From 174763a728bacac179033e85a3710d54b66b527d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 29 Apr 2018 13:49:25 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
kobject-don-t-use-warn-for-registration-failures.patch
mtd-rawnand-tango-fix-struct-clk-memory-leak.patch
scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch
vfio-ccw-process-ssch-with-interrupts-disabled.patch
---
...bfqq-pointers-when-preparing-request.patch | 48 ++++++++++++
...t-use-warn-for-registration-failures.patch | 47 +++++++++++
...and-tango-fix-struct-clk-memory-leak.patch | 34 ++++++++
...-drive-while-sanitize-is-in-progress.patch | 36 +++++++++
queue-4.14/series | 5 ++
...rocess-ssch-with-interrupts-disabled.patch | 78 +++++++++++++++++++
6 files changed, 248 insertions(+)
create mode 100644 queue-4.14/bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
create mode 100644 queue-4.14/kobject-don-t-use-warn-for-registration-failures.patch
create mode 100644 queue-4.14/mtd-rawnand-tango-fix-struct-clk-memory-leak.patch
create mode 100644 queue-4.14/scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch
create mode 100644 queue-4.14/vfio-ccw-process-ssch-with-interrupts-disabled.patch
diff --git a/queue-4.14/bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch b/queue-4.14/bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
new file mode 100644
index 00000000000..2abc4ec1034
--- /dev/null
+++ b/queue-4.14/bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
@@ -0,0 +1,48 @@
+From 72961c4e6082be79825265d9193272b8a1634dec Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 17 Apr 2018 17:08:52 -0600
+Subject: bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
+
+From: Jens Axboe
+
+commit 72961c4e6082be79825265d9193272b8a1634dec upstream.
+
+Even if we don't have an IO context attached to a request, we still
+need to clear the priv[0..1] pointers, as they could be pointing
+to previously used bic/bfqq structures. If we don't do so, we'll
+either corrupt memory on dispatching a request, or cause an
+imbalance in counters.
+
+Inspired by a fix from Kees.
+
+Reported-by: Oleksandr Natalenko
+Reported-by: Kees Cook
+Cc: stable@vger.kernel.org
+Fixes: aee69d78dec0 ("block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bfq-iosched.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -4447,8 +4447,16 @@ static void bfq_prepare_request(struct r
+ bool new_queue = false;
+ bool bfqq_already_existing = false, split = false;
+
+- if (!rq->elv.icq)
++ /*
++ * Even if we don't have an icq attached, we should still clear
++ * the scheduler pointers, as they might point to previously
++ * allocated bic/bfqq structs.
++ */
++ if (!rq->elv.icq) {
++ rq->elv.priv[0] = rq->elv.priv[1] = NULL;
+ return;
++ }
++
+ bic = icq_to_bic(rq->elv.icq);
+
+ spin_lock_irq(&bfqd->lock);
diff --git a/queue-4.14/kobject-don-t-use-warn-for-registration-failures.patch b/queue-4.14/kobject-don-t-use-warn-for-registration-failures.patch
new file mode 100644
index 00000000000..7b430e31a4a
--- /dev/null
+++ b/queue-4.14/kobject-don-t-use-warn-for-registration-failures.patch
@@ -0,0 +1,47 @@
+From 3e14c6abbfb5c94506edda9d8e2c145d79375798 Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov
+Date: Wed, 11 Apr 2018 17:22:43 +0200
+Subject: kobject: don't use WARN for registration failures
+
+From: Dmitry Vyukov
+
+commit 3e14c6abbfb5c94506edda9d8e2c145d79375798 upstream.
+
+This WARNING proved to be noisy. The function still returns an error
+and callers should handle it. That's how most of kernel code works.
+Downgrade the WARNING to pr_err() and leave WARNINGs for kernel bugs.
