From: Greg Kroah-Hartman
Date: Mon, 3 Jul 2017 09:14:07 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.60~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f7f6756088fe1f7d07ef78ab3550274edeb853fe;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches added patches: drm-amdgpu-add-support-for-new-hainan-variants.patch drm-amdgpu-fix-program-vce-instance-logic-error.patch kvm-x86-fix-fixing-of-hypercalls.patch net-phy-dp83848-add-dp83620-phy-support.patch perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch qla2xxx-fix-erroneous-invalid-handle-message.patch qla2xxx-terminate-exchange-if-corrupted.patch scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch stmmac-add-missing-of_node_put.patch xen-blkback-don-t-free-be-structure-too-early.patch
---
diff --git a/queue-4.9/drm-amdgpu-add-support-for-new-hainan-variants.patch b/queue-4.9/drm-amdgpu-add-support-for-new-hainan-variants.patch
new file mode 100644
index 00000000000..161086c28c1
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-add-support-for-new-hainan-variants.patch
@@ -0,0 +1,45 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Alex Deucher
+Date: Tue, 17 Jan 2017 15:06:58 -0500
+Subject: drm/amdgpu: add support for new hainan variants
+
+From: Alex Deucher
+
+
+[ Upstream commit 17324b6add82d6c0bf119f1d1944baef392a4e39 ]
+
+New hainan parts require updated smc firmware.
+
+Cc: Sonny Jiang
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+@@ -64,6 +64,7 @@ MODULE_FIRMWARE("radeon/oland_smc.bin");
+ MODULE_FIRMWARE("radeon/oland_k_smc.bin");
+ MODULE_FIRMWARE("radeon/hainan_smc.bin");
+ MODULE_FIRMWARE("radeon/hainan_k_smc.bin");
++MODULE_FIRMWARE("radeon/banks_k_2_smc.bin");
+
+ union power_info {
+ struct _ATOM_POWERPLAY_INFO info;
+@@ -7721,10 +7722,11 @@ static int si_dpm_init_microcode(struct
+ ((adev->pdev->device == 0x6660) ||
+ (adev->pdev->device == 0x6663) ||
+ (adev->pdev->device == 0x6665) ||
+- (adev->pdev->device == 0x6667))) ||
+- ((adev->pdev->revision == 0xc3) &&
+- (adev->pdev->device == 0x6665)))
++ (adev->pdev->device == 0x6667))))
+ chip_name = "hainan_k";
++ else if ((adev->pdev->revision == 0xc3) &&
++ (adev->pdev->device == 0x6665))
++ chip_name = "banks_k_2";
+ else
+ chip_name = "hainan";
+ break;
diff --git a/queue-4.9/drm-amdgpu-fix-program-vce-instance-logic-error.patch b/queue-4.9/drm-amdgpu-fix-program-vce-instance-logic-error.patch
new file mode 100644
index 00000000000..eb8f4951051
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-fix-program-vce-instance-logic-error.patch
@@ -0,0 +1,123 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Rex Zhu
+Date: Tue, 10 Jan 2017 20:03:59 +0800
+Subject: drm/amdgpu: fix program vce instance logic error.
+
+From: Rex Zhu
+
+
+[ Upstream commit 50a1ebc70a2803deb7811fc73fb55d70e353bc34 ]
+
+need to clear bit31-29 in GRBM_GFX_INDEX,
+then the program can be valid.
+
+Signed-off-by: Rex Zhu
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c
+@@ -43,9 +43,13 @@
+
+ #define GRBM_GFX_INDEX__VCE_INSTANCE__SHIFT 0x04
+ #define GRBM_GFX_INDEX__VCE_INSTANCE_MASK 0x10
++#define GRBM_GFX_INDEX__VCE_ALL_PIPE 0x07
++
+ #define mmVCE_LMI_VCPU_CACHE_40BIT_BAR0 0x8616
+ #define mmVCE_LMI_VCPU_CACHE_40BIT_BAR1 0x8617
+ #define mmVCE_LMI_VCPU_CACHE_40BIT_BAR2 0x8618
++#define mmGRBM_GFX_INDEX_DEFAULT 0xE0000000
++
+ #define VCE_STATUS_VCPU_REPORT_FW_LOADED_MASK 0x02
+
+ #define VCE_V3_0_FW_SIZE (384 * 1024)
+@@ -54,6 +58,9 @@
+
+ #define FW_52_8_3 ((52 << 24) | (8 << 16) | (3 << 8))
+
++#define GET_VCE_INSTANCE(i) ((i) << GRBM_GFX_INDEX__VCE_INSTANCE__SHIFT \
++ | GRBM_GFX_INDEX__VCE_ALL_PIPE)
++
+ static void vce_v3_0_mc_resume(struct amdgpu_device *adev, int idx);
+ static void vce_v3_0_set_ring_funcs(struct amdgpu_device *adev);
+ static void vce_v3_0_set_irq_funcs(struct amdgpu_device *adev);
+@@ -249,7 +256,7 @@ static int vce_v3_0_start(struct amdgpu_
+ if (adev->vce.harvest_config & (1 << idx))
+ continue;
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, idx);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(idx));
+ vce_v3_0_mc_resume(adev, idx);
+ WREG32_FIELD(VCE_STATUS, JOB_BUSY, 1);
+
+@@ -273,7 +280,7 @@ static int vce_v3_0_start(struct amdgpu_
+ }
+ }
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, 0);
++ WREG32(mmGRBM_GFX_INDEX, mmGRBM_GFX_INDEX_DEFAULT);
+ mutex_unlock(&adev->grbm_idx_mutex);
+
+ return 0;
+@@ -288,7 +295,7 @@ static int vce_v3_0_stop(struct amdgpu_d
+ if (adev->vce.harvest_config & (1 << idx))
+ continue;
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, idx);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(idx));
+
+ if (adev->asic_type >= CHIP_STONEY)
+ WREG32_P(mmVCE_VCPU_CNTL, 0, ~0x200001);
+@@ -306,7 +313,7 @@ static int vce_v3_0_stop(struct amdgpu_d
+ vce_v3_0_set_vce_sw_clock_gating(adev, false);
+ }
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, 0);
++ WREG32(mmGRBM_GFX_INDEX, mmGRBM_GFX_INDEX_DEFAULT);
+ mutex_unlock(&adev->grbm_idx_mutex);
+
+ return 0;
+@@ -586,17 +593,17 @@ static bool vce_v3_0_check_soft_reset(vo
+ * VCE team suggest use bit 3--bit 6 for busy status check
+ */
+ mutex_lock(&adev->grbm_idx_mutex);
+- WREG32_FIELD(GRBM_GFX_INDEX, INSTANCE_INDEX, 0);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(0));
+ if (RREG32(mmVCE_STATUS) & AMDGPU_VCE_STATUS_BUSY_MASK) {
+ srbm_soft_reset = REG_SET_FIELD(srbm_soft_reset, SRBM_SOFT_RESET, SOFT_RESET_VCE0, 1);
+ srbm_soft_reset = REG_SET_FIELD(srbm_soft_reset, SRBM_SOFT_RESET, SOFT_RESET_VCE1, 1);
+ }
+- WREG32_FIELD(GRBM_GFX_INDEX, INSTANCE_INDEX, 0x10);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(1));
+ if (RREG32(mmVCE_STATUS) & AMDGPU_VCE_STATUS_BUSY_MASK) {
+ srbm_soft_reset = REG_SET_FIELD(srbm_soft_reset, SRBM_SOFT_RESET, SOFT_RESET_VCE0, 1);
+ srbm_soft_reset = REG_SET_FIELD(srbm_soft_reset, SRBM_SOFT_RESET, SOFT_RESET_VCE1, 1);
+ }
+- WREG32_FIELD(GRBM_GFX_INDEX, INSTANCE_INDEX, 0);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(0));
+ mutex_unlock(&adev->grbm_idx_mutex);
+
+ if (srbm_soft_reset) {
+@@ -734,7 +741,7 @@ static int vce_v3_0_set_clockgating_stat
+ if (adev->vce.harvest_config & (1 << i))
+ continue;
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, i);
++ WREG32(mmGRBM_GFX_INDEX, GET_VCE_INSTANCE(i));
+
+ if (enable) {
+ /* initialize VCE_CLOCK_GATING_A: Clock ON/OFF delay */
+@@ -753,7 +760,7 @@ static int vce_v3_0_set_clockgating_stat
+ vce_v3_0_set_vce_sw_clock_gating(adev, enable);
+ }
+
+- WREG32_FIELD(GRBM_GFX_INDEX, VCE_INSTANCE, 0);
++ WREG32(mmGRBM_GFX_INDEX, mmGRBM_GFX_INDEX_DEFAULT);
+ mutex_unlock(&adev->grbm_idx_mutex);
+
+ return 0;
diff --git a/queue-4.9/kvm-x86-fix-fixing-of-hypercalls.patch b/queue-4.9/kvm-x86-fix-fixing-of-hypercalls.patch
new file mode 100644
index 00000000000..d362803f6d9
--- /dev/null
+++ b/queue-4.9/kvm-x86-fix-fixing-of-hypercalls.patch
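Review bot: In drm-amdgpu-fix-program-vce-instance-logic-error.patch, the last write in the vce_v3_0_check_soft_reset hunk restores `GET_VCE_INSTANCE(0)`, while vce_v3_0_start, vce_v3_0_stop and vce_v3_0_set_clockgating_state all restore `mmGRBM_GFX_INDEX_DEFAULT` before releasing grbm_idx_mutex. If leaving the index register selecting instance 0 is not intended there, the final write should be `WREG32(mmGRBM_GFX_INDEX, mmGRBM_GFX_INDEX_DEFAULT);`; if it is intended, a one-line comment saying why this path differs would prevent a well-meant "fix" later. Separately, `mmGRBM_GFX_INDEX_DEFAULT` is a register value rather than an offset, so the `mm` prefix this file uses for offsets (`mmVCE_LMI_VCPU_CACHE_40BIT_BAR0`) makes `WREG32(mmGRBM_GFX_INDEX, mmGRBM_GFX_INDEX_DEFAULT)` read like a write of one offset to another. All of these functions begin and end outside their hunks.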
@@ -0,0 +1,55 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Dmitry Vyukov
+Date: Tue, 17 Jan 2017 14:51:04 +0100
+Subject: KVM: x86: fix fixing of hypercalls
+
+From: Dmitry Vyukov
+
+
+[ Upstream commit ce2e852ecc9a42e4b8dabb46025cfef63209234a ]
+
+emulator_fix_hypercall() replaces hypercall with vmcall instruction,
+but it does not handle GP exception properly when writes the new instruction.
+It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
+This leads to incorrect emulation and triggers
+WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
+as discovered by syzkaller fuzzer:
+
+WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
+Call Trace:
+ warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
+ x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
+ x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
+ emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
+ handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
+ vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
+ vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
+ vcpu_run arch/x86/kvm/x86.c:6947 [inline]
+
+Set exception information when write in emulator_fix_hypercall() fails.
+
+Signed-off-by: Dmitry Vyukov
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Wanpeng Li
+Cc: kvm@vger.kernel.org
+Cc: syzkaller@googlegroups.com
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6111,7 +6111,8 @@ static int emulator_fix_hypercall(struct
+
+ kvm_x86_ops->patch_hypercall(vcpu, instruction);
+
+- return emulator_write_emulated(ctxt, rip, instruction, 3, NULL);
++ return emulator_write_emulated(ctxt, rip, instruction, 3,
++ &ctxt->exception);
+ }
+
+ static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu)
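Review bot: The return statement in emulator_fix_hypercall() now relies on the last argument being non-NULL for correctness, and nothing at the call site records that. I would add a comment above it, `/* A failed write must fill ctxt->exception; otherwise X86EMUL_PROPAGATE_FAULT is returned with no vector set. */`, so a later cleanup does not pass NULL again. The commit message shows the missing exception state being reached by a fuzzer and tripping `WARN_ON(ctxt->exception.vector > 0x1f)`, which is the kind of invariant worth stating next to the code that upholds it. The start of the function is outside the hunk.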
diff --git a/queue-4.9/net-phy-dp83848-add-dp83620-phy-support.patch b/queue-4.9/net-phy-dp83848-add-dp83620-phy-support.patch
new file mode 100644
index 00000000000..f70e201ac3e
--- /dev/null
+++ b/queue-4.9/net-phy-dp83848-add-dp83620-phy-support.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: "Alvaro G. M"
+Date: Tue, 17 Jan 2017 09:08:16 +0100
+Subject: net: phy: dp83848: add DP83620 PHY support
+
+From: "Alvaro G. M"
+
+
+[ Upstream commit 93b43fd137cd8865adf9978ab9870a344365d3af ]
+
+This PHY with fiber support is register compatible with DP83848,
+so add support for it.
+
+Signed-off-by: Alvaro Gamez Machado
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83848.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/phy/dp83848.c
++++ b/drivers/net/phy/dp83848.c
+@@ -17,6 +17,7 @@
+ #include
+
+ #define TI_DP83848C_PHY_ID 0x20005ca0
++#define TI_DP83620_PHY_ID 0x20005ce0
+ #define NS_DP83848C_PHY_ID 0x20005c90
+ #define TLK10X_PHY_ID 0x2000a210
+ #define TI_DP83822_PHY_ID 0x2000a240
+@@ -77,6 +78,7 @@ static int dp83848_config_intr(struct ph
+ static struct mdio_device_id __maybe_unused dp83848_tbl[] = {
+ { TI_DP83848C_PHY_ID, 0xfffffff0 },
+ { NS_DP83848C_PHY_ID, 0xfffffff0 },
++ { TI_DP83620_PHY_ID, 0xfffffff0 },
+ { TLK10X_PHY_ID, 0xfffffff0 },
+ { TI_DP83822_PHY_ID, 0xfffffff0 },
+ { }
+@@ -106,6 +108,7 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
+ static struct phy_driver dp83848_driver[] = {
+ DP83848_PHY_DRIVER(TI_DP83848C_PHY_ID, "TI DP83848C 10/100 Mbps PHY"),
+ DP83848_PHY_DRIVER(NS_DP83848C_PHY_ID, "NS DP83848C 10/100 Mbps PHY"),
++ DP83848_PHY_DRIVER(TI_DP83620_PHY_ID, "TI DP83620 10/100 Mbps PHY"),
+ DP83848_PHY_DRIVER(TLK10X_PHY_ID, "TI TLK10X 10/100 Mbps PHY"),
+ DP83848_PHY_DRIVER(TI_DP83822_PHY_ID, "TI DP83822 10/100 Mbps PHY"),
+ };
diff --git a/queue-4.9/perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch b/queue-4.9/perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch
new file mode 100644
index 00000000000..9cfbd8a6ed0
--- /dev/null
+++ b/queue-4.9/perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch
@@ -0,0 +1,64 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Zhou Chengming
+Date: Mon, 16 Jan 2017 11:21:11 +0800
+Subject: perf/x86/intel: Handle exclusive threadid correctly on CPU hotplug
+
+From: Zhou Chengming
+
+
+[ Upstream commit 4e71de7986386d5fd3765458f27d612931f27f5e ]
+
+The CPU hotplug function intel_pmu_cpu_starting() sets
+cpu_hw_events.excl_thread_id unconditionally to 1 when the shared exclusive
+counters data structure is already availabe for the sibling thread.
+
+This works during the boot process because the first sibling gets threadid
+0 assigned and the second sibling which shares the data structure gets 1.
+
+But when the first thread of the core is offlined and onlined again it
+shares the data structure with the second thread and gets exclusive thread
+id 1 assigned as well.
+
+Prevent this by checking the threadid of the already online thread.
+
+[ tglx: Rewrote changelog ]
+
+Signed-off-by: Zhou Chengming
+Cc: NuoHan Qiao
+Cc: ak@linux.intel.com
+Cc: peterz@infradead.org
+Cc: kan.liang@intel.com
+Cc: dave.hansen@linux.intel.com
+Cc: eranian@google.com
+Cc: qiaonuohan@huawei.com
+Cc: davidcc@google.com
+Cc: guohanjun@huawei.com
+Link: http://lkml.kernel.org/r/1484536871-3131-1-git-send-email-zhouchengming1@huawei.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3164,13 +3164,16 @@ static void intel_pmu_cpu_starting(int c
+
+ if (x86_pmu.flags & PMU_FL_EXCL_CNTRS) {
+ for_each_cpu(i, topology_sibling_cpumask(cpu)) {
++ struct cpu_hw_events *sibling;
+ struct intel_excl_cntrs *c;
+
+- c = per_cpu(cpu_hw_events, i).excl_cntrs;
++ sibling = &per_cpu(cpu_hw_events, i);
++ c = sibling->excl_cntrs;
+ if (c && c->core_id == core_id) {
+ cpuc->kfree_on_online[1] = cpuc->excl_cntrs;
+ cpuc->excl_cntrs = c;
+- cpuc->excl_thread_id = 1;
++ if (!sibling->excl_thread_id)
++ cpuc->excl_thread_id = 1;
+ break;
+ }
+ }
diff --git a/queue-4.9/qla2xxx-fix-erroneous-invalid-handle-message.patch b/queue-4.9/qla2xxx-fix-erroneous-invalid-handle-message.patch
new file mode 100644
index 00000000000..e8077b8d251
--- /dev/null
+++ b/queue-4.9/qla2xxx-fix-erroneous-invalid-handle-message.patch
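Review bot: In perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch, the new `if (!sibling->excl_thread_id)` in intel_pmu_cpu_starting() only ever writes 1; when the sibling already holds id 1, `cpuc->excl_thread_id` keeps whatever value it had before, and the hunk does not show it being reset to 0 on the hotplug path. If no such reset exists elsewhere, a CPU that held id 1 in an earlier online cycle could still end up sharing it, so I would assign in both cases: `cpuc->excl_thread_id = sibling->excl_thread_id ? 0 : 1;`. If the reset does exist, a comment naming where it happens would make the one-sided assignment readable. The function begins above the hunk and continues past it.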
@@ -0,0 +1,55 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Quinn Tran
+Date: Fri, 23 Dec 2016 18:06:13 -0800
+Subject: qla2xxx: Fix erroneous invalid handle message
+
+From: Quinn Tran
+
+
+[ Upstream commit 4f060736f29a960aba8e781a88837464756200a8 ]
+
+Termination of Immediate Notify IOCB was using wrong
+IOCB handle. IOCB completion code was unable to find
+appropriate code path due to wrong handle.
+
+Following message is seen in the logs.
+
+"Error entry - invalid handle/queue (ffff)."
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Reviewed-by: Christoph Hellwig
+[ bvanassche: Fixed word order in patch title ]
+Signed-off-by: Bart Van Assche
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ++++
+ drivers/scsi/qla2xxx/qla_target.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2487,6 +2487,10 @@ qla2x00_error_entry(scsi_qla_host_t *vha
+ if (pkt->entry_status & RF_BUSY)
+ res = DID_BUS_BUSY << 16;
+
++ if (pkt->entry_type == NOTIFY_ACK_TYPE &&
++ pkt->handle == QLA_TGT_SKIP_HANDLE)
++ return;
++
+ sp = qla2x00_get_sp_from_handle(vha, func, req, pkt);
+ if (sp) {
+ sp->done(ha, sp, res);
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -3067,7 +3067,7 @@ static int __qlt_send_term_imm_notif(str
+
+ pkt->entry_type = NOTIFY_ACK_TYPE;
+ pkt->entry_count = 1;
+- pkt->handle = QLA_TGT_SKIP_HANDLE | CTIO_COMPLETION_HANDLE_MARK;
++ pkt->handle = QLA_TGT_SKIP_HANDLE;
+
+ nack = (struct nack_to_isp *)pkt;
+ nack->ox_id = ntfy->ox_id;
diff --git a/queue-4.9/qla2xxx-terminate-exchange-if-corrupted.patch b/queue-4.9/qla2xxx-terminate-exchange-if-corrupted.patch
new file mode 100644
index 00000000000..328714478fc
--- /dev/null
+++ b/queue-4.9/qla2xxx-terminate-exchange-if-corrupted.patch
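Review bot: The early `return` added to qla2x00_error_entry() in qla2xxx-fix-erroneous-invalid-handle-message.patch carries no comment, and the reason it is safe is only visible in the other file, where __qlt_send_term_imm_notif() now sets `pkt->handle = QLA_TGT_SKIP_HANDLE;` without `CTIO_COMPLETION_HANDLE_MARK`. The two sites must stay in step, so I would add above the check `/* NOTIFY_ACK sent by __qlt_send_term_imm_notif() uses QLA_TGT_SKIP_HANDLE; there is no handle to look up. */`. The check also sits after `res` has been computed and then discards it, so it would read better ahead of the status decoding, though that part of the function starts above the hunk.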
@@ -0,0 +1,113 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Quinn Tran
+Date: Fri, 23 Dec 2016 18:06:11 -0800
+Subject: qla2xxx: Terminate exchange if corrupted
+
+From: Quinn Tran
+
+
+[ Upstream commit 5f35509db179ca7ed1feaa4b14f841adb06ed220 ]
+
+Corrupted ATIO is defined as length of fcp_header & fcp_cmd
+payload is less than 0x38. It's the minimum size for a frame to
+carry 8..16 bytes SCSI CDB. The exchange will be dropped or
+terminated if corrupted.
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Reviewed-by: Christoph Hellwig
+[ bvanassche: Fixed spelling in patch title ]
+Signed-off-by: Bart Van Assche
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_def.h | 3 ++-
+ drivers/scsi/qla2xxx/qla_target.c | 23 ++++++++++++++++++++---
+ drivers/scsi/qla2xxx/qla_target.h | 22 +++++++++++++++++++++-
+ 3 files changed, 43 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -1555,7 +1555,8 @@ typedef struct {
+ struct atio {
+ uint8_t entry_type; /* Entry type. */
+ uint8_t entry_count; /* Entry count. */
+- uint8_t data[58];
++ __le16 attr_n_length;
++ uint8_t data[56];
+ uint32_t signature;
+ #define ATIO_PROCESSED 0xDEADDEAD /* Signature */
+ };
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -6463,12 +6463,29 @@ qlt_24xx_process_atio_queue(struct scsi_
+ if (!vha->flags.online)
+ return;
+
+- while (ha->tgt.atio_ring_ptr->signature != ATIO_PROCESSED) {
++ while ((ha->tgt.atio_ring_ptr->signature != ATIO_PROCESSED) ||
++ fcpcmd_is_corrupted(ha->tgt.atio_ring_ptr)) {
+ pkt = (struct atio_from_isp *)ha->tgt.atio_ring_ptr;
+ cnt = pkt->u.raw.entry_count;
+
+- qlt_24xx_atio_pkt_all_vps(vha, (struct atio_from_isp *)pkt,
+- ha_locked);
++ if (unlikely(fcpcmd_is_corrupted(ha->tgt.atio_ring_ptr))) {
++ /*
++ * This packet is corrupted. The header + payload
++ * can not be trusted. There is no point in passing
++ * it further up.
++ */
++ ql_log(ql_log_warn, vha, 0xffff,
++ "corrupted fcp frame SID[%3phN] OXID[%04x] EXCG[%x] %64phN\n",
++ pkt->u.isp24.fcp_hdr.s_id,
++ be16_to_cpu(pkt->u.isp24.fcp_hdr.ox_id),
++ le32_to_cpu(pkt->u.isp24.exchange_addr), pkt);
++
++ adjust_corrupted_atio(pkt);
++ qlt_send_term_exchange(vha, NULL, pkt, ha_locked, 0);
++ } else {
++ qlt_24xx_atio_pkt_all_vps(vha,
++ (struct atio_from_isp *)pkt, ha_locked);
++ }
+
+ for (i = 0; i < cnt; i++) {
+ ha->tgt.atio_ring_index++;
+--- a/drivers/scsi/qla2xxx/qla_target.h
++++ b/drivers/scsi/qla2xxx/qla_target.h
+@@ -427,13 +427,33 @@ struct atio_from_isp {
+ struct {
+ uint8_t entry_type; /* Entry type. */
+ uint8_t entry_count; /* Entry count. */
+- uint8_t data[58];
++ __le16 attr_n_length;
++#define FCP_CMD_LENGTH_MASK 0x0fff
++#define FCP_CMD_LENGTH_MIN 0x38
++ uint8_t data[56];
+ uint32_t signature;
+ #define ATIO_PROCESSED 0xDEADDEAD /* Signature */
+ } raw;
+ } u;
+ } __packed;
+
++static inline int fcpcmd_is_corrupted(struct atio *atio)
++{
++ if (atio->entry_type == ATIO_TYPE7 &&
++ (le16_to_cpu(atio->attr_n_length & FCP_CMD_LENGTH_MASK) <
++ FCP_CMD_LENGTH_MIN))
++ return 1;
++ else
++ return 0;
++}
++
++/* adjust corrupted atio so we won't trip over the same entry again. */
++static inline void adjust_corrupted_atio(struct atio_from_isp *atio)
++{
++ atio->u.raw.attr_n_length = cpu_to_le16(FCP_CMD_LENGTH_MIN);
++ atio->u.isp24.fcp_cmnd.add_cdb_len = 0;
++}
++
+ #define CTIO_TYPE7 0x12 /* Continue target I/O entry (for 24xx) */
+
+ /*
diff --git a/queue-4.9/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch b/queue-4.9/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
new file mode 100644
index 00000000000..a685c965fc8
--- /dev/null
+++ b/queue-4.9/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
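Review bot: fcpcmd_is_corrupted() in the qla_target.h hunk of qla2xxx-terminate-exchange-if-corrupted.patch applies the mask before the byte swap: `le16_to_cpu(atio->attr_n_length & FCP_CMD_LENGTH_MASK)` masks the raw `__le16` field with a CPU-order constant, so on a big-endian host the wrong bits are kept and the minimum-length test on a frame the code itself calls untrusted compares the wrong value. It should read `(le16_to_cpu(atio->attr_n_length) & FCP_CMD_LENGTH_MASK) < FCP_CMD_LENGTH_MIN`. In the qla_target.c hunk, the `ql_log(ql_log_warn, ...)` call dumps 64 bytes for every corrupted entry and no rate limit is visible in the hunk, so a peer that keeps sending short frames may be able to flood the log; a rate-limited variant or a counter would be safer if ql_log does not already throttle. The loop in qlt_24xx_process_atio_queue() continues past the end of the hunk.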
@@ -0,0 +1,38 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Johannes Thumshirn
+Date: Tue, 10 Jan 2017 12:05:54 +0100
+Subject: scsi: lpfc: Set elsiocb contexts to NULL after freeing it
+
+From: Johannes Thumshirn
+
+
+[ Upstream commit 8667f515952feefebb3c0f8d9a9266c91b101a46 ]
+
+Set the elsiocb contexts to NULL after freeing as others depend on it.
+
+Signed-off-by: Johannes Thumshirn
+Acked-by: Dick Kennedy
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -3590,12 +3590,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba
+ } else {
+ buf_ptr1 = (struct lpfc_dmabuf *) elsiocb->context2;
+ lpfc_els_free_data(phba, buf_ptr1);
++ elsiocb->context2 = NULL;
+ }
+ }
+
+ if (elsiocb->context3) {
+ buf_ptr = (struct lpfc_dmabuf *) elsiocb->context3;
+ lpfc_els_free_bpl(phba, buf_ptr);
++ elsiocb->context3 = NULL;
+ }
+ lpfc_sli_release_iocbq(phba, elsiocb);
+ return 0;
diff --git a/queue-4.9/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch b/queue-4.9/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
new file mode 100644
index 00000000000..faac4a02e2a
--- /dev/null
+++ b/queue-4.9/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
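Review bot: In scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch only the `else` arm of the context2 handling in lpfc_els_free_iocb() gains `elsiocb->context2 = NULL;`; the arm before `} else {` starts above the hunk, so it is not visible whether the pointer is cleared after the buffers are released there as well. If that arm frees what context2 points at, it needs the same assignment, otherwise the dangling pointer this patch removes survives on that path. A short comment at the first assignment, `/* callers test context2/context3 after this; do not leave freed pointers behind */`, would also record why the stores matter even though the iocb is released a few lines later.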
@@ -0,0 +1,37 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Damien Le Moal
+Date: Thu, 12 Jan 2017 15:25:10 +0900
+Subject: scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
+
+From: Damien Le Moal
+
+
+[ Upstream commit 26f2819772af891dee2843e1f8662c58e5129d5f ]
+
+Zoned block devices force the use of READ/WRITE(16) commands by setting
+sdkp->use_16_for_rw and clearing sdkp->use_10_for_rw. This result in
+DPOFUA always being disabled for these drives as the assumed use of
+the deprecated READ/WRITE(6) commands only looks at sdkp->use_10_for_rw.
+Strenghten the test by also checking that sdkp->use_16_for_rw is false.
+
+Signed-off-by: Damien Le Moal
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2572,7 +2572,8 @@ sd_read_cache_type(struct scsi_disk *sdk
+ if (sdp->broken_fua) {
+ sd_first_printk(KERN_NOTICE, sdkp, "Disabling FUA\n");
+ sdkp->DPOFUA = 0;
+- } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) {
++ } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw &&
++ !sdkp->device->use_16_for_rw) {
+ sd_first_printk(KERN_NOTICE, sdkp,
+ "Uses READ/WRITE(6), disabling FUA\n");
+ sdkp->DPOFUA = 0;
diff --git a/queue-4.9/series b/queue-4.9/series
index 158505890e4..97d1336811d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -57,3 +57,14 @@ net-phy-fix-sign-type-error-in-genphy_config_eee_advert.patch
 net-phy-use-boolean-dt-properties-for-eee-broken-modes.patch
 dt-bindings-net-use-boolean-dt-properties-for-eee-broken-modes.patch
 arm64-dts-meson-gxbb-odroidc2-fix-gbe-tx-link-breakage.patch
+xen-blkback-don-t-free-be-structure-too-early.patch
+kvm-x86-fix-fixing-of-hypercalls.patch
+scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
+stmmac-add-missing-of_node_put.patch
+scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
+qla2xxx-terminate-exchange-if-corrupted.patch
+qla2xxx-fix-erroneous-invalid-handle-message.patch
+drm-amdgpu-fix-program-vce-instance-logic-error.patch
+drm-amdgpu-add-support-for-new-hainan-variants.patch
+net-phy-dp83848-add-dp83620-phy-support.patch
+perf-x86-intel-handle-exclusive-threadid-correctly-on-cpu-hotplug.patch
diff --git a/queue-4.9/stmmac-add-missing-of_node_put.patch b/queue-4.9/stmmac-add-missing-of_node_put.patch
new file mode 100644
index 00000000000..1fe8d0f9058
--- /dev/null
+++ b/queue-4.9/stmmac-add-missing-of_node_put.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon Jul 3 11:12:14 CEST 2017
+From: Julia Lawall
+Date: Tue, 17 Jan 2017 12:23:21 +0100
+Subject: stmmac: add missing of_node_put
+
+From: Julia Lawall
+
+
+[ Upstream commit a249708bc2aa1fe3ddf15dfac22bee519d15996b ]
+
+The function stmmac_dt_phy provides several possibilities for initializing
+plat->mdio_node, all of which have the effect of increasing the reference
+count of the assigned value. This field is not updated elsewhere, so the
+value is live until the end of the lifetime of plat (devm_allocated), just
+after the end of stmmac_remove_config_dt. Thus, add an of_node_put on
+plat->mdio_node in stmmac_remove_config_dt. It is possible that the field
+mdio_node is never initialized, but of_node_put is NULL-safe, so it is also
+safe to call of_node_put in that case.
+
+Signed-off-by: Julia Lawall
+Acked-by: Alexandre TORGUE
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -346,6 +346,7 @@ void stmmac_remove_config_dt(struct plat
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(plat->phy_node);
++ of_node_put(plat->mdio_node);
+ }
+ #else
+ struct plat_stmmacenet_data *
diff --git a/queue-4.9/xen-blkback-don-t-free-be-structure-too-early.patch b/queue-4.9/xen-blkback-don-t-free-be-structure-too-early.patch
new file mode 100644
index 00000000000..b845c1cf3b9
--- /dev/null
+++ b/queue-4.9/xen-blkback-don-t-free-be-structure-too-early.patch
@@ -0,0 +1,51 @@
+From 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Thu, 18 May 2017 17:28:48 +0200
+Subject: xen/blkback: don't free be structure too early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross
+
+commit 71df1d7ccad1c36f7321d6b3b48f2ea42681c363 upstream.
+
+The be structure must not be freed when freeing the blkif structure
+isn't done. Otherwise a use-after-free of be when unmapping the ring
+used for communicating with the frontend will occur in case of a
+late call of xenblk_disconnect() (e.g. due to an I/O still active
+when trying to disconnect).
+
+Signed-off-by: Juergen Gross
+Tested-by: Steven Haigh
+Acked-by: Roger Pau Monné
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkback/xenbus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -315,8 +315,10 @@ static int xen_blkif_disconnect(struct x
+ static void xen_blkif_free(struct xen_blkif *blkif)
+ {
+
+- xen_blkif_disconnect(blkif);
++ WARN_ON(xen_blkif_disconnect(blkif));
+ xen_vbd_free(&blkif->vbd);
++ kfree(blkif->be->mode);
++ kfree(blkif->be);
+
+ /* Make sure everything is drained before shutting down */
+ kmem_cache_free(xen_blkif_cachep, blkif);
+@@ -511,8 +513,6 @@ static int xen_blkbk_remove(struct xenbu
+
+ /* Put the reference we set in xen_blkif_alloc(). */
+ xen_blkif_put(be->blkif);
+- kfree(be->mode);
+- kfree(be);
+ return 0;
+ }
+
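Review bot: xen_blkif_free() now wraps the disconnect in `WARN_ON(xen_blkif_disconnect(blkif));` but still goes on to `kfree(blkif->be)` and `kmem_cache_free(xen_blkif_cachep, blkif)` when the call reports failure. The commit message names I/O still in flight as the case where a disconnect cannot complete, and that is the case in which freeing be and blkif is unsafe, so on that path the warning records a use-after-free rather than preventing it; xen_blkif_disconnect()'s body is outside the hunk, so whether it can still fail once the last reference is gone needs confirming, and a comment stating that assumption belongs next to the WARN_ON. `blkif->be` is also dereferenced without a NULL check in `kfree(blkif->be->mode);`, which is only safe if every blkif reaching this function had be attached. In the xen_blkbk_remove hunk, be is now freed only through the blkif put, so any path where `be->blkif` was never set would leak be; the lines that would show this are above the hunk.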