From: Greg Kroah-Hartman Date: Mon, 3 Jul 2017 07:57:34 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.60~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee1eadbaa62d40999cf6f86291510cebdc0d8ea4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: alsa-hda-fix-endless-loop-of-codec-configure.patch alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch gpiolib-fix-filtering-out-unwanted-events.patch mips-avoid-accidental-raw-backtrace.patch mips-fix-irq-tracing-lockdep-when-rescheduling.patch mips-head-reorder-instructions-missing-a-delay-slot.patch mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch ovl-copy-up-don-t-unlock-between-lookup-and-link.patch perf-x86-intel-uncore-fix-wrong-box-pointer-check.patch revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch x86-intel_rdt-fix-memory-leak-on-mount-failure.patch --- diff --git a/queue-4.11/alsa-hda-fix-endless-loop-of-codec-configure.patch b/queue-4.11/alsa-hda-fix-endless-loop-of-codec-configure.patch new file mode 100644 index 00000000000..b63653c8ee0 --- /dev/null +++ b/queue-4.11/alsa-hda-fix-endless-loop-of-codec-configure.patch @@ -0,0 +1,61 @@ +From d94815f917da770d42c377786dc428f542e38f71 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 28 Jun 2017 12:02:02 +0200 +Subject: ALSA: hda - Fix endless loop of codec configure + +From: Takashi Iwai + +commit d94815f917da770d42c377786dc428f542e38f71 upstream. + +azx_codec_configure() loops over the codecs found on the given +controller via a linked list. The code used to work in the past, but +in the current version, this may lead to an endless loop when a codec +binding returns an error. + +The culprit is that the snd_hda_codec_configure() unregisters the +device upon error, and this eventually deletes the given codec object +from the bus. Since the list is initialized via list_del_init(), the +next object points to the same device itself. This behavior change +was introduced at splitting the HD-audio code code, and forgotten to +adapt it here. + +For fixing this bug, just use a *_safe() version of list iteration. + +Fixes: d068ebc25e6e ("ALSA: hda - Move some codes up to hdac_bus struct") +Reported-by: Daniel Vetter +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.h | 2 ++ + sound/pci/hda/hda_controller.c | 8 ++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_codec.h ++++ b/sound/pci/hda/hda_codec.h +@@ -294,6 +294,8 @@ struct hda_codec { + + #define list_for_each_codec(c, bus) \ + list_for_each_entry(c, &(bus)->core.codec_list, core.list) ++#define list_for_each_codec_safe(c, n, bus) \ ++ list_for_each_entry_safe(c, n, &(bus)->core.codec_list, core.list) + + /* snd_hda_codec_read/write optional flags */ + #define HDA_RW_NO_RESPONSE_FALLBACK (1 << 0) +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1337,8 +1337,12 @@ EXPORT_SYMBOL_GPL(azx_probe_codecs); + /* configure each codec instance */ + int azx_codec_configure(struct azx *chip) + { +- struct hda_codec *codec; +- list_for_each_codec(codec, &chip->bus) { ++ struct hda_codec *codec, *next; ++ ++ /* use _safe version here since snd_hda_codec_configure() deregisters ++ * the device upon error and deletes itself from the bus list. ++ */ ++ list_for_each_codec_safe(codec, next, &chip->bus) { + snd_hda_codec_configure(codec); + } + return 0; diff --git a/queue-4.11/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch b/queue-4.11/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch new file mode 100644 index 00000000000..d6aaf2995a3 --- /dev/null +++ b/queue-4.11/alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch @@ -0,0 +1,42 @@ +From a8f20fd25bdce81a8e41767c39f456d346b63427 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 28 Jun 2017 08:59:16 +0800 +Subject: ALSA: hda - set input_path bitmap to zero after moving it to new place + +From: Hui Wang + +commit a8f20fd25bdce81a8e41767c39f456d346b63427 upstream. + +Recently we met a problem, the codec has valid adcs and input pins, +and they can form valid input paths, but the driver does not build +valid controls for them like "Mic boost", "Capture Volume" and +"Capture Switch". + +Through debugging, I found the driver needs to shrink the invalid +adcs and input paths for this machine, so it will move the whole +column bitmap value to the previous column, after moving it, the +driver forgets to set the original column bitmap value to zero, as a +result, the driver will invalidate the path whose index value is the +original colume bitmap value. After executing this function, all +valid input paths are invalidated by a mistake, there