunity for a strange +behavior when a redirection table entry is modified from an interrupt +handler that handles the same entry: The modification will clear the +Remote IRR bit even though the interrupt handler is still running. + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Wanpeng Li +Reviewed-by: Steve Rutherford +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index a7ac8688bba8..4b573c8694ac 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -306,8 +306,17 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val) + } else { + e->bits &= ~0xffffffffULL; + e->bits |= (u32) val; +- e->fields.remote_irr = 0; + } ++ ++ /* ++ * Some OSes (Linux, Xen) assume that Remote IRR bit will ++ * be cleared by IOAPIC hardware when the entry is configured ++ * as edge-triggered. 
This behavior is used to simulate an ++ * explicit EOI on IOAPICs that don't have the EOI register. ++ */ ++ if (e->fields.trig_mode == IOAPIC_EDGE_TRIG) ++ e->fields.remote_irr = 0; ++ + mask_after = e->fields.mask; + if (mask_before != mask_after) + kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after); +-- +2.16.1 + diff --git a/queue-4.9/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch b/queue-4.9/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch new file mode 100644 index 00000000000..6f7fa2f608f --- /dev/null +++ b/queue-4.9/kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch 
@@ -0,0 +1,71 @@ +From foo@baz Thu Feb 1 13:58:04 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:29 +0200 +Subject: KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race + +From: Nikita Leshenko + + +[ Upstream commit 0fc5a36dd6b345eb0d251a65c236e53bead3eef7 ] + +KVM uses ioapic_handled_vectors to track vectors that need to notify the +IOAPIC on EOI. The problem is that IOAPIC can be reconfigured while an +interrupt with old configuration is pending or running and +ioapic_handled_vectors only remembers the newest configuration; +thus EOI from the old interrupt is not delievered to the IOAPIC. + +A previous commit db2bdcbbbd32 +("KVM: x86: fix edge EOI and IOAPIC reconfig race") +addressed this issue by adding pending edge-triggered interrupts to +ioapic_handled_vectors, fixing this race for edge-triggered interrupts. +The commit explicitly ignored level-triggered interrupts, +but this race applies to them as well: + +1) IOAPIC sends a level triggered interrupt vector to VCPU0 +2) VCPU0's handler deasserts the irq line and reconfigures the IOAPIC + to route the vector to VCPU1. The reconfiguration rewrites only the + upper 32 bits of the IOREDTBLn register. (Causes KVM to update + ioapic_handled_vectors for VCPU0 and it no longer includes the vector.) +3) VCPU0 sends EOI for the vector, but it's not delievered to the + IOAPIC because the ioapic_handled_vectors doesn't include the vector. +4) New interrupts are not delievered to VCPU1 because remote_irr bit + is set forever. + +Therefore, the correct behavior is to add all pending and running +interrupts to ioapic_handled_vectors. + +This commit introduces a slight performance hit similar to +commit db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race") +for the rare case that the vector is reused by a non-IOAPIC source on +VCPU0. We prefer to keep solution simple and not handle this case just +as the original commit does. 
+ +Fixes: db2bdcbbbd32 ("KVM: x86: fix edge EOI and IOAPIC reconfig race") + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c +index 6e219e5c07d2..a7ac8688bba8 100644 +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -257,8 +257,7 @@ void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu, ulong *ioapic_handled_vectors) + index == RTC_GSI) { + if (kvm_apic_match_dest(vcpu, NULL, 0, + e->fields.dest_id, e->fields.dest_mode) || +- (e->fields.trig_mode == IOAPIC_EDGE_TRIG && +- kvm_apic_pending_eoi(vcpu, e->fields.vector))) ++ kvm_apic_pending_eoi(vcpu, e->fields.vector)) + __set_bit(e->fields.vector, + ioapic_handled_vectors); + } +-- +2.16.1 + diff --git a/queue-4.9/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch b/queue-4.9/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch new file mode 100644 index 00000000000..837c1cc72c6 --- /dev/null +++ b/queue-4.9/kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch 
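Review bot: After this change the condition in kvm_ioapic_scan_entry adds a vector whenever an EOI is pending for it, in any trigger mode, and nothing in the code says why an entry whose destination no longer matches is still tracked. A comment above the second arm of the `||` would keep the reason next to the code, for example `/* also track vectors whose EOI is still pending from an older routing (edge or level) */`. The description accepts a cost when a non-IOAPIC source reuses the vector on the same VCPU; that trade-off is worth naming in the same comment. The function starts outside the hunk.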
@@ -0,0 +1,55 @@ +From foo@baz Thu Feb 1 13:58:04 CET 2018 +From: Nikita Leshenko +Date: Sun, 5 Nov 2017 15:52:33 +0200 +Subject: KVM: x86: ioapic: Preserve read-only values in the redirection table + +From: Nikita Leshenko + + +[ Upstream commit b200dded0a6974a3b69599832b2203483920ab25 ] + +According to 82093AA (IOAPIC) manual, Remote IRR and Delivery Status are +read-only. QEMU implements the bits as RO in commit 479c2a1cb7fb +("ioapic: keep RO bits for IOAPIC entry"). + +Signed-off-by: Nikita Leshenko +Reviewed-by: Liran Alon +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Wanpeng Li +Reviewed-by: Steve Rutherford +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/ioapic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -278,6 +278,7 @@ static void ioapic_write_indirect(struct + { + unsigned index; + bool mask_before, mask_after; ++ int old_remote_irr, old_delivery_status; + union kvm_ioapic_redirect_entry *e; + + switch (ioapic->ioregsel) { +@@ -300,6 +301,9 @@ static void ioapic_write_indirect(struct + return; + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; ++ /* Preserve read-only fields */ ++ old_remote_irr = e->fields.remote_irr; ++ old_delivery_status = e->fields.delivery_status; + if (ioapic->ioregsel & 1) { + e->bits &= 0xffffffff; + e->bits |= (u64) val << 32; +@@ -307,6 +311,8 @@ static void ioapic_write_indirect(struct + e->bits &= ~0xffffffffULL; + e->bits |= (u32) val; + } ++ e->fields.remote_irr = old_remote_irr; ++ e->fields.delivery_status = old_delivery_status; + + /* + * Some OSes (Linux, Xen) assume that Remote IRR bit will diff --git a/queue-4.9/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch b/queue-4.9/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch new file mode 100644 index 00000000000..ca5f939877a --- /dev/null 
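Review bot: The restore of `remote_irr` and `delivery_status` in ioapic_write_indirect has to stay ahead of the edge-trigger block shown as context below it, because that block is meant to clear Remote IRR for edge entries and a restore placed after it would undo the clear. The added lines do not record that ordering; extending the existing comment to `/* Preserve read-only fields; restored before the edge-trigger check, which may still clear Remote IRR */` would. The function body starts and ends outside the hunk.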
+++ b/queue-4.9/lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch 
@@ -0,0 +1,84 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Vasily Averin +Date: Mon, 13 Nov 2017 07:25:40 +0300 +Subject: lockd: fix "list_add double add" caused by legacy signal interface + +From: Vasily Averin + + +[ Upstream commit 81833de1a46edce9ca20cfe079872ac1c20ef359 ] + +restart_grace() uses hardcoded init_net. +It can cause to "list_add double add" in following scenario: + +1) nfsd and lockd was started in several net namespaces +2) nfsd in init_net was stopped (lockd was not stopped because + it have users from another net namespaces) +3) lockd got signal, called restart_grace() -> set_grace_period() + and enabled lock_manager in hardcoded init_net. +4) nfsd in init_net is started again, + its lockd_up() calls set_grace_period() and tries to add + lock_manager into init_net 2nd time. + +Jeff Layton suggest: +"Make it safe to call locks_start_grace multiple times on the same +lock_manager. If it's already on the global grace_list, then don't try +to add it again. (But we don't intentionally add twice, so for now we +WARN about that case.) + +With this change, we also need to ensure that the nfsd4 lock manager +initializes the list before we call locks_start_grace. While we're at +it, move the rest of the nfsd_net initialization into +nfs4_state_create_net. I see no reason to have it spread over two +functions like it is today." + +Suggested patch was updated to generate warning in described situation. + +Suggested-by: Jeff Layton +Signed-off-by: Vasily Averin +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs_common/grace.c | 6 +++++- + fs/nfsd/nfs4state.c | 7 ++++--- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/nfs_common/grace.c ++++ b/fs/nfs_common/grace.c +@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struc + struct list_head *grace_list = net_generic(net, grace_net_id); + + spin_lock(&grace_lock); +- list_add(&lm->list, grace_list); ++ if (list_empty(&lm->list)) ++ list_add(&lm->list, grace_list); ++ else ++ WARN(1, "double list_add attempt detected in net %x %s\n", ++ net->ns.inum, (net == &init_net) ? "(init_net)" : ""); + spin_unlock(&grace_lock); + } + EXPORT_SYMBOL_GPL(locks_start_grace); +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -7012,6 +7012,10 @@ static int nfs4_state_create_net(struct + INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]); + nn->conf_name_tree = RB_ROOT; + nn->unconf_name_tree = RB_ROOT; ++ nn->boot_time = get_seconds(); ++ nn->grace_ended = false; ++ nn->nfsd4_manager.block_opens = true; ++ INIT_LIST_HEAD(&nn->nfsd4_manager.list); + INIT_LIST_HEAD(&nn->client_lru); + INIT_LIST_HEAD(&nn->close_lru); + INIT_LIST_HEAD(&nn->del_recall_lru); +@@ -7069,9 +7073,6 @@ nfs4_state_start_net(struct net *net) + ret = nfs4_state_create_net(net); + if (ret) + return ret; +- nn->boot_time = get_seconds(); +- nn->grace_ended = false; +- nn->nfsd4_manager.block_opens = true; + locks_start_grace(net, &nn->nfsd4_manager); + nfsd4_client_tracking_init(net); + printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n", diff --git a/queue-4.9/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch b/queue-4.9/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch new file mode 100644 index 00000000000..8eab62a2442 --- /dev/null +++ b/queue-4.9/mac80211-fix-the-update-of-path-metric-for-rann-frame.patch 
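Review bot: The new `list_empty(&lm->list)` test in locks_start_grace is only meaningful if the list head of every lock_manager passed in has been initialised, and is re-initialised when the manager is taken off grace_list. This patch adds `INIT_LIST_HEAD(&nn->nfsd4_manager.list)` for nfsd, but the initialisation of lockd's own manager (the caller in the scenario described) and the removal path are not visible here, so both should be confirmed for the 4.9 tree. A zeroed or stale head does not look empty to list_empty(), in which case the add would be skipped and the WARN raised on a first, legitimate call. A comment on the function stating the precondition, e.g. `/* lm->list must have been set up with INIT_LIST_HEAD() before the first call */`, would make it visible to callers.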
@@ -0,0 +1,81 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Chun-Yeow Yeoh +Date: Tue, 14 Nov 2017 23:20:05 +0800 +Subject: mac80211: fix the update of path metric for RANN frame + +From: Chun-Yeow Yeoh + + +[ Upstream commit fbbdad5edf0bb59786a51b94a9d006bc8c2da9a2 ] + +The previous path metric update from RANN frame has not considered +the own link metric toward the transmitting mesh STA. Fix this. + +Reported-by: Michael65535 +Signed-off-by: Chun-Yeow Yeoh +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -788,7 +788,7 @@ static void hwmp_rann_frame_process(stru + struct mesh_path *mpath; + u8 ttl, flags, hopcount; + const u8 *orig_addr; +- u32 orig_sn, metric, metric_txsta, interval; ++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval; + bool root_is_gate; + + ttl = rann->rann_ttl; +@@ -799,7 +799,7 @@ static void hwmp_rann_frame_process(stru + interval = le32_to_cpu(rann->rann_interval); + hopcount = rann->rann_hopcount; + hopcount++; +- metric = le32_to_cpu(rann->rann_metric); ++ orig_metric = le32_to_cpu(rann->rann_metric); + + /* Ignore our own RANNs */ + if (ether_addr_equal(orig_addr, sdata->vif.addr)) +@@ -816,7 +816,10 @@ static void hwmp_rann_frame_process(stru + return; + } + +- metric_txsta = airtime_link_metric_get(local, sta); ++ last_hop_metric = airtime_link_metric_get(local, sta); ++ new_metric = orig_metric + last_hop_metric; ++ if (new_metric < orig_metric) ++ new_metric = MAX_METRIC; + + mpath = mesh_path_lookup(sdata, orig_addr); + if (!mpath) { +@@ -829,7 +832,7 @@ static void hwmp_rann_frame_process(stru + } + + if (!(SN_LT(mpath->sn, orig_sn)) && +- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) { ++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) { + rcu_read_unlock(); + return; + } 
+@@ -847,7 +850,7 @@ static void hwmp_rann_frame_process(stru + } + + mpath->sn = orig_sn; +- mpath->rann_metric = metric + metric_txsta; ++ mpath->rann_metric = new_metric; + mpath->is_root = true; + /* Recording RANNs sender address to send individually + * addressed PREQs destined for root mesh STA */ +@@ -867,7 +870,7 @@ static void hwmp_rann_frame_process(stru + mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr, + orig_sn, 0, NULL, 0, broadcast_addr, + hopcount, ttl, interval, +- metric + metric_txsta, 0, sdata); ++ new_metric, 0, sdata); + } + + rcu_read_unlock(); diff --git a/queue-4.9/media-usbtv-add-a-new-usbid.patch b/queue-4.9/media-usbtv-add-a-new-usbid.patch new file mode 100644 index 00000000000..9bdbf3a3736 --- /dev/null +++ b/queue-4.9/media-usbtv-add-a-new-usbid.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Icenowy Zheng +Date: Sun, 16 Apr 2017 02:51:16 -0400 +Subject: media: usbtv: add a new usbid + +From: Icenowy Zheng + + +[ Upstream commit 04226916d2360f56d57ad00bc48d2d1854d1e0b0 ] + +A new usbid of UTV007 is found in a newly bought device. + +The usbid is 1f71:3301. + +The ID on the chip is: +UTV007 +A89029.1 +1520L18K1 + +Both video and audio is tested with the modified usbtv driver. + +Signed-off-by: Icenowy Zheng +Acked-by: Lubomir Rintel +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/usbtv/usbtv-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -141,6 +141,7 @@ static void usbtv_disconnect(struct usb_ + + static struct usb_device_id usbtv_id_table[] = { + { USB_DEVICE(0x1b71, 0x3002) }, ++ { USB_DEVICE(0x1f71, 0x3301) }, + {} + }; + MODULE_DEVICE_TABLE(usb, usbtv_id_table); 
diff --git a/queue-4.9/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch b/queue-4.9/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch new file mode 100644 index 00000000000..e9e8db4f360 --- /dev/null +++ b/queue-4.9/net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Geert Uytterhoeven +Date: Wed, 29 Nov 2017 11:01:09 +0100 +Subject: net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit + +From: Geert Uytterhoeven + + +[ Upstream commit 15bfe05c8d6386f1a90e9340d15336e85e32aad6 ] + +On 64-bit (e.g. powerpc64/allmodconfig): + + drivers/net/ethernet/xilinx/ll_temac_main.c: In function 'temac_start_xmit_done': + drivers/net/ethernet/xilinx/ll_temac_main.c:633:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] + dev_kfree_skb_irq((struct sk_buff *)cur_p->app4); + ^ + +cdmac_bd.app4 is u32, so it is too small to hold a kernel pointer. + +Note that several other fields in struct cdmac_bd are also too small to +hold physical addresses on 64-bit platforms. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/xilinx/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/xilinx/Kconfig ++++ b/drivers/net/ethernet/xilinx/Kconfig +@@ -34,6 +34,7 @@ config XILINX_AXI_EMAC + config XILINX_LL_TEMAC + tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver" + depends on (PPC || MICROBLAZE) ++ depends on !64BIT || BROKEN + select PHYLIB + ---help--- + This driver supports the Xilinx 10/100/1000 LocalLink TEMAC diff --git a/queue-4.9/nfsd-check-for-use-of-the-closed-special-stateid.patch b/queue-4.9/nfsd-check-for-use-of-the-closed-special-stateid.patch new file mode 100644 index 00000000000..219f7875693 --- /dev/null +++ b/queue-4.9/nfsd-check-for-use-of-the-closed-special-stateid.patch 
@@ -0,0 +1,50 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Andrew Elble +Date: Thu, 9 Nov 2017 13:41:10 -0500 +Subject: nfsd: check for use of the closed special stateid + +From: Andrew Elble + + +[ Upstream commit ae254dac721d44c0bfebe2795df87459e2e88219 ] + +Prevent the use of the closed (invalid) special stateid by clients. + +Signed-off-by: Andrew Elble +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -72,6 +72,7 @@ static u64 current_sessionid = 1; + #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t))) + #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t))) + #define CURRENT_STATEID(stateid) (!memcmp((stateid), ¤tstateid, sizeof(stateid_t))) ++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t))) + + /* forward declarations */ + static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner); +@@ -4869,7 +4870,8 @@ static __be32 nfsd4_validate_stateid(str + struct nfs4_stid *s; + __be32 status = nfserr_bad_stateid; + +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) || ++ CLOSE_STATEID(stateid)) + return status; + /* Client debugging aid. */ + if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) { +@@ -4927,7 +4929,8 @@ nfsd4_lookup_stateid(struct nfsd4_compou + else if (typemask & NFS4_DELEG_STID) + typemask |= NFS4_REVOKED_DELEG_STID; + +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) || ++ CLOSE_STATEID(stateid)) + return nfserr_bad_stateid; + status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn); + if (status == nfserr_stale_clientid) { 
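Review bot: The added `CLOSE_STATEID()` macro refers to `close_stateid`, which this patch does not define; on this page it is introduced by the separate patch nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch. Because the macro is used in nfsd4_validate_stateid and nfsd4_lookup_stateid, the tree only builds if that patch is applied first, and the series order is not visible here, so it should be checked. Both functions start and end outside their hunks.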
diff --git a/queue-4.9/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch b/queue-4.9/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch new file mode 100644 index 00000000000..f4b8e5fd6cf --- /dev/null +++ b/queue-4.9/nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Trond Myklebust +Date: Fri, 3 Nov 2017 08:00:12 -0400 +Subject: nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) + +From: Trond Myklebust + + +[ Upstream commit fb500a7cfee7f2f447d2bbf30cb59629feab6ac1 ] + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -63,6 +63,9 @@ static const stateid_t zero_stateid = { + static const stateid_t currentstateid = { + .si_generation = 1, + }; ++static const stateid_t close_stateid = { ++ .si_generation = 0xffffffffU, ++}; + + static u64 current_sessionid = 1; + +@@ -5407,6 +5410,11 @@ nfsd4_close(struct svc_rqst *rqstp, stru + nfsd4_close_open_stateid(stp); + mutex_unlock(&stp->st_mutex); + ++ /* See RFC5661 sectionm 18.2.4 */ ++ if (stp->st_stid.sc_client->cl_minorversion) ++ memcpy(&close->cl_stateid, &close_stateid, ++ sizeof(close->cl_stateid)); ++ + /* put reference from nfs4_preprocess_seqid_op */ + nfs4_put_stid(&stp->st_stid); + out: diff --git a/queue-4.9/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch b/queue-4.9/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch new file mode 100644 index 00000000000..76294a3f1c2 --- /dev/null +++ b/queue-4.9/nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch 
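Review bot: The comment added in nfsd4_close has a typo, `sectionm`, and gives only a section number without saying what the code does about it. Something like `/* RFC 5661 section 18.2.4: for minor versions > 0, return the invalid special stateid */` reads correctly and matches the subject line. If `close->cl_stateid` is a `stateid_t` like `close_stateid` (its declaration is not shown), a plain struct assignment would also avoid the hand-written size in the memcpy. The function starts outside the hunk.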
@@ -0,0 +1,43 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Trond Myklebust +Date: Fri, 3 Nov 2017 08:00:15 -0400 +Subject: nfsd: Ensure we check stateid validity in the seqid operation checks + +From: Trond Myklebust + + +[ Upstream commit 9271d7e509c1bfc0b9a418caec29ec8d1ac38270 ] + +After taking the stateid st_mutex, we want to know that the stateid +still represents valid state before performing any non-idempotent +actions. + +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -5178,15 +5178,9 @@ static __be32 nfs4_seqid_op_checks(struc + status = nfsd4_check_seqid(cstate, sop, seqid); + if (status) + return status; +- if (stp->st_stid.sc_type == NFS4_CLOSED_STID +- || stp->st_stid.sc_type == NFS4_REVOKED_DELEG_STID) +- /* +- * "Closed" stateid's exist *only* to return +- * nfserr_replay_me from the previous step, and +- * revoked delegations are kept only for free_stateid. +- */ +- return nfserr_bad_stateid; +- mutex_lock(&stp->st_mutex); ++ status = nfsd4_lock_ol_stateid(stp); ++ if (status != nfs_ok) ++ return status; + status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate)); + if (status == nfs_ok) + status = nfs4_check_fh(current_fh, &stp->st_stid); diff --git a/queue-4.9/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch b/queue-4.9/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch new file mode 100644 index 00000000000..26ba334e4f3 --- /dev/null +++ b/queue-4.9/openvswitch-fix-the-incorrect-flow-action-alloc-size.patch 
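Review bot: The explicit rejection of NFS4_CLOSED_STID and NFS4_REVOKED_DELEG_STID in nfs4_seqid_op_checks is replaced by a call to `nfsd4_lock_ol_stateid()`, whose body is not part of this patch. The hunk alone therefore does not show that both types are still refused, which status each now returns, or that st_mutex is not left held when the helper fails. All three should be confirmed against the helper as it exists in the 4.9 tree. The removed comment also explained why closed and revoked stateids are kept around; a one-line replacement such as `/* takes st_mutex and fails if the stateid no longer represents valid state */` would keep that at the call site.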
@@ -0,0 +1,83 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: zhangliping +Date: Sat, 25 Nov 2017 22:02:12 +0800 +Subject: openvswitch: fix the incorrect flow action alloc size + +From: zhangliping + + +[ Upstream commit 67c8d22a73128ff910e2287567132530abcf5b71 ] + +If we want to add a datapath flow, which has more than 500 vxlan outputs' +action, we will get the following error reports: + openvswitch: netlink: Flow action size 32832 bytes exceeds max + openvswitch: netlink: Flow action size 32832 bytes exceeds max + openvswitch: netlink: Actions may not be safe on all matching packets + ... ... + +It seems that we can simply enlarge the MAX_ACTIONS_BUFSIZE to fix it, but +this is not the root cause. For example, for a vxlan output action, we need +about 60 bytes for the nlattr, but after it is converted to the flow +action, it only occupies 24 bytes. This means that we can still support +more than 1000 vxlan output actions for a single datapath flow under the +the current 32k max limitation. + +So even if the nla_len(attr) is larger than MAX_ACTIONS_BUFSIZE, we +shouldn't report EINVAL and keep it move on, as the judgement can be +done by the reserve_sfa_size. + +Signed-off-by: zhangliping +Acked-by: Pravin B Shelar +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/flow_netlink.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1789,14 +1789,11 @@ int ovs_nla_put_mask(const struct sw_flo + + #define MAX_ACTIONS_BUFSIZE (32 * 1024) + +-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log) ++static struct sw_flow_actions *nla_alloc_flow_actions(int size) + { + struct sw_flow_actions *sfa; + +- if (size > MAX_ACTIONS_BUFSIZE) { +- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size); +- return ERR_PTR(-EINVAL); +- } ++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE); + + sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL); + if (!sfa) +@@ -1869,12 +1866,15 @@ static struct nlattr *reserve_sfa_size(s + new_acts_size = ksize(*sfa) * 2; + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { +- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) ++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { ++ OVS_NLERR(log, "Flow action size exceeds max %u", ++ MAX_ACTIONS_BUFSIZE); + return ERR_PTR(-EMSGSIZE); ++ } + new_acts_size = MAX_ACTIONS_BUFSIZE; + } + +- acts = nla_alloc_flow_actions(new_acts_size, log); ++ acts = nla_alloc_flow_actions(new_acts_size); + if (IS_ERR(acts)) + return (void *)acts; + +@@ -2500,7 +2500,7 @@ int ovs_nla_copy_actions(struct net *net + { + int err; + +- *sfa = nla_alloc_flow_actions(nla_len(attr), log); ++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE)); + if (IS_ERR(*sfa)) + return PTR_ERR(*sfa); + diff --git a/queue-4.9/quota-check-for-register_shrinker-failure.patch b/queue-4.9/quota-check-for-register_shrinker-failure.patch new file mode 100644 index 00000000000..9397bbe779f --- /dev/null +++ b/queue-4.9/quota-check-for-register_shrinker-failure.patch 
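Review bot: With the size check in nla_alloc_flow_actions reduced to `WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE)`, the function still goes on to `kmalloc(sizeof(*sfa) + size, GFP_KERNEL)` for whatever size it is given, so the 32 KiB bound now depends on every caller clamping first. The two call sites in this patch do clamp (`min(nla_len(attr), MAX_ACTIONS_BUFSIZE)` and the cap in reserve_sfa_size), but keeping the refusal costs one line and both callers already handle an ERR_PTR: `if (WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE)) return ERR_PTR(-EINVAL);`. Separately, the new OVS_NLERR in reserve_sfa_size prints MAX_ACTIONS_BUFSIZE, an int expression, with `%u`; `%d` matches the type.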
@@ -0,0 +1,38 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Tetsuo Handa +Date: Wed, 29 Nov 2017 22:34:50 +0900 +Subject: quota: Check for register_shrinker() failure. + +From: Tetsuo Handa + + +[ Upstream commit 88bc0ede8d35edc969350852894dc864a2dc1859 ] + +register_shrinker() might return -ENOMEM error since Linux 3.12. +Call panic() as with other failure checks in this function if +register_shrinker() failed. + +Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work") +Signed-off-by: Tetsuo Handa +Cc: Jan Kara +Cc: Michal Hocko +Reviewed-by: Michal Hocko +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/quota/dquot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2985,7 +2985,8 @@ static int __init dquot_init(void) + pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld," + " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order)); + +- register_shrinker(&dqcache_shrinker); ++ if (register_shrinker(&dqcache_shrinker)) ++ panic("Cannot register dquot shrinker"); + + return 0; + } diff --git a/queue-4.9/reiserfs-remove-unneeded-i_version-bump.patch b/queue-4.9/reiserfs-remove-unneeded-i_version-bump.patch new file mode 100644 index 00000000000..347d5bd1a6e --- /dev/null +++ b/queue-4.9/reiserfs-remove-unneeded-i_version-bump.patch 
@@ -0,0 +1,31 @@ +From foo@baz Thu Feb 1 14:00:34 CET 2018 +From: Jeff Layton +Date: Mon, 30 Oct 2017 11:20:15 -0400 +Subject: reiserfs: remove unneeded i_version bump + +From: Jeff Layton + + +[ Upstream commit 9f97df50c52c2887432debb6238f4e43567386a5 ] + +The i_version field in reiserfs is not initialized and is only ever +updated here. Nothing ever views it, so just remove it. + +Signed-off-by: Jeff Layton +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/super.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -2521,7 +2521,6 @@ out: + return err; + if (inode->i_size < off + len - towrite) + i_size_write(inode, off + len - towrite); +- inode->i_version++; + inode->i_mtime = inode->i_ctime = current_time(inode); + mark_inode_dirty(inode); + return len - towrite; diff --git a/queue-4.9/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch b/queue-4.9/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch new file mode 100644 index 00000000000..0bf367c2ee5 --- /dev/null +++ b/queue-4.9/scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch 
@@ -0,0 +1,64 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Guilherme G. Piccoli"
+Date: Fri, 17 Nov 2017 19:14:55 -0200
+Subject: scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
+
+From: "Guilherme G. Piccoli"
+
+
+[ Upstream commit e4717292ddebcfe231651b5aff9fa19ca158d178 ]
+
+As part of the scsi EH path, aacraid performs a reinitialization of the
+adapter, which encompass freeing resources and IRQs, NULLifying lots of
+pointers, and then initialize it all over again. We've identified a
+problem during the free IRQ portion of this path if CONFIG_DEBUG_SHIRQ
+is enabled on kernel config file.
+
+Happens that, in case this flag was set, right after free_irq()
+effectively clears the interrupt, it checks if it was requested as
+IRQF_SHARED. In positive case, it performs another call to the IRQ
+handler on driver. Problem is: since aacraid currently free some
+resources *before* freeing the IRQ, once free_irq() path calls the
+handler again (due to CONFIG_DEBUG_SHIRQ), aacraid crashes due to NULL
+pointer dereference with the following trace:
+
+ aac_src_intr_message+0xf8/0x740 [aacraid]
+ __free_irq+0x33c/0x4a0
+ free_irq+0x78/0xb0
+ aac_free_irq+0x13c/0x150 [aacraid]
+ aac_reset_adapter+0x2e8/0x970 [aacraid]
+ aac_eh_reset+0x3a8/0x5d0 [aacraid]
+ scsi_try_host_reset+0x74/0x180
+ scsi_eh_ready_devs+0xc70/0x1510
+ scsi_error_handler+0x624/0xa20
+
+This patch prevents the crash by changing the order of the
+deinitialization in this path of aacraid: first we clear the IRQ, then
+we free other resources. No functional change intended.
+
+Signed-off-by: Guilherme G. Piccoli
+Reviewed-by: Raghava Aditya Renukunta
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/aacraid/commsup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -1416,13 +1416,13 @@ static int _aac_reset_adapter(struct aac
+ * will ensure that i/o is queisced and the card is flushed in that
+ * case.
+ */
++ aac_free_irq(aac);
+ aac_fib_map_free(aac);
+ pci_free_consistent(aac->pdev, aac->comm_size, aac->comm_addr, aac->comm_phys);
+ aac->comm_addr = NULL;
+ aac->comm_phys = 0;
+ kfree(aac->queues);
+ aac->queues = NULL;
+- aac_free_irq(aac);
+ kfree(aac->fsa_dev);
+ aac->fsa_dev = NULL;
+ quirks = aac_get_driver_ident(index)->quirks;
diff --git a/queue-4.9/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch b/queue-4.9/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
new file mode 100644
index 00000000000..63ef3b3d89d
--- /dev/null
+++ b/queue-4.9/scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
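Review bot: The new position of `aac_free_irq(aac)` at the top of this teardown sequence carries an ordering requirement that nothing in the code records, so a later cleanup could move it back below the frees and bring the NULL dereference back. I would add a comment directly above the call, for example `/* Release the IRQ first: with CONFIG_DEBUG_SHIRQ, free_irq() runs the handler once more and it must not see freed or NULLed adapter state. */`. The existing block comment above it only covers I/O quiescing. `_aac_reset_adapter` starts and ends outside this hunk, so whether any other path in it frees the same resources before the IRQ is not visible here and is worth checking.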
@@ -0,0 +1,48 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Gustavo A. R. Silva"
+Date: Mon, 20 Nov 2017 08:12:29 -0600
+Subject: scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
+
+From: "Gustavo A. R. Silva"
+
+
+[ Upstream commit 727535903bea924c4f73abb202c4b3e85fff0ca4 ]
+
+_vreg_ is being dereferenced before it is null checked, hence there is a
+potential null pointer dereference.
+
+Fix this by moving the pointer dereference after _vreg_ has been null
+checked.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Subhash Jadavani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufshcd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5327,12 +5327,15 @@ static int ufshcd_config_vreg(struct dev
+ struct ufs_vreg *vreg, bool on)
+ {
+ int ret = 0;
+- struct regulator *reg = vreg->reg;
+- const char *name = vreg->name;
++ struct regulator *reg;
++ const char *name;
+ int min_uV, uA_load;
+
+ BUG_ON(!vreg);
+
++ reg = vreg->reg;
++ name = vreg->name;
++
+ if (regulator_count_voltages(reg) > 0) {
+ min_uV = on ? vreg->min_uV : 0;
+ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
diff --git a/queue-4.9/series b/queue-4.9/series
index 27850a1c084..ff76f1dfac4 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
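Review bot: `BUG_ON(!vreg)` remains the only guard in `ufshcd_config_vreg`, so a NULL `vreg` still takes the kernel down through BUG() even though the function returns `int` and could report the condition to its caller. Consider `if (WARN_ON(!vreg)) return -EINVAL;` ahead of the two assignments, provided the callers, which are not visible in this hunk, check the return value. The function body continues past the end of the hunk.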
@@ -14,3 +14,57 @@ gpio-iop-add-missing-module_description-author-license.patch
 gpio-ath79-add-missing-module_description-license.patch
 mtd-nand-denali_pci-add-missing-module_description-author-license.patch
 igb-free-irqs-when-device-is-hotplugged.patch
+drm-vc4-account-for-interrupts-in-flight.patch
+cpupowerutils-bench-fix-cpu-online-check.patch
+cpupower-fix-cpupower-working-when-cpu0-is-offline.patch
+kvm-x86-emulator-return-to-user-mode-on-l1-cpl-0-emulation-failure.patch
+kvm-x86-don-t-re-execute-instruction-when-not-passing-cr2-value.patch
+kvm-x86-fix-operand-address-size-during-instruction-decoding.patch
+kvm-x86-ioapic-fix-level-triggered-eoi-and-ioapic-reconfigure-race.patch
+kvm-x86-ioapic-clear-remote-irr-when-entry-is-switched-to-edge-triggered.patch
+acpi-bus-leave-modalias-empty-for-devices-which-are-not-present.patch
+kvm-x86-ioapic-preserve-read-only-values-in-the-redirection-table.patch
+cpufreq-add-loongson-machine-dependencies.patch
+bcache-check-return-value-of-register_shrinker.patch
+drm-amdgpu-fix-sdma-load-unload-sequence-on-hws-disabled-mode.patch
+drm-amdkfd-fix-sdma-ring-buffer-size-calculation.patch
+drm-amdkfd-fix-sdma-oversubsription-handling.patch
+openvswitch-fix-the-incorrect-flow-action-alloc-size.patch
+mac80211-fix-the-update-of-path-metric-for-rann-frame.patch
+btrfs-fix-deadlock-when-writing-out-space-cache.patch
+reiserfs-remove-unneeded-i_version-bump.patch
+kvm-x86-fix-softlockup-when-get-the-current-kvmclock.patch
+kvm-vmx-fix-rflags-cache-during-vcpu-reset.patch
+xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch
+xen-netfront-remove-warning-when-unloading-module.patch
+auxdisplay-img-ascii-lcd-only-build-on-archs-that-have-iomem.patch
+nfsd-close-should-return-the-invalid-special-stateid-for-nfsv4.x-x-0.patch
+nfsd-ensure-we-check-stateid-validity-in-the-seqid-operation-checks.patch
+grace-replace-bug_on-by-warn_once-in-exit_net-hook.patch
+nfsd-check-for-use-of-the-closed-special-stateid.patch
+lockd-fix-list_add-double-add-caused-by-legacy-signal-interface.patch
+hwmon-pmbus-use-64bit-math-for-direct-format-values.patch
+bnxt_en-fix-an-error-handling-path-in-bnxt_get_module_eeprom.patch
+xfs-fortify-xfs_alloc_buftarg-error-handling.patch
+drm-amdgpu-don-t-try-to-move-pinned-bos.patch
+net-ethernet-xilinx-mark-xilinx_ll_temac-broken-on-64-bit.patch
+quota-check-for-register_shrinker-failure.patch
+sunrpc-allow-connect-to-return-ehostunreach.patch
+kmemleak-add-scheduling-point-to-kmemleak_scan.patch
+drm-bridge-tc358767-do-no-fail-on-hi-res-displays.patch
+drm-bridge-tc358767-filter-out-too-high-modes.patch
+drm-bridge-tc358767-fix-dp0_misc-register-set.patch
+drm-bridge-tc358767-fix-timing-calculations.patch
+drm-bridge-tc358767-fix-auxdatan-registers-access.patch
+drm-bridge-tc358767-fix-1-lane-behavior.patch
+drm-omap-fix-error-handling-path-in-omap_dmm_probe.patch
+xfs-ubsan-fixes.patch
+xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch
+scsi-aacraid-prevent-crash-in-case-of-free-interrupt-during-scsi-eh-path.patch
+scsi-ufs-ufshcd-fix-potential-null-pointer-dereference-in-ufshcd_config_vreg.patch
+iwlwifi-mvm-fix-the-tx-queue-hang-timeout-for-monitor-vif-type.patch
+arm-dts-nsp-fix-ppi-interrupt-types.patch
+media-usbtv-add-a-new-usbid.patch
+usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
+staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
+drm-vc4-move-irq-enable-to-pm-path.patch
diff --git a/queue-4.9/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch b/queue-4.9/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
new file mode 100644
index 00000000000..34da099d933
--- /dev/null
+++ b/queue-4.9/staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Larry Finger
+Date: Sat, 25 Nov 2017 13:32:38 -0600
+Subject: staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
+
+From: Larry Finger
+
+
+[ Upstream commit b77992d2df9e47144354d1b25328b180afa33442 ]
+
+When not associated with an AP, wifi device drivers should respond to the
+SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the
+behavior expected by dhcpcd.
+
+Currently, this driver returns an error code (-1) from the ioctl call,
+which causes dhcpcd to assume that the device is not a wireless interface
+and therefore it fails to work correctly with it thereafter.
+
+This problem was reported and tested at
+https://github.com/lwfinger/rtl8188eu/issues/234.
+
+Signed-off-by: Larry Finger
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1397,19 +1397,13 @@ static int rtw_wx_get_essid(struct net_d
+ if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
+ (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
+ len = pcur_bss->Ssid.SsidLength;
+-
+- wrqu->essid.length = len;
+-
+ memcpy(extra, pcur_bss->Ssid.Ssid, len);
+-
+- wrqu->essid.flags = 1;
+ } else {
+- ret = -1;
+- goto exit;
++ len = 0;
++ *extra = 0;
+ }
+-
+-exit:
+-
++ wrqu->essid.length = len;
++ wrqu->essid.flags = 1;
+
+ return ret;
+ }
diff --git a/queue-4.9/sunrpc-allow-connect-to-return-ehostunreach.patch b/queue-4.9/sunrpc-allow-connect-to-return-ehostunreach.patch
new file mode 100644
index 00000000000..c241f975e39
--- /dev/null
+++ b/queue-4.9/sunrpc-allow-connect-to-return-ehostunreach.patch
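Review bot: In the linked branch of `rtw_wx_get_essid`, `memcpy(extra, pcur_bss->Ssid.Ssid, len)` takes its length from `pcur_bss->Ssid.SsidLength` with no bound visible in this hunk. That field describes the current BSS and presumably derives from received frames, so if nothing earlier clamps it the copy can run past the wireless-extensions ESSID buffer. A clamp such as `len = min_t(u32, pcur_bss->Ssid.SsidLength, IW_ESSID_MAX_SIZE);` before the memcpy would make the handler safe on its own. The start of the function is outside the hunk, so the type of `len` and any earlier validation should be confirmed before applying this.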
@@ -0,0 +1,30 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Trond Myklebust
+Date: Fri, 24 Nov 2017 12:00:24 -0500
+Subject: SUNRPC: Allow connect to return EHOSTUNREACH
+
+From: Trond Myklebust
+
+
+[ Upstream commit 4ba161a793d5f43757c35feff258d9f20a082940 ]
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Trond Myklebust
+Tested-by: Dmitry Vyukov
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/xprtsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2381,6 +2381,7 @@ static void xs_tcp_setup_socket(struct w
+ case -ECONNREFUSED:
+ case -ECONNRESET:
+ case -ENETUNREACH:
++ case -EHOSTUNREACH:
+ case -EADDRINUSE:
+ case -ENOBUFS:
+ /* retry with existing socket, after a delay */
diff --git a/queue-4.9/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch b/queue-4.9/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
new file mode 100644
index 00000000000..ca37d3cd58c
--- /dev/null
+++ b/queue-4.9/usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Colin Ian King
+Date: Tue, 14 Nov 2017 16:18:28 +0000
+Subject: usb: gadget: don't dereference g until after it has been null checked
+
+From: Colin Ian King
+
+
+[ Upstream commit b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec ]
+
+Avoid dereferencing pointer g until after g has been sanity null checked;
+move the assignment of cdev much later when it is required into a more
+local scope.
+
+Detected by CoverityScan, CID#1222135 ("Dereference before null check")
+
+Fixes: b785ea7ce662 ("usb: gadget: composite: fix ep->maxburst initialization")
+Signed-off-by: Colin Ian King
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -150,7 +150,6 @@ int config_ep_by_speed(struct usb_gadget
+ struct usb_function *f,
+ struct usb_ep *_ep)
+ {
+- struct usb_composite_dev *cdev = get_gadget_data(g);
+ struct usb_endpoint_descriptor *chosen_desc = NULL;
+ struct usb_descriptor_header **speed_desc = NULL;
+
+@@ -229,8 +228,12 @@ ep_found:
+ _ep->maxburst = comp_desc->bMaxBurst + 1;
+ break;
+ default:
+- if (comp_desc->bMaxBurst != 0)
++ if (comp_desc->bMaxBurst != 0) {
++ struct usb_composite_dev *cdev;
++
++ cdev = get_gadget_data(g);
+ ERROR(cdev, "ep0 bMaxBurst must be 0\n");
++ }
+ _ep->maxburst = 1;
+ break;
+ }
diff --git a/queue-4.9/xen-netfront-remove-warning-when-unloading-module.patch b/queue-4.9/xen-netfront-remove-warning-when-unloading-module.patch
new file mode 100644
index 00000000000..a2f48dc1d97
--- /dev/null
+++ b/queue-4.9/xen-netfront-remove-warning-when-unloading-module.patch
@@ -0,0 +1,87 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Eduardo Otubo
+Date: Thu, 23 Nov 2017 15:18:35 +0100
+Subject: xen-netfront: remove warning when unloading module
+
+From: Eduardo Otubo
+
+
+[ Upstream commit 5b5971df3bc2775107ddad164018a8a8db633b81 ]
+
+v2:
+ * Replace busy wait with wait_event()/wake_up_all()
+ * Cannot garantee that at the time xennet_remove is called, the
+ xen_netback state will not be XenbusStateClosed, so added a
+ condition for that
+ * There's a small chance for the xen_netback state is
+ XenbusStateUnknown by the time the xen_netfront switches to Closed,
+ so added a condition for that.
+
+When unloading module xen_netfront from guest, dmesg would output
+warning messages like below:
+
+ [ 105.236836] xen:grant_table: WARNING: g.e. 0x903 still in use!
+ [ 105.236839] deferring g.e. 0x903 (pfn 0x35805)
+
+This problem relies on netfront and netback being out of sync. By the time
+netfront revokes the g.e.'s netback didn't have enough time to free all of
+them, hence displaying the warnings on dmesg.
+
+The trick here is to make netfront to wait until netback frees all the g.e.'s
+and only then continue to cleanup for the module removal, and this is done by
+manipulating both device states.
+
+Signed-off-by: Eduardo Otubo
+Acked-by: Juergen Gross
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netfront.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -86,6 +86,8 @@ struct netfront_cb {
+ /* IRQ name is queue name with "-tx" or "-rx" appended */
+ #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+
++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
++
+ struct netfront_stats {
+ u64 packets;
+ u64 bytes;
+@@ -2051,10 +2053,12 @@ static void netback_changed(struct xenbu
+ break;
+
+ case XenbusStateClosed:
++ wake_up_all(&module_unload_q);
+ if (dev->state == XenbusStateClosed)
+ break;
+ /* Missed the backend's CLOSING state -- fallthrough */
+ case XenbusStateClosing:
++ wake_up_all(&module_unload_q);
+ xenbus_frontend_closed(dev);
+ break;
+ }
+@@ -2160,6 +2164,20 @@ static int xennet_remove(struct xenbus_d
+
+ dev_dbg(&dev->dev, "%s\n", dev->nodename);
+
++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++ xenbus_switch_state(dev, XenbusStateClosing);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosing);
++
++ xenbus_switch_state(dev, XenbusStateClosed);
++ wait_event(module_unload_q,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown);
++ }
++
+ xennet_disconnect_backend(info);
+
+ unregister_netdev(info->netdev);
diff --git a/queue-4.9/xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch b/queue-4.9/xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch
new file mode 100644
index 00000000000..106f9ac9611
--- /dev/null
+++ b/queue-4.9/xfs-always-free-inline-data-before-resetting-inode-fork-during-ifree.patch
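Review bot: Both `wait_event()` calls added to `xennet_remove` sleep uninterruptibly, with no timeout, on a state that only the backend can set, so a backend that never answers or that skips a state leaves device removal or module unload hung. The first wait accepts only `XenbusStateClosing`; a backend that moves straight to `XenbusStateClosed` or disappears (`XenbusStateUnknown`) never satisfies it, although the second wait already allows for those cases. I would accept the same terminal states in the first wait, as below, and consider `wait_event_timeout()` for both so that the frontend does not depend on the other domain making progress. `xennet_remove` continues outside the hunk.

```c
	if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
		xenbus_switch_state(dev, XenbusStateClosing);
		/* The backend may skip Closing or vanish; do not wait for Closing only. */
		wait_event(module_unload_q,
			   xenbus_read_driver_state(dev->otherend) ==
			   XenbusStateClosing ||
			   xenbus_read_driver_state(dev->otherend) ==
			   XenbusStateClosed ||
			   xenbus_read_driver_state(dev->otherend) ==
			   XenbusStateUnknown);
		/* … unchanged: switch to XenbusStateClosed and the second wait … */
```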
@@ -0,0 +1,67 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Darrick J. Wong"
+Date: Wed, 22 Nov 2017 12:21:07 -0800
+Subject: xfs: always free inline data before resetting inode fork during ifree
+
+From: "Darrick J. Wong"
+
+
+[ Upstream commit 98c4f78dcdd8cec112d1cbc5e9a792ee6e5ab7a6 ]
+
+In xfs_ifree, we reset the data/attr forks to extents format without
+bothering to free any inline data buffer that might still be around
+after all the blocks have been truncated off the file. Prior to commit
+43518812d2 ("xfs: remove support for inlining data/extents into the
+inode fork") nobody noticed because the leftover inline data after
+truncation was small enough to fit inside the inline buffer inside the
+fork itself.
+
+However, now that we've removed the inline buffer, we /always/ have to
+free the inline data buffer or else we leak them like crazy. This test
+was found by turning on kmemleak for generic/001 or generic/388.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_inode.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -2430,6 +2430,24 @@ retry:
+ }
+
+ /*
++ * Free any local-format buffers sitting around before we reset to
++ * extents format.
++ */
++static inline void
++xfs_ifree_local_data(
++ struct xfs_inode *ip,
++ int whichfork)
++{
++ struct xfs_ifork *ifp;
++
++ if (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_LOCAL)
++ return;
++
++ ifp = XFS_IFORK_PTR(ip, whichfork);
++ xfs_idata_realloc(ip, -ifp->if_bytes, whichfork);
++}
++
++/*
+ * This is called to return an inode to the inode free list.
+ * The inode should already be truncated to 0 length and have
+ * no pages associated with it. This routine also assumes that
+@@ -2466,6 +2484,9 @@ xfs_ifree(
+ if (error)
+ return error;
+
++ xfs_ifree_local_data(ip, XFS_DATA_FORK);
++ xfs_ifree_local_data(ip, XFS_ATTR_FORK);
++
+ VFS_I(ip)->i_mode = 0; /* mark incore inode as free */
+ ip->i_d.di_flags = 0;
+ ip->i_d.di_dmevmask = 0;
diff --git a/queue-4.9/xfs-fortify-xfs_alloc_buftarg-error-handling.patch b/queue-4.9/xfs-fortify-xfs_alloc_buftarg-error-handling.patch
new file mode 100644
index 00000000000..dba249988f8
--- /dev/null
+++ b/queue-4.9/xfs-fortify-xfs_alloc_buftarg-error-handling.patch
@@ -0,0 +1,64 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Michal Hocko
+Date: Thu, 23 Nov 2017 17:13:40 +0100
+Subject: xfs: fortify xfs_alloc_buftarg error handling
+
+From: Michal Hocko
+
+
+[ Upstream commit d210a9874b8f6166579408131cb74495caff1958 ]
+
+percpu_counter_init failure path doesn't clean up &btp->bt_lru list.
+Call list_lru_destroy in that error path. Similarly register_shrinker
+error path is not handled.
+
+While it is unlikely to trigger these error path, it is not impossible
+especially the later might fail with large NUMAs. Let's handle the
+failure to make the code more robust.
+
+Noticed-by: Tetsuo Handa
+Signed-off-by: Michal Hocko
+Acked-by: Dave Chinner
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_buf.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1785,22 +1785,27 @@ xfs_alloc_buftarg(
+ btp->bt_bdi = blk_get_backing_dev_info(bdev);
+
+ if (xfs_setsize_buftarg_early(btp, bdev))
+- goto error;
++ goto error_free;
+
+ if (list_lru_init(&btp->bt_lru))
+- goto error;
++ goto error_free;
+
+ if (percpu_counter_init(&btp->bt_io_count, 0, GFP_KERNEL))
+- goto error;
++ goto error_lru;
+
+ btp->bt_shrinker.count_objects = xfs_buftarg_shrink_count;
+ btp->bt_shrinker.scan_objects = xfs_buftarg_shrink_scan;
+ btp->bt_shrinker.seeks = DEFAULT_SEEKS;
+ btp->bt_shrinker.flags = SHRINKER_NUMA_AWARE;
+- register_shrinker(&btp->bt_shrinker);
++ if (register_shrinker(&btp->bt_shrinker))
++ goto error_pcpu;
+ return btp;
+
+-error:
++error_pcpu:
++ percpu_counter_destroy(&btp->bt_io_count);
++error_lru:
++ list_lru_destroy(&btp->bt_lru);
++error_free:
+ kmem_free(btp);
+ return NULL;
+ }
diff --git a/queue-4.9/xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch b/queue-4.9/xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch
new file mode 100644
index 00000000000..6f476e42a60
--- /dev/null
+++ b/queue-4.9/xfs-properly-retry-failed-dquot-items-in-case-of-error-during-buffer-writeback.patch
@@ -0,0 +1,130 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: Carlos Maiolino
+Date: Tue, 28 Nov 2017 08:54:10 -0800
+Subject: xfs: Properly retry failed dquot items in case of error during buffer writeback
+
+From: Carlos Maiolino
+
+
+[ Upstream commit 373b0589dc8d58bc09c9a28d03611ae4fb216057 ]
+
+Once the inode item writeback errors is already fixed, it's time to fix the same
+problem in dquot code.
+
+Although there were no reports of users hitting this bug in dquot code (at least
+none I've seen), the bug is there and I was already planning to fix it when the
+correct approach to fix the inodes part was decided.
+
+This patch aims to fix the same problem in dquot code, regarding failed buffers
+being unable to be resubmitted once they are flush locked.
+
+Tested with the recently test-case sent to fstests list by Hou Tao.
+
+Reviewed-by: Brian Foster
+Signed-off-by: Carlos Maiolino
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_dquot.c | 14 +++++++++++---
+ fs/xfs/xfs_dquot_item.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 49 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1004,14 +1004,22 @@ xfs_qm_dqflush_done(
+ * holding the lock before removing the dquot from the AIL.
+ */
+ if ((lip->li_flags & XFS_LI_IN_AIL) &&
+- lip->li_lsn == qip->qli_flush_lsn) {
++ ((lip->li_lsn == qip->qli_flush_lsn) ||
++ (lip->li_flags & XFS_LI_FAILED))) {
+
+ /* xfs_trans_ail_delete() drops the AIL lock. */
+ spin_lock(&ailp->xa_lock);
+- if (lip->li_lsn == qip->qli_flush_lsn)
++ if (lip->li_lsn == qip->qli_flush_lsn) {
+ xfs_trans_ail_delete(ailp, lip, SHUTDOWN_CORRUPT_INCORE);
+- else
++ } else {
++ /*
++ * Clear the failed state since we are about to drop the
++ * flush lock
++ */
++ if (lip->li_flags & XFS_LI_FAILED)
++ xfs_clear_li_failed(lip);
+ spin_unlock(&ailp->xa_lock);
++ }
+ }
+
+ /*
+--- a/fs/xfs/xfs_dquot_item.c
++++ b/fs/xfs/xfs_dquot_item.c
+@@ -137,6 +137,26 @@ xfs_qm_dqunpin_wait(
+ wait_event(dqp->q_pinwait, (atomic_read(&dqp->q_pincount) == 0));
+ }
+
++/*
++ * Callback used to mark a buffer with XFS_LI_FAILED when items in the buffer
++ * have been failed during writeback
++ *
++ * this informs the AIL that the dquot is already flush locked on the next push,
++ * and acquires a hold on the buffer to ensure that it isn't reclaimed before
++ * dirty data makes it to disk.
++ */
++STATIC void
++xfs_dquot_item_error(
++ struct xfs_log_item *lip,
++ struct xfs_buf *bp)
++{
++ struct xfs_dquot *dqp;
++
++ dqp = DQUOT_ITEM(lip)->qli_dquot;
++ ASSERT(!completion_done(&dqp->q_flush));
++ xfs_set_li_failed(lip, bp);
++}
++
+ STATIC uint
+ xfs_qm_dquot_logitem_push(
+ struct xfs_log_item *lip,
+@@ -144,13 +164,28 @@ xfs_qm_dquot_logitem_push(
+ __acquires(&lip->li_ailp->xa_lock)
+ {
+ struct xfs_dquot *dqp = DQUOT_ITEM(lip)->qli_dquot;
+- struct xfs_buf *bp = NULL;
++ struct xfs_buf *bp = lip->li_buf;
+ uint rval = XFS_ITEM_SUCCESS;
+ int error;
+
+ if (atomic_read(&dqp->q_pincount) > 0)
+ return XFS_ITEM_PINNED;
+
++ /*
++ * The buffer containing this item failed to be written back
++ * previously. Resubmit the buffer for IO
++ */
++ if (lip->li_flags & XFS_LI_FAILED) {
++ if (!xfs_buf_trylock(bp))
++ return XFS_ITEM_LOCKED;
++
++ if (!xfs_buf_resubmit_failed_buffers(bp, lip, buffer_list))
++ rval = XFS_ITEM_FLUSHING;
++
++ xfs_buf_unlock(bp);
++ return rval;
++ }
++
+ if (!xfs_dqlock_nowait(dqp))
+ return XFS_ITEM_LOCKED;
+
+@@ -242,7 +277,8 @@ static const struct xfs_item_ops xfs_dqu
+ .iop_unlock = xfs_qm_dquot_logitem_unlock,
+ .iop_committed = xfs_qm_dquot_logitem_committed,
+ .iop_push = xfs_qm_dquot_logitem_push,
+- .iop_committing = xfs_qm_dquot_logitem_committing
++ .iop_committing = xfs_qm_dquot_logitem_committing,
++ .iop_error = xfs_dquot_item_error
+ };
+
+ /*
diff --git a/queue-4.9/xfs-ubsan-fixes.patch b/queue-4.9/xfs-ubsan-fixes.patch
new file mode 100644
index 00000000000..215e2eced6d
--- /dev/null
+++ b/queue-4.9/xfs-ubsan-fixes.patch
@@ -0,0 +1,49 @@
+From foo@baz Thu Feb 1 14:00:34 CET 2018
+From: "Darrick J. Wong"
+Date: Mon, 27 Nov 2017 09:50:17 -0800
+Subject: xfs: ubsan fixes
+
+From: "Darrick J. Wong"
+
+
+[ Upstream commit 22a6c83777ac7c17d6c63891beeeac24cf5da450 ]
+
+Fix some complaints from the UBSAN about signed integer addition overflows.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Brian Foster
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_aops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -391,7 +391,7 @@ xfs_map_blocks(
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
+- if (offset + count > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+@@ -1295,7 +1295,7 @@ xfs_map_trim_size(
+ if (mapping_size > size)
+ mapping_size = size;
+ if (offset < i_size_read(inode) &&
+- offset + mapping_size >= i_size_read(inode)) {
++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
+ /* limit mapping to block that spans EOF */
+ mapping_size = roundup_64(i_size_read(inode) - offset,
+ i_blocksize(inode));
+@@ -1347,7 +1347,7 @@ __xfs_get_blocks(
+ lockmode = xfs_ilock_data_map_shared(ip);
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if (offset + size > mp->m_super->s_maxbytes)
++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
+ size = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
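Review bot: The three `(xfs_ufsize_t)` casts added in `xfs_map_blocks`, `xfs_map_trim_size` and `__xfs_get_blocks` make each comparison unsigned, which matches the old test only while `offset` is non-negative; the `ASSERT(offset <= mp->m_super->s_maxbytes)` visible in two of the hunks does not check that and presumably compiles out on non-debug builds. A short comment at each site, such as `/* unsigned add: offset + count may exceed the signed range */`, would keep the cast from being removed as redundant in a later cleanup. Whether callers can pass a negative `offset` is not visible in these hunks, and all three functions start and end outside them.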