From 5741262c343e8a3487951aba379950036b819b25 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 24 Jul 2017 21:39:21 -0700 Subject: [PATCH] 4.12-stable patches added patches: acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch ceph-fix-race-in-concurrent-readdir.patch drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch drm-i915-disable-msi-for-all-pre-gen5.patch drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch drm-i915-gvt-fix-possible-recursive-locking-issue.patch drm-i915-make-dp-mst-connector-info-work.patch drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch ftrace-fix-uninitialized-variable-in-match_records.patch hfsplus-don-t-clear-sgid-when-inheriting-acls.patch ib-core-namespace-is-mandatory-input-for-address-resolution.patch ib-iser-fix-connection-teardown-race-condition.patch input-i8042-fix-crash-at-boot-time.patch iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch mips-fix-mips_atomic_set-retry-condition.patch mips-fix-mips_atomic_set-with-eva.patch mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch mips-negate-error-syscall-return-in-trace.patch mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch mips-save-static-registers-before-sysmips.patch mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch 
mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch nfs-fix-initialization-of-nfs_page_array-npages.patch nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch nvme-rdma-remove-race-conditions-from-ib-signalling.patch ovl-fix-random-return-value-on-mount.patch ovl-mark-parent-impure-on-ovl_link.patch perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch perf-core-fix-scheduling-regression-of-pinned-groups.patch pnfs-fix-eaccess-on-commit-to-ds-handling.patch rdma-core-initialize-port_num-in-qp_attr.patch rdma-uverbs-fix-the-check-for-port-number.patch revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch staging-rtl8188eu-add-tl-wn722n-v2-support.patch staging-sm750fb-avoid-conflicting-vesafb.patch sunrpc-use-constant-time-memory-comparison-for-mac.patch target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch ubifs-correctly-evict-xattr-inodes.patch ubifs-don-t-encrypt-special-files-on-creation.patch ubifs-don-t-leak-kernel-memory-to-the-mtd.patch ubifs-set-double-hash-cookie-also-for-rename_exchange.patch udf-fix-deadlock-between-writeback-and-udf_setsize.patch udf-fix-races-with-i_size-changes-during-readpage.patch vfio-fix-group-release-deadlock.patch vfio-new-external-user-group-file-match.patch vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch --- ...p-ec-noirq-hooks-to-fix-a-regression.patch | 74 ++++++ .../ceph-fix-race-in-concurrent-readdir.patch | 50 ++++ 
...-fix-memory-leak-in-cz_hwmgr-backend.patch | 36 +++ ...omic_state_clear-to-atomic_remove_fb.patch | 35 +++ ...rm-i915-disable-msi-for-all-pre-gen5.patch | 70 ++++++ ...-inconsistent-locks-holding-sequence.patch | 64 ++++++ ...fix-possible-recursive-locking-issue.patch | 157 +++++++++++++ ...i915-make-dp-mst-connector-info-work.patch | 40 ++++ ...ull-mstb-in-drm_dp_mst_handle_up_req.patch | 38 +++ ...eceived-up-down-message-transactions.patch | 129 +++++++++++ ...uring-mst-sideband-message-reception.patch | 48 ++++ ...nitialized-variable-in-match_records.patch | 38 +++ ...on-t-clear-sgid-when-inheriting-acls.patch | 93 ++++++++ ...ndatory-input-for-address-resolution.patch | 45 ++++ ...x-connection-teardown-race-condition.patch | 98 ++++++++ .../input-i8042-fix-crash-at-boot-time.patch | 121 ++++++++++ ...m-smmu-plumb-in-new-acpi-identifiers.patch | 67 ++++++ ...dereference-in-isert_login_recv_done.patch | 52 +++++ ...alx-in-__compute_return_epc_for_insn.patch | 36 +++ ...-in-r2-to-r6-emulation-error-message.patch | 34 +++ ...ix-mips-i-isa-proc-cpuinfo-reporting.patch | 60 +++++ ...-fix-mips_atomic_set-retry-condition.patch | 40 ++++ .../mips-fix-mips_atomic_set-with-eva.patch | 49 ++++ ...interpretation-in-compute_return_epc.patch | 43 ++++ ...wrong-isa-mode-instruction-emulation.patch | 152 ++++++++++++ ...negate-error-syscall-return-in-trace.patch | 43 ++++ ...2r6-in-__compute_return_epc_for_insn.patch | 101 ++++++++ ...save-static-registers-before-sysmips.patch | 92 ++++++++ ...e32-in-__compute_return_epc_for_insn.patch | 53 +++++ ...hes-in-__compute_return_epc_for_insn.patch | 56 +++++ ...hes-in-__compute_return_epc_for_insn.patch | 118 ++++++++++ ..._sg_to_klms-overflows-the-klms-array.patch | 41 ++++ ...o-fix-incorrect-use-of-seqin-command.patch | 33 +++ ...ession-in-connection-error-reporting.patch | 48 ++++ ...tialization-of-nfs_page_array-npages.patch | 33 +++ ...ate-dentrys-that-are-clearly-invalid.patch | 97 ++++++++ 
...e-race-conditions-from-ib-signalling.patch | 72 ++++++ ...ovl-fix-random-return-value-on-mount.patch | 34 +++ .../ovl-mark-parent-impure-on-ovl_link.patch | 75 ++++++ ...ecting-jmp-instruction-to-its-target.patch | 62 +++++ ...heduling-regression-of-pinned-groups.patch | 87 +++++++ ...fix-eaccess-on-commit-to-ds-handling.patch | 47 ++++ ...-core-initialize-port_num-in-qp_attr.patch | 33 +++ ...uverbs-fix-the-check-for-port-number.patch | 36 +++ ...t-freeze-mode...-to-fix-a-regression.patch | 40 ++++ ...l-samples-even-though-u-is-specified.patch | 75 ++++++ queue-4.12/series | 63 +++++ ...n-fix-ao-timer-off-by-one-regression.patch | 56 +++++ ...y_from_iter-copy_to_iter-return-code.patch | 65 ++++++ ...g-rtl8188eu-add-tl-wn722n-v2-support.patch | 29 +++ ...ing-sm750fb-avoid-conflicting-vesafb.patch | 75 ++++++ ...stant-time-memory-comparison-for-mac.patch | 43 ++++ ...e-caw_sem-leak-during-se_cmd-quiesce.patch | 51 +++++ .../ubifs-correctly-evict-xattr-inodes.patch | 88 +++++++ ...-t-encrypt-special-files-on-creation.patch | 32 +++ ...-don-t-leak-kernel-memory-to-the-mtd.patch | 74 ++++++ ...hash-cookie-also-for-rename_exchange.patch | 38 +++ ...ck-between-writeback-and-udf_setsize.patch | 51 +++++ ...-with-i_size-changes-during-readpage.patch | 44 ++++ .../vfio-fix-group-release-deadlock.patch | 77 +++++++ ...o-new-external-user-group-file-match.patch | 114 +++++++++ ...ry-uses-of-vfio_container.group_lock.patch | 216 ++++++++++++++++++ ...-access-caused-by-broken-acpi-tables.patch | 49 ++++ ...he-correct-data-to-unmask_ioapic_irq.patch | 48 ++++ 64 files changed, 4158 insertions(+) create mode 100644 queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch create mode 100644 queue-4.12/ceph-fix-race-in-concurrent-readdir.patch create mode 100644 queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch create mode 100644 queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch create mode 100644 
queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch create mode 100644 queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch create mode 100644 queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch create mode 100644 queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch create mode 100644 queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch create mode 100644 queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch create mode 100644 queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch create mode 100644 queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch create mode 100644 queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch create mode 100644 queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch create mode 100644 queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch create mode 100644 queue-4.12/input-i8042-fix-crash-at-boot-time.patch create mode 100644 queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch create mode 100644 queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch create mode 100644 queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch create mode 100644 queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch create mode 100644 queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch create mode 100644 queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch create mode 100644 queue-4.12/mips-fix-mips_atomic_set-with-eva.patch create mode 100644 queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch create mode 100644 queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch create mode 100644 queue-4.12/mips-negate-error-syscall-return-in-trace.patch create mode 100644 
queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch create mode 100644 queue-4.12/mips-save-static-registers-before-sysmips.patch create mode 100644 queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch create mode 100644 queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch create mode 100644 queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch create mode 100644 queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch create mode 100644 queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch create mode 100644 queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch create mode 100644 queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch create mode 100644 queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch create mode 100644 queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch create mode 100644 queue-4.12/ovl-fix-random-return-value-on-mount.patch create mode 100644 queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch create mode 100644 queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch create mode 100644 queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch create mode 100644 queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch create mode 100644 queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch create mode 100644 queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch create mode 100644 queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch create mode 100644 queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch create mode 100644 queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch create mode 100644 
queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch create mode 100644 queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch create mode 100644 queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch create mode 100644 queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch create mode 100644 queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch create mode 100644 queue-4.12/ubifs-correctly-evict-xattr-inodes.patch create mode 100644 queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch create mode 100644 queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch create mode 100644 queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch create mode 100644 queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch create mode 100644 queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch create mode 100644 queue-4.12/vfio-fix-group-release-deadlock.patch create mode 100644 queue-4.12/vfio-new-external-user-group-file-match.patch create mode 100644 queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch create mode 100644 queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch create mode 100644 queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
diff --git a/queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch b/queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch
new file mode 100644
index 00000000000..55e2eaf62cd
--- /dev/null
+++ b/queue-4.12/acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch
@@ -0,0 +1,74 @@
+From 662591461c4b9a1e3b9b159dbf37648a585ebaae Mon Sep 17 00:00:00 2001
+From: Lv Zheng
+Date: Wed, 12 Jul 2017 11:09:09 +0800
+Subject: ACPI / EC: Drop EC noirq hooks to fix a regression
+
+From: Lv Zheng
+
+commit 662591461c4b9a1e3b9b159dbf37648a585ebaae upstream.
+
+According to bug reports, although the busy polling mode can make
+noirq stages execute faster, it causes abnormal fan blowing up after
+system resume (see the first link below for a video demonstration)
+on Lenovo ThinkPad X1 Carbon - the 5th Generation. The problem can
+be fixed by upgrading the EC firmware on that machine.
+
+However, many reporters confirm that the problem can be fixed by
+stopping busy polling during suspend/resume and for some of them
+upgrading the EC firmware is not an option.
+
+For this reason, drop the noirq stage hooks from the EC driver
+to fix the regression.
+
+Fixes: c3a696b6e8f8 (ACPI / EC: Use busy polling mode when GPE is not enabled)
+Link: https://youtu.be/9NQ9x-Jm99Q
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=196129
+Reported-by: Andreas Lindhe
+Tested-by: Gjorgji Jankovski
+Tested-by: Damjan Georgievski
+Tested-by: Fernando Chaves
+Tested-by: Tomislav Ivek
+Tested-by: Denis P.
+Signed-off-by: Lv Zheng
+Signed-off-by: Rafael J.
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/ec.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1812,24 +1812,6 @@ error:
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+-static int acpi_ec_suspend_noirq(struct device *dev)
+-{
+- struct acpi_ec *ec =
+- acpi_driver_data(to_acpi_device(dev));
+-
+- acpi_ec_enter_noirq(ec);
+- return 0;
+-}
+-
+-static int acpi_ec_resume_noirq(struct device *dev)
+-{
+- struct acpi_ec *ec =
+- acpi_driver_data(to_acpi_device(dev));
+-
+- acpi_ec_leave_noirq(ec);
+- return 0;
+-}
+-
+ static int acpi_ec_suspend(struct device *dev)
+ {
+ struct acpi_ec *ec =
+@@ -1851,7 +1833,6 @@ static int acpi_ec_resume(struct device
+ #endif
+
+ static const struct dev_pm_ops acpi_ec_pm = {
+- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend_noirq, acpi_ec_resume_noirq)
+ SET_SYSTEM_SLEEP_PM_OPS(acpi_ec_suspend, acpi_ec_resume)
+ };
+
diff --git a/queue-4.12/ceph-fix-race-in-concurrent-readdir.patch b/queue-4.12/ceph-fix-race-in-concurrent-readdir.patch
new file mode 100644
index 00000000000..d783784138b
--- /dev/null
+++ b/queue-4.12/ceph-fix-race-in-concurrent-readdir.patch
@@ -0,0 +1,50 @@
+From 84583cfb973c4313955c6231cc9cb3772d280b15 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng"
+Date: Thu, 6 Jul 2017 11:12:21 +0800
+Subject: ceph: fix race in concurrent readdir
+
+From: Yan, Zheng
+
+commit 84583cfb973c4313955c6231cc9cb3772d280b15 upstream.
+
+For a large directory, program needs to issue multiple readdir
+syscalls to get all dentries. When there are multiple programs
+read the directory concurrently. Following sequence of events
+can happen.
+
+ - program calls readdir with pos = 2. ceph sends readdir request
+ to mds. The reply contains N1 entries. ceph adds these N1 entries
+ to readdir cache.
+ - program calls readdir with pos = N1+2. The readdir is satisfied
+ by the readdir cache, N2 entries are returned. (Other program
+ calls readdir in the middle, which fills the cache)
+ - program calls readdir with pos = N1+N2+2. ceph sends readdir
+ request to mds. The reply contains N3 entries and it reaches
+ directory end. ceph adds these N3 entries to the readdir cache
+ and marks directory complete.
+
+The second readdir call does not update fi->readdir_cache_idx.
+ceph add the last N3 entries to wrong places.
+
+Signed-off-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ceph/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -271,6 +271,11 @@ out:
+ if (ret < 0)
+ err = ret;
+ dput(last);
++ /* last_name no longer match cache index */
++ if (fi->readdir_cache_idx >= 0) {
++ fi->readdir_cache_idx = -1;
++ fi->dir_release_count = 0;
++ }
+ }
+ return err;
+ }
diff --git a/queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch b/queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch
new file mode 100644
index 00000000000..67f9f98a9c8
--- /dev/null
+++ b/queue-4.12/drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch
@@ -0,0 +1,36 @@
+From b1e8b9c5b19c58e3159c2acc77167f4a4c74621f Mon Sep 17 00:00:00 2001
+From: Hawking Zhang
+Date: Tue, 6 Jun 2017 16:25:44 +0800
+Subject: drm/amd/powerplay: fix memory leak in cz_hwmgr backend
+
+From: Hawking Zhang
+
+commit b1e8b9c5b19c58e3159c2acc77167f4a4c74621f upstream.
+
+vddc_dep_on_dal_pwrl is allocated and initialized in cz_hwmgr_backend_init
+Thus free the memory in cz_hwmgr_backend_fini
+
+Signed-off-by: Hawking Zhang
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
+@@ -1224,6 +1224,12 @@ static int cz_hwmgr_backend_fini(struct
+ phm_destroy_table(hwmgr, &(hwmgr->disable_dynamic_state_management));
+ phm_destroy_table(hwmgr, &(hwmgr->power_down_asic));
+ phm_destroy_table(hwmgr, &(hwmgr->setup_asic));
++
++ if (NULL != hwmgr->dyn_state.vddc_dep_on_dal_pwrl) {
++ kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);
++ hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;
++ }
++
+ kfree(hwmgr->backend);
+ hwmgr->backend = NULL;
+ }
diff --git a/queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch b/queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch
new file mode 100644
index 00000000000..eedf1b48337
--- /dev/null
+++ b/queue-4.12/drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch
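Review bot: The `if (NULL != hwmgr->dyn_state.vddc_dep_on_dal_pwrl)` guard added in cz_hwmgr_backend_fini is redundant, since kfree(NULL) is a no-op, and the Yoda-style comparison is against kernel coding style; the block can be reduced to `kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl); hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;`. This is purely a style point on the upstream commit being backported, so it belongs in an upstream follow-up rather than an edit to the stable-queue copy. cz_hwmgr_backend_fini begins outside the hunk.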
@@ -0,0 +1,35 @@
+From 4086d90cffb8f48400d51fbab575fe50458512e3 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst
+Date: Thu, 29 Jun 2017 13:59:54 +0200
+Subject: drm/atomic: Add missing drm_atomic_state_clear to atomic_remove_fb
+
+From: Maarten Lankhorst
+
+commit 4086d90cffb8f48400d51fbab575fe50458512e3 upstream.
+
+All atomic state should be cleared when drm_modeset_backoff() is
+called, because it drops all locks and the state becomes invalid.
+
+The call to drm_atomic_state_clear was missing in atomic_remove_fb,
+so add the missing call there.
+
+Signed-off-by: Maarten Lankhorst
+Link: http://patchwork.freedesktop.org/patch/msgid/20170629115954.26029-1-maarten.lankhorst@linux.intel.com
+Reviewed-by: Daniel Vetter
+Fixes: db8f6403e88a ("drm: Convert drm_framebuffer_remove to atomic, v4.")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_framebuffer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_framebuffer.c
++++ b/drivers/gpu/drm/drm_framebuffer.c
+@@ -832,6 +832,7 @@ unlock:
+ drm_atomic_clean_old_fb(dev, plane_mask, ret);
+
+ if (ret == -EDEADLK) {
++ drm_atomic_state_clear(state);
+ drm_modeset_backoff(&ctx);
+ goto retry;
+ }
diff --git a/queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch b/queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch
new file mode 100644
index 00000000000..9c0fe5fe223
--- /dev/null
+++ b/queue-4.12/drm-i915-disable-msi-for-all-pre-gen5.patch
@@ -0,0 +1,70 @@
+From ce3f7163e4ce8fd583dcb36b6ee6b81fd1b419ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Mon, 26 Jun 2017 23:30:51 +0300
+Subject: drm/i915: Disable MSI for all pre-gen5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit ce3f7163e4ce8fd583dcb36b6ee6b81fd1b419ae upstream.
+
+We have pretty clear evidence that MSIs are getting lost on g4x and
+somehow the interrupt logic doesn't seem to recover from that state
+even if we try hard to clear the IIR.
+
+Disabling IER around the normal IIR clearing in the irq handler isn't
+sufficient to avoid this, so the problem really seems to be further
+up the interrupt chain. This should guarantee that there's always
+an edge if any IIR bits are set after the interrupt handler is done,
+which should normally guarantee that the CPU interrupt is generated.
+That approach seems to work perfectly on VLV/CHV, but apparently
+not on g4x.
+
+MSI is documented to be broken on 965gm at least. The chipset spec
+says MSI is defeatured because interrupts can be delayed or lost,
+which fits well with what we're seeing on g4x. Previously we've
+already disabled GMBUS interrupts on g4x because somehow GMBUS
+manages to raise legacy interrupts even when MSI is enabled.
+
+Since there's such widespread MSI breakahge all over in the pre-gen5
+land let's just give up on MSI on these platforms.
+
+Seqno reporting might be negatively affected by this since the legcy
+interrupts aren't guaranteed to be ordered with the seqno writes,
+whereas MSI interrupts may be? But an occasioanlly missed seqno
+seems like a small price to pay for generally working interrupts.
+
+Cc: Diego Viola
+Tested-by: Diego Viola
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101261
+Signed-off-by: Ville Syrjälä
+Link: http://patchwork.freedesktop.org/patch/msgid/20170626203051.28480-1-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter
+(cherry picked from commit e38c2da01f76cca82b59ca612529b81df82a7cc7)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_drv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -1087,10 +1087,12 @@ static int i915_driver_init_hw(struct dr
+ * and the registers being closely associated.
+ *
+ * According to chipset errata, on the 965GM, MSI interrupts may
+- * be lost or delayed, but we use them anyways to avoid
+- * stuck interrupts on some machines.
++ * be lost or delayed, and was defeatured. MSI interrupts seem to
++ * get lost on g4x as well, and interrupt delivery seems to stay
++ * properly dead afterwards. So we'll just disable them for all
++ * pre-gen5 chipsets.
+ */
+- if (!IS_I945G(dev_priv) && !IS_I945GM(dev_priv)) {
++ if (INTEL_GEN(dev_priv) >= 5) {
+ if (pci_enable_msi(pdev) < 0)
+ DRM_DEBUG_DRIVER("can't enable MSI");
+ }
diff --git a/queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch b/queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch
new file mode 100644
index 00000000000..23f037a5766
--- /dev/null
+++ b/queue-4.12/drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch
@@ -0,0 +1,64 @@
+From f16bd3dda2c8bf6699e808cd9cc540cfab10e60e Mon Sep 17 00:00:00 2001
+From: Chuanxiao Dong
+Date: Mon, 26 Jun 2017 15:20:50 +0800
+Subject: drm/i915/gvt: Fix inconsistent locks holding sequence
+
+From: Chuanxiao Dong
+
+commit f16bd3dda2c8bf6699e808cd9cc540cfab10e60e upstream.
+
+There are two kinds of locking sequence.
+
+One is in the thread which is started by vfio ioctl to do
+the iommu unmapping. The locking sequence is:
+ down_read(&group_lock) ----> mutex_lock(&cached_lock)
+
+The other is in the vfio release thread which will unpin all
+the cached pages. The lock sequence is:
+ mutex_lock(&cached_lock) ---> down_read(&group_lock)
+
+And, the cache_lock is used to protect the rb tree of the cache
+node and doing vfio unpin doesn't require this lock. Move the
+vfio unpin out of the cache_lock protected region.
+
+v2:
+- use for style instead of do{}while(1). (Zhenyu)
+
+Fixes: f30437c5e7bf ("drm/i915/gvt: add KVMGT support")
+Signed-off-by: Chuanxiao Dong
+Cc: Zhenyu Wang
+Signed-off-by: Zhenyu Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/gvt/kvmgt.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -260,16 +260,20 @@ static void gvt_cache_destroy(struct int
+ struct device *dev = mdev_dev(vgpu->vdev.mdev);
+ unsigned long gfn;
+
+- mutex_lock(&vgpu->vdev.cache_lock);
+- while ((node = rb_first(&vgpu->vdev.cache))) {
++ for (;;) {
++ mutex_lock(&vgpu->vdev.cache_lock);
++ node = rb_first(&vgpu->vdev.cache);
++ if (!node) {
++ mutex_unlock(&vgpu->vdev.cache_lock);
++ break;
++ }
+ dma = rb_entry(node, struct gvt_dma, node);
+ gvt_dma_unmap_iova(vgpu, dma->iova);
+ gfn = dma->gfn;
+-
+- vfio_unpin_pages(dev, &gfn, 1);
+ __gvt_cache_remove_entry(vgpu, dma);
++ mutex_unlock(&vgpu->vdev.cache_lock);
++ vfio_unpin_pages(dev, &gfn, 1);
+ }
+- mutex_unlock(&vgpu->vdev.cache_lock);
+ }
+
+ static struct intel_vgpu_type
*intel_gvt_find_vgpu_type(struct intel_gvt *gvt,
diff --git a/queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch b/queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch
new file mode 100644
index 00000000000..53b5a792e9c
--- /dev/null
+++ b/queue-4.12/drm-i915-gvt-fix-possible-recursive-locking-issue.patch
@@ -0,0 +1,157 @@
+From 62d02fd1f807bf5a259a242c483c9fb98a242630 Mon Sep 17 00:00:00 2001
+From: Chuanxiao Dong
+Date: Mon, 26 Jun 2017 15:20:49 +0800
+Subject: drm/i915/gvt: Fix possible recursive locking issue
+
+From: Chuanxiao Dong
+
+commit 62d02fd1f807bf5a259a242c483c9fb98a242630 upstream.
+
+vfio_unpin_pages will hold a read semaphore however it is already hold
+in the same thread by vfio ioctl. It will cause below warning:
+
+[ 5102.127454] ============================================
+[ 5102.133379] WARNING: possible recursive locking detected
+[ 5102.139304] 4.12.0-rc4+ #3 Not tainted
+[ 5102.143483] --------------------------------------------
+[ 5102.149407] qemu-system-x86/1620 is trying to acquire lock:
+[ 5102.155624] (&container->group_lock){++++++}, at: [] vfio_unpin_pages+0x96/0xf0
+[ 5102.165626]
+but task is already holding lock:
+[ 5102.172134] (&container->group_lock){++++++}, at: [] vfio_fops_unl_ioctl+0x5f/0x280
+[ 5102.182522]
+other info that might help us debug this:
+[ 5102.189806] Possible unsafe locking scenario:
+
+[ 5102.196411] CPU0
+[ 5102.199136] ----
+[ 5102.201861] lock(&container->group_lock);
+[ 5102.206527] lock(&container->group_lock);
+[ 5102.211191]
+---
+ drivers/gpu/drm/i915/gvt/gvt.h | 3 ++
+ drivers/gpu/drm/i915/gvt/kvmgt.c | 55 +++++++++++++++++++++++++++++++--------
+ 2 files changed, 48 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/gvt.h
++++ b/drivers/gpu/drm/i915/gvt/gvt.h
+@@ -183,6 +183,9 @@ struct intel_vgpu {
+ struct kvm *kvm;
+ struct work_struct release_work;
+ atomic_t released;
++ struct work_struct unpin_work;
++ spinlock_t unpin_lock; /* To protect unpin_list */
++ struct list_head unpin_list;
+ } vdev;
+ #endif
+ };
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -78,6 +78,7 @@ struct gvt_dma {
+ struct rb_node node;
+ gfn_t gfn;
+ unsigned long iova;
++ struct list_head list;
+ };
+
+ static inline bool handle_valid(unsigned long handle)
+@@
-166,6 +167,7 @@ static void gvt_cache_add(struct intel_v
+
+ new->gfn = gfn;
+ new->iova = iova;
++ INIT_LIST_HEAD(&new->list);
+
+ mutex_lock(&vgpu->vdev.cache_lock);
+ while (*link) {
+@@ -197,26 +199,52 @@ static void __gvt_cache_remove_entry(str
+ kfree(entry);
+ }
+
+-static void gvt_cache_remove(struct intel_vgpu *vgpu, gfn_t gfn)
++static void intel_vgpu_unpin_work(struct work_struct *work)
+ {
++ struct intel_vgpu *vgpu = container_of(work, struct intel_vgpu,
++ vdev.unpin_work);
+ struct device *dev = mdev_dev(vgpu->vdev.mdev);
+ struct gvt_dma *this;
+- unsigned long g1;
+- int rc;
++ unsigned long gfn;
++
++ for (;;) {
++ spin_lock(&vgpu->vdev.unpin_lock);
++ if (list_empty(&vgpu->vdev.unpin_list)) {
++ spin_unlock(&vgpu->vdev.unpin_lock);
++ break;
++ }
++ this = list_first_entry(&vgpu->vdev.unpin_list,
++ struct gvt_dma, list);
++ list_del(&this->list);
++ spin_unlock(&vgpu->vdev.unpin_lock);
++
++ gfn = this->gfn;
++ vfio_unpin_pages(dev, &gfn, 1);
++ kfree(this);
++ }
++}
++
++static bool gvt_cache_mark_remove(struct intel_vgpu *vgpu, gfn_t gfn)
++{
++ struct gvt_dma *this;
+
+ mutex_lock(&vgpu->vdev.cache_lock);
+ this = __gvt_cache_find(vgpu, gfn);
+ if (!this) {
+ mutex_unlock(&vgpu->vdev.cache_lock);
+- return;
++ return false;
+ }
+-
+- g1 = gfn;
+ gvt_dma_unmap_iova(vgpu, this->iova);
+- rc = vfio_unpin_pages(dev, &g1, 1);
+- WARN_ON(rc != 1);
+- __gvt_cache_remove_entry(vgpu, this);
++ /* remove this from rb tree */
++ rb_erase(&this->node, &vgpu->vdev.cache);
+ mutex_unlock(&vgpu->vdev.cache_lock);
++
++ /* put this to the unpin_list */
++ spin_lock(&vgpu->vdev.unpin_lock);
++ list_move_tail(&this->list, &vgpu->vdev.unpin_list);
++ spin_unlock(&vgpu->vdev.unpin_lock);
++
++ return true;
+ }
+
+ static void gvt_cache_init(struct intel_vgpu *vgpu)
+@@ -453,6 +481,9 @@ static int intel_vgpu_create(struct kobj
+ }
+
+ INIT_WORK(&vgpu->vdev.release_work, intel_vgpu_release_work);
++ INIT_WORK(&vgpu->vdev.unpin_work, intel_vgpu_unpin_work);
++
spin_lock_init(&vgpu->vdev.unpin_lock);
++ INIT_LIST_HEAD(&vgpu->vdev.unpin_list);
+
+ vgpu->vdev.mdev = mdev;
+ mdev_set_drvdata(mdev, vgpu);
+@@ -482,6 +513,7 @@ static int intel_vgpu_iommu_notifier(str
+ struct intel_vgpu *vgpu = container_of(nb,
+ struct intel_vgpu,
+ vdev.iommu_notifier);
++ bool sched_unmap = false;
+
+ if (action == VFIO_IOMMU_NOTIFY_DMA_UNMAP) {
+ struct vfio_iommu_type1_dma_unmap *unmap = data;
+@@ -491,7 +523,10 @@ static int intel_vgpu_iommu_notifier(str
+ end_gfn = gfn + unmap->size / PAGE_SIZE;
+
+ while (gfn < end_gfn)
+- gvt_cache_remove(vgpu, gfn++);
++ sched_unmap |= gvt_cache_mark_remove(vgpu, gfn++);
++
++ if (sched_unmap)
++ schedule_work(&vgpu->vdev.unpin_work);
+ }
+
+ return NOTIFY_OK;
diff --git a/queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch b/queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch
new file mode 100644
index 00000000000..f75fcc827bc
--- /dev/null
+++ b/queue-4.12/drm-i915-make-dp-mst-connector-info-work.patch
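Review bot: intel_vgpu_unpin_work discards the return value of vfio_unpin_pages(), whereas the gvt_cache_remove() it replaces checked it with `WARN_ON(rc != 1)`; a pin that fails to release now goes unnoticed, so `WARN_ON(vfio_unpin_pages(dev, &gfn, 1) != 1);` would keep that diagnostic. The hunk also shows unpin_work being scheduled from the DMA_UNMAP notifier and initialised in intel_vgpu_create, but no `flush_work()` or `cancel_work_sync()` on the vgpu release path; if none exists outside this hunk, the deferred work could run against a vgpu that is being torn down, so that path deserves a check. Because the unpin is now asynchronous, the notifier returns NOTIFY_OK before the pages are actually released, which is a behaviour change callers of the notifier may or may not tolerate. Any such fix would need to go upstream first rather than into the stable-queue copy.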
@@ -0,0 +1,40 @@
+From 50740024bc393b608f7e391ac35e70f33938dd24 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst
+Date: Mon, 26 Jun 2017 10:33:49 +0200
+Subject: drm/i915: Make DP-MST connector info work
+
+From: Maarten Lankhorst
+
+commit 50740024bc393b608f7e391ac35e70f33938dd24 upstream.
+
+Commit 9a148a96fc3a ("drm/i915/debugfs: add dp mst info") adds support
+for DP-MST to intel_connector_info, but forgot to remove the early
+return for DP-MST.
+
+Remove it, and print out MST connectors directly.
+
+Fixes: 9a148a96fc3a ("drm/i915/debugfs: add dp mst info")
+Cc: Dhinakaran Pandiyan
+Cc: Libin Yang
+Signed-off-by: Maarten Lankhorst
+Link: http://patchwork.freedesktop.org/patch/msgid/20170626083349.24389-1-maarten.lankhorst@linux.intel.com
+Reviewed-by: Dhinakaran Pandiyan
+(cherry picked from commit 77d1f615c78a73a04254fa2bff07ee9fa27145d9)
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_debugfs.c
++++ b/drivers/gpu/drm/i915/i915_debugfs.c
+@@ -3018,7 +3018,7 @@ static void intel_connector_info(struct
+ connector->display_info.cea_rev);
+ }
+
+- if (!intel_encoder || intel_encoder->type == INTEL_OUTPUT_DP_MST)
++ if (!intel_encoder)
+ return;
+
+ switch (connector->connector_type) {
diff --git a/queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch b/queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
new file mode 100644
index 00000000000..e824a8060db
--- /dev/null
+++ b/queue-4.12/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch
@@ -0,0 +1,38 @@
+From 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Wed, 19 Jul 2017 14:43:29 +0300
+Subject: drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req()
+
+From: Imre Deak
+
+commit 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf upstream.
+
+In case of an unknown broadcast message is sent mstb will remain unset,
+so check for this.
+
+Cc: Dave Airlie
+Cc: Lyude
+Cc: Daniel Vetter
+Signed-off-by: Imre Deak
+Reviewed-by: Lyude
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2324,7 +2324,9 @@ static int drm_dp_mst_handle_up_req(stru
+ DRM_DEBUG_KMS("Got RSN: pn: %d avail_pbn %d\n", msg.u.resource_stat.port_number, msg.u.resource_stat.available_pbn);
+ }
+
+- drm_dp_put_mst_branch_device(mstb);
++ if (mstb)
++ drm_dp_put_mst_branch_device(mstb);
++
+ memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx));
+ }
+ return ret;
diff --git a/queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch b/queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
new file mode 100644
index 00000000000..2e83b091a39
--- /dev/null
+++ b/queue-4.12/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch
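Review bot: The new `if (mstb)` guard only does its job if `mstb` is initialised to NULL at its declaration, and that declaration is outside the hunk (drm_dp_mst_handle_up_req starts before it), so please confirm it is not left uninitialised on the unknown-broadcast path the commit message describes. A comment on the guard would also spare the next reader the same question, e.g. `/* mstb stays NULL for unknown broadcast requests */`. The unconditional reset of `mgr->up_req_recv` that follows is right either way, since the sink's message has been consumed.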
@@ -0,0 +1,129 @@ +From 636c4c3e762b62aa93632c645ca65879285b16e3 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 19 Jul 2017 16:46:32 +0300 +Subject: drm/mst: Avoid processing partially received up/down message transactions + +From: Imre Deak + +commit 636c4c3e762b62aa93632c645ca65879285b16e3 upstream. + +Currently we may process up/down message transactions containing +uninitialized data. This can happen if there was an error during the +reception of any message in the transaction, but we happened to receive +the last message correctly with the end-of-message flag set. + +To avoid this abort the reception of the transaction when the first +error is detected, rejecting any messages until a message with the +start-of-message flag is received (which will start a new transaction). +This is also what the DP 1.4 spec 2.11.8.2 calls for in this case. + +In addtion this also prevents receiving bogus transactions without the +first message with the the start-of-message flag set. + +v2: +- unchanged +v3: +- git add the part that actually skips messages after an error in + drm_dp_sideband_msg_build() + +Cc: Dave Airlie +Cc: Lyude +Cc: Daniel Vetter +Signed-off-by: Imre Deak +Reviewed-by: Lyude +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -330,6 +330,13 @@ static bool drm_dp_sideband_msg_build(st + return false; + } + ++ /* ++ * ignore out-of-order messages or messages that are part of a ++ * failed transaction ++ */ ++ if (!recv_hdr.somt && !msg->have_somt) ++ return false; ++ + /* get length contained in this portion */ + msg->curchunk_len = recv_hdr.msg_len; + msg->curchunk_hdrlen = hdrlen; +@@ -2164,7 +2171,7 @@ out_unlock: + 
} + EXPORT_SYMBOL(drm_dp_mst_topology_mgr_resume); + +-static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up) ++static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up) + { + int len; + u8 replyblock[32]; +@@ -2179,12 +2186,12 @@ static void drm_dp_get_one_sb_msg(struct + replyblock, len); + if (ret != len) { + DRM_DEBUG_KMS("failed to read DPCD down rep %d %d\n", len, ret); +- return; ++ return false; + } + ret = drm_dp_sideband_msg_build(msg, replyblock, len, true); + if (!ret) { + DRM_DEBUG_KMS("sideband msg build failed %d\n", replyblock[0]); +- return; ++ return false; + } + replylen = msg->curchunk_len + msg->curchunk_hdrlen; + +@@ -2198,25 +2205,30 @@ static void drm_dp_get_one_sb_msg(struct + if (ret != len) { + DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n", + len, ret); +- return; ++ return false; + } + + ret = drm_dp_sideband_msg_build(msg, replyblock, len, false); + if (!ret) { + DRM_DEBUG_KMS("failed to build sideband msg\n"); +- return; ++ return false; + } + + curreply += len; + replylen -= len; + } ++ return true; + } + + static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr) + { + int ret = 0; + +- drm_dp_get_one_sb_msg(mgr, false); ++ if (!drm_dp_get_one_sb_msg(mgr, false)) { ++ memset(&mgr->down_rep_recv, 0, ++ sizeof(struct drm_dp_sideband_msg_rx)); ++ return 0; ++ } + + if (mgr->down_rep_recv.have_eomt) { + struct drm_dp_sideband_msg_tx *txmsg; +@@ -2272,7 +2284,12 @@ static int drm_dp_mst_handle_down_rep(st + static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr) + { + int ret = 0; +- drm_dp_get_one_sb_msg(mgr, true); ++ ++ if (!drm_dp_get_one_sb_msg(mgr, true)) { ++ memset(&mgr->up_req_recv, 0, ++ sizeof(struct drm_dp_sideband_msg_rx)); ++ return 0; ++ } + + if (mgr->up_req_recv.have_eomt) { + struct drm_dp_sideband_msg_req_body msg; 
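Review bot: The reset of the receive state on failure is duplicated by both callers (the two `memset(&mgr->..._recv, 0, sizeof(struct drm_dp_sideband_msg_rx))` blocks added to drm_dp_mst_handle_down_rep and drm_dp_mst_handle_up_req); since drm_dp_get_one_sb_msg already picks `msg` from `up`, the reset belongs on the helper's own `return false` paths so a future caller cannot forget it. The new `if (!recv_hdr.somt && !msg->have_somt) return false;` drops the chunk silently; a DRM_DEBUG_KMS there would make a sink that keeps sending mid-transaction chunks diagnosable rather than just ignored. Both handlers continue past the end of the hunk.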
diff --git a/queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch b/queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch new file mode 100644 index 00000000000..dff9b1c99da --- /dev/null +++ b/queue-4.12/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch @@ -0,0 +1,48 @@ +From 448421b5e93b9177c5698f0cf6f5e72d2995eeca Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 19 Jul 2017 14:43:28 +0300 +Subject: drm/mst: Fix error handling during MST sideband message reception + +From: Imre Deak + +commit 448421b5e93b9177c5698f0cf6f5e72d2995eeca upstream. + +Handle any error due to partial reads, timeouts etc. to avoid parsing +uninitialized data subsequently. Also bail out if the parsing itself +fails. + +Cc: Dave Airlie +Cc: Lyude +Cc: Daniel Vetter +Signed-off-by: Imre Deak +Reviewed-by: Lyude +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -2196,11 +2196,17 @@ static void drm_dp_get_one_sb_msg(struct + ret = drm_dp_dpcd_read(mgr->aux, basereg + curreply, + replyblock, len); + if (ret != len) { +- DRM_DEBUG_KMS("failed to read a chunk\n"); ++ DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n", ++ len, ret); ++ return; + } ++ + ret = drm_dp_sideband_msg_build(msg, replyblock, len, false); +- if (ret == false) ++ if (!ret) { + DRM_DEBUG_KMS("failed to build sideband msg\n"); ++ return; ++ } ++ + curreply += len; + replylen -= len; + } diff --git a/queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch b/queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch new file mode 100644 index 00000000000..88ba258615f --- /dev/null 
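Review bot: After the new early `return;` on a chunk read or build failure, the partially assembled `msg` (its have_somt/curchunk state) is left in place, and the callers outside this hunk decide whether to parse from `have_eomt`, so this patch by itself still leaves a window in which a half-built message is parsed. The follow-up in this same queue ("drm/mst: Avoid processing partially received up/down message transactions") closes that by returning a status and resetting the receiver, and its context lines depend on the `(len %d, ret %d)` message added here, so the two must stay in this order. drm_dp_get_one_sb_msg starts and ends outside the hunk.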
+++ b/queue-4.12/ftrace-fix-uninitialized-variable-in-match_records.patch
@@ -0,0 +1,38 @@
+From 2e028c4fe12907f226b8221815f16c2486ad3aa7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 12 Jul 2017 10:35:57 +0300
+Subject: ftrace: Fix uninitialized variable in match_records()
+
+From: Dan Carpenter
+
+commit 2e028c4fe12907f226b8221815f16c2486ad3aa7 upstream.
+
+My static checker complains that if "func" is NULL then "clear_filter"
+is uninitialized. This seems like it could be true, although it's
+possible something subtle is happening that I haven't seen.
+
+ kernel/trace/ftrace.c:3844 match_records()
+ error: uninitialized symbol 'clear_filter'.
+
+Link: http://lkml.kernel.org/r/20170712073556.h6tkpjcdzjaozozs@mwanda
+
+Fixes: f0a3b154bd7 ("ftrace: Clarify code for mod command")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3665,7 +3665,7 @@ match_records(struct ftrace_hash *hash,
+ int exclude_mod = 0;
+ int found = 0;
+ int ret;
+- int clear_filter;
++ int clear_filter = 0;
+
+ if (func) {
+ func_g.type = filter_parse_regex(func, len, &func_g.search,
diff --git a/queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644
index 00000000000..ea7295056bf
--- /dev/null
+++ b/queue-4.12/hfsplus-don-t-clear-sgid-when-inheriting-acls.patch
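Review bot: `int clear_filter = 0;` silences the checker, but the commit message itself says the author is unsure what the value should mean when `func` is NULL, and nothing at the declaration records the decision for the next reader. A short comment would, e.g. `int clear_filter = 0;	/* stays 0 when no func is given */`. The places that read clear_filter are outside the hunk (presumably inside or after the `if (func)` block), so the effect of the zero default on the no-func path cannot be confirmed from here.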
@@ -0,0 +1,93 @@ +From 84969465ddc4f8aeb3b993123b571aa01c5f2683 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 21 Jun 2017 15:02:47 +0200 +Subject: hfsplus: Don't clear SGID when inheriting ACLs + +From: Jan Kara + +commit 84969465ddc4f8aeb3b993123b571aa01c5f2683 upstream. + +When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit +set, DIR1 is expected to have SGID bit set (and owning group equal to +the owning group of 'DIR0'). However when 'DIR0' also has some default +ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on +'DIR1' to get cleared if user is not member of the owning group. + +Fix the problem by creating __hfsplus_set_posix_acl() function that does +not call posix_acl_update_mode() and use it when inheriting ACLs. That +prevents SGID bit clearing and the mode has been properly set by +posix_acl_create() anyway. + +Fixes: 073931017b49d9458aa351605b43a7e34598caef +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfsplus/posix_acl.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/fs/hfsplus/posix_acl.c ++++ b/fs/hfsplus/posix_acl.c +@@ -51,8 +51,8 @@ struct posix_acl *hfsplus_get_posix_acl( + return acl; + } + +-int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, +- int type) ++static int __hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, ++ int type) + { + int err; + char *xattr_name; +@@ -64,12 +64,6 @@ int hfsplus_set_posix_acl(struct inode * + switch (type) { + case ACL_TYPE_ACCESS: + xattr_name = XATTR_NAME_POSIX_ACL_ACCESS; +- if (acl) { +- err = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (err) +- return err; +- } +- err = 0; + break; + + case ACL_TYPE_DEFAULT: +@@ -105,6 +99,18 @@ end_set_acl: + return err; + } + ++int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type) ++{ ++ int err; ++ ++ if (type == ACL_TYPE_ACCESS && acl) { ++ err = 
posix_acl_update_mode(inode, &inode->i_mode, &acl); ++ if (err) ++ return err; ++ } ++ return __hfsplus_set_posix_acl(inode, acl, type); ++} ++ + int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir) + { + int err = 0; +@@ -122,15 +128,15 @@ int hfsplus_init_posix_acl(struct inode + return err; + + if (default_acl) { +- err = hfsplus_set_posix_acl(inode, default_acl, +- ACL_TYPE_DEFAULT); ++ err = __hfsplus_set_posix_acl(inode, default_acl, ++ ACL_TYPE_DEFAULT); + posix_acl_release(default_acl); + } + + if (acl) { + if (!err) +- err = hfsplus_set_posix_acl(inode, acl, +- ACL_TYPE_ACCESS); ++ err = __hfsplus_set_posix_acl(inode, acl, ++ ACL_TYPE_ACCESS); + posix_acl_release(acl); + } + return err; diff --git a/queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch b/queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch new file mode 100644 index 00000000000..c7415db7019 --- /dev/null +++ b/queue-4.12/ib-core-namespace-is-mandatory-input-for-address-resolution.patch 
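Review bot: In `__hfsplus_set_posix_acl` the `ACL_TYPE_ACCESS` arm no longer assigns `err` (the removed `err = 0;` was the only assignment visible in that arm), so `err` is now set only by code between the switch and `end_set_acl:` that lies outside the hunk; worth confirming that no path reaches `return err;` with it uninitialised, or initialising it at the declaration. Separately, `posix_acl_update_mode()` can clear `acl` to NULL when the ACL collapses into the mode bits, in which case the new wrapper goes on to call `__hfsplus_set_posix_acl(inode, NULL, ACL_TYPE_ACCESS)`; a one-line comment on that intent, e.g. `/* acl may have been cleared by posix_acl_update_mode(): NULL removes the xattr */`, would stop someone adding a NULL check later. hfsplus_init_posix_acl continues past the hunk.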
@@ -0,0 +1,45 @@
+From bebb2a473a43c8f84a8210687d1cbdde503046d7 Mon Sep 17 00:00:00 2001
+From: Moni Shoua
+Date: Tue, 23 May 2017 10:48:44 +0300
+Subject: IB/core: Namespace is mandatory input for address resolution
+
+From: Moni Shoua
+
+commit bebb2a473a43c8f84a8210687d1cbdde503046d7 upstream.
+
+In function addr_resolve() the namespace is a required input parameter
+and not an output. It is passed later for searching the routing table
+and device addresses. Also, it shouldn't be copied back to the caller.
+
+Fixes: 565edd1d5555 ('IB/addr: Pass network namespace as a parameter')
+Signed-off-by: Moni Shoua
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/addr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -510,6 +510,11 @@ static int addr_resolve(struct sockaddr
+ struct dst_entry *dst;
+ int ret;
+
++ if (!addr->net) {
++ pr_warn_ratelimited("%s: missing namespace\n", __func__);
++ return -EINVAL;
++ }
++
+ if (src_in->sa_family == AF_INET) {
+ struct rtable *rt = NULL;
+ const struct sockaddr_in *dst_in4 =
+@@ -547,7 +552,6 @@ static int addr_resolve(struct sockaddr
+ }
+
+ addr->bound_dev_if = ndev->ifindex;
+- addr->net = dev_net(ndev);
+ dev_put(ndev);
+
+ return ret;
diff --git a/queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch b/queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch
new file mode 100644
index 00000000000..b1a960e4958
--- /dev/null
+++ b/queue-4.12/ib-iser-fix-connection-teardown-race-condition.patch
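Review bot: Nothing in addr_resolve now states that `addr->net` is caller-supplied input, even though the new `if (!addr->net)` rejection and the removed `addr->net = dev_net(ndev);` only make sense together; a comment at the check, e.g. `/* addr->net is an input: the namespace the route and device lookups run in */`, would keep a future patch from restoring the dev_net() assignment. The body of addr_resolve between the two hunks is outside view, so I cannot tell whether any other write to addr->net remains.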
@@ -0,0 +1,98 @@ +From c8c16d3bae967f1c7af541e8d016e5c51e4f010a Mon Sep 17 00:00:00 2001 +From: Vladimir Neyelov +Date: Sun, 21 May 2017 19:17:31 +0300 +Subject: IB/iser: Fix connection teardown race condition + +From: Vladimir Neyelov + +commit c8c16d3bae967f1c7af541e8d016e5c51e4f010a upstream. + +Under heavy iser target(scst) start/stop stress during login/logout +on iser intitiator side happened trace call provided below. + +The function iscsi_iser_slave_alloc iser_conn pointer could be NULL, +due to the fact that function iscsi_iser_conn_stop can be called before +and free iser connection. Let's protect that flow by introducing global mutex. + +BUG: unable to handle kernel paging request at 0000000000001018 +IP: [] iscsi_iser_slave_alloc+0x1e/0x50 [ib_iser] +Call Trace: +? scsi_alloc_sdev+0x242/0x300 +scsi_probe_and_add_lun+0x9e1/0xea0 +? kfree_const+0x21/0x30 +? kobject_set_name_vargs+0x76/0x90 +? __pm_runtime_resume+0x5b/0x70 +__scsi_scan_target+0xf6/0x250 +scsi_scan_target+0xea/0x100 +iscsi_user_scan_session.part.13+0x101/0x130 [scsi_transport_iscsi] +? iscsi_user_scan_session.part.13+0x130/0x130 [scsi_transport_iscsi] +iscsi_user_scan_session+0x1e/0x30 [scsi_transport_iscsi] +device_for_each_child+0x50/0x90 +iscsi_user_scan+0x44/0x60 [scsi_transport_iscsi] +store_scan+0xa8/0x100 +? 
common_file_perm+0x5d/0x1c0 +dev_attr_store+0x18/0x30 +sysfs_kf_write+0x37/0x40 +kernfs_fop_write+0x12c/0x1c0 +__vfs_write+0x18/0x40 +vfs_write+0xb5/0x1a0 +SyS_write+0x55/0xc0 + +Fixes: 318d311e8f01 ("iser: Accept arbitrary sg lists mapping if the device supports it") +Signed-off-by: Vladimir Neyelov +Signed-off-by: Leon Romanovsky +Reviewed-by: Sagi Grimberg +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/iser/iscsi_iser.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/infiniband/ulp/iser/iscsi_iser.c ++++ b/drivers/infiniband/ulp/iser/iscsi_iser.c +@@ -83,6 +83,7 @@ static struct scsi_host_template iscsi_i + static struct iscsi_transport iscsi_iser_transport; + static struct scsi_transport_template *iscsi_iser_scsi_transport; + static struct workqueue_struct *release_wq; ++static DEFINE_MUTEX(unbind_iser_conn_mutex); + struct iser_global ig; + + int iser_debug_level = 0; +@@ -550,12 +551,14 @@ iscsi_iser_conn_stop(struct iscsi_cls_co + */ + if (iser_conn) { + mutex_lock(&iser_conn->state_mutex); ++ mutex_lock(&unbind_iser_conn_mutex); + iser_conn_terminate(iser_conn); + iscsi_conn_stop(cls_conn, flag); + + /* unbind */ + iser_conn->iscsi_conn = NULL; + conn->dd_data = NULL; ++ mutex_unlock(&unbind_iser_conn_mutex); + + complete(&iser_conn->stop_completion); + mutex_unlock(&iser_conn->state_mutex); +@@ -977,13 +980,21 @@ static int iscsi_iser_slave_alloc(struct + struct iser_conn *iser_conn; + struct ib_device *ib_dev; + ++ mutex_lock(&unbind_iser_conn_mutex); ++ + session = starget_to_session(scsi_target(sdev))->dd_data; + iser_conn = session->leadconn->dd_data; ++ if (!iser_conn) { ++ mutex_unlock(&unbind_iser_conn_mutex); ++ return -ENOTCONN; ++ } + ib_dev = iser_conn->ib_conn.device->ib_device; + + if (!(ib_dev->attrs.device_cap_flags & IB_DEVICE_SG_GAPS_REG)) + blk_queue_virt_boundary(sdev->request_queue, ~MASK_4K); + ++ mutex_unlock(&unbind_iser_conn_mutex); ++ + return 0; + } + 
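Review bot: `unbind_iser_conn_mutex` is a single global that `iscsi_iser_conn_stop` holds across `iser_conn_terminate()` and `iscsi_conn_stop()`, so a slow teardown of one connection stalls `iscsi_iser_slave_alloc` for every other session; if the unbind itself (`iser_conn->iscsi_conn = NULL; conn->dd_data = NULL;`) is the only step slave_alloc must not race with, the critical section could be narrowed to those two lines. Whether iser_conn_terminate() can block is not visible here, so treat the narrowing as something to verify rather than a defect. Either way the lock order this patch establishes, `iser_conn->state_mutex` then `unbind_iser_conn_mutex`, should be written down next to the `DEFINE_MUTEX`, since nothing else enforces it.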
diff --git a/queue-4.12/input-i8042-fix-crash-at-boot-time.patch b/queue-4.12/input-i8042-fix-crash-at-boot-time.patch new file mode 100644 index 00000000000..e1a234170d8 --- /dev/null +++ b/queue-4.12/input-i8042-fix-crash-at-boot-time.patch 
@@ -0,0 +1,121 @@ +From 340d394a789518018f834ff70f7534fc463d3226 Mon Sep 17 00:00:00 2001 +From: Chen Hong +Date: Sun, 2 Jul 2017 15:11:10 -0700 +Subject: Input: i8042 - fix crash at boot time + +From: Chen Hong + +commit 340d394a789518018f834ff70f7534fc463d3226 upstream. + +The driver checks port->exists twice in i8042_interrupt(), first when +trying to assign temporary "serio" variable, and second time when deciding +whether it should call serio_interrupt(). The value of port->exists may +change between the 2 checks, and we may end up calling serio_interrupt() +with a NULL pointer: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 +IP: [] _spin_lock_irqsave+0x1f/0x40 +PGD 0 +Oops: 0002 [#1] SMP +last sysfs file: +CPU 0 +Modules linked in: + +Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996) +RIP: 0010:[] [] _spin_lock_irqsave+0x1f/0x40 +RSP: 0018:ffff880028203cc0 EFLAGS: 00010082 +RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050 +RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0 +R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098 +FS: 0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b +CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500) +Stack: +ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000098 + ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac +Call Trace: + + [] serio_interrupt+0x36/0xa0 +[] 
i8042_interrupt+0x132/0x3a0 +[] ? kvm_clock_read+0x1c/0x20 +[] ? kvm_clock_get_cycles+0x9/0x10 +[] handle_IRQ_event+0x60/0x170 +[] ? kvm_guest_apic_eoi_write+0x44/0x50 +[] handle_edge_irq+0xde/0x180 +[] handle_irq+0x49/0xa0 +[] do_IRQ+0x6c/0xf0 +[] ret_from_intr+0x0/0x11 +[] ? __do_softirq+0x73/0x1e0 +[] ? hrtimer_interrupt+0x14b/0x260 +[] ? call_softirq+0x1c/0x30 +[] ? do_softirq+0x65/0xa0 +[] ? irq_exit+0x85/0x90 +[] ? smp_apic_timer_interrupt+0x70/0x9b +[] ? apic_timer_interrupt+0x13/0x20 + +To avoid the issue let's change the second check to test whether serio is +NULL or not. + +Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of +trying to be overly smart and using memory barriers. + +Signed-off-by: Chen Hong +[dtor: take lock in i8042_start()/i8042_stop()] +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -436,8 +436,10 @@ static int i8042_start(struct serio *ser + { + struct i8042_port *port = serio->port_data; + ++ spin_lock_irq(&i8042_lock); + port->exists = true; +- mb(); ++ spin_unlock_irq(&i8042_lock); ++ + return 0; + } + +@@ -450,16 +452,20 @@ static void i8042_stop(struct serio *ser + { + struct i8042_port *port = serio->port_data; + ++ spin_lock_irq(&i8042_lock); + port->exists = false; ++ port->serio = NULL; ++ spin_unlock_irq(&i8042_lock); + + /* ++ * We need to make sure that interrupt handler finishes using ++ * our serio port before we return from this function. + * We synchronize with both AUX and KBD IRQs because there is + * a (very unlikely) chance that AUX IRQ is raised for KBD port + * and vice versa. 
+ */ + synchronize_irq(I8042_AUX_IRQ); + synchronize_irq(I8042_KBD_IRQ); +- port->serio = NULL; + } + + /* +@@ -576,7 +582,7 @@ static irqreturn_t i8042_interrupt(int i + + spin_unlock_irqrestore(&i8042_lock, flags); + +- if (likely(port->exists && !filtered)) ++ if (likely(serio && !filtered)) + serio_interrupt(serio, data, dfl); + + out: diff --git a/queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch b/queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch new file mode 100644 index 00000000000..b11c7e7ea3a --- /dev/null +++ b/queue-4.12/iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch 
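Review bot: `likely(serio && !filtered)` is correct only because `serio` is presumably sampled from `port->serio` while `i8042_lock` is held (above the hunk) and because `i8042_stop()` now clears `port->serio` under the same lock before `synchronize_irq()`; neither dependency is stated at the test, and the old `port->exists` form looked just as plausible. A comment on the changed line, e.g. `/* serio was sampled under i8042_lock; port->exists may have changed since */`, would guard against reverting it. The `mb()` dropped from i8042_start() presumably had a matching barrier in the interrupt path; if so, that one is now dead and worth removing in the same spirit.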
@@ -0,0 +1,67 @@ +From 84c24379a783c514e5ff7c8fc8a21cf8d64fd05f Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Mon, 19 Jun 2017 16:41:56 +0100 +Subject: iommu/arm-smmu: Plumb in new ACPI identifiers + +From: Robin Murphy + +commit 84c24379a783c514e5ff7c8fc8a21cf8d64fd05f upstream. + +Revision C of IORT now allows us to identify ARM MMU-401 and the Cavium +ThunderX implementation. Wire them up so that we can probe these models +once firmware starts using the new codes in place of generic ones, and +so that the appropriate features and quirks get enabled when we do. + +For the sake of backports and mitigating sychronisation problems with +the ACPICA headers, we'll carry a backup copy of the new definitions +locally for the short term to make life simpler. + +Acked-by: Robert Richter +Tested-by: Robert Richter +Signed-off-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/arm-smmu.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/iommu/arm-smmu.c ++++ b/drivers/iommu/arm-smmu.c +@@ -312,6 +312,14 @@ enum arm_smmu_implementation { + CAVIUM_SMMUV2, + }; + ++/* Until ACPICA headers cover IORT rev. 
C */ ++#ifndef ACPI_IORT_SMMU_CORELINK_MMU401 ++#define ACPI_IORT_SMMU_CORELINK_MMU401 0x4 ++#endif ++#ifndef ACPI_IORT_SMMU_CAVIUM_THUNDERX ++#define ACPI_IORT_SMMU_CAVIUM_THUNDERX 0x5 ++#endif ++ + struct arm_smmu_s2cr { + struct iommu_group *group; + int count; +@@ -2073,6 +2081,10 @@ static int acpi_smmu_get_data(u32 model, + smmu->version = ARM_SMMU_V1; + smmu->model = GENERIC_SMMU; + break; ++ case ACPI_IORT_SMMU_CORELINK_MMU401: ++ smmu->version = ARM_SMMU_V1_64K; ++ smmu->model = GENERIC_SMMU; ++ break; + case ACPI_IORT_SMMU_V2: + smmu->version = ARM_SMMU_V2; + smmu->model = GENERIC_SMMU; +@@ -2081,6 +2093,10 @@ static int acpi_smmu_get_data(u32 model, + smmu->version = ARM_SMMU_V2; + smmu->model = ARM_MMU500; + break; ++ case ACPI_IORT_SMMU_CAVIUM_THUNDERX: ++ smmu->version = ARM_SMMU_V2; ++ smmu->model = CAVIUM_SMMUV2; ++ break; + default: + ret = -ENODEV; + } diff --git a/queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch b/queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch new file mode 100644 index 00000000000..b053924a194 --- /dev/null +++ b/queue-4.12/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch 
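Review bot: The `#ifndef` fallbacks take whatever value the ACPICA headers eventually ship, so a header that defines `ACPI_IORT_SMMU_CORELINK_MMU401` or `ACPI_IORT_SMMU_CAVIUM_THUNDERX` with a different number would silently change which `case` the IORT model field lands in; a preprocessor check catches that, e.g. `#if ACPI_IORT_SMMU_CORELINK_MMU401 != 0x4` / `#error "IORT MMU-401 model id mismatch"` / `#endif` after the fallback block, and the same for the ThunderX id. The comment `Until ACPICA headers cover IORT rev. C` would also be more useful if it said the block can be dropped once ACPICA's IORT definitions carry these names.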
@@ -0,0 +1,52 @@
+From fce50a2fa4e9c6e103915c351b6d4a98661341d6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Thu, 29 Jun 2017 22:21:31 -0700
+Subject: iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
+
+From: Nicholas Bellinger
+
+commit fce50a2fa4e9c6e103915c351b6d4a98661341d6 upstream.
+
+This patch fixes a NULL pointer dereference in isert_login_recv_done()
+of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
+resetting isert_conn->cm_id = NULL during a failed login attempt.
+
+As per Sagi, we will always see the completion of all recv wrs posted
+on the qp (given that we assigned a ->done handler), this is a FLUSH
+error completion, we just don't get to verify that because we deref
+NULL before.
+
+The issue here, was the assumption that dereferencing the connection
+cm_id is always safe, which is not true since:
+
+ commit 4a579da2586bd3b79b025947ea24ede2bbfede62
+ Author: Sagi Grimberg
+ Date: Sun Mar 29 15:52:04 2015 +0300
+
+ iser-target: Fix possible deadlock in RDMA_CM connection error
+
+As I see it, we have a direct reference to the isert_device from
+isert_conn which is the one-liner fix that we actually need like
+we do in isert_rdma_read_done() and isert_rdma_write_done().
+
+Reported-by: Andrea Righi
+Tested-by: Andrea Righi
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1452,7 +1452,7 @@ static void
+ isert_login_recv_done(struct ib_cq *cq, struct ib_wc *wc)
+ {
+ struct isert_conn *isert_conn = wc->qp->qp_context;
+- struct ib_device *ib_dev = isert_conn->cm_id->device;
++ struct ib_device *ib_dev = isert_conn->device->ib_device;
+
+ if (unlikely(wc->status != IB_WC_SUCCESS)) {
+ isert_print_wc(wc, "login recv");
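Review bot: The switch to `isert_conn->device->ib_device` lands as a bare one-liner, so the next reader has no hint that `isert_conn->cm_id` can be NULL in this handler; add a comment on the changed line, e.g. `/* cm_id may already be NULL after isert_connect_error(); go via the device ref */`. The commit message says the other completion handlers already use this pattern, so a comment at the cm_id field in struct isert_conn (outside this hunk) stating that it must not be dereferenced from completion context would cover all of them at once. isert_login_recv_done continues past the hunk.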
diff --git a/queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
new file mode 100644
index 00000000000..3515def3a80
--- /dev/null
+++ b/queue-4.12/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch
@@ -0,0 +1,36 @@
+From a9db101b735a9d49295326ae41f610f6da62b08c Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:06:19 +0100
+Subject: MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki
+
+commit a9db101b735a9d49295326ae41f610f6da62b08c upstream.
+
+Complement commit fb6883e5809c ("MIPS: microMIPS: Support handling of
+delay slots.") and actually decode the regular MIPS JALX major
+instruction opcode, the handling of which has been added with the said
+commit for EPC calculation in `__compute_return_epc_for_insn'.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16394/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -556,6 +556,7 @@ int __compute_return_epc_for_insn(struct
+ /*
+ * These are unconditional and in j_format.
+ */
++ case jalx_op:
+ case jal_op:
+ regs->regs[31] = regs->cp0_epc + 8;
+ case j_op:
diff --git a/queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch b/queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
new file mode 100644
index 00000000000..a0dc817d7c7
--- /dev/null
+++ b/queue-4.12/mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch
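Review bot: `case jalx_op:` joins `case jal_op:` in an arm that writes `regs->regs[31]` and then drops into `case j_op:` with no fall-through annotation; with the extra label three opcodes now rely on that unmarked fallthrough, so add `/* fall through */` after the `regs->regs[31] = regs->cp0_epc + 8;` line for -Wimplicit-fallthrough and for the reader. The ISA-mode switch that JALX implies is presumably handled below `case j_op:`, outside the hunk, so that part is not checked here.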
@@ -0,0 +1,34 @@
+From 27fe2200dad2de8207a694024a7b9037dff1b280 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:15:22 +0100
+Subject: MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message
+
+From: Maciej W. Rozycki
+
+commit 27fe2200dad2de8207a694024a7b9037dff1b280 upstream.
+
+This is a user-visible message, so we want it to be spelled correctly.
+
+Fixes: 5f9f41c474be ("MIPS: kernel: Prepare the JR instruction for emulation on MIPS R6")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16400/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -823,7 +823,7 @@ sigill_dsp:
+ force_sig(SIGILL, current);
+ return -EFAULT;
+ sigill_r2r6:
+- pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
++ pr_info("%s: R2 branch but r2-to-r6 emulator is not present - sending SIGILL.\n",
+ current->comm);
+ force_sig(SIGILL, current);
+ return -EFAULT;
diff --git a/queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch b/queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
new file mode 100644
index 00000000000..24464f94b4b
--- /dev/null
+++ b/queue-4.12/mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch
@@ -0,0 +1,60 @@ +From e5f5a5b06e51a36f6ddf31a4a485358263953a3d Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Sat, 8 Jul 2017 23:24:44 +0100 +Subject: MIPS: Fix MIPS I ISA /proc/cpuinfo reporting + +From: Maciej W. Rozycki + +commit e5f5a5b06e51a36f6ddf31a4a485358263953a3d upstream. + +Correct a commit 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support +to /proc/cpuinfo") regression that caused MIPS I systems to show no ISA +levels supported in /proc/cpuinfo, e.g.: + +system type : Digital DECstation 2100/3100 +machine : Unknown +processor : 0 +cpu model : R3000 V2.0 FPU V2.0 +BogoMIPS : 10.69 +wait instruction : no +microsecond timers : no +tlb_entries : 64 +extra interrupt vector : no +hardware watchpoint : no +isa : +ASEs implemented : +shadow register sets : 1 +kscratch registers : 0 +package : 0 +core : 0 +VCED exceptions : not available +VCEI exceptions : not available + +and similarly exclude `mips1' from the ISA list for any processors below +MIPSr1. This is because the condition to show `mips1' on has been made +`cpu_has_mips_r1' rather than newly-introduced `cpu_has_mips_1'. Use +the correct condition then. + +Fixes: 515a6393dbac ("MIPS: kernel: proc: Add MIPS R6 support to /proc/cpuinfo") +Signed-off-by: Maciej W. Rozycki +Reviewed-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16758/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/proc.c ++++ b/arch/mips/kernel/proc.c +@@ -83,7 +83,7 @@ static int show_cpuinfo(struct seq_file + } + + seq_printf(m, "isa\t\t\t:"); +- if (cpu_has_mips_r1) ++ if (cpu_has_mips_1) + seq_printf(m, " mips1"); + if (cpu_has_mips_2) + seq_printf(m, "%s", " mips2"); 
diff --git a/queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch b/queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch
new file mode 100644
index 00000000000..3fd6e519271
--- /dev/null
+++ b/queue-4.12/mips-fix-mips_atomic_set-retry-condition.patch
@@ -0,0 +1,40 @@
+From 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 31 May 2017 16:19:47 +0100
+Subject: MIPS: Fix mips_atomic_set() retry condition
+
+From: James Hogan
+
+commit 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 upstream.
+
+The inline asm retry check in the MIPS_ATOMIC_SET operation of the
+sysmips system call has been backwards since commit f1e39a4a616c ("MIPS:
+Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
+until the operation was inatomic, before returning the new value that
+was probably just written multiple times instead of the old value.
+
+Invert the branch condition to fix that particular issue.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16148/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -134,7 +134,7 @@ static inline int mips_atomic_set(unsign
+ "1: ll %[old], (%[addr]) \n"
+ " move %[tmp], %[new] \n"
+ "2: sc %[tmp], (%[addr]) \n"
+- " bnez %[tmp], 4f \n"
++ " beqz %[tmp], 4f \n"
+ "3: \n"
+ " .insn \n"
+ " .subsection 2 \n"
diff --git a/queue-4.12/mips-fix-mips_atomic_set-with-eva.patch b/queue-4.12/mips-fix-mips_atomic_set-with-eva.patch
new file mode 100644
index 00000000000..022f5d2c888
--- /dev/null
+++ b/queue-4.12/mips-fix-mips_atomic_set-with-eva.patch
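Review bot: `beqz %[tmp], 4f` is the right sense (SC leaves 1 in its register on success and 0 on failure, so the retry must be taken on zero), but the asm carries no comment and the branch was wrong for years precisely because that sense is easy to invert; annotate it, e.g. `" beqz %[tmp], 4f \n" /* sc failed: retry from 1: via 4: */`. The `4:` target in `.subsection 2` and the R10000_LLSC_WAR variant are outside the hunk, so I have not checked that the retry path really re-executes the `ll` at `1:`.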
@@ -0,0 +1,49 @@
+From 4915e1b043d6286928207b1f6968197b50407294 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 31 May 2017 16:19:49 +0100
+Subject: MIPS: Fix mips_atomic_set() with EVA
+
+From: James Hogan
+
+commit 4915e1b043d6286928207b1f6968197b50407294 upstream.
+
+EVA linked loads (LLE) and conditional stores (SCE) should be used on
+EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
+call, or else the atomic set will apply to the kernel view of the
+virtual address space (potentially unmapped on EVA kernels) rather than
+the user view (TLB mapped).
+
+Signed-off-by: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16151/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/syscall.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -29,6 +29,7 @@
+ #include
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -131,9 +132,11 @@ static inline int mips_atomic_set(unsign
+ __asm__ __volatile__ (
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
+ " li %[err], 0 \n"
+- "1: ll %[old], (%[addr]) \n"
++ "1: \n"
++ user_ll("%[old]", "(%[addr])")
+ " move %[tmp], %[new] \n"
+- "2: sc %[tmp], (%[addr]) \n"
++ "2: \n"
++ user_sc("%[tmp]", "(%[addr])")
+ " beqz %[tmp], 4f \n"
+ "3: \n"
+ " .insn \n"
diff --git a/queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch b/queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
new file mode 100644
index 00000000000..761bcd4d2d3
--- /dev/null
+++ b/queue-4.12/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch
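Review bot: Labels `1:` and `2:` now stand on lines of their own ahead of the macro-expanded access, so the exception-table fixups for this user access (outside the hunk) keep pointing at the ll/sc only if `user_ll` and `user_sc` expand to exactly one instruction each; that is worth confirming against their definitions, since any directive emitted inside the macro would shift the faulting address the fixup expects. The header added in the first hunk has lost its name in this rendering, so the queued file should be checked to include the header that actually provides `user_ll`/`user_sc`. A one-line comment above the asm would explain the EVA requirement to readers of syscall.c: `/* user_ll/user_sc select LLE/SCE on EVA so the access hits the user view of the address, not the kernel view */`. mips_atomic_set continues outside the second hunk on both sides.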
@@ -0,0 +1,43 @@
+From 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:07:34 +0100
+Subject: MIPS: Fix unaligned PC interpretation in `compute_return_epc'
+
+From: Maciej W. Rozycki
+
+commit 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a upstream.
+
+Fix a regression introduced with commit fb6883e5809c ("MIPS: microMIPS:
+Support handling of delay slots.") and defer to `__compute_return_epc'
+if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
+which will then arrange for a SIGBUS due to an unaligned instruction
+reference. Returning EPC here is never correct as the API defines this
+function's result to be either a negative error code on failure or one
+of 0 and BRANCH_LIKELY_TAKEN on success.
+
+Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16395/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/branch.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/mips/include/asm/branch.h
++++ b/arch/mips/include/asm/branch.h
+@@ -74,10 +74,7 @@ static inline int compute_return_epc(str
+ return __microMIPS_compute_return_epc(regs);
+ if (cpu_has_mips16)
+ return __MIPS16e_compute_return_epc(regs);
+- return regs->cp0_epc;
+- }
+-
+- if (!delay_slot(regs)) {
++ } else if (!delay_slot(regs)) {
+ regs->cp0_epc += 4;
+ return 0;
+ }
diff --git a/queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch b/queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
new file mode 100644
index 00000000000..f3f14a0a105
--- /dev/null
+++ b/queue-4.12/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch
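Review bot: With `return regs->cp0_epc;` gone, an EPC that has the ISA bit set on hardware with neither microMIPS nor MIPS16 now drops out of the `if` and continues past the hunk, which the description says reaches `__compute_return_epc` and ends in SIGBUS; that fall-through is the whole fix, yet nothing in the code says so. A comment on the new `} else if (!delay_slot(regs)) {` line would let the intent survive the next refactor, e.g. `/* ISA bit set but no compressed ISA: fall through to __compute_return_epc, which signals the unaligned PC */`. compute_return_epc starts and ends outside the hunk.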
@@ -0,0 +1,152 @@
+From 13769ebad0c42738831787e27c7c7f982e7da579 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:05:08 +0100
+Subject: MIPS: math-emu: Prevent wrong ISA mode instruction emulation
+
+From: Maciej W. Rozycki
+
+commit 13769ebad0c42738831787e27c7c7f982e7da579 upstream.
+
+Terminate FPU emulation immediately whenever an ISA mode switch has been
+observed. This is so that we do not interpret machine code in the wrong
+mode, for example when a regular MIPS FPU instruction has been placed in
+a delay slot of a jump that switches into the MIPS16 mode, as with the
+following code (taken from a GCC test suite case):
+
+00400650 :
+ 400650: 3c020100 lui v0,0x100
+ 400654: 03e00008 jr ra
+ 400658: 44c2f800 ctc1 v0,c1_fcsr
+ 40065c: 00000000 nop
+
+[...]
+
+004012d0 <__libc_csu_init>:
+ 4012d0: f000 6a02 li v0,2
+ 4012d4: f150 0b1c la v1,3f9430 <_DYNAMIC-0x6df0>
+ 4012d8: f400 3240 sll v0,16
+ 4012dc: e269 addu v0,v1
+ 4012de: 659a move gp,v0
+ 4012e0: f00c 64f6 save a0-a2,48,ra,s0-s1
+ 4012e4: 673c move s1,gp
+ 4012e6: f010 9978 lw v1,-32744(s1)
+ 4012ea: d204 sw v0,16(sp)
+ 4012ec: eb40 jalr v1
+ 4012ee: 653b move t9,v1
+ 4012f0: f010 997c lw v1,-32740(s1)
+ 4012f4: f030 9920 lw s1,-32736(s1)
+ 4012f8: e32f subu v1,s1
+ 4012fa: 326b sra v0,v1,2
+ 4012fc: d206 sw v0,24(sp)
+ 4012fe: 220c beqz v0,401318 <__libc_csu_init+0x48>
+ 401300: 6800 li s0,0
+ 401302: 99e0 lw a3,0(s1)
+ 401304: 4801 addiu s0,1
+ 401306: 960e lw a2,56(sp)
+ 401308: 4904 addiu s1,4
+ 40130a: 950d lw a1,52(sp)
+ 40130c: 940c lw a0,48(sp)
+ 40130e: ef40 jalr a3
+ 401310: 653f move t9,a3
+ 401312: 9206 lw v0,24(sp)
+ 401314: ea0a cmp v0,s0
+ 401316: 61f5 btnez 401302 <__libc_csu_init+0x32>
+ 401318: 6476 restore 48,ra,s0-s1
+ 40131a: e8a0 jrc ra
+
+Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
+and emulation triggers for the CTC1 instruction. As it is in a jump
+delay slot emulation continues from `401312' (`401313' with the ISA
+bit). However we have no path to handle MIPS16 FPU code emulation,
+because there are no MIPS16 FPU instructions. So the default emulation
+path is taken, interpreting a 32-bit word fetched by `get_user' from
+`401313' as a regular MIPS instruction, which is:
+
+ 401313: f5ea0a92 sdc1 $f10,2706(t7)
+
+This makes the FPU emulator proceed with the supposed SDC1 instruction
+and consequently makes the program considered here terminate with
+SIGSEGV.
+
+A similar although less severe issue exists with pure-microMIPS
+processors in the case where similarly an FPU instruction is emulated in
+a delay slot of a register jump that (incorrectly) switches into the
+regular MIPS mode. A subsequent instruction fetch from the jump's
+target is supposed to cause an Address Error exception, however instead
+we proceed with regular MIPS FPU emulation.
+
+For simplicity then, always terminate the emulation loop whenever a mode
+change is detected, denoted by an ISA mode bit flip. As from commit
+377cb1b6c16a ("MIPS: Disable MIPS16/microMIPS crap for platforms not
+supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
+to 0, so we need to examine the ISA mode bit by hand.
+
+This complements commit 102cedc32a6e ("MIPS: microMIPS: Floating point
+support.") which added JALX decoding to FPU emulation.
+
+Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16393/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/math-emu/cp1emu.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2524,6 +2524,35 @@ dcopuop:
+ return 0;
+ }
+
++/*
++ * Emulate FPU instructions.
++ *
++ * If we use FPU hardware, then we have been typically called to handle
++ * an unimplemented operation, such as where an operand is a NaN or
++ * denormalized. In that case exit the emulation loop after a single
++ * iteration so as to let hardware execute any subsequent instructions.
++ *
++ * If we have no FPU hardware or it has been disabled, then continue
++ * emulating floating-point instructions until one of these conditions
++ * has occurred:
++ *
++ * - a non-FPU instruction has been encountered,
++ *
++ * - an attempt to emulate has ended with a signal,
++ *
++ * - the ISA mode has been switched.
++ *
++ * We need to terminate the emulation loop if we got switched to the
++ * MIPS16 mode, whether supported or not, so that we do not attempt
++ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction.
++ * Similarly if we got switched to the microMIPS mode and only the
++ * regular MIPS mode is supported, so that we do not attempt to emulate
++ * a microMIPS instruction as a regular MIPS FPU instruction. Or if
++ * we got switched to the regular MIPS mode and only the microMIPS mode
++ * is supported, so that we do not attempt to emulate a regular MIPS
++ * instruction that should cause an Address Error exception instead.
++ * For simplicity we always terminate upon an ISA mode switch.
++ */
+ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
+ int has_fpu, void *__user *fault_addr)
+ {
+@@ -2609,6 +2638,15 @@ int fpu_emulator_cop1Handler(struct pt_r
+ break;
+ if (sig)
+ break;
++ /*
++ * We have to check for the ISA bit explicitly here,
++ * because `get_isa16_mode' may return 0 if support
++ * for code compression has been globally disabled,
++ * or otherwise we may produce the wrong signal or
++ * even proceed successfully where we must not.
++ */
++ if ((xcp->cp0_epc ^ prevepc) & 0x1)
++ break;
+
+ cond_resched();
+ } while (xcp->cp0_epc > prevepc);
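Review bot: The mode-switch test `(xcp->cp0_epc ^ prevepc) & 0x1` only works if `prevepc` holds the EPC from the start of this iteration, and that assignment is outside the hunk; the loop condition `xcp->cp0_epc > prevepc` on the last context line already relies on the same thing, so this is presumably fine, but it is the assumption the new check rests on. The bare `0x1` reads as a magic number right next to a comment that talks about the ISA bit; `if ((xcp->cp0_epc & 0x1) != (prevepc & 0x1))` says the same without the XOR trick. The header comment is thorough, but it could name the user-visible effect of the new exit, since the loop breaks silently with `sig == 0` and leaves the next instruction to the hardware, e.g. `* On an ISA mode switch we return without a signal and let the CPU fetch the next instruction in its own mode.` fpu_emulator_cop1Handler's body starts and ends outside the second hunk.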
diff --git a/queue-4.12/mips-negate-error-syscall-return-in-trace.patch b/queue-4.12/mips-negate-error-syscall-return-in-trace.patch
new file mode 100644
index 00000000000..ab604c0350d
--- /dev/null
+++ b/queue-4.12/mips-negate-error-syscall-return-in-trace.patch
@@ -0,0 +1,43 @@
+From 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Thu, 29 Jun 2017 10:12:34 +0100
+Subject: MIPS: Negate error syscall return in trace
+
+From: James Hogan
+
+commit 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 upstream.
+
+The sys_exit trace event takes a single return value for the system
+call, which MIPS passes the value of the $v0 (result) register, however
+MIPS returns positive error codes in $v0 with $a3 specifying that $v0
+contains an error code. As a result erroring system calls are traced
+returning positive error numbers that can't always be distinguished from
+success.
+
+Use regs_return_value() to negate the error code if $a3 is set.
+
+Fixes: 1d7bf993e073 ("MIPS: ftrace: Add support for syscall tracepoints.")
+Signed-off-by: James Hogan
+Cc: Steven Rostedt
+Cc: Ingo Molnar
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16651/
+Acked-by: Steven Rostedt (VMware)
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -895,7 +895,7 @@ asmlinkage void syscall_trace_leave(stru
+ audit_syscall_exit(regs);
+
+ if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+- trace_sys_exit(regs, regs->regs[2]);
++ trace_sys_exit(regs, regs_return_value(regs));
+
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall_exit(regs, 0);
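Review bot: The substituted `regs_return_value(regs)` hides the $a3 error convention that the removed `regs->regs[2]` exposed, so a reader of ptrace.c no longer sees why the raw register was wrong; a one-line comment on the changed line would keep that visible, e.g. `/* $v0 holds a positive errno when $a3 is set; regs_return_value() negates it for the tracepoint */`. This also matters for anyone consuming sys_exit events for monitoring, since the traced value now matches the sign convention of other architectures rather than looking like a success. syscall_trace_leave continues outside the hunk.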
diff --git a/queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
new file mode 100644
index 00000000000..477b2646ecd
--- /dev/null
+++ b/queue-4.12/mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch
@@ -0,0 +1,101 @@
+From 1f4edde422961397cf4470b347958c13c6a740bb Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:09:23 +0100
+Subject: MIPS: Rename `sigill_r6' to `sigill_r2r6' in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki
+
+commit 1f4edde422961397cf4470b347958c13c6a740bb upstream.
+
+Use the more accurate `sigill_r2r6' name for the label used in the case
+of sending SIGILL in the absence of the instruction emulator for an
+earlier ISA level instruction that has been removed as from the R6 ISA,
+so that the `sigill_r6' name is freed for the situation where an R6
+instruction is not supposed to be interpreted, because the executing
+processor does not support the R6 ISA.
+
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16397/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -431,7 +431,7 @@ int __compute_return_epc_for_insn(struct
+ /* Fall through */
+ case jr_op:
+ if (NO_R6EMU && insn.r_format.func == jr_op)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ regs->cp0_epc = regs->regs[insn.r_format.rs];
+ break;
+ }
+@@ -446,7 +446,7 @@ int __compute_return_epc_for_insn(struct
+ switch (insn.i_format.rt) {
+ case bltzl_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bltz_op:
+ if ((long)regs->regs[insn.i_format.rs] < 0) {
+ epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -459,7 +459,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bgezl_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bgez_op:
+ if ((long)regs->regs[insn.i_format.rs] >= 0) {
+ epc = epc + 4 + (insn.i_format.simmediate << 2);
+@@ -574,7 +574,7 @@ int __compute_return_epc_for_insn(struct
+ */
+ case beql_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case beq_op:
+ if (regs->regs[insn.i_format.rs] ==
+ regs->regs[insn.i_format.rt]) {
+@@ -588,7 +588,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bnel_op:
+ if (NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bne_op:
+ if (regs->regs[insn.i_format.rs] !=
+ regs->regs[insn.i_format.rt]) {
+@@ -602,7 +602,7 @@ int __compute_return_epc_for_insn(struct
+
+ case blezl_op: /* not really i_format */
+ if (!insn.i_format.rt && NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case blez_op:
+ /*
+ * Compact branches for R6 for the
+@@ -637,7 +637,7 @@ int __compute_return_epc_for_insn(struct
+
+ case bgtzl_op:
+ if (!insn.i_format.rt && NO_R6EMU)
+- goto sigill_r6;
++ goto sigill_r2r6;
+ case bgtz_op:
+ /*
+ * Compact branches for R6 for the
+@@ -836,7 +836,7 @@ sigill_dsp:
+ current->comm);
+ force_sig(SIGILL, current);
+ return -EFAULT;
+-sigill_r6:
++sigill_r2r6:
+ pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
+ current->comm);
+ force_sig(SIGILL, current);
diff --git a/queue-4.12/mips-save-static-registers-before-sysmips.patch b/queue-4.12/mips-save-static-registers-before-sysmips.patch
new file mode 100644
index 00000000000..196e73aa6eb
--- /dev/null
+++ b/queue-4.12/mips-save-static-registers-before-sysmips.patch
@@ -0,0 +1,92 @@
+From 49955d84cd9ccdca5a16a495e448e1a06fad9e49 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 31 May 2017 16:19:48 +0100
+Subject: MIPS: Save static registers before sysmips
+
+From: James Hogan
+
+commit 49955d84cd9ccdca5a16a495e448e1a06fad9e49 upstream.
+
+The MIPS sysmips system call handler may return directly from the
+MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
+restores the static (callee saved) registers, however they won't have
+been saved on entry to the system call.
+
+Use the save_static_function() macro to create a __sys_sysmips wrapper
+function which saves the static registers before calling sys_sysmips, so
+that the correct static register state is restored by syscall_exit.
+
+Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
+Signed-off-by: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16149/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/kernel/syscall.c | 6 ++++++
+ 5 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -371,7 +371,7 @@ EXPORT(sys_call_table)
+ PTR sys_writev
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_ni_syscall /* 4150 */
+ PTR sys_getsid
+ PTR sys_fdatasync
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -311,7 +311,7 @@ EXPORT(sys_call_table)
+ PTR sys_sched_getaffinity
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_io_setup /* 5200 */
+ PTR sys_io_destroy
+ PTR sys_io_getevents
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -302,7 +302,7 @@ EXPORT(sysn32_call_table)
+ PTR compat_sys_sched_getaffinity
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR compat_sys_io_setup /* 6200 */
+ PTR sys_io_destroy
+ PTR compat_sys_io_getevents
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -371,7 +371,7 @@ EXPORT(sys32_call_table)
+ PTR compat_sys_writev
+ PTR sys_cacheflush
+ PTR sys_cachectl
+- PTR sys_sysmips
++ PTR __sys_sysmips
+ PTR sys_ni_syscall /* 4150 */
+ PTR sys_getsid
+ PTR sys_fdatasync
+--- a/arch/mips/kernel/syscall.c
++++ b/arch/mips/kernel/syscall.c
+@@ -195,6 +195,12 @@ static inline int mips_atomic_set(unsign
+ unreachable();
+ }
+
++/*
++ * mips_atomic_set() normally returns directly via syscall_exit potentially
++ * clobbering static registers, so be sure to preserve them.
++ */
++save_static_function(sys_sysmips);
++
+ SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2)
+ {
+ switch (cmd) {
diff --git a/queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
new file mode 100644
index 00000000000..ddbfefe077d
--- /dev/null
+++ b/queue-4.12/mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch
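Review bot: `save_static_function(sys_sysmips);` is what brings the `__sys_sysmips` symbol into existence for the four table entries that now name it, but the comment above it only explains the clobber, so a reader of syscall.c has to know the macro to connect the two; naming the generated symbol would spare the grep, e.g. `/* Generates __sys_sysmips, the syscall-table entry: it saves the static registers before calling sys_sysmips */`. The syscall.c hunk's context (`@@ -195,6 +195,12`) follows the lines the EVA fix earlier in this queue adds to mips_atomic_set, so the offsets presume that patch is applied first; the series order is not visible here. mips_atomic_set ends inside the hunk, SYSCALL_DEFINE3 starts there and continues outside.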
@@ -0,0 +1,53 @@
+From 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:08:29 +0100
+Subject: MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki
+
+commit 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 upstream.
+
+Fix commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") and
+send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
+ASE instruction has been encountered in `__compute_return_epc_for_insn'
+as our Reserved Instruction exception handler would in response to an
+attempt to actually execute the instruction. Sending SIGBUS only makes
+sense for the unaligned PC case, since moved to `__compute_return_epc'.
+Adjust function documentation accordingly, correct formatting and use
+`pr_info' rather than `printk' as the other exit path already does.
+
+Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16396/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -399,7 +399,7 @@ int __MIPS16e_compute_return_epc(struct
+ *
+ * @regs: Pointer to pt_regs
+ * @insn: branch instruction to decode
+- * @returns: -EFAULT on error and forces SIGBUS, and on success
++ * @returns: -EFAULT on error and forces SIGILL, and on success
+ * returns 0 or BRANCH_LIKELY_TAKEN as appropriate after
+ * evaluating the branch.
+ *
+@@ -832,8 +832,9 @@ int __compute_return_epc_for_insn(struct
+ return ret;
+
+ sigill_dsp:
+- printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm);
+- force_sig(SIGBUS, current);
++ pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n",
++ current->comm);
++ force_sig(SIGILL, current);
+ return -EFAULT;
+ sigill_r6:
+ pr_info("%s: R2 branch but r2-to-r6 emulator is not preset - sending SIGILL.\n",
diff --git a/queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
new file mode 100644
index 00000000000..8b918e56048
--- /dev/null
+++ b/queue-4.12/mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch
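Review bot: The new `pr_info` at `sigill_dsp` is reachable by any unprivileged process that executes an unimplemented DSP branch, so every attempt adds a line to the kernel log and a process looping on such an instruction fills the log at no cost to itself. `pr_info_ratelimited(...)` with the same arguments keeps the diagnostic while bounding its volume, and the same applies to the `sigill_r6` exit the R6-branches patch later in this queue adds and to the existing `sigill_r2r6` exit. The `@returns` doc fix in the first hunk now matches all three SIGILL exits. __compute_return_epc_for_insn continues outside the second hunk.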
@@ -0,0 +1,56 @@
+From fef40be6da856afead4177aaa9d869a66fb3381f Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:12:53 +0100
+Subject: MIPS: Send SIGILL for linked branches in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki
+
+commit fef40be6da856afead4177aaa9d869a66fb3381f upstream.
+
+Fix commit 319824eabc3f ("MIPS: kernel: branch: Do not emulate the
+branch likelies on MIPS R6") and also send SIGILL rather than returning
+-SIGILL for BLTZAL, BLTZALL, BGEZAL and BGEZALL instruction encodings no
+longer supported in R6, except where emulated. Returning -SIGILL is
+never correct as the API defines this function's result upon error to be
+-EFAULT and a signal actually issued.
+
+Fixes: 319824eabc3f ("MIPS: kernel: branch: Do not emulate the branch likelies on MIPS R6")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16398/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -473,10 +473,8 @@ int __compute_return_epc_for_insn(struct
+ case bltzal_op:
+ case bltzall_op:
+ if (NO_R6EMU && (insn.i_format.rs ||
+- insn.i_format.rt == bltzall_op)) {
+- ret = -SIGILL;
+- break;
+- }
++ insn.i_format.rt == bltzall_op))
++ goto sigill_r2r6;
+ regs->regs[31] = epc + 8;
+ /*
+ * OK we are here either because we hit a NAL
+@@ -507,10 +505,8 @@ int __compute_return_epc_for_insn(struct
+ case bgezal_op:
+ case bgezall_op:
+ if (NO_R6EMU && (insn.i_format.rs ||
+- insn.i_format.rt == bgezall_op)) {
+- ret = -SIGILL;
+- break;
+- }
++ insn.i_format.rt == bgezall_op))
++ goto sigill_r2r6;
+ regs->regs[31] = epc + 8;
+ /*
+ * OK we are here either because we hit a BAL
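Review bot: Both new `goto sigill_r2r6;` lines jump to a label that exists only once the rename patch earlier in this queue has been applied; on a tree where the label is still `sigill_r6` this fails to build, so the series order matters and is not visible here. Dropping the `ret = -SIGILL; break;` pairs removes two of the places that stored a negative signal number into `ret`, which brings these cases in line with the documented contract (-EFAULT with a signal raised, or 0/BRANCH_LIKELY_TAKEN); the R6-branches patch later in this queue handles the remaining ones. __compute_return_epc_for_insn continues outside both hunks.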
diff --git a/queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch b/queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch
new file mode 100644
index 00000000000..3ce81beed9e
--- /dev/null
+++ b/queue-4.12/mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch
@@ -0,0 +1,118 @@
+From a60b1a5bf88a250f1a77977c0224e502c901c77b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Fri, 16 Jun 2017 00:14:12 +0100
+Subject: MIPS: Send SIGILL for R6 branches in `__compute_return_epc_for_insn'
+
+From: Maciej W. Rozycki
+
+commit a60b1a5bf88a250f1a77977c0224e502c901c77b upstream.
+
+Fix:
+
+* commit 8467ca0122e2 ("MIPS: Emulate the new MIPS R6 branch compact
+(BC) instruction"),
+
+* commit 84fef630127a ("MIPS: Emulate the new MIPS R6 BALC
+instruction"),
+
+* commit 69b9a2fd05a3 ("MIPS: Emulate the new MIPS R6 BEQZC and JIC
+instructions"),
+
+* commit 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC
+instructions"),
+
+* commit c893ce38b265 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and
+BEQZALC instructions")
+
+and send SIGILL rather than returning -SIGILL for R6 branch and jump
+instructions. Returning -SIGILL is never correct as the API defines
+this function's result upon error to be -EFAULT and a signal actually
+issued.
+
+Fixes: 8467ca0122e2 ("MIPS: Emulate the new MIPS R6 branch compact (BC) instruction")
+Fixes: 84fef630127a ("MIPS: Emulate the new MIPS R6 BALC instruction")
+Fixes: 69b9a2fd05a3 ("MIPS: Emulate the new MIPS R6 BEQZC and JIC instructions")
+Fixes: 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC instructions")
+Fixes: c893ce38b265 ("MIPS: Emulate the new MIPS R6 BOVC, BEQC and BEQZALC instructions")
+Signed-off-by: Maciej W. Rozycki
+Cc: James Hogan
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16399/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 35 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -771,35 +771,27 @@ int __compute_return_epc_for_insn(struct
+ #else
+ case bc6_op:
+ /* Only valid for MIPS R6 */
+- if (!cpu_has_mips_r6) {
+- ret = -SIGILL;
+- break;
+- }
++ if (!cpu_has_mips_r6)
++ goto sigill_r6;
+ regs->cp0_epc += 8;
+ break;
+ case balc6_op:
+- if (!cpu_has_mips_r6) {
+- ret = -SIGILL;
+- break;
+- }
++ if (!cpu_has_mips_r6)
++ goto sigill_r6;
+ /* Compact branch: BALC */
+ regs->regs[31] = epc + 4;
+ epc += 4 + (insn.i_format.simmediate << 2);
+ regs->cp0_epc = epc;
+ break;
+ case pop66_op:
+- if (!cpu_has_mips_r6) {
+- ret = -SIGILL;
+- break;
+- }
++ if (!cpu_has_mips_r6)
++ goto sigill_r6;
+ /* Compact branch: BEQZC || JIC */
+ regs->cp0_epc += 8;
+ break;
+ case pop76_op:
+- if (!cpu_has_mips_r6) {
+- ret = -SIGILL;
+- break;
+- }
++ if (!cpu_has_mips_r6)
++ goto sigill_r6;
+ /* Compact branch: BNEZC || JIALC */
+ if (!insn.i_format.rs) {
+ /* JIALC: set $31/ra */
+@@ -811,10 +803,8 @@ int __compute_return_epc_for_insn(struct
+ case pop10_op:
+ case pop30_op:
+ /* Only valid for MIPS R6 */
+- if (!cpu_has_mips_r6) {
+- ret = -SIGILL;
+- break;
+- }
++ if (!cpu_has_mips_r6)
++ goto sigill_r6;
+ /*
+ * Compact branches:
+ * bovc, beqc, beqzalc, bnvc, bnec, bnezlac
+@@ -837,6 +827,11 @@ sigill_r2r6:
+ current->comm);
+ force_sig(SIGILL, current);
+ return -EFAULT;
++sigill_r6:
++ pr_info("%s: R6 branch but no MIPSr6 ISA support - sending SIGILL.\n",
++ current->comm);
++ force_sig(SIGILL, current);
++ return -EFAULT;
+ }
+ EXPORT_SYMBOL_GPL(__compute_return_epc_for_insn);
+
diff --git a/queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch b/queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch
new file mode 100644
index 00000000000..617ab6fedbc
--- /dev/null
+++ b/queue-4.12/mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch
@@ -0,0 +1,41 @@
+From 99975cd4fda52974a767aa44fe0b1a8f74950d9d Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 24 Apr 2017 15:15:28 -0700
+Subject: mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array
+
+From: Bart Van Assche
+
+commit 99975cd4fda52974a767aa44fe0b1a8f74950d9d upstream.
+
+ib_map_mr_sg() can pass an SG-list to .map_mr_sg() that is larger
+than what fits into a single MR. .map_mr_sg() must not attempt to
+map more SG-list elements than what fits into a single MR.
+Hence make sure that mlx5_ib_sg_to_klms() does not write outside
+the MR klms[] array.
+
+Fixes: b005d3164713 ("mlx5: Add arbitrary sg list support")
+Signed-off-by: Bart Van Assche
+Reviewed-by: Max Gurtovoy
+Cc: Sagi Grimberg
+Cc: Leon Romanovsky
+Cc: Israel Rukshin
+Acked-by: Leon Romanovsky
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1779,7 +1779,7 @@ mlx5_ib_sg_to_klms(struct mlx5_ib_mr *mr
+ mr->ndescs = sg_nents;
+
+ for_each_sg(sgl, sg, sg_nents, i) {
+- if (unlikely(i > mr->max_descs))
++ if (unlikely(i >= mr->max_descs))
+ break;
+ klms[i].va = cpu_to_be64(sg_dma_address(sg) + sg_offset);
+ klms[i].bcount = cpu_to_be32(sg_dma_len(sg) - sg_offset);
diff --git a/queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch b/queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch
new file mode 100644
index 00000000000..2dd3664b0eb
--- /dev/null
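Review bot: `mr->ndescs = sg_nents;` on the first context line is written before the loop, and the corrected `i >= mr->max_descs` check now leaves the loop early, so ndescs overstates the number of `klms[]` entries actually populated unless the function resets it from `i` after the loop, which is outside the hunk and worth confirming; a stale count would let the device consume descriptors that were never filled in. The bound itself is right: `klms[i]` is written on the two lines after the check, so `i == max_descs` must not reach them, and the old `>` let it through by one. mlx5_ib_sg_to_klms continues outside the hunk.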
+++ b/queue-4.12/mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch
@@ -0,0 +1,33 @@
+From a186493237a9d8559997c2f97c33c4716d602fd2 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Wed, 17 May 2017 10:47:50 +0200
+Subject: mtd: nand: tango: Fix incorrect use of SEQIN command
+
+From: Boris Brezillon
+
+commit a186493237a9d8559997c2f97c33c4716d602fd2 upstream.
+
+SEQIN is supposed to be used when one wants to start programming a page.
+What we want here is just to change the column within the page, which is
+done with the RNDIN command.
+
+Fixes: 6956e2385a16 ("mtd: nand: add tango NAND flash controller support")
+Signed-off-by: Boris Brezillon
+Acked-by: Marc Gonzalez
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/tango_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/tango_nand.c
++++ b/drivers/mtd/nand/tango_nand.c
+@@ -340,7 +340,7 @@ static void aux_write(struct nand_chip *
+
+ if (!*buf) {
+ /* skip over "len" bytes */
+- chip->cmdfunc(mtd, NAND_CMD_SEQIN, *pos, -1);
++ chip->cmdfunc(mtd, NAND_CMD_RNDIN, *pos, -1);
+ } else {
+ tango_write_buf(mtd, *buf, len);
+ *buf += len;
diff --git a/queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch b/queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch
new file mode 100644
index 00000000000..c7ff3f3c1c5
--- /dev/null
+++ b/queue-4.12/net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch
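Review bot: The comment `/* skip over "len" bytes */` above the changed line still reads as if either command would do, while the fix hinges on RNDIN only moving the column pointer where SEQIN starts a fresh page program; extending it, e.g. `/* skip over "len" bytes: RNDIN moves the column, SEQIN would start a new page program */`, records why this line must not regress. aux_write continues outside the hunk.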
@@ -0,0 +1,48 @@
+From 3ffbc1d65583394be12801655781dd2b079ce169 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Wed, 19 Jul 2017 14:05:01 +1000
+Subject: net/sunrpc/xprt_sock: fix regression in connection error reporting.
+
+From: NeilBrown
+
+commit 3ffbc1d65583394be12801655781dd2b079ce169 upstream.
+
+Commit 3d4762639dd3 ("tcp: remove poll() flakes when receiving
+RST") in v4.12 changed the order in which ->sk_state_change()
+and ->sk_error_report() are called when a socket is shut
+down - sk_state_change() is now called first.
+
+This causes xs_tcp_state_change() -> xs_sock_mark_closed() ->
+xprt_disconnect_done() to wake all pending tasked with -EAGAIN.
+When the ->sk_error_report() callback arrives, it is too late to
+pass the error on, and it is lost.
+
+As easy way to demonstrate the problem caused is to try to start
+rpc.nfsd while rcpbind isn't running.
+nfsd will attempt a tcp connection to rpcbind. A ECONNREFUSED
+error is returned, but sunrpc code loses the error and keeps
+retrying. If it saw the ECONNREFUSED, it would abort.
+
+To fix this, handle the sk->sk_err in the TCP_CLOSE branch of
+xs_tcp_state_change().
+
+Fixes: 3d4762639dd3 ("tcp: remove poll() flakes when receiving RST")
+Signed-off-by: NeilBrown
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1624,6 +1624,8 @@ static void xs_tcp_state_change(struct s
+ if (test_and_clear_bit(XPRT_SOCK_CONNECTING,
+ &transport->sock_state))
+ xprt_clear_connecting(xprt);
++ if (sk->sk_err)
++ xprt_wake_pending_tasks(xprt, -sk->sk_err);
+ xs_sock_mark_closed(xprt);
+ }
+ out:
diff --git a/queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch b/queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch
new file mode 100644
index 00000000000..0f5d21c81ff
--- /dev/null
+++ b/queue-4.12/nfs-fix-initialization-of-nfs_page_array-npages.patch
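Review bot: The two added lines read `sk->sk_err` and leave it set, so the later `->sk_error_report()` callback that the description says now runs second will see the same error again; that appears intentional, since the point is to hand the error to waiting tasks before `xs_sock_mark_closed()` wakes them all with -EAGAIN, but nothing in the code records why the error is consumed here of all places. A comment on the new `if` would preserve the reasoning for the next person who reorders this branch: `/* Since v4.12 sk_state_change() runs before sk_error_report(): report sk_err now, or the -EAGAIN wakeup below loses it */`. xs_tcp_state_change continues outside the hunk.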
@@ -0,0 +1,33 @@
+From 2eb3aea7d9c43325a12df312adfc7fb25bbd636b Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington
+Date: Fri, 9 Jun 2017 11:03:23 -0400
+Subject: NFS: Fix initialization of nfs_page_array->npages
+
+From: Benjamin Coddington
+
+commit 2eb3aea7d9c43325a12df312adfc7fb25bbd636b upstream.
+
+Commit 8ef9b0b9e1c0 open-coded nfs_pgarray_set(), and left out the
+initialization of the nfs_page_array's npages. This mistake didn't show up
+until testing with block layouts, and there shows that all pNFS reads
+return -EIO.
+
+Fixes: 8ef9b0b9e1c0 ("NFS: move nfs_pgarray_set() to open code")
+Signed-off-by: Benjamin Coddington
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/pagelist.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -779,6 +779,7 @@ int nfs_generic_pgio(struct nfs_pageio_d
+ gfp_t gfp_flags = GFP_KERNEL;
+
+ pagecount = nfs_page_array_len(mirror->pg_base, mirror->pg_count);
++ pg_array->npages = pagecount;
+
+ if (pagecount <= ARRAY_SIZE(pg_array->page_array))
+ pg_array->pagevec = pg_array->page_array;
diff --git a/queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch b/queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
new file mode 100644
index 00000000000..d0350d9c836
--- /dev/null
+++ b/queue-4.12/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch
@@ -0,0 +1,97 @@ +From cc89684c9a265828ce061037f1f79f4a68ccd3f7 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 5 Jul 2017 12:22:20 +1000 +Subject: NFS: only invalidate dentrys that are clearly invalid. + +From: NeilBrown + +commit cc89684c9a265828ce061037f1f79f4a68ccd3f7 upstream. + +Since commit bafc9b754f75 ("vfs: More precise tests in d_invalidate") +in v3.18, a return of '0' from ->d_revalidate() will cause the dentry +to be invalidated even if it has filesystems mounted on or it or on a +descendant. The mounted filesystem is unmounted. + +This means we need to be careful not to return 0 unless the directory +referred to truly is invalid. So -ESTALE or -ENOENT should invalidate +the directory. Other errors such a -EPERM or -ERESTARTSYS should be +returned from ->d_revalidate() so they are propagated to the caller. + +A particular problem can be demonstrated by: + +1/ mount an NFS filesystem using NFSv3 on /mnt +2/ mount any other filesystem on /mnt/foo +3/ ls /mnt/foo +4/ turn off network, or otherwise make the server unable to respond +5/ ls /mnt/foo & +6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack +7/ kill -9 $! # this results in -ERESTARTSYS being returned +8/ observe that /mnt/foo has been unmounted. + +This patch changes nfs_lookup_revalidate() to only treat + -ESTALE from nfs_lookup_verify_inode() and + -ESTALE or -ENOENT from ->lookup() +as indicating an invalid inode. Other errors are returned. + +Also nfs_check_inode_attributes() is changed to return -ESTALE rather +than -EIO. This is consistent with the error returned in similar +circumstances from nfs_update_inode(). + +As this bug allows any user to unmount a filesystem mounted on an NFS +filesystem, this fix is suitable for stable kernels. 
+ +Fixes: bafc9b754f75 ("vfs: More precise tests in d_invalidate") +Signed-off-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 12 ++++++++---- + fs/nfs/inode.c | 4 ++-- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1115,11 +1115,13 @@ static int nfs_lookup_revalidate(struct + /* Force a full look up iff the parent directory has changed */ + if (!nfs_is_exclusive_create(dir, flags) && + nfs_check_verifier(dir, dentry, flags & LOOKUP_RCU)) { +- +- if (nfs_lookup_verify_inode(inode, flags)) { ++ error = nfs_lookup_verify_inode(inode, flags); ++ if (error) { + if (flags & LOOKUP_RCU) + return -ECHILD; +- goto out_zap_parent; ++ if (error == -ESTALE) ++ goto out_zap_parent; ++ goto out_error; + } + nfs_advise_use_readdirplus(dir); + goto out_valid; +@@ -1144,8 +1146,10 @@ static int nfs_lookup_revalidate(struct + trace_nfs_lookup_revalidate_enter(dir, dentry, flags); + error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label); + trace_nfs_lookup_revalidate_exit(dir, dentry, flags, error); +- if (error) ++ if (error == -ESTALE || error == -ENOENT) + goto out_bad; ++ if (error) ++ goto out_error; + if (nfs_compare_fh(NFS_FH(inode), fhandle)) + goto out_bad; + if ((error = nfs_refresh_inode(inode, fattr)) != 0) +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1315,9 +1315,9 @@ static int nfs_check_inode_attributes(st + return 0; + /* Has the inode gone and changed behind our back? */ + if ((fattr->valid & NFS_ATTR_FATTR_FILEID) && nfsi->fileid != fattr->fileid) +- return -EIO; ++ return -ESTALE; + if ((fattr->valid & NFS_ATTR_FATTR_TYPE) && (inode->i_mode & S_IFMT) != (fattr->mode & S_IFMT)) +- return -EIO; ++ return -ESTALE; + + if (!nfs_file_has_buffered_writers(nfsi)) { + /* Verify a few of the more important attributes */ 
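Review bot: The new `if (error == -ESTALE || error == -ENOENT) goto out_bad;` in the second fs/nfs/dir.c hunk, and `if (error == -ESTALE) goto out_zap_parent;` in the first, encode the policy that only these errors may make ->d_revalidate() return 0, but the reason — d_invalidate() since bafc9b754f75 unmounts anything mounted under the dentry, so returning 0 on -ERESTARTSYS let any user unmount a filesystem — exists only in the commit message. A comment above each of those tests would keep the security rationale with the code, e.g. `/* Only a truly stale/missing dentry may return 0: d_invalidate() unmounts anything mounted below it. */`. The `out_error` label is outside the hunk, so it is assumed to return `error` unchanged.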
diff --git a/queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch b/queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch
new file mode 100644
index 00000000000..9a828b8a39f
--- /dev/null
+++ b/queue-4.12/nvme-rdma-remove-race-conditions-from-ib-signalling.patch
@@ -0,0 +1,72 @@ +From 5e599d73c1c1816af07f94ddba879499aa39b43c Mon Sep 17 00:00:00 2001 +From: Marta Rybczynska +Date: Tue, 6 Jun 2017 13:27:21 +0200 +Subject: nvme-rdma: remove race conditions from IB signalling + +From: Marta Rybczynska + +commit 5e599d73c1c1816af07f94ddba879499aa39b43c upstream. + +This patch improves the way the RDMA IB signalling is done by using atomic +operations for the signalling variable. This avoids race conditions on +sig_count. + +The signalling interval changes slightly and is now the largest power of +two not larger than queue depth / 2. + +ilog() usage idea by Bart Van Assche. + +Signed-off-by: Marta Rybczynska +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/rdma.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -88,7 +88,7 @@ enum nvme_rdma_queue_flags { + + struct nvme_rdma_queue { + struct nvme_rdma_qe *rsp_ring; +- u8 sig_count; ++ atomic_t sig_count; + int queue_size; + size_t cmnd_capsule_len; + struct nvme_rdma_ctrl *ctrl; +@@ -553,6 +553,7 @@ static int nvme_rdma_init_queue(struct n + queue->cmnd_capsule_len = sizeof(struct nvme_command); + + queue->queue_size = queue_size; ++ atomic_set(&queue->sig_count, 0); + + queue->cm_id = rdma_create_id(&init_net, nvme_rdma_cm_handler, queue, + RDMA_PS_TCP, IB_QPT_RC); +@@ -1040,17 +1041,16 @@ static void nvme_rdma_send_done(struct i + nvme_rdma_wr_error(cq, wc, "SEND"); + } + +-static inline int nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue) ++/* ++ * We want to signal completion at least every queue depth/2. This returns the ++ * largest power of two that is not above half of (queue size + 1) to optimize ++ * (avoid divisions). 
++ */ ++static inline bool nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue) + { +- int sig_limit; ++ int limit = 1 << ilog2((queue->queue_size + 1) / 2); + +- /* +- * We signal completion every queue depth/2 and also handle the +- * degenerated case of a device with queue_depth=1, where we +- * would need to signal every message. +- */ +- sig_limit = max(queue->queue_size / 2, 1); +- return (++queue->sig_count % sig_limit) == 0; ++ return (atomic_inc_return(&queue->sig_count) & (limit - 1)) == 0; + } + + static int nvme_rdma_post_send(struct nvme_rdma_queue *queue, diff --git a/queue-4.12/ovl-fix-random-return-value-on-mount.patch b/queue-4.12/ovl-fix-random-return-value-on-mount.patch new file mode 100644 index 00000000000..25ddf29abc6 --- /dev/null +++ b/queue-4.12/ovl-fix-random-return-value-on-mount.patch @@ -0,0 +1,34 @@ +From 8fc646b44385ff0a9853f6590497e43049eeb311 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 11 Jul 2017 15:58:35 +0300 +Subject: ovl: fix random return value on mount + +From: Amir Goldstein + +commit 8fc646b44385ff0a9853f6590497e43049eeb311 upstream. + +On failure to prepare_creds(), mount fails with a random +return value, as err was last set to an integer cast of +a valid lower mnt pointer or set to 0 if inodes index feature +is enabled. + +Reported-by: Dan Carpenter +Fixes: 3fe6e52f0626 ("ovl: override creds with the ones from ...") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -946,6 +946,7 @@ static int ovl_fill_super(struct super_b + else + sb->s_d_op = &ovl_dentry_operations; + ++ err = -ENOMEM; + ufs->creator_cred = cred = prepare_creds(); + if (!cred) + goto out_put_lower_mnt; 
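Review bot: `int limit = 1 << ilog2((queue->queue_size + 1) / 2);` is recomputed on every nvme_rdma_queue_sig_limit() call, although queue_size is fixed in nvme_rdma_init_queue(), where the same patch already adds `atomic_set(&queue->sig_count, 0);`; the mask could be computed once there and stored beside sig_count. The expression also assumes queue_size >= 1, since ilog2(0) is undefined — presumably guaranteed by the caller, but the new comment block could say so. The `& (limit - 1)` test stays correct across the atomic counter wrapping only because limit is a power of two, which is the real reason for the ilog2 form and deserves a sentence in that comment.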
diff --git a/queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch b/queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch
new file mode 100644
index 00000000000..9460a68d882
--- /dev/null
+++ b/queue-4.12/ovl-mark-parent-impure-on-ovl_link.patch
@@ -0,0 +1,75 @@ +From ea3dad18dc5f778cfd931311a91a9315aa0065a3 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 11 Jul 2017 15:58:34 +0300 +Subject: ovl: mark parent impure on ovl_link() + +From: Amir Goldstein + +commit ea3dad18dc5f778cfd931311a91a9315aa0065a3 upstream. + +When linking a file with copy up origin into a new parent, mark the +new parent dir "impure". + +Fixes: ee1d6d37b6b8 ("ovl: mark upper dir with type origin entries "impure"") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/dir.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -478,17 +478,30 @@ out_cleanup: + } + + static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, +- struct cattr *attr, struct dentry *hardlink) ++ struct cattr *attr, struct dentry *hardlink, ++ bool origin) + { + int err; + const struct cred *old_cred; + struct cred *override_cred; ++ struct dentry *parent = dentry->d_parent; + +- err = ovl_copy_up(dentry->d_parent); ++ err = ovl_copy_up(parent); + if (err) + return err; + + old_cred = ovl_override_creds(dentry->d_sb); ++ ++ /* ++ * When linking a file with copy up origin into a new parent, mark the ++ * new parent dir "impure". 
++ */ ++ if (origin) { ++ err = ovl_set_impure(parent, ovl_dentry_upper(parent)); ++ if (err) ++ goto out_revert_creds; ++ } ++ + err = -ENOMEM; + override_cred = prepare_creds(); + if (override_cred) { +@@ -547,7 +560,7 @@ static int ovl_create_object(struct dent + inode_init_owner(inode, dentry->d_parent->d_inode, mode); + attr.mode = inode->i_mode; + +- err = ovl_create_or_link(dentry, inode, &attr, NULL); ++ err = ovl_create_or_link(dentry, inode, &attr, NULL, false); + if (err) + iput(inode); + +@@ -601,7 +614,8 @@ static int ovl_link(struct dentry *old, + inode = d_inode(old); + ihold(inode); + +- err = ovl_create_or_link(new, inode, NULL, ovl_dentry_upper(old)); ++ err = ovl_create_or_link(new, inode, NULL, ovl_dentry_upper(old), ++ ovl_type_origin(old)); + if (err) + iput(inode); + diff --git a/queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch b/queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch new file mode 100644 index 00000000000..4b2c56af1f6 --- /dev/null +++ b/queue-4.12/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch 
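Review bot: The new `bool origin` parameter is only meaningful on the hardlink path — ovl_create_object() passes `false` and ovl_link() passes `ovl_type_origin(old)` — yet nothing in ovl_create_or_link() ties it to `hardlink`. A comment on the parameter, e.g. `/* origin: the hardlink source has a copy-up origin, so the new parent must be marked impure */`, or a `WARN_ON(origin && !hardlink)`, would make that coupling explicit. ovl_set_impure() is called after ovl_override_creds(), so the `out_revert_creds` path (outside the hunk) is relied on to restore credentials on that new error exit.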
@@ -0,0 +1,62 @@ +From 80f62589fa52f530cffc50e78c0b5a2ae572d61e Mon Sep 17 00:00:00 2001 +From: Jin Yao +Date: Thu, 8 Jun 2017 14:01:44 +0800 +Subject: perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jin Yao + +commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream. + +When the jump instruction is displayed at the row 0 in annotate view, +the arrow is broken. An example: + + 16.86 │ ┌──je 82 + 0.01 │ movsd (%rsp),%xmm0 + │ movsd 0x8(%rsp),%xmm4 + │ movsd 0x8(%rsp),%xmm1 + │ movsd (%rsp),%xmm3 + │ divsd %xmm4,%xmm0 + │ divsd %xmm3,%xmm1 + │ movsd (%rsp),%xmm2 + │ addsd %xmm1,%xmm0 + │ addsd %xmm2,%xmm0 + │ movsd %xmm0,(%rsp) + │82: sub $0x1,%ebx + 83.03 │ ↑ jne 38 + │ add $0x10,%rsp + │ xor %eax,%eax + │ pop %rbx + │ ← retq + +The patch increments the row number before checking with 0. + +Signed-off-by: Yao Jin +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line") +Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/ui/browser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/ui/browser.c ++++ b/tools/perf/ui/browser.c +@@ -704,7 +704,7 @@ static void __ui_browser__line_arrow_dow + ui_browser__gotorc(browser, row, column + 1); + SLsmg_draw_hline(2); + +- if (row++ == 0) ++ if (++row == 0) + goto out; + } else + row = 0; diff --git a/queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch b/queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch new file mode 100644 index 00000000000..b52c06ae4e0 --- /dev/null +++ b/queue-4.12/perf-core-fix-scheduling-regression-of-pinned-groups.patch 
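Review bot: `if (++row == 0)` can only be true when `row` wraps around after the increment, so if `row` is an unsigned type (its declaration is outside the hunk) the `goto out` is effectively dead and a reader will wonder what it guards. If the intent is only to move past the row the corner was drawn on, `row++;` alone, or the comparison with a comment such as `/* row wrapped: nothing below to draw */`, would be clearer. __ui_browser__line_arrow_down() starts and ends outside the hunk.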
@@ -0,0 +1,87 @@ +From 3bda69c1c3993a2bddbae01397d12bfef6054011 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 18 Jul 2017 14:08:34 +0300 +Subject: perf/core: Fix scheduling regression of pinned groups + +From: Alexander Shishkin + +commit 3bda69c1c3993a2bddbae01397d12bfef6054011 upstream. + +Vince Weaver reported: + +> I was tracking down some regressions in my perf_event_test testsuite. +> Some of the tests broke in the 4.11-rc1 timeframe. +> +> I've bisected one of them, this report is about +> tests/overflow/simul_oneshot_group_overflow +> This test creates an event group containing two sampling events, set +> to overflow to a signal handler (which disables and then refreshes the +> event). +> +> On a good kernel you get the following: +> Event perf::instructions with period 1000000 +> Event perf::instructions with period 2000000 +> fd 3 overflows: 946 (perf::instructions/1000000) +> fd 4 overflows: 473 (perf::instructions/2000000) +> Ending counts: +> Count 0: 946379875 +> Count 1: 946365218 +> +> With the broken kernels you get: +> Event perf::instructions with period 1000000 +> Event perf::instructions with period 2000000 +> fd 3 overflows: 938 (perf::instructions/1000000) +> fd 4 overflows: 318 (perf::instructions/2000000) +> Ending counts: +> Count 0: 946373080 +> Count 1: 653373058 + +The root cause of the bug is that the following commit: + + 487f05e18a ("perf/core: Optimize event rescheduling on active contexts") + +erronously assumed that event's 'pinned' setting determines whether the +event belongs to a pinned group or not, but in fact, it's the group +leader's pinned state that matters. + +This was discovered by Vince in the test case described above, where two instruction +counters are grouped, the group leader is pinned, but the other event is not; +in the regressed case the counters were off by 33% (the difference between events' +periods), but should be the same within the error margin. 
+ +Fix the problem by looking at the group leader's pinning. + +Reported-by: Vince Weaver +Tested-by: Vince Weaver +Signed-off-by: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Fixes: 487f05e18a ("perf/core: Optimize event rescheduling on active contexts") +Link: http://lkml.kernel.org/r/87lgnmvw7h.fsf@ashishki-desk.ger.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1456,6 +1456,13 @@ static enum event_type_t get_event_type( + + lockdep_assert_held(&ctx->lock); + ++ /* ++ * It's 'group type', really, because if our group leader is ++ * pinned, so are we. ++ */ ++ if (event->group_leader != event) ++ event = event->group_leader; ++ + event_type = event->attr.pinned ? EVENT_PINNED : EVENT_FLEXIBLE; + if (!ctx->task) + event_type |= EVENT_CPU; diff --git a/queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch b/queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch new file mode 100644 index 00000000000..b1349f3351a --- /dev/null +++ b/queue-4.12/pnfs-fix-eaccess-on-commit-to-ds-handling.patch 
@@ -0,0 +1,47 @@ +From a0bc01e0f1fa39702b5244b3bac699bea0d4f413 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Fri, 23 Jun 2017 10:26:58 -0400 +Subject: PNFS fix EACCESS on commit to DS handling + +From: Olga Kornievskaia + +commit a0bc01e0f1fa39702b5244b3bac699bea0d4f413 upstream. + +Commit fabbbee0eb0f "PNFS fix fallback to MDS if got error on +commit to DS" moved the pnfs_set_lo_fail() to unhandled errors +which was not correct and lead to a kernel oops on umount. + +Instead, fix the original EACCESS on commit to DS error by +getting the new layout and re-doing the IO. + +Fixes: fabbbee0eb0f ("PNFS fix fallback to MDS if got error on commit to DS") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/filelayout/filelayout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -172,6 +172,7 @@ static int filelayout_async_handle_error + case -NFS4ERR_RETRY_UNCACHED_REP: + break; + /* Invalidate Layout errors */ ++ case -NFS4ERR_ACCESS: + case -NFS4ERR_PNFS_NO_LAYOUT: + case -ESTALE: /* mapped NFS4ERR_STALE */ + case -EBADHANDLE: /* mapped NFS4ERR_BADHANDLE */ +@@ -202,10 +203,10 @@ static int filelayout_async_handle_error + task->tk_status); + nfs4_mark_deviceid_unavailable(devid); + pnfs_error_mark_layout_for_return(inode, lseg); ++ pnfs_set_lo_fail(lseg); + rpc_wake_up(&tbl->slot_tbl_waitq); + /* fall through */ + default: +- pnfs_set_lo_fail(lseg); + reset: + dprintk("%s Retry through MDS. Error %d\n", __func__, + task->tk_status); diff --git a/queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch b/queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch new file mode 100644 index 00000000000..e5597775a4e --- /dev/null +++ b/queue-4.12/rdma-core-initialize-port_num-in-qp_attr.patch 
@@ -0,0 +1,33 @@ +From a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 Mon Sep 17 00:00:00 2001 +From: "Ismail, Mustafa" +Date: Fri, 14 Jul 2017 09:41:31 -0500 +Subject: RDMA/core: Initialize port_num in qp_attr + +From: Ismail, Mustafa + +commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream. + +Initialize the port_num for iWARP in rdma_init_qp_attr. + +Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds") +Reviewed-by: Steve Wise +Signed-off-by: Mustafa Ismail +Tested-by: Mike Marciniszyn +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1044,6 +1044,8 @@ int rdma_init_qp_attr(struct rdma_cm_id + } else + ret = iw_cm_init_qp_attr(id_priv->cm_id.iw, qp_attr, + qp_attr_mask); ++ qp_attr->port_num = id_priv->id.port_num; ++ *qp_attr_mask |= IB_QP_PORT; + } else + ret = -ENOSYS; + diff --git a/queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch b/queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch new file mode 100644 index 00000000000..6f3704946c0 --- /dev/null +++ b/queue-4.12/rdma-uverbs-fix-the-check-for-port-number.patch 
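Review bot: `qp_attr->port_num = id_priv->id.port_num;` and `*qp_attr_mask |= IB_QP_PORT;` are executed even when the preceding `iw_cm_init_qp_attr()` returned an error, because they sit after the inner if/else rather than inside its success path. This is probably harmless if callers discard qp_attr on failure, but setting them before the call, or guarding with `if (!ret)`, would keep the error path from writing to the caller's output. rdma_init_qp_attr() starts and ends outside the hunk.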
@@ -0,0 +1,36 @@ +From 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 Mon Sep 17 00:00:00 2001 +From: "Ismail, Mustafa" +Date: Fri, 14 Jul 2017 09:41:30 -0500 +Subject: RDMA/uverbs: Fix the check for port number + +From: Ismail, Mustafa + +commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream. + +The port number is only valid if IB_QP_PORT is set in the mask. +So only check port number if it is valid to prevent modify_qp from +failing due to an invalid port number. + +Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds") +Reviewed-by: Steve Wise +Signed-off-by: Mustafa Ismail +Tested-by: Mike Marciniszyn +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -1931,7 +1931,8 @@ static int modify_qp(struct ib_uverbs_fi + goto out; + } + +- if (!rdma_is_port_valid(qp->device, cmd->base.port_num)) { ++ if ((cmd->base.attr_mask & IB_QP_PORT) && ++ !rdma_is_port_valid(qp->device, cmd->base.port_num)) { + ret = -EINVAL; + goto release_qp; + } diff --git a/queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch b/queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch new file mode 100644 index 00000000000..e3fb4a84a30 --- /dev/null +++ b/queue-4.12/revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch 
@@ -0,0 +1,40 @@ +From 9c40f956ce9b331493347d1b3cb7e384f7dc0581 Mon Sep 17 00:00:00 2001 +From: Lv Zheng +Date: Wed, 12 Jul 2017 11:09:17 +0800 +Subject: Revert "ACPI / EC: Enable event freeze mode..." to fix a regression + +From: Lv Zheng + +commit 9c40f956ce9b331493347d1b3cb7e384f7dc0581 upstream. + +On Lenovo ThinkPad X1 Carbon - the 5th Generation, enabling an earlier +EC event freezing timing causes acpitz-virtual-0 to report a stuck +48C temparature. And with EC firmware revisioned as 1.14, without +reverting back to old EC event freezing timing, the fan still blows +up after a system resume. + +This reverts the culprit change so that the regression can be fixed +without upgrading the EC firmware. + +Fixes: d30283057ecd (ACPI / EC: Enable event freeze mode to improve event handling) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=191181#c168 +Tested-by: Damjan Georgievski +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/ec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -147,7 +147,7 @@ static unsigned int ec_storm_threshold + module_param(ec_storm_threshold, uint, 0644); + MODULE_PARM_DESC(ec_storm_threshold, "Maxim false GPE numbers not considered as GPE storm"); + +-static bool ec_freeze_events __read_mostly = true; ++static bool ec_freeze_events __read_mostly = false; + module_param(ec_freeze_events, bool, 0644); + MODULE_PARM_DESC(ec_freeze_events, "Disabling event handling during suspend/resume"); + diff --git a/queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch b/queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch new file mode 100644 index 00000000000..80ad094fcd7 --- /dev/null +++ b/queue-4.12/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch 
@@ -0,0 +1,75 @@ +From 6a8a75f3235724c5941a33e287b2f98966ad14c5 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Tue, 11 Jul 2017 10:56:54 +0200 +Subject: Revert "perf/core: Drop kernel samples even though :u is specified" + +From: Ingo Molnar + +commit 6a8a75f3235724c5941a33e287b2f98966ad14c5 upstream. + +This reverts commit cc1582c231ea041fbc68861dfaf957eaf902b829. + +This commit introduced a regression that broke rr-project, which uses sampling +events to receive a signal on overflow (but does not care about the contents +of the sample). These signals are critical to the correct operation of rr. + +There's been some back and forth about how to fix it - but to not keep +applications in limbo queue up a revert. + +Reported-by: Kyle Huey +Acked-by: Kyle Huey +Acked-by: Peter Zijlstra +Cc: Jin Yao +Cc: Vince Weaver +Cc: Linus Torvalds +Cc: Will Deacon +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Stephane Eranian +Cc: Namhyung Kim +Cc: Jiri Olsa +Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostej +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 21 --------------------- + 1 file changed, 21 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7323,21 +7323,6 @@ int perf_event_account_interrupt(struct + return __perf_event_account_interrupt(event, 1); + } + +-static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs) +-{ +- /* +- * Due to interrupt latency (AKA "skid"), we may enter the +- * kernel before taking an overflow, even if the PMU is only +- * counting user events. +- * To avoid leaking information to userspace, we must always +- * reject kernel samples when exclude_kernel is set. +- */ +- if (event->attr.exclude_kernel && !user_mode(regs)) +- return false; +- +- return true; +-} +- + /* + * Generic event overflow handling, sampling. 
+ */ +@@ -7359,12 +7344,6 @@ static int __perf_event_overflow(struct + ret = __perf_event_account_interrupt(event, throttle); + + /* +- * For security, drop the skid kernel samples if necessary. +- */ +- if (!sample_is_allowed(event, regs)) +- return ret; +- +- /* + * XXX event_limit might not quite work as expected on inherited + * events + */ diff --git a/queue-4.12/series b/queue-4.12/series index cbc429b42c6..50164269bde 100644 --- a/queue-4.12/series +++ b/queue-4.12/series 
@@ -109,3 +109,66 @@ f2fs-use-spin_-un-lock_irq-save-restore.patch f2fs-don-t-clear-sgid-when-inheriting-acls.patch serial-st-asc-potential-error-pointer-dereference.patch serial-sh-sci-uninitialized-variables-in-sysfs-files.patch +ovl-mark-parent-impure-on-ovl_link.patch +ovl-fix-random-return-value-on-mount.patch +drm-amd-powerplay-fix-memory-leak-in-cz_hwmgr-backend.patch +drm-i915-disable-msi-for-all-pre-gen5.patch +vfio-fix-group-release-deadlock.patch +vfio-new-external-user-group-file-match.patch +vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch +nvme-rdma-remove-race-conditions-from-ib-signalling.patch +ftrace-fix-uninitialized-variable-in-match_records.patch +iommu-arm-smmu-plumb-in-new-acpi-identifiers.patch +drm-i915-gvt-fix-possible-recursive-locking-issue.patch +drm-i915-gvt-fix-inconsistent-locks-holding-sequence.patch +drm-atomic-add-missing-drm_atomic_state_clear-to-atomic_remove_fb.patch +mips-fix-mips_atomic_set-retry-condition.patch +mips-fix-mips_atomic_set-with-eva.patch +mips-negate-error-syscall-return-in-trace.patch +mtd-nand-tango-fix-incorrect-use-of-seqin-command.patch +ubifs-correctly-evict-xattr-inodes.patch +ubifs-don-t-leak-kernel-memory-to-the-mtd.patch +ubifs-don-t-encrypt-special-files-on-creation.patch +ubifs-set-double-hash-cookie-also-for-rename_exchange.patch +acpi-ec-drop-ec-noirq-hooks-to-fix-a-regression.patch +revert-acpi-ec-enable-event-freeze-mode...-to-fix-a-regression.patch +x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch +x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch +mips-fix-mips-i-isa-proc-cpuinfo-reporting.patch +mips-save-static-registers-before-sysmips.patch +mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch +mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch +mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch +mips-send-sigill-for-bposge32-in-__compute_return_epc_for_insn.patch 
+mips-rename-sigill_r6-to-sigill_r2r6-in-__compute_return_epc_for_insn.patch +mips-send-sigill-for-linked-branches-in-__compute_return_epc_for_insn.patch +mips-send-sigill-for-r6-branches-in-__compute_return_epc_for_insn.patch +mips-fix-a-typo-s-preset-present-in-r2-to-r6-emulation-error-message.patch +input-i8042-fix-crash-at-boot-time.patch +ib-iser-fix-connection-teardown-race-condition.patch +ib-core-namespace-is-mandatory-input-for-address-resolution.patch +sunrpc-use-constant-time-memory-comparison-for-mac.patch +net-sunrpc-xprt_sock-fix-regression-in-connection-error-reporting.patch +nfs-fix-initialization-of-nfs_page_array-npages.patch +pnfs-fix-eaccess-on-commit-to-ds-handling.patch +nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch +udf-fix-races-with-i_size-changes-during-readpage.patch +udf-fix-deadlock-between-writeback-and-udf_setsize.patch +target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch +iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch +perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch +perf-core-fix-scheduling-regression-of-pinned-groups.patch +revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch +staging-rtl8188eu-add-tl-wn722n-v2-support.patch +staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch +staging-sm750fb-avoid-conflicting-vesafb.patch +staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch +ceph-fix-race-in-concurrent-readdir.patch +rdma-uverbs-fix-the-check-for-port-number.patch +rdma-core-initialize-port_num-in-qp_attr.patch +drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch +drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch +drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch +drm-i915-make-dp-mst-connector-info-work.patch +mlx5-avoid-that-mlx5_ib_sg_to_klms-overflows-the-klms-array.patch 
+hfsplus-don-t-clear-sgid-when-inheriting-acls.patch diff --git a/queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch b/queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch new file mode 100644 index 00000000000..fa5873b7890 --- /dev/null +++ b/queue-4.12/staging-comedi-ni_mio_common-fix-ao-timer-off-by-one-regression.patch 
@@ -0,0 +1,56 @@ +From 15d5193104a457d5151840247e3bce561c42e3e9 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 30 Jun 2017 12:02:18 +0100 +Subject: staging: comedi: ni_mio_common: fix AO timer off-by-one regression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ian Abbott + +commit 15d5193104a457d5151840247e3bce561c42e3e9 upstream. + +As reported by Éric Piel on the Comedi mailing list (see +), +the analog output asynchronous commands are running too fast with a +period 50 ns shorter than it should be. This affects all boards with AO +command support that are supported by the "ni_pcimio", "ni_atmio", and +"ni_mio_cs" drivers. + +This is a regression bug introduced by commit 080e6795cba3 ("staging: +comedi: ni_mio_common: Cleans up/clarifies ni_ao_cmd"), specifically, +this line in `ni_ao_cmd_set_update()`: + + /* following line: N-1 per STC */ + ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG); + +The `trigvar` variable value comes from a call to `ni_ns_to_timer()` +which converts a timer period in nanoseconds to a hardware divisor +value. The function already reduces the divisor by 1 as required by the +hardware, so the above line should not reduce it further by 1. Fix it +by replacing `trigvar` by `trigvar - 1` in the above line, and remove +the misleading comment. + +Reported-by: Éric Piel +Fixes: 080e6795cba3 ("staging: comedi: ni_mio_common: Cleans up/clarifies ni_ao_cmd") +Cc: Éric Piel +Cc: Spencer E. 
Olson +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_mio_common.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -3116,8 +3116,7 @@ static void ni_ao_cmd_set_update(struct + /* following line: 2-1 per STC */ + ni_stc_writel(dev, 1, NISTC_AO_UI_LOADA_REG); + ni_stc_writew(dev, NISTC_AO_CMD1_UI_LOAD, NISTC_AO_CMD1_REG); +- /* following line: N-1 per STC */ +- ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG); ++ ni_stc_writel(dev, trigvar, NISTC_AO_UI_LOADA_REG); + } else { /* TRIG_EXT */ + /* FIXME: assert scan_begin_arg != 0, ret failure otherwise */ + devpriv->ao_cmd2 |= NISTC_AO_CMD2_BC_GATE_ENA; diff --git a/queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch b/queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch new file mode 100644 index 00000000000..c201b55e228 --- /dev/null +++ b/queue-4.12/staging-lustre-ko2iblnd-check-copy_from_iter-copy_to_iter-return-code.patch 
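Review bot: The patch description says "replacing `trigvar` by `trigvar - 1`", but the hunk does the opposite: `ni_stc_writel(dev, trigvar - 1, NISTC_AO_UI_LOADA_REG);` becomes `ni_stc_writel(dev, trigvar, NISTC_AO_UI_LOADA_REG);`. The code matches the stated reasoning (ni_ns_to_timer() already subtracts 1), so it is the description that is inverted; as a backport of an upstream commit the text is not editable here, but it is worth noting for anyone reading the changelog. A comment on the new line, e.g. `/* trigvar is already N-1, see ni_ns_to_timer() */`, would stop the off-by-one from being reintroduced.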
@@ -0,0 +1,65 @@
+From 566e1ce22e04426fa52328b2adcdf1df49acd98e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Sat, 15 Jul 2017 11:32:08 -0400
+Subject: staging: lustre: ko2iblnd: check copy_from_iter/copy_to_iter return code
+
+From: Arnd Bergmann
+
+commit 566e1ce22e04426fa52328b2adcdf1df49acd98e upstream.
+
+We now get a helpful warning for code that calls copy_{from,to}_iter
+without checking the return value, introduced by commit aa28de275a24
+("iov_iter/hardening: move object size checks to inlined part").
+
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function 'kiblnd_send':
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:1643:2: error: ignoring return value of 'copy_from_iter', declared with attribute warn_unused_result [-Werror=unused-result]
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function 'kiblnd_recv':
+drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:1744:3: error: ignoring return value of 'copy_to_iter', declared with attribute warn_unused_result [-Werror=unused-result]
+
+In case we get short copies here, we may get incorrect behavior.
+I've added failure handling for both rx and tx now, returning
+-EFAULT as expected.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: James Simmons
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c | 19 +++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
++++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
+@@ -1640,8 +1640,13 @@ kiblnd_send(struct lnet_ni *ni, void *pr
+ ibmsg = tx->tx_msg;
+ ibmsg->ibm_u.immediate.ibim_hdr = *hdr;
+
+- copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, IBLND_MSG_SIZE,
+- &from);
++ rc = copy_from_iter(&ibmsg->ibm_u.immediate.ibim_payload, payload_nob,
++ &from);
++ if (rc != payload_nob) {
++ kiblnd_pool_free_node(&tx->tx_pool->tpo_pool, &tx->tx_list);
++ return -EFAULT;
++ }
++
+ nob = offsetof(struct kib_immediate_msg, ibim_payload[payload_nob]);
+ kiblnd_init_tx_msg(ni, tx, IBLND_MSG_IMMEDIATE, nob);
+
+@@ -1741,8 +1746,14 @@ kiblnd_recv(struct lnet_ni *ni, void *pr
+ break;
+ }
+
+- copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload,
+- IBLND_MSG_SIZE, to);
++ rc = copy_to_iter(&rxmsg->ibm_u.immediate.ibim_payload, rlen,
++ to);
++ if (rc != rlen) {
++ rc = -EFAULT;
++ break;
++ }
++
++ rc = 0;
+ lnet_finalize(ni, lntmsg, 0);
+ break;
+
diff --git a/queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch b/queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch
new file mode 100644
index 00000000000..935e9d79f6b
--- /dev/null
+++ b/queue-4.12/staging-rtl8188eu-add-tl-wn722n-v2-support.patch
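Review bot: `rc != payload_nob` and `rc != rlen` compare the size_t result of copy_from_iter()/copy_to_iter() against a variable whose declaration is outside the hunk; `rc` is later assigned `-EFAULT`, which suggests it is an `int`, so the copied length is truncated on assignment and the comparison mixes signed and unsigned. A dedicated local for the copied length keeps the check exact, e.g. `size_t copied = copy_from_iter(...); if (copied != payload_nob) { ... }`, with the same shape in kiblnd_recv(). Both kiblnd_send() and kiblnd_recv() start and end outside the hunk, so whether kiblnd_pool_free_node() is the release that matches how `tx` was obtained cannot be confirmed from this view and is worth checking against the function's other error paths.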
@@ -0,0 +1,29 @@
+From 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 Mon Sep 17 00:00:00 2001
+From: Michael Gugino
+Date: Mon, 17 Jul 2017 13:29:09 -0400
+Subject: staging: rtl8188eu: add TL-WN722N v2 support
+
+From: Michael Gugino
+
+commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream.
+
+Add support for USB Device TP-Link TL-WN722N v2.
+VendorID: 0x2357, ProductID: 0x010c
+
+Signed-off-by: Michael Gugino
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -43,6 +43,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
+ {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
++ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+ {} /* Terminating entry */
+ };
diff --git a/queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch b/queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch
new file mode 100644
index 00000000000..5fb08339c63
--- /dev/null
+++ b/queue-4.12/staging-sm750fb-avoid-conflicting-vesafb.patch
@@ -0,0 +1,75 @@
+From 740c433ec35187b45abe08bb6c45a321a791be8e Mon Sep 17 00:00:00 2001
+From: Teddy Wang
+Date: Fri, 30 Jun 2017 21:57:43 +0100
+Subject: staging: sm750fb: avoid conflicting vesafb
+
+From: Teddy Wang
+
+commit 740c433ec35187b45abe08bb6c45a321a791be8e upstream.
+
+If vesafb is enabled in the config then /dev/fb0 is created by vesa
+and this sm750 driver gets fb1, fb2. But we need to be fb0 and fb1 to
+effectively work with xorg.
+So if it has been alloted fb1, then try to remove the other fb0.
+
+In the previous send, why #ifdef is used was asked.
+https://lkml.org/lkml/2017/6/25/57
+
+Answered at: https://lkml.org/lkml/2017/6/25/69
+Also pasting here for reference.
+
+'Did a quick research into "why".
+The patch d8801e4df91e ("x86/PCI: Set IORESOURCE_ROM_SHADOW only for the
+default VGA device") has started setting IORESOURCE_ROM_SHADOW in flags
+for a default VGA device and that is being done only for x86.
+And so, we will need that #ifdef to check IORESOURCE_ROM_SHADOW as that
+needs to be checked only for a x86 and not for other arch.'
+
+Signed-off-by: Teddy Wang
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/sm750fb/sm750.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/staging/sm750fb/sm750.c
++++ b/drivers/staging/sm750fb/sm750.c
+@@ -1053,6 +1053,26 @@ release_fb:
+ return err;
+ }
+
++static int lynxfb_kick_out_firmware_fb(struct pci_dev *pdev)
++{
++ struct apertures_struct *ap;
++ bool primary = false;
++
++ ap = alloc_apertures(1);
++ if (!ap)
++ return -ENOMEM;
++
++ ap->ranges[0].base = pci_resource_start(pdev, 0);
++ ap->ranges[0].size = pci_resource_len(pdev, 0);
++#ifdef CONFIG_X86
++ primary = pdev->resource[PCI_ROM_RESOURCE].flags &
++ IORESOURCE_ROM_SHADOW;
++#endif
++ remove_conflicting_framebuffers(ap, "sm750_fb1", primary);
++ kfree(ap);
++ return 0;
++}
++
+ static int lynxfb_pci_probe(struct pci_dev *pdev,
+ const struct pci_device_id *ent)
+ {
+@@ -1061,6 +1081,10 @@ static int lynxfb_pci_probe(struct pci_d
+ int fbidx;
+ int err;
+
++ err = lynxfb_kick_out_firmware_fb(pdev);
++ if (err)
++ return err;
++
+ /* enable device */
+ err = pcim_enable_device(pdev);
+ if (err)
diff --git a/queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch b/queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch
new file mode 100644
index 00000000000..193a516c31b
--- /dev/null
+++ b/queue-4.12/sunrpc-use-constant-time-memory-comparison-for-mac.patch
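Review bot: `remove_conflicting_framebuffers(ap, "sm750_fb1", primary);` in lynxfb_kick_out_firmware_fb() discards the callee's result, so if it reports failure in this tree the firmware framebuffer may still be registered while probe continues as if it were gone. Returning it keeps the helper's error reporting consistent with its own -ENOMEM path: `err = remove_conflicting_framebuffers(ap, "sm750_fb1", primary); kfree(ap); return err;`, which needs `int err;` declared at the top of the helper. The `#ifdef CONFIG_X86` block deliberately leaves `primary` false on other architectures, a point the commit message has to explain via a mailing-list link; a one-line comment above the `#ifdef`, `/* IORESOURCE_ROM_SHADOW is only set for the default VGA device on x86 */`, would keep that reasoning with the code.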
@@ -0,0 +1,43 @@
+From 15a8b93fd5690de017ce665382ea45e5d61811a4 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sat, 10 Jun 2017 04:59:07 +0200
+Subject: sunrpc: use constant time memory comparison for mac
+
+From: Jason A. Donenfeld
+
+commit 15a8b93fd5690de017ce665382ea45e5d61811a4 upstream.
+
+Otherwise, we enable a MAC forgery via timing attack.
+
+Signed-off-by: Jason A. Donenfeld
+Cc: "J. Bruce Fields"
+Cc: Jeff Layton
+Cc: Trond Myklebust
+Cc: Anna Schumaker
+Cc: linux-nfs@vger.kernel.org
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
+@@ -34,6 +34,7 @@
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -927,7 +928,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kc
+ if (ret)
+ goto out_err;
+
+- if (memcmp(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
++ if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
+ ret = GSS_S_BAD_SIG;
+ goto out_err;
+ }
diff --git a/queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch b/queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
new file mode 100644
index 00000000000..6f0270a10d5
--- /dev/null
+++ b/queue-4.12/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
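Review bot: `crypto_memneq(...) != 0` carries the memcmp-style comparison over verbatim; crypto_memneq() is non-zero exactly when the buffers differ, so `if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength)) {` says the same thing without the redundant test. The added `#include` line has lost its header name in this rendering; crypto_memneq() is provided by `crypto/algapi.h`. The enclosing gss_krb5_aes_decrypt() starts outside the hunk, and any other checksum comparisons in this file are not visible here.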
@@ -0,0 +1,51 @@
+From 1d6ef276594a781686058802996e09c8550fd767 Mon Sep 17 00:00:00 2001
+From: Jiang Yi
+Date: Sun, 25 Jun 2017 12:28:50 -0700
+Subject: target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
+
+From: Jiang Yi
+
+commit 1d6ef276594a781686058802996e09c8550fd767 upstream.
+
+This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
+that would be triggered during normal se_cmd shutdown or abort
+via __transport_wait_for_tasks().
+
+This would occur because target_complete_cmd() would catch this
+early and do complete_all(&cmd->t_transport_stop_comp), but since
+target_complete_ok_work() or target_complete_failure_work() are
+never called to invoke se_cmd->transport_complete_callback(),
+the COMPARE_AND_WRITE specific callbacks never release caw_sem.
+
+To address this special case, go ahead and release caw_sem
+directly from target_complete_cmd().
+
+(Remove '&& success' from check, to release caw_sem regardless
+ of scsi_status - nab)
+
+Signed-off-by: Jiang Yi
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -730,6 +730,15 @@ void target_complete_cmd(struct se_cmd *
+ if (cmd->transport_state & CMD_T_ABORTED ||
+ cmd->transport_state & CMD_T_STOP) {
+ spin_unlock_irqrestore(&cmd->t_state_lock, flags);
++ /*
++ * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(),
++ * release se_device->caw_sem obtained by sbc_compare_and_write()
++ * since target_complete_ok_work() or target_complete_failure_work()
++ * won't be called to invoke the normal CAW completion callbacks.
++ */
++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
++ up(&dev->caw_sem);
++ }
+ complete_all(&cmd->t_transport_stop_comp);
+ return;
+ } else if (!success) {
diff --git a/queue-4.12/ubifs-correctly-evict-xattr-inodes.patch b/queue-4.12/ubifs-correctly-evict-xattr-inodes.patch
new file mode 100644
index 00000000000..8cb0c234db0
--- /dev/null
+++ b/queue-4.12/ubifs-correctly-evict-xattr-inodes.patch
@@ -0,0 +1,88 @@
+From 272eda8298dc82eb411ece82bbb2c62911087b24 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Wed, 17 May 2017 00:20:27 +0200
+Subject: ubifs: Correctly evict xattr inodes
+
+From: Richard Weinberger
+
+commit 272eda8298dc82eb411ece82bbb2c62911087b24 upstream.
+
+UBIFS handles extended attributes just like files, as consequence of
+that, they also have inodes.
+Therefore UBIFS does all the inode machinery also for xattrs. Since new
+inodes have i_nlink of 1, a file or xattr inode will be evicted
+if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
+for xattrs, which is not correct.
+One can create a file "foo" with xattr "user.test". By reading
+"user.test" an inode will be created, and by deleting "user.test" it
+will get evicted later. The assumption breaks if the file "foo", which
+hosts the xattrs, will be removed. VFS nor UBIFS does not remove each
+xattr via ubifs_xattr_remove(), it just removes the host inode from
+the TNC and all underlying xattr nodes too and the inode will remain
+in the cache and wastes memory.
+
+To solve this problem, remove xattr inodes from the VFS inode cache in
+ubifs_xattr_remove() to make sure that they get evicted.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/tnc.c | 2 ++
+ fs/ubifs/ubifs.h | 1 +
+ fs/ubifs/xattr.c | 22 ++++++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -2802,6 +2802,8 @@ int ubifs_tnc_remove_ino(struct ubifs_in
+ dbg_tnc("xent '%s', ino %lu", xent->name,
+ (unsigned long)xattr_inum);
+
++ ubifs_evict_xattr_inode(c, xattr_inum);
++
+ fname_name(&nm) = xent->name;
+ fname_len(&nm) = le16_to_cpu(xent->nlen);
+ err = ubifs_tnc_remove_nm(c, &key1, &nm);
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -1757,6 +1757,7 @@ int ubifs_xattr_set(struct inode *host,
+ size_t size, int flags);
+ ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf,
+ size_t size);
++void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum);
+
+ #ifdef CONFIG_UBIFS_FS_SECURITY
+ extern int ubifs_init_security(struct inode *dentry, struct inode *inode,
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -513,6 +513,28 @@ out_cancel:
+ return err;
+ }
+
++/**
++ * ubifs_evict_xattr_inode - Evict an xattr inode.
++ * @c: UBIFS file-system description object
++ * @xattr_inum: xattr inode number
++ *
++ * When an inode that hosts xattrs is being removed we have to make sure
++ * that cached inodes of the xattrs also get removed from the inode cache
++ * otherwise we'd waste memory. This function looks up an inode from the
++ * inode cache and clears the link counter such that iput() will evict
++ * the inode.
++ */
++void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum)
++{
++ struct inode *inode;
++
++ inode = ilookup(c->vfs_sb, xattr_inum);
++ if (inode) {
++ clear_nlink(inode);
++ iput(inode);
++ }
++}
++
+ static int ubifs_xattr_remove(struct inode *host, const char *name)
+ {
+ struct inode *inode;
diff --git a/queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch b/queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch
new file mode 100644
index 00000000000..a545bf5460d
--- /dev/null
+++ b/queue-4.12/ubifs-don-t-encrypt-special-files-on-creation.patch
@@ -0,0 +1,32 @@
+From f34e87f58dabc31eb69f61cf4a79e951d4176743 Mon Sep 17 00:00:00 2001
+From: David Gstir
+Date: Wed, 17 May 2017 13:36:16 +0200
+Subject: ubifs: Don't encrypt special files on creation
+
+From: David Gstir
+
+commit f34e87f58dabc31eb69f61cf4a79e951d4176743 upstream.
+
+When a new inode is created, we check if the containing folder has a encryption
+policy set and inherit that. This should however only be done for regular
+files, links and subdirectories. Not for sockes fifos etc.
+
+Fixes: d475a507457b ("ubifs: Add skeleton for fscrypto")
+Signed-off-by: David Gstir
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/dir.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -143,6 +143,7 @@ struct inode *ubifs_new_inode(struct ubi
+ case S_IFBLK:
+ case S_IFCHR:
+ inode->i_op = &ubifs_file_inode_operations;
++ encrypted = false;
+ break;
+ default:
+ BUG();
diff --git a/queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch b/queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch
new file mode 100644
index 00000000000..f333d5c33d4
--- /dev/null
+++ b/queue-4.12/ubifs-don-t-leak-kernel-memory-to-the-mtd.patch
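Review bot: `encrypted = false;` sits under the `case S_IFBLK:`/`case S_IFCHR:` labels, while the description also names sockets and fifos; if S_IFSOCK/S_IFIFO share this case arm their labels are above the hunk and cannot be seen here, so confirm they reach the same assignment. A one-line comment would make the intent survive a later reshuffle of the switch: `/* special files never carry an fscrypt context */`. ubifs_new_inode() starts and ends outside the hunk, so where `encrypted` is consumed afterwards is not visible either.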
@@ -0,0 +1,74 @@
+From 4acadda74ff8b949c448c0282765ae747e088c87 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 16 Jun 2017 16:21:44 +0200
+Subject: ubifs: Don't leak kernel memory to the MTD
+
+From: Richard Weinberger
+
+commit 4acadda74ff8b949c448c0282765ae747e088c87 upstream.
+
+When UBIFS prepares data structures which will be written to the MTD it
+ensues that their lengths are multiple of 8. Since it uses kmalloc() the
+padded bytes are left uninitialized and we leak a few bytes of kernel
+memory to the MTD.
+To make sure that all bytes are initialized, let's switch to kzalloc().
+Kzalloc() is fine in this case because the buffers are not huge and in
+the IO path the performance bottleneck is anyway the MTD.
+
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger
+Reviewed-by: Boris Brezillon
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/journal.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -574,7 +574,7 @@ int ubifs_jnl_update(struct ubifs_info *
+ /* Make sure to also account for extended attributes */
+ len += host_ui->data_len;
+
+- dent = kmalloc(len, GFP_NOFS);
++ dent = kzalloc(len, GFP_NOFS);
+ if (!dent)
+ return -ENOMEM;
+
+@@ -967,7 +967,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+ if (twoparents)
+ len += plen;
+
+- dent1 = kmalloc(len, GFP_NOFS);
++ dent1 = kzalloc(len, GFP_NOFS);
+ if (!dent1)
+ return -ENOMEM;
+
+@@ -1117,7 +1117,7 @@ int ubifs_jnl_rename(struct ubifs_info *
+ len = aligned_dlen1 + aligned_dlen2 + ALIGN(ilen, 8) + ALIGN(plen, 8);
+ if (move)
+ len += plen;
+- dent = kmalloc(len, GFP_NOFS);
++ dent = kzalloc(len, GFP_NOFS);
+ if (!dent)
+ return -ENOMEM;
+
+@@ -1500,7 +1500,7 @@ int ubifs_jnl_delete_xattr(struct ubifs_
+ hlen = host_ui->data_len + UBIFS_INO_NODE_SZ;
+ len = aligned_xlen + UBIFS_INO_NODE_SZ + ALIGN(hlen, 8);
+
+- xent = kmalloc(len, GFP_NOFS);
++ xent = kzalloc(len, GFP_NOFS);
+ if (!xent)
+ return -ENOMEM;
+
+@@ -1607,7 +1607,7 @@ int ubifs_jnl_change_xattr(struct ubifs_
+ aligned_len1 = ALIGN(len1, 8);
+ aligned_len = aligned_len1 + ALIGN(len2, 8);
+
+- ino = kmalloc(aligned_len, GFP_NOFS);
++ ino = kzalloc(aligned_len, GFP_NOFS);
+ if (!ino)
+ return -ENOMEM;
+
diff --git a/queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch b/queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch
new file mode 100644
index 00000000000..75abb08bf76
--- /dev/null
+++ b/queue-4.12/ubifs-set-double-hash-cookie-also-for-rename_exchange.patch
@@ -0,0 +1,38 @@
+From a6664433d383eeb71cbdeb9aea2c66eeea76e742 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Mon, 26 Jun 2017 13:49:04 +0200
+Subject: ubifs: Set double hash cookie also for RENAME_EXCHANGE
+
+From: Richard Weinberger
+
+commit a6664433d383eeb71cbdeb9aea2c66eeea76e742 upstream.
+
+We developed RENAME_EXCHANGE and UBIFS_FLG_DOUBLE_HASH more or less in
+parallel and this case was forgotten. :-(
+
+Fixes: d63d61c16972 ("ubifs: Implement UBIFS_FLG_DOUBLE_HASH")
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/journal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -984,6 +984,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+ dent1->nlen = cpu_to_le16(fname_len(snd_nm));
+ memcpy(dent1->name, fname_name(snd_nm), fname_len(snd_nm));
+ dent1->name[fname_len(snd_nm)] = '\0';
++ set_dent_cookie(c, dent1);
+ zero_dent_node_unused(dent1);
+ ubifs_prep_grp_node(c, dent1, dlen1, 0);
+
+@@ -996,6 +997,7 @@ int ubifs_jnl_xrename(struct ubifs_info
+ dent2->nlen = cpu_to_le16(fname_len(fst_nm));
+ memcpy(dent2->name, fname_name(fst_nm), fname_len(fst_nm));
+ dent2->name[fname_len(fst_nm)] = '\0';
++ set_dent_cookie(c, dent2);
+ zero_dent_node_unused(dent2);
+ ubifs_prep_grp_node(c, dent2, dlen2, 0);
+
diff --git a/queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch b/queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch
new file mode 100644
index 00000000000..8aac029b4bf
--- /dev/null
+++ b/queue-4.12/udf-fix-deadlock-between-writeback-and-udf_setsize.patch
@@ -0,0 +1,51 @@
+From f2e95355891153f66d4156bf3a142c6489cd78c6 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 13 Jun 2017 16:20:25 +0200
+Subject: udf: Fix deadlock between writeback and udf_setsize()
+
+From: Jan Kara
+
+commit f2e95355891153f66d4156bf3a142c6489cd78c6 upstream.
+
+udf_setsize() called truncate_setsize() with i_data_sem held. Thus
+truncate_pagecache() called from truncate_setsize() could lock a page
+under i_data_sem which can deadlock as page lock ranks below
+i_data_sem - e. g. writeback can hold page lock and try to acquire
+i_data_sem to map a block.
+
+Fix the problem by moving truncate_setsize() calls from under
+i_data_sem. It is safe for us to change i_size without holding
+i_data_sem as all the places that depend on i_size being stable already
+hold inode_lock.
+
+Fixes: 7e49b6f2480cb9a9e7322a91592e56a5c85361f5
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1222,8 +1222,8 @@ int udf_setsize(struct inode *inode, lof
+ return err;
+ }
+ set_size:
+- truncate_setsize(inode, newsize);
+ up_write(&iinfo->i_data_sem);
++ truncate_setsize(inode, newsize);
+ } else {
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ down_write(&iinfo->i_data_sem);
+@@ -1240,9 +1240,9 @@ set_size:
+ udf_get_block);
+ if (err)
+ return err;
++ truncate_setsize(inode, newsize);
+ down_write(&iinfo->i_data_sem);
+ udf_clear_extent_cache(inode);
+- truncate_setsize(inode, newsize);
+ udf_truncate_extents(inode);
+ up_write(&iinfo->i_data_sem);
+ }
diff --git a/queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch b/queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch
new file mode 100644
index 00000000000..d3954afec73
--- /dev/null
+++ b/queue-4.12/udf-fix-races-with-i_size-changes-during-readpage.patch
@@ -0,0 +1,44 @@
+From 9795e0e8ac0d6a3ee092f1b555b284b57feef99e Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 13 Jun 2017 15:54:58 +0200
+Subject: udf: Fix races with i_size changes during readpage
+
+From: Jan Kara
+
+commit 9795e0e8ac0d6a3ee092f1b555b284b57feef99e upstream.
+
+__udf_adinicb_readpage() uses i_size several times. When truncate
+changes i_size while the function is running, it can observe several
+different values and thus e.g. expose uninitialized parts of page to
+userspace. Also use i_size_read() in the function since it does not hold
+inode_lock. Since i_size is guaranteed to be small, this cannot really
+cause any issues even on 32-bit archs but let's be careful.
+
+Fixes: 9c2fc0de1a6e638fe58c354a463f544f42a90a09
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/file.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/file.c
++++ b/fs/udf/file.c
+@@ -43,10 +43,15 @@ static void __udf_adinicb_readpage(struc
+ struct inode *inode = page->mapping->host;
+ char *kaddr;
+ struct udf_inode_info *iinfo = UDF_I(inode);
++ loff_t isize = i_size_read(inode);
+
++ /*
++ * We have to be careful here as truncate can change i_size under us.
++ * So just sample it once and use the same value everywhere.
++ */
+ kaddr = kmap_atomic(page);
+- memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, inode->i_size);
+- memset(kaddr + inode->i_size, 0, PAGE_SIZE - inode->i_size);
++ memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, isize);
++ memset(kaddr + isize, 0, PAGE_SIZE - isize);
+ flush_dcache_page(page);
+ SetPageUptodate(page);
+ kunmap_atomic(kaddr);
diff --git a/queue-4.12/vfio-fix-group-release-deadlock.patch b/queue-4.12/vfio-fix-group-release-deadlock.patch
new file mode 100644
index 00000000000..1c454eb6fec
--- /dev/null
+++ b/queue-4.12/vfio-fix-group-release-deadlock.patch
@@ -0,0 +1,77 @@
+From 811642d8d8a82c0cce8dc2debfdaf23c5a144839 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Mon, 19 Jun 2017 09:10:32 -0600
+Subject: vfio: Fix group release deadlock
+
+From: Alex Williamson
+
+commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream.
+
+If vfio_iommu_group_notifier() acquires a group reference and that
+reference becomes the last reference to the group, then vfio_group_put
+introduces a deadlock code path where we're trying to unregister from
+the iommu notifier chain from within a callout of that chain. Use a
+work_struct to release this reference asynchronously.
+
+Signed-off-by: Alex Williamson
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/vfio.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -423,6 +423,34 @@ static void vfio_group_put(struct vfio_g
+ kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
+ }
+
++struct vfio_group_put_work {
++ struct work_struct work;
++ struct vfio_group *group;
++};
++
++static void vfio_group_put_bg(struct work_struct *work)
++{
++ struct vfio_group_put_work *do_work;
++
++ do_work = container_of(work, struct vfio_group_put_work, work);
++
++ vfio_group_put(do_work->group);
++ kfree(do_work);
++}
++
++static void vfio_group_schedule_put(struct vfio_group *group)
++{
++ struct vfio_group_put_work *do_work;
++
++ do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
++ if (WARN_ON(!do_work))
++ return;
++
++ INIT_WORK(&do_work->work, vfio_group_put_bg);
++ do_work->group = group;
++ schedule_work(&do_work->work);
++}
++
+ /* Assume group_lock or group reference is held */
+ static void vfio_group_get(struct vfio_group *group)
+ {
+@@ -762,7 +790,14 @@ static int vfio_iommu_group_notifier(str
+ break;
+ }
+
+- vfio_group_put(group);
++ /*
++ * If we're the last reference to the group, the group will be
++ * released, which includes unregistering the iommu group notifier.
++ * We hold a read-lock on that notifier list, unregistering needs
++ * a write-lock... deadlock. Release our reference asynchronously
++ * to avoid that situation.
++ */
++ vfio_group_schedule_put(group);
+ return NOTIFY_OK;
+ }
+
diff --git a/queue-4.12/vfio-new-external-user-group-file-match.patch b/queue-4.12/vfio-new-external-user-group-file-match.patch
new file mode 100644
index 00000000000..9073bfe811c
--- /dev/null
+++ b/queue-4.12/vfio-new-external-user-group-file-match.patch
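Review bot: When the kmalloc() in vfio_group_schedule_put() fails, `if (WARN_ON(!do_work)) return;` abandons the request, so the caller's group reference is never dropped and that group can no longer be freed. A synchronous vfio_group_put() on that path would reintroduce the deadlock this commit removes, so leaking may be the intended trade-off, but the choice should be stated at that line: `/* no safe synchronous put here (deadlock); the reference is deliberately leaked */`. The GFP_KERNEL allocation also assumes vfio_iommu_group_notifier() runs in a sleepable context; the "read-lock on that notifier list" comment implies a blocking notifier chain, but the registration that establishes this is outside the hunk.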
@@ -0,0 +1,114 @@
+From 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 28 Jun 2017 13:50:05 -0600
+Subject: vfio: New external user group/file match
+
+From: Alex Williamson
+
+commit 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d upstream.
+
+At the point where the kvm-vfio pseudo device wants to release its
+vfio group reference, we can't always acquire a new reference to make
+that happen. The group can be in a state where we wouldn't allow a
+new reference to be added. This new helper function allows a caller
+to match a file to a group to facilitate this. Given a file and
+group, report if they match. Thus the caller needs to already have a
+group reference to match to the file. This allows the deletion of a
+group without acquiring a new reference.
+
+Signed-off-by: Alex Williamson
+Reviewed-by: Eric Auger
+Reviewed-by: Paolo Bonzini
+Tested-by: Eric Auger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/vfio.c | 9 +++++++++
+ include/linux/vfio.h | 2 ++
+ virt/kvm/vfio.c | 27 +++++++++++++++++++--------
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1776,6 +1776,15 @@ void vfio_group_put_external_user(struct
+ }
+ EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
+
++bool vfio_external_group_match_file(struct vfio_group *test_group,
++ struct file *filep)
++{
++ struct vfio_group *group = filep->private_data;
++
++ return (filep->f_op == &vfio_group_fops) && (group == test_group);
++}
++EXPORT_SYMBOL_GPL(vfio_external_group_match_file);
++
+ int vfio_external_user_iommu_id(struct vfio_group *group)
+ {
+ return iommu_group_id(group->iommu_group);
+--- a/include/linux/vfio.h
++++ b/include/linux/vfio.h
+@@ -97,6 +97,8 @@ extern void vfio_unregister_iommu_driver
+ */
+ extern struct vfio_group *vfio_group_get_external_user(struct file *filep);
+ extern void vfio_group_put_external_user(struct vfio_group *group);
++extern bool vfio_external_group_match_file(struct vfio_group *group,
++ struct file *filep);
+ extern int vfio_external_user_iommu_id(struct vfio_group *group);
+ extern long vfio_external_check_extension(struct vfio_group *group,
+ unsigned long arg);
+--- a/virt/kvm/vfio.c
++++ b/virt/kvm/vfio.c
+@@ -51,6 +51,22 @@ static struct vfio_group *kvm_vfio_group
+ return vfio_group;
+ }
+
++static bool kvm_vfio_external_group_match_file(struct vfio_group *group,
++ struct file *filep)
++{
++ bool ret, (*fn)(struct vfio_group *, struct file *);
++
++ fn = symbol_get(vfio_external_group_match_file);
++ if (!fn)
++ return false;
++
++ ret = fn(group, filep);
++
++ symbol_put(vfio_external_group_match_file);
++
++ return ret;
++}
++
+ static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group)
+ {
+ void (*fn)(struct vfio_group *);
+@@ -231,18 +247,13 @@ static int kvm_vfio_set_group(struct kvm
+ if (!f.file)
+ return -EBADF;
+
+- vfio_group = kvm_vfio_group_get_external_user(f.file);
+- fdput(f);
+-
+- if (IS_ERR(vfio_group))
+- return PTR_ERR(vfio_group);
+-
+ ret = -ENOENT;
+
+ mutex_lock(&kv->lock);
+
+ list_for_each_entry(kvg, &kv->group_list, node) {
+- if (kvg->vfio_group != vfio_group)
++ if (!kvm_vfio_external_group_match_file(kvg->vfio_group,
++ f.file))
+ continue;
+
+ list_del(&kvg->node);
+@@ -260,7 +271,7 @@ static int kvm_vfio_set_group(struct kvm
+
+ mutex_unlock(&kv->lock);
+
+- kvm_vfio_group_put_external_user(vfio_group);
++ fdput(f);
+
+ kvm_vfio_update_coherency(dev);
+
diff --git a/queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch b/queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch
new file mode 100644
index 00000000000..2ae15597484
--- /dev/null
+++ b/queue-4.12/vfio-remove-unnecessary-uses-of-vfio_container.group_lock.patch
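Review bot: vfio_external_group_match_file() reads `filep->private_data` into a `struct vfio_group *` before it has checked `filep->f_op == &vfio_group_fops`; the read is only a pointer copy and is harmless, but checking the file type first and only then interpreting private_data states the invariant in the order it is relied on: `if (filep->f_op != &vfio_group_fops) return false; return filep->private_data == test_group;`. In kvm_vfio_set_group() the `fdput(f)` now moves past the lookup loop, which is what allows the file to be matched under `kv->lock`; the `-ENOENT` exit taken when no entry matches lies outside the hunk, so confirm it also passes through that single `fdput(f)` and does not drop the fd twice or not at all.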
@@ -0,0 +1,216 @@
+From 7f56c30bd0a232822aca38d288da475613bdff9b Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Fri, 7 Jul 2017 15:37:38 -0600
+Subject: vfio: Remove unnecessary uses of vfio_container.group_lock
+
+From: Alex Williamson
+
+commit 7f56c30bd0a232822aca38d288da475613bdff9b upstream.
+
+The original intent of vfio_container.group_lock is to protect
+vfio_container.group_list, however over time it's become a crutch to
+prevent changes in container composition any time we call into the
+iommu driver backend. This introduces problems when we start to have
+more complex interactions, for example when a user's DMA unmap request
+triggers a notification to an mdev vendor driver, who responds by
+attempting to unpin mappings within that request, re-entering the
+iommu backend. We incorrectly assume that the use of read-locks here
+allow for this nested locking behavior, but a poorly timed write-lock
+could in fact trigger a deadlock.
+
+The current use of group_lock seems to fall into the trap of locking
+code, not data. Correct that by removing uses of group_lock that are
+not directly related to group_list. Note that the vfio type1 iommu
+backend has its own mutex, vfio_iommu.lock, which it uses to protect
+itself for each of these interfaces anyway. The group_lock appears to
+be a redundancy for these interfaces and type1 even goes so far as to
+release its mutex to allow for exactly the re-entrant code path above.
+
+Reported-by: Chuanxiao Dong
+Signed-off-by: Alex Williamson
+Acked-by: Alexey Kardashevskiy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/vfio.c | 38 --------------------------------------
+ 1 file changed, 38 deletions(-)
+
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1175,15 +1175,11 @@ static long vfio_fops_unl_ioctl(struct f
+ ret = vfio_ioctl_set_iommu(container, arg);
+ break;
+ default:
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ data = container->iommu_data;
+
+ if (driver) /* passthrough all unrecognized ioctls */
+ ret = driver->ops->ioctl(data, cmd, arg);
+-
+- up_read(&container->group_lock);
+ }
+
+ return ret;
+@@ -1237,15 +1233,11 @@ static ssize_t vfio_fops_read(struct fil
+ struct vfio_iommu_driver *driver;
+ ssize_t ret = -EINVAL;
+
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->read))
+ ret = driver->ops->read(container->iommu_data,
+ buf, count, ppos);
+
+- up_read(&container->group_lock);
+-
+ return ret;
+ }
+
+@@ -1256,15 +1248,11 @@ static ssize_t vfio_fops_write(struct fi
+ struct vfio_iommu_driver *driver;
+ ssize_t ret = -EINVAL;
+
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->write))
+ ret = driver->ops->write(container->iommu_data,
+ buf, count, ppos);
+
+- up_read(&container->group_lock);
+-
+ return ret;
+ }
+
+@@ -1274,14 +1262,10 @@ static int vfio_fops_mmap(struct file *f
+ struct vfio_iommu_driver *driver;
+ int ret = -EINVAL;
+
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->mmap))
+ ret = driver->ops->mmap(container->iommu_data, vma);
+
+- up_read(&container->group_lock);
+-
+ return ret;
+ }
+
+@@ -1993,8 +1977,6 @@ int vfio_pin_pages(struct device *dev, u
+ goto err_pin_pages;
+
+ container = group->container;
+- down_read(&container->group_lock);
+-
+ driver =
container->iommu_driver;
+ if (likely(driver && driver->ops->pin_pages))
+ ret = driver->ops->pin_pages(container->iommu_data, user_pfn,
+@@ -2002,7 +1984,6 @@ int vfio_pin_pages(struct device *dev, u
+ else
+ ret = -ENOTTY;
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ err_pin_pages:
+@@ -2042,8 +2023,6 @@ int vfio_unpin_pages(struct device *dev,
+ goto err_unpin_pages;
+
+ container = group->container;
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->unpin_pages))
+ ret = driver->ops->unpin_pages(container->iommu_data, user_pfn,
+@@ -2051,7 +2030,6 @@ int vfio_unpin_pages(struct device *dev,
+ else
+ ret = -ENOTTY;
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ err_unpin_pages:
+@@ -2073,8 +2051,6 @@ static int vfio_register_iommu_notifier(
+ return -EINVAL;
+
+ container = group->container;
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->register_notifier))
+ ret = driver->ops->register_notifier(container->iommu_data,
+@@ -2082,7 +2058,6 @@ static int vfio_register_iommu_notifier(
+ else
+ ret = -ENOTTY;
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ return ret;
+@@ -2100,8 +2075,6 @@ static int vfio_unregister_iommu_notifie
+ return -EINVAL;
+
+ container = group->container;
+- down_read(&container->group_lock);
+-
+ driver = container->iommu_driver;
+ if (likely(driver && driver->ops->unregister_notifier))
+ ret = driver->ops->unregister_notifier(container->iommu_data,
+@@ -2109,7 +2082,6 @@ static int vfio_unregister_iommu_notifie
+ else
+ ret = -ENOTTY;
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ return ret;
+@@ -2127,7 +2099,6 @@ static int vfio_register_group_notifier(
+ unsigned long *events,
+ struct notifier_block *nb)
+ {
+- struct vfio_container *container;
+ int ret;
+ bool set_kvm = false;
+
+@@ -2145,9 +2116,6 @@ static int vfio_register_group_notifier(
+ if (ret)
+ return -EINVAL;
+
+- container = group->container;
+- down_read(&container->group_lock);
+-
+ ret = blocking_notifier_chain_register(&group->notifier, nb);
+
+ /*
+@@ -2158,7 +2126,6 @@ static int vfio_register_group_notifier(
+ blocking_notifier_call_chain(&group->notifier,
+ VFIO_GROUP_NOTIFY_SET_KVM, group->kvm);
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ return ret;
+@@ -2167,19 +2134,14 @@ static int vfio_register_group_notifier(
+ static int vfio_unregister_group_notifier(struct vfio_group *group,
+ struct notifier_block *nb)
+ {
+- struct vfio_container *container;
+ int ret;
+
+ ret = vfio_group_add_container_user(group);
+ if (ret)
+ return -EINVAL;
+
+- container = group->container;
+- down_read(&container->group_lock);
+-
+ ret = blocking_notifier_chain_unregister(&group->notifier, nb);
+
+- up_read(&container->group_lock);
+ vfio_group_try_dissolve_container(group);
+
+ return ret;
diff --git a/queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch b/queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
new file mode 100644
index 00000000000..08c072926bf
--- /dev/null
+++ b/queue-4.12/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch
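Review bot: In vfio_fops_unl_ioctl, vfio_fops_read, vfio_fops_write and vfio_fops_mmap the reads of `container->iommu_driver` and `container->iommu_data` now happen with no lock held at all, and nothing at those sites records what makes that safe; the changelog's argument (the backend serializes itself with its own vfio_iommu.lock, and the container object is pinned by the open fd or by a container-user reference) lives only in the commit message and should be captured at the first of these sites, e.g. `/* No group_lock here: the iommu backend serializes with its own lock; the container is kept alive by this fd for the duration of the call. */`, with the same applying to the vfio_pin_pages, vfio_unpin_pages and register/unregister_iommu_notifier hunks. In vfio_register_group_notifier and vfio_unregister_group_notifier the `container` local is dropped but the `vfio_group_add_container_user()` / `vfio_group_try_dissolve_container()` pair stays, and it is presumably that pair which keeps the container from changing under the notifier call — worth a one-line comment so a later cleanup does not treat it as leftover from the lock. Every function touched here starts or ends outside its hunk, so whether any other reader of `container->iommu_driver` on these paths still assumes group_lock is not visible here.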
@@ -0,0 +1,49 @@
+From dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 Mon Sep 17 00:00:00 2001
+From: Seunghun Han
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+From: Seunghun Han
+
+commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han
+Signed-off-by: Thomas Gleixner
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki"
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_ir
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
diff --git a/queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch b/queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
new file mode 100644
index 00000000000..75f0c35198f
--- /dev/null
+++ b/queue-4.12/x86-ioapic-pass-the-correct-data-to-unmask_ioapic_irq.patch
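Review bot: The new comment `Check bus_irq boundary.` restates the `if` and leaves out why the bound is NR_IRQS_LEGACY, which is the whole point of the check: `bus_irq` is firmware-supplied and, per the changelog, is used as the index into `isa_irq_to_gsi[]`; I would write it as `/* bus_irq comes from the MADT and indexes isa_irq_to_gsi[] (NR_IRQS_LEGACY entries); reject anything larger from broken or malicious tables. */`. Returning after the `pr_warn` silently drops that override, which is consistent with the function being void, and the warning is the only trace an operator will see of a rejected table entry, so printing the offending value with `%u` is the right call. mp_override_legacy_irq's body starts and ends outside the hunk; `gsi` goes through `mp_find_ioapic()` two lines below, which presumably handles its own range, but that is not visible here.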
@@ -0,0 +1,48 @@
+From e708e35ba6d89ff785b225cd07dcccab04fa954a Mon Sep 17 00:00:00 2001
+From: Seunghun Han
+Date: Tue, 18 Jul 2017 18:20:44 +0900
+Subject: x86/ioapic: Pass the correct data to unmask_ioapic_irq()
+
+From: Seunghun Han
+
+commit e708e35ba6d89ff785b225cd07dcccab04fa954a upstream.
+
+One of the rarely executed code pathes in check_timer() calls
+unmask_ioapic_irq() passing irq_get_chip_data(0) as argument.
+
+That's wrong as unmask_ioapic_irq() expects a pointer to the irq data of
+interrupt 0. irq_get_chip_data(0) returns NULL, so the following
+dereference in unmask_ioapic_irq() causes a kernel panic.
+
+The issue went unnoticed in the first place because irq_get_chip_data()
+returns a void pointer so the compiler cannot do a type check on the
+argument. The code path was added for machines with broken configuration,
+but it seems that those machines are either not running current kernels or
+simply do not longer exist.
+
+Hand in irq_get_irq_data(0) as argument which provides the correct data.
+
+[ tglx: Rewrote changelog ]
+
+Fixes: 4467715a44cc ("x86/irq: Move irq_cfg.irq_2_pin into io_apic.c")
+Signed-off-by: Seunghun Han
+Signed-off-by: Thomas Gleixner
+Link: http://lkml.kernel.org/r/1500369644-45767-1-git-send-email-kkamagui@gmail.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/io_apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2115,7 +2115,7 @@ static inline void __init check_timer(vo
+ int idx;
+ idx = find_irq_entry(apic1, pin1, mp_INT);
+ if (idx != -1 && irq_trigger(idx))
+- unmask_ioapic_irq(irq_get_chip_data(0));
++ unmask_ioapic_irq(irq_get_irq_data(0));
+ }
+ irq_domain_deactivate_irq(irq_data);
+ irq_domain_activate_irq(irq_data);
-- 2.47.3
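Review bot: The fix still does a fresh lookup, `irq_get_irq_data(0)`, although check_timer() already has an `irq_data` local in hand two lines later (`irq_domain_deactivate_irq(irq_data)`); if that local is the irq-0 data, as its use here suggests, `unmask_ioapic_irq(irq_data);` is simpler and removes a second opportunity to hand unmask_ioapic_irq() a NULL, which irq_get_irq_data() returns for an irq that has no descriptor. The change does restore type checking: the argument is now a `struct irq_data *` rather than the `void *` from irq_get_chip_data(), which is exactly what let the original call compile. check_timer's body starts and ends outside the hunk, so the declaration and initialisation of `irq_data` are not visible here.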