are no any +valid input paths, so the driver won't build controls for them. + +Fixes: 3a65bcdc577a ("ALSA: hda - Fix inconsistent input_paths after ADC reduction") +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_generic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/hda_generic.c ++++ b/sound/pci/hda/hda_generic.c +@@ -3169,6 +3169,7 @@ static int check_dyn_adc_switch(struct h + spec->input_paths[i][nums]); + spec->input_paths[i][nums] = + spec->input_paths[i][n]; ++ spec->input_paths[i][n] = 0; + } + } + nums++; diff --git a/queue-4.11/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch b/queue-4.11/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch new file mode 100644 index 00000000000..4e31ed1a56f --- /dev/null +++ b/queue-4.11/dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch @@ -0,0 +1,122 @@ +From 00a0ea33b495ee6149bf5a77ac5807ce87323abb Mon Sep 17 00:00:00 2001 +From: Vallish Vaidyeshwara +Date: Fri, 23 Jun 2017 18:53:06 +0000 +Subject: dm thin: do not queue freed thin mapping for next stage processing + +From: Vallish Vaidyeshwara + +commit 00a0ea33b495ee6149bf5a77ac5807ce87323abb upstream. + +process_prepared_discard_passdown_pt1() should cleanup +dm_thin_new_mapping in cases of error. + +dm_pool_inc_data_range() can fail trying to get a block reference: + +metadata operation 'dm_pool_inc_data_range' failed: error = -61 + +When dm_pool_inc_data_range() fails, dm thin aborts current metadata +transaction and marks pool as PM_READ_ONLY. Memory for thin mapping +is released as well. However, current thin mapping will be queued +onto next stage as part of queue_passdown_pt2() or passdown_endio(). +This dangling thin mapping memory when processed and accessed in +next stage will lead to device mapper crashing. + +Code flow without fix: +-> process_prepared_discard_passdown_pt1(m) + -> dm_thin_remove_range() + -> discard passdown + --> passdown_endio(m) queues m onto next stage + -> dm_pool_inc_data_range() fails, frees memory m + but does not remove it from next stage queue + +-> process_prepared_discard_passdown_pt2(m) + -> processes freed memory m and crashes + +One such stack: + +Call Trace: +[] dm_cell_release_no_holder+0x2f/0x70 [dm_bio_prison] +[] cell_defer_no_holder+0x3c/0x80 [dm_thin_pool] +[] process_prepared_discard_passdown_pt2+0x4b/0x90 [dm_thin_pool] +[] process_prepared+0x81/0xa0 [dm_thin_pool] +[] do_worker+0xc5/0x820 [dm_thin_pool] +[] ? __schedule+0x244/0x680 +[] ? pwq_activate_delayed_work+0x42/0xb0 +[] process_one_work+0x153/0x3f0 +[] worker_thread+0x12b/0x4b0 +[] ? rescuer_thread+0x350/0x350 +[] kthread+0xca/0xe0 +[] ? kthread_park+0x60/0x60 +[] ret_from_fork+0x25/0x30 + +The fix is to first take the block ref count for discarded block and +then do a passdown discard of this block. If block ref count fails, +then bail out aborting current metadata transaction, mark pool as +PM_READ_ONLY and also free current thin mapping memory (existing error +handling code) without queueing this thin mapping onto next stage of +processing. If block ref count succeeds, then passdown discard of this +block. Discard callback of passdown_endio() will queue this thin mapping +onto next stage of processing. + +Code flow with fix: +-> process_prepared_discard_passdown_pt1(m) + -> dm_thin_remove_range() + -> dm_pool_inc_data_range() + --> if fails, free memory m and bail out + -> discard passdown + --> passdown_endio(m) queues m onto next stage + +Reviewed-by: Eduardo Valentin +Reviewed-by: Cristian Gafton +Reviewed-by: Anchal Agarwal +Signed-off-by: Vallish Vaidyeshwara +Reviewed-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1094,6 +1094,19 @@ static void process_prepared_discard_pas + return; + } + ++ /* ++ * Increment the unmapped blocks. This prevents a race between the ++ * passdown io and reallocation of freed blocks. ++ */ ++ r = dm_pool_inc_data_range(pool->pmd, m->data_block, data_end); ++ if (r) { ++ metadata_operation_failed(pool, "dm_pool_inc_data_range", r); ++ bio_io_error(m->bio); ++ cell_defer_no_holder(tc, m->cell); ++ mempool_free(m, pool->mapping_pool); ++ return; ++ } ++ + discard_parent = bio_alloc(GFP_NOIO, 1); + if (!discard_parent) { + DMWARN("%s: unable to allocate top level discard bio for passdown. Skipping passdown.", +@@ -1114,19 +1127,6 @@ static void process_prepared_discard_pas + end_discard(&op, r); + } + } +- +- /* +- * Increment the unmapped blocks. This prevents a race between the +- * passdown io and reallocation of freed blocks. +- */ +- r = dm_pool_inc_data_range(pool->pmd, m->data_block, data_end); +- if (r) { +- metadata_operation_failed(pool, "dm_pool_inc_data_range", r); +- bio_io_error(m->bio); +- cell_defer_no_holder(tc, m->cell); +- mempool_free(m, pool->mapping_pool); +- return; +- } + } + + static void process_prepared_discard_passdown_pt2(struct dm_thin_new_mapping *m) diff --git a/queue-4.11/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch b/queue-4.11/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch new file mode 100644 index 00000000000..5309e48f8ee --- /dev/null +++ b/queue-4.11/drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch @@ -0,0 +1,35 @@ +From 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a Mon Sep 17 00:00:00 2001 +From: Deepak Rawat +Date: Mon, 26 Jun 2017 14:39:08 +0200 +Subject: drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr + +From: Deepak Rawat + +commit 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a upstream. + +The hash table created during vmw_cmdbuf_res_man_create was +never freed. This causes memory leak in context creation. +Added the corresponding drm_ht_remove in vmw_cmdbuf_res_man_destroy. + +Tested for memory leak by running piglit overnight and kernel +memory is not inflated which earlier was. + +Signed-off-by: Deepak Rawat +Reviewed-by: Sinclair Yeh +Signed-off-by: Thomas Hellstrom +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -321,6 +321,7 @@ void vmw_cmdbuf_res_man_destroy(struct v + list_for_each_entry_safe(entry, next, &man->list, head) + vmw_cmdbuf_res_free(man, entry); + ++ drm_ht_remove(&man->resources); + kfree(man); + } + diff --git a/queue-4.11/gpiolib-fix-filtering-out-unwanted-events.patch b/queue-4.11/gpiolib-fix-filtering-out-unwanted-events.patch new file mode 100644 index 00000000000..4060a346c3e --- /dev/null +++ b/queue-4.11/gpiolib-fix-filtering-out-unwanted-events.patch @@ -0,0 +1,38 @@ +From ad537b822577fcc143325786cd6ad50d7b9df31c Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 23 Jun 2017 13:45:16 +0200 +Subject: gpiolib: fix filtering out unwanted events + +From: Bartosz Golaszewski + +commit ad537b822577fcc143325786cd6ad50d7b9df31c upstream. + +GPIOEVENT_REQUEST_BOTH_EDGES is not a single flag, but a binary OR of +GPIOEVENT_REQUEST_RISING_EDGE and GPIOEVENT_REQUEST_FALLING_EDGE. + +The expression 'le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES' we'll get +evaluated to true even if only one event type was requested. + +Fix it by checking both RISING & FALLING flags explicitly. + +Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events") +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -708,7 +708,8 @@ static irqreturn_t lineevent_irq_thread( + + ge.timestamp = ktime_get_real_ns(); + +- if (le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES) { ++ if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE ++ && le->eflags & GPIOEVENT_REQUEST_FALLING_EDGE) { + int level = gpiod_get_value_cansleep(le->desc); + + if (level) diff --git a/queue-4.11/mips-avoid-accidental-raw-backtrace.patch b/queue-4.11/mips-avoid-accidental-raw-backtrace.patch new file mode 100644 index 00000000000..37991f85495 --- /dev/null +++ b/queue-4.11/mips-avoid-accidental-raw-backtrace.patch @@ -0,0 +1,45 @@ +From 854236363370995a609a10b03e35fd3dc5e9e4a1 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 29 Jun 2017 15:05:04 +0100 +Subject: MIPS: Avoid accidental raw backtrace + +From: James Hogan + +commit 854236363370995a609a10b03e35fd3dc5e9e4a1 upstream. + +Since commit 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with +usermode") show_backtrace() invokes the raw backtracer when +cp0_status & ST0_KSU indicates user mode to fix issues on EVA kernels +where user and kernel address spaces overlap. + +However this is used by show_stack() which creates its own pt_regs on +the stack and leaves cp0_status uninitialised in most of the code paths. +This results in the non deterministic use of the raw back tracer +depending on the previous stack content. + +show_stack() deals exclusively with kernel mode stacks anyway, so +explicitly initialise regs.cp0_status to KSU_KERNEL (i.e. 0) to ensure +we get a useful backtrace. + +Fixes: 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with usermode") +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16656/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/traps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -201,6 +201,8 @@ void show_stack(struct task_struct *task + { + struct pt_regs regs; + mm_segment_t old_fs = get_fs(); ++ ++ regs.cp0_status = KSU_KERNEL; + if (sp) { + regs.regs[29] = (unsigned long)sp; + regs.regs[31] = 