From 1fc86665aefdd117e17284d021b053b7c5cc4b96 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 10 Feb 2017 14:35:56 +0100 Subject: [PATCH] 4.9-stable patches added patches: acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch crypto-algif_aead-fix-kernel-panic-on-list_del.patch crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch crypto-ccp-fix-double-add-when-creating-new-dma-command.patch crypto-chcr-check-device-is-allocated-before-use.patch crypto-qat-fix-bar-discovery-for-c62x.patch crypto-qat-zero-esram-only-for-dh85x-devices.patch dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch libnvdimm-namespace-do-not-delete-namespace-id-0.patch libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch selinux-fix-off-by-one-in-setprocattr.patch --- ...nfit-fix-acpi_nfit_flush_probe-crash.patch | 61 ++++++++++ ...in-unaligned-access-delay-slot-fixup.patch | 32 ++++++ ...sable-energy-efficiency-optimization.patch | 108 ++++++++++++++++++ ...if_aead-fix-kernel-panic-on-list_del.patch | 37 ++++++ ...dma-operations-when-iommu-is-enabled.patch | 34 ++++++ ...le-add-when-creating-new-dma-command.patch | 75 ++++++++++++ ...check-device-is-allocated-before-use.patch | 64 +++++++++++ ...rypto-qat-fix-bar-discovery-for-c62x.patch | 42 +++++++ ...at-zero-esram-only-for-dh85x-devices.patch | 40 +++++++ ...struction-while-in-dm_old_request_fn.patch | 34 ++++++ ...h-when-mixing-old-and-new-init-style.patch | 63 ++++++++++ ...mespace-do-not-delete-namespace-id-0.patch | 86 ++++++++++++++ ...reservation-size-versus-4k-alignment.patch | 52 +++++++++ ...elinux-fix-off-by-one-in-setprocattr.patch | 65 +++++++++++ 14 files changed, 793 insertions(+) create mode 100644 queue-4.9/acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch create mode 100644 queue-4.9/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch create mode 100644 queue-4.9/cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch create mode 100644 queue-4.9/crypto-algif_aead-fix-kernel-panic-on-list_del.patch create mode 100644 queue-4.9/crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch create mode 100644 queue-4.9/crypto-ccp-fix-double-add-when-creating-new-dma-command.patch create mode 100644 queue-4.9/crypto-chcr-check-device-is-allocated-before-use.patch create mode 100644 queue-4.9/crypto-qat-fix-bar-discovery-for-c62x.patch create mode 100644 queue-4.9/crypto-qat-zero-esram-only-for-dh85x-devices.patch create mode 100644 queue-4.9/dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch create mode 100644 queue-4.9/input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch create mode 100644 queue-4.9/libnvdimm-namespace-do-not-delete-namespace-id-0.patch create mode 100644 queue-4.9/libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch create mode 100644 queue-4.9/selinux-fix-off-by-one-in-setprocattr.patch diff --git a/queue-4.9/acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch b/queue-4.9/acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch new file mode 100644 index 00000000000..962fdc6458e --- /dev/null +++ b/queue-4.9/acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch @@ -0,0 +1,61 @@ +From e471486c13b82b1338d49c798f78bb62b1ed0a9e Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 2 Feb 2017 10:31:00 -0800 +Subject: acpi, nfit: fix acpi_nfit_flush_probe() crash + +From: Dan Williams + +commit e471486c13b82b1338d49c798f78bb62b1ed0a9e upstream. + +We queue an on-stack work item to 'nfit_wq' and wait for it to complete +as part of a 'flush_probe' request. However, if the user cancels the +wait we need to make sure the item is flushed from the queue otherwise +we are leaving an out-of-scope stack address on the work list. + + BUG: unable to handle kernel paging request at ffffbcb3c72f7cd0 + IP: [] __list_add+0x1b/0xb0 + [..] + RIP: 0010:[] [] __list_add+0x1b/0xb0 + RSP: 0018:ffffbcb3c7ba7c00 EFLAGS: 00010046 + [..] + Call Trace: + [] insert_work+0x3a/0xc0 + [] ? seq_open+0x5a/0xa0 + [] __queue_work+0x16a/0x460 + [] queue_work_on+0x38/0x40 + [] acpi_nfit_flush_probe+0x95/0xc0 [nfit] + [] ? nfit_visible+0x40/0x40 [nfit] + [] wait_probe_show+0x25/0x60 + [] dev_attr_show+0x20/0x50 + +Fixes: 7ae0fa439faf ("nfit, libnvdimm: async region scrub workqueue") +Reviewed-by: Vishal Verma +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/nfit/core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -2704,6 +2704,7 @@ static int acpi_nfit_flush_probe(struct + struct acpi_nfit_desc *acpi_desc = to_acpi_nfit_desc(nd_desc); + struct device *dev = acpi_desc->dev; + struct acpi_nfit_flush_work flush; ++ int rc; + + /* bounce the device lock to flush acpi_nfit_add / acpi_nfit_notify */ + device_lock(dev); +@@ -2716,7 +2717,10 @@ static int acpi_nfit_flush_probe(struct + INIT_WORK_ONSTACK(&flush.work, flush_probe); + COMPLETION_INITIALIZER_ONSTACK(flush.cmp); + queue_work(nfit_wq, &flush.work); +- return wait_for_completion_interruptible(&flush.cmp); ++ ++ rc = wait_for_completion_interruptible(&flush.cmp); ++ cancel_work_sync(&flush.work); ++ return rc; + } + + static int acpi_nfit_clear_to_send(struct nvdimm_bus_descriptor *nd_desc, diff --git a/queue-4.9/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch b/queue-4.9/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch new file mode 100644 index 00000000000..9450c881467 --- /dev/null +++ b/queue-4.9/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch @@ -0,0 +1,32 @@ +From a524c218bc94c705886a0e0fedeee45d1931da32 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 7 Feb 2017 09:44:58 -0800 +Subject: ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup + +From: Vineet Gupta + +commit a524c218bc94c705886a0e0fedeee45d1931da32 upstream. + +Reported-by: Jo-Philipp Wich +Fixes: 9aed02feae57bf7 ("ARC: [arcompact] handle unaligned access delay slot") +Cc: linux-kernel@vger.kernel.org +Cc: linux-snps-arc@lists.infradead.org +Signed-off-by: Vineet Gupta +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/unaligned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/kernel/unaligned.c ++++ b/arch/arc/kernel/unaligned.c +@@ -243,7 +243,7 @@ int misaligned_fixup(unsigned long addre + + /* clear any remanants of delay slot */ + if (delay_mode(regs)) { +- regs->ret = regs->bta ~1U; ++ regs->ret = regs->bta & ~1U; + regs->status32 &= ~STATUS_DE_MASK; + } else { + regs->ret += state.instr_len; diff --git a/queue-4.9/cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch b/queue-4.9/cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch new file mode 100644 index 00000000000..536cb553d75 --- /dev/null +++ b/queue-4.9/cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch @@ -0,0 +1,108 @@ +From 6e978b22efa1db9f6e71b24440b5f1d93e968ee3 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Fri, 3 Feb 2017 14:18:39 -0800 +Subject: cpufreq: intel_pstate: Disable energy efficiency optimization + +From: Srinivas Pandruvada + +commit 6e978b22efa1db9f6e71b24440b5f1d93e968ee3 upstream. + +Some Kabylake desktop processors may not reach max turbo when running in +HWP mode, even if running under sustained 100% utilization. + +This occurs when the HWP.EPP (Energy Performance Preference) is set to +"balance_power" (0x80) -- the default on most systems. + +It occurs because the platform BIOS may erroneously enable an +energy-efficiency setting -- MSR_IA32_POWER_CTL BIT-EE, which is not +recommended to be enabled on this SKU. + +On the failing systems, this BIOS issue was not discovered when the +desktop motherboard was tested with Windows, because the BIOS also +neglects to provide the ACPI/CPPC table, that Windows requires to enable +HWP, and so Windows runs in legacy P-state mode, where this setting has +no effect. + +Linux' intel_pstate driver does not require ACPI/CPPC to enable HWP, and +so it runs in HWP mode, exposing this incorrect BIOS configuration. + +There are several ways to address this problem. + +First, Linux