+
+Signed-off-by: Dmitry Vyukov
+Reported-by: syzbot+209c0f67f99fec8eb14b@syzkaller.appspotmail.com
+Reported-by: syzbot+7fb6d9525a4528104e05@syzkaller.appspotmail.com
+Reported-by: syzbot+2e63711063e2d8f9ea27@syzkaller.appspotmail.com
+Reported-by: syzbot+de73361ee4971b6e6f75@syzkaller.appspotmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/kobject.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -234,14 +234,12 @@ static int kobject_add_internal(struct k
+
+ /* be noisy on error issues */
+ if (error == -EEXIST)
+- WARN(1, "%s failed for %s with "
+- "-EEXIST, don't try to register things with "
+- "the same name in the same directory.\n",
+- __func__, kobject_name(kobj));
++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n",
++ __func__, kobject_name(kobj));
+ else
+- WARN(1, "%s failed for %s (error: %d parent: %s)\n",
+- __func__, kobject_name(kobj), error,
+- parent ? kobject_name(parent) : "'none'");
++ pr_err("%s failed for %s (error: %d parent: %s)\n",
++ __func__, kobject_name(kobj), error,
++ parent ? kobject_name(parent) : "'none'");
+ } else
+ kobj->state_in_sysfs = 1;
+
diff --git a/queue-4.14/mtd-rawnand-tango-fix-struct-clk-memory-leak.patch b/queue-4.14/mtd-rawnand-tango-fix-struct-clk-memory-leak.patch
new file mode 100644
index 00000000000..16f6be27b66
--- /dev/null
+++ b/queue-4.14/mtd-rawnand-tango-fix-struct-clk-memory-leak.patch
@@ -0,0 +1,34 @@
+From 007b4e8b705a4eff184d567c5a8b496622f9e116 Mon Sep 17 00:00:00 2001
+From: Marc Gonzalez
+Date: Thu, 5 Apr 2018 14:57:59 +0200
+Subject: mtd: rawnand: tango: Fix struct clk memory leak
+
+From: Marc Gonzalez
+
+commit 007b4e8b705a4eff184d567c5a8b496622f9e116 upstream.
+
+Use devm_clk_get() to let Linux manage struct clk memory.
+
+Fixes: 6956e2385a16 ("add tango NAND flash controller support")
+Cc: stable@vger.kernel.org
+Reported-by: Xidong Wang
+Signed-off-by: Marc Gonzalez
+Reviewed-by: Miquel Raynal
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/tango_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/tango_nand.c
++++ b/drivers/mtd/nand/tango_nand.c
+@@ -654,7 +654,7 @@ static int tango_nand_probe(struct platf
+
+ writel_relaxed(MODE_RAW, nfc->pbus_base + PBUS_PAD_MODE);
+
+- clk = clk_get(&pdev->dev, NULL);
++ clk = devm_clk_get(&pdev->dev, NULL);
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+
diff --git a/queue-4.14/scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch b/queue-4.14/scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch
new file mode 100644
index 00000000000..27a640fc791
--- /dev/null
+++ b/queue-4.14/scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch
@@ -0,0 +1,36 @@
+From 505aa4b6a8834a2300971c5220c380c3271ebde3 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara
+Date: Tue, 17 Apr 2018 17:03:12 +0530
+Subject: scsi: sd: Defer spinning up drive while SANITIZE is in progress
+
+From: Mahesh Rajashekhara
+
+commit 505aa4b6a8834a2300971c5220c380c3271ebde3 upstream.
+
+A drive being sanitized will return NOT READY / ASC 0x4 / ASCQ
+0x1b ("LOGICAL UNIT NOT READY. SANITIZE IN PROGRESS").
+
+Prevent spinning up the drive until this condition clears.