0; diff --git a/queue-4.11/mips-fix-irq-tracing-lockdep-when-rescheduling.patch b/queue-4.11/mips-fix-irq-tracing-lockdep-when-rescheduling.patch new file mode 100644 index 00000000000..5e7a1cf1cfb --- /dev/null +++ b/queue-4.11/mips-fix-irq-tracing-lockdep-when-rescheduling.patch @@ -0,0 +1,109 @@ +From d8550860d910c6b7b70f830f59003b33daaa52c9 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 3 Mar 2017 15:26:05 -0800 +Subject: MIPS: Fix IRQ tracing & lockdep when rescheduling + +From: Paul Burton + +commit d8550860d910c6b7b70f830f59003b33daaa52c9 upstream. + +When the scheduler sets TIF_NEED_RESCHED & we call into the scheduler +from arch/mips/kernel/entry.S we disable interrupts. This is true +regardless of whether we reach work_resched from syscall_exit_work, +resume_userspace or by looping after calling schedule(). Although we +disable interrupts in these paths we don't call trace_hardirqs_off() +before calling into C code which may acquire locks, and we therefore +leave lockdep with an inconsistent view of whether interrupts are +disabled or not when CONFIG_PROVE_LOCKING & CONFIG_DEBUG_LOCKDEP are +both enabled. + +Without tracing this interrupt state lockdep will print warnings such +as the following once a task returns from a syscall via +syscall_exit_partial with TIF_NEED_RESCHED set: + +[ 49.927678] ------------[ cut here ]------------ +[ 49.934445] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:3687 check_flags.part.41+0x1dc/0x1e8 +[ 49.946031] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled) +[ 49.946355] CPU: 0 PID: 1 Comm: init Not tainted 4.10.0-00439-gc9fd5d362289-dirty #197 +[ 49.963505] Stack : 0000000000000000 ffffffff81bb5d6a 0000000000000006 ffffffff801ce9c4 +[ 49.974431] 0000000000000000 0000000000000000 0000000000000000 000000000000004a +[ 49.985300] ffffffff80b7e487 ffffffff80a24498 a8000000ff160000 ffffffff80ede8b8 +[ 49.996194] 0000000000000001 0000000000000000 0000000000000000 0000000077c8030c +[ 50.007063] 000000007fd8a510 ffffffff801cd45c 0000000000000000 a8000000ff127c88 +[ 50.017945] 0000000000000000 ffffffff801cf928 0000000000000001 ffffffff80a24498 +[ 50.028827] 0000000000000000 0000000000000001 0000000000000000 0000000000000000 +[ 50.039688] 0000000000000000 a8000000ff127bd0 0000000000000000 ffffffff805509bc +[ 50.050575] 00000000140084e0 0000000000000000 0000000000000000 0000000000040a00 +[ 50.061448] 0000000000000000 ffffffff8010e1b0 0000000000000000 ffffffff805509bc +[ 50.072327] ... +[ 50.076087] Call Trace: +[ 50.079869] [] show_stack+0x80/0xa8 +[ 50.086577] [] dump_stack+0x10c/0x190 +[ 50.093498] [] __warn+0xf0/0x108 +[ 50.099889] [] warn_slowpath_fmt+0x3c/0x48 +[ 50.107241] [] check_flags.part.41+0x1dc/0x1e8 +[ 50.114961] [] lock_is_held_type+0x8c/0xb0 +[ 50.122291] [] __schedule+0x8c0/0x10f8 +[ 50.129221] [] schedule+0x30/0x98 +[ 50.135659] [] work_resched+0x8/0x34 +[ 50.142397] ---[ end trace 0cb4f6ef5b99fe21 ]--- +[ 50.148405] possible reason: unannotated irqs-off. +[ 50.154600] irq event stamp: 400463 +[ 50.159566] hardirqs last enabled at (400463): [] _raw_spin_unlock_irqrestore+0x40/0xa8 +[ 50.171981] hardirqs last disabled at (400462): [] _raw_spin_lock_irqsave+0x30/0xb0 +[ 50.183897] softirqs last enabled at (400450): [] __do_softirq+0x4ac/0x6a8 +[ 50.195015] softirqs last disabled at (400425): [] irq_exit+0x110/0x128 + +Fix this by using the TRACE_IRQS_OFF macro to call trace_hardirqs_off() +when CONFIG_TRACE_IRQFLAGS is enabled. This is done before invoking +schedule() following the work_resched label because: + + 1) Interrupts are disabled regardless of the path we take to reach + work_resched() & schedule(). + + 2) Performing the tracing here avoids the need to do it in paths which + disable interrupts but don't call out to C code before hitting a + path which uses the RESTORE_SOME macro that will call + trace_hardirqs_on() or trace_hardirqs_off() as appropriate. + +We call trace_hardirqs_on() using the TRACE_IRQS_ON macro before calling +syscall_trace_leave() for similar reasons, ensuring that lockdep has a +consistent view of state after we re-enable interrupts. + +Signed-off-by: Paul Burton +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15385/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/entry.S | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/mips/kernel/entry.S ++++ b/arch/mips/kernel/entry.S +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -119,6 +120,7 @@ work_pending: + andi t0, a2, _TIF_NEED_RESCHED # a2 is preloaded with TI_FLAGS + beqz t0, work_notifysig + work_resched: ++ TRACE_IRQS_OFF + jal schedule + + local_irq_disable # make sure need_resched and +@@ -155,6 +157,7 @@ syscall_exit_work: + beqz t0, work_pending # trace bit set? + local_irq_enable # could let syscall_trace_leave() + # call schedule() instead ++ TRACE_IRQS_ON + move a0, sp + jal syscall_trace_leave + b resume_userspace diff --git a/queue-4.11/mips-head-reorder-instructions-missing-a-delay-slot.patch b/queue-4.11/mips-head-reorder-instructions-missing-a-delay-slot.patch new file mode 100644 index 00000000000..324c38632b8 --- /dev/null +++ b/queue-4.11/mips-head-reorder-instructions-missing-a-delay-slot.patch @@ -0,0 +1,41 @@ +From 25d8b92e0af75d72ce8b99e63e5a449cc0888efa Mon Sep 17 00:00:00 2001 +From: Karl Beldan +Date: Tue, 27 Jun 2017 19:22:16 +0000 +Subject: MIPS: head: Reorder instructions missing a delay slot + +From: Karl Beldan + +commit 25d8b92e0af75d72ce8b99e63e5a449cc0888efa upstream. + +In this sequence the 'move' is assumed in the delay slot of the 'beq', +but head.S is in reorder mode and the former gets pushed one 'nop' +farther by the assembler. + +The corrected behavior made booting with an UHI supplied dtb erratic. + +Fixes: 15f37e158892 ("MIPS: store the appended dtb address in a variable") +Signed-off-by: Karl Beldan +Reviewed-by: James Hogan +Cc: Jonas Gorski +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16614/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/head.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/head.S ++++ b/arch/mips/kernel/head.S +@@ -106,8 +106,8 @@ NESTED(kernel_entry, 16, sp) # kernel + beq t0, t1, dtb_found + #endif + li t1, -2 +- beq a0, t1, dtb_found + move t2, a1 ++ beq a0, t1, dtb_found + + li t2, 0 + dtb_found: diff --git a/queue-4.11/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch b/queue-4.11/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch new file mode 100644 index 00000000000..61e8c5cb1f7 --- /dev/null +++ b/queue-4.11/mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch @@ -0,0 +1,74 @@ +From 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 2 Mar 2017 14:02:40 -0800 +Subject: MIPS: pm-cps: Drop manual cache-line alignment of ready_count + +From: Paul Burton + +commit 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503 upstream. + +We allocate memory for a ready_count variable per-CPU, which is accessed +via a cached non-coherent TLB mapping to perform synchronisation between +threads within the core using LL/SC instructions. In order to ensure +that the variable is contained within its own data cache line we +allocate 2 lines worth of memory & align the resulting pointer to a line +boundary. This is however unnecessary, since kmalloc is guaranteed to +return memory which is at least cache-line aligned (see +ARCH_DMA_MINALIGN). Stop the redundant manual alignment. + +Besides cleaning up the code & avoiding needless work, this has the side +effect of avoiding an arithmetic error found by Bryan on 64 bit systems +due to the 32 bit size of the former dlinesz. This led the ready_count +variable to have its upper 32b cleared erroneously for MIPS64 kernels, +causing problems when ready_count was later used on MIPS64 via cpuidle. + +Signed-off-by: Paul Burton +Fixes: 3179d37ee1ed ("MIPS: pm-cps: add PM state entry code for CPS systems") +Reported-by: Bryan O'Donoghue +Reviewed-by: Bryan O'Donoghue +Tested-by: Bryan O'Donoghue +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15383/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/pm-cps.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/arch/mips/kernel/pm-cps.c ++++ b/arch/mips/kernel/pm-cps.c +@@ -56,7 +56,6 @@ DECLARE_BITMAP(state_support, CPS_PM_STA + * state. Actually per-core rather than per-CPU. + */ + static DEFINE_PER_CPU_ALIGNED(u32*, ready_count); +-static DEFINE_PER_CPU_ALIGNED(void*, ready_count_alloc); + + /* Indicates online CPUs coupled with the current CPU */ + static DEFINE_PER_CPU_ALIGNED(cpumask_t, online_coupled); +@@ -642,7 +641,6 @@ static int cps_pm_online_cpu(unsigned in + { + enum cps_pm_state state; + unsigned core = cpu_data[cpu].core; +- unsigned dlinesz = cpu_data[cpu].dcache.linesz; + void *entry_fn, *core_rc; + + for (state = CPS_PM_NC_WAIT; state < CPS_PM_STATE_COUNT; state++) { +@@ -662,16 +660,11 @@ static int cps_pm_online_cpu(unsigned in + } + + if (!per_cpu(ready_count, core)) { +- core_rc = kmalloc(dlinesz * 2, GFP_KERNEL); ++ core_rc = kmalloc(sizeof(u32), GFP_KERNEL); + if (!core_rc) { + pr_err("Failed allocate core %u ready_count\n", core); + return -ENOMEM; + } +- per_cpu(ready_count_alloc, core) = core_rc; +- +- /* Ensure