can also run in legacy P-state mode on this system. +As intel_pstate is how Linux enables HWP, booting with +"intel_pstate=disable" +will run in acpi-cpufreq/ondemand legacy p-state mode. + +Or second, the "performance" governor can be used with intel_pstate, +which will modify HWP.EPP to 0. + +Or third, starting in 4.10, the +/sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference +attribute in can be updated from "balance_power" to "performance". + +Or fourth, apply this patch, which fixes the erroneous setting of +MSR_IA32_POWER_CTL BIT_EE on this model, allowing the default +configuration to function as designed. + +Signed-off-by: Srinivas Pandruvada +Reviewed-by: Len Brown +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -820,6 +820,25 @@ static void intel_pstate_hwp_enable(stru + wrmsrl_on_cpu(cpudata->cpu, MSR_PM_ENABLE, 0x1); + } + ++#define MSR_IA32_POWER_CTL_BIT_EE 19 ++ ++/* Disable energy efficiency optimization */ ++static void intel_pstate_disable_ee(int cpu) ++{ ++ u64 power_ctl; ++ int ret; ++ ++ ret = rdmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, &power_ctl); ++ if (ret) ++ return; ++ ++ if (!(power_ctl & BIT(MSR_IA32_POWER_CTL_BIT_EE))) { ++ pr_info("Disabling energy efficiency optimization\n"); ++ power_ctl |= BIT(MSR_IA32_POWER_CTL_BIT_EE); ++ wrmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, power_ctl); ++ } ++} ++ + static int atom_get_min_pstate(void) + { + u64 value; +@@ -1420,6 +1439,11 @@ static const struct x86_cpu_id intel_pst + {} + }; + ++static const struct x86_cpu_id intel_pstate_cpu_ee_disable_ids[] = { ++ ICPU(INTEL_FAM6_KABYLAKE_DESKTOP, core_params), ++ {} ++}; ++ + static int intel_pstate_init_cpu(unsigned int cpunum) + { + struct cpudata *cpu; +@@ -1435,6 +1459,12 @@ static int intel_pstate_init_cpu(unsigne + cpu->cpu = cpunum; + + if (hwp_active) { ++ const struct x86_cpu_id *id; ++ ++ id = x86_match_cpu(intel_pstate_cpu_ee_disable_ids); ++ if (id) ++ intel_pstate_disable_ee(cpunum); ++ + intel_pstate_hwp_enable(cpu); + pid_params.sample_rate_ms = 50; + pid_params.sample_rate_ns = 50 * NSEC_PER_MSEC; diff --git a/queue-4.9/crypto-algif_aead-fix-kernel-panic-on-list_del.patch b/queue-4.9/crypto-algif_aead-fix-kernel-panic-on-list_del.patch new file mode 100644 index 00000000000..fef3b80c627 --- /dev/null +++ b/queue-4.9/crypto-algif_aead-fix-kernel-panic-on-list_del.patch @@ -0,0 +1,37 @@ +From 0b529f143e8baad441a5aac9ad55ec2434d8fb46 Mon Sep 17 00:00:00 2001 +From: Harsh Jain +Date: Wed, 1 Feb 2017 21:10:28 +0530 +Subject: crypto: algif_aead - Fix kernel panic on list_del +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Harsh Jain + +commit 0b529f143e8baad441a5aac9ad55ec2434d8fb46 upstream. + +Kernel panics when userspace program try to access AEAD interface. +Remove node from Linked List before freeing its memory. + +Signed-off-by: Harsh Jain +Reviewed-by: Stephan Müller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -671,9 +671,9 @@ static int aead_recvmsg_sync(struct sock + unlock: + list_for_each_entry_safe(rsgl, tmp, &ctx->list, list) { + af_alg_free_sg(&rsgl->sgl); ++ list_del(&rsgl->list); + if (rsgl != &ctx->first_rsgl) + sock_kfree_s(sk, rsgl, sizeof(*rsgl)); +- list_del(&rsgl->list); + } + INIT_LIST_HEAD(&ctx->list); + aead_wmem_wakeup(sk); diff --git a/queue-4.9/crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch b/queue-4.9/crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch new file mode 100644 index 00000000000..c555e0b3b9f --- /dev/null +++ b/queue-4.9/crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch @@ -0,0 +1,34 @@ +From 500c0106e638e08c2c661c305ed57d6b67e10908 Mon Sep 17 00:00:00 2001 +From: Gary R Hook +Date: Fri, 27 Jan 2017 15:28:45 -0600 +Subject: crypto: ccp - Fix DMA operations when IOMMU is enabled + +From: Gary R Hook + +commit 500c0106e638e08c2c661c305ed57d6b67e10908 upstream. + +An I/O page fault occurs when the IOMMU is enabled on a +system that supports the v5 