From: Greg Kroah-Hartman Date: Sun, 22 Jul 2018 15:56:51 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.4.144~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0d547b642e2e3db15a5bd6dee581f87c72bdbf1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch alsa-rawmidi-change-resized-buffers-atomically.patch arc-configs-remove-config_initramfs_source-from-defconfigs.patch arc-fix-config_swap.patch arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch arcv2-save-accl-reg-pair-by-default.patch fat-fix-memory-allocation-failure-handling-of-match_strdup.patch kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch x86-mce-remove-min-interval-polling-limitation.patch --- diff --git a/queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch b/queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch new file mode 100644 index 00000000000..692d072519f --- /dev/null +++ b/queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch 
@@ -0,0 +1,33 @@
+From 9a6249d2a145226ec1b294116fcb08744cf7ab56 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin
+Date: Mon, 16 Jul 2018 15:50:08 +0800
+Subject: ALSA: hda: add mute led support for HP ProBook 455 G5
+
+From: Po-Hsu Lin
+
+commit 9a6249d2a145226ec1b294116fcb08744cf7ab56 upstream.
+
+Audio mute led does not work on HP ProBook 455 G5,
+this can be fixed by using CXT_FIXUP_MUTE_LED_GPIO to support it.
+
+BugLink: https://bugs.launchpad.net/bugs/1781763
+Reported-by: James Buren
+Signed-off-by: Po-Hsu Lin
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -965,6 +965,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+ SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
++ SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
diff --git a/queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch b/queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
new file mode 100644
index 00000000000..d8265ce1de0
--- /dev/null
+++ b/queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
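Review bot: The new `SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),` entry breaks the ascending device-ID order of the 0x103c block: it sits between 0x822e and 0x8299 instead of after 0x829a and before 0x8455. With distinct IDs this is cosmetic rather than functional, but the table is maintained in ID order and an out-of-place entry makes later duplicate and overlap checks harder, so moving it one slot down keeps the convention. The cxt506x table continues on both sides of the hunk.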
@@ -0,0 +1,31 @@
+From 0fca97a29b83e3f315c14ed2372cfd0f9ee0a006 Mon Sep 17 00:00:00 2001
+From: YOKOTA Hiroshi
+Date: Sun, 1 Jul 2018 18:30:01 +0900
+Subject: ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
+
+From: YOKOTA Hiroshi
+
+commit 0fca97a29b83e3f315c14ed2372cfd0f9ee0a006 upstream.
+
+This adds some required quirk when uses headset or headphone on
+Panasonic CF-SZ6.
+
+Signed-off-by: YOKOTA Hiroshi
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6543,6 +6543,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+ SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
++ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
+ SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
diff --git a/queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch b/queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch
new file mode 100644
index 00000000000..a3221cae6a0
--- /dev/null
+++ b/queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch
@@ -0,0 +1,31 @@
+From f3d737b6340b0c7bacd8bc751605f0ed6203f146 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 17 Jul 2018 17:08:32 +0200
+Subject: ALSA: hda/realtek - Yet another Clevo P950 quirk entry
+
+From: Takashi Iwai
+
+commit f3d737b6340b0c7bacd8bc751605f0ed6203f146 upstream.
+
+The PCI SSID 1558:95e1 needs the same quirk for other Clevo P950
+models, too. Otherwise no sound comes out of speakers.
+
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1101143
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2363,6 +2363,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
+ SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
+ SND_PCI_QUIRK(0x1558, 0x9501, "Clevo P950HR", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x95e1, "Clevo P95xER", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e2, "Clevo P950ER", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
diff --git a/queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch b/queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch
new file mode 100644
index 00000000000..92b5d9a94cb
--- /dev/null
+++ b/queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch
@@ -0,0 +1,84 @@ +From 39675f7a7c7e7702f7d5341f1e0d01db746543a0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 17 Jul 2018 17:26:43 +0200 +Subject: ALSA: rawmidi: Change resized buffers atomically + +From: Takashi Iwai + +commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream. + +The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the +current code is racy. For example, the sequencer client may write to +buffer while it being resized. + +As a simple workaround, let's switch to the resized buffer inside the +stream runtime lock. + +Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user( + int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + if (substream->append && substream->use_count > 1) +@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; + runtime->avail = runtime->buffer_size; ++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + substream->active_sensing = !params->no_active_sensing; +@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params) + int snd_rawmidi_input_params(struct snd_rawmidi_substream 
*substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + snd_rawmidi_drain_input(substream); +@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_ + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; ++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + return 0; diff --git a/queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch b/queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch new file mode 100644 index 00000000000..c5ff196d3b5 --- /dev/null +++ b/queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch 
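Review bot: The resize now discards whatever was queued in the old buffer: `kmalloc()` replaces `krealloc()`, so the old contents are not carried over, and `appl_ptr`/`hw_ptr` are reset to 0 under the lock. That is a reasonable trade for making the swap atomic, but it is a behaviour change from the previous code and deserves a comment on the `runtime->appl_ptr = runtime->hw_ptr = 0;` line, e.g. `/* pending data is dropped on resize; the stream restarts on a fresh buffer */`. In snd_rawmidi_input_params() the hunk does not touch `runtime->avail`; that is only safe if the `snd_rawmidi_drain_input()` call earlier in the function zeroes it (not visible here), otherwise a stale count would let a reader consume uninitialised bytes from the new `kmalloc()` buffer, so worth confirming. Both snd_rawmidi_output_params() and snd_rawmidi_input_params() continue past the inner hunks shown.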
@@ -0,0 +1,166 @@ +From 64234961c145606b36eaa82c47b11be842b21049 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Wed, 6 Jun 2018 15:59:38 +0300 +Subject: ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs + +From: Alexey Brodkin + +commit 64234961c145606b36eaa82c47b11be842b21049 upstream. + +We used to have pre-set CONFIG_INITRAMFS_SOURCE with local path +to intramfs in ARC defconfigs. This was quite convenient for +in-house development but not that convenient for newcomers +who obviusly don't have folders like "arc_initramfs" next to +the Linux source tree. Which leads to quite surprising failure +of defconfig building: +------------------------------->8----------------------------- + ../scripts/gen_initramfs_list.sh: Cannot open '../../arc_initramfs_hs/' +../usr/Makefile:57: recipe for target 'usr/initramfs_data.cpio.gz' failed +make[2]: *** [usr/initramfs_data.cpio.gz] Error 1 +------------------------------->8----------------------------- + +So now when more and more people start to deal with our defconfigs +let's make their life easier with removal of CONFIG_INITRAMFS_SOURCE. 
+ +Signed-off-by: Alexey Brodkin +Cc: Kevin Hilman +Cc: stable@vger.kernel.org +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/configs/axs101_defconfig | 1 - + arch/arc/configs/axs103_defconfig | 1 - + arch/arc/configs/axs103_smp_defconfig | 1 - + arch/arc/configs/haps_hs_defconfig | 1 - + arch/arc/configs/haps_hs_smp_defconfig | 1 - + arch/arc/configs/hsdk_defconfig | 1 - + arch/arc/configs/nsim_700_defconfig | 1 - + arch/arc/configs/nsim_hs_defconfig | 1 - + arch/arc/configs/nsim_hs_smp_defconfig | 1 - + arch/arc/configs/nsimosci_defconfig | 1 - + arch/arc/configs/nsimosci_hs_defconfig | 1 - + arch/arc/configs/nsimosci_hs_smp_defconfig | 1 - + 12 files changed, 12 deletions(-) + +--- a/arch/arc/configs/axs101_defconfig ++++ b/arch/arc/configs/axs101_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/axs103_defconfig ++++ b/arch/arc/configs/axs103_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/axs103_smp_defconfig ++++ b/arch/arc/configs/axs103_smp_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/haps_hs_defconfig ++++ b/arch/arc/configs/haps_hs_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y 
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EXPERT=y + CONFIG_PERF_EVENTS=y + # CONFIG_COMPAT_BRK is not set +--- a/arch/arc/configs/haps_hs_smp_defconfig ++++ b/arch/arc/configs/haps_hs_smp_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/hsdk_defconfig ++++ b/arch/arc/configs/hsdk_defconfig +@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/nsim_700_defconfig ++++ b/arch/arc/configs/nsim_700_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsim_hs_defconfig ++++ b/arch/arc/configs/nsim_hs_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsim_hs_smp_defconfig ++++ b/arch/arc/configs/nsim_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_defconfig ++++ b/arch/arc/configs/nsimosci_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y 
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_hs_defconfig ++++ b/arch/arc/configs/nsimosci_hs_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_hs_smp_defconfig ++++ b/arch/arc/configs/nsimosci_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_IKCONFIG_PROC=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_PERF_EVENTS=y + # CONFIG_COMPAT_BRK is not set + CONFIG_KPROBES=y diff --git a/queue-4.17/arc-fix-config_swap.patch b/queue-4.17/arc-fix-config_swap.patch new file mode 100644 index 00000000000..69a122e7c17 --- /dev/null +++ b/queue-4.17/arc-fix-config_swap.patch 
@@ -0,0 +1,48 @@
+From 6e3761145a9ba3ce267c330b6bff51cf6a057b06 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin
+Date: Thu, 28 Jun 2018 16:59:14 -0700
+Subject: ARC: Fix CONFIG_SWAP
+
+From: Alexey Brodkin
+
+commit 6e3761145a9ba3ce267c330b6bff51cf6a057b06 upstream.
+
+swap was broken on ARC due to silly copy-paste issue.
+
+We encode offset from swapcache page in __swp_entry() as (off << 13) but
+were not decoding back in __swp_offset() as (off >> 13) - it was still
+(off << 13).
+
+This finally fixes swap usage on ARC.
+
+| # mkswap /dev/sda2
+|
+| # swapon -a -e /dev/sda2
+| Adding 500728k swap on /dev/sda2. Priority:-2 extents:1 across:500728k
+|
+| # free
+| total used free shared buffers cached
+| Mem: 765104 13456 751648 4736 8 4736
+| -/+ buffers/cache: 8712 756392
+| Swap: 500728 0 500728
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Brodkin
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -379,7 +379,7 @@ void update_mmu_cache(struct vm_area_str
+
+ /* Decode a PTE containing swap "identifier "into constituents */
+ #define __swp_type(pte_lookalike) (((pte_lookalike).val) & 0x1f)
+-#define __swp_offset(pte_lookalike) ((pte_lookalike).val << 13)
++#define __swp_offset(pte_lookalike) ((pte_lookalike).val >> 13)
+
+ /* NOPs, to keep generic kernel happy */
+ #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) })
diff --git a/queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch b/queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
new file mode 100644
index 00000000000..b7e2cb43d71
--- /dev/null
+++ b/queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
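Review bot: The corrected `__swp_offset()` now has to stay in lock-step with `__swp_entry()`, which per the commit message encodes `(off << 13)` but lies outside this hunk, and nothing in the header ties the two together. A layout comment next to the decoders would make the next copy-paste slip visible, e.g. `/* swp entry layout: type in bits [4:0] (the 0x1f mask), offset from bit 13 upwards; must mirror __swp_entry() */`. If the tree has a page-table self-test or a convenient early-boot assertion, a round-trip check of the form `__swp_offset(__swp_entry(t, o)) == o` would catch a regression of this kind mechanically rather than by observing swap failures.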
@@ -0,0 +1,44 @@
+From 93312b6da4df31e4102ce5420e6217135a16c7ea Mon Sep 17 00:00:00 2001
+From: Vineet Gupta
+Date: Wed, 11 Jul 2018 10:42:20 -0700
+Subject: ARC: mm: allow mprotect to make stack mappings executable
+
+From: Vineet Gupta
+
+commit 93312b6da4df31e4102ce5420e6217135a16c7ea upstream.
+
+mprotect(EXEC) was failing for stack mappings as default vm flags was
+missing MAYEXEC.
+
+This was triggered by glibc test suite nptl/tst-execstack testcase
+
+What is surprising is that despite running LTP for years on, we didn't
+catch this issue as it lacks a directed test case.
+
+gcc dejagnu tests with nested functions also requiring exec stack work
+fine though because they rely on the GNU_STACK segment spit out by
+compiler and handled in kernel elf loader.
+
+This glibc case is different as the stack is non exec to begin with and
+a dlopen of shared lib with GNU_STACK segment triggers the exec stack
+proceedings using a mprotect(PROT_EXEC) which was broken.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/page.h
++++ b/arch/arc/include/asm/page.h
+@@ -105,7 +105,7 @@ typedef pte_t * pgtable_t;
+ #define virt_addr_valid(kaddr) pfn_valid(virt_to_pfn(kaddr))
+
+ /* Default Permissions for stack/heaps pages (Non Executable) */
+-#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE)
++#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
+ #define WANT_PAGE_VIRTUAL 1
+
diff --git a/queue-4.17/arcv2-save-accl-reg-pair-by-default.patch b/queue-4.17/arcv2-save-accl-reg-pair-by-default.patch
new file mode 100644
index 00000000000..ce0c8acd139
--- /dev/null
+++ b/queue-4.17/arcv2-save-accl-reg-pair-by-default.patch
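Review bot: The comment on the line above the changed macro, `/* Default Permissions for stack/heaps pages (Non Executable) */`, is now only half true: the mappings still start out non-executable, but with `VM_MAYEXEC` in the default flags a later `mprotect(PROT_EXEC)` is permitted to make them executable. Suggest rewording it to `/* Default permissions for stack/heap pages: not executable, but mprotect(PROT_EXEC) may make them so (VM_MAYEXEC) */` so anyone reviewing the architecture's W^X posture sees that this is intended. As far as I recall other architectures already carry VM_MAYEXEC in VM_DATA_DEFAULT_FLAGS, so this reads as a consistency fix rather than a new relaxation, but the commit message would benefit from stating that explicitly.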
@@ -0,0 +1,43 @@
+From af1fc5baa724c63ce1733dfcf855bad5ef6078e3 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta
+Date: Tue, 17 Jul 2018 15:21:56 -0700
+Subject: ARCv2: [plat-hsdk]: Save accl reg pair by default
+
+From: Vineet Gupta
+
+commit af1fc5baa724c63ce1733dfcf855bad5ef6078e3 upstream.
+
+This manifsted as strace segfaulting on HSDK because gcc was targetting
+the accumulator registers as GPRs, which kernek was not saving/restoring
+by default.
+
+Cc: stable@vger.kernel.org #4.14+
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/Kconfig | 2 +-
+ arch/arc/plat-hsdk/Kconfig | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -408,7 +408,7 @@ config ARC_HAS_DIV_REM
+
+ config ARC_HAS_ACCL_REGS
+ bool "Reg Pair ACCL:ACCH (FPU and/or MPY > 6)"
+- default n
++ default y
+ help
+ Depending on the configuration, CPU can contain accumulator reg-pair
+ (also referred to as r58:r59). These can also be used by gcc as GPR so
+--- a/arch/arc/plat-hsdk/Kconfig
++++ b/arch/arc/plat-hsdk/Kconfig
+@@ -7,5 +7,7 @@
+
+ menuconfig ARC_SOC_HSDK
+ bool "ARC HS Development Kit SOC"
++ depends on ISA_ARCV2
++ select ARC_HAS_ACCL_REGS
+ select CLK_HSDK
+ select RESET_HSDK
diff --git a/queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch b/queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
new file mode 100644
index 00000000000..ce4eb21f0c7
--- /dev/null
+++ b/queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
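Review bot: The help text of `ARC_HAS_ACCL_REGS` still describes the pair as something the CPU "can contain" and leaves the reader to guess why the default flipped from `n` to `y`; the reason given in the commit message (gcc may allocate r58:r59 as GPRs, so userspace breaks unless the kernel saves and restores them) belongs in the help text, where anyone considering turning it off will see it. The new `select ARC_HAS_ACCL_REGS` under `ARC_SOC_HSDK` forces the symbol on regardless of the user's choice, and if `ARC_HAS_ACCL_REGS` carries a `depends on` line of its own outside this hunk, `select` will bypass it, so the added `depends on ISA_ARCV2` should mirror whatever that dependency is. Both hunks show only part of their Kconfig entries.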
@@ -0,0 +1,82 @@ +From 35033ab988c396ad7bce3b6d24060c16a9066db8 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Fri, 20 Jul 2018 17:53:42 -0700 +Subject: fat: fix memory allocation failure handling of match_strdup() + +From: OGAWA Hirofumi + +commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream. + +In parse_options(), if match_strdup() failed, parse_options() leaves +opts->iocharset in unexpected state (i.e. still pointing the freed +string). And this can be the cause of double free. + +To fix, this initialize opts->iocharset always when freeing. + +Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp +Signed-off-by: OGAWA Hirofumi +Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -697,13 +697,21 @@ static void fat_set_state(struct super_b + brelse(bh); + } + ++static void fat_reset_iocharset(struct fat_mount_options *opts) ++{ ++ if (opts->iocharset != fat_default_iocharset) { ++ /* Note: opts->iocharset can be NULL here */ ++ kfree(opts->iocharset); ++ opts->iocharset = fat_default_iocharset; ++ } ++} ++ + static void delayed_free(struct rcu_head *p) + { + struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu); + unload_nls(sbi->nls_disk); + unload_nls(sbi->nls_io); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + kfree(sbi); + } + +@@ -1118,7 +1126,7 @@ static int parse_options(struct super_bl + opts->fs_fmask = opts->fs_dmask = current_umask(); + opts->allow_utime = -1; + opts->codepage = fat_default_codepage; +- opts->iocharset = fat_default_iocharset; ++ fat_reset_iocharset(opts); + if (is_vfat) { + opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95; + opts->rodir 
= 0; +@@ -1275,8 +1283,7 @@ static int parse_options(struct super_bl + + /* vfat specific */ + case Opt_charset: +- if (opts->iocharset != fat_default_iocharset) +- kfree(opts->iocharset); ++ fat_reset_iocharset(opts); + iocharset = match_strdup(&args[0]); + if (!iocharset) + return -ENOMEM; +@@ -1867,8 +1874,7 @@ out_fail: + iput(fat_inode); + unload_nls(sbi->nls_io); + unload_nls(sbi->nls_disk); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + sb->s_fs_info = NULL; + kfree(sbi); + return error; diff --git a/queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch b/queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch new file mode 100644 index 00000000000..7ec0f08a395 --- /dev/null +++ b/queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch 
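Review bot: `fat_reset_iocharset()` is now called at the top of `parse_options()` where the old code merely assigned the default, so its `kfree()` path relies on `opts->iocharset` being either NULL (zero-allocated sbi), `fat_default_iocharset`, or a live pointer left by an earlier parse such as on remount; the helper's own comment covers the NULL case but not this call-site invariant. A one-line comment there, e.g. `/* opts may be zeroed or still hold a charset from an earlier mount; the reset frees it safely */`, would stop a later refactor from moving the call ahead of sbi initialisation. The `Opt_charset` hunk looks right: after the reset a failed `match_strdup()` leaves the default in place, which is exactly what removes the dangling pointer and the double free. `parse_options()` and the `out_fail:` path of the mount routine both continue outside the hunks.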
@@ -0,0 +1,67 @@
+From b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 Mon Sep 17 00:00:00 2001
+From: Lan Tianyu
+Date: Thu, 21 Dec 2017 21:10:36 -0500
+Subject: KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lan Tianyu
+
+commit b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 upstream.
+
+Syzbot reports crashes in kvm_irqfd_assign(), caused by use-after-free
+when kvm_irqfd_assign() and kvm_irqfd_deassign() run in parallel
+for one specific eventfd. When the assign path hasn't finished but irqfd
+has been added to kvm->irqfds.items list, another thead may deassign the
+eventfd and free struct kvm_kernel_irqfd(). The assign path then uses
+the struct kvm_kernel_irqfd that has been freed by deassign path. To avoid
+such issue, keep irqfd under kvm->irq_srcu protection after the irqfd
+has been added to kvm->irqfds.items list, and call synchronize_srcu()
+in irq_shutdown() to make sure that irqfd has been fully initialized in
+the assign path.
+
+Reported-by: Dmitry Vyukov
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Dmitry Vyukov
+Signed-off-by: Tianyu Lan
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/eventfd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work)
+ {
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(work, struct kvm_kernel_irqfd, shutdown);
++ struct kvm *kvm = irqfd->kvm;
+ u64 cnt;
+
++ /* Make sure irqfd has been initalized in assign path. */
++ synchronize_srcu(&kvm->irq_srcu);
++
+ /*
+ * Synchronize with the wait-queue and unhook ourselves to prevent
+ * further events.
+@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+
+ idx = srcu_read_lock(&kvm->irq_srcu);
+ irqfd_update(kvm, irqfd);
+- srcu_read_unlock(&kvm->irq_srcu, idx);
+
+ list_add_tail(&irqfd->list, &kvm->irqfds.items);
+
+@@ -421,6 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ }
+ #endif
+
++ srcu_read_unlock(&kvm->irq_srcu, idx);
+ return 0;
+
+ fail:
diff --git a/queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch b/queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
new file mode 100644
index 00000000000..967c76d8206
--- /dev/null
+++ b/queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
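Review bot: Moving `srcu_read_unlock()` down to just before `return 0;` means any error exit between `list_add_tail()` and the new unlock would now leave the SRCU read side held; the lines between +391 and +424 are not in the hunk, so please confirm nothing in that stretch jumps to `fail:`. The `synchronize_srcu()` added to `irqfd_shutdown()` runs in workqueue context where sleeping is fine, but a comment saying what it pairs with would help the next reader: `/* Wait for a concurrent kvm_irqfd_assign() to leave its irq_srcu read section before tearing irqfd down. */`. The new comment also misspells "initialized" as "initalized". kvm_irqfd_assign() continues on both sides of its hunks.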
@@ -0,0 +1,51 @@
+From 9432a3175770e06cb83eada2d91fac90c977cb99 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 28 May 2018 13:31:13 +0200
+Subject: KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
+
+From: Paolo Bonzini
+
+commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.
+
+A comment warning against this bug is there, but the code is not doing what
+the comment says. Therefore it is possible that an EPOLLHUP races against
+irq_bypass_register_consumer. The EPOLLHUP handler schedules irqfd_shutdown,
+and if that runs soon enough, you get a use-after-free.
+
+Reported-by: syzbot
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Reviewed-by: David Hildenbrand
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/eventfd.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -405,11 +405,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ if (events & EPOLLIN)
+ schedule_work(&irqfd->inject);
+
+- /*
+- * do not drop the file until the irqfd is fully initialized, otherwise
+- * we might race against the EPOLLHUP
+- */
+- fdput(f);
+ #ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+ if (kvm_arch_has_irq_bypass()) {
+ irqfd->consumer.token = (void *)irqfd->eventfd;
+@@ -425,6 +420,12 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ #endif
+
+ srcu_read_unlock(&kvm->irq_srcu, idx);
++
++ /*
++ * do not drop the file until the irqfd is fully initialized, otherwise
++ * we might race against the EPOLLHUP
++ */
++ fdput(f);
+ return 0;
+
+ fail:
diff --git a/queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch b/queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch
new file mode 100644
index 00000000000..66f1a480440
--- /dev/null
+++ b/queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch
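Review bot: The context line `srcu_read_unlock(&kvm->irq_srcu, idx);` at +422 only exists once the kvm-eventfd-avoid-crash patch from this same batch is applied, so the series order must keep that patch ahead of this one or this hunk will not apply. With `fdput(f)` now placed after the `#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS` block, the code finally does what its own comment says. kvm_irqfd_assign() continues outside the hunks, including the `fail:` path, where the file reference is presumably released as well, so it is worth a glance that `fdput(f)` remains balanced on every exit.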
@@ -0,0 +1,95 @@ +From 2307af1c4b2e0ad886f30e31739845322cbd328b Mon Sep 17 00:00:00 2001 +From: Liran Alon +Date: Fri, 29 Jun 2018 22:59:04 +0300 +Subject: KVM: VMX: Mark VMXArea with revision_id of physical CPU even when eVMCS enabled + +From: Liran Alon + +commit 2307af1c4b2e0ad886f30e31739845322cbd328b upstream. + +When eVMCS is enabled, all VMCS allocated to be used by KVM are marked +with revision_id of KVM_EVMCS_VERSION instead of revision_id reported +by MSR_IA32_VMX_BASIC. + +However, even though not explictly documented by TLFS, VMXArea passed +as VMXON argument should still be marked with revision_id reported by +physical CPU. + +This issue was found by the following setup: +* L0 = KVM which expose eVMCS to it's L1 guest. +* L1 = KVM which consume eVMCS reported by L0. +This setup caused the following to occur: +1) L1 execute hardware_enable(). +2) hardware_enable() calls kvm_cpu_vmxon() to execute VMXON. +3) L0 intercept L1 VMXON and execute handle_vmon() which notes +vmxarea->revision_id != VMCS12_REVISION and therefore fails with +nested_vmx_failInvalid() which sets RFLAGS.CF. +4) L1 kvm_cpu_vmxon() don't check RFLAGS.CF for failure and therefore +hardware_enable() continues as usual. +5) L1 hardware_enable() then calls ept_sync_global() which executes +INVEPT. +6) L0 intercept INVEPT and execute handle_invept() which notes +!vmx->nested.vmxon and thus raise a #UD to L1. +7) Raised #UD caused L1 to panic. 
+ +Reviewed-by: Krish Sadhukhan +Cc: stable@vger.kernel.org +Fixes: 773e8a0425c923bc02668a2d6534a5ef5a43cc69 +Signed-off-by: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4110,11 +4110,7 @@ static __init int setup_vmcs_config(stru + vmcs_conf->order = get_order(vmcs_conf->size); + vmcs_conf->basic_cap = vmx_msr_high & ~0x1fff; + +- /* KVM supports Enlightened VMCS v1 only */ +- if (static_branch_unlikely(&enable_evmcs)) +- vmcs_conf->revision_id = KVM_EVMCS_VERSION; +- else +- vmcs_conf->revision_id = vmx_msr_low; ++ vmcs_conf->revision_id = vmx_msr_low; + + vmcs_conf->pin_based_exec_ctrl = _pin_based_exec_control; + vmcs_conf->cpu_based_exec_ctrl = _cpu_based_exec_control; +@@ -4184,7 +4180,13 @@ static struct vmcs *alloc_vmcs_cpu(int c + return NULL; + vmcs = page_address(pages); + memset(vmcs, 0, vmcs_config.size); +- vmcs->revision_id = vmcs_config.revision_id; /* vmcs revision id */ ++ ++ /* KVM supports Enlightened VMCS v1 only */ ++ if (static_branch_unlikely(&enable_evmcs)) ++ vmcs->revision_id = KVM_EVMCS_VERSION; ++ else ++ vmcs->revision_id = vmcs_config.revision_id; ++ + return vmcs; + } + +@@ -4343,6 +4345,19 @@ static __init int alloc_kvm_area(void) + return -ENOMEM; + } + ++ /* ++ * When eVMCS is enabled, alloc_vmcs_cpu() sets ++ * vmcs->revision_id to KVM_EVMCS_VERSION instead of ++ * revision_id reported by MSR_IA32_VMX_BASIC. ++ * ++ * However, even though not explictly documented by ++ * TLFS, VMXArea passed as VMXON argument should ++ * still be marked with revision_id reported by ++ * physical CPU. ++ */ ++ if (static_branch_unlikely(&enable_evmcs)) ++ vmcs->revision_id = vmcs_config.revision_id; ++ + per_cpu(vmxarea, cpu) = vmcs; + } + return 0; 
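Review bot: alloc_kvm_area() now overwrites `vmcs->revision_id` right after alloc_vmcs_cpu() set it, which works but splits one decision across two functions; a short note in alloc_vmcs_cpu() saying that the VMXON region is re-marked by its caller, e.g. `/* alloc_kvm_area() re-marks the per-cpu VMXON region with the CPU's revision_id */`, would keep the two in sync. The new comment misspells "explicitly" as "explictly". Separately, the commit message itself observes that kvm_cpu_vmxon() does not check RFLAGS.CF after VMXON, so a rejected VMXON still lets hardware_enable() proceed; this patch fixes the symptom, and a follow-up that fails hardware_enable() on a VMXON error would turn a repeat of this class of bug into a clean error instead of a guest panic. setup_vmcs_config(), alloc_vmcs_cpu() and alloc_kvm_area() all continue outside the hunks.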
diff --git a/queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch b/queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch new file mode 100644 index 00000000000..665ba04726d --- /dev/null +++ b/queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch 
@@ -0,0 +1,270 @@
+From b5f3bc39a0e815a30005da246dd4ad47fd2f88ff Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Mon, 2 Jul 2018 13:01:58 -0700
+Subject: scsi: qla2xxx: Fix inconsistent DMA mem alloc/free
+
+From: Quinn Tran
+
+commit b5f3bc39a0e815a30005da246dd4ad47fd2f88ff upstream.
+
+GPNFT command allocates 2 buffer for switch query. On completion, the same
+buffers were freed using different size, instead of using original size at
+the time of allocation.
+
+This patch saves the size of the request and response buffers and uses that
+to free them.
+
+Following stack trace can be seen when using debug kernel
+
+dump_stack+0x19/0x1b
+__warn+0xd8/0x100
+warn_slowpath_fmt+0x5f/0x80
+check_unmap+0xfb/0xa20
+debug_dma_free_coherent+0x110/0x160
+qla24xx_sp_unmap+0x131/0x1e0 [qla2xxx]
+qla24xx_async_gnnft_done+0xb6/0x550 [qla2xxx]
+qla2x00_do_work+0x1ec/0x9f0 [qla2xxx]
+
+Cc: # v4.17+
+Fixes: 33b28357dd00 ("scsi: qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan")
+Reported-by: Ewan D. Milne
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_def.h | 2 ++
+ drivers/scsi/qla2xxx/qla_gs.c | 40 ++++++++++++++++++++++++++--------------
+ 2 files changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -361,6 +361,8 @@ struct ct_arg {
+ dma_addr_t rsp_dma;
+ u32 req_size;
+ u32 rsp_size;
++ u32 req_allocated_size;
++ u32 rsp_allocated_size;
+ void *req;
+ void *rsp;
+ port_id_t id;
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -556,7 +556,7 @@ err2:
+ /* please ignore kernel warning. otherwise, we have mem leak. */
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+@@ -564,7 +564,7 @@ err2:
+ 
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -617,6 +617,7 @@ static int qla_async_rftid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xd041,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -627,6 +628,7 @@ static int qla_async_rftid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xd042,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -712,6 +714,7 @@ static int qla_async_rffid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xd041,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -722,6 +725,7 @@ static int qla_async_rffid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xd042,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -802,6 +806,7 @@ static int qla_async_rnnid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xd041,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -812,6 +817,7 @@ static int qla_async_rnnid(scsi_qla_host
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xd042,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -909,6 +915,7 @@ static int qla_async_rsnn_nn(scsi_qla_ho
+ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xd041,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -919,6 +926,7 @@ static int qla_async_rsnn_nn(scsi_qla_ho
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xd042,
+ "%s: Failed to allocate ct_sns request.\n",
+@@ -3392,14 +3400,14 @@ void qla24xx_sp_unmap(scsi_qla_host_t *v
+ {
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -3600,14 +3608,14 @@ static void qla2x00_async_gpnid_sp_done(
+ /* please ignore kernel warning. otherwise, we have mem leak. */
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -3658,6 +3666,7 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+ sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xd041,
+ "Failed to allocate ct_sns request.\n");
+@@ -3667,6 +3676,7 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+ GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xd042,
+ "Failed to allocate ct_sns request.\n");
+@@ -4125,14 +4135,14 @@ static void qla2x00_async_gpnft_gnnft_sp
+ */
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4162,14 +4172,14 @@ static void qla2x00_async_gpnft_gnnft_sp
+ /* please ignore kernel warning. Otherwise, we have mem leak. */
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4264,14 +4274,14 @@ static int qla24xx_async_gnnft(scsi_qla_
+ done_free_sp:
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4332,6 +4342,7 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ sp->u.iocb_cmd.u.ctarg.req = dma_zalloc_coherent(
+ &vha->hw->pdev->dev, sizeof(struct ct_sns_pkt),
+ &sp->u.iocb_cmd.u.ctarg.req_dma, GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.req) {
+ ql_log(ql_log_warn, vha, 0xffff,
+ "Failed to allocate ct_sns request.\n");
+@@ -4349,6 +4360,7 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ sp->u.iocb_cmd.u.ctarg.rsp = dma_zalloc_coherent(
+ &vha->hw->pdev->dev, rspsz,
+ &sp->u.iocb_cmd.u.ctarg.rsp_dma, GFP_KERNEL);
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+ if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+ ql_log(ql_log_warn, vha, 0xffff,
+ "Failed to allocate ct_sns request.\n");
+@@ -4408,14 +4420,14 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ done_free_sp:
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.req,
+ sp->u.iocb_cmd.u.ctarg.req_dma);
+ sp->u.iocb_cmd.u.ctarg.req = NULL;
+ }
+ if (sp->u.iocb_cmd.u.ctarg.rsp) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+- sizeof(struct ct_sns_pkt),
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+ sp->u.iocb_cmd.u.ctarg.rsp,
+ sp->u.iocb_cmd.u.ctarg.rsp_dma);
+ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
diff --git a/queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch b/queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch
new file mode 100644
index 00000000000..6e6027646a3
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch
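Review bot: In the `@@ -4349,6 +4360,7 @@ int qla24xx_async_gpnft` hunk the response buffer is allocated with `rspsz`, yet the new line records `rsp_allocated_size = sizeof(struct ct_sns_pkt)`, so every free path this patch converts will still pass a size that differs from the GPNFT response allocation — the exact mismatch the commit sets out to remove. The recorded size should be the one handed to the allocator: `sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = rspsz;`. Every other allocation site stores the size before the NULL check, which is harmless because each `dma_free_coherent()` is guarded by the pointer test, but storing it only after a successful allocation would keep the field meaningful. The enclosing functions and the computation of `rspsz` lie outside these hunks.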
@@ -0,0 +1,93 @@
+From d48cc67cd4406d589fdbfa8c7d51c86532f86feb Mon Sep 17 00:00:00 2001
+From: "himanshu.madhani@cavium.com"
+Date: Mon, 2 Jul 2018 13:01:59 -0700
+Subject: scsi: qla2xxx: Fix kernel crash due to late workqueue allocation
+
+From: himanshu.madhani@cavium.com
+
+commit d48cc67cd4406d589fdbfa8c7d51c86532f86feb upstream.
+
+This patch fixes crash for FCoE adapter. Once driver initialization is
+complete, firmware will start posting Asynchronous Event, However driver
+has not yet allocated workqueue to process and queue up work. This delay
+of allocating workqueue results into NULL pointer access.
+
+The following stack trace is seen:
+
+[ 24.577259] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102
+[ 24.623133] PGD 0 P4D 0
+[ 24.636760] Oops: 0000 [#1] SMP NOPTI
+[ 24.656942] Modules linked in: i2c_algo_bit drm_kms_helper sr_mod(+) syscopyarea sysfillrect sysimgblt cdrom fb_sys_fops ata_generic ttm pata_acpi sd_mod ahci pata_atiixp sfc(+) qla2xxx(+) libahci drm qla4xxx(+) nvme_fc hpsa mdio libiscsi qlcnic(+) nvme_fabrics scsi_transport_sas serio_raw mtd crc32c_intel libata nvme_core i2c_core scsi_transport_iscsi tg3 scsi_transport_fc bnx2 iscsi_boot_sysfs dm_multipath dm_mirror dm_region_hash dm_log dm_mod
+[ 24.887449] CPU: 0 PID: 177 Comm: kworker/0:3 Not tainted 4.17.0-rc6 #1
+[ 24.925119] Hardware name: HP ProLiant DL385 G7, BIOS A18 08/15/2012
+[ 24.962106] Workqueue: events work_for_cpu_fn
+[ 24.987098] RIP: 0010:__queue_work+0x1f/0x3a0
+[ 25.011672] RSP: 0018:ffff992642ceba10 EFLAGS: 00010082
+[ 25.042116] RAX: 0000000000000082 RBX: 0000000000000082 RCX: 0000000000000000
+[ 25.083293] RDX: ffff8cf9abc6d7d0 RSI: 0000000000000000 RDI: 0000000000002000
+[ 25.123094] RBP: 0000000000000000 R08: 0000000000025a40 R09: ffff8cf9aade2880
+[ 25.164087] R10: 0000000000000000 R11: ffff992642ceb6f0 R12: ffff8cf9abc6d7d0
+[ 25.202280] R13: 0000000000002000 R14: ffff8cf9abc6d7b8 R15: 0000000000002000
+[ 25.242050] FS: 0000000000000000(0000) f9b5c00000(0000) knlGS:0000000000000000
+[ 25.977565] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 26.010457] CR2: 0000000000000102 CR3: 000000030760a000 CR4: 00000000000406f0
+[ 26.051048] Call Trace:
+[ 26.063572] ? __switch_to_asm+0x34/0x70
+[ 26.086079] queue_work_on+0x24/0x40
+[ 26.107090] qla2x00_post_work+0x81/0xb0 [qla2xxx]
+[ 26.133356] qla2x00_async_event+0x1ad/0x1a20 [qla2xxx]
+[ 26.164075] ? lock_timer_base+0x67/0x80
+[ 26.186420] ? try_to_del_timer_sync+0x4d/0x80
+[ 26.212284] ? del_timer_sync+0x35/0x40
+[ 26.234080] ? schedule_timeout+0x165/0x2f0
+[ 26.259575] qla82xx_poll+0x13e/0x180 [qla2xxx]
+[ 26.285740] qla2x00_mailbox_command+0x74b/0xf50 [qla2xxx]
+[ 26.319040] qla82xx_set_driver_version+0x13b/0x1c0 [qla2xxx]
+[ 26.352108] ? qla2x00_init_rings+0x206/0x3f0 [qla2xxx]
+[ 26.381733] qla2x00_initialize_adapter+0x35c/0x7f0 [qla2xxx]
+[ 26.413240] qla2x00_probe_one+0x1479/0x2390 [qla2xxx]
+[ 26.442055] local_pci_probe+0x3f/0xa0
+[ 26.463108] work_for_cpu_fn+0x10/0x20
+[ 26.483295] process_one_work+0x152/0x350
+[ 26.505730] worker_thread+0x1cf/0x3e0
+[ 26.527090] kthread+0xf5/0x130
+[ 26.545085] ? max_active_store+0x80/0x80
+[ 26.568085] ? kthread_bind+0x10/0x10
+[ 26.589533] ret_from_fork+0x22/0x40
+[ 26.610192] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 89 ff 41 56 41 55 41 89 fd 41 54 49 89 d4 55 48 89 f5 53 48 83 ec 0 86 02 01 00 00 01 0f 85 80 02 00 00 49 c7 c6 c0 ec 01 00 41
+[ 27.308540] RIP: __queue_work+0x1f/0x3a0 RSP: ffff992642ceba10
+[ 27.341591] CR2: 0000000000000102
+[ 27.360208] ---[ end trace 01b7b7ae2c005cf3 ]---
+
+Cc: # v4.17+
+Fixes: 9b3e0f4d4147 ("scsi: qla2xxx: Move work element processing out of DPC thread"
+Reported-by: Li Wang
+Tested-by: Li Wang
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3180,6 +3180,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ "req->req_q_in=%p req->req_q_out=%p rsp->rsp_q_in=%p rsp->rsp_q_out=%p.\n",
+ req->req_q_in, req->req_q_out, rsp->rsp_q_in, rsp->rsp_q_out);
+ 
++ ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
++
+ if (ha->isp_ops->initialize_adapter(base_vha)) {
+ ql_log(ql_log_fatal, base_vha, 0x00d6,
+ "Failed to initialize adapter - Adapter flags %x.\n",
+@@ -3216,8 +3218,6 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ host->can_queue, base_vha->req,
+ base_vha->mgmt_svr_loop_id, host->sg_tablesize);
+ 
+- ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
+-
+ if (ha->mqenable) {
+ bool mq = false;
+ bool startit = false;
diff --git a/queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch b/queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch
new file mode 100644
index 00000000000..6f6f2fb30a2
--- /dev/null
+++ b/queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch
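Review bot: The `alloc_workqueue()` call moved into the first hunk still has no return-value check, so if the allocation fails `ha->wq` stays NULL and `qla2x00_post_work()` reaches the same `__queue_work` NULL dereference shown in the trace, now on any asynchronous event rather than only the early ones. A guard at the new site, e.g. `if (!ha->wq) goto probe_failed;` with a `ql_log()` of the failure, would close that window; the probe failure label is outside the hunk, so its name is inferred. The workqueue now also exists before `initialize_adapter()` runs, so the failure branch of that call should be confirmed to destroy `ha->wq` (that teardown path is not visible here). `qla2x00_probe_one()` begins before and ends after both hunks.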
@@ -0,0 +1,97 @@
+From 36eb8ff672faee83ccce60c191f0fef07c6adce6 Mon Sep 17 00:00:00 2001
+From: Chuck Anderson
+Date: Mon, 2 Jul 2018 13:02:00 -0700
+Subject: scsi: qla2xxx: Fix NULL pointer dereference for fcport search
+
+From: Chuck Anderson
+
+commit 36eb8ff672faee83ccce60c191f0fef07c6adce6 upstream.
+
+Crash dump shows following instructions
+
+crash> bt
+PID: 0 TASK: ffffffffbe412480 CPU: 0 COMMAND: "swapper/0"
+ #0 [ffff891ee0003868] machine_kexec at ffffffffbd063ef1
+ #1 [ffff891ee00038c8] __crash_kexec at ffffffffbd12b6f2
+ #2 [ffff891ee0003998] crash_kexec at ffffffffbd12c84c
+ #3 [ffff891ee00039b8] oops_end at ffffffffbd030f0a
+ #4 [ffff891ee00039e0] no_context at ffffffffbd074643
+ #5 [ffff891ee0003a40] __bad_area_nosemaphore at ffffffffbd07496e
+ #6 [ffff891ee0003a90] bad_area_nosemaphore at ffffffffbd074a64
+ #7 [ffff891ee0003aa0] __do_page_fault at ffffffffbd074b0a
+ #8 [ffff891ee0003b18] do_page_fault at ffffffffbd074fc8
+ #9 [ffff891ee0003b50] page_fault at ffffffffbda01925
+ [exception RIP: qlt_schedule_sess_for_deletion+15]
+ RIP: ffffffffc02e526f RSP: ffff891ee0003c08 RFLAGS: 00010046
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0307847
+ RDX: 00000000000020e6 RSI: ffff891edbc377c8 RDI: 0000000000000000
+ RBP: ffff891ee0003c18 R8: ffffffffc02f0b20 R9: 0000000000000250
+ R10: 0000000000000258 R11: 000000000000b780 R12: ffff891ed9b43000
+ R13: 00000000000000f0 R14: 0000000000000006 R15: ffff891edbc377c8
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #10 [ffff891ee0003c20] qla2x00_fcport_event_handler at ffffffffc02853d3 [qla2xxx]
+ #11 [ffff891ee0003cf0] __dta_qla24xx_async_gnl_sp_done_333 at ffffffffc0285a1d [qla2xxx]
+ #12 [ffff891ee0003de8] qla24xx_process_response_queue at ffffffffc02a2eb5 [qla2xxx]
+ #13 [ffff891ee0003e88] qla24xx_msix_rsp_q at ffffffffc02a5403 [qla2xxx]
+ #14 [ffff891ee0003ec0] __handle_irq_event_percpu at ffffffffbd0f4c59
+ #15 [ffff891ee0003f10] handle_irq_event_percpu at ffffffffbd0f4e02
+ #16 [ffff891ee0003f40] handle_irq_event at ffffffffbd0f4e90
+ #17 [ffff891ee0003f68] handle_edge_irq at ffffffffbd0f8984
+ #18 [ffff891ee0003f88] handle_irq at ffffffffbd0305d5
+ #19 [ffff891ee0003fb8] do_IRQ at ffffffffbda02a18
+ --- ---
+ #20 [ffffffffbe403d30] ret_from_intr at ffffffffbda0094e
+ [exception RIP: unknown or invalid address]
+ RIP: 000000000000001f RSP: 0000000000000000 RFLAGS: fff3b8c2091ebb3f
+ RAX: ffffbba5a0000200 RBX: 0000be8cdfa8f9fa RCX: 0000000000000018
+ RDX: 0000000000000101 RSI: 000000000000015d RDI: 0000000000000193
+ RBP: 0000000000000083 R8: ffffffffbe403e38 R9: 0000000000000002
+ R10: 0000000000000000 R11: ffffffffbe56b820 R12: ffff891ee001cf00
+ R13: ffffffffbd11c0a4 R14: ffffffffbe403d60 R15: 0000000000000001
+ ORIG_RAX: ffff891ee0022ac0 CS: 0000 SS: ffffffffffffffb9
+ bt: WARNING: possibly bogus exception frame
+ #21 [ffffffffbe403dd8] cpuidle_enter_state at ffffffffbd67c6fd
+ #22 [ffffffffbe403e40] cpuidle_enter at ffffffffbd67c907
+ #23 [ffffffffbe403e50] call_cpuidle at ffffffffbd0d98f3
+ #24 [ffffffffbe403e60] do_idle at ffffffffbd0d9b42
+ #25 [ffffffffbe403e98] cpu_startup_entry at ffffffffbd0d9da3
+ #26 [ffffffffbe403ec0] rest_init at ffffffffbd81d4aa
+ #27 [ffffffffbe403ed0] start_kernel at ffffffffbe67d2ca
+ #28 [ffffffffbe403f28] x86_64_start_reservations at ffffffffbe67c675
+ #29 [ffffffffbe403f38] x86_64_start_kernel at ffffffffbe67c6eb
+ #30 [ffffffffbe403f50] secondary_startup_64 at ffffffffbd0000d5
+
+Fixes: 040036bb0bc1 ("scsi: qla2xxx: Delay loop id allocation at login")
+Cc: # v4.17+
+Signed-off-by: Chuck Anderson
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -591,12 +591,14 @@ static void qla24xx_handle_gnl_done_even
+ conflict_fcport =
+ qla2x00_find_fcport_by_wwpn(vha,
+ e->port_name, 0);
+- ql_dbg(ql_dbg_disc, vha, 0x20e6,
+- "%s %d %8phC post del sess\n",
+- __func__, __LINE__,
+- conflict_fcport->port_name);
+- qlt_schedule_sess_for_deletion
+- (conflict_fcport);
++ if (conflict_fcport) {
++ qlt_schedule_sess_for_deletion
++ (conflict_fcport);
++ ql_dbg(ql_dbg_disc, vha, 0x20e6,
++ "%s %d %8phC post del sess\n",
++ __func__, __LINE__,
++ conflict_fcport->port_name);
++ }
+ }
+ 
+ /* FW already picked this loop id for another fcport */
diff --git a/queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch b/queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
new file mode 100644
index 00000000000..5427965f347
--- /dev/null
+++ b/queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
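Review bot: Besides adding the NULL guard, the new block reverses the original order and calls `qlt_schedule_sess_for_deletion(conflict_fcport)` before the `ql_dbg()` that reads `conflict_fcport->port_name`; reading the fcport after handing it to the deletion path is only safe if that deletion is deferred (presumably it is, but that is not visible here), and the commit message does not explain the reorder. Keeping the original order inside the guard — `ql_dbg(...)` first, then `qlt_schedule_sess_for_deletion(conflict_fcport);` — preserves the old sequencing and avoids the question. A WWPN that is not found is now skipped silently; a `ql_dbg()` line in an `else` branch would make that case visible in the discovery trace. `qla24xx_handle_gnl_done_event()` begins before and ends after the hunk.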
@@ -0,0 +1,49 @@
+From f13cff6c25bd8986627365346d123312ee7baa78 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Tue, 3 Jul 2018 15:23:58 +0900
+Subject: scsi: sd_zbc: Fix variable type and bogus comment
+
+From: Damien Le Moal
+
+commit f13cff6c25bd8986627365346d123312ee7baa78 upstream.
+
+Fix the description of sd_zbc_check_zone_size() to correctly explain that
+the returned value is a number of device blocks, not bytes. Additionally,
+the 32 bits "ret" variable used in this function may truncate the 64 bits
+zone_blocks variable value upon return. To fix this, change "ret" type to
+s64.
+
+Fixes: ccce20fc79 ("sd_zbc: Avoid that resetting a zone fails sporadically")
+Signed-off-by: Damien Le Moal
+Cc: Bart Van Assche
+Cc: stable@kernel.org
+Reviewed-by: Hannes Reinecke
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd_zbc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -401,7 +401,8 @@ static int sd_zbc_check_capacity(struct
+ * Check that all zones of the device are equal. The last zone can however
+ * be smaller. The zone size must also be a power of two number of LBAs.
+ *
+- * Returns the zone size in bytes upon success or an error code upon failure.
++ * Returns the zone size in number of blocks upon success or an error code
++ * upon failure.
+ */
+ static s64 sd_zbc_check_zone_size(struct scsi_disk *sdkp)
+ {
+@@ -411,7 +412,7 @@ static s64 sd_zbc_check_zone_size(struct
+ unsigned char *rec;
+ unsigned int buf_len;
+ unsigned int list_length;
+- int ret;
++ s64 ret;
+ u8 same;
+ 
+ /* Get a buffer */
diff --git a/queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch b/queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
new file mode 100644
index 00000000000..3f079bde1cf
--- /dev/null
+++ b/queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
@@ -0,0 +1,141 @@
+From 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Mon, 9 Jul 2018 16:35:34 +0300
+Subject: x86/apm: Don't access __preempt_count with zeroed fs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 upstream.
+
+APM_DO_POP_SEGS does not restore fs/gs which were zeroed by
+APM_DO_ZERO_SEGS. Trying to access __preempt_count with
+zeroed fs doesn't really work.
+
+Move the ibrs call outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS
+invocations so that fs is actually restored before calling
+preempt_enable().
+
+Fixes the following sort of oopses:
+[ 0.313581] general protection fault: 0000 [#1] PREEMPT SMP
+[ 0.313803] Modules linked in:
+[ 0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19
+[ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170
+[ 0.316161] EFLAGS: 00210016 CPU: 0
+[ 0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000
+[ 0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0
+[ 0.316161] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
+[ 0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0
+[ 0.316161] Call Trace:
+[ 0.316161] ? cpumask_weight.constprop.15+0x20/0x20
+[ 0.316161] on_cpu0+0x44/0x70
+[ 0.316161] apm+0x54e/0x720
+[ 0.316161] ? __switch_to_asm+0x26/0x40
+[ 0.316161] ? __schedule+0x17d/0x590
+[ 0.316161] kthread+0xc0/0xf0
+[ 0.316161] ? proc_apm_show+0x150/0x150
+[ 0.316161] ? kthread_create_worker_on_cpu+0x20/0x20
+[ 0.316161] ret_from_fork+0x2e/0x38
+[ 0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45
+[ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0
+[ 0.316161] ---[ end trace 656253db2deaa12c ]---
+
+Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware")
+Signed-off-by: Ville Syrjälä
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Cc: David Woodhouse
+Cc: "H. Peter Anvin"
+Cc: x86@kernel.org
+Cc: David Woodhouse
+Cc: "H. Peter Anvin"
+Link: https://lkml.kernel.org/r/20180709133534.5963-1-ville.syrjala@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/apm.h | 6 ------
+ arch/x86/kernel/apm_32.c | 5 +++++
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/apm.h
++++ b/arch/x86/include/asm/apm.h
+@@ -7,8 +7,6 @@
+ #ifndef _ASM_X86_MACH_DEFAULT_APM_H
+ #define _ASM_X86_MACH_DEFAULT_APM_H
+ 
+-#include
+-
+ #ifdef APM_ZERO_SEGS
+ # define APM_DO_ZERO_SEGS \
+ "pushl %%ds\n\t" \
+@@ -34,7 +32,6 @@ static inline void apm_bios_call_asm(u32
+ * N.B. We do NOT need a cld after the BIOS call
+ * because we always save and restore the flags.
+ */
+- firmware_restrict_branch_speculation_start();
+ __asm__ __volatile__(APM_DO_ZERO_SEGS
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+@@ -47,7 +44,6 @@ static inline void apm_bios_call_asm(u32
+ "=S" (*esi)
+ : "a" (func), "b" (ebx_in), "c" (ecx_in)
+ : "memory", "cc");
+- firmware_restrict_branch_speculation_end();
+ }
+ 
+ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in,
+@@ -60,7 +56,6 @@ static inline bool apm_bios_call_simple_
+ * N.B. We do NOT need a cld after the BIOS call
+ * because we always save and restore the flags.
+ */
+- firmware_restrict_branch_speculation_start();
+ __asm__ __volatile__(APM_DO_ZERO_SEGS
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+@@ -73,7 +68,6 @@ static inline bool apm_bios_call_simple_
+ "=S" (si)
+ : "a" (func), "b" (ebx_in), "c" (ecx_in)
+ : "memory", "cc");
+- firmware_restrict_branch_speculation_end();
+ return error;
+ }
+ 
+--- a/arch/x86/kernel/apm_32.c
++++ b/arch/x86/kernel/apm_32.c
+@@ -240,6 +240,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT)
+ extern int (*console_blank_hook)(int);
+@@ -614,11 +615,13 @@ static long __apm_bios_call(void *_call)
+ gdt[0x40 / 8] = bad_bios_desc;
+ 
+ apm_irq_save(flags);
++ firmware_restrict_branch_speculation_start();
+ APM_DO_SAVE_SEGS;
+ apm_bios_call_asm(call->func, call->ebx, call->ecx,
+ &call->eax, &call->ebx, &call->ecx, &call->edx,
+ &call->esi);
+ APM_DO_RESTORE_SEGS;
++ firmware_restrict_branch_speculation_end();
+ apm_irq_restore(flags);
+ gdt[0x40 / 8] = save_desc_40;
+ put_cpu();
+@@ -690,10 +693,12 @@ static long __apm_bios_call_simple(void
+ gdt[0x40 / 8] = bad_bios_desc;
+ 
+ apm_irq_save(flags);
++ firmware_restrict_branch_speculation_start();
+ APM_DO_SAVE_SEGS;
+ error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx,
+ &call->eax);
+ APM_DO_RESTORE_SEGS;
++ firmware_restrict_branch_speculation_end();
+ apm_irq_restore(flags);
+ gdt[0x40 / 8] = save_desc_40;
+ put_cpu();
diff --git a/queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch b/queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
new file mode 100644
index 00000000000..4160e6c979b
--- /dev/null
+++ b/queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
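Review bot: With `firmware_restrict_branch_speculation_start()/end()` removed from the inline helpers in `arch/x86/include/asm/apm.h`, the header no longer guarantees that a BIOS call runs with branch speculation restricted; only the two callers in apm_32.c re-add the bracket, so any other or future caller of `apm_bios_call_asm()` or `apm_bios_call_simple_asm()` silently loses the mitigation. Making that contract explicit in the header would prevent a repeat, e.g. above each helper: `/* Caller must bracket this call with firmware_restrict_branch_speculation_{start,end}(), placed outside APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS so fs is valid when speculation is re-enabled; see __apm_bios_call(). */`. The removed `#include` in apm.h and the added one in apm_32.c lost their header names in rendering, so other includers of apm.h that relied on that header transitively should be checked against the upstream patch before applying.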
@@ -0,0 +1,56 @@
+From 2c991e408df6a407476dbc453d725e1e975479e7 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins
+Date: Sat, 14 Jul 2018 12:58:07 -0700
+Subject: x86/events/intel/ds: Fix bts_interrupt_threshold alignment
+
+From: Hugh Dickins
+
+commit 2c991e408df6a407476dbc453d725e1e975479e7 upstream.
+
+Markus reported that BTS is sporadically missing the tail of the trace
+in the perf_event data buffer: [decode error (1): instruction overflow]
+shown in GDB; and bisected it to the conversion of debug_store to PTI.
+
+A little "optimization" crept into alloc_bts_buffer(), which mistakenly
+placed bts_interrupt_threshold away from the 24-byte record boundary.
+Intel SDM Vol 3B 17.4.9 says "This address must point to an offset from
+the BTS buffer base that is a multiple of the BTS record size."
+
+Revert "max" from a byte count to a record count, to calculate the
+bts_interrupt_threshold correctly: which turns out to fix problem seen.
+
+Fixes: c1961a4631da ("x86/events/intel/ds: Map debug buffers in cpu_entry_area")
+Reported-and-tested-by: Markus T Metzger
+Signed-off-by: Hugh Dickins
+Signed-off-by: Thomas Gleixner
+Cc: Peter Zijlstra
+Cc: Arnaldo Carvalho de Melo
+Cc: Alexander Shishkin
+Cc: Andi Kleen
+Cc: Dave Hansen
+Cc: Stephane Eranian
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lkml.kernel.org/r/alpine.LSU.2.11.1807141248290.1614@eggly.anvils
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/events/intel/ds.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -408,9 +408,11 @@ static int alloc_bts_buffer(int cpu)
+ ds->bts_buffer_base = (unsigned long) cea;
+ ds_update_cea(cea, buffer, BTS_BUFFER_SIZE, PAGE_KERNEL);
+ ds->bts_index = ds->bts_buffer_base;
+- max = BTS_RECORD_SIZE * (BTS_BUFFER_SIZE / BTS_RECORD_SIZE);
+- ds->bts_absolute_maximum = ds->bts_buffer_base + max;
+- ds->bts_interrupt_threshold = ds->bts_absolute_maximum - (max / 16);
++ max = BTS_BUFFER_SIZE / BTS_RECORD_SIZE;
++ ds->bts_absolute_maximum = ds->bts_buffer_base +
++ max * BTS_RECORD_SIZE;
++ ds->bts_interrupt_threshold = ds->bts_absolute_maximum -
++ (max / 16) * BTS_RECORD_SIZE;
+ return 0;
+ }
+ 
diff --git a/queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch b/queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch
new file mode 100644
index 00000000000..48f57e65d7e
--- /dev/null
+++ b/queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch
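Review bot: The rewritten arithmetic depends on `max` being a record count and on `(max / 16) * BTS_RECORD_SIZE` being a whole number of records, which is what puts `bts_interrupt_threshold` back on a record boundary; nothing at the site records that requirement, so the next "optimization" can reintroduce the same bug. A comment above the first rewritten line would pin it: `/* max is a record count: bts_interrupt_threshold must be a multiple of BTS_RECORD_SIZE from the buffer base (Intel SDM Vol 3B 17.4.9). */`. The declaration of `max` is outside the hunk, so its type should be confirmed to hold `max * BTS_RECORD_SIZE` without overflow for the current constants. `alloc_bts_buffer()` begins before the hunk.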
@@ -0,0 +1,94 @@
+From b062b794c7831a70bda4dfac202c1a9418e06ac0 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Wed, 11 Jul 2018 19:37:18 +0200
+Subject: x86/kvm/vmx: don't read current->thread.{fs,gs}base of legacy tasks
+
+From: Vitaly Kuznetsov
+
+commit b062b794c7831a70bda4dfac202c1a9418e06ac0 upstream.
+
+When we switched from doing rdmsr() to reading FS/GS base values from
+current->thread we completely forgot about legacy 32-bit userspaces which
+we still support in KVM (why?). task->thread.{fsbase,gsbase} are only
+synced for 64-bit processes, calling save_fsgs_for_kvm() and using
+its result from current is illegal for legacy processes.
+
+There's no ARCH_SET_FS/GS prctls for legacy applications. Base MSRs are,
+however, not always equal to zero. Intel's manual says (3.4.4 Segment
+Loading Instructions in IA-32e Mode):
+
+"In order to set up compatibility mode for an application, segment-load
+instructions (MOV to Sreg, POP Sreg) work normally in 64-bit mode. An
+entry is read from the system descriptor table (GDT or LDT) and is loaded
+in the hidden portion of the segment register.
+...
+The hidden descriptor register fields for FS.base and GS.base are
+physically mapped to MSRs in order to load all address bits supported by
+a 64-bit implementation.
+"
+
+The issue was found by strace test suite where 32-bit ioctl_kvm_run test
+started segfaulting.
+
+Reported-by: Dmitry V. 
Levin
+Bisected-by: Masatake YAMATO
+Fixes: 42b933b59721 ("x86/kvm/vmx: read MSR_{FS,KERNEL_GS}_BASE from current->thread")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2376,6 +2376,7 @@ static void vmx_save_host_state(struct k
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ #ifdef CONFIG_X86_64
+ int cpu = raw_smp_processor_id();
++ unsigned long fs_base, kernel_gs_base;
+ #endif
+ int i;
+
+@@ -2391,12 +2392,20 @@ static void vmx_save_host_state(struct k
+ vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
+
+ #ifdef CONFIG_X86_64
+- save_fsgs_for_kvm();
+- vmx->host_state.fs_sel = current->thread.fsindex;
+- vmx->host_state.gs_sel = current->thread.gsindex;
+-#else
+- savesegment(fs, vmx->host_state.fs_sel);
+- savesegment(gs, vmx->host_state.gs_sel);
++ if (likely(is_64bit_mm(current->mm))) {
++ save_fsgs_for_kvm();
++ vmx->host_state.fs_sel = current->thread.fsindex;
++ vmx->host_state.gs_sel = current->thread.gsindex;
++ fs_base = current->thread.fsbase;
++ kernel_gs_base = current->thread.gsbase;
++ } else {
++#endif
++ savesegment(fs, vmx->host_state.fs_sel);
++ savesegment(gs, vmx->host_state.gs_sel);
++#ifdef CONFIG_X86_64
++ fs_base = read_msr(MSR_FS_BASE);
++ kernel_gs_base = read_msr(MSR_KERNEL_GS_BASE);
++ }
+ #endif
+ if (!(vmx->host_state.fs_sel & 7)) {
+ vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
+@@ -2416,10 +2425,10 @@ static void vmx_save_host_state(struct k
+ savesegment(ds, vmx->host_state.ds_sel);
+ savesegment(es, vmx->host_state.es_sel);
+
+- vmcs_writel(HOST_FS_BASE, current->thread.fsbase);
++ vmcs_writel(HOST_FS_BASE, fs_base);
+ vmcs_writel(HOST_GS_BASE, cpu_kernelmode_gs_base(cpu));
+
+- vmx->msr_host_kernel_gs_base = current->thread.gsbase;
++ 
vmx->msr_host_kernel_gs_base = kernel_gs_base;
+ if (is_long_mode(&vmx->vcpu))
+ wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+ #else
diff --git a/queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch b/queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch
new file mode 100644
index 00000000000..2ddfbff265d
--- /dev/null
+++ b/queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch 
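Review bot: The legacy-task branch in vmx_save_host_state() carries no comment saying why it reads MSR_FS_BASE/MSR_KERNEL_GS_BASE instead of current->thread, and the `if`/`else` braces now open and close across `#ifdef CONFIG_X86_64`/`#endif`, which is easy to misread when either arm is edited later. A comment on the `} else {` line would carry the reason from the commit message into the code: `/* thread.{fs,gs}base are only kept in sync for 64-bit tasks; a legacy (32-bit) task's bases exist only in the MSRs */`. The values chosen here are written to HOST_FS_BASE and msr_host_kernel_gs_base, i.e. what the host runs with after VM-exit, so picking the wrong arm affects host state rather than just the guest. `is_64bit_mm(current->mm)` presumably needs a user mm; that looks safe for a vCPU ioctl caller but is worth confirming, and the function's `#else` arm continues past the end of the hunk.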
@@ -0,0 +1,66 @@
+From 94ffba484663ab3fc695ce2a34871e8c3db499f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Sun, 15 Jul 2018 17:43:11 +0200
+Subject: x86/kvmclock: set pvti_cpu0_va after enabling kvmclock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář
+
+commit 94ffba484663ab3fc695ce2a34871e8c3db499f7 upstream.
+
+pvti_cpu0_va is the address of shared kvmclock data structure.
+
+pvti_cpu0_va is currently kept unset (1) on 32 bit systems, (2) when
+kvmclock vsyscall is disabled, and (3) if kvmclock is not stable.
+This poses a problem, because kvm_ptp needs pvti_cpu0_va, but (1) can
+work on 32 bit, (2) has little relation to the vsyscall, and (3) does
+not need stable kvmclock (although kvmclock won't be used for system
+clock if it's not stable, so kvm_ptp is pointless in that case).
+
+Expose pvti_cpu0_va whenever kvmclock is enabled to allow all users to
+work with it.
+
+This fixes a regression found on Gentoo: https://bugs.gentoo.org/658544. 
+
+Fixes: 9f08890ab906 ("x86/pvclock: add setter for pvclock_pvti_cpu0_va")
+Cc: stable@vger.kernel.org
+Reported-by: Andreas Steinmetz
+Signed-off-by: Radim Krčmář
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/kvmclock.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -319,6 +319,8 @@ void __init kvmclock_init(void)
+ printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
+ msr_kvm_system_time, msr_kvm_wall_clock);
+
++ pvclock_set_pvti_cpu0_va(hv_clock);
++
+ if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
+ pvclock_set_flags(PVCLOCK_TSC_STABLE_BIT);
+
+@@ -366,14 +368,11 @@ int __init kvm_setup_vsyscall_timeinfo(v
+ vcpu_time = &hv_clock[cpu].pvti;
+ flags = pvclock_read_flags(vcpu_time);
+
+- if (!(flags & PVCLOCK_TSC_STABLE_BIT)) {
+- put_cpu();
+- return 1;
+- }
+-
+- pvclock_set_pvti_cpu0_va(hv_clock);
+ put_cpu();
+
++ if (!(flags & PVCLOCK_TSC_STABLE_BIT))
++ return 1;
++
+ kvm_clock.archdata.vclock_mode = VCLOCK_PVCLOCK;
+ #endif
+ return 0;
diff --git a/queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch b/queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch
new file mode 100644
index 00000000000..e638f1f1db3
--- /dev/null
+++ b/queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch 
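Review bot: Nothing at the new `pvclock_set_pvti_cpu0_va(hv_clock);` call in kvmclock_init() records that it is deliberately placed ahead of the PVCLOCK_TSC_STABLE_BIT check and decoupled from kvm_setup_vsyscall_timeinfo(), which is exactly the coupling the removed lines had. A one-line comment would keep it from being moved back behind a stability test: `/* expose pvti_cpu0_va to every user (kvm_ptp included) whenever kvmclock is enabled; the vclock_mode assignment in kvm_setup_vsyscall_timeinfo() still depends on TSC stability */`. In kvm_setup_vsyscall_timeinfo() the `put_cpu()` now precedes the stable-bit test, which is fine because `flags` was read on the preceding context line before the CPU is released. Both functions start outside the hunk, so the get_cpu() pairing and the surrounding `#ifdef` are not visible here.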
@@ -0,0 +1,44 @@
+From fbdb328c6bae0a7c78d75734a738b66b86dffc96 Mon Sep 17 00:00:00 2001
+From: Dewet Thibaut
+Date: Mon, 16 Jul 2018 10:49:27 +0200
+Subject: x86/MCE: Remove min interval polling limitation
+
+From: Dewet Thibaut
+
+commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream.
+
+commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min
+interval limitation when setting the check interval for polled MCEs.
+However, the logic is that 0 disables polling for corrected MCEs, see
+Documentation/x86/x86_64/machinecheck. The limitation prevents disabling.
+
+Remove this limitation and allow the value 0 to disable polling again.
+
+Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes")
+Signed-off-by: Dewet Thibaut
+Signed-off-by: Alexander Sverdlin
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov
+Signed-off-by: Thomas Gleixner
+Cc: Tony Luck
+Cc: linux-edac
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -2147,9 +2147,6 @@ static ssize_t store_int_with_restart(st
+ if (check_interval == old_check_interval)
+ return ret;
+
+- if (check_interval < 1)
+- check_interval = 1;
+-
+ mutex_lock(&mce_sysfs_mutex);
+ mce_restart();
+ mutex_unlock(&mce_sysfs_mutex);
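Review bot: Dropping the lower clamp admits every value the store helper accepts, not only 0, so if `check_interval` is a signed int and the helper invoked above the hunk does not reject negative input, a negative interval now reaches mce_restart() with no documented meaning (the commit message gives 0 = disabled, otherwise a positive interval). Consider refusing it before restarting, e.g. `if (check_interval < 0) { check_interval = old_check_interval; return -EINVAL; }`, or confirm that the store path already rejects negatives. The attribute is a privileged sysfs knob, so the exposure is misconfiguration rather than an attack surface, but a silently accepted bad interval would quietly stop corrected-error polling. store_int_with_restart() begins, and its final `return ret;` lies, outside the hunk.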