From: Greg Kroah-Hartman Date: Sun, 10 Sep 2017 11:37:11 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v3.18.71~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ef0295c1e9b6ec73571c29be2594844f03a06b5a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: alsa-msnd-optimize-harden-dsp-and-midi-loops.patch btrfs-resume-qgroup-rescan-on-rw-remount.patch kvm-svm-limit-pferr_nested_guest_page-error_code-check-to-l1-guest.patch mm-kvfree-the-swap-cluster-info-if-the-swap-file-is-unsatisfactory.patch mm-memory.c-fix-mem_cgroup_oom_disable-call-missing.patch mm-swapfile.c-fix-swapon-frontswap_map-memory-leak-on-error.patch mtd-nand-hynix-add-support-for-20nm-nand-chips.patch mtd-nand-make-samsung-slc-nand-usable-again.patch mtd-nand-mxc-fix-mxc_v1-ooblayout.patch mtd-nand-qcom-fix-config-error-for-bch.patch mtd-nand-qcom-fix-read-failure-without-complete-bootchain.patch nvme-fabrics-generate-spec-compliant-uuid-nqns.patch radix-tree-must-check-__radix_tree_preload-return-value.patch rtlwifi-btcoexist-fix-breakage-of-ant_sel-for-rtl8723be.patch selftests-x86-fsgsbase-test-selectors-1-2-and-3.patch --- diff --git a/queue-4.12/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch b/queue-4.12/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch new file mode 100644 index 00000000000..abc8b2bece7 --- /dev/null +++ b/queue-4.12/alsa-msnd-optimize-harden-dsp-and-midi-loops.patch @@ -0,0 +1,106 @@ +From 20e2b791796bd68816fa115f12be5320de2b8021 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 6 Jul 2017 12:34:40 +0200 +Subject: ALSA: msnd: Optimize / harden DSP and MIDI loops + +From: Takashi Iwai + +commit 20e2b791796bd68816fa115f12be5320de2b8021 upstream. + +The ISA msnd drivers have loops fetching the ring-buffer head, tail +and size values inside the loops. Such codes are inefficient and +fragile. + +This patch optimizes it, and also adds the sanity check to avoid the +endless loops. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196131 +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196133 +Signed-off-by: Takashi Iwai +Signed-off-by: grygorii tertychnyi +Signed-off-by: Greg Kroah-Hartman + +--- + sound/isa/msnd/msnd_midi.c | 28 ++++++++++++++-------------- + sound/isa/msnd/msnd_pinnacle.c | 23 ++++++++++++----------- + 2 files changed, 26 insertions(+), 25 deletions(-) + +--- a/sound/isa/msnd/msnd_midi.c ++++ b/sound/isa/msnd/msnd_midi.c +@@ -120,24 +120,24 @@ void snd_msndmidi_input_read(void *mpuv) + unsigned long flags; + struct snd_msndmidi *mpu = mpuv; + void *pwMIDQData = mpu->dev->mappedbase + MIDQ_DATA_BUFF; ++ u16 head, tail, size; + + spin_lock_irqsave(&mpu->input_lock, flags); +- while (readw(mpu->dev->MIDQ + JQS_wTail) != +- readw(mpu->dev->MIDQ + JQS_wHead)) { +- u16 wTmp, val; +- val = readw(pwMIDQData + 2 * readw(mpu->dev->MIDQ + JQS_wHead)); ++ head = readw(mpu->dev->MIDQ + JQS_wHead); ++ tail = readw(mpu->dev->MIDQ + JQS_wTail); ++ size = readw(mpu->dev->MIDQ + JQS_wSize); ++ if (head > size || tail > size) ++ goto out; ++ while (head != tail) { ++ unsigned char val = readw(pwMIDQData + 2 * head); + +- if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, +- &mpu->mode)) +- snd_rawmidi_receive(mpu->substream_input, +- (unsigned char *)&val, 1); +- +- wTmp = readw(mpu->dev->MIDQ + JQS_wHead) + 1; +- if (wTmp > readw(mpu->dev->MIDQ + JQS_wSize)) +- writew(0, mpu->dev->MIDQ + JQS_wHead); +- else +- writew(wTmp, mpu->dev->MIDQ + JQS_wHead); ++ if (test_bit(MSNDMIDI_MODE_BIT_INPUT_TRIGGER, &mpu->mode)) ++ snd_rawmidi_receive(mpu->substream_input, &val, 1); ++ if (++head > size) ++ head = 0; ++ writew(head, mpu->dev->MIDQ + JQS_wHead); + } ++ out: + spin_unlock_irqrestore(&mpu->input_lock, flags); + } + EXPORT_SYMBOL(snd_msndmidi_input_read); +--- a/sound/isa/msnd/msnd_pinnacle.c ++++ b/sound/isa/msnd/msnd_pinnacle.c +@@ -170,23 +170,24 @@ static irqreturn_t snd_msnd_interrupt(in + { + struct snd_msnd *chip = dev_id; + void *pwDSPQData = chip->mappedbase + DSPQ_DATA_BUFF; ++ u16 head, tail, size; + + /* Send ack to DSP */ + /* inb(chip->io + HP_RXL); */ + + /* Evaluate