CCP. DMA operations use a +Request ID value that does not match what is expected by +the IOMMU, resulting in the I/O page fault. Setting the +Request ID value to 0 corrects this issue. + +Signed-off-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dev-v5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/ccp-dev-v5.c ++++ b/drivers/crypto/ccp/ccp-dev-v5.c +@@ -955,7 +955,7 @@ static irqreturn_t ccp5_irq_handler(int + static void ccp5_config(struct ccp_device *ccp) + { + /* Public side */ +- iowrite32(0x00001249, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET); ++ iowrite32(0x0, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET); + } + + static void ccp5other_config(struct ccp_device *ccp) diff --git a/queue-4.9/crypto-ccp-fix-double-add-when-creating-new-dma-command.patch b/queue-4.9/crypto-ccp-fix-double-add-when-creating-new-dma-command.patch new file mode 100644 index 00000000000..c4a8639785c --- /dev/null +++ b/queue-4.9/crypto-ccp-fix-double-add-when-creating-new-dma-command.patch @@ -0,0 +1,75 @@ +From e5da5c5667381d2772374ee6a2967b3576c9483d Mon Sep 17 00:00:00 2001 +From: Gary R Hook +Date: Fri, 27 Jan 2017 17:09:04 -0600 +Subject: crypto: ccp - Fix double add when creating new DMA command + +From: Gary R Hook + +commit e5da5c5667381d2772374ee6a2967b3576c9483d upstream. + +Eliminate a double-add by creating a new list to manage +command descriptors when created; move the descriptor to +the pending list when the command is submitted. + +Signed-off-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dev.h | 1 + + drivers/crypto/ccp/ccp-dmaengine.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/ccp-dev.h ++++ b/drivers/crypto/ccp/ccp-dev.h +@@ -238,6 +238,7 @@ struct ccp_dma_chan { + struct ccp_device *ccp; + + spinlock_t lock; ++ struct list_head created; + struct list_head pending; + struct list_head active; + struct list_head complete; +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -63,6 +63,7 @@ static void ccp_free_chan_resources(stru + ccp_free_desc_resources(chan->ccp, &chan->complete); + ccp_free_desc_resources(chan->ccp, &chan->active); + ccp_free_desc_resources(chan->ccp, &chan->pending); ++ ccp_free_desc_resources(chan->ccp, &chan->created); + + spin_unlock_irqrestore(&chan->lock, flags); + } +@@ -273,6 +274,7 @@ static dma_cookie_t ccp_tx_submit(struct + spin_lock_irqsave(&chan->lock, flags); + + cookie = dma_cookie_assign(tx_desc); ++ list_del(&desc->entry); + list_add_tail(&desc->entry, &chan->pending); + + spin_unlock_irqrestore(&chan->lock, flags); +@@ -426,7 +428,7 @@ static struct ccp_dma_desc *ccp_create_d + + spin_lock_irqsave(&chan->lock, sflags); + +- list_add_tail(&desc->entry, &chan->pending); ++ list_add_tail(&desc->entry, &chan->created); + + spin_unlock_irqrestore(&chan->lock, sflags); + +@@ -610,6 +612,7 @@ static int ccp_terminate_all(struct dma_ + /*TODO: Purge the complete list? */ + ccp_free_desc_resources(chan->ccp, &chan->active); + ccp_free_desc_resources(chan->ccp, &chan->pending); ++ ccp_free_desc_resources(chan->ccp, &chan->created); + + spin_unlock_irqrestore(&chan->lock, flags); + +@@ -679,6 +682,7 @@ int ccp_dmaengine_register(struct ccp_de + chan->ccp = ccp; + + spin_lock_init(&chan->lock); ++ INIT_LIST_HEAD(&chan->created); + INIT_LIST_HEAD(&chan->pending); + INIT_LIST_HEAD(&chan->active); + INIT_LIST_HEAD(&chan->complete); diff --git a/queue-4.9/crypto-chcr-check-device-is-allocated-before-use.patch b/queue-4.9/crypto-chcr-check-device-is-allocated-before-use.patch new file mode 100644 index 00000000000..e38e2f08212 --- /dev/null +++ b/queue-4.9/crypto-chcr-check-device-is-allocated-before-use.patch @@ -0,0 +1,64 @@ +From f5f7bebc91ab378dea5aad5277c4d283e46472d9 Mon Sep 17 00:00:00 2001 +From: Harsh Jain +Date: Tue, 24 Jan 2017 10:34:33 +0530 +Subject: crypto: chcr - Check device is allocated before use + +From: Harsh Jain + +commit f5f7bebc91ab378dea5aad5277c4d283e46472d9 upstream. + +Ensure dev is allocated for crypto uld context before using the device +for crypto operations. + +Signed-off-by: Atul Gupta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/chelsio/chcr_core.