ready_count is aligned to a cacheline boundary */ +- core_rc += dlinesz - 1; +- core_rc = (void *)((unsigned long)core_rc & ~(dlinesz - 1)); + per_cpu(ready_count, core) = core_rc; + } + diff --git a/queue-4.11/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch b/queue-4.11/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch new file mode 100644 index 00000000000..70b3e5b24bc --- /dev/null +++ b/queue-4.11/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch @@ -0,0 +1,41 @@ +From bd171930e6a3de4f5cffdafbb944e50093dfb59b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 27 Jun 2017 17:33:38 -0400 +Subject: NFSv4.1: Fix a race in nfs4_proc_layoutget + +From: Trond Myklebust + +commit bd171930e6a3de4f5cffdafbb944e50093dfb59b upstream. + +If the task calling layoutget is signalled, then it is possible for the +calls to nfs4_sequence_free_slot() and nfs4_layoutget_prepare() to race, +in which case we leak a slot. +The fix is to move the call to nfs4_sequence_free_slot() into the +nfs4_layoutget_release() so that it gets called at task teardown time. + +Fixes: 2e80dbe7ac51 ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8430,6 +8430,7 @@ static void nfs4_layoutget_release(void + size_t max_pages = max_response_pages(server); + + dprintk("--> %s\n", __func__); ++ nfs4_sequence_free_slot(&lgp->res.seq_res); + nfs4_free_pages(lgp->args.layout.pages, max_pages); + pnfs_put_layout_hdr(NFS_I(inode)->layout); + put_nfs_open_context(lgp->args.ctx); +@@ -8504,7 +8505,6 @@ nfs4_proc_layoutget(struct nfs4_layoutge + /* if layoutp->len is 0, nfs4_layoutget_prepare called rpc_exit */ + if (status == 0 && lgp->res.layoutp->len) + lseg = pnfs_layout_process(lgp); +- nfs4_sequence_free_slot(&lgp->res.seq_res); + rpc_put_task(task); + dprintk("<-- %s status=%d\n", __func__, status); + if (status) diff --git a/queue-4.11/nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch b/queue-4.11/nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch new file mode 100644 index 00000000000..0215639b2f3 --- /dev/null +++ b/queue-4.11/nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch @@ -0,0 +1,36 @@ +From 501e7a4689378f8b1690089bfdd4f1e12ec22903 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 2 Jun 2017 11:21:34 -0400 +Subject: NFSv4.2: Don't send mode again in post-EXCLUSIVE4_1 SETATTR with umask + +From: Benjamin Coddington + +commit 501e7a4689378f8b1690089bfdd4f1e12ec22903 upstream. + +Now that we have umask support, we shouldn't re-send the mode in a SETATTR +following an exclusive CREATE, or we risk having the same problem fixed in +commit 5334c5bdac92 ("NFS: Send attributes in OPEN request for +NFS4_CREATE_EXCLUSIVE4_1"), which is that files with S_ISGID will have that +bit stripped away. + +Signed-off-by: Benjamin Coddington +Fixes: dff25ddb4808 ("nfs: add support for the umask attribute") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2588,7 +2588,8 @@ static inline void nfs4_exclusive_attrse + + /* Except MODE, it seems harmless of setting twice. */ + if (opendata->o_arg.createmode != NFS4_CREATE_EXCLUSIVE && +- attrset[1] & FATTR4_WORD1_MODE) ++ (attrset[1] & FATTR4_WORD1_MODE || ++ attrset[2] & FATTR4_WORD2_MODE_UMASK)) + sattr->ia_valid &= ~ATTR_MODE; + + if (attrset[2] & FATTR4_WORD2_SECURITY_LABEL) diff --git a/queue-4.11/ovl-copy-up-don-t-unlock-between-lookup-and-link.patch b/queue-4.11/ovl-copy-up-don-t-unlock-between-lookup-and-link.patch new file mode 100644 index 00000000000..a41e7ff4680 --- /dev/null +++ b/queue-4.11/ovl-copy-up-don-t-unlock-between-lookup-and-link.patch @@ -0,0 +1,85 @@ +From e85f82ff9b8ef503923a3be8ca6b5fd1908a7f3f Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 28 Jun 2017 13:41:22 +0200 +Subject: ovl: copy-up: don't unlock between lookup and link + +From: Miklos Szeredi + +commit e85f82ff9b8ef503923a3be8ca6b5fd1908a7f3f upstream. + +Nothing prevents mischief on upper layer while we are busy copying up the +data. + +Move the lookup right before the looked up dentry is actually used. + +Signed-off-by: Miklos Szeredi +Fixes: 01ad3eb8a073 ("ovl: concurrent copy up of regular files") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/copy_up.