queued DSP messages */ +- while (readw(chip->DSPQ + JQS_wTail) != readw(chip->DSPQ + JQS_wHead)) { +- u16 wTmp; +- +- snd_msnd_eval_dsp_msg(chip, +- readw(pwDSPQData + 2 * readw(chip->DSPQ + JQS_wHead))); +- +- wTmp = readw(chip->DSPQ + JQS_wHead) + 1; +- if (wTmp > readw(chip->DSPQ + JQS_wSize)) +- writew(0, chip->DSPQ + JQS_wHead); +- else +- writew(wTmp, chip->DSPQ + JQS_wHead); ++ head = readw(chip->DSPQ + JQS_wHead); ++ tail = readw(chip->DSPQ + JQS_wTail); ++ size = readw(chip->DSPQ + JQS_wSize); ++ if (head > size || tail > size) ++ goto out; ++ while (head != tail) { ++ snd_msnd_eval_dsp_msg(chip, readw(pwDSPQData + 2 * head)); ++ if (++head > size) ++ head = 0; ++ writew(head, chip->DSPQ + JQS_wHead); + } ++ out: + /* Send ack to DSP */ + inb(chip->io + HP_RXL); + return IRQ_HANDLED; diff --git a/queue-4.12/btrfs-resume-qgroup-rescan-on-rw-remount.patch b/queue-4.12/btrfs-resume-qgroup-rescan-on-rw-remount.patch new file mode 100644 index 00000000000..f517b5f2cb2 --- /dev/null +++ b/queue-4.12/btrfs-resume-qgroup-rescan-on-rw-remount.patch @@ -0,0 +1,43 @@ +From 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Tue, 4 Jul 2017 21:49:06 +1000 +Subject: btrfs: resume qgroup rescan on rw remount + +From: Aleksa Sarai + +commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream. + +Several distributions mount the "proper root" as ro during initrd and +then remount it as rw before pivot_root(2). Thus, if a rescan had been +aborted by a previous shutdown, the rescan would never be resumed. + +This issue would manifest itself as several btrfs ioctl(2)s causing the +entire machine to hang when btrfs_qgroup_wait_for_completion was hit +(due to the fs_info->qgroup_rescan_running flag being set but the rescan +itself not being resumed). Notably, Docker's btrfs storage driver makes +regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT +(causing this problem to be manifested on boot for some machines). + +Cc: Jeff Mahoney +Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount") +Signed-off-by: Aleksa Sarai +Reviewed-by: Nikolay Borisov +Tested-by: Nikolay Borisov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1828,6 +1828,8 @@ static int btrfs_remount(struct super_bl + goto restore; + } + ++ btrfs_qgroup_rescan_resume(fs_info); ++ + if (!fs_info->uuid_root) { + btrfs_info(fs_info, "creating UUID tree"); + ret = btrfs_create_uuid_tree(fs_info); diff --git a/queue-4.12/kvm-svm-limit-pferr_nested_guest_page-error_code-check-to-l1-guest.patch b/queue-4.12/kvm-svm-limit-pferr_nested_guest_page-error_code-check-to-l1-guest.patch new file mode 100644 index 00000000000..2b38d161b11 --- /dev/null +++ b/queue-4.12/kvm-svm-limit-pferr_nested_guest_page-error_code-check-to-l1-guest.patch @@ -0,0 +1,52 @@ +From 64531a3b70b17c8d3e77f2e49e5e1bb70f571266 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Mon, 7 Aug 2017 14:11:30 -0500 +Subject: KVM: SVM: Limit PFERR_NESTED_GUEST_PAGE error_code check to L1 guest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brijesh Singh + +commit 64531a3b70b17c8d3e77f2e49e5e1bb70f571266 upstream. + +Commit 147277540bbc ("kvm: svm: Add support for additional SVM NPF error +codes", 2016-11-23) added a new error code to aid nested page fault +handling. The commit unprotects (kvm_mmu_unprotect_page) the page when +we get a NPF due to guest page table walk where the page was marked RO. + +However, if an L0->L2 shadow nested page table can also be marked read-only +when a page is read only in L1's nested page table. If such a page +is accessed by L2 while walking page tables it can cause a nested +page fault (page table walks are write accesses). However, after +kvm_mmu_unprotect_page we may get another page fault, and again in an +endless stream. + +To cover this use case, we qualify the new error_code check with +vcpu->arch.mmu_direct_map so that the error_code check would run on L1 +guest, and not the L2 guest. This avoids hitting the above scenario. + +Fixes: 147277540bbc54119172481c8ef6d930cc9fbfc2 +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Lendacky +Signed-off-by: Brijesh Singh +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4759,7 +4759,8 @@ int kvm_mmu_page_fault(struct kvm_vcpu * + * Note: AMD only (since it supports the PFERR_GUEST_PAGE_MASK used + * in PFERR_NEXT_GUEST_PAGE) + */ +- if (error_code == PFERR_NESTED_GUEST_PAGE) { ++ if (vcpu->arch.mmu.direct_map && ++ error_code == PFERR_NESTED_GUEST_PAGE) { + kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2)); + return 1; + } diff --git a/queue-4.12/mm-kvfree-the-swap-cluster-info-if-the-swap-file-is-unsatisfactory.patch b/queue-4.12/mm-kvfree-the-swap-cluster-info-if-the-swap-file-is-unsatisfactory.patch new file mode 100644 index 00000000000..38fd00502f1 --- /dev/null +++ b/queue-4.12/mm-kvfree-the-swap-cluster-info-if-the-swap-file-is-unsatisfactory.patch @@ -0,0 +1,41 @@ +From 8606a1a94da5c4e49c0fb28af62d2e75c6747716 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 8 Sep 2017 16:13:25 -0700 +Subject: mm: kvfree the swap cluster info if the swap file is unsatisfactory + +From: Darrick J. Wong + +commit 8606a1a94da5c4e49c0fb28af62d2e75c6747716 upstream. + +If initializing a small swap file fails because the swap file has a +problem (holes, etc.) then we need to free the cluster info as part of +cleanup. Unfortunately a previous patch changed the code to use kvzalloc +but did not change all the vfree calls to use kvfree. + +Found by running generic/357 from xfstests. + +Link: http://lkml.kernel.org/r/20170831233515.GR3775@magnolia +Fixes: 54f180d3c181 ("mm, swap: use kvzalloc to allocate some swap data structures") +Signed-off-by: Darrick J. Wong +Reviewed-by: "Huang, Ying" +Acked-by: David Rientjes +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/swapfile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2903,7 +2903,7 @@ bad_swap: + p->flags = 0; + spin_unlock(&swap_lock); + vfree(swap_map); +- vfree(cluster_info); ++ kvfree(cluster_info); + if (swap_file) { + if (inode && S_ISREG(inode->i_mode)) { + inode_unlock(inode); diff --git a/queue-4.12/mm-memory.c-fix-mem_cgroup_oom_disable-call-missing.patch b/queue-4.12/mm-memory.c-fix-mem_cgroup_oom_disable-call-missing.patch new file mode 100644 index 00000000000..d4469373d68 --- /dev/null +++ b/queue-4.12/mm-memory.c-fix-mem_cgroup_oom_disable-call-missing.patch @@ -0,0 +1,55 @@ +From de0c799bba2610a8e1e9a50d76a28614520a4cd4 Mon Sep 17 00:00:00 2001 +From: Laurent Dufour +Date: Fri, 8 Sep 2017 16:13:12 -0700 +Subject: mm/memory.c: fix mem_cgroup_oom_disable() call missing + +From: Laurent Dufour + +commit de0c799bba2610a8e1e9a50d76a28614520a4cd4 upstream. + +Seen while reading the code, in handle_mm_fault(), in the case +arch_vma_access_permitted() is failing the call to +mem_cgroup_oom_disable() is not made. + +To fix that, move the call to mem_cgroup_oom_enable() after calling +arch_vma_access_permitted() as it should not have entered the memcg OOM. + +Link: http://lkml.kernel.org/r/1504625439-31313-1-git-send-email-ldufour@linux.vnet.ibm.com +Fixes: bae473a423f6 ("mm: introduce fault_env") +Signed-off-by: Laurent Dufour +Acked-by: Kirill A. Shutemov +Acked-by: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3843,6 +3843,11 @@ int handle_mm_fault(struct vm_area_struc + /* do counter updates before entering really critical section. */ + check_sync_rss_stat(current); + ++ if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE, ++ flags & FAULT_FLAG_INSTRUCTION, ++ flags & FAULT_FLAG_REMOTE)) ++ return VM_FAULT_SIGSEGV; ++ + /* + * Enable the memcg OOM handling for faults triggered in user + * space. Kernel faults are handled more gracefully. +@@ -3850,11 +3855,6 @@ int handle_mm_fault(struct vm_area_struc + if (flags & FAULT_FLAG_USER) + mem_cgroup_oom_enable(); + +- if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE, +- flags & FAULT_FLAG_INSTRUCTION, +- flags & FAULT_FLAG_REMOTE)) +- return VM_FAULT_SIGSEGV; +- + if (unlikely(is_vm_hugetlb_page(vma))) + ret = hugetlb_fault(vma->vm_mm, vma, address, flags); + else diff --git a/queue-4.12/mm-swapfile.c-fix-swapon-frontswap_map-memory-leak-on-error.patch