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/drivers/crypto/chelsio/chcr_core.c ++++ b/drivers/crypto/chelsio/chcr_core.c +@@ -51,6 +51,7 @@ static struct cxgb4_uld_info chcr_uld_in + int assign_chcr_device(struct chcr_dev **dev) + { + struct uld_ctx *u_ctx; ++ int ret = -ENXIO; + + /* + * Which device to use if multiple devices are available TODO +@@ -58,15 +59,14 @@ int assign_chcr_device(struct chcr_dev * + * must go to the same device to maintain the ordering. + */ + mutex_lock(&dev_mutex); /* TODO ? */ +- u_ctx = list_first_entry(&uld_ctx_list, struct uld_ctx, entry); +- if (!u_ctx) { +- mutex_unlock(&dev_mutex); +- return -ENXIO; ++ list_for_each_entry(u_ctx, &uld_ctx_list, entry) ++ if (u_ctx && u_ctx->dev) { ++ *dev = u_ctx->dev; ++ ret = 0; ++ break; + } +- +- *dev = u_ctx->dev; + mutex_unlock(&dev_mutex); +- return 0; ++ return ret; + } + + static int chcr_dev_add(struct uld_ctx *u_ctx) +@@ -203,10 +203,8 @@ static int chcr_uld_state_change(void *h + + static int __init chcr_crypto_init(void) + { +- if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) { ++ if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) + pr_err("ULD register fail: No chcr crypto support in cxgb4"); +- return -1; +- } + + return 0; + } diff --git a/queue-4.9/crypto-qat-fix-bar-discovery-for-c62x.patch b/queue-4.9/crypto-qat-fix-bar-discovery-for-c62x.patch new file mode 100644 index 00000000000..64b28324219 --- /dev/null +++ b/queue-4.9/crypto-qat-fix-bar-discovery-for-c62x.patch @@ -0,0 +1,42 @@ +From 3484ecbe0e9deb94afb0b9b6172d77e98eb72b94 Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Thu, 22 Dec 2016 15:00:12 +0000 +Subject: crypto: qat - fix bar discovery for c62x + +From: Giovanni Cabiddu + +commit 3484ecbe0e9deb94afb0b9b6172d77e98eb72b94 upstream. + +Some accelerators of the c62x series have only two bars. +This patch skips BAR0 if the accelerator does not have it. + +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_c62x/adf_drv.c | 2 +- + drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/qat/qat_c62x/adf_drv.c ++++ b/drivers/crypto/qat/qat_c62x/adf_drv.c +@@ -233,7 +233,7 @@ static int adf_probe(struct pci_dev *pde + &hw_data->accel_capabilities_mask); + + /* Find and map all the device's BARS */ +- i = 0; ++ i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0; + bar_mask = pci_select_bars(pdev, IORESOURCE_MEM); + for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask, + ADF_PCI_MAX_BARS * 2) { +--- a/drivers/crypto/qat/qat_common/adf_accel_devices.h ++++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h +@@ -69,6 +69,7 @@ + #define ADF_ERRSOU5 (0x3A000 + 0xD8) + #define ADF_DEVICE_FUSECTL_OFFSET 0x40 + #define ADF_DEVICE_LEGFUSE_OFFSET 0x4C ++#define ADF_DEVICE_FUSECTL_MASK 0x80000000 + #define ADF_PCI_MAX_BARS 3 + #define ADF_DEVICE_NAME_LENGTH 32 + #define ADF_ETR_MAX_RINGS_PER_BANK 16 diff --git a/queue-4.9/crypto-qat-zero-esram-only-for-dh85x-devices.patch b/queue-4.9/crypto-qat-zero-esram-only-for-dh85x-devices.patch new file mode 100644 index 00000000000..b58b1269503 --- /dev/null +++ b/queue-4.9/crypto-qat-zero-esram-only-for-dh85x-devices.patch @@ -0,0 +1,40 @@ +From 685ce0626840e2673fe64ea8807684f7324fec5f Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Thu, 22 Dec 2016 15:00:24 +0000 +Subject: crypto: qat - zero esram only for DH85x devices + +From: Giovanni Cabiddu + +commit 685ce0626840e2673fe64ea8807684f7324fec5f upstream. + +Zero embedded ram in DH85x devices. This is not +needed for newer generations as it is done by HW. + +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_common/qat_hal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/qat/qat_common/qat_hal.c ++++ b/drivers/crypto/qat/qat_common/qat_hal.c +@@ -456,7 +456,7 @@ static int qat_hal_init_esram(struct