From: Greg Kroah-Hartman Date: Mon, 9 Apr 2018 12:03:43 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.104~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df1b7722b1615ccea88fcc09477fe3f1232d596a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-ec-fix-debugfs_create_-usage.patch acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch asoc-intel-cht_bsw_rt5645-analog-mic-support.patch asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch backlight-tdo24m-fix-the-spi-cs-between-transfers.patch bcache-ret-ioerr-when-read-meets-metadata-error.patch bcache-segregate-flash-only-volume-write-streams.patch bcache-stop-writeback-thread-after-detaching.patch blk-mq-avoid-to-map-cpu-into-stale-hw-queue.patch blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch block-bfq-put-async-queues-for-root-bfq-groups-too.patch bluetooth-add-a-new-04ca-3015-qca_rome-device.patch clk-divider-fix-incorrect-usage-of-container_of.patch clk-meson-mpll-use-64-bit-maths-in-params_from_rate.patch clk-sunxi-ng-a83t-add-m-divider-to-tcon1-clock.patch clk-sunxi-ng-fix-the-a64-h5-clock-description-of-de2-ccu.patch crypto-aes-generic-build-with-os-on-gcc-7.patch cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch edac-mv64x60-fix-an-error-handling-path.patch gpio-label-descriptors-using-the-device-name.patch gpio-thunderx-fix-error-return-code-in-thunderx_gpio_probe.patch hwmon-ina2xx-make-calibration-register-value-fixed.patch i40evf-don-t-rely-on-netif_running-outside-rtnl_lock.patch i40iw-correct-q1-xf-object-count-equation.patch i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch i40iw-validate-correct-ird-ord-connection-parameters.patch ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch ibmvnic-don-t-handle-rx-interrupts-when-not-up.patch input-goodix-disable-irqs-while-suspended.patch ipv6-reinject-ipv6-packets-if-ipsec-policy-matches-after-snat.patch irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch l2tp-fix-missing-print-session-offset-info.patch mac80211-fix-setting-tx-power-on-monitor-interfaces.patch media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch mtd-mtd_oobtest-handle-bitflips-during-reads.patch net-hns3-fix-a-loop-index-error-of-tqp-statistics-query.patch net-hns3-fix-an-error-macro-definition-of-hns3_tqp_stat.patch net-hns3-fix-an-error-of-total-drop-packet-statistics.patch net-hns3-fix-for-changing-mtu.patch net-hns3-fix-for-getting-auto-negotiation-state-in-hclge_get_autoneg.patch net-hns3-free-the-ring_data-structrue-when-change-tqps.patch net-mlx4_en-change-default-qos-settings.patch net-mlx5-fix-race-for-multiple-roce-enable.patch nvme_fcloop-disassocate-local-port-structs.patch nvme_fcloop-fix-abort-race-condition.patch perf-evsel-enable-ignore_missing_thread-for-pid-option.patch perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch perf-probe-find-versioned-symbols-from-map.patch perf-report-fix-a-no-annotate-browser-displayed-issue.patch perf-tools-fix-copyfile_offset-update-of-output-offset.patch pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch power-supply-axp288_charger-properly-stop-work-on-probe-error-remove.patch powernv-cpufreq-add-helper-to-extract-pstate-from-pmsr.patch rdma-cma-fix-rdma_cm-path-querying-for-roce.patch rdma-cma-mark-end-of-cma-id-messages.patch rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch scsi-libsas-fix-error-when-getting-phy-events.patch scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch scsi-megaraid_sas-error-handling-for-invalid-ldcount-provided-by-firmware-in-raid-map.patch scsi-megaraid_sas-unload-flag-should-be-set-after-scsi_remove_host-is-called.patch scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch selftests-net-fix-bugs-in-address-and-port-initialization.patch signal-arm-document-conflicts-with-si_user-and-sigfpe.patch signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch spi-sh-msiof-fix-timeout-failures-for-tx-only-dma-transfers.patch staging-lustre-disable-preempt-while-sampling-processor-id.patch tcmu-release-blocks-for-partially-setup-cmds.patch thermal-int3400_thermal-fix-error-handling-in-int3400_thermal_probe.patch thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch tpm-return-a-tpm_rc_command_code-response-if-command-is-not-implemented.patch tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch uio_hv_generic-check-that-host-supports-monitor-page.patch vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch vfs-close-race-between-getcwd-and-d_move.patch watchdog-dw_wdt-add-stop-watchdog-operation.patch wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch x86-gart-exclude-gart-aperture-from-vmcore.patch --- diff --git a/queue-4.14/acpi-ec-fix-debugfs_create_-usage.patch b/queue-4.14/acpi-ec-fix-debugfs_create_-usage.patch new file mode 100644 index 00000000000..82fae785c7a --- /dev/null +++ b/queue-4.14/acpi-ec-fix-debugfs_create_-usage.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Geert Uytterhoeven +Date: Tue, 2 Jan 2018 16:26:31 +0100 +Subject: ACPI: EC: Fix debugfs_create_*() usage + +From: Geert Uytterhoeven + + +[ Upstream commit 3522f867c13b63cf62acdf1b8ca5664c549a716a ] + +acpi_ec.gpe is "unsigned long", hence treating it as "u32" would expose +the wrong half on big-endian 64-bit systems. Fix this by changing its +type to "u32" and removing the cast, as all other code already uses u32 +or sometimes even only u8. + +Fixes: 1195a098168fcacf (ACPI: Provide /sys/kernel/debug/ec/...) +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ec.c | 2 +- + drivers/acpi/ec_sys.c | 2 +- + drivers/acpi/internal.h | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1516,7 +1516,7 @@ static int acpi_ec_setup(struct acpi_ec + } + + acpi_handle_info(ec->handle, +- "GPE=0x%lx, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n", ++ "GPE=0x%x, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n", + ec->gpe, ec->command_addr, ec->data_addr); + return ret; + } +--- a/drivers/acpi/ec_sys.c ++++ b/drivers/acpi/ec_sys.c +@@ -128,7 +128,7 @@ static int acpi_ec_add_debugfs(struct ac + return -ENOMEM; + } + +- if (!debugfs_create_x32("gpe", 0444, dev_dir, (u32 *)&first_ec->gpe)) ++ if (!debugfs_create_x32("gpe", 0444, dev_dir, &first_ec->gpe)) + goto error; + if (!debugfs_create_bool("use_global_lock", 0444, dev_dir, + &first_ec->global_lock)) +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -159,7 +159,7 @@ static inline void acpi_early_processor_ + -------------------------------------------------------------------------- */ + struct acpi_ec { + acpi_handle handle; +- unsigned long gpe; ++ u32 gpe; + unsigned long command_addr; + unsigned long data_addr; + bool global_lock; diff --git a/queue-4.14/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch b/queue-4.14/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch new file mode 100644 index 00000000000..4b1f13ddc49 --- /dev/null +++ b/queue-4.14/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hans de Goede +Date: Sat, 23 Dec 2017 19:41:47 +0100 +Subject: ACPI / video: Default lcd_only to true on Win8-ready and newer machines + +From: Hans de Goede + + +[ Upstream commit 5928c281524fe451114e04f1dfa11246a37e859f ] + +We're seeing a lot of bogus backlight interfaces on newer machines without +a LCD such as desktops, servers and HDMI sticks. This causes userspace to +show a non-functional brightness slider in e.g. the GNOME3 system menu, +which is undesirable. And, in general, we should simply just not register +a non functional backlight interface. + +Checking the LCD flag causes the bogus acpi_video backlight interfaces to +go away (on the machines this was tested on). + +This change sets the lcd_only option by default on any machines which +are Win8-ready, to fix this. + +This is not entirely without a risk of regressions, but video_detect.c +already prefers native-backlight interfaces over the acpi_video one +on Win8-ready machines, calling acpi_video_unregister_backlight() as soon +as a native interface shows up. This is done because the ACPI backlight +interface often is broken on Win8-ready machines, because win8 does not +seem to actually use it. + +So in practice we already end up not registering the ACPI backlight +interface on (most) Win8-ready machines with a LCD panel, thus this +change does not change anything for (most) machines with a LCD panel +and on machines without a LCD panel we actually don't want to register +any backlight interfaces. + +This has been tested on the following machines and fixes a bogus backlight +interface showing up there: + - Desktop with an Asrock B150M Pro4S/D3 m.b. using i5-6500 builtin gfx + - Intel Compute Stick STK1AW32SC + - Meegopad T08 HDMI stick + +Bogus backlight interfaces have also been reported on: + - Desktop with Asus H87I-Plus m.b. + - Desktop with ASRock B75M-ITX m.b. + - Desktop with Gigabyte Z87-D3HP m.b. + - Dell PowerEdge T20 desktop + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1097436 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133327 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133329 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133646 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_video.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -80,8 +80,8 @@ MODULE_PARM_DESC(report_key_events, + static bool device_id_scheme = false; + module_param(device_id_scheme, bool, 0444); + +-static bool only_lcd = false; +-module_param(only_lcd, bool, 0444); ++static int only_lcd = -1; ++module_param(only_lcd, int, 0444); + + static int register_count; + static DEFINE_MUTEX(register_count_mutex); +@@ -2136,6 +2136,16 @@ int acpi_video_register(void) + goto leave; + } + ++ /* ++ * We're seeing a lot of bogus backlight interfaces on newer machines ++ * without a LCD such as desktops, servers and HDMI sticks. Checking ++ * the lcd flag fixes this, so enable this on any machines which are ++ * win8 ready (where we also prefer the native backlight driver, so ++ * normally the acpi_video code should not register there anyways). ++ */ ++ if (only_lcd == -1) ++ only_lcd = acpi_osi_is_win8(); ++ + dmi_check_system(video_dmi_table); + + ret = acpi_bus_register_driver(&acpi_video_bus); diff --git a/queue-4.14/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch b/queue-4.14/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch new file mode 100644 index 00000000000..b75d144843f --- /dev/null +++ b/queue-4.14/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Rasmus Villemoes +Date: Thu, 16 Nov 2017 13:15:26 +0100 +Subject: ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node + +From: Rasmus Villemoes + + +[ Upstream commit d5c7b4d5ac2237a6da7ced3adfe6b8bf769f8cc6 ] + +Commit a22950c888e3 (mmc: sdhci-of-esdhc: add quirk +SDHCI_QUIRK_BROKEN_TIMEOUT_VAL for ls1021a) added logic to the driver to +enable the broken timeout val quirk for ls1021a, but did not add the +corresponding compatible string to the device tree, so it didn't really +have any effect. Fix that. + +Signed-off-by: Rasmus Villemoes +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -155,7 +155,7 @@ + }; + + esdhc: esdhc@1560000 { +- compatible = "fsl,esdhc"; ++ compatible = "fsl,ls1021a-esdhc", "fsl,esdhc"; + reg = <0x0 0x1560000 0x0 0x10000>; + interrupts = ; + clock-frequency = <0>; diff --git a/queue-4.14/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch b/queue-4.14/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch new file mode 100644 index 00000000000..e71ea1b642d --- /dev/null +++ b/queue-4.14/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hans de Goede +Date: Tue, 2 Jan 2018 19:53:14 +0100 +Subject: ASoC: Intel: cht_bsw_rt5645: Analog Mic support + +From: Hans de Goede + + +[ Upstream commit b70b309950418437bbd2a30afd169c4f09dee3e5 ] + +Various Cherry Trail boards with a rt5645 codec have an analog mic +connected to IN2P + IN2N. The mic on this boards also needs micbias to +be enabled, on some boards micbias1 is used and on others micbias2, so +we enable both. + +This commit adds a new "Int Analog Mic" DAPM widget for this, so that we +do not end up enabling micbias on boards with a digital mic which uses +the already present "Int Mic" widget. Some existing UCM files already +refer to "Int Mic" for their "Internal Analog Microphones" SectionDevice, +but these don't work anyways since they enable the RECMIX BST1 Switch +instead of the BST2 switch. + +Signed-off-by: Hans de Goede +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/cht_bsw_rt5645.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c +@@ -133,6 +133,7 @@ static const struct snd_soc_dapm_widget + SND_SOC_DAPM_HP("Headphone", NULL), + SND_SOC_DAPM_MIC("Headset Mic", NULL), + SND_SOC_DAPM_MIC("Int Mic", NULL), ++ SND_SOC_DAPM_MIC("Int Analog Mic", NULL), + SND_SOC_DAPM_SPK("Ext Spk", NULL), + SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0, + platform_clock_control, SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), +@@ -143,6 +144,8 @@ static const struct snd_soc_dapm_route c + {"IN1N", NULL, "Headset Mic"}, + {"DMIC L1", NULL, "Int Mic"}, + {"DMIC R1", NULL, "Int Mic"}, ++ {"IN2P", NULL, "Int Analog Mic"}, ++ {"IN2N", NULL, "Int Analog Mic"}, + {"Headphone", NULL, "HPOL"}, + {"Headphone", NULL, "HPOR"}, + {"Ext Spk", NULL, "SPOL"}, +@@ -150,6 +153,9 @@ static const struct snd_soc_dapm_route c + {"Headphone", NULL, "Platform Clock"}, + {"Headset Mic", NULL, "Platform Clock"}, + {"Int Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "micbias1"}, ++ {"Int Analog Mic", NULL, "micbias2"}, + {"Ext Spk", NULL, "Platform Clock"}, + }; + +@@ -204,6 +210,7 @@ static const struct snd_kcontrol_new cht + SOC_DAPM_PIN_SWITCH("Headphone"), + SOC_DAPM_PIN_SWITCH("Headset Mic"), + SOC_DAPM_PIN_SWITCH("Int Mic"), ++ SOC_DAPM_PIN_SWITCH("Int Analog Mic"), + SOC_DAPM_PIN_SWITCH("Ext Spk"), + }; + diff --git a/queue-4.14/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch b/queue-4.14/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch new file mode 100644 index 00000000000..22540694846 --- /dev/null +++ b/queue-4.14/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Pardha Saradhi K +Date: Tue, 2 Jan 2018 14:59:57 +0530 +Subject: ASoC: Intel: Skylake: Disable clock gating during firmware and library download + +From: Pardha Saradhi K + + +[ Upstream commit d5cc0a1fcbb5ddbef9fdd4c4a978da3254ddbf37 ] + +During firmware and library download, sometimes it is observed that +firmware and library download is timed-out resulting into probe failure. + +This patch disables dynamic clock gating while firmware and library +download. + +Signed-off-by: Pardha Saradhi K +Signed-off-by: Sanyog Kale +Signed-off-by: Guneshwor Singh +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/skylake/skl-messages.c | 4 ++++ + sound/soc/intel/skylake/skl-pcm.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/sound/soc/intel/skylake/skl-messages.c ++++ b/sound/soc/intel/skylake/skl-messages.c +@@ -404,7 +404,11 @@ int skl_resume_dsp(struct skl *skl) + if (skl->skl_sst->is_first_boot == true) + return 0; + ++ /* disable dynamic clock gating during fw and lib download */ ++ ctx->enable_miscbdcge(ctx->dev, false); ++ + ret = skl_dsp_wake(ctx->dsp); ++ ctx->enable_miscbdcge(ctx->dev, true); + if (ret < 0) + return ret; + +--- a/sound/soc/intel/skylake/skl-pcm.c ++++ b/sound/soc/intel/skylake/skl-pcm.c +@@ -1332,7 +1332,11 @@ static int skl_platform_soc_probe(struct + return -EIO; + } + ++ /* disable dynamic clock gating during fw and lib download */ ++ skl->skl_sst->enable_miscbdcge(platform->dev, false); ++ + ret = ops->init_fw(platform->dev, skl->skl_sst); ++ skl->skl_sst->enable_miscbdcge(platform->dev, true); + if (ret < 0) { + dev_err(platform->dev, "Failed to boot first fw: %d\n", ret); + return ret; diff --git a/queue-4.14/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch b/queue-4.14/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch new file mode 100644 index 00000000000..f961e8f6b7f --- /dev/null +++ b/queue-4.14/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Christophe JAILLET +Date: Sat, 6 Jan 2018 21:18:24 +0100 +Subject: ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' + +From: Christophe JAILLET + + +[ Upstream commit eaadb1caa966a91128297b754e90b7c92b350a00 ] + +In some error handling paths, an error code is assiegned to 'ret'. +However, the function always return 0. + +Fix it and return the error code if such an error paths is taken. + +Fixes: 3d9ff34622ba ("ASoC: Intel: sst: add stream operations") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/atom/sst/sst_stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/atom/sst/sst_stream.c ++++ b/sound/soc/intel/atom/sst/sst_stream.c +@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct in + sst_free_block(sst_drv_ctx, block); + out: + test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id); +- return 0; ++ return ret; + } + + /* diff --git a/queue-4.14/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch b/queue-4.14/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch new file mode 100644 index 00000000000..469d036914b --- /dev/null +++ b/queue-4.14/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch @@ -0,0 +1,81 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Robert Jarzmik +Date: Thu, 28 Dec 2017 09:27:41 +0100 +Subject: backlight: tdo24m: Fix the SPI CS between transfers + +From: Robert Jarzmik + + +[ Upstream commit 2023b0524a6310e9ea80daf085f51c71bff9289f ] + +Currently the LCD display (TD035S) on the cm-x300 platform is broken and +remains blank. + +The TD0245S specification requires that the chipselect is toggled +between commands sent to the panel. This was also the purpose of the +former patch of commit f64dcac0b124 ("backlight: tdo24m: ensure chip +select changes between transfers"). + +Unfortunately, the "cs_change" field of a SPI transfer is +misleading. Its true meaning is that for a SPI message holding multiple +transfers, the chip select is toggled between each transfer, but for the +last transfer it remains asserted. + +In this driver, all the SPI messages contain exactly one transfer, which +means that each transfer is the last of its message, and as a +consequence the chip select is never toggled. + +Actually, there was a second bug hidding the first one, hence the +problem was not seen until v4.6. This problem was fixed by commit +a52db659c79c ("spi: pxa2xx: Fix cs_change management") for PXA based +boards. + +This fix makes the TD035S work again on a cm-x300 board. The same +applies to other PXA boards, ie. corgi and tosa. + +Fixes: a52db659c79c ("spi: pxa2xx: Fix cs_change management") +Reported-by: Andrea Adami +Signed-off-by: Robert Jarzmik +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/backlight/corgi_lcd.c | 2 +- + drivers/video/backlight/tdo24m.c | 2 +- + drivers/video/backlight/tosa_lcd.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/video/backlight/corgi_lcd.c ++++ b/drivers/video/backlight/corgi_lcd.c +@@ -177,7 +177,7 @@ static int corgi_ssp_lcdtg_send(struct c + struct spi_message msg; + struct spi_transfer xfer = { + .len = 1, +- .cs_change = 1, ++ .cs_change = 0, + .tx_buf = lcd->buf, + }; + +--- a/drivers/video/backlight/tdo24m.c ++++ b/drivers/video/backlight/tdo24m.c +@@ -369,7 +369,7 @@ static int tdo24m_probe(struct spi_devic + + spi_message_init(m); + +- x->cs_change = 1; ++ x->cs_change = 0; + x->tx_buf = &lcd->buf[0]; + spi_message_add_tail(x, m); + +--- a/drivers/video/backlight/tosa_lcd.c ++++ b/drivers/video/backlight/tosa_lcd.c +@@ -49,7 +49,7 @@ static int tosa_tg_send(struct spi_devic + struct spi_message msg; + struct spi_transfer xfer = { + .len = 1, +- .cs_change = 1, ++ .cs_change = 0, + .tx_buf = buf, + }; + diff --git a/queue-4.14/bcache-ret-ioerr-when-read-meets-metadata-error.patch b/queue-4.14/bcache-ret-ioerr-when-read-meets-metadata-error.patch new file mode 100644 index 00000000000..9d12842f89d --- /dev/null +++ b/queue-4.14/bcache-ret-ioerr-when-read-meets-metadata-error.patch @@ -0,0 +1,87 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Rui Hua +Date: Mon, 8 Jan 2018 12:21:18 -0800 +Subject: bcache: ret IOERR when read meets metadata error + +From: Rui Hua + + +[ Upstream commit b221fc130c49c50f4c2250d22e873420765a9fa2 ] + +The read request might meet error when searching the btree, but the error +was not handled in cache_lookup(), and this kind of metadata failure will +not go into cached_dev_read_error(), finally, the upper layer will receive +bi_status=0. In this patch we judge the metadata error by the return +value of bch_btree_map_keys(), there are two potential paths give rise to +the error: + +1. Because the btree is not totally cached in memery, we maybe get error + when read btree node from cache device (see bch_btree_node_get()), the + likely errno is -EIO, -ENOMEM + +2. When read miss happens, bch_btree_insert_check_key() will be called to + insert a "replace_key" to btree(see cached_dev_cache_miss(), just for + doing preparatory work before insert the missed data to cache device), + a failure can also happen in this situation, the likely errno is + -ENOMEM + +bch_btree_map_keys() will return MAP_DONE in normal scenario, but we will +get either -EIO or -ENOMEM in above two cases. if this happened, we should +NOT recover data from backing device (when cache device is dirty) because +we don't know whether bkeys the read request covered are all clean. And +after that happened, s->iop.status is still its initially value(0) before +we submit s->bio.bio, we set it to BLK_STS_IOERR, so it can go into +cached_dev_read_error(), and finally it can be passed to upper layer, or +recovered by reread from backing device. + +[edit by mlyle: patch formatting, word-wrap, comment spelling, +commit log format] + +Signed-off-by: Hua Rui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/request.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -568,6 +568,7 @@ static void cache_lookup(struct closure + { + struct search *s = container_of(cl, struct search, iop.cl); + struct bio *bio = &s->bio.bio; ++ struct cached_dev *dc; + int ret; + + bch_btree_op_init(&s->op, -1); +@@ -580,6 +581,27 @@ static void cache_lookup(struct closure + return; + } + ++ /* ++ * We might meet err when searching the btree, If that happens, we will ++ * get negative ret, in this scenario we should not recover data from ++ * backing device (when cache device is dirty) because we don't know ++ * whether bkeys the read request covered are all clean. ++ * ++ * And after that happened, s->iop.status is still its initial value ++ * before we submit s->bio.bio ++ */ ++ if (ret < 0) { ++ BUG_ON(ret == -EINTR); ++ if (s->d && s->d->c && ++ !UUID_FLASH_ONLY(&s->d->c->uuids[s->d->id])) { ++ dc = container_of(s->d, struct cached_dev, disk); ++ if (dc && atomic_read(&dc->has_dirty)) ++ s->recoverable = false; ++ } ++ if (!s->iop.status) ++ s->iop.status = BLK_STS_IOERR; ++ } ++ + closure_return(cl); + } + diff --git a/queue-4.14/bcache-segregate-flash-only-volume-write-streams.patch b/queue-4.14/bcache-segregate-flash-only-volume-write-streams.patch new file mode 100644 index 00000000000..1b735bf981c --- /dev/null +++ b/queue-4.14/bcache-segregate-flash-only-volume-write-streams.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:21 -0800 +Subject: bcache: segregate flash only volume write streams + +From: Tang Junhui + + +[ Upstream commit 4eca1cb28d8b0574ca4f1f48e9331c5f852d43b9 ] + +In such scenario that there are some flash only volumes +, and some cached devices, when many tasks request these devices in +writeback mode, the write IOs may fall to the same bucket as bellow: +| cached data | flash data | cached data | cached data| flash data| +then after writeback of these cached devices, the bucket would +be like bellow bucket: +| free | flash data | free | free | flash data | + +So, there are many free space in this bucket, but since data of flash +only volumes still exists, so this bucket cannot be reclaimable, +which would cause waste of bucket space. + +In this patch, we segregate flash only volume write streams from +cached devices, so data from flash only volumes and cached devices +can store in different buckets. + +Compare to v1 patch, this patch do not add a additionally open bucket +list, and it is try best to segregate flash only volume write streams +from cached devices, sectors of flash only volumes may still be mixed +with dirty sectors of cached device, but the number is very small. + +[mlyle: fixed commit log formatting, permissions, line endings] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/alloc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -515,15 +515,21 @@ struct open_bucket { + + /* + * We keep multiple buckets open for writes, and try to segregate different +- * write streams for better cache utilization: first we look for a bucket where +- * the last write to it was sequential with the current write, and failing that +- * we look for a bucket that was last used by the same task. ++ * write streams for better cache utilization: first we try to segregate flash ++ * only volume write streams from cached devices, secondly we look for a bucket ++ * where the last write to it was sequential with the current write, and ++ * failing that we look for a bucket that was last used by the same task. + * + * The ideas is if you've got multiple tasks pulling data into the cache at the + * same time, you'll get better cache utilization if you try to segregate their + * data and preserve locality. + * +- * For example, say you've starting Firefox at the same time you're copying a ++ * For example, dirty sectors of flash only volume is not reclaimable, if their ++ * dirty sectors mixed with dirty sectors of cached device, such buckets will ++ * be marked as dirty and won't be reclaimed, though the dirty data of cached ++ * device have been written back to backend device. ++ * ++ * And say you've starting Firefox at the same time you're copying a + * bunch of files. Firefox will likely end up being fairly hot and stay in the + * cache awhile, but the data you copied might not be; if you wrote all that + * data to the same buckets it'd get invalidated at the same time. +@@ -540,7 +546,10 @@ static struct open_bucket *pick_data_buc + struct open_bucket *ret, *ret_task = NULL; + + list_for_each_entry_reverse(ret, &c->data_buckets, list) +- if (!bkey_cmp(&ret->key, search)) ++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) != ++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)])) ++ continue; ++ else if (!bkey_cmp(&ret->key, search)) + goto found; + else if (ret->last_write_point == write_point) + ret_task = ret; diff --git a/queue-4.14/bcache-stop-writeback-thread-after-detaching.patch b/queue-4.14/bcache-stop-writeback-thread-after-detaching.patch new file mode 100644 index 00000000000..21b67c9681d --- /dev/null +++ b/queue-4.14/bcache-stop-writeback-thread-after-detaching.