b/queue-4.12/mm-swapfile.c-fix-swapon-frontswap_map-memory-leak-on-error.patch new file mode 100644 index 00000000000..c0e034c41de --- /dev/null +++ b/queue-4.12/mm-swapfile.c-fix-swapon-frontswap_map-memory-leak-on-error.patch @@ -0,0 +1,33 @@ +From b6b1fd2a6bedd533aeed83924d7be0e944fded9f Mon Sep 17 00:00:00 2001 +From: David Rientjes +Date: Fri, 8 Sep 2017 16:13:29 -0700 +Subject: mm/swapfile.c: fix swapon frontswap_map memory leak on error + +From: David Rientjes + +commit b6b1fd2a6bedd533aeed83924d7be0e944fded9f upstream. + +Free frontswap_map if an error is encountered before enable_swap_info(). + +Signed-off-by: David Rientjes +Reviewed-by: "Huang, Ying" +Cc: Darrick J. Wong +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/swapfile.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2904,6 +2904,7 @@ bad_swap: + spin_unlock(&swap_lock); + vfree(swap_map); + kvfree(cluster_info); ++ kvfree(frontswap_map); + if (swap_file) { + if (inode && S_ISREG(inode->i_mode)) { + inode_unlock(inode); diff --git a/queue-4.12/mtd-nand-hynix-add-support-for-20nm-nand-chips.patch b/queue-4.12/mtd-nand-hynix-add-support-for-20nm-nand-chips.patch new file mode 100644 index 00000000000..b68aa2d1e55 --- /dev/null +++ b/queue-4.12/mtd-nand-hynix-add-support-for-20nm-nand-chips.patch @@ -0,0 +1,57 @@ +From fd213b5bae800dc00a2930dcd07f63ab9bbff3f9 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 5 Aug 2017 14:16:24 +0200 +Subject: mtd: nand: hynix: add support for 20nm NAND chips + +From: Martin Blumenstingl + +commit fd213b5bae800dc00a2930dcd07f63ab9bbff3f9 upstream. + +According to the datasheet of the H27UCG8T2BTR the NAND Technology field +(6th byte of the "Device Identifier Description", bits 0-2) the +following values are possible: +- 0x0 = 48nm +- 0x1 = 41nm +- 0x2 = 32nm +- 0x3 = 26nm +- 0x4 = 20nm +- (all others are reserved) + +Fix this by extending the mask for this field to allow detecting value +0x4 (20nm) as valid NAND technology. +Without this the detection of the ECC requirements fails, because the +code assumes that the device is a 48nm device (0x4 & 0x3 = 0x0) and +aborts with "Invalid ECC requirements" because it cannot map the "ECC +Level". Extending the mask makes the ECC requirement detection code +recognize this chip as <= 26nm and sets up the ECC step size and ECC +strength correctly. + +Signed-off-by: Martin Blumenstingl +Fixes: 78f3482d7480 ("mtd: nand: hynix: Rework NAND ID decoding to extract more information") +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_hynix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/nand_hynix.c ++++ b/drivers/mtd/nand/nand_hynix.c +@@ -477,7 +477,7 @@ static void hynix_nand_extract_ecc_requi + * The ECC requirements field meaning depends on the + * NAND technology. + */ +- u8 nand_tech = chip->id.data[5] & 0x3; ++ u8 nand_tech = chip->id.data[5] & 0x7; + + if (nand_tech < 3) { + /* > 26nm, reference: H27UBG8T2A datasheet */ +@@ -533,7 +533,7 @@ static void hynix_nand_extract_scramblin + if (nand_tech > 0) + chip->options |= NAND_NEED_SCRAMBLING; + } else { +- nand_tech = chip->id.data[5] & 0x3; ++ nand_tech = chip->id.data[5] & 0x7; + + /* < 32nm */ + if (nand_tech > 2) diff --git a/queue-4.12/mtd-nand-make-samsung-slc-nand-usable-again.patch b/queue-4.12/mtd-nand-make-samsung-slc-nand-usable-again.patch new file mode 100644 index 00000000000..8051a1c1170 --- /dev/null +++ b/queue-4.12/mtd-nand-make-samsung-slc-nand-usable-again.patch @@ -0,0 +1,54 @@ +From 69fc01296c92814b62dbfba1600fe7ed2ed304f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lothar=20Wa=C3=9Fmann?