icp + unsigned int csr_val; + int times = 30; + +- if (handle->pci_dev->device == ADF_C3XXX_PCI_DEVICE_ID) ++ if (handle->pci_dev->device != ADF_DH895XCC_PCI_DEVICE_ID) + return 0; + + csr_val = ADF_CSR_RD(csr_addr, 0); +@@ -716,7 +716,7 @@ int qat_hal_init(struct adf_accel_dev *a + (void __iomem *)((uintptr_t)handle->hal_cap_ae_xfer_csr_addr_v + + LOCAL_TO_XFER_REG_OFFSET); + handle->pci_dev = pci_info->pci_dev; +- if (handle->pci_dev->device != ADF_C3XXX_PCI_DEVICE_ID) { ++ if (handle->pci_dev->device == ADF_DH895XCC_PCI_DEVICE_ID) { + sram_bar = + &pci_info->pci_bars[hw_data->get_sram_bar_id(hw_data)]; + handle->hal_sram_addr_v = sram_bar->virt_addr; diff --git a/queue-4.9/dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch b/queue-4.9/dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch new file mode 100644 index 00000000000..342985ad94e --- /dev/null +++ b/queue-4.9/dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch @@ -0,0 +1,34 @@ +From 4087a1fffe38106e10646606a27f10d40451862d Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Wed, 25 Jan 2017 16:24:52 +0100 +Subject: dm rq: cope with DM device destruction while in dm_old_request_fn() + +From: Mike Snitzer + +commit 4087a1fffe38106e10646606a27f10d40451862d upstream. + +Fixes a crash in dm_table_find_target() due to a NULL struct dm_table +being passed from dm_old_request_fn() that races with DM device +destruction. + +Reported-by: artem@flashgrid.io +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-rq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/md/dm-rq.c ++++ b/drivers/md/dm-rq.c +@@ -804,6 +804,10 @@ static void dm_old_request_fn(struct req + int srcu_idx; + struct dm_table *map = dm_get_live_table(md, &srcu_idx); + ++ if (unlikely(!map)) { ++ dm_put_live_table(md, srcu_idx); ++ return; ++ } + ti = dm_table_find_target(map, pos); + dm_put_live_table(md, srcu_idx); + } diff --git a/queue-4.9/input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch b/queue-4.9/input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch new file mode 100644 index 00000000000..7e2002f33a5 --- /dev/null +++ b/queue-4.9/input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch @@ -0,0 +1,63 @@ +From 601bbbe0517303c9f8eb3d75e11d64efed1293c9 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 31 Jan 2017 14:56:43 -0800 +Subject: Input: uinput - fix crash when mixing old and new init style + +From: Dmitry Torokhov + +commit 601bbbe0517303c9f8eb3d75e11d64efed1293c9 upstream. + +If user tries to initialize uinput device mixing old and new style +initialization (i.e. using old UI_SET_ABSBIT instead of UI_ABS_SETUP, +we forget to allocate input->absinfo and will crash when trying to send +absolute events: + + ioctl(ui, UI_DEV_SETUP, &us); + ioctl(ui, UI_SET_PHYS, "Test"); + + ioctl(ui, UI_SET_EVBIT, EV_ABS); + ioctl(ui, UI_SET_ABSBIT, ABS_X); + ioctl(ui, UI_SET_ABSBIT, ABS_Y); + ioctl(ui, UI_DEV_CREATE, 0); + +Reported-by: Rodrigo Rivas Costa +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191811 +Fixes: fbae10db0940 ("Input: uinput - rework ABS validation") +Reviewed-by: Benjamin Tissoires +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/uinput.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -263,13 +263,21 @@ static int uinput_create_device(struct u + return -EINVAL; + } + +- if (test_bit(ABS_MT_SLOT, dev->absbit)) { +- nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; +- error = input_mt_init_slots(dev, nslot, 0); +- if (error) ++ if (test_bit(EV_ABS, dev->evbit)) { ++ input_alloc_absinfo(dev); ++ if (!dev->absinfo) { ++ error = -EINVAL; + goto fail1; +- } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { +- input_set_events_per_packet(dev, 60); ++ } ++ ++ if (test_bit(ABS_MT_SLOT, dev->absbit)) { ++ nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1; ++ error = input_mt_init_slots(dev, nslot, 0); ++ if (error) ++ goto fail1; ++ } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) { ++ input_set_events_per_packet(dev, 60); ++ } + } + + if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) { diff --git a/queue-4.9/libnvdimm-namespace-do-not-delete-namespace-id-0.patch b/queue-4.9/libnvdimm-namespace-do-not-delete-namespace-id-0.patch new file mode 100644 index 00000000000..f3a7dc69d30 --- /dev/null +++ b/queue-4.9/libnvdimm-namespace-do-not-delete-namespace-id-0.patch @@ -0,0 +1,86 @@ +From 9d032f4201d39e5cf43a8709a047e481f5723fdc Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 25 Jan 2017 00:54:07 +0530 +Subject: libnvdimm, namespace: do not delete namespace-id 0 + +From: Dan Williams + +commit 9d032f4201d39e5cf43a8709a047e481f5723fdc upstream. + +Given that the naming of pmem devices changes from the pmemX form to the +pmemX.Y form when namespace id is greater than 0, arrange for namespaces +with id-0 to be exempt from deletion. Otherwise a simple reconfiguration +of an existing namespace to a new mode results in a name change of the +resulting block device: + + # ndctl list --namespace=namespace1.0 + { + "dev":"namespace1.0", + "mode":"raw", + "size":2147483648, + "uuid":"3dadf3dc-89b9-4b24-b20e-abc8a4707ce3", + "blockdev":"pmem1" + } + + # ndctl create-namespace --reconfig=namespace1.0 --mode=memory --force + { + "dev":"namespace1.1", + "mode":"memory", + "size":2111832064, + "uuid":"7b4a6341-7318-4219-a02c-fb57c0bbf613", + "blockdev":"pmem1.1" + } + +This change does require tooling changes to explicitly look for +namespaceX.0 if the seed has already advanced to another namespace. + +Fixes: 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple pmem-namespaces per region") +Reviewed-by: Johannes Thumshirn +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/namespace_devs.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/nvdimm/namespace_devs.c ++++ b/drivers/nvdimm/namespace_devs.c +@@ -962,8 +962,8 @@ static ssize_t __size_store(struct devic + struct nvdimm_drvdata *ndd; + struct nd_label_id label_id; + u32 flags = 0, remainder; ++ int rc, i, id = -1; + u8 *uuid = NULL; +- int rc, i; + + if (dev->driver || ndns->claim) + return -EBUSY; +@@ -972,11 +972,13 @@ static ssize_t __size_store(struct devic + struct nd_namespace_pmem *nspm = to_nd_namespace_pmem(dev); + + uuid = nspm->uuid; ++ id = nspm->id; + } else if (is_namespace_blk(dev)) { + struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev); + + uuid = nsblk->uuid; + flags = NSLABEL_FLAG_LOCAL; ++ id = nsblk->id; + } + + /* +@@ -1039,10 +1041,11 @@ static ssize_t __size_store(struct devic + + /* + * Try to delete the namespace if we deleted all of its +- * allocation, this is not the seed device for the region, and +- * it is not actively claimed by a btt instance. ++ * allocation, this is not the seed or 0th device for the ++ * region, and it is not actively claimed by a btt, pfn, or dax ++ * instance. + */ +- if (val == 0 && nd_region->ns_seed != dev && !ndns->claim) ++ if (val == 0 && id != 0 && nd_region->ns_seed != dev && !ndns->claim) + nd_device_unregister(dev, ND_ASYNC); + + return rc; diff --git a/queue-4.9/libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch b/queue-4.9/libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch new file mode 100644 index 00000000000..1ee6bbbaf46 --- /dev/null +++ b/queue-4.9/libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch @@ -0,0 +1,52 @@ +From bfb34527a32a1a576d9bfb7026d3ab0369a6cd60 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sat, 4 Feb 2017 14:47:31 -0800 +Subject: libnvdimm, pfn: fix memmap reservation size versus 4K alignment + +From: Dan Williams + +commit bfb34527a32a1a576d9bfb7026d3ab0369a6cd60 upstream. + +When vmemmap_populate() allocates space for the memmap it does so in 2MB +sized chunks. The libnvdimm-pfn driver incorrectly accounts for this +when the alignment of the device is set to 4K. When this happens we +trigger memory allocation failures in altmap_alloc_block_buf() and +trigger warnings of the form: + + WARNING: CPU: 0 PID: 3376 at arch/x86/mm/init_64.c:656 arch_add_memory+0xe4/0xf0 + [..] + Call Trace: + dump_stack+0x86/0xc3 + __warn+0xcb/0xf0 + warn_slowpath_null+0x1d/0x20 + arch_add_memory+0xe4/0xf0 + devm_memremap_pages+0x29b/0x4e0 + +Fixes: 315c562536c4 ("libnvdimm, pfn: add 'align' attribute, default to HPAGE_SIZE") +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/pfn_devs.