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:19 -0800 +Subject: bcache: stop writeback thread after detaching + +From: Tang Junhui + + +[ Upstream commit 8d29c4426b9f8afaccf28de414fde8a722b35fdf ] + +Currently, when a cached device detaching from cache, writeback thread is +not stopped, and writeback_rate_update work is not canceled. For example, +after the following command: +echo 1 >/sys/block/sdb/bcache/detach +you can still see the writeback thread. Then you attach the device to the +cache again, bcache will create another writeback thread, for example, +after below command: +echo ba0fb5cd-658a-4533-9806-6ce166d883b9 > /sys/block/sdb/bcache/attach +then you will see 2 writeback threads. +This patch stops writeback thread and cancels writeback_rate_update work +when cached device detaching from cache. + +Compare with patch v1, this v2 patch moves code down into the register +lock for safety in case of any future changes as Coly and Mike suggested. + +[edit by mlyle: commit log spelling/formatting] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -893,6 +893,12 @@ static void cached_dev_detach_finish(str + + mutex_lock(&bch_register_lock); + ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) { ++ kthread_stop(dc->writeback_thread); ++ dc->writeback_thread = NULL; ++ } ++ + memset(&dc->sb.set_uuid, 0, 16); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE); + diff --git a/queue-4.14/blk-mq-avoid-to-map-cpu-into-stale-hw-queue.patch b/queue-4.14/blk-mq-avoid-to-map-cpu-into-stale-hw-queue.patch new file mode 100644 index 00000000000..a61f0216f52 --- /dev/null +++ b/queue-4.14/blk-mq-avoid-to-map-cpu-into-stale-hw-queue.patch @@ -0,0 +1,102 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Ming Lei +Date: Sat, 6 Jan 2018 16:27:39 +0800 +Subject: blk-mq: avoid to map CPU into stale hw queue + +From: Ming Lei + + +[ Upstream commit 7d4901a90d02500c8011472a060f9b2e60e6e605 ] + +blk_mq_pci_map_queues() may not map one CPU into any hw queue, but its +previous map isn't cleared yet, and may point to one stale hw queue +index. + +This patch fixes the following issue by clearing the mapping table before +setting it up in blk_mq_pci_map_queues(). + +This patches fixes this following issue reported by Zhang Yi: + +[ 101.202734] BUG: unable to handle kernel NULL pointer dereference at 0000000094d3013f +[ 101.211487] IP: blk_mq_map_swqueue+0xbc/0x200 +[ 101.216346] PGD 0 P4D 0 +[ 101.219171] Oops: 0000 [#1] SMP +[ 101.222674] Modules linked in: sunrpc ipmi_ssif vfat fat intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_uncore mxm_wmi intel_rapl_perf iTCO_wdt ipmi_si ipmi_devintf pcspkr iTCO_vendor_support sg dcdbas ipmi_msghandler wmi mei_me lpc_ich shpchp mei acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ahci libahci crc32c_intel libata tg3 nvme nvme_core megaraid_sas ptp i2c_core pps_core dm_mirror dm_region_hash dm_log dm_mod +[ 101.284881] CPU: 0 PID: 504 Comm: kworker/u25:5 Not tainted 4.15.0-rc2 #1 +[ 101.292455] Hardware name: Dell Inc. PowerEdge R730xd/072T6D, BIOS 2.5.5 08/16/2017 +[ 101.301001] Workqueue: nvme-wq nvme_reset_work [nvme] +[ 101.306636] task: 00000000f2c53190 task.stack: 000000002da874f9 +[ 101.313241] RIP: 0010:blk_mq_map_swqueue+0xbc/0x200 +[ 101.318681] RSP: 0018:ffffc9000234fd70 EFLAGS: 00010282 +[ 101.324511] RAX: ffff88047ffc9480 RBX: ffff88047e130850 RCX: 0000000000000000 +[ 101.332471] RDX: ffffe8ffffd40580 RSI: ffff88047e509b40 RDI: ffff88046f37a008 +[ 101.340432] RBP: 000000000000000b R08: ffff88046f37a008 R09: 0000000011f94280 +[ 101.348392] R10: ffff88047ffd4d00 R11: 0000000000000000 R12: ffff88046f37a008 +[ 101.356353] R13: ffff88047e130f38 R14: 000000000000000b R15: ffff88046f37a558 +[ 101.364314] FS: 0000000000000000(0000) GS:ffff880277c00000(0000) knlGS:0000000000000000 +[ 101.373342] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 101.379753] CR2: 0000000000000098 CR3: 000000047f409004 CR4: 00000000001606f0 +[ 101.387714] Call Trace: +[ 101.390445] blk_mq_update_nr_hw_queues+0xbf/0x130 +[ 101.395791] nvme_reset_work+0x6f4/0xc06 [nvme] +[ 101.400848] ? pick_next_task_fair+0x290/0x5f0 +[ 101.405807] ? __switch_to+0x1f5/0x430 +[ 101.409988] ? put_prev_entity+0x2f/0xd0 +[ 101.414365] process_one_work+0x141/0x340 +[ 101.418836] worker_thread+0x47/0x3e0 +[ 101.422921] kthread+0xf5/0x130 +[ 101.426424] ? rescuer_thread+0x380/0x380 +[ 101.430896] ? kthread_associate_blkcg+0x90/0x90 +[ 101.436048] ret_from_fork+0x1f/0x30 +[ 101.440034] Code: 48 83 3c ca 00 0f 84 2b 01 00 00 48 63 cd 48 8b 93 10 01 00 00 8b 0c 88 48 8b 83 20 01 00 00 4a 03 14 f5 60 04 af 81 48 8b 0c c8 <48> 8b 81 98 00 00 00 f0 4c 0f ab 30 8b 81 f8 00 00 00 89 42 44 +[ 101.461116] RIP: blk_mq_map_swqueue+0xbc/0x200 RSP: ffffc9000234fd70 +[ 101.468205] CR2: 0000000000000098 +[ 101.471907] ---[ end trace 5fe710f98228a3ca ]--- +[ 101.482489] Kernel panic - not syncing: Fatal exception +[ 101.488505] Kernel Offset: disabled +[ 101.497752] ---[ end Kernel panic - not syncing: Fatal exception + +Reviewed-by: Christoph Hellwig +Suggested-by: Christoph Hellwig +Reported-by: Yi Zhang +Tested-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2528,9 +2528,27 @@ static int blk_mq_alloc_rq_maps(struct b + + static int blk_mq_update_queue_map(struct blk_mq_tag_set *set) + { +- if (set->ops->map_queues) ++ if (set->ops->map_queues) { ++ int cpu; ++ /* ++ * transport .map_queues is usually done in the following ++ * way: ++ * ++ * for (queue = 0; queue < set->nr_hw_queues; queue++) { ++ * mask = get_cpu_mask(queue) ++ * for_each_cpu(cpu, mask) ++ * set->mq_map[cpu] = queue; ++ * } ++ * ++ * When we need to remap, the table has to be cleared for ++ * killing stale mapping since one CPU may not be mapped ++ * to any hw queue. ++ */ ++ for_each_possible_cpu(cpu) ++ set->mq_map[cpu] = 0; ++ + return set->ops->map_queues(set); +- else ++ } else + return blk_mq_map_queues(set); + } + diff --git a/queue-4.14/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch b/queue-4.14/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch new file mode 100644 index 00000000000..d5cdb68b87c --- /dev/null +++ b/queue-4.14/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Ming Lei +Date: Tue, 9 Jan 2018 21:28:29 +0800 +Subject: blk-mq: fix kernel oops in blk_mq_tag_idle() + +From: Ming Lei + + +[ Upstream commit 8ab0b7dc73e1b3e2987d42554b2bff503f692772 ] + +HW queues may be unmapped in some cases, such as blk_mq_update_nr_hw_queues(), +then we need to check it before calling blk_mq_tag_idle(), otherwise +the following kernel oops can be triggered, so fix it by checking if +the hw queue is unmapped since it doesn't make sense to idle the tags +any more after hw queues are unmapped. + +[ 440.771298] Workqueue: nvme-wq nvme_rdma_del_ctrl_work [nvme_rdma] +[ 440.779104] task: ffff894bae755ee0 ti: ffff893bf9bc8000 task.ti: ffff893bf9bc8000 +[ 440.788359] RIP: 0010:[] [] __blk_mq_tag_idle+0x24/0x40 +[ 440.798697] RSP: 0018:ffff893bf9bcbd10 EFLAGS: 00010286 +[ 440.805538] RAX: 0000000000000000 RBX: ffff895bb131dc00 RCX: 000000000000011f +[ 440.814426] RDX: 00000000ffffffff RSI: 0000000000000120 RDI: ffff895bb131dc00 +[ 440.823301] RBP: ffff893bf9bcbd10 R08: 000000000001b860 R09: 4a51d361c00c0000 +[ 440.832193] R10: b5907f32b4cc7003 R11: ffffd6cabfb57000 R12: ffff894bafd1e008 +[ 440.841091] R13: 0000000000000001 R14: ffff895baf770000 R15: 0000000000000080 +[ 440.849988] FS: 0000000000000000(0000) GS:ffff894bbdcc0000(0000) knlGS:0000000000000000 +[ 440.859955] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 440.867274] CR2: 0000000000000008 CR3: 000000103d098000 CR4: 00000000001407e0 +[ 440.876169] Call Trace: +[ 440.879818] [] blk_mq_exit_hctx+0xd8/0xe0 +[ 440.887051] [] blk_mq_free_queue+0xf0/0x160 +[ 440.894465] [] blk_cleanup_queue+0xd9/0x150 +[ 440.901881] [] nvme_ns_remove+0x5b/0xb0 [nvme_core] +[ 440.910068] [] nvme_remove_namespaces+0x3b/0x60 [nvme_core] +[ 440.919026] [] __nvme_rdma_remove_ctrl+0x2b/0xb0 [nvme_rdma] +[ 440.928079] [] nvme_rdma_del_ctrl_work+0x17/0x20 [nvme_rdma] +[ 440.937126] [] process_one_work+0x17a/0x440 +[ 440.944517] [] worker_thread+0x278/0x3c0 +[ 440.951607] [] ? manage_workers.isra.24+0x2a0/0x2a0 +[ 440.959760] [] kthread+0xcf/0xe0 +[ 440.966055] [] ? insert_kthread_work+0x40/0x40 +[ 440.973715] [] ret_from_fork+0x58/0x90 +[ 440.980586] [] ? insert_kthread_work+0x40/0x40 +[ 440.988229] Code: 5b 41 5c 5d c3 66 90 0f 1f 44 00 00 48 8b 87 20 01 00 00 f0 0f ba 77 40 01 19 d2 85 d2 75 08 c3 0f 1f 80 00 00 00 00 55 48 89 e5 ff 48 08 48 8d 78 10 e8 7f 0f 05 00 5d c3 0f 1f 00 66 2e 0f +[ 441.011620] RIP [] __blk_mq_tag_idle+0x24/0x40 +[ 441.019301] RSP +[ 441.024052] CR2: 0000000000000008 + +Reported-by: Zhang Yi +Tested-by: Zhang Yi +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1928,7 +1928,8 @@ static void blk_mq_exit_hctx(struct requ + { + blk_mq_debugfs_unregister_hctx(hctx); + +- blk_mq_tag_idle(hctx); ++ if (blk_mq_hw_queue_mapped(hctx)) ++ blk_mq_tag_idle(hctx); + + if (set->ops->exit_request) + set->ops->exit_request(set, hctx->fq->flush_rq, hctx_idx); diff --git a/queue-4.14/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch b/queue-4.14/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch new file mode 100644 index 00000000000..cb725769c4c --- /dev/null +++ b/queue-4.14/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Ming Lei +Date: Sat, 6 Jan 2018 16:27:40 +0800 +Subject: blk-mq: fix race between updating nr_hw_queues and switching io sched + +From: Ming Lei + + +[ Upstream commit fb350e0ad99359768e1e80b4784692031ec340e4 ] + +In both elevator_switch_mq() and blk_mq_update_nr_hw_queues(), sched tags +can be allocated, and q->nr_hw_queue is used, and race is inevitable, for +example: blk_mq_init_sched() may trigger use-after-free on hctx, which is +freed in blk_mq_realloc_hw_ctxs() when nr_hw_queues is decreased. + +This patch fixes the race be holding q->sysfs_lock. + +Reviewed-by: Christoph Hellwig +Reported-by: Yi Zhang +Tested-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2314,6 +2314,9 @@ static void blk_mq_realloc_hw_ctxs(struc + struct blk_mq_hw_ctx **hctxs = q->queue_hw_ctx; + + blk_mq_sysfs_unregister(q); ++ ++ /* protect against switching io scheduler */ ++ mutex_lock(&q->sysfs_lock); + for (i = 0; i < set->nr_hw_queues; i++) { + int node; + +@@ -2358,6 +2361,7 @@ static void blk_mq_realloc_hw_ctxs(struc + } + } + q->nr_hw_queues = i; ++ mutex_unlock(&q->sysfs_lock); + blk_mq_sysfs_register(q); + } + diff --git a/queue-4.14/block-bfq-put-async-queues-for-root-bfq-groups-too.patch b/queue-4.14/block-bfq-put-async-queues-for-root-bfq-groups-too.patch new file mode 100644 index 00000000000..0a57f8ce541 --- /dev/null +++ b/queue-4.14/block-bfq-put-async-queues-for-root-bfq-groups-too.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Paolo Valente +Date: Tue, 9 Jan 2018 10:27:58 +0100 +Subject: block, bfq: put async queues for root bfq groups too + +From: Paolo Valente + + +[ Upstream commit 52257ffbfcaf58d247b13fb148e27ed17c33e526 ] + +For each pair [device for which bfq is selected as I/O scheduler, +group in blkio/io], bfq maintains a corresponding bfq group. Each such +bfq group contains a set of async queues, with each async queue +created on demand, i.e., when some I/O request arrives for it. On +creation, an async queue gets an extra reference, to make sure that +the queue is not freed as long as its bfq group exists. Accordingly, +to allow the queue to be freed after the group exited, this extra +reference must released on group exit. + +The above holds also for a bfq root group, i.e., for the bfq group +corresponding to the root blkio/io root for a given device. Yet, by +mistake, the references to the existing async queues of a root group +are not released when the latter exits. This causes a memory leak when +the instance of bfq for a given device exits. In a similar vein, +bfqg_stats_xfer_dead is not executed for a root group. + +This commit fixes bfq_pd_offline so that the latter executes the above +missing operations for a root group too. + +Reported-by: Holger Hoffstätte +Reported-by: Guoqing Jiang +Tested-by: Holger Hoffstätte +Signed-off-by: Davide Ferrari +Signed-off-by: Paolo Valente +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/bfq-cgroup.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -749,10 +749,11 @@ static void bfq_pd_offline(struct blkg_p + unsigned long flags; + int i; + ++ spin_lock_irqsave(&bfqd->lock, flags); ++ + if (!entity) /* root group */ +- return; ++ goto put_async_queues; + +- spin_lock_irqsave(&bfqd->lock, flags); + /* + * Empty all service_trees belonging to this group before + * deactivating the group itself. +@@ -783,6 +784,8 @@ static void bfq_pd_offline(struct blkg_p + } + + __bfq_deactivate_entity(entity, false); ++ ++put_async_queues: + bfq_put_async_queues(bfqd, bfqg); + + spin_unlock_irqrestore(&bfqd->lock, flags); diff --git a/queue-4.14/bluetooth-add-a-new-04ca-3015-qca_rome-device.patch b/queue-4.14/bluetooth-add-a-new-04ca-3015-qca_rome-device.patch new file mode 100644 index 00000000000..a2d39d946ad --- /dev/null +++ b/queue-4.14/bluetooth-add-a-new-04ca-3015-qca_rome-device.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Ioan Moldovan +Date: Mon, 28 Aug 2017 18:09:39 +0300 +Subject: Bluetooth: Add a new 04ca:3015 QCA_ROME device + +From: Ioan Moldovan + + +[ Upstream commit 0a03f98b98c201191e3ba15a0e33f46d8660e1fd ] + +This patch adds the 04ca:3015 (from a QCA9377 board) Bluetooth device +to the btusb blacklist and makes the kernel use the btqca module +instead of btusb. The patch is necessary because, without it the +04ca:3015 device defaults to using the btusb driver, which makes the +WIFI side of the QCA9377 board unusable (obtains 0 MBps in speedtest, +when the 04ca:3015 bluetooth is used with an audio headset). + +/sys/kernel/debug/usb/devices: + + T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 + D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 + P: Vendor=04ca ProdID=3015 Rev= 0.01 + C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA + I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms + E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms + E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms + I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms + I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms + I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms + I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms + I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms + I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Ioan Moldovan +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -277,6 +277,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0489, 0xe09f), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0489, 0xe0a2), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x04ca, 0x3011), .driver_info = BTUSB_QCA_ROME }, ++ { USB_DEVICE(0x04ca, 0x3015), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME }, + + /* Broadcom BCM2035 */ diff --git a/queue-4.14/clk-divider-fix-incorrect-usage-of-container_of.patch b/queue-4.14/clk-divider-fix-incorrect-usage-of-container_of.patch new file mode 100644 index 00000000000..b0627cb90d2 --- /dev/null +++ b/queue-4.14/clk-divider-fix-incorrect-usage-of-container_of.patch @@ -0,0 +1,155 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jerome Brunet +Date: Thu, 21 Dec 2017 17:30:54 +0100 +Subject: clk: divider: fix incorrect usage of container_of + +From: Jerome Brunet + + +[ Upstream commit 12a26c298d2a8b1cab498533fa65198e49e3afd3 ] + +divider_recalc_rate() is an helper function used by clock divider of +different types, so the structure containing the 'hw' pointer is not +always a 'struct clk_divider' + +At the following line: +> div = _get_div(table, val, flags, divider->width); + +in several cases, the value of 'divider->width' is garbage as the actual +structure behind this memory is not a 'struct clk_divider' + +Fortunately, this width value is used by _get_val() only when +CLK_DIVIDER_MAX_AT_ZERO flag is set. This has never been the case so +far when the structure is not a 'struct clk_divider'. This is probably +why we did not notice this bug before + +Fixes: afe76c8fd030 ("clk: allow a clk divider with max divisor when zero") +Signed-off-by: Jerome Brunet +Acked-by: Alexandre Belloni +Acked-by: Sylvain Lemieux +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-divider.c | 7 +++---- + drivers/clk/hisilicon/clkdivider-hi6220.c | 2 +- + drivers/clk/nxp/clk-lpc32xx.c | 2 +- + drivers/clk/qcom/clk-regmap-divider.c | 2 +- + drivers/clk/sunxi-ng/ccu_div.c | 2 +- + drivers/gpu/drm/msm/dsi/pll/dsi_pll_14nm.c | 2 +- + drivers/rtc/rtc-ac100.c | 6 ++++-- + include/linux/clk-provider.h | 2 +- + 8 files changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/clk/clk-divider.c ++++ b/drivers/clk/clk-divider.c +@@ -118,12 +118,11 @@ static unsigned int _get_val(const struc + unsigned long divider_recalc_rate(struct clk_hw *hw, unsigned long parent_rate, + unsigned int val, + const struct clk_div_table *table, +- unsigned long flags) ++ unsigned long flags, unsigned long width) + { +- struct clk_divider *divider = to_clk_divider(hw); + unsigned int div; + +- div = _get_div(table, val, flags, divider->width); ++ div = _get_div(table, val, flags, width); + if (!div) { + WARN(!(flags & CLK_DIVIDER_ALLOW_ZERO), + "%s: Zero divisor and CLK_DIVIDER_ALLOW_ZERO not set\n", +@@ -145,7 +144,7 @@ static unsigned long clk_divider_recalc_ + val &= div_mask(divider->width); + + return divider_recalc_rate(hw, parent_rate, val, divider->table, +- divider->flags); ++ divider->flags, divider->width); + } + + static bool _is_valid_table_div(const struct clk_div_table *table, +--- a/drivers/clk/hisilicon/clkdivider-hi6220.c ++++ b/drivers/clk/hisilicon/clkdivider-hi6220.c +@@ -56,7 +56,7 @@ static unsigned long hi6220_clkdiv_recal + val &= div_mask(dclk->width); + + return divider_recalc_rate(hw, parent_rate, val, dclk->table, +- CLK_DIVIDER_ROUND_CLOSEST); ++ CLK_DIVIDER_ROUND_CLOSEST, dclk->width); + } + + static long hi6220_clkdiv_round_rate(struct clk_hw *hw, unsigned long rate, +--- a/drivers/clk/nxp/clk-lpc32xx.c ++++ b/drivers/clk/nxp/clk-lpc32xx.c +@@ -956,7 +956,7 @@ static unsigned long clk_divider_recalc_ + val &= div_mask(divider->width); + + return divider_recalc_rate(hw, parent_rate, val, divider->table, +- divider->flags); ++ divider->flags, divider->width); + } + + static long clk_divider_round_rate(struct clk_hw *hw, unsigned long rate, +--- a/drivers/clk/qcom/clk-regmap-divider.c ++++ b/drivers/clk/qcom/clk-regmap-divider.c +@@ -59,7 +59,7 @@ static unsigned long div_recalc_rate(str + div &= BIT(divider->width) - 1; + + return divider_recalc_rate(hw, parent_rate, div, NULL, +- CLK_DIVIDER_ROUND_CLOSEST); ++ CLK_DIVIDER_ROUND_CLOSEST, divider->width); + } + + const struct clk_ops clk_regmap_div_ops = { +--- a/drivers/clk/sunxi-ng/ccu_div.c ++++ b/drivers/clk/sunxi-ng/ccu_div.c +@@ -71,7 +71,7 @@ static unsigned long ccu_div_recalc_rate + parent_rate); + + val = divider_recalc_rate(hw, parent_rate, val, cd->div.table, +- cd->div.flags); ++ cd->div.flags, cd->div.width); + + if (cd->common.features & CCU_FEATURE_FIXED_POSTDIV) + val /= cd->fixed_post_div; +--- a/drivers/gpu/drm/msm/dsi/pll/dsi_pll_14nm.c ++++ b/drivers/gpu/drm/msm/dsi/pll/dsi_pll_14nm.c +@@ -698,7 +698,7 @@ static unsigned long dsi_pll_14nm_postdi + val &= div_mask(width); + + return divider_recalc_rate(hw, parent_rate, val, NULL, +- postdiv->flags); ++ postdiv->flags, width); + } + + static long dsi_pll_14nm_postdiv_round_rate(struct clk_hw *hw, +--- a/drivers/rtc/rtc-ac100.c ++++ b/drivers/rtc/rtc-ac100.c +@@ -137,13 +137,15 @@ static unsigned long ac100_clkout_recalc + div = (reg >> AC100_CLKOUT_PRE_DIV_SHIFT) & + ((1 << AC100_CLKOUT_PRE_DIV_WIDTH) - 1); + prate = divider_recalc_rate(hw, prate, div, +- ac100_clkout_prediv, 0); ++ ac100_clkout_prediv, 0, ++ AC100_CLKOUT_PRE_DIV_WIDTH); + } + + div = (reg >> AC100_CLKOUT_DIV_SHIFT) & + (BIT(AC100_CLKOUT_DIV_WIDTH) - 1); + return divider_recalc_rate(hw, prate, div, NULL, +- CLK_DIVIDER_POWER_OF_TWO); ++ CLK_DIVIDER_POWER_OF_TWO, ++ AC100_CLKOUT_DIV_WIDTH); + } + + static long ac100_clkout_round_rate(struct clk_hw *hw, unsigned long rate, +--- a/include/linux/clk-provider.h ++++ b/include/linux/clk-provider.h +@@ -412,7 +412,7 @@ extern const struct clk_ops clk_divider_ + + unsigned long divider_recalc_rate(struct clk_hw *hw, unsigned long parent_rate, + unsigned int val, const struct clk_div_table *table, +- unsigned long flags); ++ unsigned long flags, unsigned long width); + long divider_round_rate_parent(struct clk_hw *hw, struct clk_hw *parent, + unsigned long rate, unsigned long *prate, + const struct clk_div_table *table, diff --git a/queue-4.14/clk-meson-mpll-use-64-bit-maths-in-params_from_rate.patch b/queue-4.14/clk-meson-mpll-use-64-bit-maths-in-params_from_rate.patch new file mode 100644 index 00000000000..d5057e926c1 --- /dev/null +++ b/queue-4.14/clk-meson-mpll-use-64-bit-maths-in-params_from_rate.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Martin Blumenstingl +Date: Sat, 23 Dec 2017 22:38:32 +0100 +Subject: clk: meson: mpll: use 64-bit maths in params_from_rate + +From: Martin Blumenstingl + + +[ Upstream commit 86aacdca66774051cbc0958110a48074b57a060b ] + +"rem * SDM_DEN" can easily overflow on the 32-bit Meson8 and Meson8b +SoCs if the "remainder" (after the division operation) is greater than +262143Hz. This is likely to happen since the input clock for the MPLLs +on Meson8 and Meson8b is "fixed_pll", which is running at a rate of +2550MHz. + +One example where this was observed to be problematic was the Ethernet +clock calculation (which takes MPLL2 as input). When requesting a rate +of 125MHz there is a remainder of 2500000Hz. +The resulting MPLL2 rate before this patch was 127488329Hz. +The resulting MPLL2 rate after this patch is 124999103Hz. + +Commit b609338b26f5 ("clk: meson: mpll: use 64bit math in +rate_from_params") already fixed a similar issue in rate_from_params. + +Fixes: 007e6e5c5f01d3 ("clk: meson: mpll: add rw operation") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/meson/clk-mpll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/meson/clk-mpll.c ++++ b/drivers/clk/meson/clk-mpll.c +@@ -98,7 +98,7 @@ static void params_from_rate(unsigned lo + *sdm = SDM_DEN - 1; + } else { + *n2 = div; +- *sdm = DIV_ROUND_UP(rem * SDM_DEN, requested_rate); ++ *sdm = DIV_ROUND_UP_ULL((u64)rem * SDM_DEN, requested_rate); + } + } + diff --git a/queue-4.14/clk-sunxi-ng-a83t-add-m-divider-to-tcon1-clock.patch b/queue-4.14/clk-sunxi-ng-a83t-add-m-divider-to-tcon1-clock.patch new file mode 100644 index 00000000000..a0eb90bb8e0 --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-a83t-add-m-divider-to-tcon1-clock.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Jernej Å krabec" +Date: Sat, 30 Dec 2017 22:01:54 +0100 +Subject: clk: sunxi-ng: a83t: Add M divider to TCON1 clock + +From: "Jernej Å krabec" + + +[ Upstream commit 7dbc7f5f4904cfddc199af171ea095490a434f15 ] + +TCON1 also has M divider, contrary to TCON0. And the mux is only +2 bits wide, instead of 3. + +Fixes: 05359be1176b ("clk: sunxi-ng: Add driver for A83T CCU") +Signed-off-by: Jernej Skrabec +[wens@csie.org: Add description about mux width difference] +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/sunxi-ng/ccu-sun8i-a83t.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/sunxi-ng/ccu-sun8i-a83t.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-a83t.c +@@ -493,8 +493,8 @@ static SUNXI_CCU_MUX_WITH_GATE(tcon0_clk + 0x118, 24, 3, BIT(31), CLK_SET_RATE_PARENT); + + static const char * const tcon1_parents[] = { "pll-video1" }; +-static SUNXI_CCU_MUX_WITH_GATE(tcon1_clk, "tcon1", tcon1_parents, +- 0x11c, 24, 3, BIT(31), CLK_SET_RATE_PARENT); ++static SUNXI_CCU_M_WITH_MUX_GATE(tcon1_clk, "tcon1", tcon1_parents, ++ 0x11c, 0, 4, 24, 2, BIT(31), CLK_SET_RATE_PARENT); + + static SUNXI_CCU_GATE(csi_misc_clk, "csi-misc", "osc24M", 0x130, BIT(16), 0); + diff --git a/queue-4.14/clk-sunxi-ng-fix-the-a64-h5-clock-description-of-de2-ccu.patch b/queue-4.14/clk-sunxi-ng-fix-the-a64-h5-clock-description-of-de2-ccu.patch new file mode 100644 index 00000000000..05f389948c2 --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-fix-the-a64-h5-clock-description-of-de2-ccu.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Icenowy Zheng +Date: Fri, 22 Dec 2017 20:22:35 +0800 +Subject: clk: sunxi-ng: fix the A64/H5 clock description of DE2 CCU + +From: Icenowy Zheng + + +[ Upstream commit cf4881c1293516c1975606e8f2af7948789168b8 ] + +The clocks of A64/H5 SoCs in the DE2 CCU is the same as the clocks in H3 +DE2 CCU rather than the A83T DE2 CCU (the parent of them is the DE +module clock). + +Fix this by change the clock descriptions to use the clocks of H3. + +Fixes: 763c5bd045b1 ("clk: sunxi-ng: add support for DE2 CCU") +Signed-off-by: Icenowy Zheng +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/sunxi-ng/ccu-sun8i-de2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/sunxi-ng/ccu-sun8i-de2.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-de2.c +@@ -129,10 +129,10 @@ static const struct sunxi_ccu_desc sun8i + }; + + static const struct sunxi_ccu_desc sun50i_a64_de2_clk_desc = { +- .ccu_clks = sun8i_a83t_de2_clks, +- .num_ccu_clks = ARRAY_SIZE(sun8i_a83t_de2_clks), ++ .ccu_clks = sun8i_h3_de2_clks, ++ .num_ccu_clks = ARRAY_SIZE(sun8i_h3_de2_clks), + +- .hw_clks = &sun8i_a83t_de2_hw_clks, ++ .hw_clks = &sun8i_h3_de2_hw_clks, + + .resets = sun50i_a64_de2_resets, + .num_resets = ARRAY_SIZE(sun50i_a64_de2_resets), diff --git a/queue-4.14/crypto-aes-generic-build-with-os-on-gcc-7.patch b/queue-4.14/crypto-aes-generic-build-with-os-on-gcc-7.patch new file mode 100644 index 00000000000..e461f2f9d41 --- /dev/null +++ b/queue-4.14/crypto-aes-generic-build-with-os-on-gcc-7.patch @@ -0,0 +1,91 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Arnd Bergmann +Date: Wed, 3 Jan 2018 23:39:27 +0100 +Subject: crypto: aes-generic - build with -Os on gcc-7+ + +From: Arnd Bergmann + + +[ Upstream commit 148b974deea927f5dbb6c468af2707b488bfa2de ] + +While testing other changes, I discovered that gcc-7.2.1 produces badly +optimized code for aes_encrypt/aes_decrypt. This is especially true when +CONFIG_UBSAN_SANITIZE_ALL is enabled, where it leads to extremely +large stack usage that in turn might cause kernel stack overflows: + +crypto/aes_generic.c: In function 'aes_encrypt': +crypto/aes_generic.c:1371:1: warning: the frame size of 4880 bytes is larger than 2048 bytes [-Wframe-larger-than=] +crypto/aes_generic.c: In function 'aes_decrypt': +crypto/aes_generic.c:1441:1: warning: the frame size of 4864 bytes is larger than 2048 bytes [-Wframe-larger-than=] + +I verified that this problem exists on all architectures that are +supported by gcc-7.2, though arm64 in particular is less affected than +the others. I also found that gcc-7.1 and gcc-8 do not show the extreme +stack usage but still produce worse code than earlier versions for this +file, apparently because of optimization passes that generally provide +a substantial improvement in object code quality but understandably fail +to find any shortcuts in the AES algorithm. + +Possible workarounds include + +a) disabling -ftree-pre and -ftree-sra optimizations, this was an earlier + patch I tried, which reliably fixed the stack usage, but caused a + serious performance regression in some versions, as later testing + found. + +b) disabling UBSAN on this file or all ciphers, as suggested by Ard + Biesheuvel. This would lead to massively better crypto performance in + UBSAN-enabled kernels and avoid the stack usage, but there is a concern + over whether we should exclude arbitrary files from UBSAN at all. + +c) Forcing the optimization level in a different way. Similar to a), + but rather than deselecting specific optimization stages, + this now uses "gcc -Os" for this file, regardless of the + CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE/SIZE option. This is a reliable + workaround for the stack consumption on all architecture, and I've + retested the performance results now on x86, cycles/byte (lower is + better) for cbc(aes-generic) with 256 bit keys: + + -O2 -Os + gcc-6.3.1 14.9 15.1 + gcc-7.0.1 14.7 15.3 + gcc-7.1.1 15.3 14.7 + gcc-7.2.1 16.8 15.9 + gcc-8.0.0 15.5 15.6 + +This implements the option c) by enabling forcing -Os on all compiler +versions starting with gcc-7.1. As a workaround for PR83356, it would +only be needed for gcc-7.2+ with UBSAN enabled, but since it also shows +better performance on gcc-7.1 without UBSAN, it seems appropriate to +use the faster version here as well. + +Side note: during testing, I also played with the AES code in libressl, +which had a similar performance regression from gcc-6 to gcc-7.2, +but was three times slower overall. It might be interesting to +investigate that further and possibly port the Linux implementation +into that. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651 +Cc: Richard Biener +Cc: Jakub Jelinek +Cc: Ard Biesheuvel +Signed-off-by: Arnd Bergmann +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -98,6 +98,7 @@ obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += t + obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o + CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 + obj-$(CONFIG_CRYPTO_AES) += aes_generic.o ++CFLAGS_aes_generic.o := $(call cc-ifversion, -ge, 0701, -Os) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 + obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o + obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o + obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o diff --git a/queue-4.14/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch b/queue-4.14/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch new file mode 100644 index 00000000000..33b79278826 --- /dev/null +++ b/queue-4.14/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Arjun Vynipadath +Date: Wed, 10 Jan 2018 12:02:13 +0530 +Subject: cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages + +From: Arjun Vynipadath + + +[ Upstream commit ea0a42109aee7b92e631c4eb3f2219fadf58acdd ] + +We'd come in with SGE_FL_BUFFER_SIZE[0] and [1] both equal to 64KB and +the extant logic would flag that as an error. This was already fixed in +cxgb4 driver with "92ddcc7 cxgb4: Fix some small bugs in +t4_sge_init_soft() when our Page Size is 64KB". + +Original Work by: Casey Leedom +Signed-off-by: Arjun Vynipadath +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c +@@ -2619,8 +2619,8 @@ void t4vf_sge_stop(struct adapter *adapt + int t4vf_sge_init(struct adapter *adapter) + { + struct sge_params *sge_params = &adapter->params.sge; +- u32 fl0 = sge_params->sge_fl_buffer_size[0]; +- u32 fl1 = sge_params->sge_fl_buffer_size[1]; ++ u32 fl_small_pg = sge_params->sge_fl_buffer_size[0]; ++ u32 fl_large_pg = sge_params->sge_fl_buffer_size[1]; + struct sge *s = &adapter->sge; + + /* +@@ -2628,9 +2628,20 @@ int t4vf_sge_init(struct adapter *adapte + * the Physical Function Driver. Ideally we should be able to deal + * with _any_ configuration. Practice is different ... + */ +- if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) { ++ ++ /* We only bother using the Large Page logic if the Large Page Buffer ++ * is larger than our Page Size Buffer. ++ */ ++ if (fl_large_pg <= fl_small_pg) ++ fl_large_pg = 0; ++ ++ /* The Page Size Buffer must be exactly equal to our Page Size and the ++ * Large Page Size Buffer should be 0 (per above) or a power of 2. ++ */ ++ if (fl_small_pg != PAGE_SIZE || ++ (fl_large_pg & (fl_large_pg - 1)) != 0) { + dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n", +- fl0, fl1); ++ fl_small_pg, fl_large_pg); + return -EINVAL; + } + if ((sge_params->sge_control & RXPKTCPLMODE_F) != +@@ -2642,8 +2653,8 @@ int t4vf_sge_init(struct adapter *adapte + /* + * Now translate the adapter parameters into our internal forms. + */ +- if (fl1) +- s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT; ++ if (fl_large_pg) ++ s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT; + s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F) + ? 128 : 64); + s->pktshift = PKTSHIFT_G(sge_params->sge_control); diff --git a/queue-4.14/edac-mv64x60-fix-an-error-handling-path.patch b/queue-4.14/edac-mv64x60-fix-an-error-handling-path.patch new file mode 100644 index 00000000000..f1d322393d3 --- /dev/null +++ b/queue-4.14/edac-mv64x60-fix-an-error-handling-path.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Christophe JAILLET +Date: Sun, 7 Jan 2018 21:54:00 +0100 +Subject: EDAC, mv64x60: Fix an error handling path + +From: Christophe JAILLET + + +[ Upstream commit 68fa24f9121c04ef146b5158f538c8b32f285be5 ] + +We should not call edac_mc_del_mc() if a corresponding call to +edac_mc_add_mc() has not been performed yet. + +So here, we should go to err instead of err2 to branch at the right +place of the error handling path. + +Signed-off-by: Christophe JAILLET +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180107205400.14068-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/mv64x60_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/mv64x60_edac.c ++++ b/drivers/edac/mv64x60_edac.c +@@ -758,7 +758,7 @@ static int mv64x60_mc_err_probe(struct p + /* Non-ECC RAM? */ + printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__); + res = -ENODEV; +- goto err2; ++ goto err; + } + + edac_dbg(3, "init mci\n"); diff --git a/queue-4.14/gpio-label-descriptors-using-the-device-name.patch b/queue-4.14/gpio-label-descriptors-using-the-device-name.patch new file mode 100644 index 00000000000..06382cdb411 --- /dev/null +++ b/queue-4.14/gpio-label-descriptors-using-the-device-name.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Linus Walleij +Date: Thu, 4 Jan 2018 22:31:11 +0100 +Subject: gpio: label descriptors using the device name + +From: Linus Walleij + + +[ Upstream commit 24e78079bf2250874e33da2e7cfbb6db72d3caf4 ] + +Some GPIO lines appear named "?" in the lsgpio dump due to their +requesting drivers not passing a reasonable label. + +Most typically this happens if a device tree node just defines +gpios = <...> and not foo-gpios = <...>, the former gets named +"foo" and the latter gets named "?". + +However the struct device passed in is always valid so let's +just label the GPIO with dev_name() on the device if no proper +label was passed. + +Cc: Reported-by: Jason Kridner +Reported-by: Jason Kridner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -3340,7 +3340,8 @@ struct gpio_desc *__must_check gpiod_get + return desc; + } + +- status = gpiod_request(desc, con_id); ++ /* If a connection label was passed use that, else use the device name as label */ ++ status = gpiod_request(desc, con_id ? con_id : dev_name(dev)); + if (status < 0) + return ERR_PTR(status); + diff --git a/queue-4.14/gpio-thunderx-fix-error-return-code-in-thunderx_gpio_probe.patch b/queue-4.14/gpio-thunderx-fix-error-return-code-in-thunderx_gpio_probe.patch new file mode 100644 index 00000000000..281095988ee --- /dev/null +++ b/queue-4.14/gpio-thunderx-fix-error-return-code-in-thunderx_gpio_probe.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Wei Yongjun +Date: Wed, 10 Jan 2018 14:37:13 +0000 +Subject: gpio: thunderx: fix error return code in thunderx_gpio_probe() + +From: Wei Yongjun + + +[ Upstream commit 76e28f5ffed82b1e81a86c4eb8d0420515765620 ] + +Fix to return error code -ENOMEM from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 5a2a30024d8c ("gpio: Add gpio driver support for ThunderX and OCTEON-TX") +Signed-off-by: Wei Yongjun +Acked-by: David Daney +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-thunderx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-thunderx.c ++++ b/drivers/gpio/gpio-thunderx.c +@@ -566,8 +566,10 @@ static int thunderx_gpio_probe(struct pc + txgpio->irqd = irq_domain_create_hierarchy(irq_get_irq_data(txgpio->msix_entries[0].vector)->domain, + 0, 0, of_node_to_fwnode(dev->of_node), + &thunderx_gpio_irqd_ops, txgpio); +- if (!txgpio->irqd) ++ if (!txgpio->irqd) { ++ err = -ENOMEM; + goto out; ++ } + + /* Push on irq_data and the domain for each line. */ + for (i = 0; i < ngpio; i++) { diff --git a/queue-4.14/hwmon-ina2xx-make-calibration-register-value-fixed.patch b/queue-4.14/hwmon-ina2xx-make-calibration-register-value-fixed.patch new file mode 100644 index 00000000000..f018a6415da --- /dev/null +++ b/queue-4.14/hwmon-ina2xx-make-calibration-register-value-fixed.patch @@ -0,0 +1,214 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Maciej Purski +Date: Wed, 22 Nov 2017 16:32:15 +0100 +Subject: hwmon: (ina2xx) Make calibration register value fixed + +From: Maciej Purski + + +[ Upstream commit 5d389b125186cf254ad5b8015763ac07c151aea4 ] + +Calibration register is used for calculating current register in +hardware according to datasheet: +current = shunt_volt * calib_register / 2048 (ina 226) +current = shunt_volt * calib_register / 4096 (ina 219) + +Fix calib_register value to 2048 for ina226 and 4096 for ina 219 in +order to avoid truncation error and provide best precision allowed +by shunt_voltage measurement. Make current scale value follow changes +of shunt_resistor from sysfs as calib_register value is now fixed. + +Power_lsb value should also follow shunt_resistor changes as stated in +datasheet: +power_lsb = 25 * current_lsb (ina 226) +power_lsb = 20 * current_lsb (ina 219) + +Signed-off-by: Maciej Purski +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/ina2xx.c | 87 ++++++++++++++++++++++++++++--------------------- + 1 file changed, 50 insertions(+), 37 deletions(-) + +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -95,18 +95,20 @@ enum ina2xx_ids { ina219, ina226 }; + + struct ina2xx_config { + u16 config_default; +- int calibration_factor; ++ int calibration_value; + int registers; + int shunt_div; + int bus_voltage_shift; + int bus_voltage_lsb; /* uV */ +- int power_lsb; /* uW */ ++ int power_lsb_factor; + }; + + struct ina2xx_data { + const struct ina2xx_config *config; + + long rshunt; ++ long current_lsb_uA; ++ long power_lsb_uW; + struct mutex config_lock; + struct regmap *regmap; + +@@ -116,21 +118,21 @@ struct ina2xx_data { + static const struct ina2xx_config ina2xx_config[] = { + [ina219] = { + .config_default = INA219_CONFIG_DEFAULT, +- .calibration_factor = 40960000, ++ .calibration_value = 4096, + .registers = INA219_REGISTERS, + .shunt_div = 100, + .bus_voltage_shift = 3, + .bus_voltage_lsb = 4000, +- .power_lsb = 20000, ++ .power_lsb_factor = 20, + }, + [ina226] = { + .config_default = INA226_CONFIG_DEFAULT, +- .calibration_factor = 5120000, ++ .calibration_value = 2048, + .registers = INA226_REGISTERS, + .shunt_div = 400, + .bus_voltage_shift = 0, + .bus_voltage_lsb = 1250, +- .power_lsb = 25000, ++ .power_lsb_factor = 25, + }, + }; + +@@ -169,12 +171,16 @@ static u16 ina226_interval_to_reg(int in + return INA226_SHIFT_AVG(avg_bits); + } + ++/* ++ * Calibration register is set to the best value, which eliminates ++ * truncation errors on calculating current register in hardware. ++ * According to datasheet (eq. 3) the best values are 2048 for ++ * ina226 and 4096 for ina219. They are hardcoded as calibration_value. ++ */ + static int ina2xx_calibrate(struct ina2xx_data *data) + { +- u16 val = DIV_ROUND_CLOSEST(data->config->calibration_factor, +- data->rshunt); +- +- return regmap_write(data->regmap, INA2XX_CALIBRATION, val); ++ return regmap_write(data->regmap, INA2XX_CALIBRATION, ++ data->config->calibration_value); + } + + /* +@@ -187,10 +193,6 @@ static int ina2xx_init(struct ina2xx_dat + if (ret < 0) + return ret; + +- /* +- * Set current LSB to 1mA, shunt is in uOhms +- * (equation 13 in datasheet). +- */ + return ina2xx_calibrate(data); + } + +@@ -268,15 +270,15 @@ static int ina2xx_get_value(struct ina2x + val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_POWER: +- val = regval * data->config->power_lsb; ++ val = regval * data->power_lsb_uW; + break; + case INA2XX_CURRENT: +- /* signed register, LSB=1mA (selected), in mA */ +- val = (s16)regval; ++ /* signed register, result in mA */ ++ val = regval * data->current_lsb_uA; ++ val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_CALIBRATION: +- val = DIV_ROUND_CLOSEST(data->config->calibration_factor, +- regval); ++ val = regval; + break; + default: + /* programmer goofed */ +@@ -304,9 +306,32 @@ static ssize_t ina2xx_show_value(struct + ina2xx_get_value(data, attr->index, regval)); + } + +-static ssize_t ina2xx_set_shunt(struct device *dev, +- struct device_attribute *da, +- const char *buf, size_t count) ++/* ++ * In order to keep calibration register value fixed, the product ++ * of current_lsb and shunt_resistor should also be fixed and equal ++ * to shunt_voltage_lsb = 1 / shunt_div multiplied by 10^9 in order ++ * to keep the scale. ++ */ ++static int ina2xx_set_shunt(struct ina2xx_data *data, long val) ++{ ++ unsigned int dividend = DIV_ROUND_CLOSEST(1000000000, ++ data->config->shunt_div); ++ if (val <= 0 || val > dividend) ++ return -EINVAL; ++ ++ mutex_lock(&data->config_lock); ++ data->rshunt = val; ++ data->current_lsb_uA = DIV_ROUND_CLOSEST(dividend, val); ++ data->power_lsb_uW = data->config->power_lsb_factor * ++ data->current_lsb_uA; ++ mutex_unlock(&data->config_lock); ++ ++ return 0; ++} ++ ++static ssize_t ina2xx_store_shunt(struct device *dev, ++ struct device_attribute *da, ++ const char *buf, size_t count) + { + unsigned long val; + int status; +@@ -316,18 +341,9 @@ static ssize_t ina2xx_set_shunt(struct d + if (status < 0) + return status; + +- if (val == 0 || +- /* Values greater than the calibration factor make no sense. */ +- val > data->config->calibration_factor) +- return -EINVAL; +- +- mutex_lock(&data->config_lock); +- data->rshunt = val; +- status = ina2xx_calibrate(data); +- mutex_unlock(&data->config_lock); ++ status = ina2xx_set_shunt(data, val); + if (status < 0) + return status; +- + return count; + } + +@@ -387,7 +403,7 @@ static SENSOR_DEVICE_ATTR(power1_input, + + /* shunt resistance */ + static SENSOR_DEVICE_ATTR(shunt_resistor, S_IRUGO | S_IWUSR, +- ina2xx_show_value, ina2xx_set_shunt, ++ ina2xx_show_value, ina2xx_store_shunt, + INA2XX_CALIBRATION); + + /* update interval (ina226 only) */ +@@ -448,10 +464,7 @@ static int ina2xx_probe(struct i2c_clien + val = INA2XX_RSHUNT_DEFAULT; + } + +- if (val <= 0 || val > data->config->calibration_factor) +- return -ENODEV; +- +- data->rshunt = val; ++ ina2xx_set_shunt(data, val); + + ina2xx_regmap_config.max_register = data->config->registers; + diff --git a/queue-4.14/i40evf-don-t-rely-on-netif_running-outside-rtnl_lock.patch b/queue-4.14/i40evf-don-t-rely-on-netif_running-outside-rtnl_lock.patch new file mode 100644 index 00000000000..1f0a3bb36ab --- /dev/null +++ b/queue-4.14/i40evf-don-t-rely-on-netif_running-outside-rtnl_lock.patch @@ -0,0 +1,92 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jacob Keller +Date: Fri, 27 Oct 2017 11:06:49 -0400 +Subject: i40evf: don't rely on netif_running() outside rtnl_lock() + +From: Jacob Keller + + +[ Upstream commit 44b034b406211fc103159f82b9e601e05675c739 ] + +In i40evf_reset_task we use netif_running() to determine whether or not +the device is currently up. This allows us to properly free queue memory +and shut down things before we request the hardware reset. + +It turns out that we cannot be guaranteed of netif_running() returning +false until the device is fully up, as the kernel core code sets +__LINK_STATE_START prior to calling .ndo_open. Since we're not holding +the rtnl_lock(), it's possible that the driver's i40evf_open handler +function is currently being called while we're resetting. + +We can't simply hold the rtnl_lock() while checking netif_running() as +this could cause a deadlock with the i40evf_open() function. +Additionally, we can't avoid the deadlock by holding the rtnl_lock() +over the whole reset path, as this essentially serializes all resets, +and can cause massive delays if we have multiple VFs on a system. + +Instead, lets just check our own internal state __I40EVF_RUNNING state +field. This allows us to ensure that the state is correct and is only +set after we've finished bringing the device up. + +Without this change we might free data structures about device queues +and other memory before they've been fully allocated. + +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40evf/i40evf_main.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c ++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c +@@ -1775,7 +1775,11 @@ static void i40evf_disable_vf(struct i40 + + adapter->flags |= I40EVF_FLAG_PF_COMMS_FAILED; + +- if (netif_running(adapter->netdev)) { ++ /* We don't use netif_running() because it may be true prior to ++ * ndo_open() returning, so we can't assume it means all our open ++ * tasks have finished, since we're not holding the rtnl_lock here. ++ */ ++ if (adapter->state == __I40EVF_RUNNING) { + set_bit(__I40E_VSI_DOWN, adapter->vsi.state); + netif_carrier_off(adapter->netdev); + netif_tx_disable(adapter->netdev); +@@ -1833,6 +1837,7 @@ static void i40evf_reset_task(struct wor + struct i40evf_mac_filter *f; + u32 reg_val; + int i = 0, err; ++ bool running; + + while (test_and_set_bit(__I40EVF_IN_CLIENT_TASK, + &adapter->crit_section)) +@@ -1892,7 +1897,13 @@ static void i40evf_reset_task(struct wor + } + + continue_reset: +- if (netif_running(netdev)) { ++ /* We don't use netif_running() because it may be true prior to ++ * ndo_open() returning, so we can't assume it means all our open ++ * tasks have finished, since we're not holding the rtnl_lock here. ++ */ ++ running = (adapter->state == __I40EVF_RUNNING); ++ ++ if (running) { + netif_carrier_off(netdev); + netif_tx_stop_all_queues(netdev); + adapter->link_up = false; +@@ -1936,7 +1947,10 @@ continue_reset: + + mod_timer(&adapter->watchdog_timer, jiffies + 2); + +- if (netif_running(adapter->netdev)) { ++ /* We were running when the reset started, so we need to restore some ++ * state here. ++ */ ++ if (running) { + /* allocate transmit descriptors */ + err = i40evf_setup_all_tx_resources(adapter); + if (err) diff --git a/queue-4.14/i40iw-correct-q1-xf-object-count-equation.patch b/queue-4.14/i40iw-correct-q1-xf-object-count-equation.patch new file mode 100644 index 00000000000..1bfda7e305b --- /dev/null +++ b/queue-4.14/i40iw-correct-q1-xf-object-count-equation.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Shiraz Saleem +Date: Fri, 22 Dec 2017 09:46:56 -0600 +Subject: i40iw: Correct Q1/XF object count equation + +From: Shiraz Saleem + + +[ Upstream commit fe99afd1febd74e0ef1fed7e3283f09effe1f4f0 ] + +Lower Inbound RDMA Read Queue (Q1) object count by a factor of 2 +as it is incorrectly doubled. Also, round up Q1 and Transmit FIFO (XF) +object count to power of 2 to satisfy hardware requirement. + +Fixes: 86dbcd0f12e9 ("i40iw: add file to handle cqp calls") +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c +@@ -3875,8 +3875,10 @@ enum i40iw_status_code i40iw_config_fpm_ + hmc_info->hmc_obj[I40IW_HMC_IW_APBVT_ENTRY].cnt = 1; + hmc_info->hmc_obj[I40IW_HMC_IW_MR].cnt = mrwanted; + +- hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt = I40IW_MAX_WQ_ENTRIES * qpwanted; +- hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt = 4 * I40IW_MAX_IRD_SIZE * qpwanted; ++ hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt = ++ roundup_pow_of_two(I40IW_MAX_WQ_ENTRIES * qpwanted); ++ hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt = ++ roundup_pow_of_two(2 * I40IW_MAX_IRD_SIZE * qpwanted); + hmc_info->hmc_obj[I40IW_HMC_IW_XFFL].cnt = + hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt / hmc_fpm_misc->xf_block_size; + hmc_info->hmc_obj[I40IW_HMC_IW_Q1FL].cnt = diff --git a/queue-4.14/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch b/queue-4.14/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch new file mode 100644 index 00000000000..c5b75379940 --- /dev/null +++ b/queue-4.14/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Shiraz Saleem +Date: Fri, 22 Dec 2017 09:46:59 -0600 +Subject: i40iw: Fix sequence number for the first partial FPDU + +From: Shiraz Saleem + + +[ Upstream commit df8b13a1b23356d01dfc4647a5629cdb0f4ce566 ] + +Partial FPDU processing is broken as the sequence number +for the first partial FPDU is wrong due to incorrect +Q2 buffer offset. The offset should be 64 rather than 16. + +Fixes: 786c6adb3a94 ("i40iw: add puda code") +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_d.h | 1 + + drivers/infiniband/hw/i40iw/i40iw_puda.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_d.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_d.h +@@ -93,6 +93,7 @@ + #define RDMA_OPCODE_MASK 0x0f + #define RDMA_READ_REQ_OPCODE 1 + #define Q2_BAD_FRAME_OFFSET 72 ++#define Q2_FPSN_OFFSET 64 + #define CQE_MAJOR_DRV 0x8000 + + #define I40IW_TERM_SENT 0x01 +--- a/drivers/infiniband/hw/i40iw/i40iw_puda.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_puda.c +@@ -1376,7 +1376,7 @@ static void i40iw_ieq_handle_exception(s + u32 *hw_host_ctx = (u32 *)qp->hw_host_ctx; + u32 rcv_wnd = hw_host_ctx[23]; + /* first partial seq # in q2 */ +- u32 fps = qp->q2_buf[16]; ++ u32 fps = *(u32 *)(qp->q2_buf + Q2_FPSN_OFFSET); + struct list_head *rxlist = &pfpdu->rxlist; + struct list_head *plist; + diff --git a/queue-4.14/i40iw-validate-correct-ird-ord-connection-parameters.patch b/queue-4.14/i40iw-validate-correct-ird-ord-connection-parameters.patch new file mode 100644 index 00000000000..70bc0232623 --- /dev/null +++ b/queue-4.14/i40iw-validate-correct-ird-ord-connection-parameters.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Tatyana Nikolova +Date: Fri, 22 Dec 2017 09:47:01 -0600 +Subject: i40iw: Validate correct IRD/ORD connection parameters + +From: Tatyana Nikolova + + +[ Upstream commit ce9ce74145aa6814a370a9ff4f5a1d719baaced1 ] + +Casting to u16 before validating IRD/ORD connection +parameters could cause recording wrong IRD/ORD values +in the cm_node. Validate the IRD/ORD parameters as +they are passed by the application before recording +them. + +Fixes: f27b4746f378 ("i40iw: add connection management code") +Signed-off-by: Tatyana Nikolova +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_cm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -125,7 +125,8 @@ static u8 i40iw_derive_hw_ird_setting(u1 + * @conn_ird: connection IRD + * @conn_ord: connection ORD + */ +-static void i40iw_record_ird_ord(struct i40iw_cm_node *cm_node, u16 conn_ird, u16 conn_ord) ++static void i40iw_record_ird_ord(struct i40iw_cm_node *cm_node, u32 conn_ird, ++ u32 conn_ord) + { + if (conn_ird > I40IW_MAX_IRD_SIZE) + conn_ird = I40IW_MAX_IRD_SIZE; +@@ -3841,7 +3842,7 @@ int i40iw_connect(struct iw_cm_id *cm_id + } + + cm_node->apbvt_set = true; +- i40iw_record_ird_ord(cm_node, (u16)conn_param->ird, (u16)conn_param->ord); ++ i40iw_record_ird_ord(cm_node, conn_param->ird, conn_param->ord); + if (cm_node->send_rdma0_op == SEND_RDMA_READ_ZERO && + !cm_node->ord_size) + cm_node->ord_size = 1; diff --git a/queue-4.14/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch b/queue-4.14/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch new file mode 100644 index 00000000000..119dec54a67 --- /dev/null +++ b/queue-4.14/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch @@ -0,0 +1,61 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Mike Marciniszyn +Date: Mon, 18 Dec 2017 19:57:06 -0800 +Subject: IB/rdmavt: Allocate CQ memory on the correct node + +From: Mike Marciniszyn + + +[ Upstream commit db9a2c6f9b6196b889b98e961cb9a37617b11ccf ] + +CQ allocation does not ensure that completion queue entries +and the completion queue structure are allocated on the correct +numa node. + +Fix by allocating the rvt_cq and kernel CQ entries on the device node, +leaving the user CQ entries on the default local node. Also ensure +CQ resizes use the correct allocator when extending a CQ. + +Reviewed-by: Sebastian Sanchez +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rdmavt/cq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/sw/rdmavt/cq.c ++++ b/drivers/infiniband/sw/rdmavt/cq.c +@@ -198,7 +198,7 @@ struct ib_cq *rvt_create_cq(struct ib_de + return ERR_PTR(-EINVAL); + + /* Allocate the completion queue structure. */ +- cq = kzalloc(sizeof(*cq), GFP_KERNEL); ++ cq = kzalloc_node(sizeof(*cq), GFP_KERNEL, rdi->dparms.node); + if (!cq) + return ERR_PTR(-ENOMEM); + +@@ -214,7 +214,9 @@ struct ib_cq *rvt_create_cq(struct ib_de + sz += sizeof(struct ib_uverbs_wc) * (entries + 1); + else + sz += sizeof(struct ib_wc) * (entries + 1); +- wc = vmalloc_user(sz); ++ wc = udata ? ++ vmalloc_user(sz) : ++ vzalloc_node(sz, rdi->dparms.node); + if (!wc) { + ret = ERR_PTR(-ENOMEM); + goto bail_cq; +@@ -369,7 +371,9 @@ int rvt_resize_cq(struct ib_cq *ibcq, in + sz += sizeof(struct ib_uverbs_wc) * (cqe + 1); + else + sz += sizeof(struct ib_wc) * (cqe + 1); +- wc = vmalloc_user(sz); ++ wc = udata ? ++ vmalloc_user(sz) : ++ vzalloc_node(sz, rdi->dparms.node); + if (!wc) + return -ENOMEM; + diff --git a/queue-4.14/ibmvnic-don-t-handle-rx-interrupts-when-not-up.patch b/queue-4.14/ibmvnic-don-t-handle-rx-interrupts-when-not-up.patch new file mode 100644 index 00000000000..4ced1804b9f --- /dev/null +++ b/queue-4.14/ibmvnic-don-t-handle-rx-interrupts-when-not-up.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Nathan Fontenot +Date: Wed, 10 Jan 2018 10:40:09 -0600 +Subject: ibmvnic: Don't handle RX interrupts when not up. + +From: Nathan Fontenot + + +[ Upstream commit 09fb35ead58cd557aa9b20576d15816bc91a4deb ] + +Initiating a kdump via the command line can cause a pending interrupt +to be handled by the ibmvnic driver when initializing the sub-CRQ +irqs during driver initialization. + +NIP [d000000000ca34f0] ibmvnic_interrupt_rx+0x40/0xd0 [ibmvnic] +LR [c000000008132ef0] __handle_irq_event_percpu+0xa0/0x2f0 +Call Trace: +[c000000047fcfde0] [c000000008132ef0] __handle_irq_event_percpu+0xa0/0x2f0 +[c000000047fcfea0] [c00000000813317c] handle_irq_event_percpu+0x3c/0x90 +[c000000047fcfee0] [c00000000813323c] handle_irq_event+0x6c/0xd0 +[c000000047fcff10] [c0000000081385e0] handle_fasteoi_irq+0xf0/0x250 +[c000000047fcff40] [c0000000081320a0] generic_handle_irq+0x50/0x80 +[c000000047fcff60] [c000000008014984] __do_irq+0x84/0x1d0 +[c000000047fcff90] [c000000008027564] call_do_irq+0x14/0x24 +[c00000003c92af00] [c000000008014b70] do_IRQ+0xa0/0x120 +[c00000003c92af50] [c000000008002594] hardware_interrupt_common+0x114/0x180 + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2209,6 +2209,12 @@ static irqreturn_t ibmvnic_interrupt_rx( + struct ibmvnic_sub_crq_queue *scrq = instance; + struct ibmvnic_adapter *adapter = scrq->adapter; + ++ /* When booting a kdump kernel we can hit pending interrupts ++ * prior to completing driver initialization. ++ */ ++ if (unlikely(adapter->state != VNIC_OPEN)) ++ return IRQ_NONE; ++ + adapter->rx_stats_buffers[scrq->scrq_num].interrupts++; + + if (napi_schedule_prep(&adapter->napi[scrq->scrq_num])) { diff --git a/queue-4.14/input-goodix-disable-irqs-while-suspended.patch b/queue-4.14/input-goodix-disable-irqs-while-suspended.patch new file mode 100644 index 00000000000..711fd0832ec --- /dev/null +++ b/queue-4.14/input-goodix-disable-irqs-while-suspended.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hans de Goede +Date: Fri, 12 Jan 2018 00:36:48 -0800 +Subject: Input: goodix - disable IRQs while suspended + +From: Hans de Goede + + +[ Upstream commit faec44b6838312484d63e82286087cf2d5ebb891 ] + +We should not try to do any i2c transfers before the controller is +resumed (which happens before our resume method gets called). + +So we need to disable our IRQ while suspended to enforce this. The +code paths for devices with GPIOs for the int and reset pins already +disable the IRQ the through goodix_free_irq(). + +This commit also disables the IRQ while suspended for devices without +GPIOs for the int and reset pins. + +This fixes the i2c bus sometimes getting stuck after a suspend/resume +causing the touchscreen to sometimes not work after a suspend/resume. +This has been tested on a GPD pocked device. + +BugLink: https://github.com/nexus511/gpd-ubuntu-packages/issues/10 +BugLink: https://www.reddit.com/r/GPDPocket/comments/7niut2/fix_for_broken_touch_after_resume_all_linux/ +Tested-by: Hans de Goede +Signed-off-by: Hans de Goede +Reviewed-by: Bastien Nocera +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -808,8 +808,10 @@ static int __maybe_unused goodix_suspend + int error; + + /* We need gpio pins to suspend/resume */ +- if (!ts->gpiod_int || !ts->gpiod_rst) ++ if (!ts->gpiod_int || !ts->gpiod_rst) { ++ disable_irq(client->irq); + return 0; ++ } + + wait_for_completion(&ts->firmware_loading_complete); + +@@ -849,8 +851,10 @@ static int __maybe_unused goodix_resume( + struct goodix_ts_data *ts = i2c_get_clientdata(client); + int error; + +- if (!ts->gpiod_int || !ts->gpiod_rst) ++ if (!ts->gpiod_int || !ts->gpiod_rst) { ++ enable_irq(client->irq); + return 0; ++ } + + /* + * Exit sleep mode by outputting HIGH level to INT pin diff --git a/queue-4.14/ipv6-reinject-ipv6-packets-if-ipsec-policy-matches-after-snat.patch b/queue-4.14/ipv6-reinject-ipv6-packets-if-ipsec-policy-matches-after-snat.patch new file mode 100644 index 00000000000..c4b04599878 --- /dev/null +++ b/queue-4.14/ipv6-reinject-ipv6-packets-if-ipsec-policy-matches-after-snat.