= +Date: Tue, 29 Aug 2017 12:17:12 +0200 +Subject: mtd: nand: make Samsung SLC NAND usable again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lothar Waßmann + +commit 69fc01296c92814b62dbfba1600fe7ed2ed304f5 upstream. + +commit c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection +logic in nand_samsung.c") introduced a regression for Samsung SLC NAND +chips. Prior to this commit chip->bits_per_cell was initialized by calling +nand_get_bits_per_cell() before using nand_is_slc(). +With the offending commit this call is skipped, leaving +chip->bits_per_cell cleared to zero when the manufacturer specific +'.detect' function calls nand_is_slc() which in turn interprets +bits_per_cell != 1 as indication for an MLC chip. +The effect is that e.g. a K9F1G08U0F NAND chip is falsely detected as +MLC NAND with 4KiB page size rather than SLC with 2KiB page size. + +Add a call to nand_get_bits_per_cell() before calling the .detect hook +function in nand_manufacturer_detect(), so that the nand_is_slc() +calls in the manufacturer specific code will return correct results. + +Fixes: c51d0ac59f24 ("mtd: nand: Move Samsung specific init/detection logic in nand_samsung.c") +Signed-off-by: Lothar Waßmann +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -3972,10 +3972,13 @@ static void nand_manufacturer_detect(str + * nand_decode_ext_id() otherwise. + */ + if (chip->manufacturer.desc && chip->manufacturer.desc->ops && +- chip->manufacturer.desc->ops->detect) ++ chip->manufacturer.desc->ops->detect) { ++ /* The 3rd id byte holds MLC / multichip data */ ++ chip->bits_per_cell = nand_get_bits_per_cell(chip->id.data[2]); + chip->manufacturer.desc->ops->detect(chip); +- else ++ } else { + nand_decode_ext_id(chip); ++ } + } + + /* diff --git a/queue-4.12/mtd-nand-mxc-fix-mxc_v1-ooblayout.patch b/queue-4.12/mtd-nand-mxc-fix-mxc_v1-ooblayout.patch new file mode 100644 index 00000000000..72511b4dc8d --- /dev/null +++ b/queue-4.12/mtd-nand-mxc-fix-mxc_v1-ooblayout.patch @@ -0,0 +1,56 @@ +From 3bff08dffe3115a25ce04b95ea75f6d868572c60 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 25 Nov 2016 11:32:32 +0100 +Subject: mtd: nand: mxc: Fix mxc_v1 ooblayout + +From: Boris Brezillon + +commit 3bff08dffe3115a25ce04b95ea75f6d868572c60 upstream. + +Commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") +introduced a bug in the OOB layout description. Even if the driver claims +that 3 ECC bytes are reserved to protect 512 bytes of data, it's actually +5 ECC bytes to protect 512+6 bytes of data (some OOB bytes are also +protected using extra ECC bytes). + +Fix the mxc_v1_ooblayout_{free,ecc}() functions to reflect this behavior. + +Signed-off-by: Boris Brezillon +Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/mxc_nand.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -877,6 +877,8 @@ static void mxc_do_addr_cycle(struct mtd + } + } + ++#define MXC_V1_ECCBYTES 5 ++ + static int mxc_v1_ooblayout_ecc(struct mtd_info *mtd, int section, + struct mtd_oob_region *oobregion) + { +@@ -886,7 +888,7 @@ static int mxc_v1_ooblayout_ecc(struct m + return -ERANGE; + + oobregion->offset = (section * 16) + 6; +- oobregion->length = nand_chip->ecc.bytes; ++ oobregion->length = MXC_V1_ECCBYTES; + + return 0; + } +@@ -908,8 +910,7 @@ static int mxc_v1_ooblayout_free(struct + oobregion->length = 4; + } + } else { +- oobregion->offset = ((section - 1) * 16) + +- nand_chip->ecc.bytes + 6; ++ oobregion->offset = ((section - 1) * 16) + MXC_V1_ECCBYTES + 6; + if (section < nand_chip->ecc.steps) + oobregion->length = (section * 16) + 6 - + oobregion->offset; diff --git a/queue-4.12/mtd-nand-qcom-fix-config-error-for-bch.patch b/queue-4.12/mtd-nand-qcom-fix-config-error-for-bch.patch new file mode 100644 index 00000000000..89e085117e5 --- /dev/null +++ b/queue-4.12/mtd-nand-qcom-fix-config-error-for-bch.patch @@ -0,0 +1,39 @@ +From 10777de570016471fd929869c7830a7772893e39 Mon Sep 17 00:00:00 2001 +From: Abhishek Sahu +Date: Thu, 3 Aug 2017 17:56:39 +0200 +Subject: mtd: nand: qcom: fix config error for BCH + +From: Abhishek Sahu + +commit 10777de570016471fd929869c7830a7772893e39 upstream. + +The configuration for BCH is not correct in the current driver. +The ECC_CFG_ECC_DISABLE bit defines whether to enable or disable the +BCH ECC in which + + 0x1 : BCH_DISABLED + 0x0 : BCH_ENABLED + +But currently host->bch_enabled is being assigned to BCH_DISABLED. + +Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver") +Signed-off-by: Abhishek Sahu +Reviewed-by: Archit Taneja +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/qcom_nandc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/qcom_nandc.c ++++ b/drivers/mtd/nand/qcom_nandc.c +@@ -1900,7 +1900,7 @@ static int qcom_nand_host_setup(struct q + | wide_bus << WIDE_FLASH + | 1 << DEV0_CFG1_ECC_DISABLE; + +- host->ecc_bch_cfg = host->bch_enabled << ECC_CFG_ECC_DISABLE ++ host->ecc_bch_cfg = !host->bch_enabled << ECC_CFG_ECC_DISABLE + | 0 << ECC_SW_RESET + | host->cw_data << ECC_NUM_DATA_BYTES + | 1 << ECC_FORCE_CLK_OPEN diff --git a/queue-4.12/mtd-nand-qcom-fix-read-failure-without-complete-bootchain.patch b/queue-4.12/mtd-nand-qcom-fix-read-failure-without-complete-bootchain.patch new file mode 100644 index 00000000000..73cba6883fe --- /dev/null +++ b/queue-4.12/mtd-nand-qcom-fix-read-failure-without-complete-bootchain.patch @@ -0,0 +1,81 @@ +From d8a9b320a26c1ea28e51e4f3ecfb593d5aac2910 Mon Sep 17 00:00:00 2001 +From: Abhishek Sahu +Date: Fri, 11 Aug 2017 17:09:16 +0530 +Subject: mtd: nand: qcom: fix read failure without complete bootchain + +From: Abhishek Sahu + +commit d8a9b320a26c1ea28e51e4f3ecfb593d5aac2910 upstream. + +The NAND page read fails without complete boot chain since +NAND_DEV_CMD_VLD value is not proper. The default power on reset +value for this register is + + 0xe - ERASE_START_VALID | WRITE_START_VALID | READ_STOP_VALID + +The READ_START_VALID should be enabled for sending PAGE_READ +command. READ_STOP_VALID should be cleared since normal NAND +page read does not require READ_STOP command. + +Fixes: c76b78d8ec05a ("mtd: nand: Qualcomm NAND controller driver") +Reviewed-by: Archit Taneja +Signed-off-by: Abhishek Sahu +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/qcom_nandc.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/qcom_nandc.c ++++ b/drivers/mtd/nand/qcom_nandc.c +@@ -109,7 +109,11 @@ + #define READ_ADDR 0 + + /* NAND_DEV_CMD_VLD bits */ +-#define READ_START_VLD 0 ++#define READ_START_VLD BIT(0) ++#define READ_STOP_VLD BIT(1) ++#define WRITE_START_VLD BIT(2) ++#define ERASE_START_VLD BIT(3) ++#define SEQ_READ_START_VLD BIT(4) + + /* NAND_EBI2_ECC_BUF_CFG bits */ + #define NUM_STEPS 0 +@@ -148,6 +152,10 @@ + #define FETCH_ID 0xb + #define RESET_DEVICE 0xd + ++/* Default Value for NAND_DEV_CMD_VLD */ ++#define NAND_DEV_CMD_VLD_VAL (READ_START_VLD | WRITE_START_VLD | \ ++ ERASE_START_VLD | SEQ_READ_START_VLD) ++ + /* + * the NAND controller performs reads/writes with ECC in 516 byte chunks. + * the driver calls the chunks 'step' or 'codeword' interchangeably +@@ -672,8 +680,7 @@ static int nandc_param(struct qcom_nand_ + + /* configure CMD1 and VLD for ONFI param probing */ + nandc_set_reg(nandc, NAND_DEV_CMD_VLD, +- (nandc->vld & ~(1 << READ_START_VLD)) +- | 0 << READ_START_VLD); ++ (nandc->vld & ~READ_START_VLD)); + nandc_set_reg(nandc, NAND_DEV_CMD1, + (nandc->cmd1 & ~(0xFF << READ_ADDR)) + | NAND_CMD_PARAM << READ_ADDR); +@@ -1972,13 +1979,14 @@ static int qcom_nandc_setup(struct qcom_ + { + /* kill onenand */ + nandc_write(nandc, SFLASHC_BURST_CFG, 0); ++ nandc_write(nandc, NAND_DEV_CMD_VLD, NAND_DEV_CMD_VLD_VAL); + + /* enable ADM DMA */ + nandc_write(nandc, NAND_FLASH_CHIP_SELECT, DM_EN); + + /* save the original values of these registers */ + nandc->cmd1 = nandc_read(nandc, NAND_DEV_CMD1); +- nandc->vld = nandc_read(nandc, NAND_DEV_CMD_VLD); ++ nandc->vld = NAND_DEV_CMD_VLD_VAL; + + return 0; + } diff --git a/queue-4.12/nvme-fabrics-generate-spec-compliant-uuid-nqns.patch b/queue-4.12/nvme-fabrics-generate-spec-compliant-uuid-nqns.patch new file mode 100644 index 00000000000..e84e9c96901 --- /dev/null +++ b/queue-4.12/nvme-fabrics-generate-spec-compliant-uuid-nqns.patch @@ -0,0 +1,33 @@ +From 40a5fce495715c48c2e02668144e68a507ac5a30 Mon Sep 17 00:00:00 2001 +From: Daniel Verkamp +Date: Wed, 30 Aug 2017 15:18:19 -0700 +Subject: nvme-fabrics: generate spec-compliant UUID NQNs + +From: Daniel Verkamp + +commit 40a5fce495715c48c2e02668144e68a507ac5a30 upstream. + +The default host NQN, which is generated based on the host's UUID, +does not follow the UUID-based NQN format laid out in the NVMe 1.3 +specification. Remove the "NVMf:" portion of the NQN to match the spec. + +Signed-off-by: Daniel Verkamp +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/fabrics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -77,7 +77,7 @@ static struct nvmf_host *nvmf_host_defau + kref_init(&host->ref); + uuid_be_gen(&host->id); + snprintf(host->nqn, NVMF_NQN_SIZE, +- "nqn.2014-08.org.nvmexpress:NVMf:uuid:%pUb", &host->id); ++ "nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id); + + mutex_lock(&nvmf_hosts_mutex); + list_add_tail(&host->list, &nvmf_hosts); diff --git a/queue-4.12/radix-tree-must-check-__radix_tree_preload-return-value.patch b/queue-4.12/radix-tree-must-check-__radix_tree_preload-return-value.patch new file mode 100644 index 00000000000..652c2818aba --- /dev/null +++ b/queue-4.12/radix-tree-must-check-__radix_tree_preload-return-value.patch @@ -0,0 +1,70 @@ +From bc9ae2247ac92fd4d962507bafa3afffff6660ff Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 8 Sep 2017 16:15:54 -0700 +Subject: radix-tree: must check __radix_tree_preload() return value + +From: Eric Dumazet + +commit bc9ae2247ac92fd4d962507bafa3afffff6660ff upstream. + +__radix_tree_preload() only disables preemption if no error is returned. + +So we really need to make sure callers always check the return value. + +idr_preload() contract is to always disable preemption, so we need +to add a missing preempt_disable() if an error happened. + +Similarly, ida_pre_get() only needs to call preempt_enable() in the +case no error happened. + +Link: http://lkml.kernel.org/r/1504637190.15310.62.camel@edumazet-glaptop3.roam.corp.google.com +Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") +Fixes: 7ad3d4d85c7a ("ida: Move ida_bitmap to a percpu variable") +Signed-off-by: Eric Dumazet +Cc: Matthew Wilcox +Cc: "Kirill A. Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/radix-tree.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -463,7 +463,7 @@ radix_tree_node_free(struct radix_tree_n + * To make use of this facility, the radix tree must be initialised without + * __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE(). + */ +-static int __radix_tree_preload(gfp_t gfp_mask, unsigned nr) ++static __must_check int __radix_tree_preload(gfp_t gfp_mask, unsigned nr) + { + struct radix_tree_preload *rtp; + struct radix_tree_node *node; +@@ -2103,7 +2103,8 @@ EXPORT_SYMBOL(radix_tree_tagged); + */ + void idr_preload(gfp_t gfp_mask) + { +- __radix_tree_preload(gfp_mask, IDR_PRELOAD_SIZE); ++ if (__radix_tree_preload(gfp_mask, IDR_PRELOAD_SIZE)) ++ preempt_disable(); + } + EXPORT_SYMBOL(idr_preload); + +@@ -2117,13 +2118,13 @@ EXPORT_SYMBOL(idr_preload); + */ + int ida_pre_get(struct ida *ida, gfp_t gfp) + { +- __radix_tree_preload(gfp, IDA_PRELOAD_SIZE); + /* + * The IDA API has no preload_end() equivalent. Instead, + * ida_get_new() can return -EAGAIN, prompting the caller + * to return to the ida_pre_get() step. + */ +- preempt_enable(); ++ if (!__radix_tree_preload(gfp, IDA_PRELOAD_SIZE)) ++ preempt_enable(); + + if (!this_cpu_read(ida_bitmap)) { + struct ida_bitmap *bitmap = kmalloc(sizeof(*bitmap), gfp); diff --git a/queue-4.12/rtlwifi-btcoexist-fix-breakage-of-ant_sel-for-rtl8723be.patch b/queue-4.12/rtlwifi-btcoexist-fix-breakage-of-ant_sel-for-rtl8723be.patch new file mode 100644 index 00000000000..17a7cebc1fe --- /dev/null +++ b/queue-4.12/rtlwifi-btcoexist-fix-breakage-of-ant_sel-for-rtl8723be.patch @@ -0,0 +1,43 @@ +From a33fcba6ec01efcca33b1afad91057020f247f15 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Mon, 4 Sep 2017 12:51:33 -0500 +Subject: rtlwifi: btcoexist: Fix breakage of ant_sel for rtl8723be + +From: Larry Finger + +commit a33fcba6ec01efcca33b1afad91057020f247f15 upstream. + +In commit bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when +hw initialisation done"), there is an additional error when the module +parameter ant_sel is used to select the auxilary antenna. The error is +that the antenna selection is not checked when writing the antenna +selection register. + +Fixes: bcd37f4a0831 ("rtlwifi: btcoex: 23b 2ant: let bt transmit when hw initialisation done") +Signed-off-by: Larry Finger +Cc: Ping-Ke Shih +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c ++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8723b2ant.c +@@ -1153,7 +1153,10 @@ static void btc8723b2ant_set_ant_path(st + } + + /* fixed internal switch S1->WiFi, S0->BT */ +- btcoexist->btc_write_4byte(btcoexist, 0x948, 0x0); ++ if (board_info->btdm_ant_pos == BTC_ANTENNA_AT_MAIN_PORT) ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x0); ++ else ++ btcoexist->btc_write_2byte(btcoexist, 0x948, 0x280); + + switch (antpos_type) { + case BTC_ANT_WIFI_AT_MAIN: diff --git a/queue-4.12/selftests-x86-fsgsbase-test-selectors-1-2-and-3.patch b/queue-4.12/selftests-x86-fsgsbase-test-selectors-1-2-and-3.patch new file mode 100644 index 00000000000..d85ff4f0b7f --- /dev/null +++ b/queue-4.12/selftests-x86-fsgsbase-test-selectors-1-2-and-3.patch @@ -0,0 +1,114 @@ +From 23d98c204386a98d9ef9f9e744f41443ece4929f Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Tue, 1 Aug 2017 07:11:36 -0700 +Subject: selftests/x86/fsgsbase: Test selectors 1, 2, and 3 + +From: Andy Lutomirski + +commit 23d98c204386a98d9ef9f9e744f41443ece4929f upstream. + +Those are funny cases. Make sure they work. + +(Something is screwy with signal handling if a selector is 1, 2, or 3. +Anyone who wants to dive into that rabbit hole is welcome to do so.) + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Chang Seok +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/fsgsbase.c | 41 ++++++++++++++++++++++++++++----- + 1 file changed, 35 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/x86/fsgsbase.c ++++ b/tools/testing/selftests/x86/fsgsbase.c +@@ -285,9 +285,12 @@ static void *threadproc(void *ctx) + } + } + +-static void set_gs_and_switch_to(unsigned long local, unsigned long remote) ++static void set_gs_and_switch_to(unsigned long local, ++ unsigned short force_sel, ++ unsigned long remote) + { + unsigned long base; ++ unsigned short sel_pre_sched, sel_post_sched; + + bool hard_zero = false; + if (local == HARD_ZERO) { +@@ -297,6 +300,8 @@ static void set_gs_and_switch_to(unsigne + + printf("[RUN]\tARCH_SET_GS(0x%lx)%s, then schedule to 0x%lx\n", + local, hard_zero ? " and clear gs" : "", remote); ++ if (force_sel) ++ printf("\tBefore schedule, set selector to 0x%hx\n", force_sel); + if (syscall(SYS_arch_prctl, ARCH_SET_GS, local) != 0) + err(1, "ARCH_SET_GS"); + if (hard_zero) +@@ -307,18 +312,35 @@ static void set_gs_and_switch_to(unsigne + printf("[FAIL]\tGSBASE wasn't set as expected\n"); + } + ++ if (force_sel) { ++ asm volatile ("mov %0, %%gs" : : "rm" (force_sel)); ++ sel_pre_sched = force_sel; ++ local = read_base(GS); ++ ++ /* ++ * Signal delivery seems to mess up weird selectors. Put it ++ * back. ++ */ ++ asm volatile ("mov %0, %%gs" : : "rm" (force_sel)); ++ } else { ++ asm volatile ("mov %%gs, %0" : "=rm" (sel_pre_sched)); ++ } ++ + remote_base = remote; + ftx = 1; + syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0); + while (ftx != 0) + syscall(SYS_futex, &ftx, FUTEX_WAIT, 1, NULL, NULL, 0); + ++ asm volatile ("mov %%gs, %0" : "=rm" (sel_post_sched)); + base = read_base(GS); +- if (base == local) { +- printf("[OK]\tGSBASE remained 0x%lx\n", local); ++ if (base == local && sel_pre_sched == sel_post_sched) { ++ printf("[OK]\tGS/BASE remained 0x%hx/0x%lx\n", ++ sel_pre_sched, local); + } else { + nerrs++; +- printf("[FAIL]\tGSBASE changed to 0x%lx\n", base); ++ printf("[FAIL]\tGS/BASE changed from 0x%hx/0x%lx to 0x%hx/0x%lx\n", ++ sel_pre_sched, local, sel_post_sched, base); + } + } + +@@ -381,8 +403,15 @@ int main() + + for (int local = 0; local < 4; local++) { + for (int remote = 0; remote < 4; remote++) { +- set_gs_and_switch_to(bases_with_hard_zero[local], +- bases_with_hard_zero[remote]); ++ for (unsigned short s = 0; s < 5; s++) { ++ unsigned short sel = s; ++ if (s == 4) ++ asm ("mov %%ss, %0" : "=rm" (sel)); ++ set_gs_and_switch_to( ++ bases_with_hard_zero[local], ++ sel, ++ bases_with_hard_zero[remote]); ++ } + } + } +