+
+[mkp: tweaked commit message]
+
+Signed-off-by: Mahesh Rajashekhara
+Cc:
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2132,6 +2132,8 @@ sd_spinup_disk(struct scsi_disk *sdkp)
+ break; /* standby */
+ if (sshdr.asc == 4 && sshdr.ascq == 0xc)
+ break; /* unavailable */
++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b)
++ break; /* sanitize in progress */
+ /*
+ * Issue command to spin up drive when not ready
+ */
diff --git a/queue-4.14/series b/queue-4.14/series
index dc87d799a9e..cb137c6d9a5 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -51,3 +51,8 @@ mtd-spi-nor-cadence-quadspi-fix-page-fault-kernel-panic.patch
 mtd-cfi-cmdset_0001-do-not-allow-read-write-to-suspend-erase-block.patch
 mtd-cfi-cmdset_0001-workaround-micron-erase-suspend-bug.patch
 mtd-cfi-cmdset_0002-do-not-allow-read-write-to-suspend-erase-block.patch
+mtd-rawnand-tango-fix-struct-clk-memory-leak.patch
+kobject-don-t-use-warn-for-registration-failures.patch
+scsi-sd-defer-spinning-up-drive-while-sanitize-is-in-progress.patch
+bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
+vfio-ccw-process-ssch-with-interrupts-disabled.patch
diff --git a/queue-4.14/vfio-ccw-process-ssch-with-interrupts-disabled.patch b/queue-4.14/vfio-ccw-process-ssch-with-interrupts-disabled.patch
new file mode 100644
index 00000000000..7f3de2799ca
--- /dev/null
+++ b/queue-4.14/vfio-ccw-process-ssch-with-interrupts-disabled.patch
@@ -0,0 +1,78 @@
+From 3368e547c52b96586f0edf9657ca12b94d8e61a7 Mon Sep 17 00:00:00 2001
+From: Cornelia Huck
+Date: Fri, 20 Apr 2018 10:24:04 +0200
+Subject: vfio: ccw: process ssch with interrupts disabled
+
+From: Cornelia Huck
+
+commit 3368e547c52b96586f0edf9657ca12b94d8e61a7 upstream.
+
+When we call ssch, an interrupt might already be pending once we
+return from the START SUBCHANNEL instruction. Therefore we need to
+make sure interrupts are disabled while holding the subchannel lock
+until after we're done with our processing.
+
+Cc: stable@vger.kernel.org #v4.12+
+Reviewed-by: Dong Jia Shi
+Acked-by: Halil Pasic
+Acked-by: Pierre Morel
+Signed-off-by: Cornelia Huck
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/cio/vfio_ccw_fsm.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/cio/vfio_ccw_fsm.c
++++ b/drivers/s390/cio/vfio_ccw_fsm.c
+@@ -20,12 +20,12 @@ static int fsm_io_helper(struct vfio_ccw
+ int ccode;
+ __u8 lpm;
+ unsigned long flags;
++ int ret;
+
+ sch = private->sch;
+
+ spin_lock_irqsave(sch->lock, flags);
+ private->state = VFIO_CCW_STATE_BUSY;
+- spin_unlock_irqrestore(sch->lock, flags);
+
+ orb = cp_get_orb(&private->cp, (u32)(addr_t)sch, sch->lpm);
+
+@@ -38,10 +38,12 @@ static int fsm_io_helper(struct vfio_ccw
+ * Initialize device status information
+ */
+ sch->schib.scsw.cmd.actl |= SCSW_ACTL_START_PEND;
+- return 0;
++ ret = 0;
++ break;
+ case 1: /* Status pending */
+ case 2: /* Busy */
+- return -EBUSY;
++ ret = -EBUSY;
++ break;
+ case 3: /* Device/path not operational */
+ {
+ lpm = orb->cmd.lpm;
+@@ -51,13 +53,16 @@ static int fsm_io_helper(struct vfio_ccw
+ sch->lpm = 0;
+
+ if (cio_update_schib(sch))
+- return -ENODEV;
+-
+- return sch->lpm ? -EACCES : -ENODEV;
++ ret = -ENODEV;
++ else
++ ret = sch->lpm ? -EACCES : -ENODEV;
++ break;
+ }
+ default:
+- return ccode;
++ ret = ccode;
+ }
++ spin_unlock_irqrestore(sch->lock, flags);
++ return ret;
+ }
+
+ static void fsm_notoper(struct vfio_ccw_private *private,
-- 
2.47.3