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -627,15 +627,12 @@ static int nd_pfn_init(struct nd_pfn *nd + size = resource_size(&nsio->res); + npfns = (size - start_pad - end_trunc - SZ_8K) / SZ_4K; + if (nd_pfn->mode == PFN_MODE_PMEM) { +- unsigned long memmap_size; +- + /* + * vmemmap_populate_hugepages() allocates the memmap array in + * HPAGE_SIZE chunks. + */ +- memmap_size = ALIGN(64 * npfns, HPAGE_SIZE); +- offset = ALIGN(start + SZ_8K + memmap_size + dax_label_reserve, +- nd_pfn->align) - start; ++ offset = ALIGN(start + SZ_8K + 64 * npfns + dax_label_reserve, ++ max(nd_pfn->align, HPAGE_SIZE)) - start; + } else if (nd_pfn->mode == PFN_MODE_RAM) + offset = ALIGN(start + SZ_8K + dax_label_reserve, + nd_pfn->align) - start; diff --git a/queue-4.9/selinux-fix-off-by-one-in-setprocattr.patch b/queue-4.9/selinux-fix-off-by-one-in-setprocattr.patch new file mode 100644 index 00000000000..fa74a89a37e --- /dev/null +++ b/queue-4.9/selinux-fix-off-by-one-in-setprocattr.patch @@ -0,0 +1,65 @@ +From 0c461cb727d146c9ef2d3e86214f498b78b7d125 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Tue, 31 Jan 2017 11:54:04 -0500 +Subject: selinux: fix off-by-one in setprocattr + +From: Stephen Smalley + +commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream. + +SELinux tries to support setting/clearing of /proc/pid/attr attributes +from the shell by ignoring terminating newlines and treating an +attribute value that begins with a NUL or newline as an attempt to +clear the attribute. However, the test for clearing attributes has +always been wrong; it has an off-by-one error, and this could further +lead to reading past the end of the allocated buffer since commit +bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write(): +switch to memdup_user()"). Fix the off-by-one error. + +Even with this fix, setting and clearing /proc/pid/attr attributes +from the shell is not straightforward since the interface does not +support multiple write() calls (so shells that write the value and +newline separately will set and then immediately clear the attribute, +requiring use of echo -n to set the attribute), whereas trying to use +echo -n "" to clear the attribute causes the shell to skip the +write() call altogether since POSIX says that a zero-length write +causes no side effects. Thus, one must use echo -n to set and echo +without -n to clear, as in the following example: +$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate +$ cat /proc/$$/attr/fscreate +unconfined_u:object_r:user_home_t:s0 +$ echo "" > /proc/$$/attr/fscreate +$ cat /proc/$$/attr/fscreate + +Note the use of /proc/$$ rather than /proc/self, as otherwise +the cat command will read its own attribute value, not that of the shell. + +There are no users of this facility to my knowledge; possibly we +should just get rid of it. + +UPDATE: Upon further investigation it appears that a local process +with the process:setfscreate permission can cause a kernel panic as a +result of this bug. This patch fixes CVE-2017-2618. + +Signed-off-by: Stephen Smalley +[PM: added the update about CVE-2017-2618 to the commit description] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: James Morris + +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -5858,7 +5858,7 @@ static int selinux_setprocattr(struct ta + return error; + + /* Obtain a SID for the context, if one was specified. */ +- if (size && str[1] && str[1] != '\n') { ++ if (size && str[0] && str[0] != '\n') { + if (str[size-1] == '\n') { + str[size-1] = 0; + size--; -- 2.47.3