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Tobias Brunner +Date: Thu, 21 Dec 2017 17:32:24 +0100 +Subject: ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT + +From: Tobias Brunner + + +[ Upstream commit 09ee9dba9611cd382fd360a99ad1c2fa23bfdca8 ] + +If SNAT modifies the source address the resulting packet might match +an IPsec policy, reinject the packet if that's the case. + +The exact same thing is already done for IPv4. + +Signed-off-by: Tobias Brunner +Acked-by: Steffen Klassert +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -138,6 +138,14 @@ static int ip6_finish_output(struct net + return ret; + } + ++#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM) ++ /* Policy lookup after SNAT yielded a new policy */ ++ if (skb_dst(skb)->xfrm) { ++ IPCB(skb)->flags |= IPSKB_REROUTED; ++ return dst_output(net, sk, skb); ++ } ++#endif ++ + if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || + dst_allfrag(skb_dst(skb)) || + (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size)) diff --git a/queue-4.14/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch b/queue-4.14/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch new file mode 100644 index 00000000000..f9357b582ed --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch @@ -0,0 +1,92 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Shanker Donthineni +Date: Tue, 5 Dec 2017 13:16:21 -0600 +Subject: irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry + +From: Shanker Donthineni + + +[ Upstream commit ebe2f8718007d5a1238bb3cb8141b5bb2b4d5773 ] + +The ACPI specification says OS shouldn't attempt to use GICC configuration +parameters if the flag ACPI_MADT_ENABLED is cleared. The ARM64-SMP code +skips the disabled GICC entries but not causing any issue. However the +current GICv3 driver probe bails out causing kernel panic() instead of +skipping the disabled GICC interfaces. This issue happens on systems +where redistributor regions are not in the always-on power domain and +one of GICC interface marked with ACPI_MADT_ENABLED=0. + +This patch does the two things to fix the panic. + - Don't return an error in gic_acpi_match_gicc() for disabled GICC entry. + - No need to keep GICR region information for disabled GICC entry. + +Observed kernel crash on QDF2400 platform GICC entry is disabled. +Kernel crash traces: + Kernel panic - not syncing: No interrupt controller found. + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.5 #26 + [] dump_backtrace+0x0/0x218 + [] show_stack+0x14/0x20 + [] dump_stack+0x98/0xb8 + [] panic+0x118/0x26c + [] init_IRQ+0x24/0x2c + [] start_kernel+0x230/0x394 + [] __primary_switched+0x64/0x6c + ---[ end Kernel panic - not syncing: No interrupt controller found. + +Disabled GICC subtable example: + Subtable Type : 0B [Generic Interrupt Controller] + Length : 50 + Reserved : 0000 + CPU Interface Number : 0000003D + Processor UID : 0000003D + Flags (decoded below) : 00000000 + Processor Enabled : 0 + Performance Interrupt Trig Mode : 0 + Virtual GIC Interrupt Trig Mode : 0 + Parking Protocol Version : 00000000 + Performance Interrupt : 00000017 + Parked Address : 0000000000000000 + Base Address : 0000000000000000 + Virtual GIC Base Address : 0000000000000000 + Hypervisor GIC Base Address : 0000000000000000 + Virtual GIC Interrupt : 00000019 + Redistributor Base Address : 0000FFFF88F40000 + ARM MPIDR : 000000000000000D + Efficiency Class : 00 + Reserved : 000000 +Signed-off-by: Shanker Donthineni +Signed-off-by: Marc Zyngier + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -1297,6 +1297,10 @@ gic_acpi_parse_madt_gicc(struct acpi_sub + u32 size = reg == GIC_PIDR2_ARCH_GICv4 ? SZ_64K * 4 : SZ_64K * 2; + void __iomem *redist_base; + ++ /* GICC entry which has !ACPI_MADT_ENABLED is not unusable so skip */ ++ if (!(gicc->flags & ACPI_MADT_ENABLED)) ++ return 0; ++ + redist_base = ioremap(gicc->gicr_base_address, size); + if (!redist_base) + return -ENOMEM; +@@ -1346,6 +1350,13 @@ static int __init gic_acpi_match_gicc(st + if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) + return 0; + ++ /* ++ * It's perfectly valid firmware can pass disabled GICC entry, driver ++ * should not treat as errors, skip the entry instead of probe fail. ++ */ ++ if (!(gicc->flags & ACPI_MADT_ENABLED)) ++ return 0; ++ + return -ENODEV; + } + diff --git a/queue-4.14/l2tp-fix-missing-print-session-offset-info.patch b/queue-4.14/l2tp-fix-missing-print-session-offset-info.patch new file mode 100644 index 00000000000..4d4181a8c2b --- /dev/null +++ b/queue-4.14/l2tp-fix-missing-print-session-offset-info.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hangbin Liu +Date: Fri, 22 Dec 2017 15:10:17 +0100 +Subject: l2tp: fix missing print session offset info + +From: Hangbin Liu + + +[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ] + +Report offset parameter in L2TP_CMD_SESSION_GET command if +it has been configured by userspace + +Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP") +Reported-by: Jianlin Shi +Signed-off-by: Hangbin Liu +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_netlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -765,6 +765,8 @@ static int l2tp_nl_session_send(struct s + + if ((session->ifname[0] && + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) || ++ (session->offset && ++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) || + (session->cookie_len && + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len, + &session->cookie[0])) || diff --git a/queue-4.14/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch b/queue-4.14/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch new file mode 100644 index 00000000000..ccc8770e502 --- /dev/null +++ b/queue-4.14/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch @@ -0,0 +1,123 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Peter Große" +Date: Wed, 13 Dec 2017 18:29:46 +0100 +Subject: mac80211: Fix setting TX power on monitor interfaces + +From: "Peter Große" + + +[ Upstream commit 3a3713ec360138f806c6fc368d1de570f692b347 ] + +Instead of calling ieee80211_recalc_txpower on monitor interfaces +directly, call it using the virtual monitor interface, if one exists. + +In case of a single monitor interface given, reject setting TX power, +if no virtual monitor interface exists. + +That being checked, don't warn in ieee80211_bss_info_change_notify, +after setting TX power on a monitor interface. + +Fixes warning: +------------[ cut here ]------------ + WARNING: CPU: 0 PID: 2193 at net/mac80211/driver-ops.h:167 + ieee80211_bss_info_change_notify+0x111/0x190 Modules linked in: uvcvideo + videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core +rndis_host cdc_ether usbnet mii tp_smapi(O) thinkpad_ec(O) ohci_hcd vboxpci(O) + vboxnetadp(O) vboxnetflt(O) v boxdrv(O) x86_pkg_temp_thermal kvm_intel kvm + irqbypass iwldvm iwlwifi ehci_pci ehci_hcd tpm_tis tpm_tis_core tpm CPU: 0 + PID: 2193 Comm: iw Tainted: G O 4.12.12-gentoo #2 task: + ffff880186fd5cc0 task.stack: ffffc90001b54000 RIP: + 0010:ieee80211_bss_info_change_notify+0x111/0x190 RSP: 0018:ffffc90001b57a10 + EFLAGS: 00010246 RAX: 0000000000000006 RBX: ffff8801052ce840 RCX: + 0000000000000064 RDX: 00000000fffffffc RSI: 0000000000040000 RDI: + ffff8801052ce840 RBP: ffffc90001b57a38 R08: 0000000000000062 R09: + 0000000000000000 R10: ffff8802144b5000 R11: ffff880049dc4614 R12: + 0000000000040000 R13: 0000000000000064 R14: ffff8802105f0760 R15: + ffffc90001b57b48 FS: 00007f92644b4580(0000) GS:ffff88021e200000(0000) + knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f9263c109f0 CR3: 00000001df850000 CR4: 00000000000406f0 + Call Trace: + ieee80211_recalc_txpower+0x33/0x40 + ieee80211_set_tx_power+0x40/0x180 + nl80211_set_wiphy+0x32e/0x950 + +Reported-by: Peter Große +Signed-off-by: Peter Große + +Signed-off-by: Johannes Berg + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 28 +++++++++++++++++++++++++++- + net/mac80211/driver-ops.h | 3 ++- + 2 files changed, 29 insertions(+), 2 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2373,10 +2373,17 @@ static int ieee80211_set_tx_power(struct + struct ieee80211_sub_if_data *sdata; + enum nl80211_tx_power_setting txp_type = type; + bool update_txp_type = false; ++ bool has_monitor = false; + + if (wdev) { + sdata = IEEE80211_WDEV_TO_SUB_IF(wdev); + ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) { ++ sdata = rtnl_dereference(local->monitor_sdata); ++ if (!sdata) ++ return -EOPNOTSUPP; ++ } ++ + switch (type) { + case NL80211_TX_POWER_AUTOMATIC: + sdata->user_power_level = IEEE80211_UNSET_POWER_LEVEL; +@@ -2415,15 +2422,34 @@ static int ieee80211_set_tx_power(struct + + mutex_lock(&local->iflist_mtx); + list_for_each_entry(sdata, &local->interfaces, list) { ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) { ++ has_monitor = true; ++ continue; ++ } + sdata->user_power_level = local->user_power_level; + if (txp_type != sdata->vif.bss_conf.txpower_type) + update_txp_type = true; + sdata->vif.bss_conf.txpower_type = txp_type; + } +- list_for_each_entry(sdata, &local->interfaces, list) ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) ++ continue; + ieee80211_recalc_txpower(sdata, update_txp_type); ++ } + mutex_unlock(&local->iflist_mtx); + ++ if (has_monitor) { ++ sdata = rtnl_dereference(local->monitor_sdata); ++ if (sdata) { ++ sdata->user_power_level = local->user_power_level; ++ if (txp_type != sdata->vif.bss_conf.txpower_type) ++ update_txp_type = true; ++ sdata->vif.bss_conf.txpower_type = txp_type; ++ ++ ieee80211_recalc_txpower(sdata, update_txp_type); ++ } ++ } ++ + return 0; + } + +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -165,7 +165,8 @@ static inline void drv_bss_info_changed( + if (WARN_ON_ONCE(sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE || + sdata->vif.type == NL80211_IFTYPE_NAN || + (sdata->vif.type == NL80211_IFTYPE_MONITOR && +- !sdata->vif.mu_mimo_owner))) ++ !sdata->vif.mu_mimo_owner && ++ !(changed & BSS_CHANGED_TXPOWER)))) + return; + + if (!check_sdata_in_driver(sdata)) diff --git a/queue-4.14/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch b/queue-4.14/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch new file mode 100644 index 00000000000..439fe215c52 --- /dev/null +++ b/queue-4.14/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch @@ -0,0 +1,82 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Mauro Carvalho Chehab +Date: Thu, 28 Dec 2017 09:16:47 -0500 +Subject: media: videobuf2-core: don't go out of the buffer range + +From: Mauro Carvalho Chehab + + +[ Upstream commit df93dc61b0d8b19a5c9db545cf3fcc24f88dfde4 ] + +Currently, there's no check if an invalid buffer range +is passed. However, while testing DVB memory mapped apps, +I got this: + + videobuf2_core: VB: num_buffers -2143943680, buffer 33, index -2143943647 + unable to handle kernel paging request at ffff888b773c0890 + IP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] + PGD 4142c7067 P4D 4142c7067 PUD 0 + Oops: 0002 [#1] SMP + Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc rc_dvbsky sp2 ts2020 intel_rapl x86_pkg_temp_thermal dvb_usb_dvbsky intel_powerclamp dvb_usb_v2 coretemp m88ds3103 kvm_intel i2c_mux dvb_core snd_hda_codec_hdmi crct10dif_pclmul crc32_pclmul videobuf2_vmalloc videobuf2_memops snd_hda_intel ghash_clmulni_intel videobuf2_core snd_hda_codec rc_core mei_me intel_cstate snd_hwdep snd_hda_core videodev intel_uncore snd_pcm mei media tpm_tis tpm_tis_core intel_rapl_perf tpm snd_timer lpc_ich snd soundcore kvm irqbypass libcrc32c i915 i2c_algo_bit drm_kms_helper + e1000e ptp drm crc32c_intel video pps_core + CPU: 3 PID: 1776 Comm: dvbv5-zap Not tainted 4.14.0+ #78 + Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 + task: ffff88877c73bc80 task.stack: ffffb7c402418000 + RIP: 0010:__vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] + RSP: 0018:ffffb7c40241bc60 EFLAGS: 00010246 + RAX: 0000000080360421 RBX: 0000000000000021 RCX: 000000000000000a + RDX: ffffb7c40241bcf4 RSI: ffff888780362c60 RDI: ffff888796d8e130 + RBP: ffffb7c40241bcc8 R08: 0000000000000316 R09: 0000000000000004 + R10: ffff888780362c00 R11: 0000000000000001 R12: 000000000002f000 + R13: ffff8887758be700 R14: 0000000000021000 R15: 0000000000000001 + FS: 00007f2849024740(0000) GS:ffff888796d80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff888b773c0890 CR3: 000000043beb2005 CR4: 00000000003606e0 + Call Trace: + vb2_core_reqbufs+0x226/0x420 [videobuf2_core] + dvb_vb2_reqbufs+0x2d/0xc0 [dvb_core] + dvb_dvr_do_ioctl+0x98/0x1d0 [dvb_core] + dvb_usercopy+0x53/0x1b0 [dvb_core] + ? dvb_demux_ioctl+0x20/0x20 [dvb_core] + ? tty_ldisc_deref+0x16/0x20 + ? tty_write+0x1f9/0x310 + ? process_echoes+0x70/0x70 + dvb_dvr_ioctl+0x15/0x20 [dvb_core] + do_vfs_ioctl+0xa5/0x600 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x1a/0xa5 + RIP: 0033:0x7f28486f7ea7 + RSP: 002b:00007ffc13b2db18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 000055b10fc06130 RCX: 00007f28486f7ea7 + RDX: 00007ffc13b2db48 RSI: 00000000c0086f3c RDI: 0000000000000007 + RBP: 0000000000000203 R08: 000055b10df1e02c R09: 000000000000002e + R10: 0036b42415108357 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007f2849062f60 R14: 00000000000001f1 R15: 00007ffc13b2da54 + Code: 74 0a 60 8b 0a 48 83 c0 30 48 83 c2 04 89 48 d0 89 48 d4 48 39 f0 75 eb 41 8b 42 08 83 7d d4 01 41 c7 82 ec 01 00 00 ff ff ff ff <4d> 89 94 c5 88 00 00 00 74 14 83 c3 01 41 39 dc 0f 85 f1 fe ff + RIP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] RSP: ffffb7c40241bc60 + CR2: ffff888b773c0890 + +So, add a sanity check in order to prevent going past array. + +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/videobuf2-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -332,6 +332,10 @@ static int __vb2_queue_alloc(struct vb2_ + struct vb2_buffer *vb; + int ret; + ++ /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ ++ num_buffers = min_t(unsigned int, num_buffers, ++ VB2_MAX_FRAME - q->num_buffers); ++ + for (buffer = 0; buffer < num_buffers; ++buffer) { + /* Allocate videobuf buffer structures */ + vb = kzalloc(q->buf_struct_size, GFP_KERNEL); diff --git a/queue-4.14/mtd-mtd_oobtest-handle-bitflips-during-reads.patch b/queue-4.14/mtd-mtd_oobtest-handle-bitflips-during-reads.patch new file mode 100644 index 00000000000..83db47689d6 --- /dev/null +++ b/queue-4.14/mtd-mtd_oobtest-handle-bitflips-during-reads.patch @@ -0,0 +1,100 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Miquel Raynal +Date: Thu, 11 Jan 2018 21:39:20 +0100 +Subject: mtd: mtd_oobtest: Handle bitflips during reads + +From: Miquel Raynal + + +[ Upstream commit 12663b442e5ac5aa3d6097cd3f287c71ba46d26e ] + +Reads from NAND devices usually trigger bitflips, this is an expected +behavior. While bitflips are under a given threshold, the MTD core +returns 0. However, when the number of corrected bitflips is above this +same threshold, -EUCLEAN is returned to inform the upper layer that this +block is slightly dying and soon the ECC engine will be overtaken so +actions should be taken to move the data out of it. + +This particular condition should not be treated like an error and the +test should continue. + +Signed-off-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/tests/oobtest.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/mtd/tests/oobtest.c ++++ b/drivers/mtd/tests/oobtest.c +@@ -193,6 +193,9 @@ static int verify_eraseblock(int ebnum) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != use_len) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -227,6 +230,9 @@ static int verify_eraseblock(int ebnum) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != mtd->oobavail) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -286,6 +292,9 @@ static int verify_eraseblock_in_one_go(i + + /* read entire block's OOB at one go */ + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != len) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -527,6 +536,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to start read past end of OOB\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, addr0, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -571,6 +583,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to read past end of device\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -615,6 +630,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to read past end of device\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -684,6 +702,9 @@ static int __init mtd_oobtest_init(void) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) + goto out; + if (memcmpshow(addr, readbuf, writebuf, diff --git a/queue-4.14/net-hns3-fix-a-loop-index-error-of-tqp-statistics-query.patch b/queue-4.14/net-hns3-fix-a-loop-index-error-of-tqp-statistics-query.patch new file mode 100644 index 00000000000..0cadad3ff99 --- /dev/null +++ b/queue-4.14/net-hns3-fix-a-loop-index-error-of-tqp-statistics-query.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jian Shen +Date: Fri, 5 Jan 2018 18:18:13 +0800 +Subject: net: hns3: Fix a loop index error of tqp statistics query + +From: Jian Shen + + +[ Upstream commit 94bfaafac9d2a3c0bcca00d01e38f7597b741799 ] + +An error loop index was used while querying statistics data +of tqps, which may cause call trace. + +Fixes: 496d03e960ae ("net: hns3: Add Ethtool support to HNS3 driver") +Signed-off-by: Jian Shen +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c +@@ -189,13 +189,13 @@ static u64 *hns3_get_stats_tqps(struct h + struct hnae3_knic_private_info *kinfo = &handle->kinfo; + struct hns3_enet_ring *ring; + u8 *stat; +- u32 i; ++ int i, j; + + /* get stats for Tx */ + for (i = 0; i < kinfo->num_tqps; i++) { + ring = nic_priv->ring_data[i].ring; +- for (i = 0; i < HNS3_TXQ_STATS_COUNT; i++) { +- stat = (u8 *)ring + hns3_txq_stats[i].stats_offset; ++ for (j = 0; j < HNS3_TXQ_STATS_COUNT; j++) { ++ stat = (u8 *)ring + hns3_txq_stats[j].stats_offset; + *data++ = *(u64 *)stat; + } + } +@@ -203,8 +203,8 @@ static u64 *hns3_get_stats_tqps(struct h + /* get stats for Rx */ + for (i = 0; i < kinfo->num_tqps; i++) { + ring = nic_priv->ring_data[i + kinfo->num_tqps].ring; +- for (i = 0; i < HNS3_RXQ_STATS_COUNT; i++) { +- stat = (u8 *)ring + hns3_rxq_stats[i].stats_offset; ++ for (j = 0; j < HNS3_RXQ_STATS_COUNT; j++) { ++ stat = (u8 *)ring + hns3_rxq_stats[j].stats_offset; + *data++ = *(u64 *)stat; + } + } diff --git a/queue-4.14/net-hns3-fix-an-error-macro-definition-of-hns3_tqp_stat.patch b/queue-4.14/net-hns3-fix-an-error-macro-definition-of-hns3_tqp_stat.patch new file mode 100644 index 00000000000..34faa3455b7 --- /dev/null +++ b/queue-4.14/net-hns3-fix-an-error-macro-definition-of-hns3_tqp_stat.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jian Shen +Date: Fri, 5 Jan 2018 18:18:14 +0800 +Subject: net: hns3: Fix an error macro definition of HNS3_TQP_STAT + +From: Jian Shen + + +[ Upstream commit 57ffee737b36dbb81e8e60a37e01791553157a5e ] + +The member "stats_offset" was designed to indicate the offset +of each member of struct ring_stats in struct hns3_enet_ring, +but forgot to add the offset of the member in struct ring_stats. + +Fixes: 496d03e960a ("net: hns3: Add Ethtool support to HNS3 driver") +Signed-off-by: Jian Shen +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_ethtool.c +@@ -22,7 +22,8 @@ struct hns3_stats { + #define HNS3_TQP_STAT(_string, _member) { \ + .stats_string = _string, \ + .stats_size = FIELD_SIZEOF(struct ring_stats, _member), \ +- .stats_offset = offsetof(struct hns3_enet_ring, stats), \ ++ .stats_offset = offsetof(struct hns3_enet_ring, stats) +\ ++ offsetof(struct ring_stats, _member), \ + } \ + + static const struct hns3_stats hns3_txq_stats[] = { diff --git a/queue-4.14/net-hns3-fix-an-error-of-total-drop-packet-statistics.patch b/queue-4.14/net-hns3-fix-an-error-of-total-drop-packet-statistics.patch new file mode 100644 index 00000000000..1d73a7d3ead --- /dev/null +++ b/queue-4.14/net-hns3-fix-an-error-of-total-drop-packet-statistics.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jian Shen +Date: Fri, 5 Jan 2018 18:18:12 +0800 +Subject: net: hns3: Fix an error of total drop packet statistics + +From: Jian Shen + + +[ Upstream commit d2a5dca8404871be683c6bbc175ebf9c56dd2865 ] + +The dropped tx/rx packets number of each tqp should also +be counted into the total drop tx/rx packets numbers. + +Fixes: 76ad4f0ee74 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Jian Shen +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c +@@ -1060,6 +1060,8 @@ hns3_nic_get_stats64(struct net_device * + u64 rx_bytes = 0; + u64 tx_pkts = 0; + u64 rx_pkts = 0; ++ u64 tx_drop = 0; ++ u64 rx_drop = 0; + + for (idx = 0; idx < queue_num; idx++) { + /* fetch the tx stats */ +@@ -1068,6 +1070,8 @@ hns3_nic_get_stats64(struct net_device * + start = u64_stats_fetch_begin_irq(&ring->syncp); + tx_bytes += ring->stats.tx_bytes; + tx_pkts += ring->stats.tx_pkts; ++ tx_drop += ring->stats.tx_busy; ++ tx_drop += ring->stats.sw_err_cnt; + } while (u64_stats_fetch_retry_irq(&ring->syncp, start)); + + /* fetch the rx stats */ +@@ -1076,6 +1080,9 @@ hns3_nic_get_stats64(struct net_device * + start = u64_stats_fetch_begin_irq(&ring->syncp); + rx_bytes += ring->stats.rx_bytes; + rx_pkts += ring->stats.rx_pkts; ++ rx_drop += ring->stats.non_vld_descs; ++ rx_drop += ring->stats.err_pkt_len; ++ rx_drop += ring->stats.l2_err; + } while (u64_stats_fetch_retry_irq(&ring->syncp, start)); + } + +@@ -1091,8 +1098,8 @@ hns3_nic_get_stats64(struct net_device * + stats->rx_missed_errors = netdev->stats.rx_missed_errors; + + stats->tx_errors = netdev->stats.tx_errors; +- stats->rx_dropped = netdev->stats.rx_dropped; +- stats->tx_dropped = netdev->stats.tx_dropped; ++ stats->rx_dropped = rx_drop + netdev->stats.rx_dropped; ++ stats->tx_dropped = tx_drop + netdev->stats.tx_dropped; + stats->collisions = netdev->stats.collisions; + stats->rx_over_errors = netdev->stats.rx_over_errors; + stats->rx_frame_errors = netdev->stats.rx_frame_errors; diff --git a/queue-4.14/net-hns3-fix-for-changing-mtu.patch b/queue-4.14/net-hns3-fix-for-changing-mtu.patch new file mode 100644 index 00000000000..d9caccc345d --- /dev/null +++ b/queue-4.14/net-hns3-fix-for-changing-mtu.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Fuyun Liang +Date: Fri, 5 Jan 2018 18:18:20 +0800 +Subject: net: hns3: fix for changing MTU + +From: Fuyun Liang + + +[ Upstream commit 5bad95a1e55f4d5bb41e130db859d57eaf1b1549 ] + +when changing MTU, The new MTU must need to be set to netdevice. + +Fixes: a8e8b7ff3517 ("net: hns3: Add support to change MTU in HNS3 hardware") +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c +@@ -1313,6 +1313,8 @@ static int hns3_nic_change_mtu(struct ne + return ret; + } + ++ netdev->mtu = new_mtu; ++ + /* if the netdev was running earlier, bring it up again */ + if (if_running && hns3_nic_net_open(netdev)) + ret = -EINVAL; diff --git a/queue-4.14/net-hns3-fix-for-getting-auto-negotiation-state-in-hclge_get_autoneg.patch b/queue-4.14/net-hns3-fix-for-getting-auto-negotiation-state-in-hclge_get_autoneg.patch new file mode 100644 index 00000000000..3321b75d349 --- /dev/null +++ b/queue-4.14/net-hns3-fix-for-getting-auto-negotiation-state-in-hclge_get_autoneg.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Fuyun Liang +Date: Fri, 22 Dec 2017 12:21:50 +0800 +Subject: net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg + +From: Fuyun Liang + + +[ Upstream commit 27b5bf49f0924fd62d2b1ef8467b40773973da34 ] + +When phy exists, we use the value of phydev.autoneg to represent the +auto-negotiation state of hardware. Otherwise, we use the value of +mac.autoneg to represent it. + +This patch fixes for getting a error value of auto-negotiation state in +hclge_get_autoneg(). + +Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -2092,6 +2092,10 @@ static int hclge_get_autoneg(struct hnae + { + struct hclge_vport *vport = hclge_get_vport(handle); + struct hclge_dev *hdev = vport->back; ++ struct phy_device *phydev = hdev->hw.mac.phydev; ++ ++ if (phydev) ++ return phydev->autoneg; + + hclge_query_autoneg_result(hdev); + diff --git a/queue-4.14/net-hns3-free-the-ring_data-structrue-when-change-tqps.patch b/queue-4.14/net-hns3-free-the-ring_data-structrue-when-change-tqps.patch new file mode 100644 index 00000000000..b95944c1be1 --- /dev/null +++ b/queue-4.14/net-hns3-free-the-ring_data-structrue-when-change-tqps.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Peng Li +Date: Fri, 22 Dec 2017 12:21:43 +0800 +Subject: net: hns3: free the ring_data structrue when change tqps + +From: Peng Li + + +[ Upstream commit 99fdf6b1cadf41bb253408589788f025027274f3 ] + +This patch fixes a memory leak problems in change tqps process, +the function hns3_uninit_all_ring and hns3_init_all_ring +may be called many times. + +Signed-off-by: Peng Li +Signed-off-by: Mingguang Qu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hns3_enet.c +@@ -2687,8 +2687,12 @@ static int hns3_uninit_all_ring(struct h + h->ae_algo->ops->reset_queue(h, i); + + hns3_fini_ring(priv->ring_data[i].ring); ++ devm_kfree(priv->dev, priv->ring_data[i].ring); + hns3_fini_ring(priv->ring_data[i + h->kinfo.num_tqps].ring); ++ devm_kfree(priv->dev, ++ priv->ring_data[i + h->kinfo.num_tqps].ring); + } ++ devm_kfree(priv->dev, priv->ring_data); + + return 0; + } diff --git a/queue-4.14/net-mlx4_en-change-default-qos-settings.patch b/queue-4.14/net-mlx4_en-change-default-qos-settings.patch new file mode 100644 index 00000000000..bf9c53773d9 --- /dev/null +++ b/queue-4.14/net-mlx4_en-change-default-qos-settings.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Moni Shoua +Date: Thu, 28 Dec 2017 16:26:11 +0200 +Subject: net/mlx4_en: Change default QoS settings + +From: Moni Shoua + + +[ Upstream commit a42b63c1ac1986f17f71bc91a6b0aaa14d4dae71 ] + +Change the default mapping between TC and TCG as follows: + +Prio | TC/TCG + | from to + | (set by FW) (set by SW) +---------+----------------------------------- +0 | 0/0 0/7 +1 | 1/0 0/6 +2 | 2/0 0/5 +3 | 3/0 0/4 +4 | 4/0 0/3 +5 | 5/0 0/2 +6 | 6/0 0/1 +7 | 7/0 0/0 + +These new settings cause that a pause frame for any prio stops +traffic for all prios. + +Fixes: 564c274c3df0 ("net/mlx4_en: DCB QoS support") +Signed-off-by: Moni Shoua +Signed-off-by: Maor Gottlieb +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 5 +++++ + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 7 +++++++ + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 + + 3 files changed, 13 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c +@@ -310,6 +310,7 @@ static int mlx4_en_ets_validate(struct m + } + + switch (ets->tc_tsa[i]) { ++ case IEEE_8021QAZ_TSA_VENDOR: + case IEEE_8021QAZ_TSA_STRICT: + break; + case IEEE_8021QAZ_TSA_ETS: +@@ -347,6 +348,10 @@ static int mlx4_en_config_port_scheduler + /* higher TC means higher priority => lower pg */ + for (i = IEEE_8021QAZ_MAX_TCS - 1; i >= 0; i--) { + switch (ets->tc_tsa[i]) { ++ case IEEE_8021QAZ_TSA_VENDOR: ++ pg[i] = MLX4_EN_TC_VENDOR; ++ tc_tx_bw[i] = MLX4_EN_BW_MAX; ++ break; + case IEEE_8021QAZ_TSA_STRICT: + pg[i] = num_strict++; + tc_tx_bw[i] = MLX4_EN_BW_MAX; +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -3335,6 +3335,13 @@ int mlx4_en_init_netdev(struct mlx4_en_d + priv->msg_enable = MLX4_EN_MSG_LEVEL; + #ifdef CONFIG_MLX4_EN_DCB + if (!mlx4_is_slave(priv->mdev->dev)) { ++ u8 prio; ++ ++ for (prio = 0; prio < IEEE_8021QAZ_MAX_TCS; ++prio) { ++ priv->ets.prio_tc[prio] = prio; ++ priv->ets.tc_tsa[prio] = IEEE_8021QAZ_TSA_VENDOR; ++ } ++ + priv->dcbx_cap = DCB_CAP_DCBX_VER_CEE | DCB_CAP_DCBX_HOST | + DCB_CAP_DCBX_VER_IEEE; + priv->flags |= MLX4_EN_DCB_ENABLED; +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -476,6 +476,7 @@ struct mlx4_en_frag_info { + #define MLX4_EN_BW_MIN 1 + #define MLX4_EN_BW_MAX 100 /* Utilize 100% of the line */ + ++#define MLX4_EN_TC_VENDOR 0 + #define MLX4_EN_TC_ETS 7 + + enum dcb_pfc_type { diff --git a/queue-4.14/net-mlx5-fix-race-for-multiple-roce-enable.patch b/queue-4.14/net-mlx5-fix-race-for-multiple-roce-enable.patch new file mode 100644 index 00000000000..8989366fbfc --- /dev/null +++ b/queue-4.14/net-mlx5-fix-race-for-multiple-roce-enable.patch @@ -0,0 +1,94 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Daniel Jurgens +Date: Thu, 4 Jan 2018 17:25:31 +0200 +Subject: net/mlx5: Fix race for multiple RoCE enable + +From: Daniel Jurgens + + +[ Upstream commit 734dc065fc41f6143ff88225aa5d335cb1e0f6aa ] + +There are two potential problems with the existing implementation. + +1. Enable and disable can race after the atomic operations. +2. If a command fails the refcount is left in an inconsistent state. + +Introduce a lock and perform error checking. + +Fixes: a6f7d2aff623 ("net/mlx5: Add support for multiple RoCE enable") +Signed-off-by: Daniel Jurgens +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 33 +++++++++++++++++++----- + include/linux/mlx5/driver.h | 2 - + 2 files changed, 28 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -36,6 +36,9 @@ + #include + #include "mlx5_core.h" + ++/* Mutex to hold while enabling or disabling RoCE */ ++static DEFINE_MUTEX(mlx5_roce_en_lock); ++ + static int _mlx5_query_vport_state(struct mlx5_core_dev *mdev, u8 opmod, + u16 vport, u32 *out, int outlen) + { +@@ -998,17 +1001,35 @@ static int mlx5_nic_vport_update_roce_st + + int mlx5_nic_vport_enable_roce(struct mlx5_core_dev *mdev) + { +- if (atomic_inc_return(&mdev->roce.roce_en) != 1) +- return 0; +- return mlx5_nic_vport_update_roce_state(mdev, MLX5_VPORT_ROCE_ENABLED); ++ int err = 0; ++ ++ mutex_lock(&mlx5_roce_en_lock); ++ if (!mdev->roce.roce_en) ++ err = mlx5_nic_vport_update_roce_state(mdev, MLX5_VPORT_ROCE_ENABLED); ++ ++ if (!err) ++ mdev->roce.roce_en++; ++ mutex_unlock(&mlx5_roce_en_lock); ++ ++ return err; + } + EXPORT_SYMBOL_GPL(mlx5_nic_vport_enable_roce); + + int mlx5_nic_vport_disable_roce(struct mlx5_core_dev *mdev) + { +- if (atomic_dec_return(&mdev->roce.roce_en) != 0) +- return 0; +- return mlx5_nic_vport_update_roce_state(mdev, MLX5_VPORT_ROCE_DISABLED); ++ int err = 0; ++ ++ mutex_lock(&mlx5_roce_en_lock); ++ if (mdev->roce.roce_en) { ++ mdev->roce.roce_en--; ++ if (mdev->roce.roce_en == 0) ++ err = mlx5_nic_vport_update_roce_state(mdev, MLX5_VPORT_ROCE_DISABLED); ++ ++ if (err) ++ mdev->roce.roce_en++; ++ } ++ mutex_unlock(&mlx5_roce_en_lock); ++ return err; + } + EXPORT_SYMBOL_GPL(mlx5_nic_vport_disable_roce); + +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -794,7 +794,7 @@ struct mlx5_core_dev { + struct mlx5e_resources mlx5e_res; + struct { + struct mlx5_rsvd_gids reserved_gids; +- atomic_t roce_en; ++ u32 roce_en; + } roce; + #ifdef CONFIG_MLX5_FPGA + struct mlx5_fpga_device *fpga; diff --git a/queue-4.14/nvme_fcloop-disassocate-local-port-structs.patch b/queue-4.14/nvme_fcloop-disassocate-local-port-structs.patch new file mode 100644 index 00000000000..01cf223e2fc --- /dev/null +++ b/queue-4.14/nvme_fcloop-disassocate-local-port-structs.patch @@ -0,0 +1,126 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: James Smart +Date: Wed, 29 Nov 2017 16:47:31 -0800 +Subject: nvme_fcloop: disassocate local port structs + +From: James Smart + + +[ Upstream commit 6fda20283e55b9d288cd56822ce39fc8e64f2208 ] + +The current fcloop driver gets its lport structure from the private +area co-allocated with the fc_localport. All is fine except the +teardown path, which wants to wait on the completion, which is marked +complete by the delete_localport callback performed after +unregister_localport. The issue is, the nvme_fc transport frees the +localport structure immediately after delete_localport is called, +meaning the original routine is trying to wait on a complete that +was just freed. + +Change such that a lport struct is allocated coincident with the +addition and registration of a localport. The private area of the +localport now contains just a backpointer to the real lport struct. +Now, the completion can be waited for, and after completing, the +new structure can be kfree'd. + +Signed-off-by: James Smart +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/fcloop.c | 35 +++++++++++++++++++++++++---------- + 1 file changed, 25 insertions(+), 10 deletions(-) + +--- a/drivers/nvme/target/fcloop.c ++++ b/drivers/nvme/target/fcloop.c +@@ -204,6 +204,10 @@ struct fcloop_lport { + struct completion unreg_done; + }; + ++struct fcloop_lport_priv { ++ struct fcloop_lport *lport; ++}; ++ + struct fcloop_rport { + struct nvme_fc_remote_port *remoteport; + struct nvmet_fc_target_port *targetport; +@@ -657,7 +661,8 @@ fcloop_nport_get(struct fcloop_nport *np + static void + fcloop_localport_delete(struct nvme_fc_local_port *localport) + { +- struct fcloop_lport *lport = localport->private; ++ struct fcloop_lport_priv *lport_priv = localport->private; ++ struct fcloop_lport *lport = lport_priv->lport; + + /* release any threads waiting for the unreg to complete */ + complete(&lport->unreg_done); +@@ -697,7 +702,7 @@ static struct nvme_fc_port_template fcte + .max_dif_sgl_segments = FCLOOP_SGL_SEGS, + .dma_boundary = FCLOOP_DMABOUND_4G, + /* sizes of additional private data for data structures */ +- .local_priv_sz = sizeof(struct fcloop_lport), ++ .local_priv_sz = sizeof(struct fcloop_lport_priv), + .remote_priv_sz = sizeof(struct fcloop_rport), + .lsrqst_priv_sz = sizeof(struct fcloop_lsreq), + .fcprqst_priv_sz = sizeof(struct fcloop_ini_fcpreq), +@@ -728,11 +733,17 @@ fcloop_create_local_port(struct device * + struct fcloop_ctrl_options *opts; + struct nvme_fc_local_port *localport; + struct fcloop_lport *lport; +- int ret; ++ struct fcloop_lport_priv *lport_priv; ++ unsigned long flags; ++ int ret = -ENOMEM; ++ ++ lport = kzalloc(sizeof(*lport), GFP_KERNEL); ++ if (!lport) ++ return -ENOMEM; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) +- return -ENOMEM; ++ goto out_free_lport; + + ret = fcloop_parse_options(opts, buf); + if (ret) +@@ -752,23 +763,25 @@ fcloop_create_local_port(struct device * + + ret = nvme_fc_register_localport(&pinfo, &fctemplate, NULL, &localport); + if (!ret) { +- unsigned long flags; +- + /* success */ +- lport = localport->private; ++ lport_priv = localport->private; ++ lport_priv->lport = lport; ++ + lport->localport = localport; + INIT_LIST_HEAD(&lport->lport_list); + + spin_lock_irqsave(&fcloop_lock, flags); + list_add_tail(&lport->lport_list, &fcloop_lports); + spin_unlock_irqrestore(&fcloop_lock, flags); +- +- /* mark all of the input buffer consumed */ +- ret = count; + } + + out_free_opts: + kfree(opts); ++out_free_lport: ++ /* free only if we're going to fail */ ++ if (ret) ++ kfree(lport); ++ + return ret ? ret : count; + } + +@@ -790,6 +803,8 @@ __wait_localport_unreg(struct fcloop_lpo + + wait_for_completion(&lport->unreg_done); + ++ kfree(lport); ++ + return ret; + } + diff --git a/queue-4.14/nvme_fcloop-fix-abort-race-condition.patch b/queue-4.14/nvme_fcloop-fix-abort-race-condition.patch new file mode 100644 index 00000000000..e78e9aeec98 --- /dev/null +++ b/queue-4.14/nvme_fcloop-fix-abort-race-condition.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: James Smart +Date: Wed, 29 Nov 2017 16:47:30 -0800 +Subject: nvme_fcloop: fix abort race condition + +From: James Smart + + +[ Upstream commit 278e096063f1914fccfc77a617be9fc8dbb31b0e ] + +A test case revealed a race condition of an i/o completing on a thread +parallel to the delete_association generating the aborts for the +outstanding ios on the controller. The i/o completion was freeing the +target fcloop context, thus the abort task referenced the just-freed +memory. + +Correct by clearing the target/initiator cross pointers in the io +completion and abort tasks before calling the callbacks. On aborts +that detect already finished io's, ensure the complete context is +called. + +Signed-off-by: James Smart +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/fcloop.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/nvme/target/fcloop.c ++++ b/drivers/nvme/target/fcloop.c +@@ -374,6 +374,7 @@ fcloop_tgt_fcprqst_done_work(struct work + + spin_lock(&tfcp_req->reqlock); + fcpreq = tfcp_req->fcpreq; ++ tfcp_req->fcpreq = NULL; + spin_unlock(&tfcp_req->reqlock); + + if (tport->remoteport && fcpreq) { +@@ -615,11 +616,7 @@ fcloop_fcp_abort(struct nvme_fc_local_po + + if (!tfcp_req) + /* abort has already been called */ +- return; +- +- if (rport->targetport) +- nvmet_fc_rcv_fcp_abort(rport->targetport, +- &tfcp_req->tgt_fcp_req); ++ goto finish; + + /* break initiator/target relationship for io */ + spin_lock(&tfcp_req->reqlock); +@@ -627,6 +624,11 @@ fcloop_fcp_abort(struct nvme_fc_local_po + tfcp_req->fcpreq = NULL; + spin_unlock(&tfcp_req->reqlock); + ++ if (rport->targetport) ++ nvmet_fc_rcv_fcp_abort(rport->targetport, ++ &tfcp_req->tgt_fcp_req); ++ ++finish: + /* post the aborted io completion */ + fcpreq->status = -ECANCELED; + schedule_work(&inireq->iniwork); diff --git a/queue-4.14/perf-evsel-enable-ignore_missing_thread-for-pid-option.patch b/queue-4.14/perf-evsel-enable-ignore_missing_thread-for-pid-option.patch new file mode 100644 index 00000000000..90a7e525719 --- /dev/null +++ b/queue-4.14/perf-evsel-enable-ignore_missing_thread-for-pid-option.patch @@ -0,0 +1,185 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Mengting Zhang +Date: Wed, 13 Dec 2017 15:01:53 +0800 +Subject: perf evsel: Enable ignore_missing_thread for pid option + +From: Mengting Zhang + + +[ Upstream commit ca8000684ec4e66f965e1f9547a3c6cb834154ca ] + +While monitoring a multithread process with pid option, perf sometimes +may return sys_perf_event_open failure with 3(No such process) if any of +the process's threads die before we open the event. However, we want +perf continue monitoring the remaining threads and do not exit with +error. + +Here, the patch enables perf_evsel::ignore_missing_thread for -p option +to ignore complete failure if any of threads die before we open the event. +But it may still return sys_perf_event_open failure with 22(Invalid) if we +monitors several event groups. + + sys_perf_event_open: pid 28960 cpu 40 group_fd 118202 flags 0x8 + sys_perf_event_open: pid 28961 cpu 40 group_fd 118203 flags 0x8 + WARNING: Ignored open failure for pid 28962 + sys_perf_event_open: pid 28962 cpu 40 group_fd [118203] flags 0x8 + sys_perf_event_open failed, error -22 + +That is because when we ignore a missing thread, we change the thread_idx +without dealing with its fds, FD(evsel, cpu, thread). Then get_group_fd() +may return a wrong group_fd for the next thread and sys_perf_event_open() +return with 22. + + sys_perf_event_open(){ + ... + if (group_fd != -1) + perf_fget_light()//to get corresponding group_leader by group_fd + ... + if (group_leader) + if (group_leader->ctx->task != ctx->task)//should on the same task + goto err_context + ... + } + +This patch also fixes this bug by introducing perf_evsel__remove_fd() and +update_fds to allow removing fds for the missing thread. + +Changes since v1: +- Change group_fd__remove() into a more genetic way without changing code logic +- Remove redundant condition + +Changes since v2: +- Use a proper function name and add some comment. +- Multiline comment style fixes. + +Committer testing: + +Before this patch the recently added 'perf stat --per-thread' for system +wide counting would race while enumerating all threads using /proc: + + [root@jouet ~]# perf stat --per-thread + failed to parse CPUs map: No such file or directory + + Usage: perf stat [] [] + + -C, --cpu list of cpus to monitor in system-wide + -a, --all-cpus system-wide collection from all CPUs + [root@jouet ~]# perf stat --per-thread + failed to parse CPUs map: No such file or directory + + Usage: perf stat [] [] + + -C, --cpu list of cpus to monitor in system-wide + -a, --all-cpus system-wide collection from all CPUs + [root@jouet ~]# + +When, say, the kernel was being built, so lots of shortlived threads, +after this patch this doesn't happen. + +Signed-off-by: Mengting Zhang +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Jiri Olsa +Cc: Cheng Jian +Cc: Li Bin +Cc: Wang Nan +Link: http://lkml.kernel.org/r/1513148513-6974-1-git-send-email-zhangmengting@huawei.com +[ Remove one use 'evlist' alias variable ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-record.c | 4 +-- + tools/perf/util/evsel.c | 47 ++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 47 insertions(+), 4 deletions(-) + +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -1856,8 +1856,8 @@ int cmd_record(int argc, const char **ar + goto out; + } + +- /* Enable ignoring missing threads when -u option is defined. */ +- rec->opts.ignore_missing_thread = rec->opts.target.uid != UINT_MAX; ++ /* Enable ignoring missing threads when -u/-p option is defined. */ ++ rec->opts.ignore_missing_thread = rec->opts.target.uid != UINT_MAX || rec->opts.target.pid; + + err = -ENOMEM; + if (perf_evlist__create_maps(rec->evlist, &rec->opts.target) < 0) +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1591,10 +1591,46 @@ static int __open_attr__fprintf(FILE *fp + return fprintf(fp, " %-32s %s\n", name, val); + } + ++static void perf_evsel__remove_fd(struct perf_evsel *pos, ++ int nr_cpus, int nr_threads, ++ int thread_idx) ++{ ++ for (int cpu = 0; cpu < nr_cpus; cpu++) ++ for (int thread = thread_idx; thread < nr_threads - 1; thread++) ++ FD(pos, cpu, thread) = FD(pos, cpu, thread + 1); ++} ++ ++static int update_fds(struct perf_evsel *evsel, ++ int nr_cpus, int cpu_idx, ++ int nr_threads, int thread_idx) ++{ ++ struct perf_evsel *pos; ++ ++ if (cpu_idx >= nr_cpus || thread_idx >= nr_threads) ++ return -EINVAL; ++ ++ evlist__for_each_entry(evsel->evlist, pos) { ++ nr_cpus = pos != evsel ? nr_cpus : cpu_idx; ++ ++ perf_evsel__remove_fd(pos, nr_cpus, nr_threads, thread_idx); ++ ++ /* ++ * Since fds for next evsel has not been created, ++ * there is no need to iterate whole event list. ++ */ ++ if (pos == evsel) ++ break; ++ } ++ return 0; ++} ++ + static bool ignore_missing_thread(struct perf_evsel *evsel, ++ int nr_cpus, int cpu, + struct thread_map *threads, + int thread, int err) + { ++ pid_t ignore_pid = thread_map__pid(threads, thread); ++ + if (!evsel->ignore_missing_thread) + return false; + +@@ -1610,11 +1646,18 @@ static bool ignore_missing_thread(struct + if (threads->nr == 1) + return false; + ++ /* ++ * We should remove fd for missing_thread first ++ * because thread_map__remove() will decrease threads->nr. ++ */ ++ if (update_fds(evsel, nr_cpus, cpu, threads->nr, thread)) ++ return false; ++ + if (thread_map__remove(threads, thread)) + return false; + + pr_warning("WARNING: Ignored open failure for pid %d\n", +- thread_map__pid(threads, thread)); ++ ignore_pid); + return true; + } + +@@ -1719,7 +1762,7 @@ retry_open: + if (fd < 0) { + err = -errno; + +- if (ignore_missing_thread(evsel, threads, thread, err)) { ++ if (ignore_missing_thread(evsel, cpus->nr, cpu, threads, thread, err)) { + /* + * We just removed 1 thread, so take a step + * back on thread index and lower the upper diff --git a/queue-4.14/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch b/queue-4.14/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch new file mode 100644 index 00000000000..d071f282023 --- /dev/null +++ b/queue-4.14/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 9 Dec 2017 01:26:46 +0900 +Subject: perf probe: Add warning message if there is unexpected event name + +From: Masami Hiramatsu + + +[ Upstream commit 9f5c6d8777a2d962b0eeacb2a16f37da6bea545b ] + +This improve the error message so that user can know event-name error +before writing new events to kprobe-events interface. + +E.g. + ====== + #./perf probe -x /lib64/libc-2.25.so malloc_get_state* + Internal error: "malloc_get_state@GLIBC_2" is an invalid event name. + Error: Failed to add events. + ====== + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Masami Hiramatsu +Acked-by: Ravi Bangoria +Reviewed-by: Thomas Richter +Tested-by: Arnaldo Carvalho de Melo +Cc: Paul Clarke +Cc: bhargavb +Cc: linux-rt-users@vger.kernel.org +Link: http://lkml.kernel.org/r/151275040665.24652.5188568529237584489.stgit@devbox +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/probe-event.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -2625,6 +2625,14 @@ static int get_new_event_name(char *buf, + + out: + free(nbase); ++ ++ /* Final validation */ ++ if (ret >= 0 && !is_c_func_name(buf)) { ++ pr_warning("Internal error: \"%s\" is an invalid event name.\n", ++ buf); ++ ret = -EINVAL; ++ } ++ + return ret; + } + diff --git a/queue-4.14/perf-probe-find-versioned-symbols-from-map.patch b/queue-4.14/perf-probe-find-versioned-symbols-from-map.patch new file mode 100644 index 00000000000..02c229d50cd --- /dev/null +++ b/queue-4.14/perf-probe-find-versioned-symbols-from-map.patch @@ -0,0 +1,141 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 9 Dec 2017 01:28:12 +0900 +Subject: perf probe: Find versioned symbols from map + +From: Masami Hiramatsu + + +[ Upstream commit 4b3a2716dd785fabb9f6ac80c1d53cb29a88169d ] + +Commit d80406453ad4 ("perf symbols: Allow user probes on versioned +symbols") allows user to find default versioned symbols (with "@@") in +map. However, it did not enable normal versioned symbol (with "@") for +perf-probe. E.g. + + ===== + # ./perf probe -x /lib64/libc-2.25.so malloc_get_state + Failed to find symbol malloc_get_state in /usr/lib64/libc-2.25.so + Error: Failed to add events. + ===== + +This solves above issue by improving perf-probe symbol search function, +as below. + + ===== + # ./perf probe -x /lib64/libc-2.25.so malloc_get_state + Added new event: + probe_libc:malloc_get_state (on malloc_get_state in /usr/lib64/libc-2.25.so) + + You can now use it in all perf tools, such as: + + perf record -e probe_libc:malloc_get_state -aR sleep 1 + + # ./perf probe -l + probe_libc:malloc_get_state (on malloc_get_state@GLIBC_2.2.5 in /usr/lib64/libc-2.25.so) + ===== + +Signed-off-by: Masami Hiramatsu +Reviewed-by: Thomas Richter +Acked-by: Ravi Bangoria +Tested-by: Arnaldo Carvalho de Melo +Cc: Paul Clarke +Cc: bhargavb +Cc: linux-rt-users@vger.kernel.org +Link: http://lkml.kernel.org/r/151275049269.24652.1639103455496216255.stgit@devbox +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/sym-handling.c | 8 ++++++++ + tools/perf/util/probe-event.c | 20 ++++++++++++++++++-- + tools/perf/util/symbol.c | 5 +++++ + tools/perf/util/symbol.h | 1 + + 4 files changed, 32 insertions(+), 2 deletions(-) + +--- a/tools/perf/arch/powerpc/util/sym-handling.c ++++ b/tools/perf/arch/powerpc/util/sym-handling.c +@@ -64,6 +64,14 @@ int arch__compare_symbol_names_n(const c + + return strncmp(namea, nameb, n); + } ++ ++const char *arch__normalize_symbol_name(const char *name) ++{ ++ /* Skip over initial dot */ ++ if (name && *name == '.') ++ name++; ++ return name; ++} + #endif + + #if defined(_CALL_ELF) && _CALL_ELF == 2 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -2792,16 +2792,32 @@ static int find_probe_functions(struct m + int found = 0; + struct symbol *sym; + struct rb_node *tmp; ++ const char *norm, *ver; ++ char *buf = NULL; + + if (map__load(map) < 0) + return 0; + + map__for_each_symbol(map, sym, tmp) { +- if (strglobmatch(sym->name, name)) { ++ norm = arch__normalize_symbol_name(sym->name); ++ if (!norm) ++ continue; ++ ++ /* We don't care about default symbol or not */ ++ ver = strchr(norm, '@'); ++ if (ver) { ++ buf = strndup(norm, ver - norm); ++ if (!buf) ++ return -ENOMEM; ++ norm = buf; ++ } ++ if (strglobmatch(norm, name)) { + found++; + if (syms && found < probe_conf.max_probes) + syms[found - 1] = sym; + } ++ if (buf) ++ zfree(&buf); + } + + return found; +@@ -2847,7 +2863,7 @@ static int find_probe_trace_events_from_ + * same name but different addresses, this lists all the symbols. + */ + num_matched_functions = find_probe_functions(map, pp->function, syms); +- if (num_matched_functions == 0) { ++ if (num_matched_functions <= 0) { + pr_err("Failed to find symbol %s in %s\n", pp->function, + pev->target ? : "kernel"); + ret = -ENOENT; +--- a/tools/perf/util/symbol.c ++++ b/tools/perf/util/symbol.c +@@ -93,6 +93,11 @@ static int prefix_underscores_count(cons + return tail - str; + } + ++const char * __weak arch__normalize_symbol_name(const char *name) ++{ ++ return name; ++} ++ + int __weak arch__compare_symbol_names(const char *namea, const char *nameb) + { + return strcmp(namea, nameb); +--- a/tools/perf/util/symbol.h ++++ b/tools/perf/util/symbol.h +@@ -347,6 +347,7 @@ bool elf__needs_adjust_symbols(GElf_Ehdr + void arch__sym_update(struct symbol *s, GElf_Sym *sym); + #endif + ++const char *arch__normalize_symbol_name(const char *name); + #define SYMBOL_A 0 + #define SYMBOL_B 1 + diff --git a/queue-4.14/perf-report-fix-a-no-annotate-browser-displayed-issue.patch b/queue-4.14/perf-report-fix-a-no-annotate-browser-displayed-issue.patch new file mode 100644 index 00000000000..4954c583e9b --- /dev/null +++ b/queue-4.14/perf-report-fix-a-no-annotate-browser-displayed-issue.patch @@ -0,0 +1,87 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jin Yao +Date: Tue, 26 Dec 2017 18:42:43 +0800 +Subject: perf report: Fix a no annotate browser displayed issue + +From: Jin Yao + + +[ Upstream commit 40c39e3046411f84bab82f66783ff3593e2bcd9b ] + +When enabling '-b' option in perf record, for example, + + perf record -b ... + perf report + +and then browsing the annotate browser from perf report (press 'A'), it +would fail (annotate browser can't be displayed). + +It's because the '.add_entry_cb' op of struct report is overwritten by +hist_iter__branch_callback() in builtin-report.c. But this function doesn't do +something like mapping symbols and sources. So next, do_annotate() will return +directly. + + notes = symbol__annotation(act->ms.sym); + if (!notes->src) + return 0; + +This patch adds the lost code to hist_iter__branch_callback (refer to +hist_iter__report_callback). + +v2: + +Fix a crash bug when perform 'perf report --stdio'. + +The reason is that we init the symbol annotation only in browser mode, it +doesn't allocate/init resources for stdio mode. + +So now in hist_iter__branch_callback(), it will return directly if it's not in +browser mode. + +Signed-off-by: Jin Yao +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1514284963-18587-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-report.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -162,12 +162,28 @@ static int hist_iter__branch_callback(st + struct hist_entry *he = iter->he; + struct report *rep = arg; + struct branch_info *bi; ++ struct perf_sample *sample = iter->sample; ++ struct perf_evsel *evsel = iter->evsel; ++ int err; ++ ++ if (!ui__has_annotation()) ++ return 0; ++ ++ hist__account_cycles(sample->branch_stack, al, sample, ++ rep->nonany_branch_mode); + + bi = he->branch_info; ++ err = addr_map_symbol__inc_samples(&bi->from, sample, evsel->idx); ++ if (err) ++ goto out; ++ ++ err = addr_map_symbol__inc_samples(&bi->to, sample, evsel->idx); ++ + branch_type_count(&rep->brtype_stat, &bi->flags, + bi->from.addr, bi->to.addr); + +- return 0; ++out: ++ return err; + } + + static int process_sample_event(struct perf_tool *tool, diff --git a/queue-4.14/perf-tools-fix-copyfile_offset-update-of-output-offset.patch b/queue-4.14/perf-tools-fix-copyfile_offset-update-of-output-offset.patch new file mode 100644 index 00000000000..ed3468331a0 --- /dev/null +++ b/queue-4.14/perf-tools-fix-copyfile_offset-update-of-output-offset.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jiri Olsa +Date: Tue, 9 Jan 2018 14:39:23 +0100 +Subject: perf tools: Fix copyfile_offset update of output offset + +From: Jiri Olsa + + +[ Upstream commit fa1195ccc0af2d121abe0fe266a1caee8c265eea ] + +We need to increase output offset in each iteration, not decrease it as +we currently do. + +I guess we were lucky to finish in most cases in first iteration, so the +bug never showed. However it shows a lot when working with big (~4GB) +size data. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 9c9f5a2f1944 ("perf tools: Introduce copyfile_offset() function") +Link: http://lkml.kernel.org/r/20180109133923.25406-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/util.c ++++ b/tools/perf/util/util.c +@@ -196,7 +196,7 @@ int copyfile_offset(int ifd, loff_t off_ + + size -= ret; + off_in += ret; +- off_out -= ret; ++ off_out += ret; + } + munmap(ptr, off_in + size); + diff --git a/queue-4.14/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch b/queue-4.14/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch new file mode 100644 index 00000000000..169252979bf --- /dev/null +++ b/queue-4.14/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hans de Goede +Date: Mon, 1 Jan 2018 13:23:57 +0100 +Subject: pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts + +From: Hans de Goede + + +[ Upstream commit 9291c65b01d1c67ebd56644cb19317ad665c44b3 ] + +On some systems, some PCB traces attached to GpioInts are routed in such +a way that they pick up enough interference to constantly (many times per +second) trigger. + +Enabling glitch-filtering fixes this. + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -46,6 +46,9 @@ + #define BYT_TRIG_POS BIT(25) + #define BYT_TRIG_LVL BIT(24) + #define BYT_DEBOUNCE_EN BIT(20) ++#define BYT_GLITCH_FILTER_EN BIT(19) ++#define BYT_GLITCH_F_SLOW_CLK BIT(17) ++#define BYT_GLITCH_F_FAST_CLK BIT(16) + #define BYT_PULL_STR_SHIFT 9 + #define BYT_PULL_STR_MASK (3 << BYT_PULL_STR_SHIFT) + #define BYT_PULL_STR_2K (0 << BYT_PULL_STR_SHIFT) +@@ -1579,6 +1582,9 @@ static int byt_irq_type(struct irq_data + */ + value &= ~(BYT_DIRECT_IRQ_EN | BYT_TRIG_POS | BYT_TRIG_NEG | + BYT_TRIG_LVL); ++ /* Enable glitch filtering */ ++ value |= BYT_GLITCH_FILTER_EN | BYT_GLITCH_F_SLOW_CLK | ++ BYT_GLITCH_F_FAST_CLK; + + writel(value, reg); + diff --git a/queue-4.14/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch b/queue-4.14/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch new file mode 100644 index 00000000000..9482e507c4f --- /dev/null +++ b/queue-4.14/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Wed, 6 Dec 2017 14:20:15 -0600 +Subject: PM / devfreq: Fix potential NULL pointer dereference in governor_store + +From: "Gustavo A. R. Silva" + + +[ Upstream commit 63f1e05f7fe9ca509c60154d6a833abf96eecdc9 ] + +df->governor is being dereferenced before it is null checked, +hence there is a potential null pointer dereference. + +Notice that df->governor is being null checked at line 1004: +if (df->governor) {, which implies it might be null. + +Fix this by null checking df->governor before dereferencing it. + +Addresses-Coverity-ID: 1401988 ("Dereference before null check") +Fixes: bcf23c79c4e4 ("PM / devfreq: Fix available_governor sysfs") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Chanwoo Choi +Signed-off-by: MyungJoo Ham +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/devfreq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -935,7 +935,8 @@ static ssize_t governor_store(struct dev + if (df->governor == governor) { + ret = 0; + goto out; +- } else if (df->governor->immutable || governor->immutable) { ++ } else if ((df->governor && df->governor->immutable) || ++ governor->immutable) { + ret = -EINVAL; + goto out; + } diff --git a/queue-4.14/power-supply-axp288_charger-properly-stop-work-on-probe-error-remove.patch b/queue-4.14/power-supply-axp288_charger-properly-stop-work-on-probe-error-remove.patch new file mode 100644 index 00000000000..76c4d59e68f --- /dev/null +++ b/queue-4.14/power-supply-axp288_charger-properly-stop-work-on-probe-error-remove.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Hans de Goede +Date: Tue, 26 Dec 2017 13:59:09 +0100 +Subject: power: supply: axp288_charger: Properly stop work on probe-error / remove + +From: Hans de Goede + + +[ Upstream commit 165c2357744e41391902a2a72dd170beb60c28d5 ] + +Properly stop any work we may have queued on probe-errors / remove. + +Rather then adding a remove driver callback for this, and goto style +error handling to probe, use a devm_action for this. + +The devm_action gets registered before we register any of the extcon +notifiers which may queue the work, devm does cleanup in reverse order, +so this ensures that the notifiers are removed before we cancel the work. + +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -785,6 +785,14 @@ static int charger_init_hw_regs(struct a + return 0; + } + ++static void axp288_charger_cancel_work(void *data) ++{ ++ struct axp288_chrg_info *info = data; ++ ++ cancel_work_sync(&info->otg.work); ++ cancel_work_sync(&info->cable.work); ++} ++ + static int axp288_charger_probe(struct platform_device *pdev) + { + int ret, i, pirq; +@@ -836,6 +844,11 @@ static int axp288_charger_probe(struct p + return ret; + } + ++ /* Cancel our work on cleanup, register this before the notifiers */ ++ ret = devm_add_action(dev, axp288_charger_cancel_work, info); ++ if (ret) ++ return ret; ++ + /* Register for extcon notification */ + INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker); + info->cable.nb[0].notifier_call = axp288_charger_handle_cable0_evt; diff --git a/queue-4.14/powernv-cpufreq-add-helper-to-extract-pstate-from-pmsr.patch b/queue-4.14/powernv-cpufreq-add-helper-to-extract-pstate-from-pmsr.patch new file mode 100644 index 00000000000..0527ed50365 --- /dev/null +++ b/queue-4.14/powernv-cpufreq-add-helper-to-extract-pstate-from-pmsr.patch @@ -0,0 +1,139 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Gautham R. Shenoy" +Date: Wed, 13 Dec 2017 12:27:39 +0530 +Subject: powernv-cpufreq: Add helper to extract pstate from PMSR + +From: "Gautham R. Shenoy" + + +[ Upstream commit ee1f4a7dafa997816ff3de96155c6f3edc21c1e6 ] + +On POWERNV platform, the fields for pstates in the Power Management +Status Register (PMSR) and the Power Management Control Register +(PMCR) are 8-bits wide. On POWER8 the pstates are negatively numbered +while on POWER9 they are positively numbered. + +The device-tree exports pstates as 32-bit entries. The device-tree +implementation sign-extends the 8-bit pstate values to obtain the +corresponding 32-bit entry. + +Eg: On POWER8, a pstate value 0x82 [-126] is represented in the +device-tree as 0xfffffff82 while on POWER9, the same value 0x82 [130] +is represented in the device-tree as 0x00000082. + +The powernv-cpufreq driver implementation represents pstates using the +integer type. In multiple places in the driver, the code interprets +the pstates extracted from the PMSR as a signed byte and assigns it to +a integer variable to get the sign-extention. + +On POWER9 platforms which have greater than 128 pstates, this results +in the driver performing incorrect sign-extention, and thereby +treating a legitimate pstate (say 130) as an invalid pstates (since it +is interpreted as -126). + +This patch fixes the issue by implementing a helper function to +extract Pstates from PMSR register, and correctly sign-extend it to be +consistent with the values provided by the device-tree. + +Signed-off-by: Gautham R. Shenoy +Acked-by: Balbir Singh +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/powernv-cpufreq.c | 37 +++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -41,11 +41,9 @@ + #define POWERNV_MAX_PSTATES 256 + #define PMSR_PSAFE_ENABLE (1UL << 30) + #define PMSR_SPR_EM_DISABLE (1UL << 31) +-#define PMSR_MAX(x) ((x >> 32) & 0xFF) ++#define MAX_PSTATE_SHIFT 32 + #define LPSTATE_SHIFT 48 + #define GPSTATE_SHIFT 56 +-#define GET_LPSTATE(x) (((x) >> LPSTATE_SHIFT) & 0xFF) +-#define GET_GPSTATE(x) (((x) >> GPSTATE_SHIFT) & 0xFF) + + #define MAX_RAMP_DOWN_TIME 5120 + /* +@@ -93,6 +91,7 @@ struct global_pstate_info { + }; + + static struct cpufreq_frequency_table powernv_freqs[POWERNV_MAX_PSTATES+1]; ++u32 pstate_sign_prefix; + static bool rebooting, throttled, occ_reset; + + static const char * const throttle_reason[] = { +@@ -147,6 +146,20 @@ static struct powernv_pstate_info { + bool wof_enabled; + } powernv_pstate_info; + ++static inline int extract_pstate(u64 pmsr_val, unsigned int shift) ++{ ++ int ret = ((pmsr_val >> shift) & 0xFF); ++ ++ if (!ret) ++ return ret; ++ ++ return (pstate_sign_prefix | ret); ++} ++ ++#define extract_local_pstate(x) extract_pstate(x, LPSTATE_SHIFT) ++#define extract_global_pstate(x) extract_pstate(x, GPSTATE_SHIFT) ++#define extract_max_pstate(x) extract_pstate(x, MAX_PSTATE_SHIFT) ++ + /* Use following macros for conversions between pstate_id and index */ + static inline int idx_to_pstate(unsigned int i) + { +@@ -277,6 +290,9 @@ next: + + powernv_pstate_info.nr_pstates = nr_pstates; + pr_debug("NR PStates %d\n", nr_pstates); ++ ++ pstate_sign_prefix = pstate_min & ~0xFF; ++ + for (i = 0; i < nr_pstates; i++) { + u32 id = be32_to_cpu(pstate_ids[i]); + u32 freq = be32_to_cpu(pstate_freqs[i]); +@@ -437,17 +453,10 @@ struct powernv_smp_call_data { + static void powernv_read_cpu_freq(void *arg) + { + unsigned long pmspr_val; +- s8 local_pstate_id; + struct powernv_smp_call_data *freq_data = arg; + + pmspr_val = get_pmspr(SPRN_PMSR); +- +- /* +- * The local pstate id corresponds bits 48..55 in the PMSR. +- * Note: Watch out for the sign! +- */ +- local_pstate_id = (pmspr_val >> 48) & 0xFF; +- freq_data->pstate_id = local_pstate_id; ++ freq_data->pstate_id = extract_local_pstate(pmspr_val); + freq_data->freq = pstate_id_to_freq(freq_data->pstate_id); + + pr_debug("cpu %d pmsr %016lX pstate_id %d frequency %d kHz\n", +@@ -521,7 +530,7 @@ static void powernv_cpufreq_throttle_che + chip = this_cpu_read(chip_info); + + /* Check for Pmax Capping */ +- pmsr_pmax = (s8)PMSR_MAX(pmsr); ++ pmsr_pmax = extract_max_pstate(pmsr); + pmsr_pmax_idx = pstate_to_idx(pmsr_pmax); + if (pmsr_pmax_idx != powernv_pstate_info.max) { + if (chip->throttled) +@@ -644,8 +653,8 @@ void gpstate_timer_handler(unsigned long + * value. Hence, read from PMCR to get correct data. + */ + val = get_pmspr(SPRN_PMCR); +- freq_data.gpstate_id = (s8)GET_GPSTATE(val); +- freq_data.pstate_id = (s8)GET_LPSTATE(val); ++ freq_data.gpstate_id = extract_global_pstate(val); ++ freq_data.pstate_id = extract_local_pstate(val); + if (freq_data.gpstate_id == freq_data.pstate_id) { + reset_gpstates(policy); + spin_unlock(&gpstates->gpstate_lock); diff --git a/queue-4.14/rdma-cma-fix-rdma_cm-path-querying-for-roce.patch b/queue-4.14/rdma-cma-fix-rdma_cm-path-querying-for-roce.patch new file mode 100644 index 00000000000..b1ca1de9489 --- /dev/null +++ b/queue-4.14/rdma-cma-fix-rdma_cm-path-querying-for-roce.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Parav Pandit +Date: Mon, 8 Jan 2018 17:04:48 +0200 +Subject: RDMA/cma: Fix rdma_cm path querying for RoCE + +From: Parav Pandit + + +[ Upstream commit 89838118a515847d3e5c904d2e022779a7173bec ] + +The 'if' logic in ucma_query_path was broken with OPA was introduced +and started to treat RoCE paths as as OPA paths. Invert the logic +of the 'if' so only OPA paths are treated as OPA paths. + +Otherwise the path records returned to rdma_cma users are mangled +when in RoCE mode. + +Fixes: 57520751445b ("IB/SA: Add OPA path record type") +Signed-off-by: Parav Pandit +Reviewed-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -914,13 +914,14 @@ static ssize_t ucma_query_path(struct uc + + resp->path_data[i].flags = IB_PATH_GMP | IB_PATH_PRIMARY | + IB_PATH_BIDIRECTIONAL; +- if (rec->rec_type == SA_PATH_REC_TYPE_IB) { +- ib_sa_pack_path(rec, &resp->path_data[i].path_rec); +- } else { ++ if (rec->rec_type == SA_PATH_REC_TYPE_OPA) { + struct sa_path_rec ib; + + sa_convert_path_opa_to_ib(&ib, rec); + ib_sa_pack_path(&ib, &resp->path_data[i].path_rec); ++ ++ } else { ++ ib_sa_pack_path(rec, &resp->path_data[i].path_rec); + } + } + diff --git a/queue-4.14/rdma-cma-mark-end-of-cma-id-messages.patch b/queue-4.14/rdma-cma-mark-end-of-cma-id-messages.patch new file mode 100644 index 00000000000..589ba314c05 --- /dev/null +++ b/queue-4.14/rdma-cma-mark-end-of-cma-id-messages.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Leon Romanovsky +Date: Mon, 1 Jan 2018 13:07:17 +0200 +Subject: RDMA/cma: Mark end of CMA ID messages + +From: Leon Romanovsky + + +[ Upstream commit e48e5e198fb6ec77c91047a694022f0fefa45292 ] + +The commit 1a1c116f3dcf ("RDMA/netlink: Simplify the put_msg and put_attr") +removes nlmsg_len calculation in ibnl_put_attr causing netlink messages and +caused to miss source and destination addresses. + +Fixes: 1a1c116f3dcf ("RDMA/netlink: Simplify the put_msg and put_attr") +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4453,6 +4453,7 @@ static int cma_get_id_stats(struct sk_bu + id_stats->qp_type = id->qp_type; + + i_id++; ++ nlmsg_end(skb, nlh); + } + + cb->args[1] = 0; diff --git a/queue-4.14/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch b/queue-4.14/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch new file mode 100644 index 00000000000..8b5f1064bc1 --- /dev/null +++ b/queue-4.14/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Sowmini Varadhan +Date: Fri, 22 Dec 2017 09:38:59 -0800 +Subject: rds; Reset rs->rs_bound_addr in rds_add_bound() failure path + +From: Sowmini Varadhan + + +[ Upstream commit 7ae0c649c47f1c5d2db8cee6dd75855970af1669 ] + +If the rds_sock is not added to the bind_hash_table, we must +reset rs_bound_addr so that rds_remove_bound will not trip on +this rds_sock. + +rds_add_bound() does a rds_sock_put() in this failure path, so +failing to reset rs_bound_addr will result in a socket refcount +bug, and will trigger a WARN_ON with the stack shown below when +the application subsequently tries to close the PF_RDS socket. + + WARNING: CPU: 20 PID: 19499 at net/rds/af_rds.c:496 \ + rds_sock_destruct+0x15/0x30 [rds] + : + __sk_destruct+0x21/0x190 + rds_remove_bound.part.13+0xb6/0x140 [rds] + rds_release+0x71/0x120 [rds] + sock_release+0x1a/0x70 + sock_close+0xe/0x20 + __fput+0xd5/0x210 + task_work_run+0x82/0xa0 + do_exit+0x2ce/0xb30 + ? syscall_trace_enter+0x1cc/0x2b0 + do_group_exit+0x39/0xa0 + SyS_exit_group+0x10/0x10 + do_syscall_64+0x61/0x1a0 + +Signed-off-by: Sowmini Varadhan +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/bind.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rds/bind.c ++++ b/net/rds/bind.c +@@ -114,6 +114,7 @@ static int rds_add_bound(struct rds_sock + rs, &addr, (int)ntohs(*port)); + break; + } else { ++ rs->rs_bound_addr = 0; + rds_sock_put(rs); + ret = -ENOMEM; + break; diff --git a/queue-4.14/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch b/queue-4.14/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch new file mode 100644 index 00000000000..9196ea0d286 --- /dev/null +++ b/queue-4.14/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Stanislaw Gruszka +Date: Tue, 19 Dec 2017 12:33:56 +0100 +Subject: rt2x00: do not pause queue unconditionally on error path + +From: Stanislaw Gruszka + + +[ Upstream commit 6dd80efd75ce7c2dbd9f117cf585ee2b33a42ee1 ] + +Pausing queue without checking threshold is racy with txdone path. +Moreover we do not need pause queue on any error, but only if queue +is full - in case when we send RTS frame ( other cases of almost full +queue are already handled in rt2x00queue_write_tx_frame() ). + +Patch fixes of theoretically possible problem of pausing empty +queue. + +Signed-off-by: Stanislaw Gruszka +Tested-by: Enrico Mioso +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -142,15 +142,25 @@ void rt2x00mac_tx(struct ieee80211_hw *h + if (!rt2x00dev->ops->hw->set_rts_threshold && + (tx_info->control.rates[0].flags & (IEEE80211_TX_RC_USE_RTS_CTS | + IEEE80211_TX_RC_USE_CTS_PROTECT))) { +- if (rt2x00queue_available(queue) <= 1) +- goto exit_fail; ++ if (rt2x00queue_available(queue) <= 1) { ++ /* ++ * Recheck for full queue under lock to avoid race ++ * conditions with rt2x00lib_txdone(). ++ */ ++ spin_lock(&queue->tx_lock); ++ if (rt2x00queue_threshold(queue)) ++ rt2x00queue_pause_queue(queue); ++ spin_unlock(&queue->tx_lock); ++ ++ goto exit_free_skb; ++ } + + if (rt2x00mac_tx_rts_cts(rt2x00dev, queue, skb)) +- goto exit_fail; ++ goto exit_free_skb; + } + + if (unlikely(rt2x00queue_write_tx_frame(queue, skb, control->sta, false))) +- goto exit_fail; ++ goto exit_free_skb; + + /* + * Pausing queue has to be serialized with rt2x00lib_txdone(). Note +@@ -164,10 +174,6 @@ void rt2x00mac_tx(struct ieee80211_hw *h + + return; + +- exit_fail: +- spin_lock(&queue->tx_lock); +- rt2x00queue_pause_queue(queue); +- spin_unlock(&queue->tx_lock); + exit_free_skb: + ieee80211_free_txskb(hw, skb); + } diff --git a/queue-4.14/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch b/queue-4.14/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch new file mode 100644 index 00000000000..47b41e85eff --- /dev/null +++ b/queue-4.14/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch @@ -0,0 +1,104 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Rafael David Tinoco +Date: Thu, 7 Dec 2017 19:59:13 -0200 +Subject: scsi: libiscsi: Allow sd_shutdown on bad transport + +From: Rafael David Tinoco + + +[ Upstream commit d754941225a7dbc61f6dd2173fa9498049f9a7ee ] + +If, for any reason, userland shuts down iscsi transport interfaces +before proper logouts - like when logging in to LUNs manually, without +logging out on server shutdown, or when automated scripts can't +umount/logout from logged LUNs - kernel will hang forever on its +sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all +still existent paths. + +PID: 1 TASK: ffff8801a69b8000 CPU: 1 COMMAND: "systemd-shutdow" + #0 [ffff8801a69c3a30] __schedule at ffffffff8183e9ee + #1 [ffff8801a69c3a80] schedule at ffffffff8183f0d5 + #2 [ffff8801a69c3a98] schedule_timeout at ffffffff81842199 + #3 [ffff8801a69c3b40] io_schedule_timeout at ffffffff8183e604 + #4 [ffff8801a69c3b70] wait_for_completion_io_timeout at ffffffff8183fc6c + #5 [ffff8801a69c3bd0] blk_execute_rq at ffffffff813cfe10 + #6 [ffff8801a69c3c88] scsi_execute at ffffffff815c3fc7 + #7 [ffff8801a69c3cc8] scsi_execute_req_flags at ffffffff815c60fe + #8 [ffff8801a69c3d30] sd_sync_cache at ffffffff815d37d7 + #9 [ffff8801a69c3da8] sd_shutdown at ffffffff815d3c3c + +This happens because iscsi_eh_cmd_timed_out(), the transport layer +timeout helper, would tell the queue timeout function (scsi_times_out) +to reset the request timer over and over, until the session state is +back to logged in state. Unfortunately, during server shutdown, this +might never happen again. + +Other option would be "not to handle" the issue in the transport +layer. That would trigger the error handler logic, which would also need +the session state to be logged in again. + +Best option, for such case, is to tell upper layers that the command was +handled during the transport layer error handler helper, marking it as +DID_NO_CONNECT, which will allow completion and inform about the +problem. + +After the session was marked as ISCSI_STATE_FAILED, due to the first +timeout during the server shutdown phase, all subsequent cmds will fail +to be queued, allowing upper logic to fail faster. + +Signed-off-by: Rafael David Tinoco +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1696,6 +1696,15 @@ int iscsi_queuecommand(struct Scsi_Host + */ + switch (session->state) { + case ISCSI_STATE_FAILED: ++ /* ++ * cmds should fail during shutdown, if the session ++ * state is bad, allowing completion to happen ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ reason = FAILURE_SESSION_FAILED; ++ sc->result = DID_NO_CONNECT << 16; ++ break; ++ } + case ISCSI_STATE_IN_RECOVERY: + reason = FAILURE_SESSION_IN_RECOVERY; + sc->result = DID_IMM_RETRY << 16; +@@ -1981,6 +1990,19 @@ enum blk_eh_timer_return iscsi_eh_cmd_ti + + if (session->state != ISCSI_STATE_LOGGED_IN) { + /* ++ * During shutdown, if session is prematurely disconnected, ++ * recovery won't happen and there will be hung cmds. Not ++ * handling cmds would trigger EH, also bad in this case. ++ * Instead, handle cmd, allow completion to happen and let ++ * upper layer to deal with the result. ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ sc->result = DID_NO_CONNECT << 16; ++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n"); ++ rc = BLK_EH_HANDLED; ++ goto done; ++ } ++ /* + * We are probably in the middle of iscsi recovery so let + * that complete and handle the error. + */ +@@ -2084,7 +2106,7 @@ done: + task->last_timeout = jiffies; + spin_unlock(&session->frwd_lock); + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ? +- "timer reset" : "nh"); ++ "timer reset" : "shutdown or nh"); + return rc; + } + EXPORT_SYMBOL_GPL(iscsi_eh_cmd_timed_out); diff --git a/queue-4.14/scsi-libsas-fix-error-when-getting-phy-events.patch b/queue-4.14/scsi-libsas-fix-error-when-getting-phy-events.patch new file mode 100644 index 00000000000..a91cbf6030c --- /dev/null +++ b/queue-4.14/scsi-libsas-fix-error-when-getting-phy-events.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:32 +0800 +Subject: scsi: libsas: fix error when getting phy events + +From: Jason Yan + + +[ Upstream commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 ] + +The intend purpose here was to goto out if smp_execute_task() returned +error. Obviously something got screwed up. We will never get these link +error statistics below: + +~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count +0 + +Obviously we should goto error handler if smp_execute_task() returns +non-zero. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -686,7 +686,7 @@ int sas_smp_get_phy_events(struct sas_ph + res = smp_execute_task(dev, req, RPEL_REQ_SIZE, + resp, RPEL_RESP_SIZE); + +- if (!res) ++ if (res) + goto out; + + phy->invalid_dword_count = scsi_to_u32(&resp[12]); diff --git a/queue-4.14/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch b/queue-4.14/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch new file mode 100644 index 00000000000..40699722b11 --- /dev/null +++ b/queue-4.14/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:31 +0800 +Subject: scsi: libsas: fix memory leak in sas_smp_get_phy_events() + +From: Jason Yan + + +[ Upstream commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 ] + +We've got a memory leak with the following producer: + +while true; +do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null; +done + +The buffer req is allocated and not freed after we return. Fix it. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -695,6 +695,7 @@ int sas_smp_get_phy_events(struct sas_ph + phy->phy_reset_problem_count = scsi_to_u32(&resp[24]); + + out: ++ kfree(req); + kfree(resp); + return res; + diff --git a/queue-4.14/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch b/queue-4.14/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch new file mode 100644 index 00000000000..ff5db8d2768 --- /dev/null +++ b/queue-4.14/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: chenxiang +Date: Thu, 4 Jan 2018 21:04:33 +0800 +Subject: scsi: libsas: initialize sas_phy status according to response of DISCOVER + +From: chenxiang + + +[ Upstream commit affc67788fe5dfffad5cda3d461db5cf2b2ff2b0 ] + +The status of SAS PHY is in sas_phy->enabled. There is an issue that the +status of a remote SAS PHY may be initialized incorrectly: if disable +remote SAS PHY through sysfs interface (such as echo 0 > +/sys/class/sas_phy/phy-1:0:0/enable), then reboot the system, and we +will find the status of remote SAS PHY which is disabled before is +1 (cat /sys/class/sas_phy/phy-1:0:0/enable). But actually the status of +remote SAS PHY is disabled and the device attached is not found. + +In SAS protocol, NEGOTIATED LOGICAL LINK RATE field of DISCOVER response +is 0x1 when remote SAS PHY is disabled. So initialize sas_phy->enabled +according to the value of NEGOTIATED LOGICAL LINK RATE field. + +Signed-off-by: chenxiang +Reviewed-by: John Garry +Signed-off-by: Jason Yan +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -293,6 +293,7 @@ static void sas_set_ex_phy(struct domain + phy->phy->minimum_linkrate = dr->pmin_linkrate; + phy->phy->maximum_linkrate = dr->pmax_linkrate; + phy->phy->negotiated_linkrate = phy->linkrate; ++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED); + + skip: + if (new_phy) diff --git a/queue-4.14/scsi-megaraid_sas-error-handling-for-invalid-ldcount-provided-by-firmware-in-raid-map.patch b/queue-4.14/scsi-megaraid_sas-error-handling-for-invalid-ldcount-provided-by-firmware-in-raid-map.patch new file mode 100644 index 00000000000..b72395d939d --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-error-handling-for-invalid-ldcount-provided-by-firmware-in-raid-map.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Shivasharan S +Date: Fri, 5 Jan 2018 05:27:40 -0800 +Subject: scsi: megaraid_sas: Error handling for invalid ldcount provided by firmware in RAID map + +From: Shivasharan S + + +[ Upstream commit 7ada701d0d5e5c6d357e157a72b841db3e8d03f4 ] + +Currently driver does not validate ldcount provided by firmware. If the +value is invalid, fail RAID map validation accordingly. This issue is +rare to hit in field and is fixed as part of code review. + +Signed-off-by: Sumit Saxena +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_fp.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_fp.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fp.c +@@ -168,7 +168,7 @@ static struct MR_LD_SPAN *MR_LdSpanPtrGe + /* + * This function will Populate Driver Map using firmware raid map + */ +-void MR_PopulateDrvRaidMap(struct megasas_instance *instance) ++static int MR_PopulateDrvRaidMap(struct megasas_instance *instance) + { + struct fusion_context *fusion = instance->ctrl_context; + struct MR_FW_RAID_MAP_ALL *fw_map_old = NULL; +@@ -259,7 +259,7 @@ void MR_PopulateDrvRaidMap(struct megasa + ld_count = (u16)le16_to_cpu(fw_map_ext->ldCount); + if (ld_count > MAX_LOGICAL_DRIVES_EXT) { + dev_dbg(&instance->pdev->dev, "megaraid_sas: LD count exposed in RAID map in not valid\n"); +- return; ++ return 1; + } + + pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count); +@@ -285,6 +285,12 @@ void MR_PopulateDrvRaidMap(struct megasa + fusion->ld_map[(instance->map_id & 1)]; + pFwRaidMap = &fw_map_old->raidMap; + ld_count = (u16)le32_to_cpu(pFwRaidMap->ldCount); ++ if (ld_count > MAX_LOGICAL_DRIVES) { ++ dev_dbg(&instance->pdev->dev, ++ "LD count exposed in RAID map in not valid\n"); ++ return 1; ++ } ++ + pDrvRaidMap->totalSize = pFwRaidMap->totalSize; + pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count); + pDrvRaidMap->fpPdIoTimeoutSec = pFwRaidMap->fpPdIoTimeoutSec; +@@ -300,6 +306,8 @@ void MR_PopulateDrvRaidMap(struct megasa + sizeof(struct MR_DEV_HANDLE_INFO) * + MAX_RAIDMAP_PHYSICAL_DEVICES); + } ++ ++ return 0; + } + + /* +@@ -317,8 +325,8 @@ u8 MR_ValidateMapInfo(struct megasas_ins + u16 ld; + u32 expected_size; + +- +- MR_PopulateDrvRaidMap(instance); ++ if (MR_PopulateDrvRaidMap(instance)) ++ return 0; + + fusion = instance->ctrl_context; + drv_map = fusion->ld_drv_map[(instance->map_id & 1)]; diff --git a/queue-4.14/scsi-megaraid_sas-unload-flag-should-be-set-after-scsi_remove_host-is-called.patch b/queue-4.14/scsi-megaraid_sas-unload-flag-should-be-set-after-scsi_remove_host-is-called.patch new file mode 100644 index 00000000000..3efc260d8ab --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-unload-flag-should-be-set-after-scsi_remove_host-is-called.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Shivasharan S +Date: Fri, 5 Jan 2018 05:27:41 -0800 +Subject: scsi: megaraid_sas: unload flag should be set after scsi_remove_host is called + +From: Shivasharan S + + +[ Upstream commit f3f7920b3910171b2999c7dc2335eb9f583e44f2 ] + +Issue - Driver returns DID_NO_CONNECT when unload is in progress, +indicated using instance->unload flag. In case of dynamic unload of +driver, this flag is set before calling scsi_remove_host(). While doing +manual driver unload, user will see lots of prints for Sync Cache +command with DID_NO_CONNECT status. + +Fix - Set the instance->unload flag after scsi_remove_host(). Allow +device removal process to be completed and do not block any command +before that. SCSI commands (like SYNC_CACHE) are received (as part of +scsi_remove_host) by driver during unload will be submitted further down +to the drives. + +Signed-off-by: Sumit Saxena +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -6605,7 +6605,6 @@ static void megasas_detach_one(struct pc + u32 pd_seq_map_sz; + + instance = pci_get_drvdata(pdev); +- instance->unload = 1; + host = instance->host; + fusion = instance->ctrl_context; + +@@ -6616,6 +6615,7 @@ static void megasas_detach_one(struct pc + if (instance->fw_crash_state != UNAVAILABLE) + megasas_free_host_crash_buffer(instance); + scsi_remove_host(instance->host); ++ instance->unload = 1; + + if (megasas_wait_for_adapter_operational(instance)) + goto skip_firing_dcmds; diff --git a/queue-4.14/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch b/queue-4.14/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch new file mode 100644 index 00000000000..acf36c6f77b --- /dev/null +++ b/queue-4.14/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch @@ -0,0 +1,99 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Chaitra P B +Date: Wed, 27 Dec 2017 23:09:11 -0800 +Subject: scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag. + +From: Chaitra P B + + +[ Upstream commit f49d4aed1315a7b766d855f1367142e682b0cc87 ] + +1. In IO path, setting of "ATA command pending" flag early before device + removal, invalid device handle etc., checks causes any new commands + to be always returned with SAM_STAT_BUSY and when the driver removes + the drive the SML issues SYNC Cache command and that command is + always returned with SAM_STAT_BUSY and thus making SYNC Cache command + to requeued. + +2. If the driver gets an ATA PT command for a SATA drive then the driver + set "ATA command pending" flag in device specific data structure not + to allow any further commands until the ATA PT command is completed. + However, after setting the flag if the driver decides to return the + command back to upper layers without actually issuing to the firmware + (i.e., returns from qcmd failure return paths) then the corresponding + flag is not cleared and this prevents the driver from sending any new + commands to the drive. + +This patch fixes above two issues by setting of "ATA command pending" +flag after checking for whether device deleted, invalid device handle, +device busy with task management. And by setting "ATA command pending" +flag to false in all of the qcmd failure return paths after setting the +flag. + +Signed-off-by: Chaitra P B +Signed-off-by: Suganath Prabu S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -4106,19 +4106,6 @@ scsih_qcmd(struct Scsi_Host *shost, stru + return 0; + } + +- /* +- * Bug work around for firmware SATL handling. The loop +- * is based on atomic operations and ensures consistency +- * since we're lockless at this point +- */ +- do { +- if (test_bit(0, &sas_device_priv_data->ata_command_pending)) { +- scmd->result = SAM_STAT_BUSY; +- scmd->scsi_done(scmd); +- return 0; +- } +- } while (_scsih_set_satl_pending(scmd, true)); +- + sas_target_priv_data = sas_device_priv_data->sas_target; + + /* invalid device handle */ +@@ -4144,6 +4131,19 @@ scsih_qcmd(struct Scsi_Host *shost, stru + sas_device_priv_data->block) + return SCSI_MLQUEUE_DEVICE_BUSY; + ++ /* ++ * Bug work around for firmware SATL handling. The loop ++ * is based on atomic operations and ensures consistency ++ * since we're lockless at this point ++ */ ++ do { ++ if (test_bit(0, &sas_device_priv_data->ata_command_pending)) { ++ scmd->result = SAM_STAT_BUSY; ++ scmd->scsi_done(scmd); ++ return 0; ++ } ++ } while (_scsih_set_satl_pending(scmd, true)); ++ + if (scmd->sc_data_direction == DMA_FROM_DEVICE) + mpi_control = MPI2_SCSIIO_CONTROL_READ; + else if (scmd->sc_data_direction == DMA_TO_DEVICE) +@@ -4170,6 +4170,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru + if (!smid) { + pr_err(MPT3SAS_FMT "%s: failed obtaining a smid\n", + ioc->name, __func__); ++ _scsih_set_satl_pending(scmd, false); + goto out; + } + mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); +@@ -4200,6 +4201,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru + if (mpi_request->DataLength) { + if (ioc->build_sg_scmd(ioc, scmd, smid)) { + mpt3sas_base_free_smid(ioc, smid); ++ _scsih_set_satl_pending(scmd, false); + goto out; + } + } else diff --git a/queue-4.14/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch b/queue-4.14/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch new file mode 100644 index 00000000000..6faf22884ed --- /dev/null +++ b/queue-4.14/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Andy Shevchenko +Date: Thu, 11 Jan 2018 15:51:58 +0200 +Subject: sdhci: Advertise 2.0v supply on SDIO host controller + +From: Andy Shevchenko + + +[ Upstream commit 2a609abe71ca59e4bd7139e161eaca2144ae6f2e ] + +On Intel Edison the Broadcom Wi-Fi card, which is connected to SDIO, +requires 2.0v, while the host, according to Intel Merrifield TRM, +supports 1.8v supply only. + +The card announces itself as + + mmc2: new ultra high speed DDR50 SDIO card at address 0001 + +Introduce a custom OCR mask for SDIO host controller on Intel Merrifield +and add a special case to sdhci_set_power_noreg() to override 2.0v supply +by enforcing 1.8v power choice. + +Signed-off-by: Andy Shevchenko +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 2 ++ + drivers/mmc/host/sdhci.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -806,6 +806,8 @@ static int intel_mrfld_mmc_probe_slot(st + slot->host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V; + break; + case INTEL_MRFLD_SDIO: ++ /* Advertise 2.0v for compatibility with the SDIO card's OCR */ ++ slot->host->ocr_mask = MMC_VDD_20_21 | MMC_VDD_165_195; + slot->host->mmc->caps |= MMC_CAP_NONREMOVABLE | + MMC_CAP_POWER_OFF_CARD; + break; +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1470,6 +1470,13 @@ void sdhci_set_power_noreg(struct sdhci_ + if (mode != MMC_POWER_OFF) { + switch (1 << vdd) { + case MMC_VDD_165_195: ++ /* ++ * Without a regulator, SDHCI does not support 2.0v ++ * so we only get here if the driver deliberately ++ * added the 2.0v range to ocr_avail. Map it to 1.8v ++ * for the purpose of turning on the power. ++ */ ++ case MMC_VDD_20_21: + pwr = SDHCI_POWER_180; + break; + case MMC_VDD_29_30: diff --git a/queue-4.14/selftests-net-fix-bugs-in-address-and-port-initialization.patch b/queue-4.14/selftests-net-fix-bugs-in-address-and-port-initialization.patch new file mode 100644 index 00000000000..852ac7e2d32 --- /dev/null +++ b/queue-4.14/selftests-net-fix-bugs-in-address-and-port-initialization.patch @@ -0,0 +1,112 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Sowmini Varadhan +Date: Mon, 25 Dec 2017 14:43:04 -0800 +Subject: selftests/net: fix bugs in address and port initialization + +From: Sowmini Varadhan + + +[ Upstream commit d36f45e5b46723cf2d4147173e18c52d4143176d ] + +Address/port initialization should work correctly regardless +of the order in which command line arguments are supplied, +E.g, cfg_port should be used to connect to the remote host +even if it is processed after -D, src/dst address initialization +should not require that [-4|-6] be specified before +the -S or -D args, receiver should be able to bind to *. + +Achieve this by making sure that the address/port structures +are initialized after all command line options are parsed. + +Store cfg_port in host-byte order, and use htons() +to set up the sin_port/sin6_port before bind/connect, +so that the network system calls get the correct values +in network-byte order. + +Signed-off-by: Sowmini Varadhan +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/msg_zerocopy.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/net/msg_zerocopy.c ++++ b/tools/testing/selftests/net/msg_zerocopy.c +@@ -259,22 +259,28 @@ static int setup_ip6h(struct ipv6hdr *ip + return sizeof(*ip6h); + } + +-static void setup_sockaddr(int domain, const char *str_addr, void *sockaddr) ++ ++static void setup_sockaddr(int domain, const char *str_addr, ++ struct sockaddr_storage *sockaddr) + { + struct sockaddr_in6 *addr6 = (void *) sockaddr; + struct sockaddr_in *addr4 = (void *) sockaddr; + + switch (domain) { + case PF_INET: ++ memset(addr4, 0, sizeof(*addr4)); + addr4->sin_family = AF_INET; + addr4->sin_port = htons(cfg_port); +- if (inet_pton(AF_INET, str_addr, &(addr4->sin_addr)) != 1) ++ if (str_addr && ++ inet_pton(AF_INET, str_addr, &(addr4->sin_addr)) != 1) + error(1, 0, "ipv4 parse error: %s", str_addr); + break; + case PF_INET6: ++ memset(addr6, 0, sizeof(*addr6)); + addr6->sin6_family = AF_INET6; + addr6->sin6_port = htons(cfg_port); +- if (inet_pton(AF_INET6, str_addr, &(addr6->sin6_addr)) != 1) ++ if (str_addr && ++ inet_pton(AF_INET6, str_addr, &(addr6->sin6_addr)) != 1) + error(1, 0, "ipv6 parse error: %s", str_addr); + break; + default: +@@ -603,6 +609,7 @@ static void parse_opts(int argc, char ** + sizeof(struct tcphdr) - + 40 /* max tcp options */; + int c; ++ char *daddr = NULL, *saddr = NULL; + + cfg_payload_len = max_payload_len; + +@@ -627,7 +634,7 @@ static void parse_opts(int argc, char ** + cfg_cpu = strtol(optarg, NULL, 0); + break; + case 'D': +- setup_sockaddr(cfg_family, optarg, &cfg_dst_addr); ++ daddr = optarg; + break; + case 'i': + cfg_ifindex = if_nametoindex(optarg); +@@ -638,7 +645,7 @@ static void parse_opts(int argc, char ** + cfg_cork_mixed = true; + break; + case 'p': +- cfg_port = htons(strtoul(optarg, NULL, 0)); ++ cfg_port = strtoul(optarg, NULL, 0); + break; + case 'r': + cfg_rx = true; +@@ -647,7 +654,7 @@ static void parse_opts(int argc, char ** + cfg_payload_len = strtoul(optarg, NULL, 0); + break; + case 'S': +- setup_sockaddr(cfg_family, optarg, &cfg_src_addr); ++ saddr = optarg; + break; + case 't': + cfg_runtime_ms = 200 + strtoul(optarg, NULL, 10) * 1000; +@@ -660,6 +667,8 @@ static void parse_opts(int argc, char ** + break; + } + } ++ setup_sockaddr(cfg_family, daddr, &cfg_dst_addr); ++ setup_sockaddr(cfg_family, saddr, &cfg_src_addr); + + if (cfg_payload_len > max_payload_len) + error(1, 0, "-s: payload exceeds max (%d)", max_payload_len); diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..971d2611147 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,86 @@ +i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch +i40iw-correct-q1-xf-object-count-equation.patch +i40iw-validate-correct-ird-ord-connection-parameters.patch +clk-meson-mpll-use-64-bit-maths-in-params_from_rate.patch +arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch +bluetooth-add-a-new-04ca-3015-qca_rome-device.patch +ipv6-reinject-ipv6-packets-if-ipsec-policy-matches-after-snat.patch +thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch +perf-probe-find-versioned-symbols-from-map.patch +perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch +perf-evsel-enable-ignore_missing_thread-for-pid-option.patch +net-hns3-free-the-ring_data-structrue-when-change-tqps.patch +net-hns3-fix-for-getting-auto-negotiation-state-in-hclge_get_autoneg.patch +l2tp-fix-missing-print-session-offset-info.patch +rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch +acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch +net-mlx4_en-change-default-qos-settings.patch +vfs-close-race-between-getcwd-and-d_move.patch +watchdog-dw_wdt-add-stop-watchdog-operation.patch +clk-divider-fix-incorrect-usage-of-container_of.patch +clk-sunxi-ng-fix-the-a64-h5-clock-description-of-de2-ccu.patch +pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch +selftests-net-fix-bugs-in-address-and-port-initialization.patch +rdma-cma-mark-end-of-cma-id-messages.patch +hwmon-ina2xx-make-calibration-register-value-fixed.patch +clk-sunxi-ng-a83t-add-m-divider-to-tcon1-clock.patch +media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch +asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch +asoc-intel-cht_bsw_rt5645-analog-mic-support.patch +spi-sh-msiof-fix-timeout-failures-for-tx-only-dma-transfers.patch +scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch +scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch +irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch +acpi-ec-fix-debugfs_create_-usage.patch +mac80211-fix-setting-tx-power-on-monitor-interfaces.patch +vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch +gpio-label-descriptors-using-the-device-name.patch +powernv-cpufreq-add-helper-to-extract-pstate-from-pmsr.patch +ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch +blk-mq-avoid-to-map-cpu-into-stale-hw-queue.patch +blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch +backlight-tdo24m-fix-the-spi-cs-between-transfers.patch +pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch +nvme_fcloop-disassocate-local-port-structs.patch +nvme_fcloop-fix-abort-race-condition.patch +tpm-return-a-tpm_rc_command_code-response-if-command-is-not-implemented.patch +perf-report-fix-a-no-annotate-browser-displayed-issue.patch +staging-lustre-disable-preempt-while-sampling-processor-id.patch +asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch +power-supply-axp288_charger-properly-stop-work-on-probe-error-remove.patch +rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch +wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch +net-mlx5-fix-race-for-multiple-roce-enable.patch +net-hns3-fix-an-error-of-total-drop-packet-statistics.patch +net-hns3-fix-a-loop-index-error-of-tqp-statistics-query.patch +net-hns3-fix-an-error-macro-definition-of-hns3_tqp_stat.patch +net-hns3-fix-for-changing-mtu.patch +bcache-ret-ioerr-when-read-meets-metadata-error.patch +bcache-stop-writeback-thread-after-detaching.patch +bcache-segregate-flash-only-volume-write-streams.patch +scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch +scsi-libsas-fix-error-when-getting-phy-events.patch +scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch +blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch +tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch +block-bfq-put-async-queues-for-root-bfq-groups-too.patch +edac-mv64x60-fix-an-error-handling-path.patch +uio_hv_generic-check-that-host-supports-monitor-page.patch +i40evf-don-t-rely-on-netif_running-outside-rtnl_lock.patch +cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch +scsi-megaraid_sas-error-handling-for-invalid-ldcount-provided-by-firmware-in-raid-map.patch +scsi-megaraid_sas-unload-flag-should-be-set-after-scsi_remove_host-is-called.patch +rdma-cma-fix-rdma_cm-path-querying-for-roce.patch +gpio-thunderx-fix-error-return-code-in-thunderx_gpio_probe.patch +x86-gart-exclude-gart-aperture-from-vmcore.patch +sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch +ibmvnic-don-t-handle-rx-interrupts-when-not-up.patch +input-goodix-disable-irqs-while-suspended.patch +mtd-mtd_oobtest-handle-bitflips-during-reads.patch +crypto-aes-generic-build-with-os-on-gcc-7.patch +perf-tools-fix-copyfile_offset-update-of-output-offset.patch +signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch +signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch +signal-arm-document-conflicts-with-si_user-and-sigfpe.patch +tcmu-release-blocks-for-partially-setup-cmds.patch +thermal-int3400_thermal-fix-error-handling-in-int3400_thermal_probe.patch diff --git a/queue-4.14/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch b/queue-4.14/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch new file mode 100644 index 00000000000..68e80005f75 --- /dev/null +++ b/queue-4.14/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Eric W. Biederman" +Date: Thu, 17 Aug 2017 17:07:46 -0500 +Subject: signal/arm: Document conflicts with SI_USER and SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit 7771c66457004977b616bab785209f49d164f527 ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME, siginfo_layout will now return SIL_FAULT and the +appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen + +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Ref: 451436b7bbb2 ("[ARM] Add support code for ARM hardware vector floating point") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/uapi/asm/siginfo.h | 13 +++++++++++++ + arch/arm/vfp/vfpmodule.c | 2 +- + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 arch/arm/include/uapi/asm/siginfo.h + +--- /dev/null ++++ b/arch/arm/include/uapi/asm/siginfo.h +@@ -0,0 +1,13 @@ ++#ifndef __ASM_SIGINFO_H ++#define __ASM_SIGINFO_H ++ ++#include ++ ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++#endif +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -257,7 +257,7 @@ static void vfp_raise_exceptions(u32 exc + + if (exceptions == VFP_EXCEPTION_ERROR) { + vfp_panic("unhandled bounce", inst); +- vfp_raise_sigfpe(0, regs); ++ vfp_raise_sigfpe(FPE_FIXME, regs); + return; + } + diff --git a/queue-4.14/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch b/queue-4.14/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch new file mode 100644 index 00000000000..567147be92d --- /dev/null +++ b/queue-4.14/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Eric W. Biederman" +Date: Tue, 1 Aug 2017 10:37:40 -0500 +Subject: signal/metag: Document a conflict with SI_USER with SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit b80328be53c215346b153769267b38f531d89b4f ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +hat uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME siginfo_layout will now return SIL_FAULT and the +appropriate fields will reliably be copied. + +Possible ABI fixes includee: + - Send the signal without siginfo + - Don't generate a signal + - Possibly assign and use an appropriate si_code + - Don't handle cases which can't happen + +Cc: James Hogan +Cc: linux-metag@vger.kernel.org +Ref: ac919f0883e5 ("metag: Traps") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/metag/include/uapi/asm/siginfo.h | 7 +++++++ + arch/metag/kernel/traps.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/metag/include/uapi/asm/siginfo.h ++++ b/arch/metag/include/uapi/asm/siginfo.h +@@ -6,4 +6,11 @@ + + #include + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ + #endif +--- a/arch/metag/kernel/traps.c ++++ b/arch/metag/kernel/traps.c +@@ -735,7 +735,7 @@ TBIRES fpe_handler(TBIRES State, int Sig + else if (error_state & TXSTAT_FPE_INEXACT_BIT) + info.si_code = FPE_FLTRES; + else +- info.si_code = 0; ++ info.si_code = FPE_FIXME; + info.si_errno = 0; + info.si_addr = (__force void __user *)regs->ctx.CurrPC; + force_sig_info(SIGFPE, &info, current); diff --git a/queue-4.14/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch b/queue-4.14/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch new file mode 100644 index 00000000000..71ade7278ee --- /dev/null +++ b/queue-4.14/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch @@ -0,0 +1,114 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Eric W. Biederman" +Date: Sat, 19 Aug 2017 15:26:01 -0500 +Subject: signal/powerpc: Document conflicts with SI_USER and SIGFPE and SIGTRAP + +From: "Eric W. Biederman" + + +[ Upstream commit cf4674c46c66e45f238f8f7e81af2a444b970c0a ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME and TRAP_FIXME, siginfo_layout() will now return +SIL_FAULT and the appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen +Cc: Paul Mackerras +Cc: Kumar Gala +Cc: Michael Ellerman +Cc: Benjamin Herrenschmidt +Cc: linuxppc-dev@lists.ozlabs.org +Ref: 9bad068c24d7 ("[PATCH] ppc32: support for e500 and 85xx") +Ref: 0ed70f6105ef ("PPC32: Provide proper siginfo information on various exceptions.") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/uapi/asm/siginfo.h | 15 +++++++++++++++ + arch/powerpc/kernel/traps.c | 10 +++++----- + 2 files changed, 20 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/include/uapi/asm/siginfo.h ++++ b/arch/powerpc/include/uapi/asm/siginfo.h +@@ -18,4 +18,19 @@ + #undef NSIGTRAP + #define NSIGTRAP 4 + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++/* ++ * SIGTRAP si_codes ++ */ ++#ifdef __KERNEL__ ++#define TRAP_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++ + #endif /* _ASM_POWERPC_SIGINFO_H */ +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -720,7 +720,7 @@ void unknown_exception(struct pt_regs *r + printk("Bad trap at PC: %lx, SR: %lx, vector=%lx\n", + regs->nip, regs->msr, regs->trap); + +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + + exception_exit(prev_state); + } +@@ -742,7 +742,7 @@ bail: + + void RunModeException(struct pt_regs *regs) + { +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + } + + void single_step_exception(struct pt_regs *regs) +@@ -781,7 +781,7 @@ static void emulate_single_step(struct p + + static inline int __parse_fpscr(unsigned long fpscr) + { +- int ret = 0; ++ int ret = FPE_FIXME; + + /* Invalid operation */ + if ((fpscr & FPSCR_VE) && (fpscr & FPSCR_VX)) +@@ -1769,7 +1769,7 @@ void SPEFloatingPointException(struct pt + extern int do_spe_mathemu(struct pt_regs *regs); + unsigned long spefscr; + int fpexc_mode; +- int code = 0; ++ int code = FPE_FIXME; + int err; + + flush_spe_to_thread(current); +@@ -1838,7 +1838,7 @@ void SPEFloatingPointRoundException(stru + printk(KERN_ERR "unrecognized spe instruction " + "in %s at %lx\n", current->comm, regs->nip); + } else { +- _exception(SIGFPE, regs, 0, regs->nip); ++ _exception(SIGFPE, regs, FPE_FIXME, regs->nip); + return; + } + } diff --git a/queue-4.14/spi-sh-msiof-fix-timeout-failures-for-tx-only-dma-transfers.patch b/queue-4.14/spi-sh-msiof-fix-timeout-failures-for-tx-only-dma-transfers.patch new file mode 100644 index 00000000000..01a8996082d --- /dev/null +++ b/queue-4.14/spi-sh-msiof-fix-timeout-failures-for-tx-only-dma-transfers.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Geert Uytterhoeven +Date: Wed, 3 Jan 2018 18:11:14 +0100 +Subject: spi: sh-msiof: Fix timeout failures for TX-only DMA transfers + +From: Geert Uytterhoeven + + +[ Upstream commit 89434c3c35081439627baa2225622d5bd12242fe ] + +When using RX (with or without TX), the DMA interrupt triggers +completion when the RX FIFO has been emptied, i.e. after the full +transfer has finished. + +However, when using TX without RX, the DMA interrupt triggers completion +as soon as the DMA engine has filled the TX FIFO, i.e. before the full +transfer has finished. Then sh_msiof_modify_ctr_wait() will spin until +the transfer has really finished and the TFSE bit is cleared, for at +most 1 ms. For slow speeds and/or large transfers, this may cause +timeouts and transfer failures: + + spi_sh_msiof e6e10000.spi: failed to shut down hardware + 74x164 spi2.0: SPI transfer failed: -110 + spi_master spi2: failed to transfer one message from queue + 74x164 spi2.0: Failed writing: -110 + +Fix this by waiting explicitly until the TX FIFO has been emptied. + +Based on a patch in the BSP by Hiromitsu Yamasaki. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sh-msiof.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -797,11 +797,21 @@ static int sh_msiof_dma_once(struct sh_m + goto stop_dma; + } + +- /* wait for tx fifo to be emptied / rx fifo to be filled */ ++ /* wait for tx/rx DMA completion */ + ret = sh_msiof_wait_for_completion(p); + if (ret) + goto stop_reset; + ++ if (!rx) { ++ reinit_completion(&p->done); ++ sh_msiof_write(p, IER, IER_TEOFE); ++ ++ /* wait for tx fifo to be emptied */ ++ ret = sh_msiof_wait_for_completion(p); ++ if (ret) ++ goto stop_reset; ++ } ++ + /* clear status bits */ + sh_msiof_reset_str(p); + diff --git a/queue-4.14/staging-lustre-disable-preempt-while-sampling-processor-id.patch b/queue-4.14/staging-lustre-disable-preempt-while-sampling-processor-id.patch new file mode 100644 index 00000000000..6242eaabaa9 --- /dev/null +++ b/queue-4.14/staging-lustre-disable-preempt-while-sampling-processor-id.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: NeilBrown +Date: Tue, 19 Dec 2017 10:01:47 +1100 +Subject: staging: lustre: disable preempt while sampling processor id. + +From: NeilBrown + + +[ Upstream commit dbeccabf5294e80f7cc9ee566746c42211bed736 ] + +Calling smp_processor_id() without disabling preemption +triggers a warning (if CONFIG_DEBUG_PREEMPT). +I think the result of cfs_cpt_current() is only used as a hint for +load balancing, rather than as a precise and stable indicator of +the current CPU. So it doesn't need to be called with +preemption disabled. + +So disable preemption inside cfs_cpt_current() to silence the warning. + +Signed-off-by: NeilBrown +Reviewed-by: Andreas Dilger +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lnet/libcfs/linux/linux-cpu.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/staging/lustre/lnet/libcfs/linux/linux-cpu.c ++++ b/drivers/staging/lustre/lnet/libcfs/linux/linux-cpu.c +@@ -528,19 +528,20 @@ EXPORT_SYMBOL(cfs_cpt_spread_node); + int + cfs_cpt_current(struct cfs_cpt_table *cptab, int remap) + { +- int cpu = smp_processor_id(); +- int cpt = cptab->ctb_cpu2cpt[cpu]; ++ int cpu; ++ int cpt; + +- if (cpt < 0) { +- if (!remap) +- return cpt; ++ preempt_disable(); ++ cpu = smp_processor_id(); ++ cpt = cptab->ctb_cpu2cpt[cpu]; + ++ if (cpt < 0 && remap) { + /* don't return negative value for safety of upper layer, + * instead we shadow the unknown cpu to a valid partition ID + */ + cpt = cpu % cptab->ctb_nparts; + } +- ++ preempt_enable(); + return cpt; + } + EXPORT_SYMBOL(cfs_cpt_current); diff --git a/queue-4.14/tcmu-release-blocks-for-partially-setup-cmds.patch b/queue-4.14/tcmu-release-blocks-for-partially-setup-cmds.patch new file mode 100644 index 00000000000..b0a67f26f48 --- /dev/null +++ b/queue-4.14/tcmu-release-blocks-for-partially-setup-cmds.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Mike Christie +Date: Tue, 28 Nov 2017 12:40:33 -0600 +Subject: tcmu: release blocks for partially setup cmds + +From: Mike Christie + + +[ Upstream commit 810b8153c4243d2012a6ec002ddd3bbc9a9ae8c2 ] + +If we cannot setup a cmd because we run out of ring space +or global pages release the blocks before sleeping. This +prevents a deadlock where dev0 has waiting_blocks set and +needs N blocks, but dev1 to devX have each allocated N / X blocks +and also hit the global block limit so they went to sleep. + +find_free_blocks is not able to take the sleeping dev's +blocks becaause their waiting_blocks is set and even +if it was not the block returned by find_last_bit could equal +dbi_max. The latter will probably never happen because +DATA_BLOCK_BITS is so high but in the next patches +DATA_BLOCK_BITS and TCMU_GLOBAL_MAX_BLOCKS will be settable so +it might be lower and could happen. + +Signed-off-by: Mike Christie +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_user.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -796,6 +796,13 @@ tcmu_queue_cmd_ring(struct tcmu_cmd *tcm + int ret; + DEFINE_WAIT(__wait); + ++ /* ++ * Don't leave commands partially setup because the unmap ++ * thread might need the blocks to make forward progress. ++ */ ++ tcmu_cmd_free_data(tcmu_cmd, tcmu_cmd->dbi_cur); ++ tcmu_cmd_reset_dbi_cur(tcmu_cmd); ++ + prepare_to_wait(&udev->wait_cmdr, &__wait, TASK_INTERRUPTIBLE); + + pr_debug("sleeping for ring space\n"); diff --git a/queue-4.14/thermal-int3400_thermal-fix-error-handling-in-int3400_thermal_probe.patch b/queue-4.14/thermal-int3400_thermal-fix-error-handling-in-int3400_thermal_probe.patch new file mode 100644 index 00000000000..a6da2bc8451 --- /dev/null +++ b/queue-4.14/thermal-int3400_thermal-fix-error-handling-in-int3400_thermal_probe.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Alexey Khoroshilov +Date: Sat, 30 Dec 2017 01:05:21 +0300 +Subject: thermal: int3400_thermal: fix error handling in int3400_thermal_probe() + +From: Alexey Khoroshilov + + +[ Upstream commit 0be86969ae385c5c944286bd9f66068525de15ee ] + +There are resources that are not dealocated on failure path +in int3400_thermal_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/int340x_thermal/int3400_thermal.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -319,17 +319,21 @@ static int int3400_thermal_probe(struct + + result = sysfs_create_group(&pdev->dev.kobj, &uuid_attribute_group); + if (result) +- goto free_zone; ++ goto free_rel_misc; + + result = acpi_install_notify_handler( + priv->adev->handle, ACPI_DEVICE_NOTIFY, int3400_notify, + (void *)priv); + if (result) +- goto free_zone; ++ goto free_sysfs; + + return 0; + +-free_zone: ++free_sysfs: ++ sysfs_remove_group(&pdev->dev.kobj, &uuid_attribute_group); ++free_rel_misc: ++ if (!priv->rel_misc_dev_res) ++ acpi_thermal_rel_misc_device_remove(priv->adev->handle); + thermal_zone_device_unregister(priv->thermal); + free_art_trt: + kfree(priv->trts); diff --git a/queue-4.14/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch b/queue-4.14/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch new file mode 100644 index 00000000000..8559a020d6b --- /dev/null +++ b/queue-4.14/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Yi Zeng +Date: Tue, 26 Dec 2017 19:22:26 +0800 +Subject: thermal: power_allocator: fix one race condition issue for thermal_instances list + +From: Yi Zeng + + +[ Upstream commit a5de11d67dcd268b8d0beb73dc374de5e97f0caf ] + +When invoking allow_maximum_power and traverse tz->thermal_instances, +we should grab thermal_zone_device->lock to avoid race condition. For +example, during the system reboot, if the mali GPU device implements +device shutdown callback and unregister GPU devfreq cooling device, +the deleted list head may be accessed to cause panic, as the following +log shows: + +[ 33.551070] c3 25 (kworker/3:0) Unable to handle kernel paging request at virtual address dead000000000070 +[ 33.566708] c3 25 (kworker/3:0) pgd = ffffffc0ed290000 +[ 33.572071] c3 25 (kworker/3:0) [dead000000000070] *pgd=00000001ed292003, *pud=00000001ed292003, *pmd=0000000000000000 +[ 33.581515] c3 25 (kworker/3:0) Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 33.599761] c3 25 (kworker/3:0) CPU: 3 PID: 25 Comm: kworker/3:0 Not tainted 4.4.35+ #912 +[ 33.614137] c3 25 (kworker/3:0) Workqueue: events_freezable thermal_zone_device_check +[ 33.620245] c3 25 (kworker/3:0) task: ffffffc0f32e4200 ti: ffffffc0f32f0000 task.ti: ffffffc0f32f0000 +[ 33.629466] c3 25 (kworker/3:0) PC is at power_allocator_throttle+0x7c8/0x8a4 +[ 33.636609] c3 25 (kworker/3:0) LR is at power_allocator_throttle+0x808/0x8a4 +[ 33.643742] c3 25 (kworker/3:0) pc : [] lr : [] pstate: 20000145 +[ 33.652874] c3 25 (kworker/3:0) sp : ffffffc0f32f3bb0 +[ 34.468519] c3 25 (kworker/3:0) Process kworker/3:0 (pid: 25, stack limit = 0xffffffc0f32f0020) +[ 34.477220] c3 25 (kworker/3:0) Stack: (0xffffffc0f32f3bb0 to 0xffffffc0f32f4000) +[ 34.819822] c3 25 (kworker/3:0) Call trace: +[ 34.824021] c3 25 (kworker/3:0) Exception stack(0xffffffc0f32f39c0 to 0xffffffc0f32f3af0) +[ 34.924993] c3 25 (kworker/3:0) [] power_allocator_throttle+0x7c8/0x8a4 +[ 34.933184] c3 25 (kworker/3:0) [] handle_thermal_trip.part.25+0x70/0x224 +[ 34.941545] c3 25 (kworker/3:0) [] thermal_zone_device_update+0xc0/0x20c +[ 34.949818] c3 25 (kworker/3:0) [] thermal_zone_device_check+0x20/0x2c +[ 34.957924] c3 25 (kworker/3:0) [] process_one_work+0x168/0x458 +[ 34.965414] c3 25 (kworker/3:0) [] worker_thread+0x13c/0x4b4 +[ 34.972650] c3 25 (kworker/3:0) [] kthread+0xe8/0xfc +[ 34.979187] c3 25 (kworker/3:0) [] ret_from_fork+0x10/0x40 +[ 34.986244] c3 25 (kworker/3:0) Code: f9405e73 eb1302bf d102e273 54ffc460 (b9402a61) +[ 34.994339] c3 25 (kworker/3:0) ---[ end trace 32057901e3b7e1db ]--- + +Signed-off-by: Yi Zeng +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/power_allocator.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thermal/power_allocator.c ++++ b/drivers/thermal/power_allocator.c +@@ -523,6 +523,7 @@ static void allow_maximum_power(struct t + struct thermal_instance *instance; + struct power_allocator_params *params = tz->governor_data; + ++ mutex_lock(&tz->lock); + list_for_each_entry(instance, &tz->thermal_instances, tz_node) { + if ((instance->trip != params->trip_max_desired_temperature) || + (!cdev_is_power_actor(instance->cdev))) +@@ -534,6 +535,7 @@ static void allow_maximum_power(struct t + mutex_unlock(&instance->cdev->lock); + thermal_cdev_update(instance->cdev); + } ++ mutex_unlock(&tz->lock); + } + + /** diff --git a/queue-4.14/tpm-return-a-tpm_rc_command_code-response-if-command-is-not-implemented.patch b/queue-4.14/tpm-return-a-tpm_rc_command_code-response-if-command-is-not-implemented.patch new file mode 100644 index 00000000000..9d581eafbc2 --- /dev/null +++ b/queue-4.14/tpm-return-a-tpm_rc_command_code-response-if-command-is-not-implemented.patch @@ -0,0 +1,140 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Javier Martinez Canillas +Date: Thu, 30 Nov 2017 08:39:07 +0100 +Subject: tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented + +From: Javier Martinez Canillas + + +[ Upstream commit 095531f891e627e408606f2da4008d3d53e6748a ] + +According to the TPM Library Specification, a TPM device must do a command +header validation before processing and return a TPM_RC_COMMAND_CODE code +if the command is not implemented. + +So user-space will expect to handle that response as an error. But if the +in-kernel resource manager is used (/dev/tpmrm?), an -EINVAL errno code is +returned instead if the command isn't implemented. This confuses userspace +since it doesn't expect that error value. + +This also isn't consistent with the behavior when not using TPM spaces and +accessing the TPM directly (/dev/tpm?). In this case, the command is sent +to the TPM even when not implemented and the TPM responds with an error. + +Instead of returning an -EINVAL errno code when the tpm_validate_command() +function fails, synthesize a TPM command response so user-space can get a +TPM_RC_COMMAND_CODE as expected when a chip doesn't implement the command. + +The TPM only sets 12 of the 32 bits in the TPM_RC response, so the TSS and +TAB specifications define that higher layers in the stack should use some +of the unused 20 bits to specify from which level of the stack the error +is coming from. + +Since the TPM_RC_COMMAND_CODE response code is sent by the kernel resource +manager, set the error level to the TAB/RM layer so user-space is aware of +this. + +Suggested-by: Jason Gunthorpe +Signed-off-by: Javier Martinez Canillas +Reviewed-by: William Roberts +Reviewed-by: Philip Tricca +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm-interface.c | 28 ++++++++++++++++++++-------- + drivers/char/tpm/tpm.h | 5 +++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -328,7 +328,7 @@ unsigned long tpm_calc_ordinal_duration( + } + EXPORT_SYMBOL_GPL(tpm_calc_ordinal_duration); + +-static bool tpm_validate_command(struct tpm_chip *chip, ++static int tpm_validate_command(struct tpm_chip *chip, + struct tpm_space *space, + const u8 *cmd, + size_t len) +@@ -340,10 +340,10 @@ static bool tpm_validate_command(struct + unsigned int nr_handles; + + if (len < TPM_HEADER_SIZE) +- return false; ++ return -EINVAL; + + if (!space) +- return true; ++ return 0; + + if (chip->flags & TPM_CHIP_FLAG_TPM2 && chip->nr_commands) { + cc = be32_to_cpu(header->ordinal); +@@ -352,7 +352,7 @@ static bool tpm_validate_command(struct + if (i < 0) { + dev_dbg(&chip->dev, "0x%04X is an invalid command\n", + cc); +- return false; ++ return -EOPNOTSUPP; + } + + attrs = chip->cc_attrs_tbl[i]; +@@ -362,11 +362,11 @@ static bool tpm_validate_command(struct + goto err_len; + } + +- return true; ++ return 0; + err_len: + dev_dbg(&chip->dev, + "%s: insufficient command length %zu", __func__, len); +- return false; ++ return -EINVAL; + } + + /** +@@ -391,8 +391,20 @@ ssize_t tpm_transmit(struct tpm_chip *ch + unsigned long stop; + bool need_locality; + +- if (!tpm_validate_command(chip, space, buf, bufsiz)) +- return -EINVAL; ++ rc = tpm_validate_command(chip, space, buf, bufsiz); ++ if (rc == -EINVAL) ++ return rc; ++ /* ++ * If the command is not implemented by the TPM, synthesize a ++ * response with a TPM2_RC_COMMAND_CODE return for user-space. ++ */ ++ if (rc == -EOPNOTSUPP) { ++ header->length = cpu_to_be32(sizeof(*header)); ++ header->tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); ++ header->return_code = cpu_to_be32(TPM2_RC_COMMAND_CODE | ++ TSS2_RESMGR_TPM_RC_LAYER); ++ return bufsiz; ++ } + + if (bufsiz > TPM_BUFSIZE) + bufsiz = TPM_BUFSIZE; +--- a/drivers/char/tpm/tpm.h ++++ b/drivers/char/tpm/tpm.h +@@ -93,12 +93,17 @@ enum tpm2_structures { + TPM2_ST_SESSIONS = 0x8002, + }; + ++/* Indicates from what layer of the software stack the error comes from */ ++#define TSS2_RC_LAYER_SHIFT 16 ++#define TSS2_RESMGR_TPM_RC_LAYER (11 << TSS2_RC_LAYER_SHIFT) ++ + enum tpm2_return_codes { + TPM2_RC_SUCCESS = 0x0000, + TPM2_RC_HASH = 0x0083, /* RC_FMT1 */ + TPM2_RC_HANDLE = 0x008B, + TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */ + TPM2_RC_DISABLED = 0x0120, ++ TPM2_RC_COMMAND_CODE = 0x0143, + TPM2_RC_TESTING = 0x090A, /* RC_WARN */ + TPM2_RC_REFERENCE_H0 = 0x0910, + }; diff --git a/queue-4.14/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch b/queue-4.14/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch new file mode 100644 index 00000000000..161c07c549a --- /dev/null +++ b/queue-4.14/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch @@ -0,0 +1,119 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Tony Lindgren +Date: Wed, 3 Jan 2018 10:18:03 -0800 +Subject: tty: n_gsm: Allow ADM response in addition to UA for control dlci + +From: Tony Lindgren + + +[ Upstream commit ea3d8465ab9b3e01be329ac5195970a84bef76c5 ] + +Some devices have the control dlci stay in ADM mode instead of the UA +mode. This can seen at least on droid 4 when trying to open the ts +27.010 mux port. Enabling n_gsm debug mode shows the control dlci +always respond with DM to SABM instead of UA: + +# modprobe n_gsm debug=0xff +# ldattach -d GSM0710 /dev/ttyS0 & +gsmld_output: 00000000: f9 03 3f 01 1c f9 +--> 0) C: SABM(P) +gsmld_receive: 00000000: f9 03 1f 01 36 f9 +<-- 0) C: DM(P) +... +$ minicom -D /dev/gsmtty1 +minicom: cannot open /dev/gsmtty1: No error information +$ strace minicom -D /dev/gsmtty1 +... +open("/dev/gsmtty1", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE) = -1 EL2HLT + +Note that this is different issue from other n_gsm -EL2HLT issues such +as timeouts when the control dlci does not respond at all. + +The ADM mode seems to be a quite common according to "RF Wireless World" +article "GSM Issue-UE sends SABM and gets a DM response instead of +UA response": + + This issue is most commonly observed in GSM networks where in UE sends + SABM and expects network to send UA response but it ends up receiving + DM response from the network. SABM stands for Set asynchronous balanced + mode, UA stands for Unnumbered Acknowledge and DA stands for + Disconnected Mode. + + An RLP entity can be in one of two modes: + - Asynchronous Balanced Mode (ABM) + - Asynchronous Disconnected Mode (ADM) + +Currently Linux kernel closes the control dlci after several retries +in gsm_dlci_t1() on DM. This causes n_gsm /dev/gsmtty ports to produce +error code -EL2HLT when trying to open them as the closing of control +dlci has already set gsm->dead. + +Let's fix the issue by allowing control dlci stay in ADM mode after the +retries so the /dev/gsmtty ports can be opened and used. It seems that +it might take several attempts to get any response from the control +dlci, so it's best to allow ADM mode only after the SABM retries are +done. + +Note that for droid 4 additional patches are needed to mux the ttyS0 +pins and to toggle RTS gpio_149 to wake up the mdm6600 modem are also +needed to use n_gsm. And the mdm6600 modem needs to be powered on. + +Cc: linux-serial@vger.kernel.org +Cc: Alan Cox +Cc: Jiri Prchal +Cc: Jiri Slaby +Cc: Marcel Partap +Cc: Michael Scott +Cc: Peter Hurley +Cc: Russ Gorby +Cc: Sascha Hauer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1463,6 +1463,10 @@ static void gsm_dlci_open(struct gsm_dlc + * in which case an opening port goes back to closed and a closing port + * is simply put into closed state (any further frames from the other + * end will get a DM response) ++ * ++ * Some control dlci can stay in ADM mode with other dlci working just ++ * fine. In that case we can just keep the control dlci open after the ++ * DLCI_OPENING retries time out. + */ + + static void gsm_dlci_t1(unsigned long data) +@@ -1476,8 +1480,15 @@ static void gsm_dlci_t1(unsigned long da + if (dlci->retries) { + gsm_command(dlci->gsm, dlci->addr, SABM|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); +- } else ++ } else if (!dlci->addr && gsm->control == (DM | PF)) { ++ if (debug & 8) ++ pr_info("DLCI %d opening in ADM mode.\n", ++ dlci->addr); ++ gsm_dlci_open(dlci); ++ } else { + gsm_dlci_close(dlci); ++ } ++ + break; + case DLCI_CLOSING: + dlci->retries--; +@@ -1495,8 +1506,8 @@ static void gsm_dlci_t1(unsigned long da + * @dlci: DLCI to open + * + * Commence opening a DLCI from the Linux side. We issue SABM messages +- * to the modem which should then reply with a UA, at which point we +- * will move into open state. Opening is done asynchronously with retry ++ * to the modem which should then reply with a UA or ADM, at which point ++ * we will move into open state. Opening is done asynchronously with retry + * running off timers and the responses. + */ + diff --git a/queue-4.14/uio_hv_generic-check-that-host-supports-monitor-page.patch b/queue-4.14/uio_hv_generic-check-that-host-supports-monitor-page.patch new file mode 100644 index 00000000000..5f052ca6b82 --- /dev/null +++ b/queue-4.14/uio_hv_generic-check-that-host-supports-monitor-page.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Stephen Hemminger +Date: Tue, 9 Jan 2018 12:57:31 -0800 +Subject: uio_hv_generic: check that host supports monitor page + +From: Stephen Hemminger + + +[ Upstream commit 06028d15177a1b406b7b075ea47c6a352732f23a ] + +In order for userspace application to signal host, it needs the +host to support the monitor page property. Check for the flag +and fail if this is not supported. + +Signed-off-by: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio_hv_generic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -124,6 +124,13 @@ hv_uio_probe(struct hv_device *dev, + if (ret) + goto fail; + ++ /* Communicating with host has to be via shared memory not hypercall */ ++ if (!dev->channel->offermsg.monitor_allocated) { ++ dev_err(&dev->device, "vmbus channel requires hypercall\n"); ++ ret = -ENOTSUPP; ++ goto fail_close; ++ } ++ + dev->channel->inbound.ring_buffer->interrupt_mask = 1; + set_channel_read_mode(dev->channel, HV_CALL_DIRECT); + diff --git a/queue-4.14/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch b/queue-4.14/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch new file mode 100644 index 00000000000..abc9f7b5bcf --- /dev/null +++ b/queue-4.14/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch @@ -0,0 +1,105 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: "Pieter \\\"PoroCYon\\\" Sluys" +Date: Thu, 4 Jan 2018 16:53:50 +0100 +Subject: vfb: fix video mode and line_length being set when loaded + +From: "Pieter \\\"PoroCYon\\\" Sluys" + + +[ Upstream commit 7b9faf5df0ac495a1a3d7cdb64921c179f9008ac ] + +Currently, when loading the vfb module, the newly created fbdev +has a line_length of 0, and its video mode would be PSEUDOCOLOR +regardless of color depth. (The former could be worked around by +calling the FBIOPUT_VSCREENINFO ioctl with having the FBACTIVIATE_FORCE +flag set.) This patch automatically sets the line_length correctly, +and the video mode is derived from the bit depth now as well. + +Thanks to Geert Uytterhoeven for confirming the bug and helping me with +the patch. + +Output of `fbset -i' before the patch: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : PSEUDOCOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 0 <-- note this + Accelerator : No + +After: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : TRUECOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 5464 + Accelerator : No + +Signed-off-by: "Pieter \"PoroCYon\" Sluys" +Reviewed-by: Geert Uytterhoeven +[b.zolnierkie: minor fixups] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/vfb.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/video/fbdev/vfb.c ++++ b/drivers/video/fbdev/vfb.c +@@ -239,8 +239,23 @@ static int vfb_check_var(struct fb_var_s + */ + static int vfb_set_par(struct fb_info *info) + { ++ switch (info->var.bits_per_pixel) { ++ case 1: ++ info->fix.visual = FB_VISUAL_MONO01; ++ break; ++ case 8: ++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR; ++ break; ++ case 16: ++ case 24: ++ case 32: ++ info->fix.visual = FB_VISUAL_TRUECOLOR; ++ break; ++ } ++ + info->fix.line_length = get_line_length(info->var.xres_virtual, + info->var.bits_per_pixel); ++ + return 0; + } + +@@ -450,6 +465,8 @@ static int vfb_probe(struct platform_dev + goto err2; + platform_set_drvdata(dev, info); + ++ vfb_set_par(info); ++ + fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n", + videomemorysize >> 10); + return 0; diff --git a/queue-4.14/vfs-close-race-between-getcwd-and-d_move.patch b/queue-4.14/vfs-close-race-between-getcwd-and-d_move.patch new file mode 100644 index 00000000000..27de5996eac --- /dev/null +++ b/queue-4.14/vfs-close-race-between-getcwd-and-d_move.patch @@ -0,0 +1,114 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: NeilBrown +Date: Fri, 10 Nov 2017 15:45:41 +1100 +Subject: VFS: close race between getcwd() and d_move() + +From: NeilBrown + + +[ Upstream commit 61647823aa920e395afcce4b57c32afb51456cab ] + +d_move() will call __d_drop() and then __d_rehash() +on the dentry being moved. This creates a small window +when the dentry appears to be unhashed. Many tests +of d_unhashed() are made under ->d_lock and so are safe +from racing with this window, but some aren't. +In particular, getcwd() calls d_unlinked() (which calls +d_unhashed()) without d_lock protection, so it can race. + +This races has been seen in practice with lustre, which uses d_move() as +part of name lookup. See: + https://jira.hpdd.intel.com/browse/LU-9735 +It could race with a regular rename(), and result in ENOENT instead +of either the 'before' or 'after' name. + +The race can be demonstrated with a simple program which +has two threads, one renaming a directory back and forth +while another calls getcwd() within that directory: it should never +fail, but does. See: + https://patchwork.kernel.org/patch/9455345/ + +We could fix this race by taking d_lock and rechecking when +d_unhashed() reports true. Alternately when can remove the window, +which is the approach this patch takes. + +___d_drop() is introduce which does *not* clear d_hash.pprev +so the dentry still appears to be hashed. __d_drop() calls +___d_drop(), then clears d_hash.pprev. +__d_move() now uses ___d_drop() and only clears d_hash.pprev +when not rehashing. + +Signed-off-by: NeilBrown +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -468,9 +468,11 @@ static void dentry_lru_add(struct dentry + * d_drop() is used mainly for stuff that wants to invalidate a dentry for some + * reason (NFS timeouts or autofs deletes). + * +- * __d_drop requires dentry->d_lock. ++ * __d_drop requires dentry->d_lock ++ * ___d_drop doesn't mark dentry as "unhashed" ++ * (dentry->d_hash.pprev will be LIST_POISON2, not NULL). + */ +-void __d_drop(struct dentry *dentry) ++static void ___d_drop(struct dentry *dentry) + { + if (!d_unhashed(dentry)) { + struct hlist_bl_head *b; +@@ -486,12 +488,17 @@ void __d_drop(struct dentry *dentry) + + hlist_bl_lock(b); + __hlist_bl_del(&dentry->d_hash); +- dentry->d_hash.pprev = NULL; + hlist_bl_unlock(b); + /* After this call, in-progress rcu-walk path lookup will fail. */ + write_seqcount_invalidate(&dentry->d_seq); + } + } ++ ++void __d_drop(struct dentry *dentry) ++{ ++ ___d_drop(dentry); ++ dentry->d_hash.pprev = NULL; ++} + EXPORT_SYMBOL(__d_drop); + + void d_drop(struct dentry *dentry) +@@ -2386,7 +2393,7 @@ EXPORT_SYMBOL(d_delete); + static void __d_rehash(struct dentry *entry) + { + struct hlist_bl_head *b = d_hash(entry->d_name.hash); +- BUG_ON(!d_unhashed(entry)); ++ + hlist_bl_lock(b); + hlist_bl_add_head_rcu(&entry->d_hash, b); + hlist_bl_unlock(b); +@@ -2821,9 +2828,9 @@ static void __d_move(struct dentry *dent + write_seqcount_begin_nested(&target->d_seq, DENTRY_D_LOCK_NESTED); + + /* unhash both */ +- /* __d_drop does write_seqcount_barrier, but they're OK to nest. */ +- __d_drop(dentry); +- __d_drop(target); ++ /* ___d_drop does write_seqcount_barrier, but they're OK to nest. */ ++ ___d_drop(dentry); ++ ___d_drop(target); + + /* Switch the names.. */ + if (exchange) +@@ -2835,6 +2842,8 @@ static void __d_move(struct dentry *dent + __d_rehash(dentry); + if (exchange) + __d_rehash(target); ++ else ++ target->d_hash.pprev = NULL; + + /* ... and switch them in the tree */ + if (IS_ROOT(dentry)) { diff --git a/queue-4.14/watchdog-dw_wdt-add-stop-watchdog-operation.patch b/queue-4.14/watchdog-dw_wdt-add-stop-watchdog-operation.patch new file mode 100644 index 00000000000..267a1bc8b90 --- /dev/null +++ b/queue-4.14/watchdog-dw_wdt-add-stop-watchdog-operation.patch @@ -0,0 +1,74 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Oleksij Rempel +Date: Tue, 26 Sep 2017 08:11:22 +0200 +Subject: watchdog: dw_wdt: add stop watchdog operation + +From: Oleksij Rempel + + +[ Upstream commit 1bfe8889380890efe4943d125124f5a7b48571b0 ] + +The only way of stopping the watchdog is by resetting it. +Add the watchdog op for stopping the device and reset if +a reset line is provided. + +At same time WDOG_HW_RUNNING should be remove from dw_wdt_start. +As commented by Guenter Roeck: +dw_wdt sets WDOG_HW_RUNNING in its open function. Result is +that the kref_get() in watchdog_open() won't be executed. But then +kref_put() in close will be called since the watchdog now does stop. +This causes the imbalance. + +Signed-off-by: Oleksij Rempel +Cc: Wim Van Sebroeck +Cc: Guenter Roeck +Cc: linux-watchdog@vger.kernel.org +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/dw_wdt.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -127,14 +127,27 @@ static int dw_wdt_start(struct watchdog_ + + dw_wdt_set_timeout(wdd, wdd->timeout); + +- set_bit(WDOG_HW_RUNNING, &wdd->status); +- + writel(WDOG_CONTROL_REG_WDT_EN_MASK, + dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); + + return 0; + } + ++static int dw_wdt_stop(struct watchdog_device *wdd) ++{ ++ struct dw_wdt *dw_wdt = to_dw_wdt(wdd); ++ ++ if (!dw_wdt->rst) { ++ set_bit(WDOG_HW_RUNNING, &wdd->status); ++ return 0; ++ } ++ ++ reset_control_assert(dw_wdt->rst); ++ reset_control_deassert(dw_wdt->rst); ++ ++ return 0; ++} ++ + static int dw_wdt_restart(struct watchdog_device *wdd, + unsigned long action, void *data) + { +@@ -173,6 +186,7 @@ static const struct watchdog_info dw_wdt + static const struct watchdog_ops dw_wdt_ops = { + .owner = THIS_MODULE, + .start = dw_wdt_start, ++ .stop = dw_wdt_stop, + .ping = dw_wdt_ping, + .set_timeout = dw_wdt_set_timeout, + .get_timeleft = dw_wdt_get_timeleft, diff --git a/queue-4.14/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch b/queue-4.14/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch new file mode 100644 index 00000000000..7e3f52d3256 --- /dev/null +++ b/queue-4.14/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Colin Ian King +Date: Tue, 26 Dec 2017 17:33:18 +0000 +Subject: wl1251: check return from call to wl1251_acx_arp_ip_filter + +From: Colin Ian King + + +[ Upstream commit ac1181c60822292176ab96912208ec9f9819faf8 ] + +Currently the less than zero error check on ret is incorrect +as it is checking a far earlier ret assignment rather than the +return from the call to wl1251_acx_arp_ip_filter. Fix this by +adding in the missing assginment. + +Detected by CoverityScan, CID#1164835 ("Logically dead code") + +Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wl1251/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/ti/wl1251/main.c ++++ b/drivers/net/wireless/ti/wl1251/main.c +@@ -1200,8 +1200,7 @@ static void wl1251_op_bss_info_changed(s + WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS); + + enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc; +- wl1251_acx_arp_ip_filter(wl, enable, addr); +- ++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr); + if (ret < 0) + goto out_sleep; + } diff --git a/queue-4.14/x86-gart-exclude-gart-aperture-from-vmcore.patch b/queue-4.14/x86-gart-exclude-gart-aperture-from-vmcore.patch new file mode 100644 index 00000000000..986620fbb14 --- /dev/null +++ b/queue-4.14/x86-gart-exclude-gart-aperture-from-vmcore.patch @@ -0,0 +1,157 @@ +From foo@baz Mon Apr 9 13:58:16 CEST 2018 +From: Jiri Bohac +Date: Sat, 6 Jan 2018 02:00:13 +0100 +Subject: x86/gart: Exclude GART aperture from vmcore + +From: Jiri Bohac + + +[ Upstream commit 2a3e83c6f96c513f43ce5a8c9034608ea584a255 ] + +On machines where the GART aperture is mapped over physical RAM +/proc/vmcore contains the remapped range and reading it may cause hangs or +reboots. + +In the past, the GART region was added into the resource map, implemented +by commit 56dd669a138c ("[PATCH] Insert GART region into resource map") + +However, inserting the iomem_resource from the early GART code caused +resource conflicts with some AGP drivers (bko#72201), which got avoided by +reverting the patch in commit 707d4eefbdb3 ("Revert [PATCH] Insert GART +region into resource map"). This revert introduced the /proc/vmcore bug. + +The vmcore ELF header is either prepared by the kernel (when using the +kexec_file_load syscall) or by the kexec userspace (when using the kexec_load +syscall). Since we no longer have the GART iomem resource, the userspace +kexec has no way of knowing which region to exclude from the ELF header. + +Changes from v1 of this patch: +Instead of excluding the aperture from the ELF header, this patch +makes /proc/vmcore return zeroes in the second kernel when attempting to +read the aperture region. This is done by reusing the +gart_oldmem_pfn_is_ram infrastructure originally intended to exclude XEN +balooned memory. This works for both, the kexec_file_load and kexec_load +syscalls. + +[Note that the GART region is the same in the first and second kernels: +regardless whether the first kernel fixed up the northbridge/bios setting +and mapped the aperture over physical memory, the second kernel finds the +northbridge properly configured by the first kernel and the aperture +never overlaps with e820 memory because the second kernel has a fake e820 +map created from the crashkernel memory regions. Thus, the second kernel +keeps the aperture address/size as configured by the first kernel.] + +register_oldmem_pfn_is_ram can only register one callback and returns an error +if the callback has been registered already. Since XEN used to be the only user +of this function, it never checks the return value. Now that we have more than +one user, I added a WARN_ON just in case agp, XEN, or any other future user of +register_oldmem_pfn_is_ram were to step on each other's toes. + +Fixes: 707d4eefbdb3 ("Revert [PATCH] Insert GART region into resource map") +Signed-off-by: Jiri Bohac +Signed-off-by: Thomas Gleixner +Cc: Baoquan He +Cc: Toshi Kani +Cc: David Airlie +Cc: yinghai@kernel.org +Cc: joro@8bytes.org +Cc: kexec@lists.infradead.org +Cc: Borislav Petkov +Cc: Bjorn Helgaas +Cc: Dave Young +Cc: Vivek Goyal +Link: https://lkml.kernel.org/r/20180106010013.73suskgxm7lox7g6@dwarf.suse.cz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/aperture_64.c | 46 +++++++++++++++++++++++++++++++++++++++++- + arch/x86/xen/mmu_hvm.c | 2 - + 2 files changed, 46 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/aperture_64.c ++++ b/arch/x86/kernel/aperture_64.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + /* + * Using 512M as goal, in case kexec will load kernel_big +@@ -56,6 +57,33 @@ int fallback_aper_force __initdata; + + int fix_aperture __initdata = 1; + ++#ifdef CONFIG_PROC_VMCORE ++/* ++ * If the first kernel maps the aperture over e820 RAM, the kdump kernel will ++ * use the same range because it will remain configured in the northbridge. ++ * Trying to dump this area via /proc/vmcore may crash the machine, so exclude ++ * it from vmcore. ++ */ ++static unsigned long aperture_pfn_start, aperture_page_count; ++ ++static int gart_oldmem_pfn_is_ram(unsigned long pfn) ++{ ++ return likely((pfn < aperture_pfn_start) || ++ (pfn >= aperture_pfn_start + aperture_page_count)); ++} ++ ++static void exclude_from_vmcore(u64 aper_base, u32 aper_order) ++{ ++ aperture_pfn_start = aper_base >> PAGE_SHIFT; ++ aperture_page_count = (32 * 1024 * 1024) << aper_order >> PAGE_SHIFT; ++ WARN_ON(register_oldmem_pfn_is_ram(&gart_oldmem_pfn_is_ram)); ++} ++#else ++static void exclude_from_vmcore(u64 aper_base, u32 aper_order) ++{ ++} ++#endif ++ + /* This code runs before the PCI subsystem is initialized, so just + access the northbridge directly. */ + +@@ -435,8 +463,16 @@ int __init gart_iommu_hole_init(void) + + out: + if (!fix && !fallback_aper_force) { +- if (last_aper_base) ++ if (last_aper_base) { ++ /* ++ * If this is the kdump kernel, the first kernel ++ * may have allocated the range over its e820 RAM ++ * and fixed up the northbridge ++ */ ++ exclude_from_vmcore(last_aper_base, last_aper_order); ++ + return 1; ++ } + return 0; + } + +@@ -473,6 +509,14 @@ out: + return 0; + } + ++ /* ++ * If this is the kdump kernel _and_ the first kernel did not ++ * configure the aperture in the northbridge, this range may ++ * overlap with the first kernel's memory. We can't access the ++ * range through vmcore even though it should be part of the dump. ++ */ ++ exclude_from_vmcore(aper_alloc, aper_order); ++ + /* Fix up the north bridges */ + for (i = 0; i < amd_nb_bus_dev_ranges[i].dev_limit; i++) { + int bus, dev_base, dev_limit; +--- a/arch/x86/xen/mmu_hvm.c ++++ b/arch/x86/xen/mmu_hvm.c +@@ -75,6 +75,6 @@ void __init xen_hvm_init_mmu_ops(void) + if (is_pagetable_dying_supported()) + pv_mmu_ops.exit_mmap = xen_hvm_exit_mmap; + #ifdef CONFIG_PROC_VMCORE +- register_oldmem_pfn_is_ram(&xen_oldmem_pfn_is_ram); ++ WARN_ON(register_oldmem_pfn_is_ram(&xen_oldmem_pfn_is_ram)); + #endif + }