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -252,15 +252,9 @@ static int ovl_copy_up_locked(struct den + .link = link + }; + +- upper = lookup_one_len(dentry->d_name.name, upperdir, +- dentry->d_name.len); +- err = PTR_ERR(upper); +- if (IS_ERR(upper)) +- goto out; +- + err = security_inode_copy_up(dentry, &new_creds); + if (err < 0) +- goto out1; ++ goto out; + + if (new_creds) + old_creds = override_creds(new_creds); +@@ -284,7 +278,7 @@ static int ovl_copy_up_locked(struct den + } + + if (err) +- goto out2; ++ goto out; + + if (S_ISREG(stat->mode)) { + struct path upperpath; +@@ -317,6 +311,14 @@ static int ovl_copy_up_locked(struct den + if (err) + goto out_cleanup; + ++ upper = lookup_one_len(dentry->d_name.name, upperdir, ++ dentry->d_name.len); ++ if (IS_ERR(upper)) { ++ err = PTR_ERR(upper); ++ upper = NULL; ++ goto out_cleanup; ++ } ++ + if (tmpfile) + err = ovl_do_link(temp, udir, upper, true); + else +@@ -330,17 +332,15 @@ static int ovl_copy_up_locked(struct den + + /* Restore timestamps on parent (best effort) */ + ovl_set_timestamps(upperdir, pstat); +-out2: ++out: + dput(temp); +-out1: + dput(upper); +-out: + return err; + + out_cleanup: + if (!tmpfile) + ovl_cleanup(wdir, temp); +- goto out2; ++ goto out; + } + + /* diff --git a/queue-4.11/perf-x86-intel-uncore-fix-wrong-box-pointer-check.patch b/queue-4.11/perf-x86-intel-uncore-fix-wrong-box-pointer-check.patch new file mode 100644 index 00000000000..53f45dd5dfd --- /dev/null +++ b/queue-4.11/perf-x86-intel-uncore-fix-wrong-box-pointer-check.patch @@ -0,0 +1,36 @@ +From 80c65fdb4c6920e332a9781a3de5877594b07522 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Thu, 29 Jun 2017 12:09:26 -0700 +Subject: perf/x86/intel/uncore: Fix wrong box pointer check + +From: Kan Liang + +commit 80c65fdb4c6920e332a9781a3de5877594b07522 upstream. + +Should not init a NULL box. It will cause system crash. +The issue looks like caused by a typo. + +This was not noticed because there is no NULL box. Also, for most +boxes, they are enabled by default. The init code is not critical. + +Fixes: fff4b87e594a ("perf/x86/intel/uncore: Make package handling more robust") +Signed-off-by: Kan Liang +Signed-off-by: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170629190926.2456-1-kan.liang@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/uncore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/events/intel/uncore.c ++++ b/arch/x86/events/intel/uncore.c +@@ -1170,7 +1170,7 @@ static int uncore_event_cpu_online(unsig + pmu = type->pmus; + for (i = 0; i < type->num_boxes; i++, pmu++) { + box = pmu->boxes[pkg]; +- if (!box && atomic_inc_return(&box->refcnt) == 1) ++ if (box && atomic_inc_return(&box->refcnt) == 1) + uncore_box_init(box); + } + } diff --git a/queue-4.11/revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch b/queue-4.11/revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch new file mode 100644 index 00000000000..97ec21c4c9c --- /dev/null +++ b/queue-4.11/revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch @@ -0,0 +1,123 @@ +From d9f2950006f110f54444a10442752372ee568289 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 16 Jun 2017 11:12:59 -0400 +Subject: Revert "NFS: nfs_rename() handle -ERESTARTSYS dentry left behind" + +From: Benjamin Coddington + +commit d9f2950006f110f54444a10442752372ee568289 upstream. + +This reverts commit 920b4530fb80430ff30ef83efe21ba1fa5623731 which could +call d_move() without holding the directory's i_mutex, and reverts commit +d4ea7e3c5c0e341c15b073016dbf3ab6c65f12f3 "NFS: Fix old dentry rehash after +move", which was a follow-up fix. + +Signed-off-by: Benjamin Coddington +Fixes: 920b4530fb80 ("NFS: nfs_rename() handle -ERESTARTSYS dentry left behind") +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 51 ++++++++++++++++++++++++--------------------------- + 1 file changed, 24 insertions(+), 27 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2002,29 +2002,6 @@ nfs_link(struct dentry *old_dentry, stru + } + EXPORT_SYMBOL_GPL(nfs_link); + +-static void +-nfs_complete_rename(struct rpc_task *task, struct nfs_renamedata *data) +-{ +- struct dentry *old_dentry = data->old_dentry; +- struct dentry *new_dentry = data->new_dentry; +- struct inode *old_inode = d_inode(old_dentry); +- struct inode *new_inode = d_inode(new_dentry); +- +- nfs_mark_for_revalidate(old_inode); +- +- switch (task->tk_status) { +- case 0: +- if (new_inode != NULL) +- nfs_drop_nlink(new_inode); +- d_move(old_dentry, new_dentry); +- nfs_set_verifier(new_dentry, +- nfs_save_change_attribute(data->new_dir)); +- break; +- case -ENOENT: +- nfs_dentry_handle_enoent(old_dentry); +- } +-} +- + /* + * RENAME + * FIXME: Some nfsds, like the Linux user space nfsd, may generate a +@@ -2055,7 +2032,7 @@ int nfs_rename(struct inode *old_dir, st + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); +- struct dentry *dentry = NULL; ++ struct dentry *dentry = NULL, *rehash = NULL; + struct rpc_task *task; + int error = -EBUSY; + +@@ -2078,8 +2055,10 @@ int nfs_rename(struct inode *old_dir, st + * To prevent any new references to the target during the + * rename, we unhash the dentry in advance. + */ +- if (!d_unhashed(new_dentry)) ++ if (!d_unhashed(new_dentry)) { + d_drop(new_dentry); ++ rehash = new_dentry; ++ } + + if (d_count(new_dentry) > 2) { + int err; +@@ -2096,6 +2075,7 @@ int nfs_rename(struct inode *old_dir, st + goto out; + + new_dentry = dentry; ++ rehash = NULL; + new_inode = NULL; + } + } +@@ -2104,8 +2084,7 @@ int nfs_rename(struct inode *old_dir, st + if (new_inode != NULL) + NFS_PROTO(new_inode)->return_delegation(new_inode); + +- task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, +- nfs_complete_rename); ++ task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL); + if (IS_ERR(task)) { + error = PTR_ERR(task); + goto out; +@@ -2115,9 +2094,27 @@ int nfs_rename(struct inode *old_dir, st + if (error == 0) + error = task->tk_status; + rpc_put_task(task); ++ nfs_mark_for_revalidate(old_inode); + out: ++ if (rehash) ++ d_rehash(rehash); + trace_nfs_rename_exit(old_dir, old_dentry, + new_dir, new_dentry, error); ++ if (!error) { ++ if (new_inode != NULL) ++ nfs_drop_nlink(new_inode); ++ /* ++ * The d_move() should be here instead of in an async RPC completion ++ * handler because we need the proper locks to move the dentry. If ++ * we're interrupted by a signal, the async RPC completion handler ++ * should mark the directories for revalidation. ++ */ ++ d_move(old_dentry, new_dentry); ++ nfs_set_verifier(new_dentry, ++ nfs_save_change_attribute(new_dir)); ++ } else if (error == -ENOENT) ++ nfs_dentry_handle_enoent(old_dentry); ++ + /* new dentry created? */ + if (dentry) + dput(dentry); diff --git a/queue-4.11/series b/queue-4.11/series index f5337f2f91e..5275131db2d 100644 --- a/queue-4.11/series +++ b/queue-4.11/series @@ -33,3 +33,18 @@ rtnetlink-add-ifla_group-to-ifla_policy.patch netfilter-synproxy-fix-conntrackd-interaction.patch nfsv4.x-callback-create-the-callback-service-through-svc_create_pooled.patch xen-blkback-don-t-use-xen_blkif_get-in-xen-blkback-kthread.patch +mips-head-reorder-instructions-missing-a-delay-slot.patch +mips-avoid-accidental-raw-backtrace.patch +mips-pm-cps-drop-manual-cache-line-alignment-of-ready_count.patch +mips-fix-irq-tracing-lockdep-when-rescheduling.patch +alsa-hda-fix-endless-loop-of-codec-configure.patch +alsa-hda-set-input_path-bitmap-to-zero-after-moving-it-to-new-place.patch +nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch +nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch +revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch +ovl-copy-up-don-t-unlock-between-lookup-and-link.patch +gpiolib-fix-filtering-out-unwanted-events.patch +x86-intel_rdt-fix-memory-leak-on-mount-failure.patch +perf-x86-intel-uncore-fix-wrong-box-pointer-check.patch +drm-vmwgfx-free-hash-table-allocated-by-cmdbuf-managed-res-mgr.patch +dm-thin-do-not-queue-freed-thin-mapping-for-next-stage-processing.patch diff --git a/queue-4.11/x86-intel_rdt-fix-memory-leak-on-mount-failure.patch b/queue-4.11/x86-intel_rdt-fix-memory-leak-on-mount-failure.patch new file mode 100644 index 00000000000..1e8762b5da4 --- /dev/null +++ b/queue-4.11/x86-intel_rdt-fix-memory-leak-on-mount-failure.patch @@ -0,0 +1,46 @@ +From 79298acc4ba097e9ab78644e3e38902d73547c92 Mon Sep 17 00:00:00 2001 +From: Vikas Shivappa +Date: Mon, 26 Jun 2017 11:55:49 -0700 +Subject: x86/intel_rdt: Fix memory leak on mount failure + +From: Vikas Shivappa + +commit 79298acc4ba097e9ab78644e3e38902d73547c92 upstream. + +If mount fails, the kn_info directory is not freed causing memory leak. + +Add the missing error handling path. + +Fixes: 4e978d06dedb ("x86/intel_rdt: Add "info" files to resctrl file system") +Signed-off-by: Vikas Shivappa +Signed-off-by: Thomas Gleixner +Cc: ravi.v.shankar@intel.com +Cc: tony.luck@intel.com +Cc: fenghua.yu@intel.com +Cc: peterz@infradead.org +Cc: vikas.shivappa@intel.com +Cc: andi.kleen@intel.com +Link: http://lkml.kernel.org/r/1498503368-20173-3-git-send-email-vikas.shivappa@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c ++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +@@ -767,11 +767,13 @@ static struct dentry *rdt_mount(struct f + dentry = kernfs_mount(fs_type, flags, rdt_root, + RDTGROUP_SUPER_MAGIC, NULL); + if (IS_ERR(dentry)) +- goto out_cdp; ++ goto out_destroy; + + static_branch_enable(&rdt_enable_key); + goto out; + ++out_destroy: ++ kernfs_remove(kn_info); + out_cdp: + cdp_disable(); + out: