From: Greg Kroah-Hartman Date: Tue, 20 Feb 2018 15:48:33 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.15.5~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dfbc6f9b74b467f6cd18b2226d5966aacc8293c1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: 9p-trans_virtio-discard-zero-length-reply.patch alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch alsa-seq-fix-racy-pool-initializations.patch alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch blk-wbt-account-flush-requests-correctly.patch btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch btrfs-fix-deadlock-in-run_delalloc_nocow.patch btrfs-fix-extent-state-leak-from-tree-log.patch btrfs-fix-unexpected-eexist-when-creating-new-inode.patch btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch dm-correctly-handle-chained-bios-in-dec_pending.patch drm-qxl-reapply-cursor-after-resetting-primary.patch iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch mtd-nand-vf610-set-correct-ooblayout.patch mvpp2-fix-multicast-address-filter.patch qxl-alloc-use-shadow-for-dumb-buffers.patch rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch xprtrdma-fix-bug-after-a-device-removal.patch xprtrdma-fix-calculation-of-ri_max_send_sges.patch --- diff --git a/queue-4.14/9p-trans_virtio-discard-zero-length-reply.patch b/queue-4.14/9p-trans_virtio-discard-zero-length-reply.patch new file mode 100644 index 00000000000..70f8ec17a4d --- /dev/null +++ b/queue-4.14/9p-trans_virtio-discard-zero-length-reply.patch @@ -0,0 +1,36 @@ +From 26d99834f89e76514076d9cd06f61e56e6a509b8 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Mon, 22 Jan 2018 22:02:05 +0100 +Subject: 9p/trans_virtio: discard zero-length reply + +From: Greg Kurz + +commit 26d99834f89e76514076d9cd06f61e56e6a509b8 upstream. + +When a 9p request is successfully flushed, the server is expected to just +mark it as used without sending a 9p reply (ie, without writing data into +the buffer). In this case, virtqueue_get_buf() will return len == 0 and +we must not report a REQ_STATUS_RCVD status to the client, otherwise the +client will erroneously assume the request has not been flushed. + +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kurz +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -160,7 +160,8 @@ static void req_done(struct virtqueue *v + spin_unlock_irqrestore(&chan->lock, flags); + /* Wakeup if anyone waiting for VirtIO ring space. */ + wake_up(chan->vc_wq); +- p9_client_cb(chan->client, req, REQ_STATUS_RCVD); ++ if (len) ++ p9_client_cb(chan->client, req, REQ_STATUS_RCVD); + } + } + diff --git a/queue-4.14/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch b/queue-4.14/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch new file mode 100644 index 00000000000..0ef02c6e353 --- /dev/null +++ b/queue-4.14/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch @@ -0,0 +1,46 @@ +From 3f2f7c553d077be6a30cb96b2976a2c940bf5335 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Mon, 29 Jan 2018 14:23:15 +0800 +Subject: ALSA: hda - Fix headset mic detection problem for two Dell machines + +From: Hui Wang + +commit 3f2f7c553d077be6a30cb96b2976a2c940bf5335 upstream. + +One of them has the codec of alc256 and the other one has the codec +of alc289. + +Cc: +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6585,6 +6585,11 @@ static const struct snd_hda_pin_quirk al + {0x14, 0x90170110}, + {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x12, 0x90a60130}, ++ {0x14, 0x90170110}, ++ {0x14, 0x01011020}, ++ {0x21, 0x0221101f}), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC256_STANDARD_PINS), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC, + {0x14, 0x90170110}, +@@ -6653,6 +6658,10 @@ static const struct snd_hda_pin_quirk al + {0x12, 0x90a60120}, + {0x14, 0x90170110}, + {0x21, 0x0321101f}), ++ SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x12, 0xb7a60130}, ++ {0x14, 0x90170110}, ++ {0x21, 0x04211020}), + SND_HDA_PIN_QUIRK(0x10ec0290, 0x103c, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1, + ALC290_STANDARD_PINS, + {0x15, 0x04211040}, diff --git a/queue-4.14/alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch b/queue-4.14/alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch new file mode 100644 index 00000000000..bcbf418e7d5 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch @@ -0,0 +1,35 @@ +From 40e2c4e5a7efcd50983aacbddd3c617e776018bf Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 2 Feb 2018 15:13:09 +0800 +Subject: ALSA: hda/realtek - Add headset mode support for Dell laptop + +From: Kailang Yang + +commit 40e2c4e5a7efcd50983aacbddd3c617e776018bf upstream. + +This platform had two Dmic and single Dmic. +This update was for single Dmic. + +This commit was for two Dmic. + +Fixes: 75ee94b20b46 ("ALSA: hda - fix headset mic problem for Dell machines...") +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6176,6 +6176,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), + SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), ++ SND_PCI_QUIRK(0x1028, 0x084b, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB), ++ SND_PCI_QUIRK(0x1028, 0x084e, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), diff --git a/queue-4.14/alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch b/queue-4.14/alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch new file mode 100644 index 00000000000..04b63f8bfbc --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch @@ -0,0 +1,105 @@ +From 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 2 Feb 2018 15:26:46 +0800 +Subject: ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform + +From: Kailang Yang + +commit 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d upstream. + +Thinkpad Dock device support for ALC298 platform. +It need to use SSID for the quirk table. +Because IdeaPad also has ALC298 platform. +Use verb for the quirk table will confuse. + +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4827,6 +4827,28 @@ static void alc_fixup_tpt440_dock(struct + } + } + ++static void alc_fixup_tpt470_dock(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x17, 0x21211010 }, /* dock headphone */ ++ { 0x19, 0x21a11010 }, /* dock mic */ ++ { } ++ }; ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; ++ /* Enable DOCK device */ ++ snd_hda_codec_write(codec, 0x17, 0, ++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0); ++ /* Enable DOCK device */ ++ snd_hda_codec_write(codec, 0x19, 0, ++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0); ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ } ++} ++ + static void alc_shutup_dell_xps13(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; +@@ -5301,6 +5323,7 @@ enum { + ALC700_FIXUP_INTEL_REFERENCE, + ALC274_FIXUP_DELL_BIND_DACS, + ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, ++ ALC298_FIXUP_TPT470_DOCK, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -6126,6 +6149,12 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC274_FIXUP_DELL_BIND_DACS + }, ++ [ALC298_FIXUP_TPT470_DOCK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_tpt470_dock, ++ .chained = true, ++ .chain_id = ALC293_FIXUP_LENOVO_SPK_NOISE ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -6307,8 +6336,16 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x222d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x222e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460), + SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460), ++ SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +@@ -6329,7 +6366,12 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x5050, "Thinkpad T560p", ALC292_FIXUP_TPT460), + SND_PCI_QUIRK(0x17aa, 0x5051, "Thinkpad L460", ALC292_FIXUP_TPT460), + SND_PCI_QUIRK(0x17aa, 0x5053, "Thinkpad T460", ALC292_FIXUP_TPT460), ++ SND_PCI_QUIRK(0x17aa, 0x505d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x505f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x5062, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), + SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */ diff --git a/queue-4.14/alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch b/queue-4.14/alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch new file mode 100644 index 00000000000..a547906d6c8 --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch @@ -0,0 +1,83 @@ +From fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 Mon Sep 17 00:00:00 2001 +From: Jan-Marek Glogowski +Date: Wed, 14 Feb 2018 11:29:15 +0100 +Subject: ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 + +From: Jan-Marek Glogowski + +commit fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 upstream. + +These laptops have a combined jack to attach headsets, the U727 on +the left, the U757 on the right, but a headsets microphone doesn't +work. Using hdajacksensetest I found that pin 0x19 changed the +present state when plugging the headset, in addition to 0x21, but +didn't have the correct configuration (shown as "Not connected"). + +So this sets the configuration to the same values as the headphone +pin 0x21 except for the device type microphone, which makes it +work correctly. With the patch the configured pins for U727 are + +Pin 0x12 (Internal Mic, Mobile-In): present = No +Pin 0x14 (Internal Speaker): present = No +Pin 0x19 (Black Mic, Left side): present = No +Pin 0x1d (Internal Aux): present = No +Pin 0x21 (Black Headphone, Left side): present = No + +Signed-off-by: Jan-Marek Glogowski +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3355,6 +3355,19 @@ static void alc269_fixup_pincfg_no_hp_to + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; + } + ++static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21); ++ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19); ++ ++ if (cfg_headphone && cfg_headset_mic == 0x411111f0) ++ snd_hda_codec_set_pincfg(codec, 0x19, ++ (cfg_headphone & ~AC_DEFCFG_DEVICE) | ++ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT)); ++} ++ + static void alc269_fixup_hweq(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -5228,6 +5241,7 @@ enum { + ALC269_FIXUP_LIFEBOOK_EXTMIC, + ALC269_FIXUP_LIFEBOOK_HP_PIN, + ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT, ++ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC, + ALC269_FIXUP_AMIC, + ALC269_FIXUP_DMIC, + ALC269VB_FIXUP_AMIC, +@@ -5434,6 +5448,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_pincfg_no_hp_to_lineout, + }, ++ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc269_fixup_pincfg_U7x7_headset_mic, ++ }, + [ALC269_FIXUP_AMIC] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -6308,6 +6326,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT), + SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN), + SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN), ++ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC), + SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC), + SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE), + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), diff --git a/queue-4.14/alsa-seq-fix-racy-pool-initializations.patch b/queue-4.14/alsa-seq-fix-racy-pool-initializations.patch new file mode 100644 index 00000000000..afbd2b92893 --- /dev/null +++ b/queue-4.14/alsa-seq-fix-racy-pool-initializations.patch @@ -0,0 +1,60 @@ +From d15d662e89fc667b90cd294b0eb45694e33144da Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 12 Feb 2018 15:20:51 +0100 +Subject: ALSA: seq: Fix racy pool initializations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit d15d662e89fc667b90cd294b0eb45694e33144da upstream. + +ALSA sequencer core initializes the event pool on demand by invoking +snd_seq_pool_init() when the first write happens and the pool is +empty. Meanwhile user can reset the pool size manually via ioctl +concurrently, and this may lead to UAF or out-of-bound accesses since +the function tries to vmalloc / vfree the buffer. + +A simple fix is to just wrap the snd_seq_pool_init() call with the +recently introduced client->ioctl_mutex; as the calls for +snd_seq_pool_init() from other side are always protected with this +mutex, we can avoid the race. + +Reported-by: 范龙飞 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -999,7 +999,7 @@ static ssize_t snd_seq_write(struct file + { + struct snd_seq_client *client = file->private_data; + int written = 0, len; +- int err = -EINVAL; ++ int err; + struct snd_seq_event event; + + if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT)) +@@ -1014,11 +1014,15 @@ static ssize_t snd_seq_write(struct file + + /* allocate the pool now if the pool is not allocated yet */ + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) { +- if (snd_seq_pool_init(client->pool) < 0) ++ mutex_lock(&client->ioctl_mutex); ++ err = snd_seq_pool_init(client->pool); ++ mutex_unlock(&client->ioctl_mutex); ++ if (err < 0) + return -ENOMEM; + } + + /* only process whole events */ ++ err = -EINVAL; + while (count >= sizeof(struct snd_seq_event)) { + /* Read in the event header from the user */ + len = sizeof(event); diff --git a/queue-4.14/alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch b/queue-4.14/alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch new file mode 100644 index 00000000000..db5f412388e --- /dev/null +++ b/queue-4.14/alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch @@ -0,0 +1,37 @@ +From 7c74866baef1827e18f8269aec85030063520bd4 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Sun, 11 Feb 2018 09:50:27 -0400 +Subject: ALSA: usb: add more device quirks for USB DSD devices + +From: Daniel Mack + +commit 7c74866baef1827e18f8269aec85030063520bd4 upstream. + +Add some more devices that need quirks to handle DSD modes correctly. + +Signed-off-by: Daniel Mack +Reported-and-tested-by: Thomas Gresens +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1369,8 +1369,11 @@ u64 snd_usb_interface_dsd_format_quirks( + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; + +- /* Amanero Combo384 USB interface with native DSD support */ +- case USB_ID(0x16d0, 0x071a): ++ /* Amanero Combo384 USB based DACs with native DSD support */ ++ case USB_ID(0x16d0, 0x071a): /* Amanero - Combo384 */ ++ case USB_ID(0x2ab6, 0x0004): /* T+A DAC8DSD-V2.0, MP1000E-V2.0, MP2000R-V2.0, MP2500R-V2.0, MP3100HV-V2.0 */ ++ case USB_ID(0x2ab6, 0x0005): /* T+A USB HD Audio 1 */ ++ case USB_ID(0x2ab6, 0x0006): /* T+A USB HD Audio 2 */ + if (fp->altsetting == 2) { + switch (le16_to_cpu(chip->dev->descriptor.bcdDevice)) { + case 0x199: diff --git a/queue-4.14/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch b/queue-4.14/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch new file mode 100644 index 00000000000..ed90be8f258 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch @@ -0,0 +1,40 @@ +From 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 Mon Sep 17 00:00:00 2001 +From: Lassi Ylikojola +Date: Fri, 9 Feb 2018 16:51:36 +0200 +Subject: ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204 + +From: Lassi Ylikojola + +commit 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 upstream. + +Add quirk to ensure a sync endpoint is properly configured. +This patch is a fix for same symptoms on Behringer UFX1204 as patch +from Albertto Aquirre on Dec 8 2016 for Axe-Fx II. + +Signed-off-by: Lassi Ylikojola +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -357,6 +357,15 @@ static int set_sync_ep_implicit_fb_quirk + + alts = &iface->altsetting[1]; + goto add_sync_ep; ++ case USB_ID(0x1397, 0x0002): ++ ep = 0x81; ++ iface = usb_ifnum_to_if(dev, 1); ++ ++ if (!iface || iface->num_altsetting == 0) ++ return -EINVAL; ++ ++ alts = &iface->altsetting[1]; ++ goto add_sync_ep; + + } + if (attr == USB_ENDPOINT_SYNC_ASYNC && diff --git a/queue-4.14/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch b/queue-4.14/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch new file mode 100644 index 00000000000..97d866a9fca --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch @@ -0,0 +1,78 @@ +From 447cae58cecd69392b74a4a42cd0ab9cabd816af Mon Sep 17 00:00:00 2001 +From: Kirill Marinushkin +Date: Mon, 29 Jan 2018 06:37:55 +0100 +Subject: ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute + +From: Kirill Marinushkin + +commit 447cae58cecd69392b74a4a42cd0ab9cabd816af upstream. + +The layout of the UAC2 Control request and response varies depending on +the request type. With the current implementation, only the Layout 2 +Parameter Block (with the 2-byte sized RANGE attribute) is handled +properly. For the Control requests with the 1-byte sized RANGE attribute +(Bass Control, Mid Control, Tremble Control), the response is parsed +incorrectly. + +This commit: +* fixes the wLength field value in the request +* fixes parsing the range values from the response + +Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") +Signed-off-by: Kirill Marinushkin +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -347,17 +347,20 @@ static int get_ctl_value_v2(struct usb_m + int validx, int *value_ret) + { + struct snd_usb_audio *chip = cval->head.mixer->chip; +- unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */ ++ /* enough space for one range */ ++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)]; + unsigned char *val; +- int idx = 0, ret, size; ++ int idx = 0, ret, val_size, size; + __u8 bRequest; + ++ val_size = uac2_ctl_value_size(cval->val_type); ++ + if (request == UAC_GET_CUR) { + bRequest = UAC2_CS_CUR; +- size = uac2_ctl_value_size(cval->val_type); ++ size = val_size; + } else { + bRequest = UAC2_CS_RANGE; +- size = sizeof(buf); ++ size = sizeof(__u16) + 3 * val_size; + } + + memset(buf, 0, sizeof(buf)); +@@ -390,16 +393,17 @@ error: + val = buf + sizeof(__u16); + break; + case UAC_GET_MAX: +- val = buf + sizeof(__u16) * 2; ++ val = buf + sizeof(__u16) + val_size; + break; + case UAC_GET_RES: +- val = buf + sizeof(__u16) * 3; ++ val = buf + sizeof(__u16) + val_size * 2; + break; + default: + return -EINVAL; + } + +- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16))); ++ *value_ret = convert_signed_value(cval, ++ snd_usb_combine_bytes(val, val_size)); + + return 0; + } diff --git a/queue-4.14/arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch b/queue-4.14/arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch new file mode 100644 index 00000000000..0e01091594c --- /dev/null +++ b/queue-4.14/arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch @@ -0,0 +1,81 @@ +From 2ce77f6d8a9ae9ce6d80397d88bdceb84a2004cd Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 13 Feb 2018 13:14:09 +0000 +Subject: arm64: proc: Set PTE_NG for table entries to avoid traversing them twice + +From: Will Deacon + +commit 2ce77f6d8a9ae9ce6d80397d88bdceb84a2004cd upstream. + +When KASAN is enabled, the swapper page table contains many identical +mappings of the zero page, which can lead to a stall during boot whilst +the G -> nG code continually walks the same page table entries looking +for global mappings. + +This patch sets the nG bit (bit 11, which is IGNORED) in table entries +after processing the subtree so we can easily skip them if we see them +a second time. + +Tested-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/proc.S | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -190,7 +190,8 @@ ENDPROC(idmap_cpu_replace_ttbr1) + dc cvac, cur_\()\type\()p // Ensure any existing dirty + dmb sy // lines are written back before + ldr \type, [cur_\()\type\()p] // loading the entry +- tbz \type, #0, next_\()\type // Skip invalid entries ++ tbz \type, #0, skip_\()\type // Skip invalid and ++ tbnz \type, #11, skip_\()\type // non-global entries + .endm + + .macro __idmap_kpti_put_pgtable_ent_ng, type +@@ -249,8 +250,9 @@ ENTRY(idmap_kpti_install_ng_mappings) + add end_pgdp, cur_pgdp, #(PTRS_PER_PGD * 8) + do_pgd: __idmap_kpti_get_pgtable_ent pgd + tbnz pgd, #1, walk_puds +- __idmap_kpti_put_pgtable_ent_ng pgd + next_pgd: ++ __idmap_kpti_put_pgtable_ent_ng pgd ++skip_pgd: + add cur_pgdp, cur_pgdp, #8 + cmp cur_pgdp, end_pgdp + b.ne do_pgd +@@ -278,8 +280,9 @@ walk_puds: + add end_pudp, cur_pudp, #(PTRS_PER_PUD * 8) + do_pud: __idmap_kpti_get_pgtable_ent pud + tbnz pud, #1, walk_pmds +- __idmap_kpti_put_pgtable_ent_ng pud + next_pud: ++ __idmap_kpti_put_pgtable_ent_ng pud ++skip_pud: + add cur_pudp, cur_pudp, 8 + cmp cur_pudp, end_pudp + b.ne do_pud +@@ -298,8 +301,9 @@ walk_pmds: + add end_pmdp, cur_pmdp, #(PTRS_PER_PMD * 8) + do_pmd: __idmap_kpti_get_pgtable_ent pmd + tbnz pmd, #1, walk_ptes +- __idmap_kpti_put_pgtable_ent_ng pmd + next_pmd: ++ __idmap_kpti_put_pgtable_ent_ng pmd ++skip_pmd: + add cur_pmdp, cur_pmdp, #8 + cmp cur_pmdp, end_pmdp + b.ne do_pmd +@@ -317,7 +321,7 @@ walk_ptes: + add end_ptep, cur_ptep, #(PTRS_PER_PTE * 8) + do_pte: __idmap_kpti_get_pgtable_ent pte + __idmap_kpti_put_pgtable_ent_ng pte +-next_pte: ++skip_pte: + add cur_ptep, cur_ptep, #8 + cmp cur_ptep, end_ptep + b.ne do_pte diff --git a/queue-4.14/blk-wbt-account-flush-requests-correctly.patch b/queue-4.14/blk-wbt-account-flush-requests-correctly.patch new file mode 100644 index 00000000000..86c01367ccd --- /dev/null +++ b/queue-4.14/blk-wbt-account-flush-requests-correctly.patch @@ -0,0 +1,49 @@ +From 5235553d821433e1f4fa720fd025d2c4b7ee9994 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 5 Feb 2018 13:16:56 -0700 +Subject: blk-wbt: account flush requests correctly + +From: Jens Axboe + +commit 5235553d821433e1f4fa720fd025d2c4b7ee9994 upstream. + +Mikulas reported a workload that saw bad performance, and figured +out what it was due to various other types of requests being +accounted as reads. Flush requests, for instance. Due to the +high latency of those, we heavily throttle the writes to keep +the latencies in balance. But they really should be accounted +as writes. + +Fix this by checking the exact type of the request. If it's a +read, account as a read, if it's a write or a flush, account +as a write. Any other request we disregard. Previously everything +would have been mistakenly accounted as reads. + +Reported-by: Mikulas Patocka +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-wbt.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/block/blk-wbt.c ++++ b/block/blk-wbt.c +@@ -698,7 +698,15 @@ u64 wbt_default_latency_nsec(struct requ + + static int wbt_data_dir(const struct request *rq) + { +- return rq_data_dir(rq); ++ const int op = req_op(rq); ++ ++ if (op == REQ_OP_READ) ++ return READ; ++ else if (op == REQ_OP_WRITE || op == REQ_OP_FLUSH) ++ return WRITE; ++ ++ /* don't account */ ++ return -1; + } + + int wbt_init(struct request_queue *q) diff --git a/queue-4.14/btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch b/queue-4.14/btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch new file mode 100644 index 00000000000..235cbf4b286 --- /dev/null +++ b/queue-4.14/btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch @@ -0,0 +1,44 @@ +From e8f1bc1493855e32b7a2a019decc3c353d94daf6 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:53 -0700 +Subject: Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly + +From: Liu Bo + +commit e8f1bc1493855e32b7a2a019decc3c353d94daf6 upstream. + +This regression is introduced in +commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction"). + +There are two problems, + +a) it is ->destroy_inode() that does the final free on inode, not + ->evict_inode(), +b) clear_inode() must be called before ->evict_inode() returns. + +This could end up hitting BUG_ON(inode->i_state != (I_FREEING | I_CLEAR)); +in evict() because I_CLEAR is set in clear_inode(). + +Fixes: commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction") +Cc: # v4.7-rc6+ +Signed-off-by: Liu Bo +Reviewed-by: Nikolay Borisov +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5318,7 +5318,7 @@ void btrfs_evict_inode(struct inode *ino + trace_btrfs_inode_evict(inode); + + if (!root) { +- kmem_cache_free(btrfs_inode_cachep, BTRFS_I(inode)); ++ clear_inode(inode); + return; + } + diff --git a/queue-4.14/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch b/queue-4.14/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch new file mode 100644 index 00000000000..52ed9e3d372 --- /dev/null +++ b/queue-4.14/btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch @@ -0,0 +1,65 @@ +From 1846430c24d66e85cc58286b3319c82cd54debb2 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:51 -0700 +Subject: Btrfs: fix crash due to not cleaning up tree log block's dirty bits + +From: Liu Bo + +commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream. + +In cases that the whole fs flips into readonly status due to failures in +critical sections, then log tree's blocks are still dirty, and this leads +to a crash during umount time, the crash is about use-after-free, + +umount + -> close_ctree + -> stop workers + -> iput(btree_inode) + -> iput_final + -> write_inode_now + -> ... + -> queue job on stop'd workers + +cc: v3.12+ +Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error") +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2494,6 +2494,9 @@ static noinline int walk_down_log_tree(s + clean_tree_block(fs_info, next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(root_owner != +@@ -2574,6 +2577,9 @@ static noinline int walk_up_log_tree(str + clean_tree_block(fs_info, next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID); +@@ -2652,6 +2658,9 @@ static int walk_log_tree(struct btrfs_tr + clean_tree_block(fs_info, next); + btrfs_wait_tree_block_writeback(next); + btrfs_tree_unlock(next); ++ } else { ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags)) ++ clear_extent_buffer_dirty(next); + } + + WARN_ON(log->root_key.objectid != diff --git a/queue-4.14/btrfs-fix-deadlock-in-run_delalloc_nocow.patch b/queue-4.14/btrfs-fix-deadlock-in-run_delalloc_nocow.patch new file mode 100644 index 00000000000..eaa7c033f01 --- /dev/null +++ b/queue-4.14/btrfs-fix-deadlock-in-run_delalloc_nocow.patch @@ -0,0 +1,38 @@ +From e89166990f11c3f21e1649d760dd35f9e410321c Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:50 -0700 +Subject: Btrfs: fix deadlock in run_delalloc_nocow + +From: Liu Bo + +commit e89166990f11c3f21e1649d760dd35f9e410321c upstream. + +@cur_offset is not set back to what it should be (@cow_start) if +btrfs_next_leaf() returns something wrong, and the range [cow_start, +cur_offset) remains locked forever. + +cc: +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1330,8 +1330,11 @@ next_slot: + leaf = path->nodes[0]; + if (path->slots[0] >= btrfs_header_nritems(leaf)) { + ret = btrfs_next_leaf(root, path); +- if (ret < 0) ++ if (ret < 0) { ++ if (cow_start != (u64)-1) ++ cur_offset = cow_start; + goto error; ++ } + if (ret > 0) + break; + leaf = path->nodes[0]; diff --git a/queue-4.14/btrfs-fix-extent-state-leak-from-tree-log.patch b/queue-4.14/btrfs-fix-extent-state-leak-from-tree-log.patch new file mode 100644 index 00000000000..36a6c19e058 --- /dev/null +++ b/queue-4.14/btrfs-fix-extent-state-leak-from-tree-log.patch @@ -0,0 +1,44 @@ +From 55237a5f2431a72435e3ed39e4306e973c0446b7 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:52 -0700 +Subject: Btrfs: fix extent state leak from tree log + +From: Liu Bo + +commit 55237a5f2431a72435e3ed39e4306e973c0446b7 upstream. + +It's possible that btrfs_sync_log() bails out after one of the two +btrfs_write_marked_extents() which convert extent state's state bit into +EXTENT_NEED_WAIT from EXTENT_DIRTY/EXTENT_NEW, however only EXTENT_DIRTY +and EXTENT_NEW are searched by free_log_tree() so that those extent states +with EXTENT_NEED_WAIT lead to memory leak. + +cc: +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3047,13 +3047,14 @@ static void free_log_tree(struct btrfs_t + + while (1) { + ret = find_first_extent_bit(&log->dirty_log_pages, +- 0, &start, &end, EXTENT_DIRTY | EXTENT_NEW, ++ 0, &start, &end, ++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT, + NULL); + if (ret) + break; + + clear_extent_bits(&log->dirty_log_pages, start, end, +- EXTENT_DIRTY | EXTENT_NEW); ++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT); + } + + /* diff --git a/queue-4.14/btrfs-fix-unexpected-eexist-when-creating-new-inode.patch b/queue-4.14/btrfs-fix-unexpected-eexist-when-creating-new-inode.patch new file mode 100644 index 00000000000..8ef28082156 --- /dev/null +++ b/queue-4.14/btrfs-fix-unexpected-eexist-when-creating-new-inode.patch @@ -0,0 +1,60 @@ +From 900c9981680067573671ecc5cbfa7c5770be3a40 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:56 -0700 +Subject: Btrfs: fix unexpected -EEXIST when creating new inode + +From: Liu Bo + +commit 900c9981680067573671ecc5cbfa7c5770be3a40 upstream. + +The highest objectid, which is assigned to new inode, is decided at +the time of initializing fs roots. However, in cases where log replay +gets processed, the btree which fs root owns might be changed, so we +have to search it again for the highest objectid, otherwise creating +new inode would end up with -EEXIST. + +cc: v4.4-rc6+ +Fixes: f32e48e92596 ("Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots") +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -28,6 +28,7 @@ + #include "hash.h" + #include "compression.h" + #include "qgroup.h" ++#include "inode-map.h" + + /* magic values for the inode_only field in btrfs_log_inode: + * +@@ -5715,6 +5716,23 @@ again: + path); + } + ++ if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) { ++ struct btrfs_root *root = wc.replay_dest; ++ ++ btrfs_release_path(path); ++ ++ /* ++ * We have just replayed everything, and the highest ++ * objectid of fs roots probably has changed in case ++ * some inode_item's got replayed. ++ * ++ * root->objectid_mutex is not acquired as log replay ++ * could only happen during mount. ++ */ ++ ret = btrfs_find_highest_objectid(root, ++ &root->highest_objectid); ++ } ++ + key.offset = found_key.offset - 1; + wc.replay_dest->log_root = NULL; + free_extent_buffer(log->node); diff --git a/queue-4.14/btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch b/queue-4.14/btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch new file mode 100644 index 00000000000..b4ea882618b --- /dev/null +++ b/queue-4.14/btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch @@ -0,0 +1,121 @@ +From 1a932ef4e47984dee227834667b5ff5a334e4805 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 25 Jan 2018 11:02:54 -0700 +Subject: Btrfs: fix use-after-free on root->orphan_block_rsv + +From: Liu Bo + +commit 1a932ef4e47984dee227834667b5ff5a334e4805 upstream. + +I got these from running generic/475, + +WARNING: CPU: 0 PID: 26384 at fs/btrfs/inode.c:3326 btrfs_orphan_commit_root+0x1ac/0x2b0 [btrfs] +BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +IP: btrfs_block_rsv_release+0x1c/0x70 [btrfs] +Call Trace: + btrfs_orphan_release_metadata+0x9f/0x200 [btrfs] + btrfs_orphan_del+0x10d/0x170 [btrfs] + btrfs_setattr+0x500/0x640 [btrfs] + notify_change+0x7ae/0x870 + do_truncate+0xca/0x130 + vfs_truncate+0x2ee/0x3d0 + do_sys_truncate+0xaf/0xf0 + SyS_truncate+0xe/0x10 + entry_SYSCALL_64_fastpath+0x1f/0x96 + +The race is between btrfs_orphan_commit_root and btrfs_orphan_del, + t1 t2 +btrfs_orphan_commit_root btrfs_orphan_del + spin_lock + check (&root->orphan_inodes) + root->orphan_block_rsv = NULL; + spin_unlock + atomic_dec(&root->orphan_inodes); + access root->orphan_block_rsv + +Accessing root->orphan_block_rsv must be done before decreasing +root->orphan_inodes. + +cc: v3.12+ +Fixes: 703c88e03524 ("Btrfs: fix tracking of orphan inode count") +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3371,6 +3371,11 @@ int btrfs_orphan_add(struct btrfs_trans_ + ret = btrfs_orphan_reserve_metadata(trans, inode); + ASSERT(!ret); + if (ret) { ++ /* ++ * dec doesn't need spin_lock as ->orphan_block_rsv ++ * would be released only if ->orphan_inodes is ++ * zero. ++ */ + atomic_dec(&root->orphan_inodes); + clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED, + &inode->runtime_flags); +@@ -3385,12 +3390,17 @@ int btrfs_orphan_add(struct btrfs_trans_ + if (insert >= 1) { + ret = btrfs_insert_orphan_item(trans, root, btrfs_ino(inode)); + if (ret) { +- atomic_dec(&root->orphan_inodes); + if (reserve) { + clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED, + &inode->runtime_flags); + btrfs_orphan_release_metadata(inode); + } ++ /* ++ * btrfs_orphan_commit_root may race with us and set ++ * ->orphan_block_rsv to zero, in order to avoid that, ++ * decrease ->orphan_inodes after everything is done. ++ */ ++ atomic_dec(&root->orphan_inodes); + if (ret != -EEXIST) { + clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM, + &inode->runtime_flags); +@@ -3422,28 +3432,26 @@ static int btrfs_orphan_del(struct btrfs + { + struct btrfs_root *root = inode->root; + int delete_item = 0; +- int release_rsv = 0; + int ret = 0; + +- spin_lock(&root->orphan_lock); + if (test_and_clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM, + &inode->runtime_flags)) + delete_item = 1; + ++ if (delete_item && trans) ++ ret = btrfs_del_orphan_item(trans, root, btrfs_ino(inode)); ++ + if (test_and_clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED, + &inode->runtime_flags)) +- release_rsv = 1; +- spin_unlock(&root->orphan_lock); ++ btrfs_orphan_release_metadata(inode); + +- if (delete_item) { ++ /* ++ * btrfs_orphan_commit_root may race with us and set ->orphan_block_rsv ++ * to zero, in order to avoid that, decrease ->orphan_inodes after ++ * everything is done. ++ */ ++ if (delete_item) + atomic_dec(&root->orphan_inodes); +- if (trans) +- ret = btrfs_del_orphan_item(trans, root, +- btrfs_ino(inode)); +- } +- +- if (release_rsv) +- btrfs_orphan_release_metadata(inode); + + return ret; + } diff --git a/queue-4.14/dm-correctly-handle-chained-bios-in-dec_pending.patch b/queue-4.14/dm-correctly-handle-chained-bios-in-dec_pending.patch new file mode 100644 index 00000000000..85369c0b020 --- /dev/null +++ b/queue-4.14/dm-correctly-handle-chained-bios-in-dec_pending.patch @@ -0,0 +1,54 @@ +From 8dd601fa8317243be887458c49f6c29c2f3d719f Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 15 Feb 2018 20:00:15 +1100 +Subject: dm: correctly handle chained bios in dec_pending() + +From: NeilBrown + +commit 8dd601fa8317243be887458c49f6c29c2f3d719f upstream. + +dec_pending() is given an error status (possibly 0) to be recorded +against a bio. It can be called several times on the one 'struct +dm_io', and it is careful to only assign a non-zero error to +io->status. However when it then assigned io->status to bio->bi_status, +it is not careful and could overwrite a genuine error status with 0. + +This can happen when chained bios are in use. If a bio is chained +beneath the bio that this dm_io is handling, the child bio might +complete and set bio->bi_status before the dm_io completes. + +This has been possible since chained bios were introduced in 3.14, and +has become a lot easier to trigger with commit 18a25da84354 ("dm: ensure +bio submission follows a depth-first tree walk") as that commit caused +dm to start using chained bios itself. + +A particular failure mode is that if a bio spans an 'error' target and a +working target, the 'error' fragment will complete instantly and set the +->bi_status, and the other fragment will normally complete a little +later, and will clear ->bi_status. + +The fix is simply to only assign io_error to bio->bi_status when +io_error is not zero. + +Reported-and-tested-by: Milan Broz +Cc: stable@vger.kernel.org (v3.14+) +Signed-off-by: NeilBrown +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -815,7 +815,8 @@ static void dec_pending(struct dm_io *io + queue_io(md, bio); + } else { + /* done with normal IO or empty flush */ +- bio->bi_status = io_error; ++ if (io_error) ++ bio->bi_status = io_error; + bio_endio(bio); + } + } diff --git a/queue-4.14/drm-qxl-reapply-cursor-after-resetting-primary.patch b/queue-4.14/drm-qxl-reapply-cursor-after-resetting-primary.patch new file mode 100644 index 00000000000..073f54b131e --- /dev/null +++ b/queue-4.14/drm-qxl-reapply-cursor-after-resetting-primary.patch @@ -0,0 +1,153 @@ +From 9428088c90b6f7d5edd2a1b0d742c75339b36f6e Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 27 Nov 2017 16:50:10 -0500 +Subject: drm/qxl: reapply cursor after resetting primary + +From: Ray Strode + +commit 9428088c90b6f7d5edd2a1b0d742c75339b36f6e upstream. + +QXL associates mouse state with its primary plane. + +Destroying a primary plane and putting a new one in place has the side +effect of destroying the cursor as well. + +This commit changes the driver to reapply the cursor any time a new +primary is created. It achieves this by keeping a reference to the +cursor bo on the qxl_crtc struct. + +This fix is very similar to + +commit 4532b241a4b7 ("drm/qxl: reapply cursor after SetCrtc calls") + +which got implicitly reverted as part of implementing the atomic +modeset feature. + +Cc: Gerd Hoffmann +Cc: Dave Airlie +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1512097 +Fixes: 1277eed5fecb ("drm: qxl: Atomic phase 1: convert cursor to universal plane") +Cc: stable@vger.kernel.org +Signed-off-by: Ray Strode +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_display.c | 59 ++++++++++++++++++++++++++++++++++++++ + drivers/gpu/drm/qxl/qxl_drv.h | 2 + + 2 files changed, 61 insertions(+) + +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -289,6 +289,7 @@ static void qxl_crtc_destroy(struct drm_ + { + struct qxl_crtc *qxl_crtc = to_qxl_crtc(crtc); + ++ qxl_bo_unref(&qxl_crtc->cursor_bo); + drm_crtc_cleanup(crtc); + kfree(qxl_crtc); + } +@@ -495,6 +496,53 @@ static int qxl_primary_atomic_check(stru + return 0; + } + ++static int qxl_primary_apply_cursor(struct drm_plane *plane) ++{ ++ struct drm_device *dev = plane->dev; ++ struct qxl_device *qdev = dev->dev_private; ++ struct drm_framebuffer *fb = plane->state->fb; ++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc); ++ struct qxl_cursor_cmd *cmd; ++ struct qxl_release *release; ++ int ret = 0; ++ ++ if (!qcrtc->cursor_bo) ++ return 0; ++ ++ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd), ++ QXL_RELEASE_CURSOR_CMD, ++ &release, NULL); ++ if (ret) ++ return ret; ++ ++ ret = qxl_release_list_add(release, qcrtc->cursor_bo); ++ if (ret) ++ goto out_free_release; ++ ++ ret = qxl_release_reserve_list(release, false); ++ if (ret) ++ goto out_free_release; ++ ++ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); ++ cmd->type = QXL_CURSOR_SET; ++ cmd->u.set.position.x = plane->state->crtc_x + fb->hot_x; ++ cmd->u.set.position.y = plane->state->crtc_y + fb->hot_y; ++ ++ cmd->u.set.shape = qxl_bo_physical_address(qdev, qcrtc->cursor_bo, 0); ++ ++ cmd->u.set.visible = 1; ++ qxl_release_unmap(qdev, release, &cmd->release_info); ++ ++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); ++ qxl_release_fence_buffer_objects(release); ++ ++ return ret; ++ ++out_free_release: ++ qxl_release_free(qdev, release); ++ return ret; ++} ++ + static void qxl_primary_atomic_update(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +@@ -510,6 +558,7 @@ static void qxl_primary_atomic_update(st + .x2 = qfb->base.width, + .y2 = qfb->base.height + }; ++ int ret; + bool same_shadow = false; + + if (old_state->fb) { +@@ -531,6 +580,11 @@ static void qxl_primary_atomic_update(st + if (!same_shadow) + qxl_io_destroy_primary(qdev); + bo_old->is_primary = false; ++ ++ ret = qxl_primary_apply_cursor(plane); ++ if (ret) ++ DRM_ERROR( ++ "could not set cursor after creating primary"); + } + + if (!bo->is_primary) { +@@ -571,6 +625,7 @@ static void qxl_cursor_atomic_update(str + struct drm_device *dev = plane->dev; + struct qxl_device *qdev = dev->dev_private; + struct drm_framebuffer *fb = plane->state->fb; ++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc); + struct qxl_release *release; + struct qxl_cursor_cmd *cmd; + struct qxl_cursor *cursor; +@@ -628,6 +683,10 @@ static void qxl_cursor_atomic_update(str + cmd->u.set.shape = qxl_bo_physical_address(qdev, + cursor_bo, 0); + cmd->type = QXL_CURSOR_SET; ++ ++ qxl_bo_unref(&qcrtc->cursor_bo); ++ qcrtc->cursor_bo = cursor_bo; ++ cursor_bo = NULL; + } else { + + ret = qxl_release_reserve_list(release, true); +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -135,6 +135,8 @@ struct qxl_bo_list { + struct qxl_crtc { + struct drm_crtc base; + int index; ++ ++ struct qxl_bo *cursor_bo; + }; + + struct qxl_output { diff --git a/queue-4.14/iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch b/queue-4.14/iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch new file mode 100644 index 00000000000..5f49d659901 --- /dev/null +++ b/queue-4.14/iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch @@ -0,0 +1,56 @@ +From 1c130ae00b769a2e2df41bad3d6051ee8234b636 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 19 Jan 2018 14:36:29 +0100 +Subject: iscsi-target: make sure to wake up sleeping login worker + +From: Florian Westphal + +commit 1c130ae00b769a2e2df41bad3d6051ee8234b636 upstream. + +Mike Christie reports: + Starting in 4.14 iscsi logins will fail around 50% of the time. + +Problem appears to be that iscsi_target_sk_data_ready() callback may +return without doing anything in case it finds the login work queue +is still blocked in sock_recvmsg(). + +Nicholas Bellinger says: + It would indicate users providing their own ->sk_data_ready() callback + must be responsible for waking up a kthread context blocked on + sock_recvmsg(..., MSG_WAITALL), when a second ->sk_data_ready() is + received before the first sock_recvmsg(..., MSG_WAITALL) completes. + +So, do this and invoke the original data_ready() callback -- in +case of tcp sockets this takes care of waking the thread. + +Disclaimer: I do not understand why this problem did not show up before +tcp prequeue removal. + +(Drop WARN_ON usage - nab) + +Reported-by: Mike Christie +Bisected-by: Mike Christie +Tested-by: Mike Christie +Diagnosed-by: Nicholas Bellinger +Fixes: e7942d0633c4 ("tcp: remove prequeue support") +Signed-off-by: Florian Westphal +Cc: stable@vger.kernel.org # 4.14+ +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_nego.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -432,6 +432,9 @@ static void iscsi_target_sk_data_ready(s + if (test_and_set_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags)) { + write_unlock_bh(&sk->sk_callback_lock); + pr_debug("Got LOGIN_FLAGS_READ_ACTIVE=1, conn: %p >>>>\n", conn); ++ if (iscsi_target_sk_data_ready == conn->orig_data_ready) ++ return; ++ conn->orig_data_ready(sk); + return; + } + diff --git a/queue-4.14/mtd-nand-vf610-set-correct-ooblayout.patch b/queue-4.14/mtd-nand-vf610-set-correct-ooblayout.patch new file mode 100644 index 00000000000..b13ed654141 --- /dev/null +++ b/queue-4.14/mtd-nand-vf610-set-correct-ooblayout.patch @@ -0,0 +1,42 @@ +From ea56fb282368ea08c2a313af6b55cb597aec4db1 Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Fri, 9 Feb 2018 13:21:42 +0100 +Subject: mtd: nand: vf610: set correct ooblayout + +From: Stefan Agner + +commit ea56fb282368ea08c2a313af6b55cb597aec4db1 upstream. + +With commit 3cf32d180227 ("mtd: nand: vf610: switch to +mtd_ooblayout_ops") the driver started to use the NAND cores +default large page ooblayout. However, shortly after commit +6a623e076944 ("mtd: nand: add ooblayout for old hamming layout") +changed the default layout to the old hamming layout, which is +not what vf610_nfc is using. Specify the default large page +layout explicitly. + +Fixes: 6a623e076944 ("mtd: nand: add ooblayout for old hamming layout") +Cc: # v4.12+ +Signed-off-by: Stefan Agner +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/vf610_nfc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/vf610_nfc.c ++++ b/drivers/mtd/nand/vf610_nfc.c +@@ -752,10 +752,8 @@ static int vf610_nfc_probe(struct platfo + if (mtd->oobsize > 64) + mtd->oobsize = 64; + +- /* +- * mtd->ecclayout is not specified here because we're using the +- * default large page ECC layout defined in NAND core. +- */ ++ /* Use default large page ECC layout defined in NAND core */ ++ mtd_set_ooblayout(mtd, &nand_ooblayout_lp_ops); + if (chip->ecc.strength == 32) { + nfc->ecc_mode = ECC_60_BYTE; + chip->ecc.bytes = 60; diff --git a/queue-4.14/mvpp2-fix-multicast-address-filter.patch b/queue-4.14/mvpp2-fix-multicast-address-filter.patch new file mode 100644 index 00000000000..903a2eb1b02 --- /dev/null +++ b/queue-4.14/mvpp2-fix-multicast-address-filter.patch @@ -0,0 +1,57 @@ +From 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 11 Feb 2018 18:10:28 -0500 +Subject: mvpp2: fix multicast address filter + +From: Mikulas Patocka + +commit 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 upstream. + +IPv6 doesn't work on the MacchiatoBIN board. It is caused by broken +multicast address filter in the mvpp2 driver. + +The driver loads doesn't load any multicast entries if "allmulti" is not +set. This condition should be reversed. + +The condition !netdev_mc_empty(dev) is useless (because +netdev_for_each_mc_addr is nop if the list is empty). + +This patch also fixes a possible overflow of the multicast list - if +mvpp2_prs_mac_da_accept fails, we set the allmulti flag and retry. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/marvell/mvpp2.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -6888,6 +6888,7 @@ static void mvpp2_set_rx_mode(struct net + int id = port->id; + bool allmulti = dev->flags & IFF_ALLMULTI; + ++retry: + mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC); + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti); + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti); +@@ -6895,9 +6896,13 @@ static void mvpp2_set_rx_mode(struct net + /* Remove all port->id's mcast enries */ + mvpp2_prs_mcast_del_all(priv, id); + +- if (allmulti && !netdev_mc_empty(dev)) { +- netdev_for_each_mc_addr(ha, dev) +- mvpp2_prs_mac_da_accept(priv, id, ha->addr, true); ++ if (!allmulti) { ++ netdev_for_each_mc_addr(ha, dev) { ++ if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) { ++ allmulti = true; ++ goto retry; ++ } ++ } + } + } + diff --git a/queue-4.14/qxl-alloc-use-shadow-for-dumb-buffers.patch b/queue-4.14/qxl-alloc-use-shadow-for-dumb-buffers.patch new file mode 100644 index 00000000000..224986cfbba --- /dev/null +++ b/queue-4.14/qxl-alloc-use-shadow-for-dumb-buffers.patch @@ -0,0 +1,177 @@ +From 62676d10b483a2ff6e8b08c5e7c7d63a831343f5 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 19 Oct 2017 08:21:50 +0200 +Subject: qxl: alloc & use shadow for dumb buffers + +From: Gerd Hoffmann + +commit 62676d10b483a2ff6e8b08c5e7c7d63a831343f5 upstream. + +This patch changes the way the primary surface is used for dumb +framebuffers. Instead of configuring the bo itself as primary surface +a shadow bo is created and used instead. Framebuffers can share the +shadow bo in case they have the same format and resolution. + +On atomic plane updates we don't have to update the primary surface in +case we pageflip from one framebuffer to another framebuffer which +shares the same shadow. This in turn avoids the flicker caused by the +primary-destroy + primary-create cycle, which is very annonying when +running wayland on qxl. + +The qxl driver never actually writes to the shadow bo. It sends qxl +blit commands which update it though, and the spice server might +actually execute them (and thereby write to the shadow) in case the +local rendering is kicked for some reason. This happens for example in +case qemu is asked to write out a dump of the guest display (screendump +monitor command). + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Dave Airlie +Link: http://patchwork.freedesktop.org/patch/msgid/20171019062150.28090-3-kraxel@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_cmd.c | 6 +++- + drivers/gpu/drm/qxl/qxl_display.c | 49 +++++++++++++++++++++++++++++++++++--- + drivers/gpu/drm/qxl/qxl_drv.h | 2 + + drivers/gpu/drm/qxl/qxl_dumb.c | 1 + 4 files changed, 54 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -388,7 +388,11 @@ void qxl_io_create_primary(struct qxl_de + create->width = bo->surf.width; + create->height = bo->surf.height; + create->stride = bo->surf.stride; +- create->mem = qxl_bo_physical_address(qdev, bo, offset); ++ if (bo->shadow) { ++ create->mem = qxl_bo_physical_address(qdev, bo->shadow, offset); ++ } else { ++ create->mem = qxl_bo_physical_address(qdev, bo, offset); ++ } + + QXL_INFO(qdev, "%s: mem = %llx, from %p\n", __func__, create->mem, + bo->kptr); +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -305,7 +305,9 @@ static const struct drm_crtc_funcs qxl_c + void qxl_user_framebuffer_destroy(struct drm_framebuffer *fb) + { + struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb); ++ struct qxl_bo *bo = gem_to_qxl_bo(qxl_fb->obj); + ++ WARN_ON(bo->shadow); + drm_gem_object_unreference_unlocked(qxl_fb->obj); + drm_framebuffer_cleanup(fb); + kfree(qxl_fb); +@@ -508,6 +510,7 @@ static void qxl_primary_atomic_update(st + .x2 = qfb->base.width, + .y2 = qfb->base.height + }; ++ bool same_shadow = false; + + if (old_state->fb) { + qfb_old = to_qxl_framebuffer(old_state->fb); +@@ -519,15 +522,23 @@ static void qxl_primary_atomic_update(st + if (bo == bo_old) + return; + ++ if (bo_old && bo_old->shadow && bo->shadow && ++ bo_old->shadow == bo->shadow) { ++ same_shadow = true; ++ } ++ + if (bo_old && bo_old->is_primary) { +- qxl_io_destroy_primary(qdev); ++ if (!same_shadow) ++ qxl_io_destroy_primary(qdev); + bo_old->is_primary = false; + } + + if (!bo->is_primary) { +- qxl_io_create_primary(qdev, 0, bo); ++ if (!same_shadow) ++ qxl_io_create_primary(qdev, 0, bo); + bo->is_primary = true; + } ++ + qxl_draw_dirty_fb(qdev, qfb, bo, 0, 0, &norect, 1, 1); + } + +@@ -681,8 +692,9 @@ static void qxl_cursor_atomic_disable(st + static int qxl_plane_prepare_fb(struct drm_plane *plane, + struct drm_plane_state *new_state) + { ++ struct qxl_device *qdev = plane->dev->dev_private; + struct drm_gem_object *obj; +- struct qxl_bo *user_bo; ++ struct qxl_bo *user_bo, *old_bo = NULL; + int ret; + + if (!new_state->fb) +@@ -691,6 +703,32 @@ static int qxl_plane_prepare_fb(struct d + obj = to_qxl_framebuffer(new_state->fb)->obj; + user_bo = gem_to_qxl_bo(obj); + ++ if (plane->type == DRM_PLANE_TYPE_PRIMARY && ++ user_bo->is_dumb && !user_bo->shadow) { ++ if (plane->state->fb) { ++ obj = to_qxl_framebuffer(plane->state->fb)->obj; ++ old_bo = gem_to_qxl_bo(obj); ++ } ++ if (old_bo && old_bo->shadow && ++ user_bo->gem_base.size == old_bo->gem_base.size && ++ plane->state->crtc == new_state->crtc && ++ plane->state->crtc_w == new_state->crtc_w && ++ plane->state->crtc_h == new_state->crtc_h && ++ plane->state->src_x == new_state->src_x && ++ plane->state->src_y == new_state->src_y && ++ plane->state->src_w == new_state->src_w && ++ plane->state->src_h == new_state->src_h && ++ plane->state->rotation == new_state->rotation && ++ plane->state->zpos == new_state->zpos) { ++ drm_gem_object_get(&old_bo->shadow->gem_base); ++ user_bo->shadow = old_bo->shadow; ++ } else { ++ qxl_bo_create(qdev, user_bo->gem_base.size, ++ true, true, QXL_GEM_DOMAIN_VRAM, NULL, ++ &user_bo->shadow); ++ } ++ } ++ + ret = qxl_bo_pin(user_bo, QXL_GEM_DOMAIN_CPU, NULL); + if (ret) + return ret; +@@ -715,6 +753,11 @@ static void qxl_plane_cleanup_fb(struct + obj = to_qxl_framebuffer(old_state->fb)->obj; + user_bo = gem_to_qxl_bo(obj); + qxl_bo_unpin(user_bo); ++ ++ if (user_bo->shadow && !user_bo->is_primary) { ++ drm_gem_object_put_unlocked(&user_bo->shadow->gem_base); ++ user_bo->shadow = NULL; ++ } + } + + static const uint32_t qxl_cursor_plane_formats[] = { +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -113,6 +113,8 @@ struct qxl_bo { + /* Constant after initialization */ + struct drm_gem_object gem_base; + bool is_primary; /* is this now a primary surface */ ++ bool is_dumb; ++ struct qxl_bo *shadow; + bool hw_surf_alloc; + struct qxl_surface surf; + uint32_t surface_id; +--- a/drivers/gpu/drm/qxl/qxl_dumb.c ++++ b/drivers/gpu/drm/qxl/qxl_dumb.c +@@ -63,6 +63,7 @@ int qxl_mode_dumb_create(struct drm_file + &handle); + if (r) + return r; ++ qobj->is_dumb = true; + args->pitch = pitch; + args->handle = handle; + return 0; diff --git a/queue-4.14/rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch b/queue-4.14/rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch new file mode 100644 index 00000000000..95261e5016c --- /dev/null +++ b/queue-4.14/rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch @@ -0,0 +1,70 @@ +From c713fb071edc0efc01a955f65a006b0e1795d2eb Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Mon, 5 Feb 2018 12:38:11 -0600 +Subject: rtlwifi: rtl8821ae: Fix connection lost problem correctly + +From: Larry Finger + +commit c713fb071edc0efc01a955f65a006b0e1795d2eb upstream. + +There has been a coding error in rtl8821ae since it was first introduced, +namely that an 8-bit register was read using a 16-bit read in +_rtl8821ae_dbi_read(). This error was fixed with commit 40b368af4b75 +("rtlwifi: Fix alignment issues"); however, this change led to +instability in the connection. To restore stability, this change +was reverted in commit b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection +lost problem"). + +Unfortunately, the unaligned access causes machine checks in ARM +architecture, and we were finally forced to find the actual cause of the +problem on x86 platforms. Following a suggestion from Pkshih +, it was found that increasing the ASPM L1 +latency from 0 to 7 fixed the instability. This parameter was varied to +see if a smaller value would work; however, it appears that 7 is the +safest value. A new symbol is defined for this quantity, thus it can be +easily changed if necessary. + +Fixes: b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection lost problem") +Cc: Stable # 4.14+ +Fix-suggested-by: Pkshih +Signed-off-by: Larry Finger +Tested-by: James Cameron # x86_64 OLPC NL3 +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 5 +++-- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1122,7 +1122,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl + } + if (0 == tmp) { + read_addr = REG_DBI_RDATA + addr % 4; +- ret = rtl_read_word(rtlpriv, read_addr); ++ ret = rtl_read_byte(rtlpriv, read_addr); + } + return ret; + } +@@ -1164,7 +1164,8 @@ static void _rtl8821ae_enable_aspm_back_ + } + + tmp = _rtl8821ae_dbi_read(rtlpriv, 0x70f); +- _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7)); ++ _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7) | ++ ASPM_L1_LATENCY << 3); + + tmp = _rtl8821ae_dbi_read(rtlpriv, 0x719); + _rtl8821ae_dbi_write(rtlpriv, 0x719, tmp | BIT(3) | BIT(4)); +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -99,6 +99,7 @@ + #define RTL_USB_MAX_RX_COUNT 100 + #define QBSS_LOAD_SIZE 5 + #define MAX_WMMELE_LENGTH 64 ++#define ASPM_L1_LATENCY 7 + + #define TOTAL_CAM_ENTRY 32 + diff --git a/queue-4.14/series b/queue-4.14/series index f388fd00ffd..afee6a8a6b4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -122,3 +122,30 @@ xenbus-track-caller-request-id.patch seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch +rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch +arm64-proc-set-pte_ng-for-table-entries-to-avoid-traversing-them-twice.patch +qxl-alloc-use-shadow-for-dumb-buffers.patch +drm-qxl-reapply-cursor-after-resetting-primary.patch +xprtrdma-fix-calculation-of-ri_max_send_sges.patch +xprtrdma-fix-bug-after-a-device-removal.patch +blk-wbt-account-flush-requests-correctly.patch +target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch +iscsi-target-make-sure-to-wake-up-sleeping-login-worker.patch +dm-correctly-handle-chained-bios-in-dec_pending.patch +btrfs-fix-deadlock-in-run_delalloc_nocow.patch +btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch +btrfs-fix-extent-state-leak-from-tree-log.patch +btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch +btrfs-fix-use-after-free-on-root-orphan_block_rsv.patch +btrfs-fix-unexpected-eexist-when-creating-new-inode.patch +9p-trans_virtio-discard-zero-length-reply.patch +mtd-nand-vf610-set-correct-ooblayout.patch +alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch +alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch +alsa-hda-realtek-add-headset-mode-support-for-dell-laptop.patch +alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch +alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch +alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch +alsa-usb-add-more-device-quirks-for-usb-dsd-devices.patch +alsa-seq-fix-racy-pool-initializations.patch +mvpp2-fix-multicast-address-filter.patch diff --git a/queue-4.14/target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch b/queue-4.14/target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch new file mode 100644 index 00000000000..7b99797a5a5 --- /dev/null +++ b/queue-4.14/target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch @@ -0,0 +1,36 @@ +From ce512d79d0466a604793addb6b769d12ee326822 Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Wed, 13 Dec 2017 18:22:30 +0100 +Subject: target/iscsi: avoid NULL dereference in CHAP auth error path + +From: David Disseldorp + +commit ce512d79d0466a604793addb6b769d12ee326822 upstream. + +If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then +crypto_free_shash() is called with a NULL pointer which gets +dereferenced in crypto_shash_tfm(). + +Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash") +Suggested-by: Markus Elfring +Signed-off-by: David Disseldorp +Cc: stable@vger.kernel.org # 4.6+ +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_auth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -421,7 +421,8 @@ static int chap_server_compute_md5( + auth_ret = 0; + out: + kzfree(desc); +- crypto_free_shash(tfm); ++ if (tfm) ++ crypto_free_shash(tfm); + kfree(challenge); + kfree(challenge_binhex); + return auth_ret; diff --git a/queue-4.14/xprtrdma-fix-bug-after-a-device-removal.patch b/queue-4.14/xprtrdma-fix-bug-after-a-device-removal.patch new file mode 100644 index 00000000000..c3fe9f93491 --- /dev/null +++ b/queue-4.14/xprtrdma-fix-bug-after-a-device-removal.patch @@ -0,0 +1,65 @@ +From e89e8d8fcdc6751e86ccad794b052fe67e6ad619 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 31 Jan 2018 12:34:13 -0500 +Subject: xprtrdma: Fix BUG after a device removal + +From: Chuck Lever + +commit e89e8d8fcdc6751e86ccad794b052fe67e6ad619 upstream. + +Michal Kalderon reports a BUG that occurs just after device removal: + +[ 169.112490] rpcrdma: removing device qedr0 for 192.168.110.146:20049 +[ 169.143909] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +[ 169.181837] IP: rpcrdma_dma_unmap_regbuf+0xa/0x60 [rpcrdma] + +The RPC/RDMA client transport attempts to allocate some resources +on demand. Registered buffers are one such resource. These are +allocated (or re-allocated) by xprt_rdma_allocate to hold RPC Call +and Reply messages. A hardware resource is associated with each of +these buffers, as they can be used for a Send or Receive Work +Request. + +If a device is removed from under an NFS/RDMA mount, the transport +layer is responsible for releasing all hardware resources before +the device can be finally unplugged. A BUG results when the NFS +mount hasn't yet seen much activity: the transport tries to release +resources that haven't yet been allocated. + +rpcrdma_free_regbuf() already checks for this case, so just move +that check to cover the DEVICE_REMOVAL case as well. + +Reported-by: Michal Kalderon +Fixes: bebd031866ca ("xprtrdma: Support unplugging an HCA ...") +Signed-off-by: Chuck Lever +Tested-by: Michal Kalderon +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/verbs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1331,6 +1331,9 @@ __rpcrdma_dma_map_regbuf(struct rpcrdma_ + static void + rpcrdma_dma_unmap_regbuf(struct rpcrdma_regbuf *rb) + { ++ if (!rb) ++ return; ++ + if (!rpcrdma_regbuf_is_mapped(rb)) + return; + +@@ -1346,9 +1349,6 @@ rpcrdma_dma_unmap_regbuf(struct rpcrdma_ + void + rpcrdma_free_regbuf(struct rpcrdma_regbuf *rb) + { +- if (!rb) +- return; +- + rpcrdma_dma_unmap_regbuf(rb); + kfree(rb); + } diff --git a/queue-4.14/xprtrdma-fix-calculation-of-ri_max_send_sges.patch b/queue-4.14/xprtrdma-fix-calculation-of-ri_max_send_sges.patch new file mode 100644 index 00000000000..d02cc153f48 --- /dev/null +++ b/queue-4.14/xprtrdma-fix-calculation-of-ri_max_send_sges.patch @@ -0,0 +1,77 @@ +From 1179e2c27efe21167ec9d882b14becefba2ee990 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 31 Jan 2018 12:34:05 -0500 +Subject: xprtrdma: Fix calculation of ri_max_send_sges + +From: Chuck Lever + +commit 1179e2c27efe21167ec9d882b14becefba2ee990 upstream. + +Commit 16f906d66cd7 ("xprtrdma: Reduce required number of send +SGEs") introduced the rpcrdma_ia::ri_max_send_sges field. This fixes +a problem where xprtrdma would not work if the device's max_sge +capability was small (low single digits). + +At least RPCRDMA_MIN_SEND_SGES are needed for the inline parts of +each RPC. ri_max_send_sges is set to this value: + + ia->ri_max_send_sges = max_sge - RPCRDMA_MIN_SEND_SGES; + +Then when marshaling each RPC, rpcrdma_args_inline uses that value +to determine whether the device has enough Send SGEs to convey an +NFS WRITE payload inline, or whether instead a Read chunk is +required. + +More recently, commit ae72950abf99 ("xprtrdma: Add data structure to +manage RDMA Send arguments") used the ri_max_send_sges value to +calculate the size of an array, but that commit erroneously assumed +ri_max_send_sges contains a value similar to the device's max_sge, +and not one that was reduced by the minimum SGE count. + +This assumption results in the calculated size of the sendctx's +Send SGE array to be too small. When the array is used to marshal +an RPC, the code can write Send SGEs into the following sendctx +element in that array, corrupting it. When the device's max_sge is +large, this issue is entirely harmless; but it results in an oops +in the provider's post_send method, if dev.attrs.max_sge is small. + +So let's straighten this out: ri_max_send_sges will now contain a +value with the same meaning as dev.attrs.max_sge, which makes +the code easier to understand, and enables rpcrdma_sendctx_create +to calculate the size of the SGE array correctly. + +Reported-by: Michal Kalderon +Fixes: 16f906d66cd7 ("xprtrdma: Reduce required number of send SGEs") +Signed-off-by: Chuck Lever +Tested-by: Michal Kalderon +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/rpc_rdma.c | 2 +- + net/sunrpc/xprtrdma/verbs.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/xprtrdma/rpc_rdma.c ++++ b/net/sunrpc/xprtrdma/rpc_rdma.c +@@ -142,7 +142,7 @@ static bool rpcrdma_args_inline(struct r + if (xdr->page_len) { + remaining = xdr->page_len; + offset = offset_in_page(xdr->page_base); +- count = 0; ++ count = RPCRDMA_MIN_SEND_SGES; + while (remaining) { + remaining -= min_t(unsigned int, + PAGE_SIZE - offset, remaining); +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -523,7 +523,7 @@ rpcrdma_ep_create(struct rpcrdma_ep *ep, + pr_warn("rpcrdma: HCA provides only %d send SGEs\n", max_sge); + return -ENOMEM; + } +- ia->ri_max_send_sges = max_sge - RPCRDMA_MIN_SEND_SGES; ++ ia->ri_max_send_sges = max_sge; + + if (ia->ri_device->attrs.max_qp_wr <= RPCRDMA_BACKWARD_WRS) { + dprintk("RPC: %s: insufficient wqe's available\n",